Shorewall on OpenWRT 20130530

Both Shorewall and the OpenWrt UCI firewall are wrappers for netfilter.

About OpenWRT UCI Firewall:

For most users, the current default OpenWrt UCI firewall manager will be their best choice. For those managing different generations of OpenWRT routers, or those who want to use the same firewall manager on all their Linux based devices, Shorewall may be a better answer.

About Shorewall:

The Shoreline firewall is a well-designed firewall manager for Linux netfilter (http://www.shorewall.net/shorewall_index.htm#WhatIs). A runtime package, Shorewall-Lite, can be hosted on one device, e.g. an OpenWRT router, but built on another (the "nanny"). Shorewall-Lite is otherwise nearly identical to the full Shorewall package. Shorewall is one of the oldest ongoing Linux netfilter firewall managers around, offering a stable user interface to zone-based firewalling across platforms for more than a decade.

Shorewall meshes well with OpenWRT. The other components of UCI/Luci, and tools like the firewall/IP chain report, perform as intended. Shorewall or Shorewall-Lite has been available on most OpenWRT releases (WR, BF, AA, etc.). This example will use the Shorewall-Lite package.

By design, Shorewall offers the user a script based fine grained startup, runtime, and shutdown sequence. This file based sequence works around the different generations and implementations of run levels and network initializations found in the real world of Linux versions and distributions. Once you have developed a set of networks, routes, zones, rules and policies, you can readily duplicate those across all your Shorewall installations on those networks. Shorewall is a single setup and firewall solution that makes extending, altering and managing a heterogeneous system of networks easier. See the bottom of this document for URLs to Shorewall.

If you do not need Shorewall, stick with the OpenWRT UCI firewall. You will likely not get Shorewall support from OpenWRT staff.

Example Installation

Firewall zones isolate networks, sub-networks, and individual machines from other networks and nodes. Port traffic is firewalled (blocked) across zones, subject to the policies and rules you define to manage cross zone traffic. For many situations, limiting network access to resources is handy, if not necessary. Constraining infection vectors to their zones advances basic digital hygiene.

The firewall in this example is Procrustean, set to cut off all traffic as a policy. You must set rules to ACCEPT port traffic. Only the ports, networks, and if you like, machine MAC addresses explicitly allowed in the Shorewall rules configuration file will pass traffic between zones. Most firewall policies are more relaxed than this, but such policies make for a good exercise, and with management, good firewalls. Manifestly, you can relax Shorewall policy and rules to allow packets and choose to log, inspect then build DENY rules, for a lighter touch. The firewall in this example has one inbound (net) port open and forwarded to a single workstation in Lan1, all other inbound net connections are dropped. Outbound connections from the Lan zones that meet the rules are connected to the net. In this example the Lan zones are firewalled from one another. You can find additional instruction for a similar example in the Shorewall documentation: http://www.shorewall.net/three-interface.htm

The use of the labels "Lan1" and "Lan2" in this example is inductive, and one can add more zones, e.g. "Lan3".."LanN", using the first pair as models by editing the Shorewall configuration. The "Lan" label used in the OpenWRT configuration files (below), and its permutations ("LAN", "LAN_", etc.), are arbitrary; you may use your own naming system for zones, networks, and SSIDs, using the example files found here as a model.

In this example scenario, two distinct groups of users need to share one OpenWRT router. One group is working with secure financial data and public monies in a managed work environment with a fixed group of antiviral scanned PCs and known applications, the second group is an undisciplined revolving public meeting group with all manners and generations of wireless devices with unknown applications, any of which may be a malware vector. This second group also requires certain streaming media access that is not allowed to the first group. Both groups will share a router, firewall, and internet gateway. Each group has a zone to itself, with differing rules based on those zones.

In this example the host router must be Multi-SSID capable. As a demonstration, an ar71xx chip set router is set up as a single 802.11G radio with two VAP WPA2-PSK radio interfaces, two Ethernet interfaces, and a bridge from one of the radio interfaces to one of the Ethernet interfaces (LAN1+Eth0), called "br-LAN1". The SSIDs are 'LAN1' and 'LAN2'. VLAN zones could be substituted for the VAPs, but that won't be described here.

LAN1 in this example is the 192.168.1.0/24 net. LAN1, as a member of the firewall zone 'Lan1', allows no dhcp, nor any packets from LAN2 (Shorewall zone Lan2). This example firewall will DNAT forward a single inbound ssh port from the "net" zone (the internet) to Lan1, and has some zone-specific firewall rules and policies.

LAN2 is the 192.168.2.0/24 net. LAN2 has a dhcp server, and no firewall prohibitions on the requisite ports (53, 67, 68). LAN2 is the 'Lan2' zone in Shorewall, and has its own specific firewall rules and policies.

Two more Shorewall zones are defined in this example, the firewall itself ($FW), and the internet (net). Generally, connections can initiate from any zone, but most often, they originate from within the Lan zones (outbound packets), or from the net zone as inbound internet packets. Policies and rules control the permission for traffic to cross the firewall zones.

Software Versions in this example

Your versions will likely differ from those used in this example; adjust as necessary to conform to your router and current software releases as you work through the steps below.

To use Shorewall with recent (20130530+) OpenWRT releases (AA, snapshot, etc), one must disable the default OpenWRT UCI firewall, and substitute the Shorewall-Lite package. Shorewall-Lite needs a nanny machine to compile and load the firewall to the OpenWRT (Shorewall-Lite host) router. The nanny will manage all the configuration files and needs a net connection to load the compiled firewall to the OpenWRT host device.

The Nanny Setup:

  • In this example the nanny has the IP 192.168.1.30, but you can assign other values in the Lan1 zone.
  • Download and install Shorewall (not Shorewall-Lite) on the nanny. The nanny's Shorewall and the host's Shorewall-Lite versions should be the same major.minor release. Check the OpenWRT package directory, e.g. http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/package/, for the available Shorewall-Lite major.minor release for your router's chip set.

Note the "ar71xx" in the above URL: substitute your router's chip set name into the URL, e.g. ar7, brcm47xx, ramips, etc., to find the correct package for your router and OpenWRT release. Conform the nanny's Shorewall release to that version.

For general instructions see http://www.shorewall.net/CompiledPrograms.html.

  • Shorewall's documentation offers this note to Debian users, which applies to the nanny:

If you install using the .deb, you will find that your /etc/shorewall directory is empty. This is intentional. The released configuration file skeletons may be found on your system in the directory /usr/share/doc/shorewall/default-config. Simply copy the files you need from that directory to /etc/shorewall and modify the copies.

  • If your /etc/shorewall directory is empty after a vanilla Shorewall install, sort that out before proceeding.
  • Assert the following in the nanny's /etc/shorewall/shorewall.conf:


      CONFIG_PATH=/usr/share/shorewall
      STARTUP_LOG=/var/log/shorewall-lite-init.log

  • Make the directory ~/Oexample/ and copy all the /etc/shorewall files (masq, rules, etc.) to it. This is your working directory for the OpenWRT host's firewall configuration, analogous to /etc/shorewall/. You can choose your own directory name, and substitute it for ~/Oexample/. Edit these files to configure the OpenWRT host's firewall.
  • First, edit the ~/Oexample/routestopped file to add the IP address of the nanny machine, like: eth0 192.168.1.30 source,dest.
  • Next, construct your ~/Oexample/ Shorewall files. The example below shows a file name header (init:, interfaces:, etc.) followed by the contents of the file, for each Shorewall file needed in this example. Edit your files to conform to the examples below:


* * * * * * * * * * * * * * * * * *   B E G I N    S H O R E W A L L    C O N F I G     F I L E S    * * * * * * * * * * * * * * * * * * * * 
init:
# Use this file to set the machine state before the firewall starts,
# e.g.: to assure that the internet interface is ready,
# or to set static routes and the like. It is very handy to have a common system across the networks to assign routes.
#
# Example: uncomment the ## lines below to delay Shorewall while a tardy DSL gateway negotiates its IP,
# and to assert static routes through .1.7 to .5.0, .50.0, and .51.0
#
# example workaround: DSL not starting before the firewall
##/sbin/ifup ppp0
##sleep 5
# example static routes (add a system of networks, using .1.7 as their gateway)
##route add -net 192.168.5.0 netmask 255.255.255.0 gw 192.168.1.7
##route add -net 192.168.50.0 netmask 255.255.255.0 gw 192.168.1.7
##route add -net 192.168.51.0/24 gw 192.168.1.7
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

interfaces:
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth1
lan1    br-LAN1
lan2    wlan0-1

masq:
#INTERFACE:DEST         SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/
#                                                                                       GROUP
eth1            br-LAN1
eth1            wlan0-1

policy:
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
$FW    net     DROP    info
lan1   all     REJECT  info
lan2   all     REJECT  info
net    all     DROP
all    all     DROP

routestopped:
#INTERFACE      HOST(S)                 OPTIONS         PROTO   DEST    SOURCE
#                                                               PORT(S) PORT(S)
br-LAN1 192.168.1.3  source,dest

rules:
#ACTION SOURCE  DEST                    PROTO   DEST PORT(S)
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW

# ftp: fw to net (for updates, uncomment only as needed)
##ACCEPT        $FW     net             tcp     ftp
# http, https: fw to net (blocked outbound)
##ACCEPT        $FW     net             tcp     http
##ACCEPT        $FW     net             tcp     https

ACCEPT  lan1    net                     tcp     82          # XFER utility (TCP/UDP)
DNAT    net     lan1:192.168.1.3:22     tcp     53260       # inbound ssh on oddball port (53260), bound to a single machine
ACCEPT  lan1    net                     tcp     53260       # outbound nanny ssh, also on oddball port

# Use first rules for lower-latency streaming
ACCEPT  lan1    net                     tcp     554         # realaudio, outbound tcp
ACCEPT  lan1    net                     tcp     7070        # realaudio, outbound tcp
ACCEPT  lan1    net                     tcp     7071        # realaudio
ACCEPT  lan1    net                     tcp     8080        # realaudio, outbound tcp
ACCEPT  lan1    net                     tcp     8081        # realaudio
ACCEPT  lan1    net                     tcp     rtsp        # realaudio, outbound call
ACCEPT  lan2    net                     tcp     554         # realaudio, outbound tcp
ACCEPT  lan2    net                     tcp     7070        # realaudio, outbound tcp
ACCEPT  lan2    net                     tcp     7071        # realaudio
ACCEPT  lan2    net                     tcp     8080        # realaudio, outbound tcp
ACCEPT  lan2    net                     tcp     8081        # realaudio
ACCEPT  lan2    net                     tcp     rtsp        # realaudio, outbound call
ACCEPT  lan1    net                     tcp     8000:8003   # realaudio, outbound tcp
ACCEPT  lan1    net                     udp     8000:8003   # realaudio, outbound udp
ACCEPT  lan2    net                     tcp     8000:8003   # realaudio, outbound tcp
ACCEPT  lan2    net                     udp     8000:8003   # realaudio, outbound udp
ACCEPT  lan1    net                     tcp     1755        # windows media
#ACCEPT net     lan1                    tcp     1755        # windows media
ACCEPT  lan2    net                     tcp     1755        # windows media
#ACCEPT net     lan2                    tcp     1755        # windows media

# dns
ACCEPT  lan1    net                     udp     53
ACCEPT  lan1    net                     tcp     53
ACCEPT  lan2    net                     udp     53
ACCEPT  lan2    net                     tcp     53
ACCEPT  lan1    $FW                     tcp     53
ACCEPT  lan1    $FW                     udp     53
ACCEPT  lan2    $FW                     tcp     53
ACCEPT  lan2    $FW                     udp     53
ACCEPT  $FW     net                     tcp     53
ACCEPT  $FW     net                     udp     53
ACCEPT  $FW     lan1                    tcp     53
ACCEPT  $FW     lan1                    udp     53
ACCEPT  $FW     lan2                    tcp     53
ACCEPT  $FW     lan2                    udp     53

# dhcp
#ACCEPT lan1    net                     udp     67:68
#ACCEPT lan2    net                     udp     67:68
ACCEPT  lan1    $FW                     udp     67:68
ACCEPT  lan2    $FW                     udp     67:68
ACCEPT  $FW     net                     udp     67:68
ACCEPT  $FW     lan1                    udp     67:68
ACCEPT  $FW     lan2                    udp     67:68

# smb: lan1 <-> $FW
ACCEPT  lan1    $FW                     tcp     137:139     # enable SMB on LAN1
ACCEPT  lan1    $FW                     tcp     443         # http over TLS/SSL
ACCEPT  $FW     lan1                    tcp     137:139     # enable SMB on LAN1
ACCEPT  $FW     lan1                    tcp     443         # http over TLS/SSL
# smb: lan2 <-> $FW (disabled)
#ACCEPT lan2    $FW                     tcp     137:139
#ACCEPT lan2    $FW                     tcp     443
#ACCEPT $FW     lan2                    tcp     137:139
#ACCEPT $FW     lan2                    tcp     443

# web: outbound (lan to net) http, https, ssh, ftp, time, imap
ACCEPT  lan1    net                     tcp     http
ACCEPT  lan1    net                     tcp     https
ACCEPT  lan1    net                     tcp     443         # http over TLS/SSL
ACCEPT  lan1    net                     tcp     ssh
ACCEPT  lan1    net                     tcp     ftp
ACCEPT  lan1    net                     tcp     nntp
ACCEPT  lan1    net                     tcp     37          # time protocol (port 37)
ACCEPT  lan1    net                     tcp     imap
ACCEPT  lan2    net                     tcp     http
ACCEPT  lan2    net                     tcp     https
ACCEPT  lan2    net                     tcp     443
ACCEPT  lan2    net                     tcp     ssh
ACCEPT  lan2    net                     tcp     ftp
ACCEPT  lan2    net                     tcp     nntp
ACCEPT  lan2    net                     tcp     37
ACCEPT  lan2    net                     tcp     imap
ACCEPT  lan1    net                     udp     http
ACCEPT  lan1    net                     udp     https
ACCEPT  lan1    net                     udp     443
ACCEPT  lan1    net                     udp     ssh
ACCEPT  lan1    net                     udp     37
ACCEPT  lan1    net                     udp     imap
ACCEPT  lan2    net                     udp     http
ACCEPT  lan2    net                     udp     https
ACCEPT  lan2    net                     udp     443
ACCEPT  lan2    net                     udp     ssh
ACCEPT  lan2    net                     udp     37
ACCEPT  lan2    net                     udp     imap
#ACCEPT lan1    net                     tcp     6667        # irc
#ACCEPT lan1    net                     udp     6667        # irc
ACCEPT  lan2    net                     tcp     6667        # irc
ACCEPT  lan2    net                     udp     6667        # irc

ACCEPT  lan1    net                     tcp     993         # imap4 over TLS/SSL (TCP/UDP)
ACCEPT  lan1    net                     udp     993

ACCEPT  lan1    net                     tcp     11371       # OpenPGP HTTP key server
ACCEPT  lan1    net                     udp     11371       # OpenPGP HTTP key server
ACCEPT  lan1    net                     tcp     6420        # OpenPGP HTTP key server
ACCEPT  lan1    net                     udp     6420        # OpenPGP HTTP key server
ACCEPT  lan1    net                     udp     123         # check time (ntp)
ACCEPT  lan1    net                     tcp     123         # check time (ntp)
ACCEPT  lan2    net                     udp     123         # check time (ntp)
ACCEPT  lan2    net                     tcp     123         # check time (ntp)
ACCEPT  $FW     net                     udp     123         # check time (ntp)
ACCEPT  $FW     net                     tcp     123         # check time (ntp)

# mail
#ACCEPT $FW     net                     tcp     pop3
ACCEPT  lan1    net                     tcp     pop3
ACCEPT  lan2    net                     tcp     pop3
#ACCEPT $FW     net                     tcp     smtp
ACCEPT  lan1    net                     tcp     smtp
ACCEPT  lan2    net                     tcp     smtp
# fw mail IP when chg rqrs port 25
#ACCEPT $FW     net                     tcp     25
#ACCEPT $FW     net                     tcp     80
#ACCEPT $FW     net                     udp     80
DROP    $FW     net                     tcp     80          # explicitly kill $FW outbound to net on port 80
DROP    $FW     net                     udp     80
DROP    net     $FW                     tcp     80
DROP    net     $FW                     udp     80

# authent (ident)
DROP    net     $FW                     tcp     113
#ACCEPT net     $FW                     tcp     113

# ping: fw to lanx, lanx to net & fw
ACCEPT  $FW     lan1                    icmp    8
ACCEPT  $FW     lan2                    icmp    8
ACCEPT  lan1    $FW                     icmp    8
ACCEPT  lan2    $FW                     icmp    8
ACCEPT  lan1    net                     icmp    8
ACCEPT  lan2    net                     icmp    8

ACCEPT  $FW     net                     tcp     ssh         # enable FW to ssh out
ACCEPT  $FW     net                     udp     ssh

# ssh: lan1 to/from fw on std ports
ACCEPT  $FW     lan1                    tcp     ssh
ACCEPT  $FW     lan1                    udp     ssh
ACCEPT  lan1    $FW                     tcp     ssh
ACCEPT  lan1    $FW                     udp     ssh

# httpd/s on fw visible only to lan1
ACCEPT  lan1    $FW                     tcp     http
ACCEPT  lan1    $FW                     udp     http
ACCEPT  lan1    $FW                     tcp     https
ACCEPT  lan1    $FW                     udp     https

#==============================================================
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


zones:
#ZONE   TYPE    OPTIONS
fw      firewall
net     ipv4            # Internet
lan1    ipv4
lan2    ipv4


shorewall.conf:
Largely default, though you may need to set the startup variable to 1.
* * * * * * * * * * * * * * * * * *   E O F    S H O R E W A L L    C O N F I G     F I L E S    * * * * * * * * * * * * * * * * * * * * * *
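Before loading a ruleset this strict it pays to check how the policy and rules files above combine for a given zone pair, port and protocol. The following Python script is an added example, not part of this page or of Shorewall: it models the first-match evaluation Shorewall applies (rules file first, then the first matching policy line) over a constructed excerpt of the two files above, with a hard-coded service-name table so it runs without /etc/services.

```python
"""Resolve a NEW connection against the zone policy and rules above.

Added example, not Shorewall's own code. It models only what this page
relies on: the first matching line in the rules file wins; if no rule
matches, the first matching policy line decides. Columns modelled:
ACTION, SOURCE, DEST (zone, or zone:addr:port for DNAT), PROTO, DEST PORT(S).
"""

# Service names used on this page, resolved without /etc/services so the
# example runs anywhere (constructed table, standard IANA numbers).
SERVICES = {
    "ftp": 21, "ssh": 22, "smtp": 25, "http": 80, "pop3": 110,
    "nntp": 119, "imap": 143, "https": 443, "rtsp": 554,
}

# Constructed excerpt of the page's policy file.
POLICY = """\
#SOURCE DEST    POLICY  LOG
$FW     net     DROP    info
lan1    all     REJECT  info
lan2    all     REJECT  info
net     all     DROP
all     all     DROP
"""

# Constructed excerpt of the page's rules file (NEW section only).
RULES = """\
#ACTION SOURCE  DEST                    PROTO   DEST PORT(S)
ACCEPT  lan1    net                     tcp     82          # XFER utility
DNAT    net     lan1:192.168.1.3:22     tcp     53260       # inbound ssh, oddball port
ACCEPT  lan1    net                     tcp     53260
ACCEPT  lan1    net                     tcp     8000:8003   # streaming range
ACCEPT  lan1    net                     udp     53
ACCEPT  lan1    $FW                     udp     67:68
ACCEPT  lan1    net                     tcp     http
ACCEPT  lan1    net                     tcp     https
ACCEPT  lan2    net                     tcp     http
DROP    $FW     net                     tcp     80          # explicit drop, before policy
ACCEPT  lan1    $FW                     icmp    8           # icmp type in the port column
ACCEPT  $FW     net                     tcp     ssh
"""


def parse_table(text):
    """Split a Shorewall table into rows of fields, dropping comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def port_matches(spec, port):
    """True if a DEST PORT(S) cell ('-', '82', '8000:8003', 'http') covers port."""
    if spec == "-":
        return True
    if ":" in spec:
        lo, hi = (int(p) for p in spec.split(":", 1))
        return lo <= port <= hi
    if spec.isdigit():
        return int(spec) == port
    if spec in SERVICES:
        return SERVICES[spec] == port
    raise ValueError("unknown service name: " + spec)


def zone_matches(spec, zone):
    """'all' matches every zone; otherwise the names must be identical."""
    return spec == "all" or spec == zone


def decide(src, dst, proto, port):
    """Return (action, reason, dnat_target) for a new connection.

    dnat_target is 'addr' or 'addr:port' for DNAT rules, else None.
    """
    for row in parse_table(RULES):
        action, rsrc, rdst, rproto = row[:4]
        rport = row[4] if len(row) > 4 else "-"
        dest_parts = rdst.split(":")  # zone[:addr[:port]]
        if not (zone_matches(rsrc, src) and zone_matches(dest_parts[0], dst)):
            continue
        if rproto != "-" and rproto != proto:
            continue
        if not port_matches(rport, port):
            continue
        target = ":".join(dest_parts[1:3]) if action == "DNAT" and len(dest_parts) > 1 else None
        return action, "rule: " + " ".join(row), target
    for row in parse_table(POLICY):
        if zone_matches(row[0], src) and zone_matches(row[1], dst):
            return row[2], "policy: " + " ".join(row), None
    # Shorewall refuses to compile a policy file that leaves a zone pair
    # uncovered; the 'all all DROP' line above guarantees a match here.
    raise LookupError("no policy for %s -> %s" % (src, dst))


if __name__ == "__main__":
    # Probes a defender would run before loading the firewall (constructed).
    probes = [("lan1", "net", "tcp", 80), ("net", "lan1", "tcp", 53260),
              ("net", "lan1", "tcp", 22), ("lan2", "lan1", "tcp", 445),
              ("$FW", "net", "tcp", 80)]
    for probe in probes:
        action, reason, target = decide(*probe)
        print("%-5s %-5s %-4s %-6s -> %-6s %s %s" % (probe + (action, reason, target or "")))
```

Swap in your own ~/Oexample/rules and policy text for the two excerpts to audit the real ruleset; the explicit `DROP $FW net tcp 80` line shows why rule order matters, since it is hit before the `$FW net DROP` policy would have applied anyway.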


The OpenWRT Host Setup

Use UCI/Luci setup (http://wiki.openwrt.org/doc/uci) to set up IP addressing on the router (see below):

Wan      192.168.11.1
Lan      192.168.10.1
LAN_1    192.168.13.1
LAN_2    192.168.2.1
br-LAN1  192.168.1.1


* * * * * * * * * * * * * * * * * *   B E G I N    O P E N W R T    C O N F I G     F I L E S    * * * * * * * * * * * * * * * * * * * * * *
#Working configs to boot up OpenWRT router w/ AA 12.09

Interfaces defined by Luci:
br-LAN1 Link encap:Ethernet  HWaddr 00:26:5A:D2:33:77  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:513 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:64859 (63.3 KiB)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr 00:26:5A:D2:33:77  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:248895 errors:0 dropped:0 overruns:0 frame:0
          TX packets:232281 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:36434590 (34.7 MiB)  TX bytes:21143615 (20.1 MiB)
          Interrupt:5 

eth1      Link encap:Ethernet  HWaddr 00:26:5A:D2:33:76  
          inet addr:192.168.11.1  Bcast:192.168.11.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:4 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1277856 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1277856 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:86894208 (82.8 MiB)  TX bytes:86894208 (82.8 MiB)

wlan0     Link encap:Ethernet  HWaddr 00:26:5A:D2:33:76  
          inet addr:192.168.13.1  Bcast:192.168.13.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32 
          RX bytes:0 (0.0 B)  TX bytes:192 (192.0 B)

wlan0-1   Link encap:Ethernet  HWaddr 02:26:5A:D2:33:77  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32 
          RX bytes:0 (0.0 B)  TX bytes:420 (420.0 B)


Firewall:   # these settings are temporary and will be overwritten when Shorewall-lite loads
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone				
        option name 'lan'
        option network 'lan' 'LAN_1' 'LAN_2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        
config zone						
        option name 'wan'
        option network 'wan' 
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'        

config include
        option path '/etc/firewall.user'

Wireless:
config wifi-device 'radio0'
        option type 'mac80211'
        option macaddr '00:26:5a:d2:43:71'
        option hwmode '11ng'
        option htmode 'HT20'
        list ht_capab 'SHORT-GI-40'
        list ht_capab 'TX-STBC'
        list ht_capab 'RX-STBC1'
        list ht_capab 'DSSS_CCK-40'
        option channel '1'
        option txpower '20'
        option country 'US'

config wifi-iface
        option device 'radio0'
        option encryption 'psk2'
        option mode 'ap'
        option key 'ThisIsSupposedToBeASecretPassphrase'
        option ssid 'LAN1'
        option network 'LAN_1'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'LAN2'
        option network 'LAN_2'
        option encryption 'psk2'
        option key 'ThisOneIsAlsoSupposedToBeASecret'
       
network:
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'

config switch
        option name 'eth0'
        option reset '1'

config switch_vlan
        option device 'eth0'
        option vlan '1'
        option ports '0 1 2 3 4'
        option vid '1'

config interface 'LAN_1'
        option proto 'static'
        option ifname 'wlan0'
        option ipaddr '192.168.13.1'
        option netmask '255.255.255.0'

config interface 'LAN_2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option _orig_ifname 'wlan0'
        option _orig_bridge 'false'

config interface 'all_COM'
        option type 'bridge'
        option proto 'static'
        option ifname 'eth0'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        # assign your ISP's DNS server here
        option dns '123.231.132.213'

System:
config system
        option hostname 'COM_ap'
        option zonename 'UTC'
        option timezone 'GMT0'
        option conloglevel '8'
        option cronloglevel '8'

config timeserver 'ntp'
        list server '0.OpenWRT.pool.ntp.org'
        list server '1.OpenWRT.pool.ntp.org'
        list server '2.OpenWRT.pool.ntp.org'
        list server '3.OpenWRT.pool.ntp.org'
        option enable_server '1'

config led 'led_wan'
        option name 'WAN'
        option sysfs 'd-link:green:wan'
        option trigger 'netdev'
        option dev 'eth1'
        option mode 'link tx rx'

config led 'led_lan1'
        option name 'LAN1'
        option sysfs 'd-link:green:lan1'
        option trigger 'switch0'
        option port_mask '0x02'

config led 'led_lan2'
        option name 'LAN2'
        option sysfs 'd-link:green:lan2'
        option trigger 'switch0'
        option port_mask '0x04'

config led 'led_lan3'
        option name 'LAN3'
        option sysfs 'd-link:green:lan3'
        option trigger 'switch0'
        option port_mask '0x08'

config led 'led_lan4'
        option name 'LAN4'
        option sysfs 'd-link:green:lan4'
        option trigger 'switch0'
        option port_mask '0x10'      
* * * * * * * * * * * * * * * * * *   E O F    O P E N W R T    C O N F I G     F I L E S    * * * * * * * * * * * * * * * * * * * * * *


  • Install the Shorewall-lite IPK file on the OpenWRT router (e.g. shorewall-lite_4.4.27.3-4_ar71xx.ipk). This may work best from the command line: opkg update; opkg install shorewall-lite
  • Have both the nanny and the OpenWRT router up, running and networked.
  • Check the OpenWRT router's /etc/config/dropbear file to assure the interfaces listed there are valid; use uci to show the dropbear settings:


  uci show dropbear
        option PasswordAuth 'on'
        option Port '22'
        option Interface 'br-LAN1'

  Edit /etc/config/dropbear to repair as needed, then run uci commit when done.

  • From the host OpenWRT router, create and copy the Shorewall capabilities file to the nanny:


cd /usr/share/shorewall-lite
./shorecap > /tmp/capabilities
scp /tmp/capabilities [nanny user name]@192.168.1.30:~/Oexample/

  • Check the work, sort out your recovery route (fail-safe mode, etc) in case you need it.
  • Use UCI|Luci interface System/Startup/initscripts to set the router to not start the OpenWRT firewall on boot. You may, as an alternative suited to safe-mode recovery, edit the OpenWRT router /etc/init.d dir and move the firewall script to say, ../firewall.initd, and if you want, you can restore it to /etc/init.d/firewall .
  • To avoid a reporting error, create the file /usr/sbin/tac as:

#!/bin/sh
# minimal stand-in for tac: number the lines, then sort them in reverse
if ! [ $# -gt 0 ]; then
    exit
fi
if [ "$1" != "" ]; then
    grep -n . "$1" | sort -r -n
fi

  • On the nanny, cd ~/Oexample, then run:

/sbin/shorewall load 192.168.1.1

where 192.168.1.1 is the OpenWRT host router's IP address. You'll need to fix compiler errors and hand off passwords until the command succeeds; then the firewall will be copied to and launched on the OpenWRT router. To test it from the install session, use the shorewall-lite status and shorewall-lite dump commands on the OpenWRT router, and send test packets to/from each zone. When you restart the OpenWRT router, the pre-existing session connections of the last session are lost. NB: you can readily lock yourself out editing the policies in this example, but that's the point of a firewall. Fail-Safe mode will allow you to mount_root and hand edit the /etc files. Revert to the OpenWRT firewall and reboot to revise and reload your Shorewall-Lite settings.


  • When things are right, you will see something like this:


root@192.168.1.1's password: 
root@192.168.1.1's password: 
Compiling...
Processing ~/Oexample/params ...
Processing ~/Oexample/Shorewall.conf...
   WARNING: Unknown capability (RAWPOST_TABLE) ignored : ~/Oexample/capabilities (line 26)
   WARNING: Unknown capability (ULOG_TARGET) ignored : ~/Oexample/capabilities (line 50)
   WARNING: Unknown capability (NFLOG_TARGET) ignored : ~/Oexample/capabilities (line 51)
   WARNING: Unknown capability (CONDITION_MATCH) ignored : ~/Oexample/capabilities (line 61)
   WARNING: Unknown capability (IPTABLES_S) ignored : ~/Oexample/capabilities (line 62)
   WARNING: Unknown capability (BASIC_FILTER) ignored : ~/Oexample/capabilities (line 63)
   WARNING: Unknown capability (CT_TARGET) ignored : ~/Oexample/capabilities (line 64)
Compiling ~/Oexample/zones...
Compiling ~/Oexample/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /usr/share/Shorewall/action.Drop for chain Drop...
Compiling /usr/share/Shorewall/action.Broadcast for chain Broadcast...
Compiling /usr/share/Shorewall/action.Invalid for chain Invalid...
Compiling /usr/share/Shorewall/action.NotSyn for chain NotSyn...
Compiling /usr/share/Shorewall/action.Reject for chain Reject...
Compiling ~/Oexample/policy...
Running ~/Oexample/initdone...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling ~/Oexample/masq...
   WARNING: Using an interface as the masq SOURCE requires the interface to be up and configured when Shorewall starts/restarts : ~/Oexample/masq (line 12)
Compiling MAC Filtration -- Phase 1...
Compiling ~/Oexample/rules...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating iptables-restore input...
Compiling ~/Oexample/routestopped...
Shorewall configuration compiled to ~/Oexample/firewall
Copying ~/Oexample/firewall and ~/Oexample/firewall.conf to 192.168.1.1:/etc/shorewall-lite/state...
root@192.168.1.1's password: 
firewall                                                                                   100%   69KB  69.3KB/s   00:00    
firewall.conf                                                                              100%  981     1.0KB/s   00:00    
Copy complete
root@192.168.1.1's password: 
System 192.168.1.1 loaded


  • Shorewall-Lite is now running. Use UCI|Luci interface System/Startup/initscripts to enable 'Shorewall'.
  • To change any of the rules, zones, or other Shorewall settings on the OpenWRT router, revise the files in ~/Oexample and run the above "Shorewall load" command again. If the capabilities of the OpenWRT router change (for example after a kernel or iptables module update), rerun /usr/share/Shorewall-lite/shorecap on the router, scp the new capabilities file to the host again, and re-run Shorewall load.

Shorewall Documentation:

Complete example with QoS

Introduction

In this section you will find a complete example of a working firewall configuration in openwrt using shorewall-lite.

Setup

In this example the host is a debian wheezy box with shorewall 4.5.5.3-3 (debian version). The target is a TP-Link WDR3600 with BARRIER BREAKER (Bleeding Edge, r38408).

Goals:

  • manage the router's QoS configuration with shorewall.

In this setup, we assume a working OpenWrt configuration, so we will focus on the firewall configuration only.

Required packages

The following additional packages were used in the setup:

  • conntrack-tools
  • kmod-ipt-nathelper-extra
  • shorewall-lite
  • kmod-sched
  • iptables-mod-extra

Shorewall setup on the host

This setup works for me. Please adapt it to your needs.

When satisfied, disable the built-in firewall and enable shorewall-lite.

zones


fw	firewall
lan	ipv4
wan	ipv4

interfaces


wan	eth0.2		detect		dhcp
lan	br-lan		X.X.X.X 	routeback,bridge,dhcp

policy


$FW		all		ACCEPT
lan		wan		ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all             all             DROP		info

masq


eth0.2			X.X.X.X/Y	detect

routestopped


br-lan		-			-		tcp	22

rules


SSH(ACCEPT)	all		$FW
HTTP(ACCEPT)	all		$FW
NTP(ACCEPT)	all		$FW
ACCEPT		all		$FW		udp	domain,mdns
ACCEPT		all		$FW		tcp	domain,mdns
ACCEPT		lan		wan		udp	sip
ACCEPT		lan		wan		tcp	sip
ACCEPT		all		$FW		icmp	echo-request
ACCEPT		all		$FW		icmp	echo-reply
ACCEPT		lan		wan		icmp
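The policy, routestopped and rules files above decide whether you keep a way back into the router, which is the lock-out risk the load step warns about. As an added example that is not part of the original recipe, the POSIX sh script below checks a directory laid out like ~/Oexample before you run "Shorewall load"; the file names and sample entries it writes are taken from this page, the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original recipe: sanity-check a Shorewall
# config directory laid out like ~/Oexample above before "shorewall load",
# catching the two lock-out mistakes the recipe warns about.

# Drop comments and blank lines, squeeze whitespace so fields split cleanly.
sw_lines() {
    sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$1" |
        grep -v '^$'
}

# The catch-all "all all DROP" policy must be the LAST line of policy.
check_policy_last() {
    [ "$(sw_lines "$1/policy" | tail -n 1 | cut -d' ' -f1-3)" = "all all DROP" ]
}

# routestopped must keep admin SSH (tcp 22) open on the LAN interface while
# the firewall is stopped, or a bad load strands you outside the router.
check_routestopped_ssh() {
    sw_lines "$1/routestopped" | awk -v ifc="$2" \
        '$1 == ifc && $4 == "tcp" && $5 == "22" { ok = 1 } END { exit !ok }'
}

# rules must still admit SSH to the firewall itself ($FW) once it is running.
check_rules_ssh() {
    sw_lines "$1/rules" | grep -q '^SSH(ACCEPT) [^ ]* \$FW'
}

# usage: check_config DIR LAN_IFACE   (exit 0 when all three checks pass)
check_config() {
    check_policy_last "$1" && check_routestopped_ssh "$1" "$2" && check_rules_ssh "$1"
}

# Constructed sample mirroring the recipe's policy/routestopped/rules files.
make_sample_dir() {
    d=$(mktemp -d)
    printf '$FW\tall\tACCEPT\nlan\twan\tACCEPT\n# MUST BE LAST\nall\tall\tDROP\tinfo\n' > "$d/policy"
    printf 'br-lan\t-\t-\ttcp\t22\n' > "$d/routestopped"
    printf 'SSH(ACCEPT)\tall\t$FW\nHTTP(ACCEPT)\tall\t$FW\n' > "$d/rules"
    echo "$d"
}

# Same sample with the DROP policy moved out of last place (should fail).
make_broken_dir() {
    d=$(make_sample_dir)
    printf 'all\tall\tDROP\tinfo\nlan\twan\tACCEPT\n' > "$d/policy"
    echo "$d"
}
```

Run it against your real directory with `check_config ~/Oexample br-lan` (or whatever your LAN interface is) and only hand the directory to Shorewall load when it exits 0.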

tcpri


COMMENT email traffic
3	tcp	143,220,993,110,995
COMMENT http traffic
2	tcp	80
COMMENT https traffic
2	tcp	443
COMMENT ssh traffic
2	tcp	22
COMMENT openvpn traffic
2	tcp	1194
COMMENT fast ping
1	icmp	echo-reply
1	icmp	echo-request
COMMENT dns traffic
1	udp	53,5353
COMMENT ntp traffic
1	udp	123
COMMENT SIP traffic 
1	udp	5060		-		-		sip
1	tcp	5060		-		-		sip

tcinterfaces


eth0.2		external	80mbit:90mbit		80mbit:90mbit:10ms

tcrules


COMMENT SIP traffic
1:CT   		0.0.0.0/0	0.0.0.0/0	udp	5060 - - - - - - sip
1:CT   		0.0.0.0/0	0.0.0.0/0	tcp	5060 - - - - - - sip

COMMENT check and restore connection marks to packets
RESTORE:T  	0.0.0.0/0	0.0.0.0/0       all     -     -        -      0
CONTINUE:T 	0.0.0.0/0	0.0.0.0/0       all     -     -        -      !0:C

COMMENT save connection marks
SAVE:T     	0.0.0.0/0	0.0.0.0/0	all     -     -        -      !0

doc/recipes/shorewall-on-openwrt.txt · Last modified: 2013/10/28 08:24 by lorema