Firewall Setup
Install Shorewall
Configuring Shorewall for IPv6 is nearly identical to how I did it for IPv4. The biggest different is I can skip most things related to masquerading since that is less often necessary in the world of IPv6.
The only changes that need to be made is installing and configuring shorewall6. I am not going to go over everything again since it is nearly identical to Firewall Setup under IPv4 but pay close attention to the path is now /etc/shorewall6
# apt install shorewall6
# /etc/shorewall6/shorewall.conf
- LOG_LEVEL="info"
+ LOG_LEVEL="NFLOG(1,0,1)"
...
- LOGFILE=/var/log/messages
+ LOGFILE=/var/log/firewall.log
...
- IP_FORWARDING=Keep
+ IP_FORWARDING=Yes
# /etc/shorewall/zones
+ #------------------------------------------------------------------------------
+ # For information about entries in this file, type "man shorewall-zones"
+ #
+ # See http://shorewall.org/manpages/shorewall-zones.html for more information
+ ###############################################################################
+ #ZONE TYPE OPTIONS IN OUT
+ # OPTIONS OPTIONS
+ fw firewall
+ wan ipv4
+ lan ipv4
+ dmz ipv4
+ warp ipv4
+ wg ipv4
# /etc/shorewall/interfaces
+ # /etc/shorewall/interfaces
+ #------------------------------------------------------------------------------
+ # For information about entries in this file, type "man shorewall6-interfaces"
+ #
+ # See http://shorewall.org/manpages/shorewall-interfaces.html for more information
+ ###############################################################################
+ ?FORMAT 2
+ ###############################################################################
+ #ZONE INTERFACE OPTIONS
+ wan WAN_IF tcpflags,dhcp,forward=1,accept_ra=2,sourceroute=0,physical=eth0
+ lan LAN_IF tcpflags,dhcp,forward=1,physical=eth1
+ dmz DMZ_IF tcpflags,dhcp,forward=1,physical=eth1.8
+ warp WARP_IF tcpflags,dhcp,forward=1,physical=eth1.9
+ wg WGAZSE1_IF tcpflags,forward=1,physical=wgazse1
My real policy differs slightly but I included a basic example policy.
# /etc/shorewall/policy
+ #------------------------------------------------------------------------------
+ # For information about entries in this file, type "man shorewall6-policy"
+ #
+ # See http://shorewall.org/manpages/shorewall-policy.html for more information
+ ###############################################################################
+ #SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
+
+ lan wan ACCEPT $LOG_LEVEL
+ warp wg ACCEPT
+
+ wan all DROP $LOG_LEVEL
+ # THE FOLLOWING POLICY MUST BE LAST
+ all all REJECT $LOG_LEVEL
# /etc/shorewall/rules
+ #------------------------------------------------------------------------------------------------------------
+ # For information about entries in this file, type "man shorewall-rules"
+ #
+ # See http://shorewall.net/manpages/shorewall-rules.html for more information
+ ######################################################################################################################################################################################################
+ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
+ # PORT PORT(S) DEST LIMIT GROUP
+ ?SECTION ALL
+ ?SECTION ESTABLISHED
+ ?SECTION RELATED
+ ?SECTION INVALID
+ ?SECTION UNTRACKED
+ ?SECTION NEW
+
+ # Don't allow connection pickup from the net
+ Invalid(DROP) wan all tcp
+
+ DNS(ACCEPT) all!wan,warp $FW
+ DNS(ACCEPT) $FW,dmz lan:10.0.1.2
+
+ Web(ACCEPT) dmz $FW
+ Web(DNAT) wan dmz:10.0.8.2
Last but not least is the magic that allows private addresses to access the greater Internet by masquerading as the one public IPv4 address I am assigned. The following just says all traffic heading out of WAN_IF (eth0) coming from a private IP range should be masqueraded.
# /etc/shorewall/snat
+ #------------------------------------------------------------------------------
+ # For information about entries in this file, type "man shorewall-snat"
+ #
+ # See http://shorewall.org/manpages/shorewall-snat.html for more information
+ ###########################################################################################################################################
+ #ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
+ MASQUERADE ::/0 WGAZSE1_IF
Just like before it might be wise to run shorewall6 check just to make sure I didn't have any typos.
I already enabled shorewall-init to secure the system during boot, so to hook in shorewall6 I just need to edit its configuration and then enable shorewall6 to start at boot like I already did for shorewall and shorwall-init.
# /etc/default/shorewall-init
- PRODUCTS="shorewall"
+ PRODUCTS="shorewall shorewall6"
Then we simply tell them to start at boot.
# systemctl enable shorewall6
Modify Interfaces
Now that Shorewall will secure everything at bootup it is safe to upate my /etc/networking/interfaces with their addresses.
# /etc/networking/interfaces
auto eth1
- iface eth1 inet manual
+ iface eth1 inet static
+ address 10.0.1.1/21
auto eth1.8
- iface eth1.8 inet manual
+ iface eth1.8 inet static
vlan-raw-device eth1
+ address 10.0.8.1/24
auto eth1.9
- iface eth1.9 inet manual
+ iface eth1.9 inet static
vlan-raw-device eth1
+ address 10.0.9.1/24
Now if I reboot the system all my interfaces will come up configured and the system will be protected by nftables/iptables configured by Shorewall.
Be sure to sanity check your configuration, if you need to SSH into a system to configure it Shorewall has to allow SSH traffic.
# reboot