How To Set Up a Shorewall Netfilter Firewall on OpenWRT Wireless Routers.   Posted: March 29, 2014
Many common 802.11abgn wifi access point routers can support OpenWRT firmware. Replacing their factory programs with OpenWRT can often add features and security, and will provide a uniform body of operating system and software across a disparate array of different makes and brands of wireless access points. Having a common operating system and software base makes the gear much easier to secure and manage.

About OpenWRT UCI Firewall: For most users, the current default OpenWRT UCI firewall manager will be their best choice. For those managing different generations of OpenWRT routers, or those who want to use the same firewall manager on all their Linux based devices, Shorewall may be a better answer.

About Shorewall: The Shoreline firewall is a well designed firewall manager for Linux netfilter (https://www.shorewall.net/shorewall_index.htm#WhatIs). A runtime package, Shorewall-Lite, can be hosted on one device (e.g. an OpenWRT router) but built on another (the "nanny"). Shorewall-Lite is otherwise nearly identical to the full Shorewall package. Shorewall is one of the oldest ongoing Linux netfilter firewall managers around, offering a stable user interface to zone based firewalling across platforms for more than a decade.

Shorewall meshes well with OpenWRT. The other UCI/LuCI components, and tools such as the firewall/IP chain report, continue to perform as intended. Shorewall or Shorewall-Lite has been available on most OpenWRT releases (WR, BF, AA, etc.). This example will use the Shorewall-Lite package.

By design, Shorewall offers the user a script based fine grained startup, runtime, and shutdown sequence. This file based sequence works around the different generations and implementations of run levels and network initializations found in the real world of Linux versions and distributions. Once you have developed a set of networks, routes, zones, rules and policies, you can readily duplicate those across all your Shorewall installations on those networks. Shorewall is a single setup and firewall solution that makes extending, altering and managing a heterogeneous system of networks easier. See the bottom of this document for URLs to Shorewall.

If you do not need Shorewall, stick with the OpenWRT UCI firewall. You will likely not get Shorewall support from OpenWRT staff.

Example Installation

Firewall zones isolate networks, sub-networks, and individual machines from other networks and nodes. Port traffic is firewalled (blocked) across zones, subject to the policies and rules you define to manage cross zone traffic. For many situations, limiting network access to resources is handy, if not necessary. Constraining infection vectors to their zones advances basic digital hygiene.

The firewall in this example is Procrustean, set to cut off all traffic as a policy. You must set rules to ACCEPT port traffic. Only the ports, networks, and, if you like, machine MAC addresses explicitly allowed in the Shorewall rules configuration file will pass traffic between zones. Most firewall policies are more relaxed than this, but such policies make for a good exercise, and with management, good firewalls. Manifestly, you can relax Shorewall policy and rules to allow packets and choose to log, inspect, and then build DENY rules, for a lighter touch. The firewall in this example has one inbound (net) port open and forwarded to a single workstation in Lan1; all other inbound net connections are dropped. Outbound connections from the Lan zones that meet the rules are connected to the net. In this example the Lan zones are firewalled from one another. You can find additional instruction for a similar example in the Shorewall documentation: https://www.shorewall.net/three-interface.htm

The use of the labels "Lan1" and "Lan2" in this example is inductive, and one can add more zones, e.g. "Lan3".."LanN", using the first pair as models by editing the Shorewall configuration. The "Lan" label used in the OpenWRT configuration files (below), and its permutations ("LAN", "LAN_", etc.), is arbitrary, and you may use your own naming system for zones, networks, and SSIDs, using the example files found here as a model.

In this example scenario, two distinct groups of users need to share one OpenWRT router. One group is working with secure financial data and public monies in a managed work environment with a fixed group of antiviral scanned PCs and known applications, the second group is an undisciplined revolving public meeting group with all manners and generations of wireless devices with unknown applications, any of which may be a malware vector. This second group also requires certain streaming media access that is not allowed to the first group. Both groups will share a router, firewall, and internet gateway. Each group has a zone to itself, with differing rules based on those zones.

In this example the host router must be Multi-SSID capable. As a demonstration, an ar71xx chip set router is set up as a single 802.11G radio with two VAP WPA2-PSK radio interfaces, two Ethernet interfaces, and a bridge from one of the radio interfaces to one of the Ethernet interfaces (LAN1+Eth0), called "br-LAN1". The SSIDs are 'LAN1' and 'LAN2'. VLAN zones could be substituted for the VAPs, but that won't be described here.

LAN1 in this example is the 192.168.1.0/24 net. LAN1, as a member of the firewall zone 'Lan1', allows no dhcp, nor any packets from LAN2 (Shorewall zone Lan2). This example firewall will DNAT forward a single "net" zone (inbound from the internet) ssh port to Lan1, and has some zone specific firewall rules and policies.

LAN2 is the 192.168.2.0/24 net. LAN2 has a dhcp server, and no firewall prohibitions on the requisite ports (53, 67, 68). LAN2 is the 'Lan2' zone in Shorewall, and has its own specific firewall rules and policies.

Two more Shorewall zones are defined in this example, the firewall itself ($FW), and the internet (net). Generally, connections can initiate from any zone, but most often, they originate from within the Lan zones (outbound packets), or from the net zone as inbound internet packets. Policies and rules control the permission for traffic to cross the firewall zones.

Software versions in this example:

OpenWRT ATTITUDE ADJUSTMENT (12.09, r36088), from https://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/
Shorewall-lite version 4.4.27.3
Shorewall version 4.4.11.6-3

Your versions will likely differ from the examples above, adjust as necessary to conform to your router and current software releases as you work through the below.

To use Shorewall with recent (20130530+) OpenWRT releases (AA, snapshot, etc.), one must disable the default OpenWRT UCI firewall and substitute the Shorewall-Lite package. Shorewall-Lite needs a nanny machine to compile and load the firewall to the OpenWRT (Shorewall-Lite host) router. The nanny will manage all the configuration files and needs a net connection to load the compiled firewall to the OpenWRT host device.

The Nanny Setup:

In this example the nanny has the IP 192.168.1.30, but you can assign other values in the Lan1 zone.

Download and install Shorewall (not Shorewall-Lite) on the nanny. The nanny's Shorewall and host's Shorewall-Lite versions should be the same major.minor release. Check the OpenWRT package dir, e.g.:

"https://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/package/" for the available Shorewall-Lite major.minor release for your router's chip set.

Note the "ar71xx" in the above URL: substitute your router's chip set acronym into the URL, e.g.: ar7, brcm47xx, ramips etcetera, to find the correct package for your router and OpenWRT release. Conform the nanny's Shorewall release to that version.

For general instructions see https://www.shorewall.net/CompiledPrograms.html.

The Shorewall documentation offers this regarding the nanny (Note to Debian Users):

If you install using the .deb, you will find that your /etc/Shorewall directory is empty. This is intentional. The released configuration file skeletons may be found on your system in the directory /usr/share/doc/Shorewall/default-config. Simply copy the files you need from that directory to /etc/Shorewall and modify the copies.

If your /etc/Shorewall directory is empty after a vanilla Shorewall install, sort that out before proceeding.

Assert the following in the nanny's /etc/Shorewall.conf:

CONFIG_PATH=/usr/share/Shorewall
STARTUP_LOG=/var/log/Shorewall-lite-init.log

Make the directory ~/Oexample/ and copy all the /etc/Shorewall files (masq, rules, etc) to it. This is your working directory for the OpenWRT host's firewall configuration, analogous to /etc/Shorewall/. You can choose your own directory name, and substitute it for ~/Oexample/. Edit these files to configure the OpenWRT host's firewall.

First, edit the ~/Oexample/routestopped file to add the IP address of the nanny machine like: eth0 192.168.1.30 source,dest.

Next, construct your ~/Oexample/ Shorewall files. The example below shows a file name header (init:, interfaces:, etc.) followed by the contents of that file, for each Shorewall file needed in this example. Edit your files to conform to the examples below:



* * * * * * * * * * BEGIN SHOREWALL CONFIG FILES * * * * * * * * * *
init:
# Use this file to set the machine state before the firewall starts,
# e.g: to assure that the internet interface is ready,
# or to set static routes and the like. It is very handy to have a common system across the networks to assign routes.
#
# Example: uncomment the ## lines below to delay Shorewall while a tardy DSL gateway negotiates its IP,
# and to assert static routes through .1.7 to .5.0, .50.0, and .51.0
#
# example workaround DSL not starting before firewall
##/sbin/ifup ppp0
##sleep 5
# example: set up static routes (add a system of networks, using .1.7 as their gateway)
##route add -net 192.168.5.0 netmask 255.255.255.0 gw 192.168.1.7
##route add -net 192.168.50.0 netmask 255.255.255.0 gw 192.168.1.7
##route add -net 192.168.51.0/24 gw 192.168.1.7
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
net eth1
lan1 br-LAN1
lan2 wlan0-1

masq:
#INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/GROUP
eth1 br-LAN1
eth1 wlan0-1

policy:
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
$FW net DROP info
lan1 all REJECT info
lan2 all REJECT info
net all DROP
all all DROP

routestopped:
#INTERFACE HOST(S) OPTIONS PROTO DEST PORT(S) SOURCE PORT(S)
br-LAN1 192.168.1.3 source,dest

rules:
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW

#ftp fw to net (for updates, uncomment only as needed)
##ACCEPT $FW net tcp ftp - - - -
#http, https: fw to net (blocked outbound)
##ACCEPT $FW net tcp http - - - -
##ACCEPT $FW net tcp https - - - -

ACCEPT lan1 net tcp 82 # XFER Utility (TCP/UDP)
DNAT net lan1:192.168.1.3:22 tcp 53260 # inbound ssh on oddball port (53260), bound to a single machine
ACCEPT lan1 net tcp 53260 - - - - #outbound nanny ssh, also on oddball port

# Use first rules for lower latency-streaming
ACCEPT lan1 net tcp 554 - # realaudio-outbound tcp
ACCEPT lan1 net tcp 7070 - # realaudio-outbound tcp
ACCEPT lan1 net tcp 7071 - # realaudio
ACCEPT lan1 net tcp 8080 - # realaudio-outbound tcp
ACCEPT lan1 net tcp 8081 - # realaudio
ACCEPT lan1 net tcp rtsp - # realaudio-outbound call
ACCEPT lan2 net tcp 554 - # realaudio-outbound tcp
ACCEPT lan2 net tcp 7070 - # realaudio-outbound tcp
ACCEPT lan2 net tcp 7071 - # realaudio
ACCEPT lan2 net tcp 8080 - # realaudio-outbound tcp
ACCEPT lan2 net tcp 8081 - # realaudio
ACCEPT lan2 net tcp rtsp - # realaudio-outbound call
ACCEPT lan1 net tcp 8000:8003 - #realaudio-outbound tcp
ACCEPT lan1 net udp 8000:8003 - # realaudio-outbound udp
ACCEPT lan2 net tcp 8000:8003 - #realaudio-outbound tcp
ACCEPT lan2 net udp 8000:8003 - # realaudio-outbound udp
ACCEPT lan1 net tcp 1755 - #windowsmedia
#ACCEPT net lan1 tcp 1755 - #windowsmedia
ACCEPT lan2 net tcp 1755 - #windowsmedia
#ACCEPT net lan2 tcp 1755 - #windowsmedia
ACCEPT lan1 net udp 53 - - - - #dns
ACCEPT lan1 net tcp 53 - - - - #dns
ACCEPT lan2 net udp 53 - - - - #dns
ACCEPT lan2 net tcp 53 - - - - #dns
ACCEPT lan1 $FW tcp 53 - - - - #dns
ACCEPT lan1 $FW udp 53 - - - - #dns
ACCEPT lan2 $FW tcp 53 - - - - #dns
ACCEPT lan2 $FW udp 53 - - - - #dns
ACCEPT $FW net tcp 53 - - - - #dns
ACCEPT $FW net udp 53 - - - - #dns
ACCEPT $FW lan1 tcp 53 - - - - #dns
ACCEPT $FW lan1 udp 53 - - - - #dns
ACCEPT $FW lan2 tcp 53 - - - - #dns
ACCEPT $FW lan2 udp 53 - - - - #dns
#ACCEPT lan1 net udp 67:68 - - - - #dhcp
#ACCEPT lan2 net udp 67:68 - - - - #dhcp
ACCEPT lan1 $FW udp 67:68 - - - - #dhcp
ACCEPT lan2 $FW udp 67:68 - - - - #dhcp
ACCEPT $FW net udp 67:68 - - - - #dhcp
ACCEPT $FW lan1 udp 67:68 - - - - #dhcp
ACCEPT $FW lan2 udp 67:68 - - - - #dhcp

# smb: lan1 <-> $FW
ACCEPT lan1 $FW tcp 137:139 - - - - #Enable SMB on LAN1
ACCEPT lan1 $FW tcp 443 - - - - #http protocol over TLS/SSL
ACCEPT $FW lan1 tcp 137:139 - - - - #Enable SMB on LAN1
ACCEPT $FW lan1 tcp 443 - - - - #http protocol over TLS/SSL
# smb: lan2 <-> $FW
#ACCEPT lan2 $FW tcp 137:139 - - - - #Enable SMB on LAN2
#ACCEPT lan2 $FW tcp 443 - - - - #http protocol over TLS/SSL
#ACCEPT $FW lan2 tcp 137:139 - - - - #Enable SMB on LAN2
#ACCEPT $FW lan2 tcp 443 - - - - #http protocol over TLS/SSL

#web: outbound (lan to net) http, https, ssh, ftp, time, imap
ACCEPT lan1 net tcp http - - - -
ACCEPT lan1 net tcp https - - - -
ACCEPT lan1 net tcp 443 - - - - #http protocol over TLS/SSL
ACCEPT lan1 net tcp ssh - - - -
ACCEPT lan1 net tcp ftp - - - -
ACCEPT lan1 net tcp nntp - - - -
ACCEPT lan1 net tcp 37 - - - - # time protocol (timesync)
ACCEPT lan1 net tcp imap - - - -
ACCEPT lan2 net tcp http - - - -
ACCEPT lan2 net tcp https - - - -
ACCEPT lan2 net tcp 443 - - - -
ACCEPT lan2 net tcp ssh - - - -
ACCEPT lan2 net tcp ftp - - - -
ACCEPT lan2 net tcp nntp - - - -
ACCEPT lan2 net tcp 37 - - - -
ACCEPT lan2 net tcp imap - - - -
ACCEPT lan1 net udp http - - - -
ACCEPT lan1 net udp https - - - -
ACCEPT lan1 net udp 443 - - - -
ACCEPT lan1 net udp ssh - - - -
ACCEPT lan1 net udp 37 - - - -
ACCEPT lan1 net udp imap - - - -
ACCEPT lan2 net udp http - - - -
ACCEPT lan2 net udp https - - - -
ACCEPT lan2 net udp 443 - - - -
ACCEPT lan2 net udp ssh - - - -
ACCEPT lan2 net udp 37 - - - -
ACCEPT lan2 net udp imap - - - -
#ACCEPT lan1 net tcp 6667 - # irc
#ACCEPT lan1 net udp 6667 - # irc
ACCEPT lan2 net tcp 6667 - # irc
ACCEPT lan2 net udp 6667 - # irc

ACCEPT lan1 net tcp 993 # imaps: imap4 protocol over TLS/SSL (TCP/UDP)
ACCEPT lan1 net udp 993

ACCEPT lan1 net tcp 11371 #OpenPGP HTTP key server
ACCEPT lan1 net udp 11371 #OpenPGP HTTP key server
ACCEPT lan1 net tcp 6420 #OpenPGP HTTP key server
ACCEPT lan1 net udp 6420 #OpenPGP HTTP key server
ACCEPT lan1 net udp 123 - - - - # check time
ACCEPT lan1 net tcp 123 - - - - # check time
ACCEPT lan2 net udp 123 - - - - # check time
ACCEPT lan2 net tcp 123 - - - - # check time
ACCEPT $FW net udp 123 - - - - # check time
ACCEPT $FW net tcp 123 - - - - # check time

#mail
#ACCEPT $FW net tcp pop3 - - - -
ACCEPT lan1 net tcp pop3 - - - -
ACCEPT lan2 net tcp pop3 - - - -
#ACCEPT $FW net tcp smtp - - - -
ACCEPT lan1 net tcp smtp - - - -
ACCEPT lan2 net tcp smtp - - - -
#fw mail IP when chg rqrs port 25
#ACCEPT $FW net tcp 25 - - - -
#ACCEPT $FW net tcp 80 - - - -
#ACCEPT $FW net udp 80 - - -
DROP $FW net tcp 80 - - - - #explicitly kill $FW outbound to net on port 80
DROP $FW net udp 80 - - -
DROP net $FW tcp 80 - - - -
DROP net $FW udp 80 - - -
#mail

#authent
DROP net $FW tcp 113 - - - - #
#ACCEPT net $FW tcp 113 - - - -

#ping: fw to lanx, lanx to net & fw, lanx to lany
ACCEPT $FW lan1 icmp 8 - - - -
ACCEPT $FW lan2 icmp 8 - - - -
ACCEPT lan1 $FW icmp 8 - - - -
ACCEPT lan2 $FW icmp 8 - - - -
ACCEPT lan1 net icmp 8 - - - -
ACCEPT lan2 net icmp 8 - - - -

ACCEPT $FW net tcp ssh - - - - #Enable FW to SSH out
ACCEPT $FW net udp ssh - - - -

# ssh: lan1 to/from fw on std ports
ACCEPT $FW lan1 tcp ssh - - - -
ACCEPT $FW lan1 udp ssh - - - -
ACCEPT lan1 $FW tcp ssh - - - -
ACCEPT lan1 $FW udp ssh - - - -

# httpd/s on fw visible only to lan1
ACCEPT lan1 $FW tcp http - - - -
ACCEPT lan1 $FW udp http - - - -
ACCEPT lan1 $FW tcp https - - - -
ACCEPT lan1 $FW udp https - - - -

#==============================================================
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


zones:
#ZONE
fw firewall
net ipv4 #Internet
lan1 ipv4
lan2 ipv4


Shorewall.conf:
Largely default, though you may need to set the startup variable to 1.
* * * * * * * * * * EOF SHOREWALL CONFIG FILES * * * * * * * * * *
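As an added example, not part of the original post: a small Python evaluator for the policy and rules column format shown in the files above. It answers "would a new connection from zone A to zone B on this protocol and port pass?" the way Shorewall builds its rule matrix: first matching rule wins, otherwise the first matching policy line applies. The POLICY and RULES strings are constructed excerpts of the files above, the service-name table is an assumed subset, and only SECTION NEW semantics are modelled.

```python
# Added example, not code from the original post: evaluate the Shorewall
# 'policy' and 'rules' column format used above. Only SECTION NEW semantics
# are modelled (no ESTABLISHED/RELATED), the service table is an assumed
# subset, and POLICY/RULES are constructed excerpts of the page's files.

SERVICES = {"http": 80, "https": 443, "ssh": 22, "ftp": 21, "imap": 143,
            "rtsp": 554, "nntp": 119, "pop3": 110, "smtp": 25}

# Constructed excerpt of the policy file: SOURCE DEST POLICY [LOG]
POLICY = """
$FW  net  DROP    info
lan1 all  REJECT  info
lan2 all  REJECT  info
net  all  DROP
all  all  DROP
"""

# Constructed excerpt of the rules file: ACTION SOURCE DEST PROTO DPORT ...
RULES = """
SECTION NEW
DNAT   net  lan1:192.168.1.3:22 tcp 53260   # inbound ssh on an oddball port
ACCEPT lan1 net tcp 53260     - - - -       # outbound nanny ssh
ACCEPT lan1 net tcp 8000:8003 -             # realaudio port range
ACCEPT lan1 net tcp http      - - - -
ACCEPT lan2 net tcp http      - - - -
ACCEPT lan1 net udp 53        - - - -       # dns
ACCEPT lan1 $FW tcp ssh       - - - -
ACCEPT $FW  net tcp ssh       - - - -
DROP   $FW  net tcp 80        - - - -       # explicit, on top of the policy
"""


def parse(text):
    """Token lists per line, minus comments, blank lines and SECTION markers."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("SECTION"):
            rows.append(line.split())
    return rows


def port_matches(spec, port):
    """DPORT column: '-' is any, 'a:b' a range, names resolve via SERVICES."""
    if spec == "-":
        return True
    lo, _, hi = spec.partition(":")
    lo = int(SERVICES.get(lo, lo))
    hi = int(SERVICES.get(hi, hi)) if hi else lo
    return lo <= port <= hi


def dest_zone(dest):
    """A DNAT DEST such as 'lan1:192.168.1.3:22' names its zone first."""
    return dest.split(":", 1)[0]


def verdict(src, dst, proto, port, rules=RULES, policy=POLICY):
    """Action for a new SRC->DST connection: first matching rule wins,
    otherwise the first matching policy line ('all' is a wildcard)."""
    for cols in parse(rules):
        action, rsrc, rdst, rproto = cols[:4]
        dport = cols[4] if len(cols) > 4 else "-"
        if (rsrc == src and dest_zone(rdst) == dst and rproto == proto
                and port_matches(dport, port)):
            return action
    for psrc, pdst, pol, *_ in parse(policy):
        if psrc in (src, "all") and pdst in (dst, "all"):
            return pol
    raise ValueError("no policy covers %s -> %s" % (src, dst))


if __name__ == "__main__":
    probes = [("net", "lan1", "tcp", 53260), ("net", "lan1", "tcp", 22),
              ("lan1", "lan2", "tcp", 80), ("lan1", "net", "tcp", 8002),
              ("$FW", "net", "tcp", 80), ("lan2", "$FW", "tcp", 22)]
    for src, dst, proto, port in probes:
        print("%-4s -> %-4s %s/%-5d : %s"
              % (src, dst, proto, port, verdict(src, dst, proto, port)))
```

Swap in your own rules and policy text to check that a planned edit does not open a path between the Lan zones before you run "Shorewall load".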

The OpenWRT Host Setup

Setup the OpenWRT host. See the wiki (https://wiki.openwrt.org/toh/start) for your specific hardware, and flash the OpenWRT host router.

Use UCI/Luci setup (https://wiki.openwrt.org/doc/uci) to setup IP addressing on the router (see below):

Wan      192.168.11.1
Lan      192.168.10.1
LAN_1    192.168.13.1
LAN_2    192.168.2.1
br-LAN1  192.168.1.1

* * * * * * * * * * BEGIN OPENWRT CONFIG FILES * * * * * * * * * *
#Working configs to boot up OpenWRT router w/ AA 12.09

Interfaces defined by Luci:
br-LAN1 Link encap:Ethernet HWaddr 00:26:5A:D2:33:77
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:513 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:64859 (63.3 KiB) TX bytes:0 (0.0 B)

eth0 Link encap:Ethernet HWaddr 00:26:5A:D2:33:77
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:248895 errors:0 dropped:0 overruns:0 frame:0
TX packets:232281 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:36434590 (34.7 MiB) TX bytes:21143615 (20.1 MiB)
Interrupt:5

eth1 Link encap:Ethernet HWaddr 00:26:5A:D2:33:76
inet addr:192.168.11.1 Bcast:192.168.11.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:4

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1277856 errors:0 dropped:0 overruns:0 frame:0
TX packets:1277856 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:86894208 (82.8 MiB) TX bytes:86894208 (82.8 MiB)

wlan0 Link encap:Ethernet HWaddr 00:26:5A:D2:33:76
inet addr:192.168.13.1 Bcast:192.168.13.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:192 (192.0 B)

wlan0-1 Link encap:Ethernet HWaddr 02:26:5A:D2:33:77
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:420 (420.0 B)


Firewall: #<===== These are temporary and will be overwritten when Shorewall-lite loads.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'lan'
option network 'lan' 'LAN_1' 'LAN_2'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
option network 'wan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config include
option path '/etc/firewall.user'

Wireless:
config wifi-device 'radio0'
option type 'mac80211'
option macaddr '00:26:5a:d2:43:71'
option hwmode '11ng'
option htmode 'HT20'
list ht_capab 'SHORT-GI-40'
list ht_capab 'TX-STBC'
list ht_capab 'RX-STBC1'
list ht_capab 'DSSS_CCK-40'
option channel '1'
option txpower '20'
option country 'US'

config wifi-iface
option device 'radio0'
option encryption 'psk2'
option mode 'ap'
option key 'ThisIsSupposedToBeASecretPassphrase'
option ssid 'LAN1'
option network 'LAN_1'

config wifi-iface
option device 'radio0'
option mode 'ap'
option ssid 'LAN2'
option network 'LAN_2'
option encryption 'psk2'
option key 'ThisOneIsAlsoSupposedToBeASecret'

network:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config interface 'lan'
option ifname 'eth0'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'

config interface 'wan'
option ifname 'eth1'
option proto 'static'
option ipaddr '192.168.11.1'
option netmask '255.255.255.0'

config switch
option name 'eth0'
option reset '1'

config switch_vlan
option device 'eth0'
option vlan '1'
option ports '0 1 2 3 4'
option vid '1'

config interface 'LAN_1'
option proto 'static'
option ifname 'wlan0'
option ipaddr '192.168.13.1'
option netmask '255.255.255.0'

config interface 'LAN_2'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option _orig_ifname 'wlan0'
option _orig_bridge 'false'

config interface 'all_COM'
option type 'bridge'
option proto 'static'
option ifname 'eth0'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option dns '123.231.132.213'   # <= assign your ISP's DNS here

System:
config system
option hostname 'COM_ap'
option zonename 'UTC'
option timezone 'GMT0'
option conloglevel '8'
option cronloglevel '8'

config timeserver 'ntp'
list server '0.OpenWRT.pool.ntp.org'
list server '1.OpenWRT.pool.ntp.org'
list server '2.OpenWRT.pool.ntp.org'
list server '3.OpenWRT.pool.ntp.org'
option enable_server '1'

config led 'led_wan'
option name 'WAN'
option sysfs 'd-link:green:wan'
option trigger 'netdev'
option dev 'eth1'
option mode 'link tx rx'

config led 'led_lan1'
option name 'LAN1'
option sysfs 'd-link:green:lan1'
option trigger 'switch0'
option port_mask '0x02'

config led 'led_lan2'
option name 'LAN2'
option sysfs 'd-link:green:lan2'
option trigger 'switch0'
option port_mask '0x04'

config led 'led_lan3'
option name 'LAN3'
option sysfs 'd-link:green:lan3'
option trigger 'switch0'
option port_mask '0x08'

config led 'led_lan4'
option name 'LAN4'
option sysfs 'd-link:green:lan4'
option trigger 'switch0'
option port_mask '0x10'
* * * * * * * * * * EOF OPENWRT CONFIG FILES * * * * * * * * * *

Install the Shorewall-lite IPK package on the OpenWRT router (e.g. Shorewall-lite_4.4.27.3-4_ar71xx.ipk). This may work best from the command line: opkg update; opkg install Shorewall-lite

Have both the host and OpenWRT router up, running and networked.

Check the OpenWRT router's /etc/config/dropbear file to assure the interfaces listed there are valid; use uci to show the dropbear settings:


uci show dropbear
option PasswordAuth 'on'
option Port '22'
option Interface 'br-LAN1'

Edit /etc/config/dropbear to repair as needed and then run uci commit when done.

From the host OpenWRT router, create and copy the Shorewall capabilities file to the nanny:


cd /usr/share/Shorewall-lite
./shorecap >/tmp/capabilities
scp /tmp/capabilities [Your Home Directory Here]@192.168.1.30:~/Oexample/.

Check the work, sort out your recovery route (fail-safe mode, etc) in case you need it.

Use the UCI|Luci interface System/Startup/initscripts to set the router not to start the OpenWRT firewall on boot. As an alternative suited to safe-mode recovery, you may edit the OpenWRT router's /etc/init.d directory and move the firewall script to, say, ../firewall.initd; you can later restore it to /etc/init.d/firewall if you want.

To avoid a reporting error, create the file /usr/sbin/tac as:

#!/bin/sh
# Minimal stand-in for tac: print a file's lines in reverse order.
if ! [ $# -gt 0 ]; then
    exit
fi
if [ "$1" != "" ]; then
    # number the lines, sort the numbers descending, then strip the numbers
    grep -n '' "$1" | sort -r -n | cut -d: -f2-
fi

On the nanny, cd ~/Oexample and run /sbin/Shorewall load 192.168.1.1, where 192.168.1.1 is the OpenWRT host router's IP address. You will need to fix compiler errors and enter passwords until the command succeeds; the compiled firewall is then copied to, and launched on, the OpenWRT router. To test it from the install session, use the Shorewall-lite status and dump commands on the OpenWRT router, and send test packets to and from each zone. When you restart the OpenWRT router, the pre-existing connections of the last session are lost.

NB: you can readily lock yourself out by editing the policies in this example, but that is the point of a firewall. Fail-safe mode will allow you to mount_root and hand-edit the /etc files. Revert to the OpenWRT firewall and reboot to revise and reload your Shorewall-Lite settings.

When things are right, you will see something like this:


root@192.168.1.1's password:
root@192.168.1.1's password:
Compiling...
Processing ~/Oexample/params ...
Processing ~/Oexample/Shorewall.conf...
WARNING: Unknown capability (RAWPOST_TABLE) ignored : ~/Oexample/capabilities (line 26)
WARNING: Unknown capability (ULOG_TARGET) ignored : ~/Oexample/capabilities (line 50)
WARNING: Unknown capability (NFLOG_TARGET) ignored : ~/Oexample/capabilities (line 51)
WARNING: Unknown capability (CONDITION_MATCH) ignored : ~/Oexample/capabilities (line 61)
WARNING: Unknown capability (IPTABLES_S) ignored : ~/Oexample/capabilities (line 62)
WARNING: Unknown capability (BASIC_FILTER) ignored : ~/Oexample/capabilities (line 63)
WARNING: Unknown capability (CT_TARGET) ignored : ~/Oexample/capabilities (line 64)
Compiling ~/Oexample/zones...
Compiling ~/Oexample/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /usr/share/Shorewall/action.Drop for chain Drop...
Compiling /usr/share/Shorewall/action.Broadcast for chain Broadcast...
Compiling /usr/share/Shorewall/action.Invalid for chain Invalid...
Compiling /usr/share/Shorewall/action.NotSyn for chain NotSyn...
Compiling /usr/share/Shorewall/action.Reject for chain Reject...
Compiling ~/Oexample/policy...
Running ~/Oexample/initdone...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling ~/Oexample/masq...
WARNING: Using an interface as the masq SOURCE requires the interface to be up and configured when Shorewall starts/restarts : ~/Oexample/masq (line 12)
Compiling MAC Filtration -- Phase 1...
Compiling ~/Oexample/rules...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating iptables-restore input...
Compiling ~/Oexample/routestopped...
Shorewall configuration compiled to ~/Oexample/firewall
Copying ~/Oexample/firewall and ~/Oexample/firewall.conf to 192.168.1.1:/etc/shorewall-lite/state...
root@192.168.1.1's password:
firewall 100% 69KB 69.3KB/s 00:00
firewall.conf 100% 981 1.0KB/s 00:00
Copy complete
root@192.168.1.1's password:
System 192.168.1.1 loaded

Shorewall-Lite is now running. Use UCI|Luci interface System/Startup/initscripts to enable 'Shorewall'.

To change any of the rules, zones, or other Shorewall settings on the OpenWRT router, revise the files in ~/Oexample and run the above "Shorewall load" command again. If the capabilities of the OpenWRT router change, rerun /usr/share/Shorewall-lite/shorecap on the router, scp the new capabilities file to the nanny's ~/Oexample/ as above, and re-run Shorewall load.

Shorewall Documentation:

https://www.shorewall.net/
https://www.shorewall.net/GettingStarted.html
https://www.shorewall.net/Documentation_Index.html
https://www.shorewall.net/configuration_file_basics.html
https://www.shorewall.net/Notices.html
https://www.shorewall.net/starting_and_stopping_shorewall.htm esp: "Shorewall State Diagram" for more.





Copyright (C) 2002,2016 W.S. Herrick and/or Respective Copyright Holders