RHEL – Shorewall Custom Macros

If you've been following along from the beginning, then you've gotten Shorewall installed, running, and have worked with some of the basic rules and macros. In this article, we'll cover what to do when you need to open ports that aren't included in the Shorewall default macros.


We've reached the next step in the evolution of our Shorewall. If you just said to yourself, “What's Shorewall?”, then you either have gotten to this article out of turn or it's possible that you may have a very short attention span. Assuming it's the former, feel free to have a look at part 1, part 2 and part 3 of this series.

Now that everyone's up to speed, you're probably wondering what's next. We've got a nice, easy-to-configure firewall tool in place, and after reading part 3, we know how to open ports in it using the macros that Shorewall has given us. But what about ports that aren't specified?

Say, for instance, that we're building our own application. Let's call it Wonderapp (we'll let the guys in marketing come up with a better name). Wonderapp runs on TCP port, um... 10101. I'm sure I don't have to tell you that any queries for Wonderapp are going to have a problem getting to our server now that we have the Shorewall in place. Just to be sure, let's check.

telnet rhelsandbox 10101
Trying rhelsandbox...

Denied! As we expected. But how do we open up that port? Remember last time in part 3 when we opened up the standard port for MySQL, all we had to do was look in the included Shorewall macros for the MySQL macro and plug it into place. Well, as you could have guessed, there isn't an included macro for Wonderapp. Wait...

$ ls -la /usr/share/shorewall/macro.W*
-rw-r--r-- 1 root root 520 Jun 30 02:53 /usr/share/shorewall/macro.Web
-rw-r--r-- 1 root root 364 Jun 30 02:53 /usr/share/shorewall/macro.Webmin
-rw-r--r-- 1 root root 368 Jun 30 02:53 /usr/share/shorewall/macro.Whois

Okay, no Wonderapp. I don't have to call my lawyer. Back to business, then.

Now that we have determined that we don't have a macro for Wonderapp, what do we do about it? We make one, of course. All we have to do is use the existing template for a macro and customize it to open the port we want. Let's start by making a copy of a macro and calling it something that pertains to the program we're dealing with.

sudo cp /usr/share/shorewall/macro.MySQL /usr/share/shorewall/macro.Wonderapp

What did that do for us? Let's check it out.

ls -la /usr/share/shorewall/macro.W*
-rw-r--r-- 1 root root 520 Jun 30 02:53 /usr/share/shorewall/macro.Web
-rw-r--r-- 1 root root 364 Jun 30 02:53 /usr/share/shorewall/macro.Webmin
-rw-r--r-- 1 root root 368 Jun 30 02:53 /usr/share/shorewall/macro.Whois
-rw-r--r-- 1 root root 378 Aug  4 19:49 /usr/share/shorewall/macro.Wonderapp

Hey, there it is! But as I'm sure you know, it's not ready yet. Let's start to edit it, and you'll see what I mean.

sudo nano /usr/share/shorewall/macro.Wonderapp

What you see will look something like this:

#
# Shorewall version 4 - MySQL Macro
#
# /usr/share/shorewall/macro.MySQL
#
#       This macro handles connections to the MySQL server.
#
###############################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
#                               PORT(S) PORT(S) LIMIT   GROUP
PARAM   -       -       tcp     3306
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

So really, all we've done so far is make a copy of the existing MySQL macro under a different name. Let's change this so that it will reference traffic for our world changing application, Wonderapp.

#
# Shorewall version 4 - Wonderapp Macro
#
# /usr/share/shorewall/macro.Wonderapp
#
#       This macro handles connections for my new application, Wonderapp.
#
###############################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
#                               PORT(S) PORT(S) LIMIT   GROUP
PARAM   -       -       tcp     10101
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

You see what we did there? Remember, every line beginning with a pound sign (#) is a comment line. It's not read as a command by Shorewall, but it can help to explain things when people are looking at the file. We changed the comment lines to explain what this macro is and what it does.

Now look at the only line in the macro that doesn't have a pound sign in front of it, and therefore the only line that Shorewall actually reads as a rule. We changed the 3306 to 10101, thus changing the port from referencing the mundane MySQL to the new and exciting Wonderapp! You're excited, right? Save and exit.

Now we have a freshly minted macro in place and ready to use. All that's left now is to put it into our rules file and restart the shorewall. This was covered in part 3, so I'll give you the abridged version here.

Open our rules file for editing...

sudo nano /etc/shorewall/rules

Add a rule that will open the firewall for Wonderapp...

# Accept connections from the net to the great Wonderapp
Wonderapp/ACCEPT        net             $FW

Save and exit. Check to make sure Shorewall likes the change...

sudo /sbin/shorewall check

Verify that the check ends with a happy line...

Shorewall configuration verified

Restart the Shorewall...

sudo /etc/init.d/shorewall restart
Restarting shorewall:                                      [  OK  ]

And finally, OPEN ANOTHER TERMINAL WINDOW and test...

telnet rhelsandbox 10101
Trying rhelsandbox...
telnet: connect to address 192.168.1.100: Connection refused

Don't worry, it's a success! It only says Connection refused because nothing is listening on port 10101: we haven't built Wonderapp yet. The difference from the first test is that the connection is now being refused by the host itself rather than blocked by the firewall. I'll save building Wonderapp for another article.

Working with multiple ports

Let's fast forward a bit. Wonderapp is a huge hit (of course)! Now, the people are clamoring for Wonderapp 2.0. As it turns out, Wonderapp 2.0 is going to run on a range of ports, 10101 to 10105. Not a problem. A simple change to our existing macro will handle this.

#
# Shorewall version 4 - Wonderapp Macro
#
# /usr/share/shorewall/macro.Wonderapp
#
#       This macro handles connections for my new application, Wonderapp.
#
###############################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
#                               PORT(S) PORT(S) LIMIT   GROUP
PARAM   -       -       tcp     10101:10105
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

That's all there is to it. Just use a colon to separate the low value from the high value. If you leave out the low value, Shorewall will assume it to be the lowest possible (zero), and if you leave out the high value, Shorewall will assume it to be the highest possible (65535).

Now say Wonderapp was going to run on ONLY ports 10101 and 10105. In that case, we would use a comma instead of a colon to get it done.

#
# Shorewall version 4 - Wonderapp Macro
#
# /usr/share/shorewall/macro.Wonderapp
#
#       This macro handles connections for my new application, Wonderapp.
#
###############################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
#                               PORT(S) PORT(S) LIMIT   GROUP
PARAM   -       -       tcp     10101,10105
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Really, does it get any easier than that?
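As an added example (not code from the article or from the Shorewall project), here is a small Python checker for the macro format shown above: it skips the comment lines, reads the PARAM line, expands the DEST PORT(S) field using the colon and comma syntax just described (including an omitted low or high end), and counts how many ports the macro would actually open. It assumes numeric ports only (service names from /etc/services are not resolved), and SAMPLE_MACRO is a constructed copy of the Wonderapp macro.

```python
SAMPLE_MACRO = """\
# Shorewall version 4 - Wonderapp Macro (constructed sample)
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
#                               PORT(S) PORT(S) LIMIT   GROUP
PARAM   -       -       tcp     10101,10105
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

def parse_ports(spec):
    """Expand a DEST PORT(S) field into (low, high) tuples; numeric ports only."""
    if spec == "-":
        return [(0, 65535)]  # no port restriction: every port matches
    ranges = []
    for item in spec.split(","):
        lo, sep, hi = item.partition(":")
        if not item:
            raise ValueError("empty port in %r" % spec)
        lo = int(lo) if lo else 0                       # ":1024" means 0:1024
        hi = int(hi) if hi else (65535 if sep else lo)  # "1024:" means 1024:65535
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port spec %r" % item)
        ranges.append((lo, hi))
    return ranges

def parse_macro(text):
    """Return the macro's rule lines; lines starting with '#' are comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed macro line %r" % line)
        dport = fields[4] if len(fields) > 4 else "-"  # missing field = all ports
        rules.append({"action": fields[0], "proto": fields[3].lower(),
                      "ports": parse_ports(dport)})
    return rules

def exposed_ports(rules, proto="tcp"):
    """Count the distinct ports the macro opens for proto."""
    opened = {p for r in rules if r["proto"] == proto
              for lo, hi in r["ports"] for p in range(lo, hi + 1)}
    return len(opened)

def valid_port_spec(spec):
    """True if the colon/comma port syntax is well-formed and within 0..65535."""
    try:
        parse_ports(spec)
        return True
    except ValueError:
        return False
```

A count far larger than the application needs (or 65536, meaning the port field was left out entirely) is the kind of mistake worth catching before the macro goes into the rules file, since shorewall check validates syntax, not intent.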

Summary

Our Shorewall is evolving nicely. We can now make our own macros and use them to make references to non-standard ports, a necessary feature when administering a strong yet flexible firewall. Next time, we'll go over what happens when things don't exactly go according to plan and look at Shorewall logging and errors. And we'll decide what to do with all the profits from Wonderapp.
