The configuration of Shorewall continues. After reading this, you should have a better understanding of working with Shorewall's rules file and utilizing the default macros that Shorewall makes available to you.
We've reached part 3 of getting Shorewall installed and working on your system. Of course, that implies that there would be a part 1 and a part 2. If you haven't already, take a look at those previous sections. It'll make everything else make more sense.
So Shorewall's installed and working. Excellent! We've got the cornerstone of a secure system in place. But wait, the programs that we had running outside of your slice that depend on the MySQL server installed on it are starting to throw errors. Why can't our external programs reach the MySQL server any more? Well, the short answer is that we just put a firewall in front of it.
Here's what's happening when anything from the outside tries to get to your slice now on the default MySQL port of 3306.
~> telnet rhelsandbox 3306
Trying rhelsandbox...
That's right. Nothing. But that's to be expected. We've cut off pretty much all access to the slice from the outside. But what about the times you want to allow access to the slice, like this one? We have to open a port in the firewall.
Remember in part 2 when we looked in /usr/share/shorewall at all the macros in there? Let's see what happens when we try this...
ls -la /usr/share/shorewall/*MySQL
-rw-r--r-- 1 root root 378 Jun 30 02:53 /usr/share/shorewall/macro.MySQL
Hey, a MySQL macro! What's in it? Let's find out. Type this.
sudo cat /usr/share/shorewall/macro.MySQL
What you see should look like this.
#
# Shorewall version 4 - MySQL Macro
#
# /usr/share/shorewall/macro.MySQL
#
# This macro handles connections to the MySQL server.
#
###############################################################################
#ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    RATE    USER/
#                                 PORT(S)   PORT(S)   LIMIT   GROUP
PARAM     -        -      tcp     3306
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
If that 3306 looks familiar, it should. That's the default port for MySQL. As you've probably figured out by now, plugging one of these macros into the Shorewall rules file applies the protocol and port information it contains to your configuration. In this case, the macro tells the firewall to match TCP traffic to destination port 3306.
Now let's get this macro into place. Again from part 2, let's have a look at the rules file.
sudo nano /etc/shorewall/rules
We can see in there the macros that are in place for our Shorewall. For example, this one is allowing us to connect with SSH.
# Accept SSH connections from the net
SSH/ACCEPT net $FW
You'll recognize the configuration. From left to right, we've got the macro name, the action we want to apply to the traffic it matches, the originating zone, and finally the destination zone. So in this rule, we're accepting traffic to the port specified in our SSH macro, coming from the net zone and going to the $FW zone (the firewall host itself). Using this, we can construct a rule that will do the same for MySQL traffic. Let's do that now.
# Accept MySQL connections from the net
MySQL/ACCEPT net $FW
That first line is a comment telling anyone reading the file what this rule does. It's always good practice to leave comments when modifying configuration files, as it can minimize confusion for others (and perhaps you) later. The pound sign (#) in front of the comment keeps the firewall from reading the line as a rule.
Keep in mind that macros are case sensitive. Entering 'MySQL' is going to be different than entering 'mysql'. If you enter a macro with the wrong case, Shorewall will look and look, but it won't find what you want.
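To see how the macro file and the rules file fit together, here is an added example (my own code, not part of Shorewall) that parses the macro.MySQL layout shown above and a small constructed rules file, expands each MACRO/ACTION line into the concrete ports it opens, and reports which ports are accepted from the entire net zone rather than from a named host. The last sample rule uses Shorewall's zone:address form in the SOURCE column to limit a rule to one source; the address 203.0.113.10 and the sample files are constructed for the example.

```python
# Constructed macro bodies, modelled on the macro.MySQL file shown above.
MACROS = {"MySQL": "PARAM - - tcp 3306\n", "SSH": "PARAM - - tcp 22\n"}

# Constructed rules file; the last line uses Shorewall's zone:address form
# to restrict a rule to one source host (the address is an assumption).
RULES = """# Accept SSH connections from the net
SSH/ACCEPT net $FW
# Accept MySQL connections from the net
MySQL/ACCEPT net $FW
# Accept MySQL only from a management host
MySQL/ACCEPT net:203.0.113.10 $FW
"""

def parse_macro(text):
    """Return [(proto, dport)] from a macro file's rule lines (# comments skipped)."""
    entries = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()   # ACTION SOURCE DEST PROTO DPORT ...
        if cols:
            entries.append((cols[3] if len(cols) > 3 else "-",
                            cols[4] if len(cols) > 4 else "-"))
    return entries

def expand_rules(rules_text, macros):
    """Expand MACRO/ACTION rules into the concrete ports and sources they match."""
    out = []
    for line in rules_text.splitlines():
        cols = line.split("#", 1)[0].split()
        if not cols or "/" not in cols[0]:
            continue                               # comment, blank or non-macro rule
        macro, action = cols[0].split("/", 1)
        if macro not in macros:                    # names are case sensitive: 'mysql' != 'MySQL'
            raise KeyError("unknown macro %r in rule: %s" % (macro, line))
        zone, _, addr = cols[1].partition(":")     # 'net' or 'net:203.0.113.10'
        for proto, dport in parse_macro(macros[macro]):
            out.append({"macro": macro, "action": action, "zone": zone,
                        "addr": addr or None, "dest": cols[2],
                        "proto": proto, "dport": dport})
    return out

def wide_open_ports(rules_text, macros):
    """Ports ACCEPTed from the entire net zone with no source address restriction."""
    return sorted({r["dport"] for r in expand_rules(rules_text, macros)
                   if r["action"] == "ACCEPT" and r["zone"] == "net" and not r["addr"]})

if __name__ == "__main__":
    for r in expand_rules(RULES, MACROS):
        print(r)
    print("ports open to the whole net zone:", wide_open_ports(RULES, MACROS))
```

Running it against your real /etc/shorewall/rules and /usr/share/shorewall/macro.* files gives a quick audit of which services are reachable from anywhere on the net zone, which is the list you want to keep as short as possible.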
Well now we have our rule in place. Let's make it an official part of our Shorewall configuration. Remember, since we've made a change to our configuration, we want to check to see if Shorewall complains about anything. Remember how to do a Shorewall check?
sudo /sbin/shorewall check
And did it end with this?
Shorewall configuration verified
Excellent, we're looking good so far. Time to restart Shorewall with the new rule in place.
sudo /etc/init.d/shorewall restart
Restarting shorewall: [ OK ]
Well, nothing's blown up yet. So what happens when we try to get to port 3306 now? Remember, we're doing this from AN ENTIRELY NEW CONSOLE WINDOW.
~> telnet rhelsandbox 3306
Trying rhelsandbox...
Connected to rhelsandbox.
Escape character is '^]'.
Outstanding! Outside connections are being allowed on port 3306. MySQL is back in business.
As I'm sure you've already been thinking, this is going to allow for very easy modification of the firewall. You can take a look in /usr/share/shorewall/macro.* to see the extensive list of macros and default ports that are already available to you. You can take a look at the shorewall-rules man page by entering this...
That will give you an overview of the actions you can apply to your macros in the rules file; there's much more than just ACCEPT.
We've just successfully opened a needed port in our Shorewall using the macros that Shorewall conveniently provides. But what if we need something a little more off the beaten path? We'll handle that next time when we discuss making our own macros for Shorewall. Relax, you're ready, trust me.