RHEL - Working with Shorewall Default Macros

The configuration of Shorewall continues. After reading this, you should have a better understanding of working with Shorewall's rules file and utilizing the default macros that Shorewall makes available to you.

We've reached part 3 of getting Shorewall installed and working on your system. Of course, that implies that there would be a part 1 and a part 2. If you haven't already, take a look at those previous sections. It'll make everything else make more sense.

Understanding Macros

So Shorewall's installed and working. Excellent! We've got the cornerstone of a secure system in place. But wait, the programs that we had running outside of your slice that depend on the MySQL server installed on it are starting to throw errors. Why can't our external programs reach the MySQL server any more? Well, the short answer is that we just put a firewall in front of it.

Here's what's happening when anything from the outside tries to get to your slice now on the default MySQL port of 3306.

~> telnet rhelsandbox 3306
Trying rhelsandbox...

That's right. Nothing: the attempt just hangs with no answer, which is how a dropped connection looks from the outside. But that's to be expected. We've cut off pretty much all access to the slice from the outside. But what about the times you want to allow access to the slice, like this one? We have to open a port in the firewall.

Remember in part 2 when we looked in /usr/share/shorewall at all the macros in there? Let's see what happens when we try this...

ls -la /usr/share/shorewall/*MySQL
-rw-r--r-- 1 root root 378 Jun 30 02:53 /usr/share/shorewall/macro.MySQL

Hey, a MySQL macro! What's in it? Let's find out. Type this.

sudo cat /usr/share/shorewall/macro.MySQL

What you see should look like this.

# Shorewall version 4 - MySQL Macro
# /usr/share/shorewall/macro.MySQL
#       This macro handles connections to the MySQL server.
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
#                               PORT(S) PORT(S) LIMIT   GROUP
PARAM   -       -       tcp     3306

If that 3306 looks familiar, it should. That's the default port for MySQL. Plugging a macro into the Shorewall rules file pulls the information in it into your configuration. Here the PROTO and DEST PORT(S) columns tell the firewall to match TCP traffic whose destination port is 3306; PARAM is a placeholder for whatever action you name after the slash in the rules file, and the dashes in the SOURCE and DEST columns mean "use the zones given in the rule".

Now let's get this macro into place. Again from part 2, let's have a look at the rules file.

sudo nano /etc/shorewall/rules

We can see in there the macros that are in place for our Shorewall. For example, this one is allowing us to connect with SSH.

# Accept SSH connections from the net
SSH/ACCEPT      net             $FW

You'll recognize the layout from the macro file. From left to right, we've got the ACTION column (the macro name, a slash, and the action to apply to the traffic the macro matches), then the SOURCE zone, and finally the DEST zone. So this rule accepts traffic on the port specified in the SSH macro from the net zone to $FW, which is the firewall host itself, your slice. Using this, we can construct a rule that does the same for MySQL traffic. Let's do that now.

# Accept MySQL connections from the net
MySQL/ACCEPT   net             $FW

That first line is a comment telling anyone reading the file what you're doing with this rule. It's always good practice to leave comments when modifying configuration files, as it can minimize confusion for others (and perhaps you) later. The pound sign (#) in front of the comment keeps Shorewall from reading the line as a rule.

Keep in mind that macros are case sensitive. Entering 'MySQL' is going to be different than entering 'mysql'. If you enter a macro with the wrong case, Shorewall will look and look, but it won't find what you want.
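To make concrete what Shorewall does with a line like MySQL/ACCEPT net $FW, here is an added Python example. It is not Shorewall's code and not part of the original article; it only models the expansion described above: the part before the slash names a macro.* file, PARAM in that file is replaced by the action after the slash, and a dash in the macro's SOURCE or DEST column takes the zone from the rule. It also shows the case-sensitivity point, since mysql/ACCEPT fails because there is no macro.mysql. The macro texts embedded in it are constructed from the file shown above (the filesystem lookup is simulated with a dictionary), and the address-qualified source net:203.0.113.10 is an assumed example address, illustrating how to limit the opening to one client instead of the whole net zone.

```python
"""Expand a Shorewall 'Macro/ACTION' rule into the plain rule it stands for.

Added example, not Shorewall's own code. Macros with explicit zones in their
SOURCE/DEST columns are out of scope; only the '-' (inherit) case is handled.
"""

# Constructed stand-ins for /usr/share/shorewall/macro.MySQL and macro.SSH,
# based on the macro file shown in the article. Keys play the role of the
# case-sensitive file-name suffix after "macro.".
MACRO_FILES = {
    "MySQL": (
        "# Shorewall version 4 - MySQL Macro\n"
        "#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/\n"
        "#                               PORT(S) PORT(S) LIMIT   GROUP\n"
        "PARAM   -       -       tcp     3306\n"
    ),
    "SSH": (
        "#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/\n"
        "#                               PORT(S) PORT(S) LIMIT   GROUP\n"
        "PARAM   -       -       tcp     22\n"
    ),
}


def parse_macro(text):
    """Return the non-comment lines of a macro file, each split into columns."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            entries.append(line.split())
    return entries


def expand_rule(rule, macro_files=MACRO_FILES):
    """Turn 'Macro/ACTION SOURCE DEST' into a list of plain rules.

    Each result is [ACTION, SOURCE, DEST, PROTO, DEST_PORTS]. The lookup is
    case sensitive, like the macro.* file names, so 'mysql/ACCEPT' raises
    KeyError because there is no macro.mysql.
    """
    cols = rule.split()
    name, action = cols[0].split("/", 1)
    rule_source, rule_dest = cols[1], cols[2]
    if name not in macro_files:
        raise KeyError("no file macro.%s (macro names are case sensitive)" % name)

    expanded = []
    for entry in parse_macro(macro_files[name]):
        entry = entry + ["-"] * (5 - len(entry))  # pad columns the macro omitted
        m_action, m_source, m_dest, proto, dports = entry[:5]
        # PARAM is the placeholder for the action written after the slash.
        if m_action == "PARAM":
            m_action = action
        # '-' in the macro's zone columns means "use the zone from the rule".
        source = rule_source if m_source == "-" else m_source
        dest = rule_dest if m_dest == "-" else m_dest
        expanded.append([m_action, source, dest, proto, dports])
    return expanded


if __name__ == "__main__":
    # 203.0.113.10 is an assumed client address (documentation range).
    for rule in ("SSH/ACCEPT net $FW",
                 "MySQL/ACCEPT net $FW",
                 "MySQL/ACCEPT net:203.0.113.10 $FW"):
        for plain in expand_rule(rule):
            print("%-34s -> %s" % (rule, "\t".join(plain)))
    try:
        expand_rule("mysql/ACCEPT net $FW")
    except KeyError as err:
        print("mysql/ACCEPT fails:", err)
```

The third rule in the usage block is the one a practitioner would actually want for a database: the SOURCE column accepts a zone:address qualifier, so the port opens only to the listed client rather than to everything in the net zone.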

Well now we have our rule in place. Let's make it an official part of our Shorewall configuration. Remember, since we've made a change to our configuration, we want to check to see if Shorewall complains about anything. Remember how to do a Shorewall check?

sudo /sbin/shorewall check

And did it end with this?

Shorewall configuration verified

Excellent, we're looking good so far. Time to restart Shorewall with the new rule in place.

sudo /etc/init.d/shorewall restart
Restarting shorewall:                                      [  OK  ]

Well, nothing's blown up yet. So what happens when we try to get to port 3306 now? Remember, we're doing this from AN ENTIRELY NEW CONSOLE WINDOW.

~> telnet rhelsandbox 3306
Trying rhelsandbox...
Connected to rhelsandbox.
Escape character is '^]'.

Outstanding! Outside connections are being allowed on port 3306. MySQL is back in business. Bear in mind what that rule says, though: anything in the net zone, meaning anyone on the Internet, can now reach your MySQL listener, so the server's own authentication is all that stands between it and password guessing. If only a known set of hosts needs the database, narrow the SOURCE column to those addresses (the shorewall-rules man page covers the zone:address form) rather than opening the port to the whole zone.

As I'm sure you've already been thinking, this is going to allow for very easy modification of the firewall. You can take a look in /usr/share/shorewall/macro.* to see the extensive list of macros and default ports that are already available to you. You can take a look at the shorewall-rules man page by entering this...

man shorewall-rules

That will give you the full format of the rules file and the actions you can pair with a macro; there's much more than just ACCEPT, for example DROP and REJECT.


We've just successfully opened a needed port in our Shorewall using the macros that Shorewall conveniently provides. But what if we need something a little more off the beaten path? We'll handle that next time when we discuss making our own macros for Shorewall. Relax, you're ready, trust me.

Article Comments:

Brad commented Wed Jan 13 17:52:19 UTC 2010:

I finished the first two articles and now my server is not accessible from outside http connections.

What about existing rules in ip tables? Was I supposed to remove them? Or is there a missing step here for opening port to allow http connections??

Brad commented Wed Jan 13 20:21:13 UTC 2010:

I don't get it. If there is an existing iptables rule for these:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Then why are new macros required? You guys really need to explain how the iptables ruleset functions with the shorewall ruleset.
