July 21, 2011
Shorewall is a great little firewall that's excellent for use in many linux distributions. It is highly configurable and a great alternative to working with iptables directly. It's especially easy to install on debian-based distros such as ubuntu, mint, mepis, etc. I'll be using ubuntu in this tutorial. Be sure to perform the steps of this guide on the physical machine as root. If you're doing this over ssh/terminal, you may get locked out during the configuration process. Let's get started!
Step 1 - Install Shorewall
Let's switch to root and install Shorewall using apt:
su -
apt-get install shorewall
Step 2 - Configure
Shorewall can be used in several different firewall configurations. If your linux machine is a dedicated server used for services like Apache or Samba, you'll be using a 1-interface configuration. If your linux machine is going to act as a router and firewall to an internal network, you'll be using a 2-interface configuration, and so on. Let's pretend our server is used for hosting websites, so we'll set up a 1-interface Shorewall configuration.
Shorewall's configuration files are stored in /etc/shorewall. Shorewall also comes with several example configurations you can use to get up and running quickly. Let's copy over the 1-interface example configuration files to get things going:
cp /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall
This copies several files into /etc/shorewall. Shorewall is driven by these configuration files; here's a brief summary of what each one does:
- zones - defines the zones (such as the firewall itself and the internet) that are referenced by policies and rules
- interfaces - specifies which hardware devices and settings are assigned to each zone
- policy - contains general access rules and catchalls for traffic going to/from your zones
- rules - defines the specific protocols, ports, etc. that are allowed or blocked to/from your zones, as exceptions to the general policies
The two most important files here are policy and rules. Let's take a look at the policy file:
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
$FW       net    ACCEPT
net       all    DROP     info
# The FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
$FW is the firewall itself; in our case that's the server. net is the internet. The last line is important because it's the catchall: it tells Shorewall to reject any traffic that no earlier policy or rule has matched.
Next, let's look at the rules file. This defines which ports and protocols Shorewall will allow or block, overriding the general policies for that specific traffic.
#############################################################################################################
#ACTION     SOURCE   DEST   PROTO   DEST     SOURCE    ORIGINAL   RATE
#                                   PORT     PORT(S)   DEST       LIMIT
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP)  net      $FW
# Allow the internet to connect to web server
ACCEPT net $FW tcp 80
# Allow telnet and ssh, port range 22-23
ACCEPT net $FW tcp 22:23
# Allow Outgoing SMTP Traffic on Multiple ports
ACCEPT $FW net tcp 25,26,465,587
These rules allow several types of traffic. Shorewall also comes with many handy macros (as seen with the Ping macro above) that predefine several different protocols and services. They're located in /usr/share/shorewall. You can also create your own macros.
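Before starting the firewall it is worth checking exactly which ports the rules file exposes to the internet. The following parser for the rules format is an added example, not code from the tutorial or from the Shorewall project; the embedded rules text is a constructed copy of the file shown above, and the column layout follows the header in that file.

```python
"""Parse a Shorewall 'rules' file and summarise what it allows inbound."""
from collections import defaultdict

# Constructed sample: the rules file from the tutorial, header included.
SAMPLE_RULES = """\
#ACTION     SOURCE   DEST   PROTO   DEST     SOURCE    ORIGINAL   RATE
#                                   PORT     PORT(S)   DEST       LIMIT
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP)  net      $FW
# Allow the internet to connect to web server
ACCEPT      net      $FW    tcp     80
# Allow telnet and ssh, port range 22-23
ACCEPT      net      $FW    tcp     22:23
# Allow Outgoing SMTP Traffic on Multiple ports
ACCEPT      $FW      net    tcp     25,26,465,587
"""

def expand_ports(spec):
    """Expand a DEST PORT column: '80', a range '22:23', or a list '25,26,465'."""
    ports = []
    for part in spec.split(","):
        if ":" in part:
            lo, hi = (int(x) for x in part.split(":", 1))
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(part))
    return ports

def parse_rules(text):
    """Return (action, source, dest, proto, ports) for each non-comment line.
    Macro rules such as Ping(DROP) keep the macro name as the action and
    carry no PROTO or DEST PORT column."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        action, source, dest = cols[0], cols[1], cols[2]
        proto = cols[3] if len(cols) > 3 else None
        ports = expand_ports(cols[4]) if len(cols) > 4 else []
        rules.append((action, source, dest, proto, ports))
    return rules

def inbound_accepts(rules, fw="$FW"):
    """Map proto -> sorted ports that other zones may reach on the firewall.
    This is the exposure to review before running 'shorewall start'."""
    exposed = defaultdict(set)
    for action, source, dest, proto, ports in rules:
        if action == "ACCEPT" and dest == fw and source != fw:
            exposed[proto].update(ports)
    return {p: sorted(v) for p, v in exposed.items()}
```

For the tutorial's file, inbound_accepts reports tcp ports 22, 23 and 80 reachable from net, while the outbound SMTP rule does not count as exposure.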
Step 3 - Start 'er up
Once you have your configuration all set up, start Shorewall.
shorewall start
That's it! You're now safe and sound behind a firewall. Don't you feel better?
Additional Resources
This is just a tiny showcase of Shorewall's features. You can do many other cool things with it as well. Be sure to check out the links below.
