Shorewall is a great little firewall that runs on many Linux distributions. It is highly configurable and a great alternative to working with iptables directly: you describe zones, policies and rules in a few text files and Shorewall compiles them into the iptables ruleset for you. It's especially easy to install on Debian-based distros such as Ubuntu, Mint, Mepis, etc. I'll be using Ubuntu in this tutorial. Be sure to perform the steps of this guide at the console of the physical machine as root. If you're doing this over ssh, a typo in the policy or rules can lock you out partway through; if you have no choice, bring the firewall up with shorewall safe-start (or safe-restart) rather than plain start, since those revert automatically unless you confirm within a timeout. Let's get started!

Step 1 - Install Shorewall

Let's switch to root and install Shorewall using apt:

su -
apt-get install shorewall

Step 2 - Configure

Shorewall can be used in several different firewall configurations. If your Linux machine has a single network interface and only needs to protect itself, e.g. a dedicated server running Apache or Samba, you'll be using a 1-interface configuration. If it's going to act as a router and firewall between the internet and an internal network, you'll be using a 2-interface configuration, and so on. Let's pretend our server is used for hosting websites, so we'll set up a 1-interface Shorewall configuration.

Shorewall's configuration files are stored in /etc/shorewall. Shorewall also ships several example configurations you can use to get up and running quickly. Let's copy over the 1-interface example files to get things going (this overwrites any files of the same name already in /etc/shorewall):

cp /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall

This will copy several files over to /etc/shorewall. On Debian and Ubuntu some files under /usr/share/doc may be gzipped, so if you end up with .gz files in /etc/shorewall, run gunzip on them before continuing. Let's learn more about what these files do. Here's a brief summary of each one:

  • zones - defines the named zones (fw, net, ...) that policies and rules refer to
  • interfaces - maps each network interface to a zone and sets per-interface options
  • policy - the default action for traffic between each pair of zones, plus the catchall
  • rules - the exceptions to the policies: which protocols and ports are allowed or blocked to/from each zone
  • shorewall.conf - global settings (logging, startup options, etc.)

The two most important files here are policy and rules. Let's take a look at the policy file:

#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
$FW             net             ACCEPT
net             all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info 

$FW is the firewall host itself, i.e. the zone named fw in the zones file; in our case that's the server. net is the internet zone. Policies are defaults: a packet is first checked against the rules file, and only if no rule matches does the first matching policy line apply, in the order listed. So the first line lets the server open any outbound connection, the second silently drops unsolicited traffic from the internet and logs it at syslog level info, and the last line is the catchall that rejects (with an ICMP error or TCP reset) anything that didn't match an earlier line. It has to stay last, because Shorewall stops at the first policy that matches.

Next, let's look at the rules file. This is where you punch holes in the policies: each line is an exception that's checked before the policies apply, so this is what decides which ports and protocols actually reach the server.

#############################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE          
#                                                       PORT    PORT(S)         DEST            LIMIT         

# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP)      net             $FW

# Allow the internet to connect to web server
ACCEPT net $FW tcp 80

# Allow ssh. A port range is written low:high (e.g. 22:23), but telnet is cleartext and should never be exposed to the internet, so only 22 is opened here
ACCEPT net $FW tcp 22

# Allow Outgoing SMTP Traffic on Multiple ports
ACCEPT $FW net tcp 25,26,465,587

These rules punch the holes we want. Note that with the $FW net ACCEPT policy above, the outgoing SMTP rule is redundant, since everything from the server to the internet is already accepted; it only starts to matter if you tighten that policy to REJECT, which is worth doing on a server so a compromised web app can't freely phone home. Shorewall also comes with many handy macros (as seen with the Ping macro above) that predefine common protocols and services. They live in /usr/share/shorewall as macro.* files (e.g. macro.Ping, macro.SSH), and you can also create your own.

Step 3 - Start 'er up

Once you have your configuration set up, run shorewall check first; it compiles the configuration and reports syntax errors without touching the running firewall. Then start Shorewall:

shorewall start
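Here's the whole procedure as an added shell script; it isn't part of the original tutorial or of Shorewall itself. It generates the four one-interface files described above, tightens them a little beyond the page (no telnet, HTTPS opened alongside HTTP, inbound SSH rate-limited per source address), sanity-checks the policy and rules offline, and only then hands them to shorewall check and shorewall safe-start. The interface name (IFACE, default eth0), the config directory (CONF) and the Shorewall 4.x column layouts are assumptions; adjust them for your box.

```shell
#!/bin/sh
# Added example; not part of the original tutorial or of Shorewall itself.
# Generates the one-interface configuration (zones, interfaces, policy, rules),
# lint-checks it offline, then loads it via `shorewall check` + `shorewall safe-start`.
# Assumptions (placeholders): IFACE is the internet-facing interface, CONF is
# Shorewall's config directory, Shorewall 4.x column layouts are used.
set -eu

IFACE="${IFACE:-eth0}"            # assumption: name of the external interface
CONF="${CONF:-/etc/shorewall}"    # assumption: Shorewall config directory

# fw is the firewall host itself (written as $FW in policy/rules); net is the internet.
write_zones() {
    cat > "$1" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
EOF
}

# Bind the external interface to the net zone. tcpflags drops illegal TCP flag
# combinations, nosmurfs drops packets with a broadcast source address.
write_interfaces() {
    printf '#ZONE\tINTERFACE\tBROADCAST\tOPTIONS\nnet\t%s\tdetect\ttcpflags,nosmurfs\n' \
        "$IFACE" > "$1"
}

# Default-deny inbound, permit outbound, and a catch-all REJECT that must stay last.
write_policy() {
    cat > "$1" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
}

# Exceptions to the policies. Columns: ACTION SOURCE DEST PROTO DPORT SPORT
# ORIGDEST RATE ("-" = unused). s:3/min:5 allows each source address 3 new
# SSH connections per minute with a burst of 5 (RATE LIMIT syntax assumed
# from Shorewall 4.x; check `man shorewall-rules` for your version).
write_rules() {
    cat > "$1" <<'EOF'
#ACTION     SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST    RATE
Ping(DROP)  net     $FW
ACCEPT      net     $FW     tcp     80
ACCEPT      net     $FW     tcp     443
ACCEPT      net     $FW     tcp     22      -       -           s:3/min:5
EOF
}

# Succeed only if the last active policy line is the all/all catch-all (DROP or
# REJECT). Policies match in order, so anything placed after it is never reached.
policy_catchall_ok() {
    awk 'NF && $1 !~ /^#/ { last = $1 " " $2 " " $3 }
         END { exit !(last == "all all REJECT" || last == "all all DROP") }' "$1"
}

# Fail if any explicit ACCEPT rule from net opens TCP port 23 (telnet) to the
# firewall, whether written as a single port, a list (22,23) or a range (22:23).
rules_no_telnet() {
    awk 'NF && $1 == "ACCEPT" && $2 == "net" && $4 == "tcp" {
             n = split($5, ports, ",")
             for (i = 1; i <= n; i++) {
                 lo = ports[i]; hi = ports[i]
                 if (index(ports[i], ":")) { split(ports[i], r, ":"); lo = r[1]; hi = r[2] }
                 if (lo + 0 <= 23 && 23 <= hi + 0) bad = 1
             }
         }
         END { exit bad ? 1 : 0 }' "$1"
}

# Write the files, run the offline checks, validate with Shorewall's own compiler,
# and load with safe-start, which reverts unless you confirm at its prompt
# (so a cut-off ssh session cannot lock you out).
install_config() {
    for f in zones interfaces policy rules; do
        "write_$f" "$CONF/$f"
    done
    policy_catchall_ok "$CONF/policy"
    rules_no_telnet "$CONF/rules"
    shorewall check
    shorewall safe-start
}

# Only touch the live system when explicitly asked to, as root.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    install_config
fi
```

Run it as root with APPLY=1 to write and load the configuration; without APPLY it only defines the functions, so you can source it and point policy_catchall_ok or rules_no_telnet at files you wrote by hand.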

That's it! You now have a default-deny firewall in front of your server. Confirm it from another host (e.g. with a port scan) that only 22 and 80 answer, and watch the syslog for the logged drops. One Debian/Ubuntu gotcha: the init script won't bring Shorewall up at boot until you set startup=1 in /etc/default/shorewall (and STARTUP_ENABLED=Yes in shorewall.conf on newer versions), so check that before you reboot. Don't you feel better?

Additional Resources

This is just a tiny showcase of Shorewall's features. You can do many other cool things with it as well. Be sure to check out the links below.

