I know how to set up a firewall under RHEL / Fedora and CentOS quickly. How do I set up a host-based firewall under a Debian or Ubuntu Linux server or desktop system? How do I install the Shoreline Firewall (Shorewall) utility to build a Netfilter-based firewall under Debian or Ubuntu Linux?

Shorewall is an open source tool for Linux that builds upon Netfilter, the packet filtering framework in the Linux kernel. It makes it easier to manage more complex configuration schemes by providing a higher level of abstraction for describing rules using text files. Shorewall is mainly used to protect a DMZ, LAN, or dedicated servers powered by Debian or Ubuntu Linux. You can also use it to protect a single computer or laptop.

How do I install shorewall?

Type the following command as root user:

# apt-get install shorewall shorewall-common shorewall-shell

Sample outputs:

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  shorewall shorewall-common shorewall-shell
0 upgraded, 3 newly installed, 0 to remove and 12 not upgraded.
Need to get 455 kB of archives.
After this operation, 2,052 kB of additional disk space will be used.
Get:1 http://debian.osuosl.org/debian/ squeeze/main shorewall all 4.4.11.6-3+squeeze1 [378 kB]
Get:2 http://debian.osuosl.org/debian/ squeeze/main shorewall-common all 4.4.11.6-3+squeeze1 [38.8 kB]
Get:3 http://debian.osuosl.org/debian/ squeeze/main shorewall-shell all 4.4.11.6-3+squeeze1 [38.8 kB]
Fetched 455 kB in 3s (120 kB/s)
Preconfiguring packages ...
Selecting previously deselected package shorewall.
(Reading database ... 266807 files and directories currently installed.)
Unpacking shorewall (from .../shorewall_4.4.11.6-3+squeeze1_all.deb) ...
Selecting previously deselected package shorewall-common.
Unpacking shorewall-common (from .../shorewall-common_4.4.11.6-3+squeeze1_all.deb) ...
Selecting previously deselected package shorewall-shell.
Unpacking shorewall-shell (from .../shorewall-shell_4.4.11.6-3+squeeze1_all.deb) ...
Processing triggers for man-db ...
Setting up shorewall (4.4.11.6-3+squeeze1) ...
Setting up shorewall-common (4.4.11.6-3+squeeze1) ...
Setting up shorewall-shell (4.4.11.6-3+squeeze1) ...

Shorewall Configuration Files

All files are located in /etc/shorewall/ directory as follows:

1. /etc/shorewall/shorewall.conf - Shorewall global configuration file.
2. /etc/shorewall/interfaces - The interfaces file serves to define the firewall's network interfaces to Shorewall.
3. /etc/shorewall/policy - Shorewall policy file for connections between the zones defined in the /etc/shorewall/zones config file.
4. /etc/shorewall/rules - Shorewall rules file.
5. /etc/shorewall/zones - The /etc/shorewall/zones file declares your network zones. You specify the hosts in each zone through entries in /etc/shorewall/interfaces or /etc/shorewall/hosts.

Configuration

Turn on the firewall by editing the /etc/default/shorewall file, enter:

# vi /etc/default/shorewall

Set the startup variable to 1 in order to allow Shorewall to start:

startup=1

Save and close the file.

Step #1: Define network zones

Edit /etc/shorewall/zones, enter:

# vi /etc/shorewall/zones

Append the following code:

#ZONE   TYPE       OPTIONS     IN           OUT
#                              OPTIONS      OPTIONS
fw      firewall
net     ipv4

Where,

fw firewall - Zone name. Designates the firewall itself. You must have exactly one 'firewall' zone. No options are permitted with a 'firewall' zone. The name that you enter in the ZONE column will be stored in the shell variable $FW, which you may use in other configuration files to designate the firewall zone.
net ipv4 - Zone name. This is the standard Shorewall zone type, here used for the Internet-facing zone.

Step #2: Create interfaces

Create the interfaces file as follows:

# vi /etc/shorewall/interfaces

Append the following code:

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,logmartians,nosmurfs
net     eth1        detect      dhcp
net     ppp+        detect      dhcp

Save and close the file. In this example I've defined the firewall's network interfaces (eth0, eth1 and ppp+) to Shorewall. Where,

net - The zone for the eth0 interface. Must match the name of a zone declared in /etc/shorewall/zones.
eth0 - The interface assigned to the net zone.
detect - This is optional, but if you use the special value detect, Shorewall will detect the broadcast address(es) for you if your iptables and kernel include Address Type match support.
tcpflags,logmartians,nosmurfs - A comma-separated list of options:
   tcpflags - Packets arriving on this interface are checked for certain illegal combinations of TCP flags.
   logmartians - Turn on kernel martian logging, i.e. logging of packets with impossible source addresses. This is a must for systems that act as a router.
   nosmurfs - Filter packets for smurfs (packets with a broadcast address as the source).
dhcp - The interface gets its IP address via DHCP.
net eth1 detect dhcp - eth1 is my net zone interface. This is my wireless interface.
net ppp+ detect dhcp - ppp+ (ppp0, ppp1 and so on) is my net zone interface. This is used by pppd (e.g., a pptp vpn client).

Step #3: Define shorewall policy

Edit /etc/shorewall/policy, enter:

# vi /etc/shorewall/policy

Append the code as follows:

#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
fw        all    ACCEPT
net       all    DROP     info
# The FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info

Where,

fw - Firewall zone (i.e. the machine itself).
net - Internet zone.

In this example, I'm allowing all traffic from the firewall (the machine itself). However, all traffic coming from the net zone is dropped. In other words, I'm allowing all outgoing traffic from my desktop, but no incoming connections are allowed by default, and they are logged at syslog level KERNEL.INFO. The last line rejects all remaining connections and logs them at level KERNEL.INFO.

Step #4: Open required ports (if any)

Edit /etc/shorewall/rules, enter:

# vi /etc/shorewall/rules

Append the following code:

##############################################################################################################
#ACTION   SOURCE   DEST   PROTO   DEST   SOURCE   ORIGINAL   RATE   USER/   MARK
#                                 PORT   PORT

In this example, I'm accepting bittorrent traffic on TCP / UDP port # 9500 forwarded by ISP router. You can use the rule as follows to open smtp and ssh ports:

#Forward all ssh and http connection requests from the internet to local system 192.168

Save and close the file.
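Before restarting Shorewall it is worth checking that the three files from steps 1 to 3 agree with each other and with the rules the tutorial states: exactly one 'firewall' zone with no options, every interface assigned to a declared zone, DROP/REJECT policies carrying a log level, and 'all all REJECT' as the final policy. The script below is an added example written for this page, not code from Shorewall or the original tutorial; it reads the files as strings (the sample contents are constructed from the steps above) and complements, rather than replaces, Shorewall's own `shorewall check`.

```python
"""Sanity-check the zones, interfaces and policy files from the tutorial's steps 1-3."""

def parse(text):
    """Split a Shorewall config file into column lists, dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def lint(zones_text, interfaces_text, policy_text):
    """Return a list of problems; an empty list means the files follow the tutorial's rules."""
    problems = []
    zones = parse(zones_text)
    fw_zones = [z[0] for z in zones if len(z) > 1 and z[1] == "firewall"]
    if len(fw_zones) != 1:
        problems.append(f"expected exactly one 'firewall' zone, found {len(fw_zones)}")
    for z in zones:
        if len(z) > 2 and z[1] == "firewall":
            problems.append(f"zone {z[0]}: no OPTIONS are permitted on a firewall zone")
    names = {z[0] for z in zones}
    for iface in parse(interfaces_text):
        name = iface[1] if len(iface) > 1 else "?"
        if iface[0] not in names:
            problems.append(f"interface {name}: zone '{iface[0]}' is not declared in zones")
    policy = parse(policy_text)
    valid = names | {"all", "$FW"}          # $FW is Shorewall's alias for the firewall zone
    for p in policy:
        label = " ".join(p)
        for z in p[:2]:
            if z not in valid:
                problems.append(f"policy '{label}': unknown zone '{z}'")
        if len(p) == 3 and p[2] in ("DROP", "REJECT"):   # third column only, no LOG LEVEL
            problems.append(f"policy '{label}': {p[2]} without a LOG LEVEL leaves no trace in syslog")
    if not policy or policy[-1][:3] != ["all", "all", "REJECT"]:
        problems.append("the last policy must be 'all all REJECT'")
    return problems

# Constructed sample contents matching the tutorial's steps 1-3.
ZONES = "fw firewall\nnet ipv4\n"
INTERFACES = "net eth0 detect tcpflags,logmartians,nosmurfs\nnet eth1 detect dhcp\nnet ppp+ detect dhcp\n"
POLICY = "fw all ACCEPT\nnet all DROP info\n# The FOLLOWING POLICY MUST BE LAST\nall all REJECT info\n"

if __name__ == "__main__":
    for problem in lint(ZONES, INTERFACES, POLICY) or ["configuration looks consistent"]:
        print(problem)
```

To run it against a live system, pass the contents of /etc/shorewall/zones, /etc/shorewall/interfaces and /etc/shorewall/policy to lint() instead of the sample strings.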

How do I start / stop / restart shorewall?

Use the following command:

# /etc/init.d/shorewall start
# /etc/init.d/shorewall stop
# /etc/init.d/shorewall restart

How do I see currently loaded firewall rules?

# shorewall show | less

Sample outputs:

Shorewall 4.4.11.6 filter Table at wks01 - Sat Aug 18 03:19:49 IST 2012

Counters reset Sat Aug 18 03:18:53 IST 2012

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  3176 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW
   29  3540 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ppp+_in    all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW
    0     0 ppp+_fwd   all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   30  4184 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 fw2net     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 fw2net     all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain Drop (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 /* Auth */
    0     0 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 code 4 /* Needed ICMP types */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 /* Needed ICMP types */

How do I see the IP connections currently being tracked by the firewall?

# shorewall show connections

How do I see zones?

# shorewall show zones

Sample outputs:

Shorewall 4.4.11.6 Zones at wks01 - Sat Aug 18 03:21:30 IST 2012

fw (firewall)
net (

How do I see firewall logs?

The hits command generates several reports from Shorewall log messages in the current log file:

# shorewall hits

Sample outputs:

Shorewall 4.4.11.6 Hits at wks01 - Sat Aug 18 03:23:09 IST 2012

  HITS IP               DATE
------
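The hits report is built from the kernel LOG entries whose prefix appears in the `shorewall show` output above (`Shorewall:INPUT:REJECT:` and `Shorewall:FORWARD:REJECT:`). The script below is an added example written for this page, not code from Shorewall or the original tutorial: it parses those messages out of a syslog excerpt (constructed here, using documentation address ranges) and tallies them by source address, protocol and destination port, so a repeated probe of one port stands out more clearly than in a per-IP count.

```python
"""Tally Shorewall log messages per source, like 'shorewall hits', from a syslog excerpt."""
import re
from collections import Counter

# Shorewall prefixes each Netfilter LOG line with 'Shorewall:<chain>:<disposition>:' and the
# kernel appends key=value fields (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, ...).
LOG_RE = re.compile(
    r"^(?P<date>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[[^\]]*\] )?"
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")

def parse_line(line):
    """Return a dict for one Shorewall log line, or None for any other syslog line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"date": m.group("date"), "chain": m.group("chain"), "disposition": m.group("disp")}
    rec.update(re.findall(r"(\w+)=(\S*)", m.group("fields")))  # bare flags such as DF are skipped
    return rec

def hits(log_text):
    """Count logged packets per (SRC, PROTO, DPT), most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec.get("SRC"), rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts.most_common()

# Constructed syslog excerpt (documentation addresses 203.0.113.0/24 and 198.51.100.0/24).
SAMPLE_LOG = """\
Aug 18 03:19:12 wks01 kernel: Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 03:19:13 wks01 kernel: Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 03:19:40 wks01 kernel: Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=UDP SPT=5000 DPT=53 LEN=28
Aug 18 03:20:01 wks01 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    for (src, proto, dport), n in hits(SAMPLE_LOG):
        print(f"{n:5d} {src:<16} {proto}/{dport}")
```

On a real host, feed it the kernel log Shorewall writes to (e.g. the contents of /var/log/messages or /var/log/kern.log on Debian) instead of SAMPLE_LOG.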

Conclusion

The Shorewall firewall allows many more options, and this quick tutorial only covered basic firewall settings. I recommend that you read the shorewall man page for more information or visit the project website.