Shoreline Firewall, known as "Shorewall", is a very high-level firewall that is easy to install and configure.
How to install :-

    sudo apt-get install shorewall
Configuring the shorewall startup service :-

    nano /etc/default/shorewall

Now simply change the startup line from 0 to 1:

    startup=0   ->   startup=1

Save and exit.
Shorewall configuration files are stored in two separate places:
/etc/shorewall stores all the program configuration files.
/usr/share/shorewall stores supporting files and action files.
Configuring shorewall :-
We need to copy the sample configuration files from /usr/share/doc/shorewall/default-config to /etc/shorewall:

    cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/

Now you have the configuration files located at /etc/shorewall.
Zones Configuration :-
First edit the zones file to specify the different network zones. These are just labels that you will use in the other files. Consider the Internet as one zone and a private network as another zone. If you have this setup, the zones file would look like this:

    $ nano /etc/shorewall/zones

Add the two lines below to your zones file:

    #ZONE   TYPE
    net     ipv4
    loc     ipv4

Save and exit.
Interfaces Configuration :-
The next file to edit is the interfaces file, which specifies the interfaces on your machine. Here you connect the zones that you defined in the previous step with an actual interface. The third field is the broadcast address for the network attached to the interface ("detect" will figure this out for you). The last field holds the options for the interface; the options listed below are a good starting point.

    $ nano /etc/shorewall/interfaces

Add the two lines below to the interfaces file:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      routefilter,norfc1918,logmartians,nosmurfs,tcpflags,blacklist
    loc     eth1        detect      tcpflags

Save and exit. Note that the norfc1918 option was removed in Shorewall 4.0; on a release that no longer knows it, shorewall refuses to start with an error pointing at that line, so drop it from the option list.
Policy Configuration :-
The next file defines your firewall's default policy. The default policy is used when no other rule applies. Often you will set the default policy to REJECT or DROP, then configure specifically which ports/services are allowed in the next step; anything you do not configure is rejected or dropped according to this policy. An example policy (based on the zones and interfaces we used above) would be:

    $ nano /etc/shorewall/policy

Add the lines below to the policy file:

    #SOURCE   DEST   POLICY   LOG LEVEL
    fw        net    ACCEPT
    fw        loc    ACCEPT
    net       all    DROP     info
    # THE FOLLOWING POLICY MUST BE LAST
    all       all    REJECT   info

Save and exit.
This policy says: by default, accept any traffic originating from the machine (fw) to the internet and to the local network. Anything that comes in from the internet destined for either the machine or the local network is dropped and logged at the syslog level "info". The last line closes everything else off and probably won't ever be touched. Note: DROP rules discard packets quietly, whereas REJECT sends something back letting the originator know they've been rejected.
Rules Configuration :-
The most important file is the rules file. This is where you set what is allowed and what is not. Any new connection that comes into your firewall is checked against these rules; if none of them apply, the default policy applies. Note: this is only for new connections; existing connections are automatically accepted. The comments in the file give you a good idea of how things work, but the following example will give you a head start:

    $ nano /etc/shorewall/rules

Add the lines below to the rules file:

    #ACTION   SOURCE         DEST   PROTO   DEST PORT                                               SOURCE    ORIGINAL   RATE    USER/
    #                                                                                               PORT(S)   DEST       LIMIT   GROUP
    ACCEPT    net            fw     icmp    8
    ACCEPT    fw             net    icmp
    ACCEPT    net            fw     tcp     ssh,www,https,smtp,pop3,pop3s,imap2,imaps,submission
    ACCEPT    net            fw     udp     https
    # ACCEPT  net:10.1.1.1   fw     tcp     ssh

Save and exit.
This example can be written in long-hand as: "Accept any pings (icmp type 8, echo request) from the internet to the machine; accept any tcp connections from the internet on any of the ports referenced in /etc/services for the services ssh (22), www (80), https (443), etc.; also accept udp connections from the internet to https (443)." The final, commented-out line shows how you would accept tcp connections to the ssh port (22) from the internet only when they come from the IP 10.1.1.1. Rules are matched in order and the first match wins, so if you enable that line you must also remove ssh from the broader tcp rule above it; otherwise the broader rule still matches first and the restriction has no effect.
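Because the rules file is evaluated top to bottom with first match winning, a narrow rule placed after a broader one that already covers it is dead configuration, exactly the trap with the net:10.1.1.1 ssh line above. The following script is an added example, not part of the original howto and not a Shorewall tool: it writes a constructed rules file (the howto's example with that line enabled) to a temporary file and runs a small awk check that reports any rule an earlier rule already shadows. The function names write_sample_rules and shadowed_rules are the example's own; the check understands the ACTION/SOURCE/DEST/PROTO/DEST PORT columns used in the howto and treats a zone source such as "net" as covering "net:address".

```shell
#!/bin/sh
# Added example, not part of the original howto: find rules in a Shorewall rules
# file that can never match because an earlier, broader rule already covers them.
# Shorewall evaluates /etc/shorewall/rules top to bottom and the first match wins,
# so a narrow rule (e.g. ssh only from net:10.1.1.1) placed after a rule that
# already accepts ssh from the whole net zone is dead configuration.

# write_sample_rules FILE: writes a constructed rules file modelled on the
# howto's example, with the net:10.1.1.1 line enabled instead of commented out.
write_sample_rules() {
    cat > "$1" <<'EOF'
#ACTION SOURCE       DEST PROTO DEST
#                               PORT(S)
ACCEPT  net          fw   icmp  8
ACCEPT  fw           net  icmp
ACCEPT  net          fw   tcp   ssh,www,https,smtp,pop3,pop3s,imap2,imaps,submission
ACCEPT  net          fw   udp   https
ACCEPT  net:10.1.1.1 fw   tcp   ssh
EOF
}

# shadowed_rules FILE: prints one line per unreachable rule in the form
#   "<line no>: <rule text>  (shadowed by line <n>)"
# A rule is reported when some earlier rule has the same DEST and PROTO, a
# SOURCE equal to this rule's SOURCE or to its zone part ("net" covers
# "net:10.1.1.1"), and a DEST PORT list that contains every port of this
# rule, or no port at all ("-" or empty, meaning any port).
shadowed_rules() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
    {
        n++
        line[n] = NR; text[n] = $0
        src[n] = $2; dst[n] = $3; proto[n] = $4
        port[n] = ($5 == "" ? "-" : $5)              # missing port field means any
        zone[n] = $2; sub(/:.*/, "", zone[n])        # "net:10.1.1.1" -> "net"
    }
    END {
        for (i = 2; i <= n; i++)
            for (j = 1; j < i; j++) {
                if (dst[j] != dst[i] || proto[j] != proto[i]) continue
                if (src[j] != src[i] && src[j] != zone[i]) continue
                if (port[j] != "-") {
                    # the earlier rule lists specific ports: it only shadows a
                    # later rule whose every port appears in that list
                    if (port[i] == "-") continue
                    m = split(port[i], want, ","); covered = 1
                    for (k = 1; k <= m; k++)
                        if (index("," port[j] ",", "," want[k] ",") == 0) { covered = 0; break }
                    if (!covered) continue
                }
                printf "%d: %s  (shadowed by line %d)\n", line[i], text[i], line[j]
                break
            }
    }' "$1"
}

# Stand-alone run against the constructed sample.
RULES_FILE=$(mktemp)
write_sample_rules "$RULES_FILE"
shadowed_rules "$RULES_FILE"
rm -f "$RULES_FILE"
```

Run it against your real file with `shadowed_rules /etc/shorewall/rules` after sourcing the script; on the sample it reports line 7 (the net:10.1.1.1 ssh rule) as shadowed by line 5, the broad tcp rule. The check deliberately ignores ACTION, since a later DROP hidden behind an earlier ACCEPT is just as unreachable as a later ACCEPT.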
The final step is to start the shorewall firewall:

    $ sudo /etc/init.d/shorewall start
    password :
If there is a syntax error in your configuration you will get an error saying so, and you should read /var/log/shorewall-init.log to figure out why.
If everything does start up, make sure that you aren't blocking something you don't mean to; you can check that by looking at your firewall logs.
Here is the result when someone tries to attack the server:

    $ tail -f /var/log/messages

    Oct 9 15:52:06 athena kernel: [1274443.734684] Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0c:29:61:de:33:00:d0:00:6b:54:00:08:00 src=218.232.95.60 DST=216.176.188.107 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=43443 PROTO=UDP SPT=3664 DPT=1434 LEN=384
    Oct 9 16:00:33 athena kernel: [1274950.625316] Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0c:29:61:de:33:00:d0:00:6b:54:00:08:00 src=121.18.13.107 DST=216.176.188.107 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=256 DF PROTO=TCP SPT=12200 DPT=7212 WINDOW=8192 RES=0x00 SYN URGP=0
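Watching tail -f is fine for a minute, but a single scanning host or a burst against one port is easier to spot when the DROP entries are counted. The script below is an added example, not part of the original howto or of Shorewall: it writes a constructed sample log (the two entries above plus three made-up lines in the same format, including one non-Shorewall kernel line that must be ignored) and summarises the DROP/REJECT entries by source address, destination port and logging chain. The function names write_sample_log and drop_summary are the example's own. The kernel writes the keys in upper case (SRC=, DPT=) while the howto shows src= lower-cased, so the parser accepts either.

```shell
#!/bin/sh
# Added example, not part of the original howto: summarise Shorewall DROP/REJECT
# log entries by source address, destination port and logging chain, so that a
# single host hammering the firewall, or a burst against one port, stands out
# in a long /var/log/messages instead of scrolling past in tail -f.

# write_sample_log FILE: writes constructed sample lines. The first two are the
# entries shown in the howto; the rest are made up in the same format, and the
# last one is an unrelated kernel message that must not be counted.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 9 15:52:06 athena kernel: [1274443.734684] Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0c:29:61:de:33:00:d0:00:6b:54:00:08:00 src=218.232.95.60 DST=216.176.188.107 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=43443 PROTO=UDP SPT=3664 DPT=1434 LEN=384
Oct 9 16:00:33 athena kernel: [1274950.625316] Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0c:29:61:de:33:00:d0:00:6b:54:00:08:00 src=121.18.13.107 DST=216.176.188.107 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=256 DF PROTO=TCP SPT=12200 DPT=7212 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 9 16:00:41 athena kernel: [1274958.100000] Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0c:29:61:de:33:00:d0:00:6b:54:00:08:00 SRC=121.18.13.107 DST=216.176.188.107 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=257 DF PROTO=TCP SPT=12201 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 9 16:00:42 athena kernel: [1274959.200000] Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0c:29:61:de:33:00:d0:00:6b:54:00:08:00 SRC=121.18.13.107 DST=216.176.188.107 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=258 DF PROTO=TCP SPT=12202 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 9 16:01:03 athena kernel: [1274980.000000] eth0: link is up, 1000 Mbps full duplex
EOF
}

# drop_summary FILE: prints sorted lines of the form
#   chain <chain>:<disposition> <count>
#   port <proto>/<dport> <count>
#   src <address> <count>
#   total <count>
# counting only lines whose Shorewall tag carries DROP or REJECT.
drop_summary() {
    awk '
    /Shorewall:[^:]*:(DROP|REJECT):/ {
        src = ""; dpt = ""; proto = ""; chain = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "Shorewall:") == 1) {      # e.g. Shorewall:net2all:DROP:IN=eth0
                split($i, tag, ":")
                chain = tag[2] ":" tag[3]
                continue
            }
            split($i, kv, "=")                      # KEY=value tokens; others give kv[2]=""
            k = toupper(kv[1])                      # accept SRC= and src= alike
            if (k == "SRC") src = kv[2]
            else if (k == "DPT") dpt = kv[2]
            else if (k == "PROTO") proto = kv[2]
        }
        if (src == "") next
        total++
        bysrc[src]++
        byport[proto "/" dpt]++
        bychain[chain]++
    }
    END {
        printf "total %d\n", total + 0
        for (s in bysrc)   printf "src %s %d\n", s, bysrc[s]
        for (p in byport)  printf "port %s %d\n", p, byport[p]
        for (c in bychain) printf "chain %s %d\n", c, bychain[c]
    }' "$1" | LC_ALL=C sort
}

# Stand-alone run against the constructed sample.
LOG_FILE=$(mktemp)
write_sample_log "$LOG_FILE"
drop_summary "$LOG_FILE"
rm -f "$LOG_FILE"
```

On the sample this reports 4 dropped packets in chain net2all:DROP, three of them from 121.18.13.107 and two of those aimed at tcp/23; on a real box run `drop_summary /var/log/messages` after sourcing the script. The output is piped through sort with LC_ALL=C so the order is stable regardless of locale, which matters if you diff two runs.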
Nice howto but what about IPv6 firewalling?
Hi, thank you for your effort and help.
I’m new to Linux and would like to understand something.
I have followed exactly every step mentioned above. Then, when I launched shorewall I received an error about "norfc1918" in the Interfaces file, line 11. I then completely changed the two lines in the Interfaces file with these:

    #ZONE INTERFACE BROADCAST OPTIONS
    net eth0 detect dhcp,norfc1918,blacklist

and it works fine now.
I found this help in this link:
http://www.opendocs.net/shorewall/2.0/Documentation.htm#Interfaces
Can someone, please, explain what caused the error and how it was solved? Thank you.