I know how to set up a firewall under RHEL / Fedora and CentOS Linux quickly. How do I set up a host-based firewall under a Debian or Ubuntu Linux server or desktop system? How do I install the Shoreline Firewall (Shorewall) utility to build a firewall based on Netfilter under Debian or Ubuntu Linux?
Tutorial details
Shorewall is an open source tool for Linux that builds upon iptables. It makes it easier to manage more complex configuration schemes by providing a higher level of abstraction for describing rules in text files. Shorewall is mainly used to protect a DMZ, a LAN, or dedicated servers powered by Debian or Ubuntu Linux. You can also use it to protect a single computer or laptop.
Difficulty: Advanced | Root privileges: Yes | Requirements: Debian/Ubuntu
How do I install shorewall?
Type the following command as root user:
# apt-get install shorewall shorewall-common shorewall-shell
Shorewall Configuration Files
All files are located in the /etc/shorewall directory, as follows:
1. /etc/shorewall/shorewall.conf - Shorewall global configuration file.
2. /etc/shorewall/interfaces - The interfaces file serves to define the firewall's network interfaces to Shorewall.
3. /etc/shorewall/policy - Shorewall policy file for connections between zones defined in the /etc/shorewall/zones config file.
4. /etc/shorewall/rules - Shorewall rules file.
5. /etc/shorewall/zones - The /etc/shorewall/zones file declares your network zones. You specify the hosts in each zone through entries in /etc/shorewall/interfaces or /etc/shorewall/hosts.
Configuration
Turn on the firewall by editing the /etc/default/shorewall file, enter:
# vi /etc/default/shorewall
Set the startup variable to 1 in order to allow Shorewall to start:
startup=1
Save and close the file.
Step #1: Define network zones
Edit /etc/shorewall/zones, enter:
# vi /etc/shorewall/zones
Append the following code:
#ZONE   TYPE    OPTIONS         IN      OUT
fw      firewall
net     ipv4
Where,
fw firewall - Zone name. Designates the firewall itself. You must have exactly one 'firewall' zone. No options are permitted with a 'firewall' zone. The name that you enter in the ZONE column will be stored in the shell variable $FW, which you may use in other configuration files to designate the firewall zone.
net ipv4 - Zone name. This is the standard Shorewall zone.
Step #2: Create interfaces
Create an interfaces file as follows:
# vi /etc/shorewall/interfaces
Append the following code:
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          tcpflags,logmartians,nosmurfs
Save and close the file. In this example I've defined the firewall's network interface (eth0) to Shorewall. Where,
net - net is the zone for the eth0 interface. It must match the name of a zone declared in /etc/shorewall/zones.
eth0 - The eth0 interface belongs to the net zone.
detect - This is optional, but if you use the special value detect, Shorewall will detect the broadcast address(es) for you if your iptables and kernel include Address Type match support.
tcpflags,logmartians,nosmurfs - A comma-separated list of options:
  tcpflags - Packets arriving on this interface are checked for certain illegal combinations of TCP flags.
  logmartians - Turn on kernel martian logging, i.e. logging of packets with impossible source addresses. This is a must for systems that act as a router.
  nosmurfs - Filter packets for smurfs (packets with a broadcast address as the source).
  dhcp - The interface gets its IP address via DHCP.
net eth1 detect dhcp - eth1 is my net zone interface. This is my wireless interface.
net ppp+ detect dhcp - ppp+ (ppp0, ppp1 and so on) is my net zone interface. This is used by pppd (e.g., a pptp vpn client).
Step #3: Set the default policy
Edit /etc/shorewall/policy to set the default policy for connections between the zones defined above. Where,
fw - Firewall zone (i.e. the machine itself).
net - Internet zone.
In this example, I'm allowing all traffic from the firewall (the machine itself). However, all traffic coming from the net zone is dropped. In other words, I'm allowing all outgoing traffic from my desktop, but no incoming connections are allowed by default, and they are logged at syslog level KERNEL.INFO. The last line rejects / drops all other connections and logs them at level KERNEL.INFO.
Step #4: Open required ports (if any)
Edit /etc/shorewall/rules, enter:
# vi /etc/shorewall/rules
In this example, I'm accepting bittorrent traffic on TCP / UDP port # 9500 forwarded by ISP router. You can use the rule as follows to open smtp and ssh ports:
# Forward all ssh and http connection requests from the internet to local system 192.168
Save and close the file.
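To see how the rules and policy files from the steps above work together, here is an added Python example (it is not part of the original tutorial or of Shorewall itself). Shorewall compiles the two files into iptables chains in which the explicit rules are tried first, in file order, and the first matching policy entry decides any connection that no rule matched; the script reproduces that lookup for the columns used in this tutorial. The two configuration snippets are constructed inline to match the fw and net zones defined above; the port numbers in RULES are sample values, and the parser understands only the columns shown.

```python
"""Evaluate a connection against Shorewall-style policy and rules files.

Added example for this tutorial; it is not Shorewall's own code.  Shorewall
compiles /etc/shorewall/rules and /etc/shorewall/policy into iptables chains in
which the explicit rules are tried first, in file order, and the first matching
policy entry decides everything no rule matched.  This script reproduces that
lookup for the columns used in the tutorial (zones, protocol, destination port).
"""

FW = "fw"  # the 'firewall' zone from /etc/shorewall/zones; $FW expands to it

# Constructed policy file mirroring the tutorial's description: allow
# everything the firewall itself originates, drop and log everything arriving
# from net, reject and log whatever is left.
POLICY = """\
#SOURCE  DEST  POLICY  LOG LEVEL
$FW      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
"""

# Constructed rules file; the port numbers are sample values for this example.
RULES = """\
#ACTION  SOURCE  DEST  PROTO    DEST PORT(S)
ACCEPT   net     $FW   tcp      22
ACCEPT   net     $FW   tcp      25
ACCEPT   net     $FW   tcp,udp  9500
"""


def _records(text):
    """Yield the whitespace-split fields of each non-comment line, expanding $FW."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield [FW if field == "$FW" else field for field in line.split()]


def parse_policy(text):
    return [
        {"source": f[0], "dest": f[1], "policy": f[2],
         "log": f[3] if len(f) > 3 else None}
        for f in _records(text)
    ]


def parse_rules(text):
    rules = []
    for f in _records(text):
        proto = None if len(f) < 4 or f[3] == "-" else set(f[3].lower().split(","))
        ports = None if len(f) < 5 or f[4] == "-" else {int(p) for p in f[4].split(",")}
        rules.append({"action": f[0], "source": f[1], "dest": f[2],
                      "proto": proto, "ports": ports})
    return rules


def _zone_match(pattern, zone):
    return pattern == "all" or pattern == zone


def decide(src_zone, dst_zone, proto, dport, rules=None, policy=None):
    """Return (verdict, log_level, origin) for a new connection.

    origin is 'rules' when an explicit rule matched, 'policy' when the policy
    file decided, and 'implicit' when neither matched (the tutorial's final
    all/all REJECT policy line exists precisely so that this never happens)."""
    rules = parse_rules(RULES) if rules is None else rules
    policy = parse_policy(POLICY) if policy is None else policy
    for r in rules:
        if not (_zone_match(r["source"], src_zone) and _zone_match(r["dest"], dst_zone)):
            continue
        if r["proto"] is not None and proto.lower() not in r["proto"]:
            continue
        if r["ports"] is not None and dport not in r["ports"]:
            continue
        return r["action"], None, "rules"
    for p in policy:
        if _zone_match(p["source"], src_zone) and _zone_match(p["dest"], dst_zone):
            return p["policy"], p["log"], "policy"
    return "DROP", None, "implicit"


if __name__ == "__main__":
    probes = [("net", FW, "tcp", 22), ("net", FW, "tcp", 80),
              ("net", FW, "udp", 9500), (FW, "net", "tcp", 443)]
    for src, dst, proto, port in probes:
        verdict, level, origin = decide(src, dst, proto, port)
        logged = f", logged at {level}" if level else ""
        print(f"{src:>3} -> {dst:<3} {proto}/{port:<5} {verdict} (from {origin}{logged})")
```

Run it with a rules file of your own pasted into RULES to check that a new ACCEPT line really is reached before the net/all DROP policy, which is the most common mistake when a freshly opened port still does not answer.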
How do I start / stop / restart shorewall?
Use the following command:
# /etc/init.d/shorewall start
# /etc/init.d/shorewall stop
# /etc/init.d/shorewall restart
How do I see currently loaded firewall rules?
# shorewall show | less
Sample outputs:
Shorewall 4.4.11.6 Filter Table at wks01 - Sat Aug 18 03:19:49 IST 2012
Counters reset Sat
How do I see the IP connections currently being tracked by the firewall?
# shorewall show connections
How do I see zones?
# shorewall show zones
Sample outputs:
Shorewall 4.4.11.6 Zones at wks01 - Sat Aug 18 03:21:30 IST 2012
fw (firewall)
net (ipv4)
How do I see firewall logs?
The hits command generates several reports from Shorewall log messages in the current log file:
# shorewall hits
Sample outputs:
Shorewall 4.4.11.6 Hits at wks01 - Sat Aug 18 03:23:09 IST 2012
HITS    IP      DATE
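The hits report is built from the kernel log lines that the DROP/REJECT policies with a log level of info produce. As an added Python example (not Shorewall's own code, and not an exact reimplementation of shorewall hits), the script below parses such lines from syslog and builds the same HITS / IP / DATE view, plus a per-port breakdown that is useful when deciding whether a noisy source is probing or misconfigured. Shorewall logs with a prefix of the form Shorewall:<chain>:<disposition>: followed by the usual Netfilter key=value fields; SAMPLE_LOG is constructed for this example, uses RFC 5737 documentation addresses, and the hostname wks01 is taken from the output above.

```python
"""Summarise Shorewall log messages from syslog.

Added example for this tutorial; it is not Shorewall's own code and does not
reproduce `shorewall hits` exactly.  Shorewall logs dropped and rejected
packets through the kernel with a prefix of the form
Shorewall:<chain>:<disposition>: followed by the usual Netfilter key=value
fields, so a few regular expressions are enough to build the HITS / IP / DATE
view the tutorial shows.  SAMPLE_LOG is constructed for this example and uses
RFC 5737 documentation addresses; the last line is a non-Shorewall entry that
the parser must ignore.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Aug 18 03:20:01 wks01 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=49152 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 03:20:02 wks01 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=49153 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 03:20:05 wks01 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.77 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=UDP SPT=40123 DPT=1900 LEN=28
Aug 18 03:20:09 wks01 kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=49154 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 03:21:00 wks01 sshd[1234]: Accepted publickey for alice from 192.168.1.20 port 50000 ssh2
"""

# syslog timestamp, host, then the Shorewall prefix with chain and disposition
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$"
)
# only the Netfilter fields the report needs
KV_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_hits(text):
    """Return one dict per Shorewall log line; other syslog lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kv = dict(KV_RE.findall(m["fields"]))
        dpt = kv.get("DPT", "")
        hits.append({
            "time": m["ts"], "chain": m["chain"], "disposition": m["disp"],
            "src": kv.get("SRC"), "dst": kv.get("DST"), "proto": kv.get("PROTO"),
            "dport": int(dpt) if dpt.isdigit() else None,
        })
    return hits


def hits_by_source(hits):
    """Number of logged packets per source address (the HITS and IP columns)."""
    return Counter(h["src"] for h in hits)


def hits_by_port(hits):
    """Number of logged packets per (protocol, destination port)."""
    return Counter((h["proto"], h["dport"]) for h in hits)


def report(hits):
    """Render a HITS / IP / DATE table; DATE is the first time each source was seen."""
    first_seen = {}
    for h in hits:
        first_seen.setdefault(h["src"], h["time"])
    lines = [f"{'HITS':>5}  {'IP':<16} DATE"]
    for src, count in hits_by_source(hits).most_common():
        lines.append(f"{count:>5}  {src:<16} {first_seen[src]}")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_hits(SAMPLE_LOG)
    print(report(parsed))
    print()
    for (proto, port), count in hits_by_port(parsed).most_common():
        print(f"{count:>5}  {proto}/{port}")
```

On a real system, feed the script the current log file (for example /var/log/kern.log or /var/log/syslog on Debian and Ubuntu) instead of SAMPLE_LOG; a single source hitting many different destination ports in a short window is the pattern worth looking at first.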
Conclusion
The Shorewall firewall offers many more options, and this quick tutorial only covered basic firewall settings. I recommend that you read the shorewall man page for more information or visit the project website.