2009-07-28

Linux - How to set up Shorewall firewall (alternate to FireStarter)

There are a few firewall front-ends for iptables available on Linux, both GUI (Graphical User Interface) and CLI (Command Line Interface). FireStarter's GUI is easy to use and configure. The only problem is that it does not work properly with PPTP VPN dial-up: it blocks the GRE protocol. A workaround exists (don't ask, it is too painful to remember), but the steps are tedious and mix command-line and GUI setup, and that kind of setup always spells trouble.

Shorewall is another firewall front-end, one that operates from the CLI. This is taken from Shorewall's introduction:

"The Shoreline Firewall, more commonly known as “Shorewall”, is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables, iptables-restore, ip and tc utilities, Shorewall configures Netfilter and the Linux networking subsystem to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities."

Shorewall makes configuring an iptables firewall easy: you describe the zones, interfaces, policies and rules in a few files and the firewall is ready to go. Shorewall's website also provides extensive documentation on how it works and how to set it up.

This post is intended to set up Shorewall in a few simple steps, so it is not really suitable for a medium to large enterprise. Here it is:

1. Install Shorewall using apt:
apt-get install shorewall shorewall-common shorewall-shell

2. Copy the sample configuration files that come with Shorewall:
cp /usr/share/doc/shorewall-common/default-config/interfaces /etc/shorewall/
cp /usr/share/doc/shorewall-common/default-config/policy /etc/shorewall/
cp /usr/share/doc/shorewall-common/default-config/rules /etc/shorewall/
cp /usr/share/doc/shorewall-common/default-config/zones /etc/shorewall/

3. Set the following parameter in /etc/shorewall/shorewall.conf:
STARTUP_ENABLED=Yes
(if the file does not exist, extract it from /usr/share/doc/shorewall-common/examples/one-interface/shorewall.conf.gz)

4. Configure the firewall's interface. Insert:
net     eth0            detect          dhcp
into
/etc/shorewall/interfaces

5. Configure the firewall's default policy. Insert:
$FW             net             ACCEPT
net             all             DROP            info
all             all             DROP            info
into
/etc/shorewall/policy

6. Configure the firewall's rules. Insert:
ACCEPT          net             $FW             tcp     8899
into
/etc/shorewall/rules

7. Configure the firewall's zones. Insert:
fw      firewall
net     ipv4
loc     ipv4
into
/etc/shorewall/zones

8. Finally, start Shorewall's service:
/etc/init.d/shorewall start
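The eight steps above, collected into one script as an added example (it is not part of the original post and not Shorewall's own tooling). write_shorewall_config writes the four files from steps 4 to 7 with exactly the lines given above (eth0, the net/loc zones, the single rule opening TCP 8899 from the Internet to the firewall itself); check_zones is a local helper that confirms every zone named in interfaces, policy and rules is actually defined in zones before the firewall is started. The SHOREWALL_DIR variable and the "write" argument are assumptions of this script, added so it can be staged in a scratch directory first.

```shell
#!/bin/sh
# Added example: generate the Shorewall files from steps 4-7 and sanity-check them.
# SHOREWALL_DIR defaults to /etc/shorewall; override it to stage in a scratch dir.
# Assumed helper names (write_shorewall_config, check_zones); not part of Shorewall.

SHOREWALL_DIR="${SHOREWALL_DIR:-/etc/shorewall}"

# Write the four configuration files with the lines from the post.
write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"
    # step 7: zones (ZONE TYPE)
    printf '%s\n' \
        'fw      firewall' \
        'net     ipv4' \
        'loc     ipv4' > "$dir/zones"
    # step 4: interfaces (ZONE INTERFACE BROADCAST OPTIONS)
    printf '%s\n' 'net     eth0            detect          dhcp' > "$dir/interfaces"
    # step 5: policy (SOURCE DEST POLICY LOGLEVEL); unmatched traffic is dropped and logged
    printf '%s\n' \
        '$FW             net             ACCEPT' \
        'net             all             DROP            info' \
        'all             all             DROP            info' > "$dir/policy"
    # step 6: rules (ACTION SOURCE DEST PROTO DPORT); the only inbound hole is TCP 8899
    printf '%s\n' 'ACCEPT          net             $FW             tcp     8899' > "$dir/rules"
}

# Report zone names used in interfaces/policy/rules that are not defined in zones.
# Returns 0 when every referenced zone is defined, 1 otherwise.
check_zones() {
    dir="$1"
    missing=0
    zones=$(awk '!/^#/ && NF { print $1 }' "$dir/zones")
    # Zones referenced: interfaces column 1, policy columns 1-2, rules columns 2-3.
    refs=$(awk '!/^#/ && NF { print $1 }' "$dir/interfaces"
           awk '!/^#/ && NF { print $1; print $2 }' "$dir/policy"
           awk '!/^#/ && NF { print $2; print $3 }' "$dir/rules")
    for ref in $refs; do
        case "$ref" in
            all|'$FW') continue ;;   # Shorewall keywords, not zone names
        esac
        if ! printf '%s\n' "$zones" | grep -qx "$ref"; then
            echo "undefined zone referenced: $ref" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Only touch the filesystem when explicitly asked: sh shorewall-setup.sh write
if [ "${1:-}" = "write" ]; then
    write_shorewall_config "$SHOREWALL_DIR"
    check_zones "$SHOREWALL_DIR" && \
        echo "configuration written to $SHOREWALL_DIR; now run: shorewall check && /etc/init.d/shorewall start"
fi
```

Stage it first with `SHOREWALL_DIR=/tmp/sw sh shorewall-setup.sh write`, then run it as root without the override. Running `shorewall check` (Shorewall's own dry-run compile) before `/etc/init.d/shorewall start` catches the same class of mistakes as check_zones plus many more, and the policy lines log every dropped packet at the info level, so /var/log/messages is where a rule that did not behave as expected shows up.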

Some log files to check, in case something fails:
  • /var/log/shorewall-init.log for shorewall startup messages
  • /var/log/messages for rules related problems

See you later!!!
