Table of Contents
Shorewall_Firewall
Shorewall provides a front-end to iptables.
It allows configuration of iptables without knowing actual ports, but rather services running, such as Web, SSH, SVN etc. etc.
Shorewall is a large application which handles the following Jobs:
- Handle a single public IP address
- Standalone Linux System
- Two-interface Linux System acting as a firewall/router for a small local network.
- Three-interface Linux System acting as a firewall/router for a small local network and a DMZ.
- Handle Multiple Public IP addresses!!
Currently, we only want Shorewall to cater for a Standalone Linux System. <br />The Shorewall website http://www.shorewall.net provides excellent and definitive guides and how-to's on each of the points/jobs listed above!
Versions of Shorewall
There are currently two versions of Shorewall: 2.X and 3.X and there are different guides for each. <br /> Debian Sarge as on 22nd Oct, 2006 uses version 2.X <br /> Debian Etch(testing) as on 22nd Oct, 2006 uses version 3.X
The setup guides for each of the above versions are available on the main http://www.shorewall.net website - and should be taken from there directly. Click on the Documentation link in the left menu.
Setup & Installation of Shorewall - Version 3.X
apt-get install shorewall
The above installs the latest version of shorewall depending on whether you are running Debian Sarge or Debian Etch (testing). Due to the compulsory configuration required, debian disables the startup of Shorewall in /etc/default/shorewall (startup=0) on purpose. Only when Shorewall is configured - should the above file be enabled (startup=1).
The direct link to the shorewall how-to for Standalone Linux System is available at: http://www.shorewall.net/standalone.htm
Location of Default Shorewall Files
/usr/share/doc/shorewall/default-config = Default Config Files for Shorewall. <br /> /usr/share/shorewall = Default macros & rules for Shorewall.
Copy over and Edit Default Config files to /etc/shorewall/
Following the how-to guide on the main shorewall website (http://www.shorewall.net/standalone.htm) #1. - Copy over the modules file (as described in how-to) cp /usr/share/doc/shorewall/default-config/modules /etc/shorewall/ #2. - Copy over the zones file and enter the 2 zones - the internet (ipv4 and the firewall) cp /usr/share/doc/shorewall/default-config/zones /etc/shorewall/ uncomment the following two lines:
fw firewall
net ipv4
comment in if required (make sure there is only 1 line {fw firewall}:
#fw firewall
#3. - Copy over the default policy. (This default policy is the same as setting the main iptables policy) cp /usr/share/doc/shorewall/default-config/policy /etc/shorewall/ uncomment(or include):
$FW net ACCEPT
net all DROP info
all all REJECT info
#4. - Copy over and include the default interface cp /usr/share/doc/shorewall/default-config/interfaces /etc/shorewall/ uncomment(include):
net eth0 136.201.192.144
#5. - Copy over the rules file which will be edited later. cp /usr/share/doc/shorewall/default-config/rules /etc/shorewall/
Copy over the required Macros to /etc/shorewall/
cp /usr/share/shorewall/macro.service /etc/shorewall/ What are macros? <br /> Macros are where Service based Firewall rules are made. These macros are then used inside the /etc/shorewall/rules file eliminating the need for several entries and port numbers. The macro.Web (for the web service) is: # Shorewall version 3.0 - Web Macro # # /usr/share/shorewall/macro.Web # # This macro handles WWW traffic (secure and insecure). # ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ # PORT PORT(S) DEST LIMIT GROUP PARAM - - tcp 80 PARAM - - tcp 443 #LAST LINE – ADD YOUR ENTRIES BEFORE THIS ONE – DO NOT REMOVE
Once this macro.Web is copied to /etc/shorewall/ it is used by calling the following line inside /etc/shorewall/rules Web/ACCEPT net $FW
Create a custom macro.Munin (if required)
Because munin-node (statistics) uses port 4949, Shorewall does not have a pre-existing macro. A simple one can be created in /etc/shorewall/macro.Munin having the following config: # Shorewall version 3.0 - Munin Macro # # This macro handles Munin traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ # PORT PORT(S) DEST LIMIT GROUP PARAM - - tcp 4949 #LAST LINE – ADD YOUR ENTRIES BEFORE THIS ONE – DO NOT REMOVE
Final Config of /etc/shorewall/rules to Include macros
As per following the instructions on www.shorewall.net the macros are added in after: SECTION NEW ############################################################################################################# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ # PORT PORT(S) DEST LIMIT GROUP #SECTION ESTABLISHED #SECTION RELATED SECTION NEW Web/ACCEPT net $FW SSH/ACCEPT net $FW AllowICMPs/ACCEPT net $FW Ping/ACCEPT net $FW SNMP/ACCEPT net $FW Munin/ACCEPT net $FW #LAST LINE – ADD YOUR ENTRIES BEFORE THIS ONE – DO NOT REMOVE
Finally - Config Shorewall to start
vi /etc/default/shorewall #change startup=0 to startup=1
Conclusion on Shorewall
Shorewall similar to other applications (e.g. apache), tries to keep various config files seperated out for easy management (instead of in one huge config). Shorewall keeps seperate configs for services (in macro files). Should a service change requirements - only the macro requires editing.
More Info: <br /> http://www.besy.co.uk/projects/debian/sarge_mail_server_howto.htm