Debian / Ubuntu Linux: Install and Configure Shoreline Firewall (Shorewall)

Author: Last updated: December 19, 2012 4 comments

I know how to setup a firewall under RHEL / Fedora and CentOS Linux quickly. How do I setup a host-based firewall under Debian or Ubuntu Linux server or desktop system? How do I install Shoreline firewall (Shorewall) utility to build firewall based on the Netfilter under Debian or Ubuntu Linux?

Tutorial details
DifficultyAdvanced (rss)
Root privilegesYes
RequirementsDebian/Ubuntu
TimeN/A
Shorewall is an open source tool Linux that builds upon the iptables. It makes it easier to manage more complex configuration schemes. It provides a higher level of abstraction for describing rules using text files. Shorewall is mainly used to protect DMZ, LAN, or dedicated servers powered by Debian or Ubuntu Linux. You can also use it to protect a single computer or laptop.

ADVERTISEMENTS

How do I install shorewall?

Type the following command as root user:
# apt-get install shorewall shorewall-common shorewall-shell
Sample outputs:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  shorewall shorewall-common shorewall-shell
0 upgraded, 3 newly installed, 0 to remove and 12 not upgraded.
Need to get 455 kB of archives.
After this operation, 2,052 kB of additional disk space will be used.
Get:1 http://debian.osuosl.org/debian/ squeeze/main shorewall all 4.4.11.6-3+squeeze1 [378 kB]
Get:2 http://debian.osuosl.org/debian/ squeeze/main shorewall-common all 4.4.11.6-3+squeeze1 [38.8 kB]
Get:3 http://debian.osuosl.org/debian/ squeeze/main shorewall-shell all 4.4.11.6-3+squeeze1 [38.8 kB]
Fetched 455 kB in 3s (120 kB/s)         
Preconfiguring packages ...
Selecting previously deselected package shorewall.
(Reading database ... 266807 files and directories currently installed.)
Unpacking shorewall (from .../shorewall_4.4.11.6-3+squeeze1_all.deb) ...
Selecting previously deselected package shorewall-common.
Unpacking shorewall-common (from .../shorewall-common_4.4.11.6-3+squeeze1_all.deb) ...
Selecting previously deselected package shorewall-shell.
Unpacking shorewall-shell (from .../shorewall-shell_4.4.11.6-3+squeeze1_all.deb) ...
Processing triggers for man-db ...
Setting up shorewall (4.4.11.6-3+squeeze1) ...
Setting up shorewall-common (4.4.11.6-3+squeeze1) ...
Setting up shorewall-shell (4.4.11.6-3+squeeze1) ...

Shorewall Configuration Files

All files are located in /etc/shorewall/ directory as follows:

  1. /etc/shorewall/shorewall.conf – Shorewall global configuration file.
  2. /etc/shorewall/interfaces – The interfaces file serves to define the firewall’s network interfaces to Shorewall.
  3. /etc/shorewall/policy – Shorewall policy file for connections between zones defined in /etc/shorewall/zones config file.
  4. /etc/shorewall/rules – Shorewall rules file.
  5. /etc/shorewall/zones – The /etc/shorewall/zones file declares your network zones. You specify the hosts in each zone through entries in /etc/shorewall/interfaces or /etc/shorewall/hosts.

Configuration

Turn on firewall by editing /etc/default/shorewall file, enter:
# vi /etc/default/shorewall
Set the startup varible to 1 in order to allow Shorewall to start:

startup=1

Save and close the file.

Step #1: Define network zones

Edit /etc/shorewall/zones, enter:
# vi /etc/shorewall/zones
Append the following code:

#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4

Where,

  • fw firewall – Zone name. Designates the firewall itself. You must have exactly one ‘firewall’ zone. No options are permitted with a ‘firewall’ zone. The name that you enter in the ZONE column will be stored in the shell variable $FW which you may use in other configuration files to designate the firewall zone.
  • net ipv4 – Zone name. This is the standard Shorewall zone.

Step #2: Create interfaces

Create a interface file as follows:
# vi /etc/shorewall/interfaces
Append the following code:

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          tcpflags,logmartians,nosmurfs
net     eth1            detect          dhcp
net     ppp+            detect          dhcp

Save and close the file. In this example I’ve defined the firewall’s network interfaces (eth0) to Shorewall.
Where,

  • net – net is zone for eth0 interface. Must match the name of a zone declared in /etc/shorewall/zones.
  • eth0 – eth0 interface for net zone.
  • detect – This is optional but uf you use the special value detect Shorewall will detect the broadcast address(es) for you if your iptables and kernel include Address Type match support.
  • tcpflags,logmartians,nosmurfs – A comma-separated list of options:
    • tcpflags – Packets arriving on this interface are checked for certain illegal combinations of TCP flags.
    • logmartians – Turn on kernel martian logging i.e. logging of packets with impossible source addresses. This is a must for system that act as a router.
    • nosmurfs – Filter packets for smurfs (packets with a broadcast address as the source)
    • dhcp – The interface gets its IP address via DHCP
  • net eth1 detect dhcp – eth1 is my net zone interface. This my wireless interface.
  • net ppp+ detect dhcp – ppp+ (ppp0, ppp1 and so on) is my net zone interface. This is used by pppd (e.g., pptp vpn client)

Step #3: Define shorewall policy

Edit /etc/shorewall/policy, enter:
# vi /etc/shorewall/policy
Append the code as follows:

#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
fw              all             ACCEPT
net             all             DROP            info
 
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

Where,

  • fw Firewall zone (i.e. machine itself).
  • net – Internet zone.
  • In this example, I’m allowing all traffic from firewall (machine). However, all traffic coming from net zone is dropped. In other words, I’m allowing all outgoing traffic from my desktop, but no incoming connections are allowed by default and logged at syslog level KERNEL.INFO.
  • The last line rejects / drops all connections and logged at level KERNEL.INFO.

Step #4: Open required ports (if any)

Edit /etc/shorewall/rules, enter:
# vi /etc/shorewall/rules
Append the following code:

#############################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
ACCEPT          net             $FW:192.168.1.5 TCP     9500
ACCEPT          net             $FW:192.168.1.5 UDP     9500
 
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP)      net             $FW

In this example, I’m accepting bittorrent traffic on TCP / UDP port # 9500 forwarded by ISP router. You can use the rule as follows to open smtp and ssh ports:

#Forward all ssh and http connection requests from the internet to local system 192.168.1.5
#ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL
#                                       PORT    PORT(S) DEST
ACCEPT  net     $FW:192.168.1.5 tcp     ssh,http

Save and close the file.

How do I start / stop / restart shoewall?

Use the following command:
/etc/init.d/shorewall start
/etc/shorewall/rules stop
/etc/shorewall/rules restart

How do I see currently loaded firewall rules?

# shorewall show | less
Sample outputs:

horewall 4.4.11.6 filter Table at wks01 - Sat Aug 18 03:19:49 IST 2012

Counters reset Sat Aug 18 03:18:53 IST 2012

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   23  3176 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW 
   29  3540 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ppp+_in    all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW 
    0     0 ppp+_fwd   all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   30  4184 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 fw2net     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 fw2net     all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain Drop (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 /* Auth */ 
    0     0 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 code 4 /* Needed ICMP types */ 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 /* Needed ICMP types */

How do I see the IP connections currently being tracked by the firewall?

# shorewall show connections

How do I see zones?

# shorewall show zones
Sample outputs:

Shorewall 4.4.11.6 Zones at wks01 - Sat Aug 18 03:21:30 IST 2012
 
fw (firewall)
net (ipv4)
   eth0:0.0.0.0/0
   eth1:0.0.0.0/0
   ppp+:0.0.0.0/0

How do I see firewall logs?

The hits command generates several reports from Shorewall log messages in the current log file:
# shorewall hits
Sample outputs:

Shorewall 4.4.11.6 Hits at wks01 - Sat Aug 18 03:23:09 IST 2012
 
   HITS IP	        DATE
   ---- --------------- ------
   3955 192.168.1.2     Aug 17
   2059 192.168.1.2     Aug 13
   1939 192.168.1.2     Aug 15
    960 192.168.1.2     Aug 14
    624 192.168.1.2     Aug 18
    592 192.168.1.2     Aug 16
    555 192.168.1.2     Aug 12
     21 192.168.1.10    Aug 18
     21 192.168.1.10    Aug 13
      1 209.133.67.35   Aug 17
 
   HITS IP	        PORT
   ---- --------------- -----
   4523 192.168.1.2     59092
   1955 192.168.1.2     41859
   1595 192.168.1.2     35511
    464 192.168.1.2     35351
    443 192.168.1.2     50015
    368 192.168.1.2     32827
    352 192.168.1.2     44954
    296 192.168.1.2     50840
    264 192.168.1.2     48698
    216 192.168.1.2     37711
    160 192.168.1.2     45371
     48 192.168.1.2     56431
     42 192.168.1.10    22
      1 209.133.67.35   0
 
   HITS DATE
   ---- ------
   3956 Aug 17
   2080 Aug 13
   1939 Aug 15
    960 Aug 14
    645 Aug 18
    592 Aug 16
    555 Aug 12
 
   HITS  PORT SERVICE(S)
   ---- ----- ----------
   4523 59092
   1955 41859
   1595 35511
    464 35351
    443 50015
    368 32827
    352 44954
    296 50840
    264 48698
    216 37711
    160 45371
     48 56431
     42    22 ssh

Conclusion

The shorewall firewall allows many more options and this quick tutorial just covered basic firewall settings. I recommend that you read shorewall man page for more information or visit the project website.

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
UP NEXT
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNCentOS 8 Debian 10 Firewall Ubuntu 20.04

ADVERTISEMENTS
4 comments… add one
  • guillermo Aug 21, 2012 @ 22:36

    This notes is not to shorewall 4.4 — stable at this moment & installed by default in debian wheezy

    Reply Link
  • Barlow Jan 17, 2013 @ 5:47

    Thanks, ive been searching for the proper information to get started with shorewall after years of no use. The debian config seems a bit harder than it needs to be just to get started. Not sure why the config files are not just located in the proper folder.

    Reply Link
  • Raf Mar 22, 2014 @ 19:21

    URGENT****

    I followed this tutorial and now i cant access my site, webmin control panel or ftp

    Except in this section for /etc/shorewall/rules:
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT net $FW:192.168.1.5 TCP 9500
ACCEPT net $FW:192.168.1.5 UDP 9500

# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP) net $FW

Instead of $FW:192.168.1.5 I put $FW:198.154.62.131

    after all that i ran /etc/init.d/shorewall start from command shell and it said [FAILED]

    then webmin access stopped working

    I need to know how to resolve this it seems i cant login via telent, ssh, ftp or webmin, i assume its something to do with the rules as thats the only one where i didnt just driectly copy from the tutorial above.

    Need urgent help thanks

    Reply Link
    • Anders Apr 25, 2017 @ 16:34

      Late, I know. But for others to see.
      You didn’t added access for ssh and http to the machine in your firewall.
      You should probably use ufw instead if you are not setting up firewall in a router. In a router shorewall are great, for single machines which doesn’t forward, ufw are great.

      #Forward all ssh and http connection requests from the internet to local system 192.168.1.5
      #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
      # PORT PORT(S) DEST
      ACCEPT net $FW:192.168.1.5 tcp ssh,http

      Reply Link

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.

Next FAQ:

Previous FAQ: