I know how to set up a firewall under RHEL / Fedora and CentOS Linux quickly. How do I set up a host-based firewall under a Debian or Ubuntu Linux server or desktop system? How do I install the Shoreline Firewall (Shorewall) utility to build a Netfilter-based firewall under Debian or Ubuntu Linux?
Shorewall is an open source tool for Linux that builds on iptables. It makes more complex configurations easier to manage by providing a higher level of abstraction: you describe zones, interfaces, policies and rules in plain text files, and Shorewall compiles them into an iptables ruleset. Shorewall is mainly used to protect a DMZ, a LAN, or dedicated servers powered by Debian or Ubuntu Linux, but you can also use it to protect a single computer or laptop.
How do I install shorewall?
Type the following command as root user:
# apt-get install shorewall shorewall-common shorewall-shell
Sample outputs:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  shorewall shorewall-common shorewall-shell
0 upgraded, 3 newly installed, 0 to remove and 12 not upgraded.
Need to get 455 kB of archives.
After this operation, 2,052 kB of additional disk space will be used.
Get:1 http://debian.osuosl.org/debian/ squeeze/main shorewall all 4.4.11.6-3+squeeze1 [378 kB]
Get:2 http://debian.osuosl.org/debian/ squeeze/main shorewall-common all 4.4.11.6-3+squeeze1 [38.8 kB]
Get:3 http://debian.osuosl.org/debian/ squeeze/main shorewall-shell all 4.4.11.6-3+squeeze1 [38.8 kB]
Fetched 455 kB in 3s (120 kB/s)
Preconfiguring packages ...
Selecting previously deselected package shorewall.
(Reading database ... 266807 files and directories currently installed.)
Unpacking shorewall (from .../shorewall_4.4.11.6-3+squeeze1_all.deb) ...
Selecting previously deselected package shorewall-common.
Unpacking shorewall-common (from .../shorewall-common_4.4.11.6-3+squeeze1_all.deb) ...
Selecting previously deselected package shorewall-shell.
Unpacking shorewall-shell (from .../shorewall-shell_4.4.11.6-3+squeeze1_all.deb) ...
Processing triggers for man-db ...
Setting up shorewall (4.4.11.6-3+squeeze1) ...
Setting up shorewall-common (4.4.11.6-3+squeeze1) ...
Setting up shorewall-shell (4.4.11.6-3+squeeze1) ...
Shorewall Configuration Files
All configuration files live in the /etc/shorewall/ directory:
- /etc/shorewall/shorewall.conf – Shorewall global configuration file.
- /etc/shorewall/interfaces – The interfaces file serves to define the firewall’s network interfaces to Shorewall.
- /etc/shorewall/policy – Shorewall policy file for connections between zones defined in /etc/shorewall/zones config file.
- /etc/shorewall/rules – Shorewall rules file.
- /etc/shorewall/zones – The /etc/shorewall/zones file declares your network zones. You specify the hosts in each zone through entries in /etc/shorewall/interfaces or /etc/shorewall/hosts.
Configuration
Enable the firewall by editing the /etc/default/shorewall file:
# vi /etc/default/shorewall
Set the startup variable to 1 so that Shorewall is allowed to start:
startup=1
Save and close the file.
Step #1: Define network zones
Edit /etc/shorewall/zones, enter:
# vi /etc/shorewall/zones
Append the following code:
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
Where,
- fw firewall – Zone name. Designates the firewall itself. You must have exactly one ‘firewall’ zone. No options are permitted with a ‘firewall’ zone. The name that you enter in the ZONE column will be stored in the shell variable $FW which you may use in other configuration files to designate the firewall zone.
- net ipv4 – The net zone, of type ipv4. This is the standard zone type; the zone covers all hosts reached through the interfaces you assign to it in /etc/shorewall/interfaces.
Step #2: Create interfaces
Edit the interfaces file:
# vi /etc/shorewall/interfaces
Append the following code:
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          tcpflags,logmartians,nosmurfs
net     eth1            detect          dhcp
net     ppp+            detect          dhcp
Save and close the file. In this example I've defined three network interfaces (eth0, eth1 and ppp+) to Shorewall, all of them in the net zone.
Where,
- net – net is zone for eth0 interface. Must match the name of a zone declared in /etc/shorewall/zones.
- eth0 – eth0 interface for net zone.
- detect – This is optional, but if you use the special value detect Shorewall will detect the broadcast address(es) for you if your iptables and kernel include Address Type match support.
- tcpflags,logmartians,nosmurfs – A comma-separated list of options:
- tcpflags – Packets arriving on this interface are checked for certain illegal combinations of TCP flags.
- logmartians – Turn on kernel martian logging, i.e. logging of packets with impossible source addresses. This is a must for systems that act as routers.
- nosmurfs – Filter packets for smurfs (packets with a broadcast address as the source)
- dhcp – The interface gets its IP address via DHCP
- net eth1 detect dhcp – eth1 is my net zone interface. This is my wireless interface.
- net ppp+ detect dhcp – ppp+ (ppp0, ppp1 and so on) is my net zone interface. This is used by pppd (e.g., pptp vpn client)
Step #3: Define shorewall policy
Edit /etc/shorewall/policy, enter:
# vi /etc/shorewall/policy
Append the code as follows:
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
fw      all     ACCEPT
net     all     DROP    info
# The FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
Where,
- fw Firewall zone (i.e. machine itself).
- net – Internet zone.
- In this example I'm allowing all traffic from the firewall (the machine itself). All traffic coming from the net zone is dropped and logged at syslog level KERNEL.INFO. In other words, all outgoing traffic from my desktop is allowed, but no incoming connections are accepted by default. Note that this also covers ssh to the machine itself: if you are configuring a remote server over ssh, add the ssh rule in the next step before you start Shorewall, or the restart will cut you off.
- The last line rejects everything not matched by an earlier policy and logs it at KERNEL.INFO. It must stay last, because Shorewall evaluates the policy file in order and the first match wins.
Step #4: Open required ports (if any)
Edit /etc/shorewall/rules, enter:
# vi /etc/shorewall/rules
Append the following code:
#############################################################################################################
#ACTION SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/   MARK
#                                               PORT    PORT(S) DEST            LIMIT   GROUP
ACCEPT  net     $FW:192.168.1.5         TCP     9500
ACCEPT  net     $FW:192.168.1.5         UDP     9500
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP)      net     $FW
In this example I'm accepting BitTorrent traffic on TCP / UDP port 9500, which my ISP router forwards to this machine (192.168.1.5). $FW:192.168.1.5 means "the firewall itself, on that address"; these rules accept traffic into the firewall host, they are not port forwards to another host (that would need DNAT). To open the ssh and http ports in the same way, use:
#Accept ssh and http connection requests from the internet to this system (192.168.1.5)
#ACTION SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL
#                                               PORT    PORT(S) DEST
ACCEPT  net     $FW:192.168.1.5         tcp     ssh,http
Save and close the file.
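To catch the lockout a reader reports in the comments below before it happens, here is a small checker over the four files from steps 1 to 4. It is an added example, not code from this article or from the Shorewall project, and it is not a substitute for shorewall check: it only re-implements the handful of checks you want before restarting a remote box (exactly one firewall zone, every referenced zone declared, the all all policy last, and an explicit ACCEPT for tcp/22 from any zone whose policy toward the firewall is DROP or REJECT). The config strings are the article's own files embedded inline, RULES_WITH_SSH is a constructed fix, and the helper names (lint, accepts_ssh, effective_policy) are mine.

```python
"""Sanity checks for the Shorewall files built in steps 1 to 4. This is an
added example, not the article's code and not Shorewall's own `shorewall
check`; it covers the handful of checks you want before restarting the
firewall on a remote box. The four config strings are the article's files,
embedded so the script runs offline; RULES_WITH_SSH is a constructed fix."""

ZONES = """\
fw      firewall
net     ipv4
"""
INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,logmartians,nosmurfs
net     eth1        detect      dhcp
net     ppp+        detect      dhcp
"""
POLICY = """\
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info
"""
RULES = """\
ACCEPT  net     $FW:192.168.1.5     TCP     9500
ACCEPT  net     $FW:192.168.1.5     UDP     9500
Ping(DROP)      net     $FW
"""
RULES_WITH_SSH = RULES + "ACCEPT  net     $FW     tcp     ssh,http\n"  # the line the article omits
SSH_PORT_TOKENS = {"22", "ssh"}


def parse(text):
    """Rows of whitespace-separated columns; comments and blank lines are ignored, as Shorewall does."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def zone_of(field, fw):
    """'$FW:192.168.1.5' -> the firewall zone, 'net:eth0' -> 'net', 'all' -> 'all'."""
    zone = field.split(":", 1)[0]
    return fw if zone == "$FW" else zone


def effective_policy(policy, src, dst):
    """First matching policy row wins, which is how Shorewall evaluates the file."""
    for row in policy:
        if len(row) >= 3 and row[0] in (src, "all") and row[1] in (dst, "all"):
            return row[2].split(":", 1)[0].upper()
    return None


def accepts_ssh(rules, src, dst):
    """True if some ACCEPT rule admits TCP port 22 from src to dst."""
    for row in rules:
        if len(row) < 5:
            continue  # macro calls such as Ping(DROP) carry no port column
        action = row[0].split(":", 1)[0].split("(", 1)[0].upper()
        if (action == "ACCEPT" and row[1] in (src, "all") and row[2] in (dst, "all")
                and row[3].lower() == "tcp"):
            if {p.strip().lower() for p in row[4].split(",")} & SSH_PORT_TOKENS:
                return True
    return False


def lint(zones_txt, interfaces_txt, policy_txt, rules_txt):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    zones = parse(zones_txt)
    declared = {z[0] for z in zones}
    fw_zones = [z[0] for z in zones if len(z) > 1 and z[1] == "firewall"]
    if len(fw_zones) != 1:
        problems.append("zones: exactly one zone of TYPE firewall is required, found %d" % len(fw_zones))
    fw = fw_zones[0] if fw_zones else "fw"
    for row in parse(interfaces_txt):
        if row[0] not in declared:
            problems.append("interfaces: zone '%s' on %s is not declared in zones" % (row[0], row[1]))
    policy = [[zone_of(r[0], fw), zone_of(r[1], fw)] + r[2:] for r in parse(policy_txt) if len(r) >= 2]
    rules = [[r[0], zone_of(r[1], fw), zone_of(r[2], fw)] + r[3:] for r in parse(rules_txt) if len(r) >= 3]
    for name, rows in (("policy", policy), ("rules", rules)):
        for z in {c for r in rows for c in (r[:2] if name == "policy" else r[1:3])}:
            if z != "all" and z not in declared:
                problems.append("%s: zone '%s' is not declared in zones" % (name, z))
    for i, row in enumerate(policy):
        if row[:2] == ["all", "all"] and i != len(policy) - 1:
            problems.append("policy: the 'all all' entry must be last; later entries are never reached")
    if not policy or policy[-1][:2] != ["all", "all"]:
        problems.append("policy: no catch-all 'all all' entry at the end of the file")
    # Lockout check: a DROP/REJECT policy toward the firewall with no ssh ACCEPT
    # is exactly what cuts off remote administration on the next restart.
    for z in sorted(declared - {fw}):
        pol = effective_policy(policy, z, fw)
        if pol in ("DROP", "REJECT") and not accepts_ssh(rules, z, fw):
            problems.append("lockout: %s->%s policy is %s and no rule ACCEPTs tcp/22 from %s" % (z, fw, pol, z))
    return problems
```

lint(ZONES, INTERFACES, POLICY, RULES) returns the single lockout warning (the net->fw policy is DROP and nothing accepts tcp/22); with RULES_WITH_SSH it returns an empty list. The checks mirror how Shorewall reads the policy file (first match wins, so the all all entry must be last) but look only at these four files; shorewall check remains the real compile step.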
How do I start / stop / restart Shorewall?
Use the following commands:
/etc/init.d/shorewall start
/etc/init.d/shorewall stop
/etc/init.d/shorewall restart
Before restarting over ssh, run shorewall check to compile the configuration without loading it. If you want a safety net, shorewall try /etc/shorewall 60 loads the configuration and, when the start succeeds, restores the previous firewall state after 60 seconds; if your ssh session survives the trial, restart for real. Note that shorewall stop does not open the machine up: it puts the firewall into the stopped state, where only traffic permitted by /etc/shorewall/routestopped gets through. shorewall clear removes all rules and leaves the firewall wide open.
How do I see currently loaded firewall rules?
# shorewall show | less
Sample outputs:
Shorewall 4.4.11.6 filter Table at wks01 - Sat Aug 18 03:19:49 IST 2012

Counters reset Sat Aug 18 03:18:53 IST 2012

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  3176 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW
   29  3540 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ppp+_in    all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW
    0     0 ppp+_fwd   all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   30  4184 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 fw2net     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 fw2net     all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain Drop (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 /* Auth */
    0     0 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 code 4 /* Needed ICMP types */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 /* Needed ICMP types */
How do I see the IP connections currently being tracked by the firewall?
# shorewall show connections
How do I see zones?
# shorewall show zones
Sample outputs:
Shorewall 4.4.11.6 Zones at wks01 - Sat Aug 18 03:21:30 IST 2012

fw (firewall)
net (ipv4)
   eth0:0.0.0.0/0
   eth1:0.0.0.0/0
   ppp+:0.0.0.0/0
How do I see firewall logs?
The hits command generates several reports from Shorewall log messages in the current log file:
# shorewall hits
Sample outputs:
Shorewall 4.4.11.6 Hits at wks01 - Sat Aug 18 03:23:09 IST 2012

    HITS IP              DATE
    ---- --------------- ------
    3955 192.168.1.2     Aug 17
    2059 192.168.1.2     Aug 13
    1939 192.168.1.2     Aug 15
     960 192.168.1.2     Aug 14
     624 192.168.1.2     Aug 18
     592 192.168.1.2     Aug 16
     555 192.168.1.2     Aug 12
      21 192.168.1.10    Aug 18
      21 192.168.1.10    Aug 13
       1 209.133.67.35   Aug 17

    HITS IP              PORT
    ---- --------------- -----
    4523 192.168.1.2     59092
    1955 192.168.1.2     41859
    1595 192.168.1.2     35511
     464 192.168.1.2     35351
     443 192.168.1.2     50015
     368 192.168.1.2     32827
     352 192.168.1.2     44954
     296 192.168.1.2     50840
     264 192.168.1.2     48698
     216 192.168.1.2     37711
     160 192.168.1.2     45371
      48 192.168.1.2     56431
      42 192.168.1.10    22
       1 209.133.67.35   0

    HITS DATE
    ---- ------
    3956 Aug 17
    2080 Aug 13
    1939 Aug 15
     960 Aug 14
     645 Aug 18
     592 Aug 16
     555 Aug 12

    HITS PORT  SERVICE(S)
    ---- ----- ----------
    4523 59092
    1955 41859
    1595 35511
     464 35351
     443 50015
     368 32827
     352 44954
     296 50840
     264 48698
     216 37711
     160 45371
      48 56431
      42 22    ssh
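The hits report is nothing more than an aggregation of the kernel LOG lines that the REJECT and DROP policies above emit. The following script rebuilds that aggregation from raw syslog text, which is handy when you want the same tables from a rotated log or a central syslog server. It is an added example, not the article's text and not Shorewall's own hits implementation; the log lines are constructed (they carry the Shorewall:INPUT:REJECT: prefix seen in the shorewall show output above, followed by the standard netfilter LOG field layout), and the SERVICES table is a constructed subset of /etc/services.

```python
"""Aggregate Shorewall log messages the way the `shorewall hits` report does
(counts per source IP and date, per source IP and destination port, per date,
per port). Added example, not the article's text and not Shorewall's own hits
implementation. The log lines are constructed; they carry the LOG prefix from
the `shorewall show` output above (Shorewall:INPUT:REJECT:) followed by the
standard netfilter LOG field layout."""
import re
from collections import Counter

SAMPLE_LOG = """\
Aug 17 10:01:02 wks01 kernel: [ 1234.567890] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:1d:7e:ab:cd:ef:08:00 SRC=192.168.1.2 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31337 DF PROTO=TCP SPT=41859 DPT=59092 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 17 10:01:03 wks01 kernel: [ 1235.001122] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:1d:7e:ab:cd:ef:08:00 SRC=192.168.1.2 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31338 DF PROTO=TCP SPT=41860 DPT=59092 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 17 11:00:00 wks01 kernel: [ 4777.000000] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:1d:7e:ab:cd:ef:08:00 SRC=209.133.67.35 DST=192.168.1.5 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
Aug 17 11:00:01 wks01 sshd[2201]: Accepted publickey for root from 192.168.1.10 port 50001 ssh2
Aug 18 03:00:00 wks01 kernel: [62345.123456] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:1d:7e:ab:cd:ef:08:00 SRC=192.168.1.10 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=50002 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, "kernel:", optional printk timestamp, then the Shorewall prefix
LOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \S+ \S+ kernel: (?:\[ *[\d.]+\] )?"
    r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)$")

SERVICES = {22: "ssh", 80: "http", 443: "https"}  # constructed subset of /etc/services


def parse_line(line):
    """Return a dict for a Shorewall LOG line, or None for anything else in syslog."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # netfilter LOG fields are KEY=VALUE tokens; bare flags such as DF and SYN carry no '='
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "date": "%s %s" % (m.group("month"), m.group("day")),
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "src": fields.get("SRC"),
        "proto": fields.get("PROTO"),
        "dport": int(fields.get("DPT", 0)),  # ICMP has no DPT; the report shows port 0
    }


def hits(log_text):
    """Count log hits the way `shorewall hits` tabulates them."""
    by_ip_date, by_ip_port, by_date, by_port = Counter(), Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_ip_date[(rec["src"], rec["date"])] += 1
        by_ip_port[(rec["src"], rec["dport"])] += 1
        by_date[rec["date"]] += 1
        by_port[rec["dport"]] += 1
    return {"by_ip_date": by_ip_date, "by_ip_port": by_ip_port,
            "by_date": by_date, "by_port": by_port}


def format_report(counts):
    """Render the four tables in the same shape as the `shorewall hits` output."""
    out = ["    HITS IP              DATE", "    ---- --------------- ------"]
    for (ip, date), n in counts["by_ip_date"].most_common():
        out.append("%8d %-15s %s" % (n, ip, date))
    out += ["", "    HITS IP              PORT", "    ---- --------------- -----"]
    for (ip, port), n in counts["by_ip_port"].most_common():
        out.append("%8d %-15s %d" % (n, ip, port))
    out += ["", "    HITS DATE", "    ---- ------"]
    for date, n in counts["by_date"].most_common():
        out.append("%8d %s" % (n, date))
    out += ["", "    HITS PORT  SERVICE(S)", "    ---- ----- ----------"]
    for port, n in counts["by_port"].most_common():
        out.append("%8d %-5d %s" % (n, port, SERVICES.get(port, "")))
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(hits(SAMPLE_LOG)))
```

Run it as a script to print the four tables for the constructed sample, or feed it a real file with hits(open("/var/log/kern.log").read()). The regex keys on the Shorewall:CHAIN:DISPOSITION: prefix, so lines from other daemons (the sshd line in the sample) are skipped rather than miscounted, and the ICMP line lands on port 0 exactly as in the report above.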
Conclusion
Shorewall offers many more options; this quick tutorial only covered basic firewall settings. I recommend that you read the shorewall man page for more information or visit the project website.
These notes are not for shorewall 4.4 — stable at this moment & installed by default in Debian wheezy.
Thanks, I've been searching for the proper information to get started with shorewall after years of no use. The Debian config seems a bit harder than it needs to be just to get started. Not sure why the config files are not just located in the proper folder.
URGENT****
I followed this tutorial and now I can't access my site, webmin control panel or ftp.
After all that I ran /etc/init.d/shorewall start from the command shell and it said [FAILED].
Then webmin access stopped working.
I need to know how to resolve this. It seems I can't log in via telnet, ssh, ftp or webmin; I assume it's something to do with the rules, as that's the only one where I didn't just directly copy from the tutorial above.
Need urgent help, thanks
Late, I know. But for others to see.
You didn't add access for ssh and http to the machine in your firewall.
You should probably use ufw instead if you are not setting up a firewall on a router. On a router Shorewall is great; for single machines which don't forward, ufw is great.
#Forward all ssh and http connection requests from the internet to local system 192.168.1.5
#ACTION SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL
#                                               PORT    PORT(S) DEST
ACCEPT  net     $FW:192.168.1.5         tcp     ssh,http