One of the design goals of Shorewall was that "it should be simple to do simple things". With that in mind, I've written this QuickStart guide to demonstrate how easy it is to configure common firewall setups.
This guide doesn't attempt to acquaint you with all of the features of Shorewall. It rather focuses on what is required to configure Shorewall in three common basic configurations. If you don't find what you are looking for in this Guide, check the Shorewall Documentation.
This guide assumes that you have the iproute/iproute2 package installed (on RedHat, the package is called iproute). You can tell if this package is installed by the presence of an ip program on your firewall system. As root, you can use the 'which' command to check for this program:
[root@gateway root]# which ip
/sbin/ip
[root@gateway root]#
After you have installed Shorewall, simply pick the sample configuration that best fits your needs and copy the files to /etc/shorewall. Next modify /etc/shorewall/interfaces and /etc/shorewall/masq to match your setup as described below. If you have servers, you will also need to modify /etc/shorewall/rules.
Available samples include:
- Standalone System
- Two-interface Masquerading Firewall
- Three-interface Masquerading Firewall with DMZ
All of these samples assume that you have a single external IP address - it may be static or dynamic. Configuring Shorewall with multiple external IP addresses is outside of the scope of this guide; see the Shorewall Documentation.
Do not try to install Shorewall on a remote system -- you will almost certainly end up not being able to communicate with that system.
The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple setups, you will only need to deal with a few of these as described in this guide. As each file is introduced, I suggest that you look through the actual file on your system -- each file contains detailed configuration instructions and default entries.
Shorewall views the network where it is running as being composed of a set of zones. In the sample configurations, the following zone names are used:
Name | Description             | One Interface | Two Interfaces | Three Interfaces
net  | The Internet            | X             | X              | X
loc  | Your Local Network      |               | X              | X
dmz  | Your demilitarized Zone |               |                | X
Shorewall also recognizes the firewall system as its own zone - by default, the firewall itself is known as fw although you can change that name in the /etc/shorewall/shorewall.conf file. As shown in the above table, not all zones are available with all sample configurations.
The simplest way to define a zone is to associate the zone with a network interface on your firewall system. You do that using the /etc/shorewall/interfaces file. So for a standalone system, you would associate your single network interface with net; on a two-interface firewall, you would associate one interface with net and one with loc; and on a three-interface firewall with DMZ, you would associate one interface with net, a second with loc and a third with dmz. The sample interfaces do this as follows:
Zone | Interface | One Interface | Two Interfaces | Three Interfaces
net  | eth0      | X             | X              | X
loc  | eth1      |               | X              | X
dmz  | eth2      |               |                | X
If your configuration doesn't match the sample then you will need to modify /etc/shorewall/interfaces.
Rules about what traffic to allow and what traffic to deny are expressed in terms of zones.
- You express your default policy for connections from one zone to another zone in the /etc/shorewall/policy file.
- You define exceptions to those default policies in the /etc/shorewall/rules file.
- The /etc/shorewall/rules file is also used to define port forwarding.
For each connection request entering the firewall, the request is first checked against the /etc/shorewall/rules file. If the connection request doesn't match any rule in that file, the first policy in /etc/shorewall/policy that matches the request is then applied. If the policy is DROP or REJECT then the connection request is passed through the rules in /etc/shorewall/common (the samples supply that file for you).
If you have more than one interface and you have a single external IP address you will need to use either IP masquerade (if your IP address is dynamic) or Source Network Address Translation (SNAT). Whichever applies, you will define it in /etc/shorewall/masq file. Note: This file is used to describe "many-to-one outbound NAT". Shorewall also supports one-to-one NAT using the /etc/shorewall/nat file but I recommend against one-to-one NAT in most applications unless you are willing to deal with the DNS issues involved. The two- and three-interface samples assume that you will be using IP masquerade as follows:
Traffic coming in on this interface | Will be masqueraded if it goes out this interface | Two Interfaces | Three Interfaces
eth1                                | eth0                                              | X              | X
eth2                                | eth0                                              |                | X
The detailed documentation for this file may be found here. Entries in this file have four columns:
Some examples:
Standalone system with ethernet interface to the internet.
net eth0 detect norfc1918,routefilter
Two interface system with eth0 connected to the local network and eth1 connected to the internet. eth1 gets its IP address via DHCP.
loc eth0 detect routestopped
net eth1 detect norfc1918,dhcp,routefilter
Three interface system with eth0 connected to the internet, eth1 connected to the DMZ and eth2 connected to the local network. eth0 gets its IP address via DHCP and the firewall runs a DHCP server for configuring local hosts (those connected to eth2).
net eth0 detect norfc1918,routefilter,dhcp
dmz eth1 detect routestopped
loc eth2 detect routestopped,dhcp
At this point, please edit /etc/shorewall/interfaces to match your setup.
If your primary internet interface uses PPPoE, PPP or PPTP then you will want to set CLAMPMSS=yes in /etc/shorewall/shorewall.conf.
The /etc/shorewall/policy file documentation is here. I recommend the following (which are in the standalone sample):
Standalone system:
fw net ACCEPT
all all DROP info
So by default, all connection requests from your firewall to the internet are accepted (allowed) and all other connection requests (i.e., those from the internet to your firewall) are dropped (ignored).
Two and three interface firewalls:
loc net ACCEPT
net all DROP info
all all REJECT info
If you want your firewall system to have full access to servers on the internet, add the following rule before the last rule above (Note -- in the two- and three-interface samples, the line below is included but commented out).
fw net ACCEPT
The above policy will:
At this point, edit your /etc/shorewall/policy and make any changes that you wish.
The /etc/shorewall/masq file (documentation here) describes output many-to-one source Network Address Translation.
If you have a static external IP address (assume 206.124.146.176 in these examples), then:
Two interface firewall with eth0 interfacing to the internet and eth1 interfacing to the local network:
eth0 eth1 206.124.146.176
Three interface firewall with eth0 interfacing to the internet, eth1 interfacing to the DMZ and eth2 interfacing to the local network:
eth0 eth1 206.124.146.176
eth0 eth2 206.124.146.176
If you have a dynamic internet IP address, simply omit the third column! So for the two interface firewall, your /etc/shorewall/masq file would have:
eth0 eth1
If you don't want to use IP masquerade or SNAT (two- and three-interface samples), simply delete the entry/entries from /etc/shorewall/masq.
At this point, edit your /etc/shorewall/masq file and change it to match your configuration.
The rules file (documentation here) is probably the most important of the Shorewall configuration files.
The general simplified format for an ACCEPT rule that doesn't involve port forwarding is:
ACCEPT <source zone> <dest zone>[:<server IP address>] <protocol> <port(s)>
Here are some rules that I recommend that everyone use (and that I've included in the samples):
ACCEPT fw net udp 53 # Accept DNS queries from your firewall to the internet
ACCEPT fw net tcp 53 # " " " " " " " " "
You can omit these rules if your firewall to net policy is ACCEPT (In other words, if you uncommented the appropriate line in the policy file as described above).
If you have three interfaces with a DMZ, you probably need DNS access to the net from your DMZ. To permit that, I've included:
ACCEPT dmz net udp 53
ACCEPT dmz net tcp 53
If you run servers on your firewall system that you want to make accessible to internet clients, you need to include rules to permit that access (note that the default policy for net->fw in the policy file above is DROP which causes all inbound traffic to be ignored by default). For example, if you have a web server running on your firewall system, you would include the following rule:
ACCEPT net fw tcp 80
With multiple local zones, you will probably want to open some ports between these zones.
Example - You have server system 192.168.2.2 in your DMZ and you want to be able to access its FTP server from your local systems:
ACCEPT loc dmz:192.168.2.2 tcp ftp
For FTP to work properly, you will need kernel support for FTP connection tracking and NAT, but all commercial 2.4 kernels have such support built in.
If you don't know which protocol and/or port that one of your applications uses, try looking here.
When you are using many-to-one network address translation outbound (IP masquerade or SNAT) and you want to allow connections from the internet to an internal server (either in your local zone or in your DMZ), then you need to use port forwarding (also known as Destination Network Address Translation or DNAT). Inbound connection requests are selectively forwarded to internal systems based on rules that you supply.
The general form of a simple port forwarding rule in /etc/shorewall/rules is:
DNAT net <server zone>:<server local ip address> <protocol> <port>
Example - you run a Web Server on your local zone at 192.168.1.5 and you want to forward incoming TCP port 80 to that system. You have a single external IP address:
DNAT net loc:192.168.1.5 tcp 80
Example - you want to forward TCP port 80 to 192.168.2.4 in your DMZ and you want to allow access to that server from your local zone:
DNAT net dmz:192.168.2.4 tcp 80
ACCEPT loc dmz:192.168.2.4 tcp 80
If you have a static IP address (assume 206.124.146.176) and you want your local clients to be able to access your web server using that external address, you can use these entries instead:
DNAT net dmz:192.168.2.4 tcp 80
DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176
Example - You have a static external IP address (206.124.146.176) and you have DNS set up so that www.yourdomain.com resolves to that address. You want to run a web server in your local network (I think that this is a BAD IDEA -- see FAQ 2) on system 192.168.1.4 and you want internet users and your local users to be able to access www.yourdomain.com. Your firewall's internal IP address is 192.168.1.254 and is on eth1.
DNAT net loc:192.168.1.4 tcp 80
DNAT loc loc:192.168.1.4 tcp 80 - 206.124.146.176:192.168.1.254
In addition, you must specify the multi option on eth1 in /etc/shorewall/interfaces:
loc eth1 detect routestopped,multi
If you have requirements for port forwarding beyond what is shown here (like forwarding to a different port number or redirecting to a proxy), see the rules file documentation.
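The evaluation order described earlier (a connection request is checked against /etc/shorewall/rules first, and only if no rule matches does the first matching line in /etc/shorewall/policy decide) is easy to get wrong when ACCEPT rules, DNAT rules with an ORIGINAL DEST column and zone-wide policies are mixed. The following Python model, added here as an example and not Shorewall's own code, parses the simplified rule and policy syntax used in this guide and applies that order to a few constructed connection requests. It assumes the firewall zone is named fw (the default), that a DNAT rule with no ORIGINAL DEST column applies to traffic addressed to the firewall's own external address, and it does not model /etc/shorewall/common; the service-name table and the sample rule and policy files are constructed from the lines shown in this guide.

```python
"""Model of the evaluation order described in this guide: rules first, then
the first matching policy.  Added example, not Shorewall's own code.
Assumptions: the firewall zone is named "fw" (the default); a DNAT rule with
no ORIGINAL DEST column applies to traffic addressed to the firewall's own
external address; /etc/shorewall/common (which DROP and REJECT verdicts still
pass through in Shorewall) is not modelled."""
from dataclasses import dataclass
from typing import Optional

# Constructed subset of /etc/services, enough for the rules in this guide.
SERVICE_PORTS = {"ftp": 21, "domain": 53, "http": 80}

# Constructed sample files built from rule and policy lines in this guide:
# three-interface firewall, web server 192.168.2.4 and FTP server 192.168.2.2
# in the DMZ, static external address 206.124.146.176.
RULES = """
ACCEPT fw net udp 53      # DNS queries from the firewall to the internet
ACCEPT dmz net udp 53     # DNS queries from the DMZ to the internet
ACCEPT loc dmz:192.168.2.2 tcp ftp
DNAT net dmz:192.168.2.4 tcp 80
DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176
"""
POLICIES = """
loc net ACCEPT
net all DROP info
all all REJECT info
"""

@dataclass(frozen=True)
class Request:
    """A connection request as it enters the firewall, before any DNAT."""
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    dst_ip: Optional[str] = None

@dataclass(frozen=True)
class Verdict:
    action: str                   # ACCEPT, DROP, REJECT or DNAT
    matched_by: str               # "rule" or "policy"
    line: str                     # the configuration line that decided
    dnat_to: Optional[str] = None
    log_level: Optional[str] = None

def _port(token: str) -> int:
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)

def _lines(text: str) -> list:
    # Configuration lines with comments and blank lines removed.
    return [l for l in (raw.split("#", 1)[0].strip() for raw in text.splitlines()) if l]

def parse_rules(text: str) -> list:
    """Parse ACTION <src zone> <dest zone>[:<ip>] <proto> <port> [- <orig dest>]."""
    rules = []
    for line in _lines(text):
        f = line.split()
        dst_zone, _, dst_ip = f[2].partition(":")
        # Column 7 is ORIGINAL DEST; anything after its ':' (the address to
        # SNAT from, used in the guide's last example) is ignored here.
        orig = f[6].partition(":")[0] if len(f) > 6 and f[6] != "-" else None
        rules.append({"action": f[0].upper(), "src": f[1], "dst": dst_zone,
                      "dst_ip": dst_ip or None, "proto": f[3].lower(),
                      "port": _port(f[4]), "orig_dst": orig, "line": line})
    return rules

def parse_policies(text: str) -> list:
    """Parse <src zone> <dest zone> <policy> [<log level>]."""
    policies = []
    for line in _lines(text):
        f = line.split()
        policies.append({"src": f[0], "dst": f[1], "policy": f[2].upper(),
                         "log": f[3] if len(f) > 3 else None, "line": line})
    return policies

def _rule_matches(r: dict, req: Request) -> bool:
    if (r["src"], r["proto"], r["port"]) != (req.src_zone, req.proto.lower(), req.port):
        return False
    if r["action"] == "DNAT":
        # The pre-translation packet is addressed to the firewall, so DEST names
        # the server's zone; only ORIGINAL DEST narrows which address is meant.
        if r["orig_dst"] is not None:
            return req.dst_ip == r["orig_dst"]
        return req.dst_zone == "fw"
    return r["dst"] == req.dst_zone and r["dst_ip"] in (None, req.dst_ip)

def evaluate(req: Request, rules: list, policies: list) -> Verdict:
    """Rules are consulted first; if none matches, the first matching policy applies."""
    for r in rules:
        if _rule_matches(r, req):
            return Verdict(r["action"], "rule", r["line"],
                           dnat_to=r["dst_ip"] if r["action"] == "DNAT" else None)
    for p in policies:
        if p["src"] in ("all", req.src_zone) and p["dst"] in ("all", req.dst_zone):
            return Verdict(p["policy"], "policy", p["line"], log_level=p["log"])
    raise ValueError("no policy matched; the samples end with 'all all REJECT'")

if __name__ == "__main__":
    rules, policies = parse_rules(RULES), parse_policies(POLICIES)
    print(evaluate(Request("net", "fw", "tcp", 80, "206.124.146.176"), rules, policies))
```

Two results are worth checking by hand: a request from the local zone to the firewall's internal address 192.168.1.254 on port 80 is not matched by the loc DNAT rule (its ORIGINAL DEST column restricts it to 206.124.146.176) and falls through to the "all all REJECT" policy, and a request from the firewall itself to the internet on any port other than 53 is also rejected because the "fw net ACCEPT" policy line is commented out in the two- and three-interface samples.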
At this point, please edit the /etc/shorewall/rules file and make any additions required by your setup.
You are now ready to start shorewall. If you encounter problems, see the troubleshooting information.
The firewall is started using the "shorewall start" command and stopped using "shorewall stop". When the firewall is stopped, routing is enabled on those interfaces that have the "routestopped" option specified in /etc/shorewall/interfaces. If you want to totally remove any trace of Shorewall from your Netfilter configuration, use "shorewall clear".