diff --git a/Shorewall-docs/standalone.htm b/Shorewall-docs/standalone.htm deleted file mode 100644 index dbbc6cd5d..000000000 --- a/Shorewall-docs/standalone.htm +++ /dev/null @@ -1,374 +0,0 @@ - - -
- - - - -Setting up Shorewall on a standalone Linux system is -very easy if you understand the basics and follow the documentation.
-This guide doesn't attempt to acquaint you with all of the features -of Shorewall. It rather focuses on what is required to configure -Shorewall in one of its most common configurations:
-Shorewall requires that you have the iproute/iproute2 package -installed (on RedHat, the package is called iproute). You -can tell if this package is installed by the presence of an ip -program -on your firewall system. As root, you can use the 'which' command to -check for this program:
-[root@gateway root]# which ip-
/sbin/ip
[root@gateway root]#
I recommend that you read through the guide first to familiarize -yourself with what's involved then go back through it again making your -configuration changes. Points at which configuration changes are -recommended are -flagged with .
-- If you edit your configuration files on a Windows -system, -you must save them as Unix files if your editor supports that option -or you must run them through dos2unix before trying to use them. -Similarly, -if you copy a configuration file from your Windows hard drive to a -floppy disk, you must run dos2unix against the copy before using it -with Shorewall.
- -The configuration files for Shorewall are -contained in the directory /etc/shorewall -- for simple setups, you -only need to deal with a few of these as described in this guide. After -you have installed Shorewall, download -the one-interface -sample, un-tar it (tar -zxvf one-interface.tgz) and and copy the -files to /etc/shorewall (they will replace files with the same names -that were placed in /etc/shorewall during Shorewall installation).
-As each file is introduced, I suggest that you look through the -actual file on your system -- each file contains detailed configuration -instructions and default entries.
-Shorewall views the network where it is running as being composed of -a set of zones. In the one-interface sample configuration, only -one zone is defined:
-Name | -Description | -
net | -The Internet | -
Shorewall zones are defined in -/etc/shorewall/zones.
-Shorewall also recognizes the firewall system as its own zone - by -default, the firewall itself is known as fw.
-Rules about what traffic to allow and what traffic to deny are -expressed in terms of zones.
-For each connection request entering the firewall, the request is
-first checked against the /etc/shorewall/rules file. If no rule in that
-file matches the connection request then the first policy in
-/etc/shorewall/policy that matches the request is applied. If that
-policy is REJECT or DROP the request is first checked against the
-rules in /etc/shorewall/common if that file exists; otherwise the rules
-in /etc/shorewall/common.def are checked.
-
The /etc/shorewall/policy file included with the one-interface -sample -has the following policies:
---- -
-- -SOURCE ZONE -DESTINATION ZONE -POLICY -LOG LEVEL -LIMIT:BURST -- -fw -net -ACCEPT -- - - -net -all -
-DROP -info -- - - -all -all -REJECT -info --
The above policy will:
-At this point, edit your /etc/shorewall/policy and make any changes -that you wish.
-The firewall has a single network interface. Where -Internet connectivity is through a cable or DSL "Modem", the External -Interface will be the ethernet adapter (eth0) that is -connected to that "Modem" unless you connect via Point-to-Point -Protocol over Ethernet (PPPoE) or Point-to-Point -Tunneling Protocol (PPTP) in which case the -External Interface will be a ppp0. If you connect via a regular -modem, your External Interface will also be ppp0. If you -connect using ISDN, your external interface will be ippp0.
-The Shorewall one-interface sample -configuration assumes that the external interface is eth0. If -your configuration is different, you will have to modify the sample -/etc/shorewall/interfaces file accordingly. While you are there, you -may wish to review the list of options that are specified for the -interface. Some hints:
-If your external interface is ppp0 or ippp0, -you can replace the "detect" in the second column with "-".
-If your external interface is ppp0 or ippp0
-or if you have a static IP address, you can remove "dhcp" from the
-option list.
-
RFC 1918 reserves several Private IP address -ranges for use in private networks:
-10.0.0.0 - 10.255.255.255-
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
These addresses are sometimes referred to as non-routable -because the Internet backbone routers will not forward a packet whose -destination address is reserved by RFC 1918. In some cases though, -ISPs are assigning these addresses then using Network Address -Translation to rewrite packet headers when forwarding to/from the -internet.
-Before starting -Shorewall, you should look at the IP address of your external interface -and if it is one of the above ranges, you should remove the 'norfc1918' -option from the entry in /etc/shorewall/interfaces.
-If you wish to enable connections from the internet to -your firewall, the general format is:
---- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE PORT -ORIGINAL ADDRESS -- - -ACCEPT -net -fw -<protocol> -<port> -- -
Example - You want to run a Web Server and a POP3 -Server -on your firewall system:
---- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE PORT -ORIGINAL ADDRESS -- -ACCEPT -net -fw -tcp -80 -- - - - -ACCEPT -net -fw -tcp -110 -- -
If you don't know what port and protocol a particular -application uses, see here.
-Important: I don't recommend enabling telnet -to/from the internet because it uses clear text (even for login!). If -you -want shell access to your firewall from the internet, use SSH:
---- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE PORT -ORIGINAL ADDRESS -- - -ACCEPT -net -fw -tcp -22 -- -
At this point, edit -/etc/shorewall/rules to add other connections as desired.
- The installation
-procedure configures your system to start Shorewall at system
-boot but beginning with Shorewall version 1.3.9 startup is disabled so
-that your system won't try to start Shorewall before configuration is
-complete. Once you have completed configuration of your firewall, you
-can enable Shorewall startup by removing the file
-/etc/shorewall/startup_disabled.
-
IMPORTANT: Users of the
-.deb package must edit /etc/default/shorewall and set 'startup=1'.
-
The firewall is started using the "shorewall start" -command and stopped using "shorewall stop". When the firewall is -stopped, -routing is enabled on those hosts that have an entry in /etc/shorewall/routestopped. -A running firewall may be restarted using the "shorewall restart" -command. If you want to totally remove any trace of Shorewall from your -Netfilter configuration, use "shorewall clear".
-WARNING: If you are connected to your firewall
-from the internet, do not issue a "shorewall stop" command unless you
-have added an entry for the IP address that you are connected from
-to /etc/shorewall/routestopped.
-Also, I don't recommend using "shorewall restart"; it is better to
-create an alternate
-configuration and test it using the "shorewall try" command.
-
Last updated 11/15/2003 - Tom Eastep
- - -
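Review bot: Nothing in this diff says where the content of the deleted Shorewall-docs/standalone.htm goes; the hunk removes the whole 374-line file (`--- a/Shorewall-docs/standalone.htm` / `+++ /dev/null`) with no replacement or redirect in the same change. Before merging, confirm that a successor document exists and that links pointing at standalone.htm are updated, because the removed page carries operational safety guidance that should not silently disappear: the warning not to run "shorewall stop" over a remote connection without an entry for your own address in /etc/shorewall/routestopped, the advice to prefer "shorewall try" with an alternate configuration over "shorewall restart", the note to drop the 'norfc1918' option when the ISP assigns an RFC 1918 address, the startup_disabled / 'startup=1' steps, and the recommendation of SSH over telnet. If this is a migration to a newer documentation format, the commit message should name the replacement file so the deletion is traceable.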