This HOWTO is applicable to Debian and Ubuntu. It will guide you through setting up Shorewall.
$ sudo apt-get install shorewall iproute
On Xen/Ubuntu 7.04, iptables is not installed by default, so be sure to install it too:
$ sudo apt-get install iptables
Note: By default, no configuration files will be present.
$ cd /usr/share/doc/shorewall/default-config/
$ sudo cp -p interfaces rules zones policy /etc/shorewall
Get the name of your external interface using ip route ls. The external interface device name immediately follows dev.
On an OpenVZ VPS you should see something like this:
$ sudo ip route ls
191.255.255.1 dev venet0 scope link
but on a Xen VPS account, you should see something like this:
$ sudo ip route ls
206.124.146.0/24 dev eth0 scope link
206.124.146.0/24 dev eth0 proto kernel scope link src 206.124.146.11
default via 206.124.146.1 dev eth0
So on OpenVZ the external interface was venet0, but on Xen it was eth0.
Edit /etc/shorewall/interfaces to insert the following:
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     venet0      detect      tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
The INTERFACE should reflect the external interface name. This example shows the OpenVZ interface of venet0. On Xen you would use eth0.
When you use the special value detect in the BROADCAST column, Shorewall detects the broadcast address(es) for you. If you select this option, the interface must be up before the firewall is started.
Alternately, you can manually enter the broadcast address(es). To do so, first determine your IP address(es):
$ sudo ip addr ls dev <interface>
where <interface> is the name of the external interface you determined in the previous step. On an OpenVZ account you should see something like this:
$ sudo ip addr ls dev venet0
3: venet0: <BROADCAST,POINTOPOINT,NOARP,UP> mtu 1500 qdisc noqueue
link/void
inet 127.0.0.1/32 scope host venet0
inet 206.124.146.11/32 scope global venet0:0
but on a Xen account, you should see something like this:
$ sudo ip addr ls dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether aa:00:36:3b:f4:01 brd ff:ff:ff:ff:ff:ff
inet 206.124.146.11/24 brd 206.124.146.255 scope global eth0
inet6 fe80::a800:36ff:fe3b:f401/64 scope link
valid_lft forever preferred_lft forever
Once you have your IP address(es), enter them in the BROADCAST column:
###############################################################################
#ZONE   INTERFACE   BROADCAST        OPTIONS
net     venet0      206.124.146.11   tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Note: If the interface has multiple addresses on multiple subnets then list the broadcast addresses as a comma-separated list.
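The interface-detection step above can be scripted. The following is an added example, not part of the original HOWTO: it reads ip route ls output (constructed samples copied from the two cases shown earlier), picks the name that follows dev, and renders the matching /etc/shorewall/interfaces entry with BROADCAST set to detect.

```shell
#!/bin/sh
# Added example (not from the HOWTO): derive the external interface name from
# `ip route ls` output and render the /etc/shorewall/interfaces entry for it.

# Constructed sample outputs, taken from the OpenVZ and Xen cases shown above.
OPENVZ_ROUTES='191.255.255.1 dev venet0 scope link'
XEN_ROUTES='206.124.146.0/24 dev eth0 scope link
206.124.146.0/24 dev eth0 proto kernel scope link src 206.124.146.11
default via 206.124.146.1 dev eth0'

# ext_iface: read `ip route ls` output on stdin and print the external
# interface. The dev of the default route wins; when there is no default
# route (the OpenVZ case) the first dev seen is used.
ext_iface() {
    awk '
        /^default / { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); found = 1; exit } }
        first == "" { for (i = 1; i < NF; i++) if ($i == "dev") { first = $(i + 1); break } }
        END { if (!found && first != "") print first }
    '
}

# interfaces_entry IFACE: print the interfaces file content for IFACE, using
# "detect" for BROADCAST and the tcpflags option exactly as in the HOWTO.
interfaces_entry() {
    printf '%s\n' \
        '###############################################################################' \
        '#ZONE   INTERFACE   BROADCAST   OPTIONS' \
        "net     $1      detect      tcpflags" \
        '#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'
}

# write_interfaces: glue the two together; refuse to emit a file when no
# interface could be found, so an empty routing table never yields a bad file.
write_interfaces() {
    iface=$(ext_iface)
    [ -n "$iface" ] || { echo 'no interface found in routing table' >&2; return 1; }
    interfaces_entry "$iface"
}

printf '%s\n' "$OPENVZ_ROUTES" | write_interfaces
printf '%s\n' "$XEN_ROUTES" | write_interfaces
```

On a live system the same functions run as `ip route ls | write_interfaces > /etc/shorewall/interfaces`; check the printed INTERFACE value before starting the firewall.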
Edit /etc/shorewall/policy and add these lines:
###############################################################################
#SOURCE   DEST   POLICY   LOG     LIMIT:BURST
#                         LEVEL
$FW       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
#LAST LINE -- DO NOT REMOVE
Edit /etc/shorewall/zones and add these lines:
###############################################################################
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Edit /etc/shorewall/rules and enable the connections you want. We will use the Shorewall macros found in /usr/share/shorewall/macro.* to simplify this process. A path to this directory already exists in the Shorewall config file. When using a Shorewall macro, the general format of each rule in /etc/shorewall/rules is as follows:
#ACTION          SOURCE   DESTINATION   PROTO   DEST PORT(S)
<macro>/ACCEPT   net      $FW
Enter shorewall show macros to display a list of macros available on the system.
This example enables distcc (distributed compiler), http, https, imap, imaps, MySQL, POP3, POP3s, SMTP, SMTPS, and SSH:
#######################################################################################################
#ACTION         SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/
#                                       PORT(S)   PORT(S)   DEST       LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
Distcc/ACCEPT   net      $FW
HTTP/ACCEPT     net      $FW
HTTPS/ACCEPT    net      $FW
IMAP/ACCEPT     net      $FW
IMAPS/ACCEPT    net      $FW
MySQL/ACCEPT    net      $FW
POP3/ACCEPT     net      $FW
POP3S/ACCEPT    net      $FW
SMTP/ACCEPT     net      $FW
SMTPS/ACCEPT    net      $FW
SSH/ACCEPT      net      $FW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
As reported in a post about Shorewall installation problems on the VPSLink Forums, you may need to set DISABLE_IPV6=No in /etc/shorewall/shorewall.conf to bypass the ip6tables checks.
Run shorewall safe-start to start Shorewall.
You will be prompted to confirm that everything went all right. If you answer n, or if you fail to answer within 60 seconds (for example because the new configuration has cut off communication with your terminal), a shorewall clear is performed for you.
If you are modifying an existing firewall, use shorewall safe-restart to test the changes.
Edit /etc/default/shorewall and change startup to 1:
# prevent startup with default configuration
# set the below variable to 1 in order to allow shorewall to start
startup=1
$ sudo /etc/init.d/shorewall start
For further details see /usr/share/doc/shorewall/README.Debian and http://shorewall.net/standalone.htm#System