
HOWTO: Debian Etch: Install Shorewall firewall


This HOWTO applies to Debian and Ubuntu. It walks you through installing and configuring Shorewall as a host firewall on a VPS.



Install the Shorewall Package

$sudo apt-get install shorewall iproute

On Xen/Ubuntu 7.04, iptables is not installed by default, so be sure to install it too:

$sudo apt-get install iptables


Copy Default Configuration Files

Note: By default, no configuration files will be present.

$cd /usr/share/doc/shorewall/default-config/
$sudo cp -p interfaces rules zones policy /etc/shorewall


Retrieve External Interface Name

Get the name of your external interface with ip route ls. The external interface's device name immediately follows dev.

On an OpenVZ VPS you should see something like this:

$sudo ip route ls 
191.255.255.1 dev venet0  scope link

but on a Xen VPS account, you should see something like this:

$sudo ip route ls
206.124.146.0/24 dev eth0  scope link
206.124.146.0/24 dev eth0  proto kernel  scope link  src 206.124.146.11
default via 206.124.146.1 dev eth0

So on OpenVZ the external interface is venet0, but on Xen it is eth0. Note that the OpenVZ VPS has no default route, only a link-scope route via venet0, so you cannot rely on the default line being present.


Update Shorewall Interfaces

Edit /etc/shorewall/interfaces to insert the following:

###############################################################################
#ZONE	INTERFACE	BROADCAST	      OPTIONS
net     venet0          detect	      	      tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The INTERFACE should reflect the external interface name. This example shows the OpenVZ interface of venet0. On Xen you would use eth0.

When you use the special value detect in the BROADCAST column, Shorewall detects the broadcast address(es) for you. If you select this option, the interface must be up before the firewall is started.


Alternatively, you can enter the broadcast address(es) manually. To do so, first look at the addresses on the interface:

$sudo ip addr ls dev <interface>

where <interface> is the name of the external interface you determined in the previous step. On an OpenVZ account you should see something like this:

$sudo ip addr ls dev venet0 
3: venet0: <BROADCAST,POINTOPOINT,NOARP,UP> mtu 1500 qdisc noqueue
    link/void
    inet 127.0.0.1/32 scope host venet0
    inet 206.124.146.11/32 scope global venet0:0

but on a Xen account, you should see something like this:

$sudo ip addr ls dev eth0 
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether aa:00:36:3b:f4:01 brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.11/24 brd 206.124.146.255 scope global eth0
    inet6 fe80::a800:36ff:fe3b:f401/64 scope link
       valid_lft forever preferred_lft forever

The value that belongs under BROADCAST is the broadcast address, which is the value printed after brd on each inet line, not the interface's own address. On the Xen interface above that is 206.124.146.255:

###############################################################################
#ZONE	INTERFACE	BROADCAST	      OPTIONS
net     eth0            206.124.146.255       tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The OpenVZ venet0 interface is point-to-point with /32 addresses and prints no brd value: it has no broadcast address to list, so keep detect there (or enter - if you want to leave the column empty but still set OPTIONS).

Note: If the interface has multiple addresses on multiple subnets then list the broadcast addresses as a comma-separated list.


Update Shorewall Policies

Edit /etc/shorewall/policy and add these lines:

###############################################################################
#SOURCE		DEST		POLICY		LOG		LIMIT:BURST
#						LEVEL
$FW		net		ACCEPT		
net		all		DROP		info
all		all		REJECT          info
#LAST LINE -- DO NOT REMOVE


Update Shorewall Zones

Edit /etc/shorewall/zones and add these lines:

###############################################################################
#ZONE	TYPE		OPTIONS		IN			OUT
#					OPTIONS			OPTIONS
fw	firewall
net	ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


Update Shorewall Rules

Edit /etc/shorewall/rules and enable the connections you want. We will use the Shorewall macros found in /usr/share/shorewall/macro.* to simplify this process; Shorewall already searches that directory (it is part of CONFIG_PATH in shorewall.conf), so nothing needs to be copied. When using a Shorewall macro, the general format of each rule in /etc/shorewall/rules is as follows:

#ACTION         SOURCE    DESTINATION     PROTO       DEST PORT(S)
<macro>/ACCEPT  net       $FW

Enter shorewall show macros to display a list of macros available on the system.

This example accepts distcc (distributed compiler), HTTP, HTTPS, IMAP, IMAPS, MySQL, POP3, POP3S, SMTP, SMTPS and SSH from every host on the internet. Treat it as a menu, not a recommendation: enable only the services this host actually publishes, and restrict anything administrative (SSH, MySQL, distcc) to the addresses that need it by qualifying the SOURCE zone, for example MySQL/ACCEPT net:192.0.2.10 $FW, where 192.0.2.10 stands for your own management host.

#######################################################################################################
#ACTION SOURCE          DEST     PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
#                                        PORT(S) PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
Distcc/ACCEPT   net   $FW
HTTP/ACCEPT     net   $FW
HTTPS/ACCEPT    net   $FW
IMAP/ACCEPT     net   $FW
IMAPS/ACCEPT    net   $FW
MySQL/ACCEPT    net   $FW
POP3/ACCEPT     net   $FW
POP3S/ACCEPT    net   $FW
SMTP/ACCEPT     net   $FW
SMTPS/ACCEPT    net   $FW
SSH/ACCEPT      net   $FW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
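The configuration steps above, from finding the external interface through writing the rules file, automated as an added shell example; this is not code from the original HOWTO or from the Shorewall project. It parses the two kinds of ip output shown earlier, including the OpenVZ point-to-point case that has no broadcast address, and writes the four Shorewall 3.x files with a rules set that opens web and mail to the internet but limits SSH, MySQL and distcc to an assumed admin network 192.0.2.0/24 (override with ADMIN_NET). The sample ip output is constructed from the shapes on this page; on a real host feed it the live ip route ls / ip addr ls output and set SHOREWALL_DIR=/etc/shorewall.

```shell
#!/bin/sh
# Added example, not code from the original HOWTO or the Shorewall project.
# Automates the configuration steps of the HOWTO for Shorewall 3.x on a VPS:
#   1. pick the external interface from `ip route ls` output,
#   2. pick the broadcast address(es) from `ip addr ls dev <iface>` output,
#   3. write zones, policy, interfaces and rules, exposing only web and mail
#      to the internet and restricting SSH, MySQL and distcc to an admin net.
# Assumptions (not from the page): admin network 192.0.2.0/24 (ADMIN_NET) and
# write access to the target directory (root when it is /etc/shorewall).
set -eu

# Device of the default route, or, on an OpenVZ VPS that has only a
# link-scope route via venet0, the first `dev` seen.
ext_iface() {
    awk '
        { for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1) }
        $1 == "default" && dev != "" { print dev; found = 1; exit }
        first == "" && dev != "" { first = dev }
        END { if (!found && first != "") print first }
    '
}

# Comma-separated broadcast addresses (the value after `brd` on each inet
# line, deduplicated), or "-" when the interface is point-to-point and has none.
brd_addr() {
    awk '
        $1 == "inet" {
            for (i = 1; i < NF; i++)
                if ($i == "brd" && !($(i + 1) in seen)) {
                    seen[$(i + 1)] = 1
                    out = (out == "" ? $(i + 1) : out "," $(i + 1))
                }
        }
        END { print (out == "" ? "-" : out) }
    '
}

# write_config DIR IFACE BRD: write the four files this HOWTO edits.
write_config() {
    dir=$1 iface=$2 brd=$3
    admin=${ADMIN_NET:-192.0.2.0/24}    # hypothetical management network
    case $iface in
        ''|*[!A-Za-z0-9_.:-]*) echo "refusing odd interface name: $iface" >&2; return 1 ;;
    esac
    mkdir -p "$dir"
    cat >"$dir/zones" <<EOF
#ZONE   TYPE
fw      firewall
net     ipv4
EOF
    cat >"$dir/interfaces" <<EOF
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     $iface     $brd     tcpflags
EOF
    cat >"$dir/policy" <<EOF
#SOURCE DEST    POLICY  LOG
\$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
    cat >"$dir/rules" <<EOF
#ACTION         SOURCE          DEST
SECTION NEW
# Reachable from anywhere: the services this host publishes.
HTTP/ACCEPT     net     \$FW
HTTPS/ACCEPT    net     \$FW
SMTP/ACCEPT     net     \$FW
# Reachable only from the admin network: remote shell, database, compiler.
SSH/ACCEPT      net:$admin     \$FW
MySQL/ACCEPT    net:$admin     \$FW
Distcc/ACCEPT   net:$admin     \$FW
EOF
}

# Constructed sample `ip` output, shaped like the examples in this HOWTO.
OVZ_ROUTE='191.255.255.1 dev venet0  scope link'
XEN_ROUTE='206.124.146.0/24 dev eth0  scope link
default via 206.124.146.1 dev eth0'
OVZ_ADDR='3: venet0: <BROADCAST,POINTOPOINT,NOARP,UP> mtu 1500 qdisc noqueue
    link/void
    inet 127.0.0.1/32 scope host venet0
    inet 206.124.146.11/32 scope global venet0:0'
XEN_ADDR='2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether aa:00:36:3b:f4:01 brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.11/24 brd 206.124.146.255 scope global eth0'

# Demo run on the Xen sample; set SHOREWALL_DIR=/etc/shorewall on a real host
# and replace the samples with live `ip route ls` / `ip addr ls dev` output.
demo_dir=$(mktemp -d)
iface=$(printf '%s\n' "$XEN_ROUTE" | ext_iface)
brd=$(printf '%s\n' "$XEN_ADDR" | brd_addr)
write_config "${SHOREWALL_DIR:-$demo_dir}" "$iface" "$brd"
cat "${SHOREWALL_DIR:-$demo_dir}/interfaces" "${SHOREWALL_DIR:-$demo_dir}/rules"
```

After writing the files, run shorewall check and then shorewall safe-start as described below; the interface-name check in write_config exists because the name ends up unquoted in a configuration file that root-level tooling reads.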

Turn Off Shorewall's IPv6 Handling

As reported in a post about Shorewall installation problems on the VPSLink forums, the DISABLE_IPV6=Yes setting in /etc/shorewall/shorewall.conf makes Shorewall call ip6tables to block all IPv6 traffic, and that step fails on VPS kernels without ip6tables support. Set DISABLE_IPV6=No to skip it. Be aware that Shorewall then leaves IPv6 alone entirely: if the VPS has an IPv6 address, nothing in this setup filters it.


Test Your Shorewall Setup

Run shorewall safe-start to start Shorewall.

You will be asked whether everything went all right. If you answer n, or if you fail to answer within 60 seconds (for example because the new configuration has cut off your terminal session), Shorewall runs shorewall clear for you, which removes the rules and restores access.

If you are modifying an existing firewall, use shorewall safe-restart to test the changes.


Enable Shorewall

Edit /etc/default/shorewall and change startup to 1

# prevent startup with default configuration
# set the below variable to 1 in order to allow shorewall to start
startup=1


Start Shorewall

/etc/init.d/shorewall start

For further details see /usr/share/doc/shorewall/README.Debian and http://shorewall.net/standalone.htm#System

Retrieved from "http://wiki.vpslink.com/index.php?title=HOWTO:_Debian_Etch:_Install_Shorewall_firewall&oldid=15228"