http://www.shorewall.net/
Important Note:
Shorewall generates iptables rules, so if the older ipchains package is installed on the machine, uninstall it first: the ipchains and iptables kernel modules cannot be loaded at the same time.
Download shorewall
wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-4.0.11-2.noarch.rpm
wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-perl-4.0.11-2.noarch.rpm
wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-shell-4.0.11-2.noarch.rpm
Install Shorewall
Installing Shorewall is straightforward. Shorewall 4.0 is split into the base package and two rule compilers, shorewall-perl and shorewall-shell; at least one compiler must be present, and here we install both. Open a terminal and run
rpm -ivh shorewall-perl-4.0.11-2.noarch.rpm shorewall-shell-4.0.11-2.noarch.rpm shorewall-4.0.11-2.noarch.rpm
and you're all set. Keep the terminal open, because the next steps use it too.
Configuring Shorewall
Shorewall refuses to start until you edit its main configuration file, /etc/shorewall/shorewall.conf:
vim /etc/shorewall/shorewall.conf
Change the first setting in the file from
STARTUP_ENABLED=No
to
STARTUP_ENABLED=Yes
Save and exit (in vim, hit [ESC] and then ':wq').
The quickest way to get a working configuration is to copy one of the sample configurations shipped in
/usr/share/doc/shorewall-4.0.11/Samples/. That directory holds three samples: one-interface/, two-interfaces/ and
three-interfaces/. Pick the one that matches your network and copy its files into /etc/shorewall:
cp /usr/share/doc/shorewall-4.0.11/Samples/one-interface/{interfaces,policy,routestopped,rules,zones} /etc/shorewall/
or
cp /usr/share/doc/shorewall-4.0.11/Samples/two-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/
or
cp /usr/share/doc/shorewall-4.0.11/Samples/three-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/
(The one-interface sample has no masq file, since a single-interface box does not masquerade.) The configuration files are now in /etc/shorewall. The rest of this page follows the three-interfaces layout, with the zones net, loc and dmz; if you copied one of the other samples, adjust the zone and interface names accordingly.
Zones Configuration
Open /etc/shorewall/zones to declare the network zones; they are just labels that the other files refer to.
vim /etc/shorewall/zones
In the three-interface layout the Internet is the net zone, the local LAN is loc, the network holding your publicly reachable servers is dmz, and the firewall zone fw (written $FW in the other files, as set by FW=fw in shorewall.conf) is the Linux box itself. With those zones the file looks like this:
#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
#
fw firewall
net ipv4
loc ipv4
dmz ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Interfaces Configuration
The next file to edit is the interfaces file, which ties each zone you declared in the previous step to a physical interface.
vim /etc/shorewall/interfaces
The third field is the broadcast address of the network attached to the interface ("detect" makes Shorewall work it out from the interface's own address). The last field holds options for the interface. The options below, taken from the three-interface sample, are a good starting point: tcpflags drops packets with illegal TCP flag combinations, nosmurfs drops packets whose source is a broadcast address, routefilter and logmartians turn on the kernel's reverse-path check and the logging of packets with impossible source addresses, and dhcp allows DHCP traffic on eth0, so remove it if that interface has a static address.
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect tcpflags,dhcp,routefilter,nosmurfs,logmartians
loc eth1 detect tcpflags,nosmurfs
dmz eth2 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Policy Configuration
The policy file defines the default policies: the verdict applied when no rule in the rules file matches.
Typically you set the default to REJECT or DROP and then allow specific ports/services in the rules file (next step); anything you do not explicitly allow falls through to this policy. The sample below uses DROP for traffic from net, so a scanner gets no response at all, and REJECT for the internal zones, so local users get an immediate error instead of a hanging connection. With a LOG LEVEL of info, each rejected or dropped connection is also logged.
vim /etc/shorewall/policy
An example policy (based on the zones and interfaces above) would be:
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# in your DMZ, change the following policy to REJECT info.
loc net ACCEPT
# If you want open access to DMZ from loc, change the following policy
# to ACCEPT. (If you chose not to do this, you will need to add a rule
# for each service in the rules file.)
loc dmz REJECT info
loc $FW REJECT info
loc all REJECT info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
$FW net REJECT info
$FW dmz REJECT info
$FW loc REJECT info
$FW all REJECT info
#
# Policies for traffic originating from the De-Militarized Zone (dmz)
#
# If you want open access from DMZ to the Internet change the following
# policy to ACCEPT. This may be useful if you run a proxy server in
# your DMZ.
dmz net REJECT info
dmz $FW REJECT info
dmz loc REJECT info
dmz all REJECT info
#
# Policies for traffic originating from the Internet zone (net)
#
net dmz DROP info
net $FW DROP info
net loc DROP info
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Rules Configuration
The most important file is rules. This is where you define what is allowed and what is not.
Every new connection to or through the firewall is matched against these rules, top to bottom, and the first match wins; if none applies, the
default policy from the previous step is used.
Note: the rules are consulted only for new connections; packets belonging to established or related connections are accepted automatically.
Entries of the form DNS/ACCEPT or SSH/ACCEPT use Shorewall macros (shipped in /usr/share/shorewall/ as macro.DNS, macro.SSH and so on), which supply the protocol and port of the service, so DNS/ACCEPT $FW net allows TCP and UDP port 53 from the firewall to the Internet.
The comments in the file explain the columns, and the following example will give you a head start:
vim /etc/shorewall/rules
An example would be:
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT $FW net
#
#
# Accept SSH connections from the local network to the firewall and DMZ
#
SSH/ACCEPT loc $FW
SSH/ACCEPT loc dmz
#
# DMZ DNS access to the Internet
#
DNS/ACCEPT dmz net
#
# Drop Ping from the "bad" net zone.
#
Ping/DROP net $FW
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
Ping/ACCEPT loc $FW
Ping/ACCEPT dmz $FW
Ping/ACCEPT loc dmz
Ping/ACCEPT dmz loc
Ping/ACCEPT dmz net
ACCEPT $FW net icmp
ACCEPT $FW loc icmp
ACCEPT $FW dmz icmp
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc
#Ping/ACCEPT net dmz
#Ping/ACCEPT net loc
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
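The zones, policy and rules files fit together as one lookup: for a new connection, the rules are tried first, in order, and only if none matches does the policy file supply the verdict. The script below is an added example, not code from the Shorewall project or from the original page. It models that lookup for the three-interface configuration shown above: it embeds constructed copies of the policy and rules (with $FW standing for the fw zone, as set by FW=fw in shorewall.conf), expands the three macros the page uses (DNS, SSH and Ping) to the protocol and port pairs from their macro files, and prints the verdict for a few constructed zone-to-zone queries. It ignores interfaces, addresses and the automatic acceptance of established connections, so use it to reason about how the files interact, not as a substitute for shorewall check.

```sh
#!/bin/sh
# Added example, not part of Shorewall or of the original page: a toy evaluator
# for the zone-to-zone verdict a NEW connection gets under the three-interface
# policy and rules shown above. Constructed copies of those two files follow;
# '$FW' is the firewall zone, named by FW=fw in shorewall.conf.

POLICY='
loc  net  ACCEPT
loc  dmz  REJECT info
loc  $FW  REJECT info
loc  all  REJECT info
$FW  net  REJECT info
$FW  dmz  REJECT info
$FW  loc  REJECT info
$FW  all  REJECT info
dmz  net  REJECT info
dmz  $FW  REJECT info
dmz  loc  REJECT info
dmz  all  REJECT info
net  dmz  DROP   info
net  $FW  DROP   info
net  loc  DROP   info
net  all  DROP   info
all  all  REJECT info
'

RULES='
DNS/ACCEPT   $FW  net
SSH/ACCEPT   loc  $FW
SSH/ACCEPT   loc  dmz
DNS/ACCEPT   dmz  net
Ping/DROP    net  $FW
Ping/ACCEPT  loc  $FW
Ping/ACCEPT  dmz  $FW
Ping/ACCEPT  loc  dmz
Ping/ACCEPT  dmz  loc
Ping/ACCEPT  dmz  net
ACCEPT       $FW  net  icmp
ACCEPT       $FW  loc  icmp
ACCEPT       $FW  dmz  icmp
'

# Protocol/port pairs behind the macros used on this page (from Shorewall's
# macro.DNS, macro.SSH and macro.Ping; only the fields this model needs).
macro_ports() {
    case "$1" in
        DNS)  printf '%s\n' 'udp 53' 'tcp 53' ;;
        SSH)  printf '%s\n' 'tcp 22' ;;
        Ping) printf '%s\n' 'icmp 8' ;;
        *)    return 1 ;;
    esac
}

# Map the $FW placeholder to the zone name declared in the zones file.
zone_name() {
    if [ "$1" = '$FW' ]; then echo fw; else echo "$1"; fi
}

# verdict SRC_ZONE DST_ZONE PROTO DEST_PORT
# Prints ACCEPT, DROP or REJECT. Rules are tried first, top to bottom, and the
# first match wins. Otherwise the policy file is scanned top to bottom, with
# 'all' matching any zone, which is why 'all all REJECT' must be last.
verdict() {
    src=$1 dst=$2 proto=$3 dport=$4
    while read -r action rsrc rdst rproto rport; do
        [ -n "$action" ] || continue
        rsrc=$(zone_name "$rsrc"); rdst=$(zone_name "$rdst")
        [ "$rsrc" = "$src" ] && [ "$rdst" = "$dst" ] || continue
        case "$action" in
            */*)   # MACRO/ACTION: the macro supplies proto and port
                macro=${action%/*}; act=${action#*/}
                while read -r mproto mport; do
                    if [ "$mproto" = "$proto" ] && [ "$mport" = "$dport" ]; then
                        echo "$act"; return 0
                    fi
                done <<MACRO_EOF
$(macro_ports "$macro")
MACRO_EOF
                ;;
            *)     # plain ACTION with optional PROTO and DEST PORT columns
                if [ -z "$rproto" ] || [ "$rproto" = "$proto" ]; then
                    if [ -z "$rport" ] || [ "$rport" = "$dport" ]; then
                        echo "$action"; return 0
                    fi
                fi
                ;;
        esac
    done <<RULES_EOF
$RULES
RULES_EOF
    while read -r psrc pdst policy _; do
        [ -n "$psrc" ] || continue
        psrc=$(zone_name "$psrc"); pdst=$(zone_name "$pdst")
        if { [ "$psrc" = all ] || [ "$psrc" = "$src" ]; } &&
           { [ "$pdst" = all ] || [ "$pdst" = "$dst" ]; }; then
            echo "$policy"; return 0
        fi
    done <<POLICY_EOF
$POLICY
POLICY_EOF
    echo UNMATCHED; return 1
}

# Constructed sample queries: source zone, destination zone, protocol, port.
for q in 'loc fw tcp 22' 'net fw tcp 22' 'loc net tcp 80' \
         'dmz net udp 53' 'dmz net tcp 80' 'fw net tcp 80'; do
    # shellcheck disable=SC2086   # word-splitting $q is intentional
    printf '%-4s -> %-4s %-5s %-3s : %s\n' $q "$(verdict $q)"
done
```

The here-documents feed the loops without a pipeline, so each `while` runs in the current shell and `return` can leave the function as soon as a rule matches, the same short-circuit the generated iptables chains have. Change a policy line or add a rule and rerun the queries to see which connections the edit affects before touching the live firewall.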
Finally
That completes the configuration. Before loading it, run shorewall check, which compiles the configuration without installing it and catches typos in zone names and rule syntax. Then start the service and begin testing:
service shorewall start
One caveat: the policy above drops SSH from net, so if you administer this box over SSH from the Internet side, starting the firewall will cut off your own session. In that case use shorewall safe-start instead, which reverts to the previous ruleset unless you confirm that the new one works. Also remember that shorewall stop blocks everything except the hosts listed in /etc/shorewall/routestopped; shorewall clear is the command that removes all rules.
Shorewall Web interface or GUI tool