Set Up Shorewall Firewall On CentOS

This tutorial will guide you through the setting of Shorewall (Shoreline) 4.0 firewall on CentOS 5.1, which can be easily adapted to any other Linux distribution.

The Shoreline of firewalls, more commonly known as "Shorewall" is a high-level configuration tool Netfilter. You describe your firewall / gateway using entries in a set of configuration files. Shorewall read configuration files and with the help of utility iptables, Shorewall configure Netfilter to match your needs. Shorewall can be used on a dedicated firewall system , a multi-function gateway / router / server or on GNU / Linux system. Shorewall doesn't use Netfilter ipchains compatibility mode and can thus benefit from connecting Netfilter state monitoring capabilities.

http://www.shorewall.net/

Important Note:
Before installing shorewall we need to uninstall ipchains if you installed in your machine.

Download shorewall

wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-4.0.11-2.noarch.rpm

wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-perl-4.0.11-2.noarch.rpm

wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-shell-4.0.11-2.noarch.rpm

You can check download section in shorewall official web site for newer versions.
http://www.shorewall.net/download.htm

Install Shorewall

Installing shorewall is quite easy. Just open a terminal and do a

rpm -ivh shorewall-perl-4.0.11-2.noarch.rpm shorewall-shell-4.0.11-2.noarch.rpm shorewall-4.0.11-2.noarch.rpm

and you're all ready. Don't close your terminal, because we will need it some more.

Setting Shorewall

The program will not start unless you change the shorewall configuration file /etc/shorewall/shorewall.conf .You can do this in following way:

vim /etc/shorewall/shorewall.conf

Change the first line from

STARTUP_ENABLED=No

to

STARTUP_ENABLED=Yes

Save and exit (in VIM, hit [ESC] and then ':wq').

If you want to configure shorewall you need to copy the sample configuration file from
/usr/share/doc/shorewall-4.0.11/Samples/. In Samples directory there are 3 different directories :one-interface/,two-interfaces/ and
three-interfaces/. Depending on your network,you can do this by the following command:

cp /usr/share/doc/shorewall-4.0.11/Samples/one-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/

or

cp /usr/share/doc/shorewall-4.0.11/Samples/two-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/

or

cp /usr/share/doc/shorewall-4.0.11/Samples/three-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/

Now you have configuration files located in /etc/shorewall.

Zones Configuration

Open and edit the file /etc/shorewall/zones to specify the different network zones,
these are just labels that you will use in the other files.

vim /etc/shorewall/zones

Consider the Internet(net) as one zone, and a private network(dmz) as another zone.The firewall zone or "fw" is your linux box itself.
If you have these then the zones file would look like this:

#ZONE TYPE OPTIONS  IN OPTIONS  OUT OPTIONS
#
fw firewall
net ipv4
loc ipv4
dmz ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Interfaces Configuration

The next file to edit is the interfaces file to specify the interfaces on your machine.

vim /etc/shorewall/interfaces

Here you will connect the zones that you defined in the previous step with an actual interface.
The third field is the broadcast address for the network attached to the interface ("detect" will figure this out for you). Finally the last fields are options for the interface. The options listed below are a good starting point.

#ZONE INTERFACE BROADCAST OPTIONS
net     eth0            detect          tcpflags,dhcp,routefilter,nosmurfs,logmartians
loc     eth1            detect          tcpflags,nosmurfs
dmz     eth2            detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Policy Configuration

The next file defines your firewall default policy. The default policy is used if no other rules apply.
Often you will set the default policy to REJECT or DROP as the default, and then configure
specifically what ports/services are allowed in the next step, and any that you do not configure are by default
rejected or dropped according to this policy.

vim /etc/shorewall/policy

An example policy (based on the zones and interfaces we used above) would be:

#SOURCE  DEST  POLICY  LOG LEVEL LIMIT:BURST
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# in your DMZ, change the following policy to REJECT info.
loc  net  ACCEPT
# If you want open access to DMZ from loc, change the following policy
# to ACCEPT.  (If you chose not to do this, you will need to add a rule
# for each service in the rules file.)
loc  dmz  REJECT  info
loc  $FW  REJECT  info
loc  all  REJECT  info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
$FW  net  REJECT  info
$FW  dmz  REJECT  info
$FW  loc  REJECT  info
$FW  all  REJECT  info
#
# Policies for traffic originating from the De-Militarized Zone (dmz)
#
# If you want open access from DMZ to the Internet change the following
# policy to ACCEPT.  This may be useful if you run a proxy server in
# your DMZ.
dmz  net  REJECT  info
dmz  $FW  REJECT  info
dmz  loc  REJECT  info
dmz  all  REJECT  info
#
# Policies for traffic originating from the Internet zone (net)
#
net  dmz  DROP  info
net  $FW  DROP  info
net  loc  DROP  info
net  all  DROP  info
# THE FOLLOWING POLICY MUST BE LAST
all  all  REJECT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Rules Configuration

The most important file is the rules. This is where you set what is allowed or not.
Any new connection that comes into your firewall passes over these rules, if none of these apply, then the
default policy will apply.

Note: This is only for new connections, existing connections are automatically accepted.

The comments in the file give you a good idea of how things work, but the following will provided an example
that can give you a head-start:

vim /etc/shorewall/rules

An example would be:

#############################################################################################################
#ACTION  SOURCE  DEST PROTO DEST SOURCE  ORIGINAL RATE USER/ MARK
#      PORT PORT(S)  DEST  LIMIT  GROUP
#
# Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT $FW  net
#
#
# Accept SSH connections from the local network to the firewall and DMZ
#
SSH/ACCEPT      loc             $FW
SSH/ACCEPT      loc             dmz
#
# DMZ DNS access to the Internet
#
DNS/ACCEPT dmz  net
#
# Drop Ping from the "bad" net zone.
#
Ping/DROP     net             $FW
#
#       Make ping work bi-directionally between the dmz, net, Firewall and local zone
#       (assumes that the loc-> net policy is ACCEPT).
#
Ping/ACCEPT     loc             $FW
Ping/ACCEPT     dmz             $FW
Ping/ACCEPT     loc             dmz
Ping/ACCEPT     dmz             loc
Ping/ACCEPT     dmz             net
ACCEPT  $FW  net  icmp
ACCEPT  $FW  loc  icmp
ACCEPT  $FW  dmz  icmp
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc
#Ping/ACCEPT    net             dmz
#Ping/ACCEPT    net             loc
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Finally

Well we are done, let's fire up the services and begin testing.

service shorewall start

Shorewall Web interface or GUI tool

We have a webmin interface for shorewall to configure through GUI. You can download from http://www.webmin.com/download/modules/shorewall.wbm.gz.

♦DiggIt! ♦Add to del.icio.us ♦Add to Technorati Faves