Difference between revisions of "Shorewall"

From ArchWiki
Revision as of 17:59, 8 May 2013

The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter.

You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those files and, with the help of the iptables utility, configures Netfilter to match your requirements.

Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.

Installation

shorewall is available in the official repositories.

Configuration

These settings are based on the two-interface documentation on the shorewall website.

Use the example configuration files that come with the shorewall package:

# cp /usr/share/doc/shorewall/Samples/two-interfaces/* /etc/shorewall/

/etc/shorewall/interfaces

Change the interface settings to match the names used for our Ethernet devices and to allow DHCP traffic on the local network. Edit /etc/shorewall/interfaces:

original

net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians

new

net     wan            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     lan            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians

/etc/shorewall/policy

Change the policy file to allow the router (this machine) to access the Internet. Edit /etc/shorewall/policy

original

###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST

loc             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

new

###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
$FW             net             ACCEPT
loc             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

/etc/shorewall/rules

DNS lookups are handled (actually forwarded) by dnsmasq, so shorewall needs to allow those connections. Add these lines to /etc/shorewall/rules

#       Accept DNS connections from the local network to the firewall
#
DNS(ACCEPT)     loc              $FW
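The policy and rules sections above rely on Shorewall's first-match semantics: traffic between a zone pair gets the first policy whose SOURCE and DEST match it, and the `all all REJECT` catch-all must stay last. As an added example (not part of this ArchWiki page or of Shorewall itself), here is a small Python linter for a policy file in this format: it reports which policy a zone pair falls under (for instance why loc to $FW needs the explicit DNS rule) and flags a catch-all that is not last or an entry shadowed by an earlier one. The sample file and the check names are constructed here.

```python
# Added example (hypothetical linter, not a Shorewall tool): first-match policy lookup plus ordering checks.
from collections import namedtuple

Policy = namedtuple("Policy", "source dest action log_level")

# Constructed sample: the "new" /etc/shorewall/policy from this page.
POLICY_TEXT = """\
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
$FW             net             ACCEPT
loc             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
"""

def parse_policy(text):
    """Parse SOURCE DEST POLICY [LOG LEVEL] lines; '#' starts a comment."""
    policies = []
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()      # drop comments and blank lines
        if not cols:
            continue
        if len(cols) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        log_level = cols[3] if len(cols) > 3 else ""  # LOG LEVEL is optional
        policies.append(Policy(cols[0], cols[1], cols[2].upper(), log_level))
    return policies

def covers(p, source, dest):
    """True if policy p applies to traffic from zone `source` to zone `dest`."""
    return p.source in ("all", source) and p.dest in ("all", dest)

def effective_policy(policies, source, dest):
    """Shorewall uses the first policy whose SOURCE/DEST match the zone pair."""
    return next((p for p in policies if covers(p, source, dest)), None)

def lint(policies):
    """Return human-readable problems; an empty list means the file looks sane."""
    problems = []
    if not policies or (policies[-1].source, policies[-1].dest) != ("all", "all"):
        problems.append("the 'all all' catch-all policy must be the last entry")
    for i, p in enumerate(policies):
        shadow = next((q for q in policies[:i] if covers(q, p.source, p.dest)), None)
        if shadow is not None:
            problems.append(f"'{p.source} {p.dest} {p.action}' is unreachable: "
                            f"'{shadow.source} {shadow.dest} {shadow.action}' matches first")
        if p.action in ("DROP", "REJECT") and not p.log_level:
            problems.append(f"'{p.source} {p.dest} {p.action}' has no LOG LEVEL; "
                            "denied traffic will not be logged")
    return problems
```

Running `effective_policy(parse_policy(POLICY_TEXT), "loc", "$FW")` returns the REJECT catch-all, which is exactly the gap the `DNS(ACCEPT) loc $FW` rule above closes.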

SSH

OPTIONAL: You can add these lines if you want to be able to SSH into the router from computers on the Internet.

#       Accept SSH connections from the internet for administration
#
SSH(ACCEPT)     net             $FW         TCP      <SSH port used>

Port forwarding (DNAT)

  • /etc/shorewall/rules: here is an example for a web server on our LAN with IP 10.0.0.85. It is reachable on port 5000 of our "external" IP.
DNAT        net        loc:10.0.0.85:80        tcp        5000

/etc/shorewall/shorewall.conf

When you have finished making the above changes, enable shorewall by changing its config file /etc/shorewall/shorewall.conf:

original

STARTUP_ENABLED=No

new

STARTUP_ENABLED=Yes

See the shorewall.conf man page for more info.

Start

# systemctl enable shorewall
# systemctl start shorewall