Difference between revisions of "Shorewall"

From ArchWiki
Jump to: navigation, search
m (Fix style.)
 
(21 intermediate revisions by 11 users not shown)
Line 1: Line 1:
 
[[Category:Firewalls]]
 
[[Category:Firewalls]]
Shorewall is an iptables frontend. It is easier to setup than manually defining iptables rules. shorewall is available from the AUR. These settings are based on the [http://www.shorewall.net/two-interface.htm two-interface documentation on the shorewall website].
+
[[it:Shorewall]]
 +
[[ja:Shorewall]]
 +
[[zh-cn:Shorewall]]
 +
[http://www.shorewall.net/ The Shoreline Firewall], more commonly known as "Shorewall", is high-level tool for configuring Netfilter.  
  
Use the some example configuration files that come with the shorewall package
+
You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements.
  
# cp /usr/share/shorewall/Samples/two-interfaces/* /etc/shorewall/
+
Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.
  
==/etc/shorewall/interfaces==
+
== Installation ==
 +
[[Install]] the {{Pkg|shorewall}} or {{Pkg|shorewall6}} package.
  
'''Change''' the interface settings to match the names used for our ethernet devices and to allow dhcp traffic on the local network. Edit {{ic|/etc/shorewall/interfaces}}
+
== Configuration ==
 +
These settings are based on the [http://www.shorewall.net/two-interface.htm two-interface documentation on the Shorewall web site].
 +
 
 +
Use some example configuration files that come with the shorewall package
 +
 
 +
# cp /usr/share/doc/shorewall/Samples/one-interface/* /etc/shorewall/    # If you have a desktop-type system with a single network interface
 +
# cp /usr/share/doc/shorewall6/Samples6/one-interface/* /etc/shorewall6/  # If you have a desktop-type system with a single network interface, pkg shorewall6
 +
# cp /usr/share/doc/shorewall/Samples/two-interfaces/* /etc/shorewall/    # If you have a router with two network interfaces
 +
# cp /usr/share/doc/shorewall/Samples/three-interfaces/* /etc/shorewall/  # If you have a router with three network interfaces
 +
 
 +
===/etc/shorewall/interfaces===
 +
 
 +
'''Change''' the interface settings to match the names used for our Ethernet devices and to allow DHCP traffic on the local network. Edit {{ic|/etc/shorewall/interfaces}}
  
 
original
 
original
  net    eth0           detect         dhcp,tcpflags,nosmurfs,routefilter,logmartians
+
  net    eth0          dhcp,tcpflags,nosmurfs,routefilter,logmartians
  loc    eth1           detect         tcpflags,nosmurfs,routefilter,logmartians
+
  loc    eth1          tcpflags,nosmurfs,routefilter,logmartians
  
 
new
 
new
  net    wan           detect         dhcp,tcpflags,nosmurfs,routefilter,logmartians
+
  net    wan          dhcp,tcpflags,nosmurfs,routefilter,logmartians
  loc    lan           detect         dhcp,tcpflags,nosmurfs,routefilter,logmartians
+
  loc    lan          dhcp,tcpflags,nosmurfs,routefilter,logmartians
  
==/etc/shorewall/policy==
+
===/etc/shorewall/policy===
  
 
'''Change''' the policy file to allow the router (this machine) to access the Internet. Edit {{ic|/etc/shorewall/policy}}
 
'''Change''' the policy file to allow the router (this machine) to access the Internet. Edit {{ic|/etc/shorewall/policy}}
Line 44: Line 60:
 
}}
 
}}
  
==/etc/shorewall/rules==
+
===/etc/shorewall/rules===
  
DNS lookups are handled (actually forwarded) by dnsmasq, so shorewall needs to allow those connections. '''Add''' these lines to {{ic|/etc/shorewall/rules}}
+
DNS look-ups are handled (actually forwarded) by dnsmasq, so Shorewall needs to allow those connections. '''Add''' these lines to {{ic|/etc/shorewall/rules}}
  
 
{{bc|
 
{{bc|
Line 54: Line 70:
 
}}
 
}}
  
'''OPTIONAL:''' You can '''add''' these lines if you want to be able to SSH into the router from computers on the Internet
+
===/etc/shorewall/masq===
 +
 
 +
'''Change''' the network interface to the one connected to your external (WAN) network and '''change''' the IP to the one used in your local network.
 +
 
 +
eth0        192.168.1.0/24
 +
 
 +
==== SSH ====
 +
'''OPTIONAL:''' You can '''add''' these lines to /etc/shorewall/rules if you want to be able to SSH into the router from computers on the Internet
  
 
{{bc|
 
{{bc|
 
#      Accept SSH connections from the internet for administration
 
#      Accept SSH connections from the internet for administration
 
#
 
#
SSH(ACCEPT)    net            $FW
+
SSH(ACCEPT)    net            $FW         TCP      <SSH port used>
 
}}
 
}}
  
==/etc/shorewall/shorewall.conf==
+
====Port forwarding (DNAT)====
 +
* /etc/shorewall/rules : here is an example for a webserver on our LAN with IP 10.0.0.85. You can reach it on port 5000 of our "external" IP.
 +
DNAT        net        loc:10.0.0.85:80        tcp        5000
 +
 
 +
===/etc/shorewall/stoppedrules===
 +
 
 +
If you have a network name other than eth1 for the network interface in /etc/shorewall/interfaces, you need to update stoppedrules with the correct name.
 +
 
 +
===/etc/shorewall/shorewall.conf===
  
 
When you are finished making above changes, enable shorewall by a '''change''' in it's config file {{ic|/etc/shorewall/shorewall.conf}}:
 
When you are finished making above changes, enable shorewall by a '''change''' in it's config file {{ic|/etc/shorewall/shorewall.conf}}:
Line 71: Line 102:
 
new
 
new
 
  STARTUP_ENABLED=Yes
 
  STARTUP_ENABLED=Yes
 +
 +
See [http://shorewall.net/manpages/shorewall.conf.html man page] for more info.
 +
 +
== Start ==
 +
[[Start]]/[[enable]] {{ic|shorewall.service}}.
 +
 +
== Traffic shaping ==
 +
 +
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.
 +
 +
Here is my config as an example:
 +
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got a ADSL connection with a 4MBit down/256KBit up profile.
 +
ppp0        4mbit        256kbit
 +
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.
 +
# interactive traffic (ssh)
 +
ppp0            1      full    full    0
 +
# online gaming
 +
ppp0            2      full/2  full    5
 +
# http
 +
ppp0            3      full/4  full    10
 +
# rest
 +
ppp0            4      full/6  full    15              default
 +
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.
 +
1      0.0.0.0/0      0.0.0.0/0      tcp    ssh
 +
2      0.0.0.0/0      0.0.0.0/0      udp    27000:28000
 +
3      0.0.0.0/0      0.0.0.0/0      tcp    http
 +
3      0.0.0.0/0      0.0.0.0/0      tcp    https
 +
I have split it up my traffic in 4 groups:
 +
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.
 +
# online gaming: needless to say you cannot play when your ping sucks. ;)
 +
# webtraffic: can be a bit slower
 +
# everything else: every sort of download, they are the cause of the lag anyway.

Latest revision as of 03:31, 23 July 2016

The Shoreline Firewall, more commonly known as "Shorewall", is high-level tool for configuring Netfilter.

You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements.

Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.

Installation

Install the shorewall or shorewall6 package.

Configuration

These settings are based on the two-interface documentation on the Shorewall web site.

Use some example configuration files that come with the shorewall package

# cp /usr/share/doc/shorewall/Samples/one-interface/* /etc/shorewall/     # If you have a desktop-type system with a single network interface
# cp /usr/share/doc/shorewall6/Samples6/one-interface/* /etc/shorewall6/  # If you have a desktop-type system with a single network interface, pkg shorewall6
# cp /usr/share/doc/shorewall/Samples/two-interfaces/* /etc/shorewall/    # If you have a router with two network interfaces
# cp /usr/share/doc/shorewall/Samples/three-interfaces/* /etc/shorewall/  # If you have a router with three network interfaces

/etc/shorewall/interfaces

Change the interface settings to match the names used for our Ethernet devices and to allow DHCP traffic on the local network. Edit /etc/shorewall/interfaces

original

net     eth0          dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1          tcpflags,nosmurfs,routefilter,logmartians

new

net     wan          dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     lan          dhcp,tcpflags,nosmurfs,routefilter,logmartians

/etc/shorewall/policy

Change the policy file to allow the router (this machine) to access the Internet. Edit /etc/shorewall/policy

original

###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST

loc             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

new

###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
$FW             net             ACCEPT
loc             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

/etc/shorewall/rules

DNS look-ups are handled (actually forwarded) by dnsmasq, so Shorewall needs to allow those connections. Add these lines to /etc/shorewall/rules

#       Accept DNS connections from the local network to the firewall
#
DNS(ACCEPT)     loc              $FW

/etc/shorewall/masq

Change the network interface to the one connected to your external (WAN) network and change the IP to the one used in your local network.

eth0        192.168.1.0/24

SSH

OPTIONAL: You can add these lines to /etc/shorewall/rules if you want to be able to SSH into the router from computers on the Internet

#       Accept SSH connections from the internet for administration
#
SSH(ACCEPT)     net             $FW         TCP      <SSH port used>

Port forwarding (DNAT)

  • /etc/shorewall/rules : here is an example for a webserver on our LAN with IP 10.0.0.85. You can reach it on port 5000 of our "external" IP.
DNAT        net        loc:10.0.0.85:80        tcp        5000

/etc/shorewall/stoppedrules

If you have a network name other than eth1 for the network interface in /etc/shorewall/interfaces, you need to update stoppedrules with the correct name.

/etc/shorewall/shorewall.conf

When you are finished making above changes, enable shorewall by a change in it's config file /etc/shorewall/shorewall.conf:

original

STARTUP_ENABLED=No

new

STARTUP_ENABLED=Yes

See man page for more info.

Start

Start/enable shorewall.service.

Traffic shaping

Read Shorewall's Traffic Shaping/Control guide.

Here is my config as an example:

  • /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got a ADSL connection with a 4MBit down/256KBit up profile.
ppp0        4mbit        256kbit 
  • /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.
# interactive traffic (ssh)
ppp0            1       full    full    0
# online gaming
ppp0            2       full/2  full    5
# http
ppp0            3       full/4  full    10
# rest
ppp0            4       full/6  full    15              default
  • /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.
1       0.0.0.0/0       0.0.0.0/0       tcp     ssh
2       0.0.0.0/0       0.0.0.0/0       udp     27000:28000
3       0.0.0.0/0       0.0.0.0/0       tcp     http
3       0.0.0.0/0       0.0.0.0/0       tcp     https

I have split it up my traffic in 4 groups:

  1. interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.
  2. online gaming: needless to say you cannot play when your ping sucks. ;)
  3. webtraffic: can be a bit slower
  4. everything else: every sort of download, they are the cause of the lag anyway.