Difference between revisions of "Shorewall"

From ArchWiki
Revision as of 09:50, 13 March 2013

Shorewall is an iptables frontend. It is easier to set up than manually defining iptables rules. Shorewall is available from the AUR. These settings are based on the two-interface documentation on the Shorewall website.

Use the example configuration files that come with the shorewall package:

# cp /usr/share/shorewall/Samples/two-interfaces/* /etc/shorewall/

/etc/shorewall/interfaces

Change the interface settings to match the names used for our Ethernet devices and to allow DHCP traffic on the local network. Edit /etc/shorewall/interfaces:

original

net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians

new

net     wan            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     lan            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians

/etc/shorewall/policy

Change the policy file to allow the router (this machine) to access the Internet. Edit /etc/shorewall/policy:

original

###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST

loc             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

new

###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
$FW             net             ACCEPT
loc             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
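
Because Shorewall applies policies in file order (which is why the comment above says the catch-all must be last), it is worth checking that the edited policy file keeps the `all all REJECT` line last and still contains the router's own `$FW net ACCEPT` line before starting the firewall. The following linter is an added example written for this page, not code from the ArchWiki page or from Shorewall; the `Policy`/`parse_policy`/`lint_policy` names and the embedded sample policies are constructed.

```python
"""Lint a Shorewall /etc/shorewall/policy file for ordering mistakes.
Added example, not from the ArchWiki page or from Shorewall itself."""
from typing import List, NamedTuple


class Policy(NamedTuple):
    source: str
    dest: str
    action: str


def parse_policy(text: str) -> List[Policy]:
    """Read the whitespace-separated columns, skipping blanks and # comments."""
    entries = []
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()  # optional LOG LEVEL/LIMIT columns are ignored
        if not cols:
            continue
        if len(cols) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        entries.append(Policy(cols[0], cols[1], cols[2]))
    return entries


def lint_policy(text: str) -> List[str]:
    """Flag policies shadowed by the 'all all' catch-all (Shorewall applies them in file order)."""
    entries = parse_policy(text)
    problems = []
    for i, p in enumerate(entries):
        if (p.source, p.dest) == ("all", "all"):
            for s in entries[i + 1:]:
                problems.append(f"'{s.source} {s.dest} {s.action}' is unreachable: "
                                f"it follows the catch-all 'all all {p.action}'")
            break
    else:
        problems.append("no 'all all' catch-all policy found")
    if Policy("$FW", "net", "ACCEPT") not in entries:
        problems.append("router itself cannot reach the Internet: missing '$FW net ACCEPT'")
    return problems


# Constructed samples: the page's 'new' policy, and a misordered variant of it.
GOOD_POLICY = """\
$FW    net    ACCEPT
loc    net    ACCEPT
net    all    DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all    all    REJECT  info
"""
BAD_POLICY = "$FW net ACCEPT\nall all REJECT info\nloc net ACCEPT\n"
```

Running `lint_policy` on the contents of /etc/shorewall/policy returns an empty list for the configuration shown above and names each shadowed line otherwise.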

/etc/shorewall/rules

DNS lookups are handled (actually forwarded) by dnsmasq, so Shorewall needs to allow those connections. Add these lines to /etc/shorewall/rules:

#       Accept DNS connections from the local network to the firewall
#
DNS(ACCEPT)     loc              $FW

OPTIONAL: You can add these lines if you want to be able to SSH into the router from computers on the Internet:

#       Accept SSH connections from the internet for administration
#
SSH(ACCEPT)     net             $FW

/etc/shorewall/shorewall.conf

When you have finished making the above changes, enable Shorewall by changing its configuration file /etc/shorewall/shorewall.conf:

original

STARTUP_ENABLED=No

new

STARTUP_ENABLED=Yes