Shorewall

From ArchWiki
Revision as of 09:50, 13 March 2013 by Fengchao (Talk | contribs) (Fix style.)

Jump to: navigation, search

Shorewall is an iptables frontend. It is easier to setup than manually defining iptables rules. shorewall is available from the AUR. These settings are based on the two-interface documentation on the shorewall website.

Use the some example configuration files that come with the shorewall package

# cp /usr/share/shorewall/Samples/two-interfaces/* /etc/shorewall/

/etc/shorewall/interfaces

Change the interface settings to match the names used for our ethernet devices and to allow dhcp traffic on the local network. Edit /etc/shorewall/interfaces

original

net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians

new

net     wan            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     lan            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians

/etc/shorewall/policy

Change the policy file to allow the router (this machine) to access the Internet. Edit /etc/shorewall/policy

original

###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST

loc             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

new

###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
$FW             net             ACCEPT
loc             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

/etc/shorewall/rules

DNS lookups are handled (actually forwarded) by dnsmasq, so shorewall needs to allow those connections. Add these lines to /etc/shorewall/rules

#       Accept DNS connections from the local network to the firewall
#
DNS(ACCEPT)     loc              $FW

OPTIONAL: You can add these lines if you want to be able to SSH into the router from computers on the Internet

#       Accept SSH connections from the internet for administration
#
SSH(ACCEPT)     net             $FW

/etc/shorewall/shorewall.conf

When you are finished making above changes, enable shorewall by a change in it's config file /etc/shorewall/shorewall.conf:

original

STARTUP_ENABLED=No

new

STARTUP_ENABLED=Yes