How To Set Up Shorewall (Shoreline) 4.0 Firewall On CentOS 5.1

Want to support HowtoForge? Become a subscriber!
 
Submitted by poustchi (Contact Author) (Forums) on Wed, 2008-07-02 19:32. :: CentOS | Security

How To Set Up Shorewall (Shoreline) 4.0 Firewall On CentOS 5.1

Introduction

This tutorial will walk you through setting up Shorewall (Shoreline) 4.0 firewall on CentOS 5.1 , this can easily be adapted to any other Linux distribution out there.

The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities. http://www.shorewall.net/

Important Note: Before installing shorewall we need to uninstall ipchains if you installed in your machine.

Download shorewall

wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-4.0.11-2.noarch.rpm
wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-perl-4.0.11-2.noarch.rpm
wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-shell-4.0.11-2.noarch.rpm

You can check download section in shorewall official web site for newer versions. http://www.shorewall.net/download.htm

 

Install Shorewall

Installing shorewall is quite easy. Just open a terminal and do a

rpm -ivh shorewall-perl-4.0.11-2.noarch.rpm shorewall-shell-4.0.11-2.noarch.rpm shorewall-4.0.11-2.noarch.rpm

and you're all ready. Don't close your terminal, because we will need it some more.

 

Setting Shorewall

The program will not start unless you change the shorewall configuration file /etc/shorewall/shorewall.conf .You can do this in following way:

vim /etc/shorewall/shorewall.conf

Change the first line from

STARTUP_ENABLED=No

to

STARTUP_ENABLED=Yes

Save and exit (in VIM, hit [ESC] and then ':wq').

If you want to configure shorewall you need to copy the sample configuration file from /usr/share/doc/shorewall-4.0.11/Samples/. In Samples directory there are 3 different directories : one-interface/,two-interfaces/ and three-interfaces/. Depending on your network,you can do this by the following command:

cp /usr/share/doc/shorewall-4.0.11/Samples/one-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/

or

cp /usr/share/doc/shorewall-4.0.11/Samples/two-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/

or

cp /usr/share/doc/shorewall-4.0.11/Samples/three-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/

Now you have configuration files located in /etc/shorewall.

 

Zones Configuration

Open and edit the file /etc/shorewall/zones to specify the different network zones, these are just labels that you will use in the other files.

vim /etc/shorewall/zones

Consider the Internet(net) as one zone, and a private network(dmz) as another zone.The firewall zone or "fw" is your linux box itself. If you have these then the zones file would look like this:

#ZONE	TYPE	OPTIONS		IN OPTIONS		OUT OPTIONS
#
fw	firewall
net	ipv4
loc	ipv4
dmz	ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

 

Interfaces Configuration

The next file to edit is the interfaces file to specify the interfaces on your machine.

vim /etc/shorewall/interfaces

Here you will connect the zones that you defined in the previous step with an actual interface. The third field is the broadcast address for the network attached to the interface ("detect" will figure this out for you). Finally the last fields are options for the interface. The options listed below are a good starting point.

#ZONE	INTERFACE	BROADCAST	OPTIONS
net     eth0            detect          tcpflags,dhcp,routefilter,nosmurfs,logmartians
loc     eth1            detect          tcpflags,nosmurfs
dmz     eth2            detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

 

Policy Configuration

The next file defines your firewall default policy. The default policy is used if no other rules apply. Often you will set the default policy to REJECT or DROP as the default, and then configure specifically what ports/services are allowed in the next step, and any that you do not configure are by default rejected or dropped according to this policy.

vim /etc/shorewall/policy

An example policy (based on the zones and interfaces we used above) would be:

#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# in your DMZ, change the following policy to REJECT info.
loc		net		ACCEPT
# If you want open access to DMZ from loc, change the following policy
# to ACCEPT.  (If you chose not to do this, you will need to add a rule
# for each service in the rules file.)
loc		dmz		REJECT		info
loc		$FW		REJECT		info
loc		all		REJECT		info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
$FW		net		REJECT		info
$FW		dmz		REJECT		info
$FW		loc		REJECT		info
$FW		all		REJECT		info
#
# Policies for traffic originating from the De-Militarized Zone (dmz)
#
# If you want open access from DMZ to the Internet change the following
# policy to ACCEPT.  This may be useful if you run a proxy server in
# your DMZ.
dmz		net		REJECT		info
dmz		$FW		REJECT		info
dmz		loc		REJECT		info
dmz		all		REJECT		info
#
# Policies for traffic originating from the Internet zone (net)
#
net		dmz		DROP		info
net		$FW		DROP		info
net		loc		DROP		info
net		all		DROP		info
# THE FOLLOWING POLICY MUST BE LAST
all		all		REJECT		info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

 

Rules Configuration

The most important file is the rules. This is where you set what is allowed or not. Any new connection that comes into your firewall passes over these rules, if none of these apply, then the default policy will apply.

Note: This is only for new connections, existing connections are automatically accepted.

The comments in the file give you a good idea of how things work, but the following will provided an example that can give you a head-start:

vim /etc/shorewall/rules

An example would be:

#############################################################################################################
#ACTION		SOURCE		DEST	PROTO	DEST	SOURCE		ORIGINAL	RATE	USER/	MARK
#						PORT	PORT(S)		DEST		LIMIT		GROUP
#
#	Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT	$FW		net
#
#
#	Accept SSH connections from the local network to the firewall and DMZ
#
SSH/ACCEPT      loc             $FW
SSH/ACCEPT      loc             dmz
#
#	DMZ DNS access to the Internet
#
DNS/ACCEPT	dmz		net
#
# Drop Ping from the "bad" net zone.
#
Ping/DROP     net             $FW
#
#       Make ping work bi-directionally between the dmz, net, Firewall and local zone
#       (assumes that the loc-> net policy is ACCEPT).
#
Ping/ACCEPT     loc             $FW
Ping/ACCEPT     dmz             $FW
Ping/ACCEPT     loc             dmz
Ping/ACCEPT     dmz             loc
Ping/ACCEPT     dmz             net
ACCEPT		$FW		net		icmp
ACCEPT		$FW		loc		icmp
ACCEPT		$FW		dmz		icmp
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc
#Ping/ACCEPT    net             dmz
#Ping/ACCEPT    net             loc
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

 

Finally

Well we are done, let's fire up the services and begin testing.

service shorewall start

 

Shorewall Web interface or GUI tool

We have a webmin interface for shorewall to configure through GUI. You can download from http://www.webmin.com/download/modules/shorewall.wbm.gz.

Have fun!


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Marco (not registered) on Tue, 2009-02-10 03:13.
Shorewall can also be installed on CentOS 5.2. I would recommend grabbing the shorewall rpm from the EPEL repository at http://download.fedora.redhat.com/pub/epel/5/i386/repoview/S.group.html But first add the repo to yum by downloading the epel-release 5.3 rpm from http://download.fedora.redhat.com/pub/epel/5/i386/repoview/epel-release.html Add this repo to yum by "rpm -i epelreleasefilename.rpm". Its good to use 'priority' to ensure no conflicts with your base and other critical repos. Regards, MarcoGM