How To Set Up Shorewall (Shoreline) 4.0 Firewall On CentOS 5.1
Introduction
This tutorial will walk you through setting up Shorewall (Shoreline) 4.0 firewall on CentOS 5.1 , this can easily be adapted to any other Linux distribution out there.
The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities. http://www.shorewall.net/
Important Note: Before installing shorewall we need to uninstall ipchains if you installed in your machine.
Download shorewall
wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-4.0.11-2.noarch.rpm
wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-perl-4.0.11-2.noarch.rpm
wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-shell-4.0.11-2.noarch.rpm
You can check download section in shorewall official web site for newer versions. http://www.shorewall.net/download.htm
Install Shorewall
Installing shorewall is quite easy. Just open a terminal and do a
rpm -ivh shorewall-perl-4.0.11-2.noarch.rpm shorewall-shell-4.0.11-2.noarch.rpm shorewall-4.0.11-2.noarch.rpm
and you're all ready. Don't close your terminal, because we will need it some more.
Setting Shorewall
The program will not start unless you change the shorewall configuration file /etc/shorewall/shorewall.conf .You can do this in following way:
vim /etc/shorewall/shorewall.conf
Change the first line from
STARTUP_ENABLED=No
to
STARTUP_ENABLED=Yes
Save and exit (in VIM, hit [ESC] and then ':wq').
If you want to configure shorewall you need to copy the sample configuration file from /usr/share/doc/shorewall-4.0.11/Samples/. In Samples directory there are 3 different directories : one-interface/,two-interfaces/ and three-interfaces/. Depending on your network,you can do this by the following command:
cp /usr/share/doc/shorewall-4.0.11/Samples/one-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/
or
cp /usr/share/doc/shorewall-4.0.11/Samples/two-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/
or
cp /usr/share/doc/shorewall-4.0.11/Samples/three-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/
Now you have configuration files located in /etc/shorewall.
Zones Configuration
Open and edit the file /etc/shorewall/zones to specify the different network zones, these are just labels that you will use in the other files.
vim /etc/shorewall/zones
Consider the Internet(net) as one zone, and a private network(dmz) as another zone.The firewall zone or "fw" is your linux box itself. If you have these then the zones file would look like this:
#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS # fw firewall net ipv4 loc ipv4 dmz ipv4 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Interfaces Configuration
The next file to edit is the interfaces file to specify the interfaces on your machine.
vim /etc/shorewall/interfaces
Here you will connect the zones that you defined in the previous step with an actual interface. The third field is the broadcast address for the network attached to the interface ("detect" will figure this out for you). Finally the last fields are options for the interface. The options listed below are a good starting point.
#ZONE INTERFACE BROADCAST OPTIONS net eth0 detect tcpflags,dhcp,routefilter,nosmurfs,logmartians loc eth1 detect tcpflags,nosmurfs dmz eth2 detect #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Policy Configuration
The next file defines your firewall default policy. The default policy is used if no other rules apply. Often you will set the default policy to REJECT or DROP as the default, and then configure specifically what ports/services are allowed in the next step, and any that you do not configure are by default rejected or dropped according to this policy.
vim /etc/shorewall/policy
An example policy (based on the zones and interfaces we used above) would be:
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST # # Policies for traffic originating from the local LAN (loc) # # If you want to force clients to access the Internet via a proxy server # in your DMZ, change the following policy to REJECT info. loc net ACCEPT # If you want open access to DMZ from loc, change the following policy # to ACCEPT. (If you chose not to do this, you will need to add a rule # for each service in the rules file.) loc dmz REJECT info loc $FW REJECT info loc all REJECT info # # Policies for traffic originating from the firewall ($FW) # # If you want open access to the Internet from your firewall, change the # $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL. $FW net REJECT info $FW dmz REJECT info $FW loc REJECT info $FW all REJECT info # # Policies for traffic originating from the De-Militarized Zone (dmz) # # If you want open access from DMZ to the Internet change the following # policy to ACCEPT. This may be useful if you run a proxy server in # your DMZ. dmz net REJECT info dmz $FW REJECT info dmz loc REJECT info dmz all REJECT info # # Policies for traffic originating from the Internet zone (net) # net dmz DROP info net $FW DROP info net loc DROP info net all DROP info # THE FOLLOWING POLICY MUST BE LAST all all REJECT info #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Rules Configuration
The most important file is the rules. This is where you set what is allowed or not. Any new connection that comes into your firewall passes over these rules, if none of these apply, then the default policy will apply.
Note: This is only for new connections, existing connections are automatically accepted.
The comments in the file give you a good idea of how things work, but the following will provided an example that can give you a head-start:
vim /etc/shorewall/rules
An example would be:
############################################################################################################# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK # PORT PORT(S) DEST LIMIT GROUP # # Accept DNS connections from the firewall to the Internet # DNS/ACCEPT $FW net # # # Accept SSH connections from the local network to the firewall and DMZ # SSH/ACCEPT loc $FW SSH/ACCEPT loc dmz # # DMZ DNS access to the Internet # DNS/ACCEPT dmz net # # Drop Ping from the "bad" net zone. # Ping/DROP net $FW # # Make ping work bi-directionally between the dmz, net, Firewall and local zone # (assumes that the loc-> net policy is ACCEPT). # Ping/ACCEPT loc $FW Ping/ACCEPT dmz $FW Ping/ACCEPT loc dmz Ping/ACCEPT dmz loc Ping/ACCEPT dmz net ACCEPT $FW net icmp ACCEPT $FW loc icmp ACCEPT $FW dmz icmp # Uncomment this if using Proxy ARP and static NAT and you want to allow ping from # the net zone to the dmz and loc #Ping/ACCEPT net dmz #Ping/ACCEPT net loc #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Finally
Well we are done, let's fire up the services and begin testing.
service shorewall start
Shorewall Web interface or GUI tool
We have a webmin interface for shorewall to configure through GUI. You can download from http://www.webmin.com/download/modules/shorewall.wbm.gz.
Have fun!