Shorewall is a powerful, high-level configuration tool for the Linux firewall subsystem. The Linux kernel has a built-in packet-filtering framework called Netfilter, and the iptables front end is used to configure it. iptables is sufficient for simple configurations and personal firewalls, but in complex scenarios it is easy to get lost in its syntax and myriad options.
Shorewall provides a high-level abstraction and hides the underlying complexity, which makes firewall configurations easier to design and manage. Shorewall is to iptables roughly what C is to assembly language. Keep in mind that Shorewall is not a daemon running in the background: it reads its configuration files, compiles them into an iptables ruleset, loads that ruleset into the kernel and then gets out of the way.
To start with, I will cover a simple two-interface firewall configuration using Shorewall. More complex configurations can follow in future posts.
In this scenario we have a server with one ADSL PPPoE connection (ppp0) and a local network on eth0; the ADSL modem itself hangs off eth1 and gets a zone of its own. I have chosen this setup to explain the core concepts behind Shorewall and set the stage for later enhancements.
1. First, install shorewall
# apt-get install shorewall
2. Shorewall's configuration lives in the /etc/shorewall directory, which on a fresh install contains only two files:
root@cronos:/etc/shorewall# ls
Makefile  shorewall.conf
3. In order to configure a simple firewall we have to set up at least the following files (plus masq, covered in step 9, since the LAN is hidden behind a single public address):
- /etc/shorewall/zones
- /etc/shorewall/interfaces
- /etc/shorewall/policy
- /etc/shorewall/rules
4. Configuration file skeletons are stored in /usr/share/doc/shorewall-common/default-config; here, however, we will use the files from the two-interfaces example (their headers identify them as Shorewall 4.0 sample files).
5. Except for shorewall.conf, copy all files from /usr/share/doc/shorewall-common/examples/two-interfaces to the /etc/shorewall directory. The transcript below takes the zones file from default-config instead; either skeleton will do, since its contents are set in step 7.
root@cronos:/usr/share/doc/shorewall-common/examples/two-interfaces# ls
interfaces  masq  policy  README.txt  routestopped  rules  shorewall.conf  zones
root@cronos:/etc/shorewall# sudo cp /usr/share/doc/shorewall-common/default-config/zones zones
root@cronos:/etc/shorewall# ls
interfaces  Makefile  masq  policy  routestopped  rules  shorewall.conf  zones
6. shorewall.conf
This is the main Shorewall configuration file. Most of the defaults are fine, except:
- IP_FORWARDING defaults to "keep", which leaves the kernel's current forwarding setting alone. This box must route between eth0 and ppp0, so set IP_FORWARDING=On.
- IPv6 support is enabled by default. Shorewall 4.0 only builds IPv4 (iptables) rules, so any IPv6 traffic would pass the firewall unfiltered; set DISABLE_IPV6=Yes to have Shorewall block IPv6 to, from and through the firewall unless you actually use and filter it.
- Since our external interface is ppp0 we want CLAMPMSS=Yes, which clamps the TCP MSS to the path MTU. On a PPPoE link (MTU 1492) that works out to 1452 bytes, the value you would otherwise set explicitly with CLAMPMSS=1452; without it, hosts behind the firewall see stalled TCP sessions to sites that block ICMP fragmentation-needed messages.
7. Zones
This file defines the network zones. Zones are an abstraction for the different areas of the network as seen from the firewall, similar to the zones concept on hardware firewalls; policies and rules are written in terms of zones rather than interfaces.
- The firewall system is itself a zone, named fw. The shell variable $FW holds that name and may be used to refer to the firewall zone throughout the Shorewall configuration.
- Define a new zone called "modem" which will contain only our ADSL modem (reached over eth1), so that access to the modem's management interface is governed separately from the Internet (net) zone.
root@cronos:/etc/shorewall# cat zones
###########################################################
#ZONE   TYPE       OPTIONS   IN          OUT
#                            OPTIONS     OPTIONS
fw      firewall
net     ipv4
loc     ipv4
modem   ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
8. Interfaces
This file tells the firewall which of its network interfaces belong to which zone. "detect" in the BROADCAST column lets Shorewall work out the interface's broadcast address (meaningless on a point-to-point link, hence "-" for ppp0). The OPTIONS are per-interface sanity checks: tcpflags drops packets with illegal TCP flag combinations; routefilter turns on the kernel's reverse-path filter (rp_filter) so that packets arriving on ppp0 with a source address that belongs on the LAN are dropped; nosmurfs drops packets whose source is a broadcast address; logmartians logs packets with impossible source addresses. The Internet-facing interface gets the full set.
root@cronos:/etc/shorewall# cat interfaces
###########################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           tcpflags,routefilter,nosmurfs,logmartians
modem   eth1        detect
loc     eth0        detect      tcpflags,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
9. Masq
This file configures masquerading and SNAT. Both rewrite the source address of outbound packets so that a number of systems on the local network can reach the Internet over a single public IP. Masquerading lets the firewall use whatever address the external interface currently has, which is what you want when the address is dynamic, as on a PPPoE link; SNAT is for a fixed address that you specify explicitly in the ADDRESS column.
Put the name of the external interface in the first column and the internal interface (or network) in the second; with the ADDRESS column empty, Shorewall masquerades.
root@cronos:/etc/shorewall# cat masq
########################################################################
#INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
ppp0         eth0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
With the above files we have described our simple network layout from the perspective of the firewall. Next, we have to define the firewall policy and rules.
10. Policy
The policy file defines the default policy for connections from one zone to another, i.e. which zones are allowed to establish connections with which other zones. Policies are evaluated in order and the first line whose SOURCE and DEST match wins, with "all" matching any zone, which is why the catch-all "all all REJECT" line must stay last. Later, we define exceptions to these defaults in the rules file to allow or deny specific traffic. The sample spells out every zone pair only so that log messages are specific; logically it reduces to loc→net ACCEPT, net→all DROP, all→all REJECT. Note that the modem zone has no policy of its own, so traffic to and from the modem is rejected by the catch-all until a rule or policy says otherwise.
root@cronos:/etc/shorewall# cat policy
######################################################################
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc       net    ACCEPT
loc       $FW    REJECT   info
loc       all    REJECT   info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW       net    ACCEPT
$FW       loc    REJECT   info
$FW       all    REJECT   info
#
# Policies for traffic originating from the Internet zone (net)
#
net       $FW    DROP     info
net       loc    DROP     info
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
11. Rules
This file defines exceptions to the default policies established in the policy file. This is where you add rules to allow or deny traffic to the services in your network, usually ACCEPT rules for services on the firewall itself and DNAT (port-forwarding) rules for servers behind it. Entries only govern the establishment of new connections: packets that belong to an existing connection, or to a related one (such as an FTP data channel), are accepted automatically by connection tracking. Shorewall ships macros for common services in /usr/share/shorewall/macro.* (macro.SSH, macro.Web, macro.DNS, macro.FTP, macro.VNC, macro.Ping and many more); writing SSH/ACCEPT instead of ACCEPT with an explicit protocol and port pulls those from the macro, and the same works for DNAT, e.g. Web/DNAT net loc:10.10.10.2. Note that the last active line below, SSH/ACCEPT net $FW, opens the firewall's SSH port to the whole Internet; restrict the source to known addresses (net:<address>) if you can, or at least expect brute-force attempts in the logs.
root@cronos:/etc/shorewall# cat rules
################################################################################################
#ACTION        SOURCE   DEST                 PROTO        DEST     SOURCE    ORIGINAL   RATE    USER/   MARK
#                                                         PORT     PORT(S)   DEST       LIMIT   GROUP
#
# Accept DNS connections from the firewall to the network
#
# DNS/ACCEPT   $FW      net
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT     loc      $FW
#
# Allow Ping from the local network
#
Ping/ACCEPT    loc      $FW
#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping/REJECT    net      $FW
ACCEPT         $FW      loc                  icmp
ACCEPT         $FW      net                  icmp
#
########################################################
# Custom Lines
#ACTION        SOURCE   DEST                 PROTO        DEST PORT(S)
# <macro>/ACCEPT  $FW   <destination zone>
# ACCEPT       $FW      <destination zone>   <protocol>   <port>
## From Local Network ##
Web/ACCEPT     loc      $FW
VNC/ACCEPT     loc      $FW
## From Internet ##
# Port Forwarding
# DNAT         net      loc:[:]
# Web/DNAT     net      loc:10.10.10.2
# FTP/DNAT     net      loc:10.10.10.1
SSH/ACCEPT     net      $FW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
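To see how the policy and rules files above combine, here is an added example (my own shell script, not part of this post or of Shorewall) that replays Shorewall's lookup order over copies of the two files: a rule whose zones and macro match a new connection wins first, otherwise the first matching zone-pair policy applies, with "all" as a wildcard. The macro table is a hand-written subset of /usr/share/shorewall/macro.* (VNC simplified to a single port); host qualifiers such as loc:10.10.10.2 and the remaining rule columns are not handled. It also lints the policy file for the mistakes that bite in practice: a misspelled POLICY keyword, a catch-all "all all" line that is not last, and a policy that ACCEPTs unsolicited connections from net.

```shell
#!/bin/sh
# Constructed copies of the policy and rules files from this post (not read from /etc/shorewall).
# $FW is kept literal, as in the real files, and mapped to the zone name "fw" at match time.
POLICY='loc   net   ACCEPT
loc   $FW   REJECT   info
loc   all   REJECT   info
$FW   net   ACCEPT
$FW   loc   REJECT   info
$FW   all   REJECT   info
net   $FW   DROP     info
net   loc   DROP     info
net   all   DROP     info
all   all   REJECT   info'

RULES='SSH/ACCEPT    loc   $FW
Ping/ACCEPT   loc   $FW
Ping/REJECT   net   $FW
ACCEPT        $FW   loc   icmp
ACCEPT        $FW   net   icmp
Web/ACCEPT    loc   $FW
VNC/ACCEPT    loc   $FW
SSH/ACCEPT    net   $FW'

# policy_for POLICYTEXT SRC DST: POLICY column of the first matching line.
# First match wins and "all" matches any zone, as in Shorewall's policy file.
policy_for() {
    printf '%s\n' "$1" | awk -v s="$2" -v d="$3" '
        /^[[:space:]]*#/ || NF < 3 { next }
        { gsub(/[$]FW/, "fw") }
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; exit }'
}

# decide SRC DST PROTO [DPORT]: verdict for a NEW connection. Rules are consulted first
# (a macro line such as SSH/ACCEPT expands to the macro's protocol and port); when no
# rule matches, the zone-pair policy applies.
decide() {
    verdict=$(printf '%s\n' "$RULES" | awk -v s="$1" -v d="$2" -v p="$3" -v dp="${4:-}" '
        BEGIN {
            # Assumed subset of /usr/share/shorewall/macro.* as "proto port" pairs
            macro["SSH"]  = "tcp 22"
            macro["Web"]  = "tcp 80 tcp 443"
            macro["DNS"]  = "udp 53 tcp 53"
            macro["Ping"] = "icmp 8"
            macro["VNC"]  = "tcp 5900"
        }
        /^[[:space:]]*#/ || NF < 3 { next }
        {
            gsub(/[$]FW/, "fw")
            if ($2 != s || $3 != d) next
            action = $1; name = ""
            if (index($1, "/")) { split($1, a, "/"); name = a[1]; action = a[2] }
            if (name != "") {
                n = split(macro[name], m, " ")
                for (i = 1; i < n; i += 2)
                    if (m[i] == p && m[i+1] == dp) { print action; exit }
            } else if (NF < 4 || ($4 == p && (NF < 5 || $5 == dp))) {
                print action; exit          # plain ACTION line: PROTO/PORT optional
            }
        }')
    if [ -n "$verdict" ]; then
        echo "$verdict"
    else
        policy_for "$POLICY" "$1" "$2"
    fi
}

# lint_policy POLICYTEXT: exit 0 when the file is sane, 1 (with findings) otherwise.
lint_policy() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 3 { next }
        { n++; line[n] = $0; src[n] = $1; dst[n] = $2; pol[n] = $3 }
        END {
            ok = 1
            for (i = 1; i <= n; i++) {
                if (pol[i] !~ /^(ACCEPT|DROP|REJECT|CONTINUE|NONE|QUEUE)$/) {
                    print "unknown POLICY keyword: " line[i]; ok = 0 }
                if (src[i] == "all" && dst[i] == "all" && i != n) {
                    print "catch-all is not last and shadows later lines: " line[i]; ok = 0 }
                if (src[i] == "net" && pol[i] == "ACCEPT") {
                    print "policy accepts unsolicited connections from net: " line[i]; ok = 0 }
            }
            exit !ok
        }'
}

# Demonstration: the questions an admin asks when a connection "just does not work"
for q in "net fw tcp 22" "net fw tcp 80" "loc fw tcp 3389" "loc net tcp 443" "modem fw tcp 22"; do
    set -- $q
    printf '%-5s -> %-3s %-4s %-5s  %s\n' "$1" "$2" "$3" "$4" "$(decide "$@")"
done
lint_policy "$POLICY" && echo "policy file: ok"
```

The modem case is the instructive one: nothing in either file mentions the modem zone, so every connection to or from it falls through to the final "all all REJECT" line, and the only way to manage the modem from the LAN is an explicit rule or policy for loc→modem.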
12. Starting shorewall
Automatic startup on boot is disabled by default so that the firewall cannot come up on an unconfigured machine. To enable it, edit /etc/default/shorewall and set startup=1. Also set wait_interface="ppp0": the configuration needs the address of the PPP interface, so the init script must wait until ppp0 is configured, otherwise it fails because the address cannot be detected (list several interfaces separated by spaces if needed).
root@cronos:/etc/shorewall# cat /etc/default/shorewall
# prevent startup with default configuration
# set the following variable to 1 in order to allow Shorewall to start
startup=1
wait_interface="ppp0"
The firewall is started with shorewall start and stopped with shorewall stop. Before starting or restarting, shorewall check compiles the configuration without loading it and reports any errors. If you administer the box over SSH, shorewall try <directory> [timeout] is safer than a plain restart: it loads the configuration from that directory and, if it fails to compile or once the timeout expires, goes back to the standard /etc/shorewall configuration, so a mistake cannot lock you out for good.
root@cronos:/# sudo shorewall start
Compiling...
Initializing...
Determining Zones...
   IPv4 Zones: net loc modem
   Firewall Zone: fw
Validating interfaces file...
...
Creating action chain dropInvalid
Creating action chain dropNotSyn
Applying Policies...
Setting up Masquerading/SNAT...
Activating Rules...
done.
The shorewall stop command does not remove all netfilter rules and open the firewall to all traffic. Instead it places the firewall in a safe state defined by the contents of /etc/shorewall/routestopped and by the ADMINISABSENTMINDED setting in shorewall.conf, which governs what the firewall host itself may still do while stopped. In the two-interfaces sample, routestopped contains the single entry "eth0 -", so hosts on the LAN can still reach the firewall while it is stopped and nothing else can. Use shorewall clear to remove all netfilter rules and let everything through (for debugging connectivity, not as a stop), and shorewall restart to load a changed configuration.
Note: on PPPoE, whenever the ADSL link drops and is re-established, ppp0 usually comes back with a different IP address, and Shorewall has to be restarted to take the new address into account. pppd runs the scripts in /etc/ppp/ip-up.d each time a PPP interface comes up, so a small script there restarts the firewall; the -f option makes the restart fast by reusing the previously compiled script when the configuration files have not changed.
root@cronos:/etc/ppp/ip-up.d# cat shorewall
#!/bin/sh
/sbin/shorewall -f restart
exit 0
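A more defensive version of that hook, as an added example and not the post's own script: pppd passes the interface that just came up as the first argument to every ip-up.d script, so this hook restarts Shorewall only for the link named in WAIT_IFACES (assumed to mirror wait_interface in /etc/default/shorewall) and leaves the firewall alone when some other PPP link, say a VPN, comes up. SHOREWALL is a hypothetical override used for dry runs.

```shell
#!/bin/sh
# Hypothetical /etc/ppp/ip-up.d/shorewall (added example, not the post's hook).
# pppd invokes ip-up.d scripts as:
#   <interface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# so $1 is the PPP interface that has just come up.

SHOREWALL=${SHOREWALL:-/sbin/shorewall}   # overridable for dry runs (assumption)
WAIT_IFACES=${WAIT_IFACES:-ppp0}          # assumed to mirror wait_interface in /etc/default/shorewall

# should_restart IFACE: succeed only if IFACE is a link the firewall depends on
should_restart() {
    for w in $WAIT_IFACES; do
        if [ "$1" = "$w" ]; then
            return 0
        fi
    done
    return 1
}

# handle_ipup IFACE TTY SPEED LOCAL_IP REMOTE_IP IPPARAM: restart Shorewall for the
# WAN link and ignore every other PPP interface; returns the restart's exit status
# (0 when the restart was skipped)
handle_ipup() {
    if ! should_restart "$1"; then
        printf 'ip-up: %s is not a firewall WAN link, not restarting Shorewall\n' "$1" >&2
        return 0
    fi
    printf 'ip-up: %s is up with address %s, restarting Shorewall\n' "$1" "${4:-unknown}" >&2
    # -f reuses the compiled script when the configuration files are unchanged
    "$SHOREWALL" -f restart
}

# pppd always calls us with arguments; with none (e.g. sourced for a test) do nothing
if [ $# -gt 0 ]; then
    handle_ipup "$@"
fi
```

Install it as /etc/ppp/ip-up.d/shorewall with mode 0755; the messages go to stderr, which pppd captures in its log.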
This concludes the short introduction to Shorewall. A lot has been introduced above and I haven't gone through the details of each configuration file, since most of it is quite self-explanatory. Hopefully, that is enough to get started with Shorewall.
To truly appreciate Shorewall's versatility, however, we need to explore more complex setups such as multi-ISP, load balancing, active failover and traffic shaping. I hope to cover these topics in future posts.