A properly configured firewall is one of the most important security tools available to us. It allows us to define policies and rules that control precisely which network connections are permitted and which are rejected.
In Linux 2.6 the firewall is provided by netfilter (also known as IPTables), and we will use a script named Shorewall to simplify its configuration.
This is a quick start guide to installing and configuring Shorewall. The configuration shown here is suitable for systems with a single network interface and a single public IP address.
For full documentation and details of other configurations please consult the Shorewall website.
aptitude install shorewall
Shorewall ships without any default configuration, so we need to copy configuration file examples:
cp -p /usr/share/doc/shorewall/default-config/interfaces /etc/shorewall/
cp -p /usr/share/doc/shorewall/default-config/policy /etc/shorewall/
cp -p /usr/share/doc/shorewall/default-config/rules /etc/shorewall/
cp -p /usr/share/doc/shorewall/default-config/zones /etc/shorewall/
The interfaces file defines the network interfaces in your system. Edit the file and define your network adapter something like this:
#ZONE   INTERFACE   BROADCAST   OPTIONS
#
net     eth0        detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
The policy file defines default rules that will apply to traffic where a more specific rule does not apply. Edit the file and define your policy something like this:
#SOURCE   DEST   POLICY   LOG     LIMIT:BURST
#                         LEVEL
fw        net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
#LAST LINE -- DO NOT REMOVE
The zones file defines network zones that you can refer to when creating firewall rules. Edit the file and define your zones something like this:
#ZONE   DISPLAY    COMMENTS
net     Internet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
The rules file is where you specify your firewall rules. Since your default policy will be to drop or reject connections, it's usually just a matter of allowing connections as appropriate. Edit the file and define your rules something like this:
#ACTION      SOURCE   DEST   PROTO   DEST     SOURCE    ORIGINAL   RATE    USER/
#                                    PORT     PORT(S)   DEST       LIMIT   GROUP
#
# ALLOW PUBLIC ACCESS TO LOCAL SERVICES
#
AllowICMPs   net      fw
AllowPing    net      fw
AllowSSH     net      fw
AllowDNS     net      fw
AllowWeb     net      fw
AllowPOP3    net      fw
AllowIMAP    net      fw
AllowSMTP    net      fw
AllowFTP     net      fw
ACCEPT       net      fw     TCP     587
Note that we use standard sets of rules for most common services, but create a rule manually to allow incoming connections on TCP/587 for SMTP-SUBMIT.
Ideally you should restrict connections to SSH to your IP address for security reasons. To do so you will need a static IP address on the system you will connect from, and you should specify this in the rule.
Comment out the standard rule:
#AllowSSH    net      fw
And then add lines as shown below:
#
# ALLOW RESTRICTED ACCESS TO SSH
#
ACCEPT       net:your.ip.address   fw   tcp   22
Finally enable Shorewall and start the script:
# ee /etc/default/shorewall
# prevent startup with default configuration
# set the below varible to 1 in order to allow shorewall to start
startup=1
/etc/init.d/shorewall restart
If you have access to a system on another network, use nmap to port-scan your server and verify that the open ports are as expected:
# nmap server.example.com
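To make the "verify that the open ports are as expected" step less of a guess, the following added script (not part of the HOWTO and not Shorewall's own tooling) reads a rules file in the format shown above, lists the ports it accepts from the net zone, and reports any port an nmap run found open that the rules do not account for. The sample rules file is constructed inline, the IP 192.0.2.10 is a placeholder, and the port mapping of the Allow* actions is my assumption from Shorewall 2.x; check it against the action.* files in /etc/shorewall on your system.

```shell
#!/bin/sh
# Added example: derive the ports a Shorewall 2.x rules file exposes to "net"
# and compare them with what a port scan reported.

# Constructed sample rules file mirroring the HOWTO's layout (SSH restricted
# to a single placeholder address, TCP/587 opened by hand).
make_sample_rules() {
    cat > "$1" <<'EOF'
#ACTION      SOURCE           DEST   PROTO   DEST
#                                            PORT
AllowICMPs   net              fw
AllowPing    net              fw
#AllowSSH    net              fw
ACCEPT       net:192.0.2.10   fw     tcp     22
AllowDNS     net              fw
AllowWeb     net              fw
AllowSMTP    net              fw
ACCEPT       net              fw     TCP     587
EOF
}

# Assumed port mapping of the Shorewall 2.x Allow* actions. AllowPing and
# AllowICMPs accept ICMP types rather than ports, so they map to nothing here.
action_ports() {
    case "$1" in
        AllowSSH)  echo "tcp/22" ;;
        AllowDNS)  echo "udp/53 tcp/53" ;;
        AllowWeb)  echo "tcp/80 tcp/443" ;;
        AllowPOP3) echo "tcp/110" ;;
        AllowIMAP) echo "tcp/143" ;;
        AllowSMTP) echo "tcp/25" ;;
        AllowFTP)  echo "tcp/21" ;;
        *)         ;;
    esac
}

# Print one "proto/port" line per rule that accepts traffic from net to fw.
# Rules limited to a source address get " restricted-to <addr>" appended.
exposed_ports() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r action source dest proto port rest; do
        case "$dest" in fw) ;; *) continue ;; esac
        case "$source" in net|net:*) ;; *) continue ;; esac
        case "$action" in
            Allow*)
                for p in $(action_ports "$action"); do echo "$p"; done ;;
            ACCEPT)
                proto=$(printf '%s' "$proto" | tr '[:upper:]' '[:lower:]')
                case "$source" in
                    net:*) echo "$proto/$port restricted-to ${source#net:}" ;;
                    *)     echo "$proto/$port" ;;
                esac ;;
        esac
    done
}

# Given the rules file and the proto/port pairs a scan reported open, print
# the ones no rule explains; an empty result means the scan matched the rules.
unexpected_ports() {
    rulesfile=$1; shift
    expected=" $(exposed_ports "$rulesfile" | cut -d' ' -f1 | tr '\n' ' ') "
    for p in "$@"; do
        case "$expected" in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# Stand-alone demonstration on the constructed sample.
sample=$(mktemp)
make_sample_rules "$sample"
echo "Ports the sample rules expose to net:"
exposed_ports "$sample"
echo "Scan results with no matching rule:"
unexpected_ports "$sample" tcp/22 tcp/80 tcp/3306
rm -f "$sample"
```

Run it against /etc/shorewall/rules with the proto/port pairs from the nmap output as arguments; anything it prints is either a rule you forgot about or a listener that is reachable for another reason and deserves a look.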
Article from Andy's Debian HOWTOs (http://www.besy.co.uk/debian/debian)