A properly configured firewall is one of the most important security tools available to us. It allows us to define policies and rules that control precisely which network connections are permitted and which are rejected.
In Linux 2.6 the firewall is provided by netfilter (also known as iptables), and we will use a script named Shorewall to simplify its configuration.
This is a quick start guide to installing and configuring Shorewall. The configuration shown here is suitable for systems with a single network interface and a single public IP address.
For full documentation and details of other configurations please consult the Shorewall website.
aptitude install shorewall
Shorewall ships without any default configuration, so we need to copy the example configuration files into /etc/shorewall:
cp -p /usr/share/doc/shorewall/default-config/interfaces /etc/shorewall/
cp -p /usr/share/doc/shorewall/default-config/policy /etc/shorewall/
cp -p /usr/share/doc/shorewall/default-config/rules /etc/shorewall/
cp -p /usr/share/doc/shorewall/default-config/zones /etc/shorewall/
The interfaces file defines the network interfaces in your system. Edit the file and define your network adapter something like this:
#ZONE   INTERFACE   BROADCAST   OPTIONS
#
net     eth0        detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
The policy file defines default rules that will apply to traffic where a more specific rule does not apply. Edit the file and define your policy something like this:
#SOURCE   DEST   POLICY   LOG     LIMIT:BURST
#                         LEVEL
fw        net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
#LAST LINE -- DO NOT REMOVE
The zones file defines network zones that you can refer to when creating firewall rules. Edit the file and define your zones something like this:
#ZONE   DISPLAY    COMMENTS
net     Internet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
The rules file is where you specify your firewall rules. Since your default policy will be to drop or reject connections, it's usually just a matter of allowing connections as appropriate. Edit the file and define your rules something like this:
#ACTION      SOURCE   DEST   PROTO   DEST    SOURCE    ORIGINAL   RATE    USER/
#                                    PORT    PORT(S)   DEST       LIMIT   GROUP
#
# ALLOW PUBLIC ACCESS TO LOCAL SERVICES
#
AllowICMPs   net      fw
AllowPing    net      fw
AllowSSH     net      fw
AllowDNS     net      fw
AllowWeb     net      fw
AllowPOP3    net      fw
AllowIMAP    net      fw
AllowSMTP    net      fw
AllowFTP     net      fw
ACCEPT       net      fw     TCP     587
Note that we use standard sets of rules for most common services, but create a rule manually to allow incoming connections on TCP/587 for SMTP-SUBMIT.
Ideally you should restrict connections to SSH to your IP address for security reasons. To do so you will need a static IP address on the system you will connect from, and you should specify this in the rule.
Comment out the standard rule:
# AllowSSH net fw
And then add lines as shown below:
#
# ALLOW RESTRICTED ACCESS TO SSH
#
ACCEPT   net:your.ip.address   fw   tcp   22
Finally enable Shorewall and start the script:
# ee /etc/default/shorewall
# prevent startup with default configuration
# set the below variable to 1 in order to allow shorewall to start
startup=1
/etc/init.d/shorewall restart
If you have access to a system on another network, use nmap to port-scan your server and verify that the open ports are as expected:
# nmap server.example.com
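As an added example (not part of the original HOWTO), a small POSIX shell audit of the rules file: it derives the TCP ports the rules open to the whole net zone, so you can compare the list with the nmap output, and flags SSH left open to all of net rather than restricted to one source address. The Allow* action to port mapping is an assumption about Shorewall 2.x's standard actions, and the sample rules file is constructed inline.

```shell
#!/bin/sh
# Added example (not from the HOWTO): audit a Shorewall 2.x-style rules file
# before trusting the nmap result. It lists the TCP ports opened to the whole
# "net" zone (to compare with the scan) and flags SSH rules accepting from all
# of "net" rather than a specific net:a.b.c.d source, as the HOWTO advises.
# The Allow* action -> port mapping is assumed from Shorewall 2.x's standard
# actions; check it against your installed version.
# Constructed sample rules file mirroring the HOWTO, SSH left unrestricted.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
#ACTION    SOURCE           DEST   PROTO   DEST
#                                          PORT
AllowPing  net              fw
AllowSSH   net              fw
AllowWeb   net              fw
AllowSMTP  net              fw
ACCEPT     net              fw     tcp     587
ACCEPT     net:203.0.113.7  fw     tcp     22
EOF
# TCP port(s) opened by a standard Allow* action (assumed mapping).
action_ports() {
    case "$1" in
        AllowSSH)  echo 22 ;;        AllowDNS)  echo 53 ;;
        AllowWeb)  echo "80 443" ;;  AllowPOP3) echo 110 ;;
        AllowIMAP) echo 143 ;;       AllowSMTP) echo 25 ;;
        AllowFTP)  echo 21 ;;        *) : ;;   # ICMP-only actions: no TCP
    esac
}
# Print, sorted and unique, the TCP ports reachable from the entire net zone.
net_tcp_ports() {
    grep -v '^[[:space:]]*#' "$1" | awk '$2 == "net" && $3 == "fw"' |
    while read -r action src dst proto port _; do
        if [ "$action" = ACCEPT ]; then
            case "$proto" in [Tt][Cc][Pp]) echo "$port" ;; esac
        else
            action_ports "$action" | tr ' ' '\n'
        fi
    done | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}
# Succeed (printing the offending lines) if SSH is accepted from bare "net":
# AllowSSH, or an explicit ACCEPT ... tcp 22, with SOURCE not narrowed.
ssh_open_to_world() {
    grep -v '^[[:space:]]*#' "$1" | awk '
        $2 == "net" && $3 == "fw" && ($1 == "AllowSSH" ||
            ($1 == "ACCEPT" && tolower($4) == "tcp" && $5 == "22")) { f = 1; print }
        END { if (!f) exit 1 }'
}
net_tcp_ports "$SAMPLE_RULES"
ssh_open_to_world "$SAMPLE_RULES" && echo "WARNING: SSH open to the whole net zone"
```

Point both functions at /etc/shorewall/rules to audit the live file; the port list should match the TCP ports nmap reports open from outside.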
Article from Andy's Debian HOWTOs (http://www.besy.co.uk/debian/debian)