How to firewall your server with Shorewall

A properly configured firewall is one of the most important security tools available to us. It allows us to define policies and rules that control precisely which network connections are permitted and which are rejected.

In Linux 2.6 the firewall is provided by netfilter (also known as iptables), and we will use a script named Shorewall to simplify its configuration.

This is a quick start guide to installing and configuring Shorewall. The configuration shown here is suitable for systems with a single network interface and a single public IP address.

For full documentation and details of other configurations please consult the Shorewall website.

Installing Shorewall

aptitude install shorewall

Configuring Shorewall

Shorewall ships without any default configuration, so we need to copy the example configuration files into /etc/shorewall:

cp -p /usr/share/doc/shorewall/default-config/interfaces /etc/shorewall/
cp -p /usr/share/doc/shorewall/default-config/policy /etc/shorewall/
cp -p /usr/share/doc/shorewall/default-config/rules /etc/shorewall/
cp -p /usr/share/doc/shorewall/default-config/zones /etc/shorewall/

/etc/shorewall/interfaces

The interfaces file defines the network interfaces in your system. Edit the file and define your network adapter something like this:

#ZONE    INTERFACE      BROADCAST       OPTIONS
#
net     eth0            detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/policy

The policy file defines default rules that will apply to traffic where a more specific rule does not apply. Edit the file and define your policy something like this:

#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
fw              net             ACCEPT
net             all             DROP            info
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE

/etc/shorewall/zones

The zones file defines network zones that you can refer to when creating firewall rules. Edit the file and define your zones something like this:

#ZONE                   DISPLAY         COMMENTS
net                     Internet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/rules

The rules file is where you specify your firewall rules. Since your default policy will be to drop or reject connections, it's usually just a matter of allowing connections as appropriate. Edit the file and define your rules something like this:

#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE            USER/
#                                               PORT    PORT(S)    DEST         LIMIT           GROUP
# ALLOW PUBLIC ACCESS TO LOCAL SERVICES
#
AllowICMPs      net     fw
AllowPing       net     fw
AllowSSH        net     fw
AllowDNS        net     fw
AllowWeb        net     fw
AllowPOP3       net     fw
AllowIMAP       net     fw
AllowSMTP       net     fw
AllowFTP        net     fw
ACCEPT          net     fw              TCP     587

Note that we use the standard sets of rules for most common services, but create a rule manually to allow incoming connections on TCP/587 for SMTP submission.

Restricting Access to SSH

Ideally you should restrict SSH connections to your own IP address for security reasons. To do so you will need a static IP address on the system you connect from, and you should specify it in the rule.

Comment out the standard rule:

# AllowSSH        net     fw

And then add lines as shown below:

#
# ALLOW RESTRICTED ACCESS TO SSH
#
ACCEPT          net:your.ip.address     fw      tcp     22
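The following POSIX shell script is an added check, not part of this HOWTO: it reads a Shorewall rules file and reports any SSH rule whose source is the bare net zone, so you can confirm the restriction above actually took effect. The two sample rules files are constructed here, and 203.0.113.5 is a documentation address standing in for your.ip.address.

```shell
#!/bin/sh
# Added example (not from the HOWTO): audit Shorewall rules for SSH that is
# reachable from the whole "net" zone. The sample rules below are constructed.

# Read a rules file on stdin. Return 0 when every SSH rule restricts its
# source (net:address), 1 when any rule accepts SSH from the bare net zone.
check_ssh_rules() {
    offenders=$(awk '
        # blank lines and comments are skipped, so a commented-out AllowSSH
        # line is not reported
        /^[[:space:]]*(#|$)/ { next }
        # the AllowSSH macro with SOURCE exactly "net" is unrestricted
        $1 == "AllowSSH" && $2 == "net" { print; next }
        # an explicit ACCEPT of tcp port 22 (or "ssh") from the bare net zone
        $1 == "ACCEPT" && $2 == "net" && tolower($4) == "tcp" &&
            ($5 == "22" || $5 == "ssh") { print }
    ')
    if [ -n "$offenders" ]; then
        printf 'SSH reachable from the whole net zone:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the rules file before SSH is restricted
sample_open_rules() {
cat <<'EOF'
#ACTION  SOURCE         DEST            PROTO   DEST
AllowSSH        net     fw
AllowWeb        net     fw
ACCEPT          net     fw              TCP     587
EOF
}

# Constructed sample: standard rule commented out, SSH limited to one address
# (203.0.113.5 is a documentation address standing in for your.ip.address)
sample_restricted_rules() {
cat <<'EOF'
# AllowSSH        net     fw
AllowWeb        net     fw
ACCEPT          net:203.0.113.5     fw      tcp     22
ACCEPT          net     fw              TCP     587
EOF
}

# Usage: audit both samples
if sample_open_rules | check_ssh_rules; then
    echo "open sample: OK"
else
    echo "open sample: restrict SSH as shown above"
fi
if sample_restricted_rules | check_ssh_rules; then
    echo "restricted sample: OK"
fi
```

To audit the live file run `check_ssh_rules < /etc/shorewall/rules`; a non-zero exit status means the standard AllowSSH line is still active or an explicit port-22 rule is open to the whole net zone.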

Starting Shorewall

Finally enable Shorewall and start the script. Edit /etc/default/shorewall (the original uses the ee editor) and set the startup variable to 1, otherwise the init script refuses to start with the default configuration:

# prevent startup with default configuration
# set the below variable to 1 in order to allow shorewall to start
startup=1

Then restart the service:

/etc/init.d/shorewall restart

Testing Shorewall

If you have access to a system on another network, use nmap to port-scan your server and verify that the open ports are as expected:

# nmap server.example.com
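As an added example that is not part of this HOWTO, the POSIX shell script below turns the "as expected" check into something repeatable: it extracts the open TCP ports from nmap's output and compares them with the ports the rules file above is meant to expose, reporting anything open that the rules do not intend and anything expected that is not reachable. The scan output is a constructed sample, not a real scan of any host, and it deliberately includes an extra listener on 3306 to show the check firing.

```shell
#!/bin/sh
# Added example (not from the HOWTO): compare the open ports nmap reports
# against the ports the rules file above is meant to expose. The scan output
# is a constructed sample, not a real scan of any host.

# TCP ports opened by the rules above (AllowFTP, AllowSSH, AllowSMTP, AllowDNS,
# AllowWeb, AllowPOP3, AllowIMAP and the manual TCP/587 rule)
EXPECTED_PORTS="21 22 25 53 80 110 143 443 587"

# Constructed sample of "nmap server.example.com" output; 3306 is an
# unexpected listener planted to show the check firing
sample_scan() {
cat <<'EOF'
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for server.example.com (203.0.113.10)
Host is up (0.021s latency).
Not shown: 990 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
587/tcp  open  submission
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 4.12 seconds
EOF
}

# Print the open TCP ports found in nmap output on stdin, space separated
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { split($1, p, "/"); print p[1] }' |
        sort -n | tr '\n' ' '
}

# Compare the scan on stdin with the expected list. Prints every mismatch and
# returns 0 only when the two sets are identical.
compare_ports() {
    expected="$1"
    found=$(open_ports)
    rc=0
    for port in $found; do
        case " $expected " in
            *" $port "*) ;;
            *) echo "UNEXPECTED open port: $port"; rc=1 ;;
        esac
    done
    for port in $expected; do
        case " $found" in
            *" $port "*) ;;
            *) echo "expected port not open: $port"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: check the sample scan (reports 3306), then the same scan without it
if sample_scan | compare_ports "$EXPECTED_PORTS"; then
    echo "scan matches rules"
else
    echo "firewall does not match the rules"
fi
if sample_scan | grep -v '^3306/' | compare_ports "$EXPECTED_PORTS"; then
    echo "scan without 3306 matches rules"
fi
```

Against a real host, pipe the scan in directly: `nmap server.example.com | compare_ports "$EXPECTED_PORTS"`. Adjust EXPECTED_PORTS to match your own rules file; if you restricted SSH to one address as described above, port 22 should only appear as open when scanning from that address.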



Article from Andy's Debian HOWTOs (http://www.besy.co.uk/debian/debian)

debian/how_to_secure_your_system_with_the_shorewall_firewall.txt · Last modified: 2008/08/01 23:56 (external edit)