Shorewall Router with DMZ
Contributed by Chad Brandt  
Thursday, 16 June 2005

Learn how to install and configure the latest version of Shorewall for use as a Linux firewall and router with a DMZ.

NOTE: if you are looking for instructions to configure a stand-alone Shorewall firewall, see the separate stand-alone firewall article on this site.

1. Download the latest rpm from Shorewall's web site (as of this article the latest is 2.4.0).


2. Install the rpm:

   [root]# rpm -Uvh shorewall-2.4.0-1.noarch.rpm

** On some Mandrake systems you may get an error about a dependency on ip. Mandrake systems install ip2, which works fine. Verify that you have ip2 installed (which ip2) and, if you do, you can safely force the install by typing in the following:

   [root]# rpm -Uvh --nodeps shorewall-2.4.0-1.noarch.rpm


3. Shorewall installs files in two separate locations.

The Shorewall core files are installed in
/usr/share/shorewall

The Shorewall configuration files are installed in
/etc/shorewall


4. Modify the configuration files for your system. I will go through the files and settings for a very secure router.

/etc/shorewall/zones
net     Net       Internet
loc     Local     Local networks
dmz     DMZ       Demilitarized Zone

/etc/shorewall/policy
loc    net    DROP      info
loc    fw     DROP      info
loc    dmz    ACCEPT
fw     net    DROP      info
fw     loc    DROP      info
fw     dmz    ACCEPT
dmz    loc    DROP      info
dmz    net    ACCEPT
dmz    fw     DROP      info
# THE FOLLOWING POLICY MUST BE LAST
all    all    REJECT    info

With the policy file set this way, no traffic is allowed to or from your network beyond what the three ACCEPT entries to and from the DMZ permit, unless you add a rule to the rules file (shown below). Everything else is dropped or rejected and logged at the info level.

/etc/shorewall/interfaces
net     eth0    detect           dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs,nobogons
loc     eth1    192.168.0.255    dhcp,detectnets,nobogons
dmz     eth2    10.0.0.255       dhcp,detectnets,nobogons

You can read what each option represents in the comments of the interfaces file. Note that the options are a single comma-separated list with no spaces. If you have a static IP address you will not need the dhcp option for eth0. If you do not use DHCP for your internal IP addresses you will not need the dhcp option for eth1.

/etc/shorewall/masq
eth0    192.168.0.0/24
eth0    10.0.0.0/24

This tells Shorewall to masquerade all traffic from the local and DMZ networks that leaves through eth0. This is how you share your internet connection with all your computers.

/etc/shorewall/rules
AllowWeb       all    net
AllowSSH       all    net
AllowFTP       all    net
AllowNTP       all    net
AllowWHOIS     all    net
AllowTrcrt     all    net
AllowDNS       all    net

AllowMSN       loc    net    # custom action, see actions below

AllowSMTP      loc    net
AllowPOP3      loc    net

AllowSquid     loc    fw     # if you are using the squid proxy
AllowWebmin    loc    fw
AllowPing      loc    fw
AllowSSH       loc    fw

AllowRRDNS     fw     net    # custom action for the Road Runner DNS servers

AllowSSH       fw     loc

# REDIRECT INCOMING WEB REQUESTS TO THE WEB SERVER IN THE DMZ
DNAT           net    dmz:10.0.0.2    tcp    80    -

/etc/shorewall/actions (you only need to edit this file if you created your own custom actions)
AllowRRDNS
AllowMSN
AllowSquid
AllowWebmin

/etc/shorewall/action.AllowRRDNS (this is the custom action used in the rules above)
ACCEPT    -    24.26.163.32,24.26.163.24,24.94.165.132    udp    53
ACCEPT    -    24.26.163.32,24.26.163.24,24.94.165.132    tcp    53

/etc/shorewall/routestopped
eth1

This is a very important entry if you do most of your work by ssh (as I do). By adding this entry to routestopped you will still be able to reach your router from eth1 while Shorewall is stopped, for example after you mess up the configuration. If you do not have this entry, all traffic is blocked while Shorewall is stopped and you must fix the problem from the router's console.

** If you would like to block specific IP addresses you already know about, you can put them in the blacklist file.

/etc/shorewall/blacklist
24.30.199.231

/etc/shorewall/shorewall.conf
BLACKLIST_DISPOSITION=DROP
STARTUP_ENABLED=Yes
BLACKLIST_LOGLEVEL=info    # only if you want to log the attempts

This will cause any packets sent from addresses in your blacklist file to be dropped on interfaces that carry the blacklist option (eth0 above).

In addition, if you have a cable modem, you will want to add a RETURN entry in the rfc1918 file for your head-end router's address: the norfc1918 option on eth0 would otherwise drop packets from that private address. You can find the address by simply doing a traceroute; the first hop will be the RFC 1918 address of your head-end router.

[root]# traceroute microsoft.com
traceroute: Warning: microsoft.com has multiple addresses; using 207.46.245.214
traceroute to microsoft.com (207.46.245.214), 30 hops max, 38 byte packets
 1  10.38.128.1 (10.38.128.1)  6.786 ms  8.421 ms  10.476 ms
 2  srp2-0.mplsmn01-rtr2.mn.rr.com (24.26.162.34)  8.296 ms  8.734 ms  9.122 ms
 3  so0-1-2.chcgilL3-rtr1.kc.rr.com (24.94.160.13)  20.399 ms  20.157 ms  17.070 ms

In my case I will add the following to the rfc1918 file:
10.38.128.1             RETURN

Download common custom rules

action.AllowMSN - Allow MSN Messenger traffic
action.AllowSquid - Allow squid traffic
action.AllowWHOIS - Allow whois command queries
action.AllowWebmin - Allow webmin traffic
action.AllowCVSUP - Allow access to the FreeBSD cvsup servers
action.AllowWINMX - Allow access to the WinMX file sharing program


6. Start Shorewall

[root]# /etc/init.d/shorewall start

All messages will be logged to /var/log/messages.

I also have a Shorewall log parser written in Perl that displays the current day's log in an easy-to-read format. You can download it here.
An example of its output:

Mar 31 07:24:32     net2all     DROP    TCP     24.11.244.72:3449    ->     24.163.219.104:2745

This shows that a TCP packet from 24.11.244.72 port 3449 was being sent to my machine's port 2745 and was dropped by Shorewall as a result of the net2all chain.

If you would like to proactively protect your network against hackers, you can install the Snort intrusion detection system and my program SnortShorewall to block intrusion attempts. You can read more about the program here.
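The same log summarization as an added Python example (this is not the author's Perl parser). It assumes Shorewall's default log prefix "Shorewall:<chain>:<disposition>:" in front of the kernel's netfilter KEY=VALUE fields, and handles ICMP entries, which carry no port numbers; the sample lines are constructed.

```python
import re

# Shorewall 2.x logs through the kernel to /var/log/messages with the prefix
# "Shorewall:<chain>:<disposition>:" followed by netfilter's KEY=VALUE fields.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?:\[[\d. ]+\] )?"
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$"
)

def parse_shorewall_log(line):
    """Fields of one Shorewall log line, or None for any other syslog line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    kv = dict(f.split("=", 1) for f in m.group("fields").split() if "=" in f)
    return {
        "ts": m.group("ts"), "chain": m.group("chain"), "disp": m.group("disp"),
        "in": kv.get("IN", ""), "proto": kv.get("PROTO", "?"),
        "src": kv.get("SRC", "?"), "spt": kv.get("SPT"),   # no ports for ICMP
        "dst": kv.get("DST", "?"), "dpt": kv.get("DPT"),
    }

def summarize(line):
    """One-line 'ts chain disposition proto src -> dst' summary, or None."""
    p = parse_shorewall_log(line)
    if p is None:
        return None
    src = p["src"] + (f":{p['spt']}" if p["spt"] else "")
    dst = p["dst"] + (f":{p['dpt']}" if p["dpt"] else "")
    return f"{p['ts']}  {p['chain']}  {p['disp']}  {p['proto']}  {src} -> {dst}"

def daily_report(text):
    """Summaries of every Shorewall entry in a chunk of /var/log/messages."""
    return [s for s in map(summarize, text.splitlines()) if s]

# Constructed sample lines in the shape the kernel and Shorewall produce
SAMPLE_LOG = """\
Mar 31 07:24:32 router kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=24.11.244.72 DST=24.163.219.104 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=1234 DF PROTO=TCP SPT=3449 DPT=2745 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 31 07:25:01 router kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=24.163.219.104 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Mar 31 07:25:02 router sshd[1234]: Accepted publickey for admin from 192.168.0.5 port 51022 ssh2
"""

if __name__ == "__main__":
    print("\n".join(daily_report(SAMPLE_LOG)))
```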
