Shorewall
This page describes various Shorewall configurations, from a single-interface host that blocks all inbound traffic to a NAT gateway for LXC containers.
Installation
# apt-get install shorewall
One interface
Example 1: Simple firewall to block all connections from the internet
Copy the one-interface example to /etc/shorewall:
# cd /usr/share/doc/shorewall/examples/one-interface/
# cp interfaces policy rules zones /etc/shorewall/
Check the interface name in /etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags,logmartians,nosmurfs,routefilter
Two interfaces
Example 1: NAT network brnat for LXC containers
Requirement: a bridge (brnat) carrying the container network must already exist; Shorewall only adds the filtering and masquerading for it.
Copy the two-interface example to /etc/shorewall:
# cd /usr/share/doc/shorewall/examples/two-interfaces/
# cp interfaces policy rules zones masq /etc/shorewall/
In /etc/shorewall/zones:
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv4
lxc ipv4
In /etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags,logmartians,nosmurfs,routefilter
lxc brnat detect tcpflags,nosmurfs,routefilter,logmartians
In /etc/shorewall/policy:
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT
$FW lxc ACCEPT
lxc net ACCEPT
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
This allows all connections
- from firewall to LXC containers
- from firewall to the internet
- from LXC containers to the internet
All connections from the internet are blocked by default.
Optional, in /etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept Ping and Traceroute from the internet
ACCEPT:info net $FW icmp 8
ACCEPT:info net $FW udp 33434:33524
To enable routing for all LXC containers (masquerading their private addresses behind eth0), configure in /etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 brnat
Activate Shorewall
Enable shorewall in /etc/default/shorewall:
startup=1
Check the configuration, start, and verify the generated ruleset:
# shorewall check
# /etc/init.d/shorewall start
# iptables -L
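The whole two-interface procedure above (zones, interfaces, policy, rules, masq, then check and start) collected into one shell script. This is an added example, not code from the original page or from the Shorewall project. It assumes eth0 as the internet-facing interface, brnat as the LXC bridge and a Debian-style /etc/default/shorewall; SW_DIR, NET_IF and LXC_IF are overridable so the generator and its sanity check can be exercised in a scratch directory before touching /etc/shorewall.

```shell
#!/bin/sh
# Added example (not from the original page or the Shorewall project).
# Generates the two-interface LXC/NAT configuration described above, verifies
# the result offline, and optionally activates it. Assumptions: external
# interface eth0, LXC bridge brnat, Debian-style /etc/default/shorewall.
set -eu

SW_DIR="${SW_DIR:-/etc/shorewall}"   # override to write into a scratch directory
NET_IF="${NET_IF:-eth0}"             # internet-facing interface (assumption)
LXC_IF="${LXC_IF:-brnat}"            # bridge the LXC containers hang off (assumption)

# Write zones, interfaces, policy, rules and masq into the directory given as $1.
write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"
    cat >"$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
lxc     ipv4
EOF
    cat >"$dir/interfaces" <<EOF
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     $NET_IF     detect      dhcp,tcpflags,logmartians,nosmurfs,routefilter
lxc     $LXC_IF     detect      tcpflags,nosmurfs,routefilter,logmartians
EOF
    # Quoted 'EOF' keeps $FW literal: Shorewall expands it, the shell must not.
    cat >"$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
$FW     net     ACCEPT
$FW     lxc     ACCEPT
lxc     net     ACCEPT
net     all     DROP    info
# The FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
EOF
    cat >"$dir/rules" <<'EOF'
#ACTION      SOURCE  DEST  PROTO  DEST PORT    SOURCE PORT  ORIGINAL DEST  RATE LIMIT
ACCEPT:info  net     $FW   icmp   8
ACCEPT:info  net     $FW   udp    33434:33524
EOF
    cat >"$dir/masq" <<EOF
#INTERFACE  SOURCE
$NET_IF     $LXC_IF
EOF
}

# Offline sanity check: all five files exist and are non-empty, the catch-all
# REJECT is the last policy, and the masq entry NATs the LXC bridge out of the
# external interface. Returns non-zero on the first failed check.
verify_shorewall_config() {
    dir="$1"
    for f in zones interfaces policy rules masq; do
        [ -s "$dir/$f" ] || return 1
    done
    last=$(grep -v '^#' "$dir/policy" | grep -v '^[[:space:]]*$' | tail -n 1)
    case "$last" in
        all*all*REJECT*) ;;
        *) return 1 ;;
    esac
    grep -q "^$NET_IF[[:space:]][[:space:]]*$LXC_IF" "$dir/masq"
}

# Enable at boot, let Shorewall validate the files, and only then load them,
# so a broken configuration never replaces the running ruleset.
activate_shorewall() {
    sed -i 's/^startup=0/startup=1/' /etc/default/shorewall
    shorewall check && shorewall start
}

# Stand-alone use: `sh this.sh install` writes to $SW_DIR and activates.
if [ "${1:-}" = "install" ]; then
    write_shorewall_config "$SW_DIR"
    verify_shorewall_config "$SW_DIR"
    activate_shorewall
fi
```

Running `SW_DIR=/tmp/sw sh this.sh install` is not useful (activate_shorewall always targets the live system), but sourcing the file and calling write_shorewall_config and verify_shorewall_config on a scratch directory lets you review the generated files before the real install.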
Rules
Accept services with limits
To accept connections to services running on the firewall with a rate limit (RATE LIMIT column, as connections per interval with a burst), add to /etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT:info net $FW tcp 22 - - 2/min:3
ACCEPT:info net $FW tcp 25 - - 2/min:8
ACCEPT:info net $FW tcp 143 - - 2/min:8
ACCEPT:info net $FW tcp 80 - - 30/min:60
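A small audit for the rules file, added here as an example (it is not part of the original page or of Shorewall): it flags every ACCEPT or DNAT rule whose SOURCE is the net zone but which carries no RATE LIMIT in the eighth column, which is exactly the mistake the rules above guard against. The sample rules it ships with are constructed for the demonstration; the audit itself reads any file in the /etc/shorewall/rules layout used on this page.

```shell
#!/bin/sh
# Added example (not from the original page or the Shorewall project).
# Audits a Shorewall rules file: every ACCEPT or DNAT rule whose SOURCE is
# the net zone should carry a RATE LIMIT (column 8) so an internet-facing
# service cannot be hammered. Prints each offending line and exits 1 if any.
set -u

# Usage: audit_rules /etc/shorewall/rules   (use "-" to read standard input)
audit_rules() {
    awk '
        /^[[:space:]]*#/ { next }               # comment line
        NF == 0          { next }               # blank line
        {
            action = $1; sub(/:.*/, "", action) # ACCEPT:info -> ACCEPT
            src = $2;    sub(/:.*/, "", src)    # net:1.2.3.0/24 -> net
            rate = (NF >= 8) ? $8 : "-"         # missing column counts as "-"
            if ((action == "ACCEPT" || action == "DNAT") && src == "net" && rate == "-") {
                printf "no rate limit: %s\n", $0
                bad++
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample (not a real rules file): the second rule has no RATE LIMIT,
# the last one is from the lxc zone and is therefore not a finding.
sample_rules() {
    cat <<'EOF'
#ACTION      SOURCE  DEST               PROTO  DPORT  SPORT  ORIG DEST  RATE
ACCEPT:info  net     $FW                tcp    22     -      -          2/min:3
ACCEPT:info  net     $FW                tcp    80
DNAT:info    net     lxc:10.10.10.2:22  tcp    2022   -      -          2/min:3
ACCEPT       lxc     net                tcp    443
EOF
}

# Stand-alone run: audit the file named in $1, or the constructed sample otherwise.
if [ $# -ge 1 ]; then
    audit_rules "$1"
else
    sample_rules | audit_rules - || echo "audit: rules without a rate limit found"
fi
```

Run it as `sh audit.sh /etc/shorewall/rules` before `shorewall check`; a non-zero exit means at least one internet-facing ACCEPT or DNAT rule is unlimited.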
DNAT
To forward port 2022 on the firewall's external address to SSH (port 22) on the container 10.10.10.2, rate limited like the rules above, add to /etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
DNAT:info net lxc:10.10.10.2:22 tcp 2022 - - 2/min:3
One-to-one NAT
To map all traffic for a public IP address (1.2.3.4, as an alias on eth0) to a private IP address (10.10.10.1), add to /etc/shorewall/nat:
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
1.2.3.4 eth0:0 10.10.10.1 no no
In /etc/shorewall/shorewall.conf enable Shorewall's management of the alias address:
ADD_IP_ALIASES=Yes
One-to-one NAT only rewrites addresses; the traffic still has to pass the net to lxc policy (DROP). Additional ACCEPT rules in /etc/shorewall/rules are therefore required, matching the private address as DEST and the public address as ORIGINAL DEST:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT:info net lxc:10.10.10.1 tcp 22 - 1.2.3.4 2/min:3