Shorewall

This page describes various shorewall configurations.

Installation

# apt-get install shorewall

One interface

Example 1: Simple firewall to block all connections from the internet

Copy the one-interface example to /etc:

# cd /usr/share/doc/shorewall/examples/one-interface/
# cp interfaces policy rules zones /etc/shorewall/

Check the interface name in /etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth0        detect          dhcp,tcpflags,logmartians,nosmurfs,routefilter

Two interfaces

Example 1: NAT network brnat for LXC containers

Requirement: the NAT network (bridge brnat) is already set up.

Copy the two-interface example to /etc:

# cd /usr/share/doc/shorewall/examples/two-interfaces/
# cp interfaces policy rules zones masq /etc/shorewall/

In /etc/shorewall/zones:

#ZONE   TYPE    OPTIONS         IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
lxc     ipv4

In /etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth0        detect          dhcp,tcpflags,logmartians,nosmurfs,routefilter
lxc     brnat       detect          tcpflags,nosmurfs,routefilter,logmartians

In /etc/shorewall/policy:

#SOURCE DEST    POLICY      LOG LEVEL    LIMIT:BURST
$FW     net     ACCEPT
$FW     lxc     ACCEPT
lxc     net     ACCEPT
net     all     DROP        info
# The FOLLOWING POLICY MUST BE LAST
all     all     REJECT      info

This policy allows all outgoing connections from the firewall and from the LXC containers to the internet. All connections from the internet are blocked by default (net → all DROP), and the final all → all REJECT catches everything not listed above it, such as connections from the containers to the firewall itself.

Optional: in /etc/shorewall/rules:

#ACTION     SOURCE  DEST    PROTO   DEST   SOURCE  ORIGINAL RATE   USER/  MARK
#                                   PORT   PORT(S) DEST     LIMIT  GROUP
#
# Accept Ping and Traceroute from the internet
ACCEPT:info net     $FW     icmp       8
ACCEPT:info net     $FW     udp    33434:33524

To enable routing for all LXC containers configure in /etc/shorewall/masq:

#INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
eth0         brnat

Activate Shorewall

Enable shorewall in /etc/default/shorewall:

startup=1

Check the configuration, start Shorewall and inspect the generated iptables rules:

# shorewall check
# /etc/init.d/shorewall start
# iptables -L

Rules

Accept services with limits

To accept connections to services running on the firewall with a rate limit (RATE LIMIT column, format rate/period:burst), add to /etc/shorewall/rules:

#ACTION     SOURCE  DEST    PROTO   DEST   SOURCE  ORIGINAL RATE      USER/  MARK
#                                   PORT   PORT(S) DEST     LIMIT     GROUP
ACCEPT:info net     $FW     tcp       22   -       -        2/min:3
ACCEPT:info net     $FW     tcp       25   -       -        2/min:8
ACCEPT:info net     $FW     tcp      143   -       -        2/min:8
ACCEPT:info net     $FW     tcp       80   -       -        30/min:60
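The policy and rules tables above follow fixed rules: the all/all REJECT policy must be last, nothing from net should be ACCEPTed by policy, and ACCEPT rules from net should carry a rate limit. The following added example (not part of Shorewall or of this page's configuration) parses those whitespace-separated tables and reports violations; the two sample tables are constructed from this page.

```python
"""Sanity checks for Shorewall policy/rules tables (added example)."""

# Constructed from the policy and rules shown on this page.
POLICY = """\
#SOURCE DEST    POLICY      LOG LEVEL    LIMIT:BURST
$FW     net     ACCEPT
$FW     lxc     ACCEPT
lxc     net     ACCEPT
net     all     DROP        info
all     all     REJECT      info
"""
RULES = """\
#ACTION     SOURCE  DEST    PROTO   DEST   SOURCE  ORIGINAL RATE      USER/  MARK
ACCEPT:info net     $FW     icmp       8
ACCEPT:info net     $FW     tcp       22   -       -        2/min:3
"""

def parse_table(text):
    """Rows of columns; drops comments and blank lines, joins '\\' continuations."""
    rows, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.strip():
            rows.append(line.split())
    return rows

def check_policy(rows):
    """Catch-all REJECT/DROP must be last; no ACCEPT policy from net."""
    findings = []
    rows = [r for r in rows if len(r) >= 3]
    if not rows or rows[-1][:2] != ["all", "all"] or rows[-1][2] not in ("REJECT", "DROP"):
        findings.append("last policy is not 'all all REJECT|DROP'")
    for src, dst, pol, *_ in rows:
        if src == "net" and pol == "ACCEPT":
            findings.append(f"policy accepts traffic from net to {dst}")
    return findings

def check_rules(rows):
    """Flag ACCEPT/DNAT rules from net whose RATE LIMIT column (index 7) is empty."""
    findings = []
    for r in rows:
        action = r[0].split(":", 1)[0]
        if len(r) > 1 and r[1] == "net" and action in ("ACCEPT", "DNAT"):
            if (r[7] if len(r) > 7 else "-") == "-":
                findings.append(f"unlimited {action} from net: {' '.join(r)}")
    return findings

if __name__ == "__main__":
    print(check_policy(parse_table(POLICY)), check_rules(parse_table(RULES)))
```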

DNAT

#ACTION     SOURCE  DEST                 PROTO   DEST SOURCE  ORIGINAL RATE      USER/  MARK
#                                                PORT PORT(S) DEST     LIMIT     GROUP
DNAT:info   net     lxc:10.10.10.2:22    tcp     2022  -       -       2/min:3

One-to-one NAT

This forwards all traffic arriving at a public IP address to a private IP address.

Add to /etc/shorewall/nat:

#EXTERNAL          INTERFACE         INTERNAL     ALL INTERFACES    LOCAL
1.2.3.4            eth0:0            10.10.10.1   no                no

In /etc/shorewall/shorewall.conf enable:

ADD_IP_ALIASES=Yes

Additional ACCEPT rules in /etc/shorewall/rules are required:

#ACTION     SOURCE  DEST            PROTO   DEST   SOURCE  ORIGINAL RATE      USER/  MARK
#                                           PORT   PORT(S) DEST     LIMIT     GROUP
ACCEPT:info net     lxc:10.10.10.1  tcp     22     -       1.2.3.4  2/min:3