Shorewall

This page describes various shorewall configurations.

Installation
One interface
- Example 1: Simple firewall to block all connections from the internet
Two interfaces
- Example 1: NAT network brnat for LXC containers
Activate Shorewall
Rules

Installation

# apt-get install shorewall

One interface

Example 1: Simple firewall to block all connections from the internet

Copy the one-interface example to /etc:

# cd /usr/share/doc/shorewall/examples/one-interface/
# cp interfaces policy rules zones /etc/shorewall/

Check the interface name in /etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth0        detect          dhcp,tcpflags,logmartians,nosmurfs,routefilter

Two interfaces

Example 1: NAT network brnat for LXC containers

Requirement: Setup NAT network.

Copy the two-interface exmple to /etc:

# cd /usr/share/doc/shorewall/examples/two-interfaces/
# cp interfaces policy rules zones masq /etc/shorewall/

In /etc/shorewall/zones:

#ZONE   TYPE    OPTIONS         IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
lxc     ipv4

In /etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth0        detect          dhcp,tcpflags,logmartians,nosmurfs,routefilter
lxc     brnat       detect          tcpflags,nosmurfs,routefilter,logmartians

In /etc/shorewall/policy:

#SOURCE DEST    POLICY      LOG LEVEL    LIMIT:BURST
$FW     net     ACCEPT
$FW     lxc     ACCEPT
lxc     net     ACCEPT
net     all     DROP        info
# The FOLLOWING POLICY MUST BE LAST
all     all     REJECT      info

This allows all connections

from firewall to LXC containers
from firewall to the internet
from LXC containers to the internet

All connections from the internet are blocked by default.

Optional: in /etc/shorewall/rules:

#ACTION     SOURCE  DEST    PROTO   DEST   SOURCE  ORIGINAL RATE   USER/  MARK
#                                   PORT   PORT(S) DEST     LIMIT  GROUP
#
# Accept Ping and Traceroute from the internet
ACCEPT:info net     $FW     icmp       8
ACCEPT:info net     $FW     udp    33434:33524

To enable routing for all LXC containers configure in /etc/shorewall/masq:

#INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
eth0         brnat

Activate Shorewall

Enable shorewall in /etc/default/shorewall:

startup=1

Restart and check:

# shorewall check
# /etc/init.d/shorewall start
# iptables -L

Rules

Accept services with limits

To accept connections to services running on the firewall with a limit add to /etc/shorewall/rules:

#ACTION     SOURCE  DEST    PROTO   DEST   SOURCE  ORIGINAL RATE      USER/  MARK
#                                   PORT   PORT(S) DEST     LIMIT     GROUP
ACCEPT:info net     $FW     tcp       22   -       -        2/min:3
ACCEPT:info net     $FW     tcp       25   -       -        2/min:8
ACCEPT:info net     $FW     tcp      143   -       -        2/min:8
ACCEPT:info net     $FW     tcp       80   -       -        30/min:60

DNAT

#ACTION     SOURCE  DEST                 PROTO   DEST SOURCE  ORIGINAL RATE      USER/  MARK
#                                                PORT PORT(S) DEST     LIMIT     GROUP
DNAT:info   net     lxc:10.10.10.2:22    tcp     2022  -       -       2/min:3

One-to-on NAT

To forward all traffic to a public IP address to a private IP address.

Add to /etc/shorewall/nat:

#EXTERNAL          INTERFACE         INTERNAL     ALL INTERFACES    LOCAL
1.2.3.4            eth0:0            10.10.10.1   no                no

In /etc/shorewall/shorwall.conf enable:

ADD_IP_ALIASES=Yes

Additional ACCEPT rules in /etc/shorwall/rules are required:

#ACTION     SOURCE  DEST            PROTO   DEST   SOURCE  ORIGINAL RATE      USER/  MARK
#                                           PORT   PORT(S) DEST     LIMIT     GROUP
ACCEPT:info net     lxc:10.10.10.1  tcp     22     -       1.2.3.4  2/min:3