Firewall

  • Shorewall Firewall Setup - Debian


    The Shoreline Firewall, more commonly known as “Shorewall”, is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and, with the help of the iptables, iptables-restore, ip and tc utilities, configures Netfilter and the Linux networking subsystem to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.

    Shorewall firewall settings

    Shorewall install and initial config

    First of all, install Shorewall:
    apt-get install shorewall

    You probably noticed a warning message at the end of the Shorewall installation telling you that the program will not start unless you change the /etc/default/shorewall file. You can do this by changing

    startup = 0

    to

    startup = 1

    Next, edit /etc/shorewall/shorewall.conf and change the following values:

    IP_FORWARDING=Keep
    DISABLE_IPV6=No

    to:

    IP_FORWARDING=On
    DISABLE_IPV6=Yes

    Two simple habits improve the quality of the result. First, always check the Shorewall config files for correct syntax before applying them:
    shorewall check
    Second, to switch temporarily to the new config and return to the old one after 60 seconds (useful so that a mistake does not lock you out of a remote host):
    shorewall try /etc/shorewall 60


    Network config in Shorewall

    The following config files then implement the required firewall functionality as well as the target network setup. For more details please refer to the Shorewall docs.

    /etc/shorewall/zones
    # http://linux.die.net/man/5/shorewall-zones
    #ZONE   TYPE   OPTIONS   IN       OUT
    #                        OPTIONS  OPTIONS
    fw      firewall
    net     ipv4
    loc     ipv4
    dmz     ipv4

    /etc/shorewall/interfaces
    # http://linux.die.net/man/5/shorewall-interfaces
    #ZONE INTERFACE BROADCAST OPTIONS
    net   eth0      detect logmartians,tcpflags,nosmurfs
    dmz   vmbr0     detect logmartians,bridge,routefilter,tcpflags,nosmurfs
    dmz   vmbr1     detect logmartians,bridge,routefilter
    loc   vmbr2     detect logmartians,bridge,routefilter

    /etc/shorewall/policy
    # http://linux.die.net/man/5/shorewall-policy
    #SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
    #                               LEVEL   BURST           MASK

    # From Firewall Policy
    fw      fw      ACCEPT
    fw      net     ACCEPT
    fw      dmz     ACCEPT
    fw      loc     ACCEPT

    # From DMZ Policy
    dmz     dmz     ACCEPT
    dmz     net     ACCEPT
    dmz     fw      DROP            info
    dmz     loc     DROP            info

    # From Net Policy
    net     fw      DROP            info
    net     dmz     DROP            info
    net     loc     DROP            info

    # From Local Policy
    loc     dmz     ACCEPT
    loc     net     ACCEPT
    loc     fw      ACCEPT

    # THE FOLLOWING POLICY MUST BE LAST
    #
    all     all     REJECT          info

    /etc/shorewall/rules
    # http://linux.die.net/man/5/shorewall-rules
    #ACTION    SOURCE DEST PROTO DEST  SOURCE  ORIGINAL RATE
    #                             PORT  PORT(S) DEST     LIMIT
    #
    # Accept particular connections from Internet
    #
    # Permit access to SSH
    SSH/ACCEPT net fw   -     -    -      -        6/min:5
    #
    # Permit access to Proxmox Manager and Console
    ACCEPT     net fw  tcp    443,5900:5999,8006
    #
    # PING Rules
    Ping/ACCEPT all all
    #
    # Permit traffic to - certain - VMs in DMZ
    HTTP/ACCEPT net  dmz:$ADDITIONAL_SERVER_IP
    SSH/ACCEPT  net  dmz:$ADDITIONAL_SERVER_IP
    #
    # LAST LINE -- DO NOT REMOVE

    /etc/shorewall/masq
    # implements NAT for the private 192.168.0.0/24 network (vmbr1) behind the address of eth0
    #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
    eth0 192.168.0.0/24

    /etc/shorewall/proxyarp
    # the guest on vmbr0 appears on the Internet (proxy ARP via eth0)
    #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
    $ADDITIONAL_SERVER_IP vmbr0 eth0

    /etc/shorewall/params
    ADDITIONAL_SERVER_IP=12.34.56.56

    Now we can start building guests in the Proxmox web interface, and all the guests will sit behind the host's firewall.
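    As an added example (not part of the original page), a small shell lint for the policy file above: shorewall check validates syntax but not ordering or intent, so this script, which assumes only POSIX sh and awk, checks that the "all all REJECT" catch-all is the last active entry and that every policy whose SOURCE is net is DROP or REJECT with a log level, leaving Internet access to the explicit entries in the rules file.

```shell
# Added example, not from the page: lint a Shorewall policy file for two properties
# the configuration above relies on. Shorewall applies the first policy entry that
# matches a zone pair, so (1) the "all all REJECT|DROP" catch-all must be the last
# active entry, and (2) every policy whose SOURCE is "net" should be DROP/REJECT with
# a log level, leaving Internet access to explicit entries in the rules file.
# Reads the file named in $1, or stdin when called without arguments.
shorewall_policy_lint() {
    awk '
        { sub(/#.*/, ""); if (NF == 0) next                      # drop comments and blank lines
          n++; ln[n] = NR; src[n] = $1; dst[n] = $2; pol[n] = toupper($3); lvl[n] = $4 }
        END {
            rc = 0
            if (n == 0) { print "FAIL: no policy entries found"; exit 1 }
            if (src[n] != "all" || dst[n] != "all" || (pol[n] != "REJECT" && pol[n] != "DROP")) {
                print "FAIL: last entry is \"" src[n] " " dst[n] " " pol[n] "\", expected all all REJECT|DROP"; rc = 1 }
            for (i = 1; i < n; i++) if (src[i] == "all" && dst[i] == "all") {
                print "FAIL: catch-all policy on line " ln[i] " is not last; later entries are never reached"; rc = 1 }
            for (i = 1; i <= n; i++) if (src[i] == "net") {
                if (pol[i] != "DROP" && pol[i] != "REJECT") {
                    print "FAIL: line " ln[i] ": net -> " dst[i] " is " pol[i] ", inbound policy should be DROP/REJECT"; rc = 1
                } else if (lvl[i] == "" || lvl[i] == "-")
                    print "WARN: line " ln[i] ": net -> " dst[i] " is " pol[i] " but has no LOG LEVEL"
            }
            if (rc == 0) print "OK: " n " policy entries checked"
            exit rc
        }' "$@"
}

# Constructed sample 1: the policy file shown on this page, abridged (expected: OK).
PAGE_POLICY='fw      net     ACCEPT
dmz     fw      DROP            info
# From Net Policy
net     fw      DROP            info
net     dmz     DROP            info
net     loc     DROP            info
loc     net     ACCEPT
all     all     REJECT          info'

# Constructed sample 2: catch-all first, and the Internet allowed straight into loc.
BAD_POLICY='all     all     REJECT          info
net     loc     ACCEPT
net     fw      DROP'

printf '%s\n' "$PAGE_POLICY" | shorewall_policy_lint                               # OK: 7 policy entries checked
printf '%s\n' "$BAD_POLICY"  | shorewall_policy_lint || echo "lint exit status $?"  # three FAIL lines, one WARN, status 1
```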