
The Shoreline Firewall, more commonly known as “Shorewall”, is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and, with the help of the iptables, iptables-restore, ip and tc utilities, configures Netfilter and the Linux networking subsystem to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.

Shorewall firewall settings

Shorewall install and initial config

First of all, install Shorewall:
apt-get install shorewall

You probably noticed a warning message at the end of the Shorewall installation, telling you the program will not start unless you change the /etc/default/shorewall file. You can do this by changing

startup = 0

to

startup = 1

Next, edit /etc/shorewall/shorewall.conf and change the following values:

IP_FORWARDING=Keep
DISABLE_IPV6=No

to:

IP_FORWARDING=On
DISABLE_IPV6=Yes

Two simple habits help keep the configuration sane. First, always check the Shorewall config files for syntax errors before applying them:
shorewall check
Second, to switch temporarily to the new configuration and automatically return to the old one after 60 seconds (so a mistake on a remote firewall cannot lock you out):
shorewall try /etc/shorewall 60


Network config in Shorewall

The following configuration files implement the required firewall functionality as well as the target network layout. For details on each file, refer to the Shorewall documentation (the relevant man page is linked at the top of each file).

/etc/shorewall/zones
# http://linux.die.net/man/5/shorewall-zones
#ZONE   TYPE   OPTIONS   IN       OUT
#                        OPTIONS  OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

/etc/shorewall/interfaces
# http://linux.die.net/man/5/shorewall-interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net   eth0      detect logmartians,tcpflags,nosmurfs
dmz   vmbr0     detect logmartians,bridge,routefilter,tcpflags,nosmurfs
dmz   vmbr1     detect logmartians,bridge,routefilter
loc   vmbr2     detect logmartians,bridge,routefilter

/etc/shorewall/policy
# http://linux.die.net/man/5/shorewall-policy
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK

# From Firewall Policy
fw      fw      ACCEPT
fw      net     ACCEPT
fw      dmz     ACCEPT
fw      loc     ACCEPT

# From DMZ Policy
dmz     dmz     ACCEPT
dmz     net     ACCEPT
dmz     fw      DROP            info
dmz     loc     DROP            info

# From Net Policy
net     fw      DROP            info
net     dmz     DROP            info
net     loc     DROP            info

# From Local Policy
loc     dmz     ACCEPT
loc     net     ACCEPT
loc     fw      ACCEPT

# THE FOLLOWING POLICY MUST BE LAST
#
all     all     REJECT          info

/etc/shorewall/rules
# http://linux.die.net/man/5/shorewall-rules
#ACTION    SOURCE DEST PROTO DEST                SOURCE  ORIGINAL RATE
#                             PORT(S)             PORT(S) DEST     LIMIT
#
# Accept particular connections from Internet
#
# Permit access to SSH
SSH/ACCEPT net fw   -     -    -      -        6/min:5
#
# Permit access to Proxmox Manager and Console
ACCEPT     net fw  tcp    443,5900:5999,8006
#
# PING Rules
Ping/ACCEPT all all
#
# Permit traffic to - certain - VMs in DMZ
HTTP/ACCEPT net  dmz:$ADDITIONAL_SERVER_IP
SSH/ACCEPT  net  dmz:$ADDITIONAL_SERVER_IP
#
# LAST LINE -- DO NOT REMOVE

/etc/shorewall/masq
# masquerade the 192.168.0.0/24 network (behind vmbr1) as it leaves via eth0
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 192.168.0.0/24

/etc/shorewall/proxyarp
# makes the server on vmbr0 appear directly on the Internet (via eth0)
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
$ADDITIONAL_SERVER_IP vmbr0 eth0

/etc/shorewall/params
ADDITIONAL_SERVER_IP=12.34.56.56
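
As an added example (not part of this guide or of Shorewall itself), a small POSIX shell linter that checks a policy file like the one above for the properties this setup depends on: the catch-all REJECT entry being last, a log level on every DROP/REJECT so denied traffic is visible, and no wholesale ACCEPT from the net zone. The sample policy files are constructed inline, and the function name lint_policy and the temporary paths are assumptions.

```sh
#!/bin/sh
# Lint a Shorewall policy file for three properties the setup above relies on:
#  1. the catch-all "all all REJECT" entry is the last active policy;
#  2. every DROP/REJECT policy carries a log level, so denied traffic shows up in logs;
#  3. nothing is ACCEPTed wholesale from the untrusted "net" zone.
# Prints one finding per line; returns 0 when the file is clean, 1 otherwise.
lint_policy() {
    findings=$(awk '
        /^[[:space:]]*([#?]|$)/ { next }        # skip comments, ?directives and blanks
        {
            n++
            src = $1; dst = $2; pol = $3; lvl = $4
            if (src == "all" && dst == "all") catch_all = n
            if ((pol == "DROP" || pol == "REJECT") && (lvl == "" || lvl == "-"))
                printf "no log level: %s %s %s\n", src, dst, pol
            if (src == "net" && pol == "ACCEPT")
                printf "ACCEPT from untrusted zone: %s %s\n", src, dst
        }
        END {
            if (catch_all == 0)      print "missing catch-all policy"
            else if (catch_all != n) print "catch-all policy is not last"
        }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample policy files (not the guide's own), written to temporary paths.
GOOD_POLICY=$(mktemp); BAD_POLICY=$(mktemp)
cat >"$GOOD_POLICY" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
fw      net     ACCEPT
net     fw      DROP    info
loc     net     ACCEPT
all     all     REJECT  info
EOF
cat >"$BAD_POLICY" <<'EOF'
all     all     REJECT  info
net     loc     ACCEPT
dmz     fw      DROP
EOF

if lint_policy "$GOOD_POLICY"; then echo "good policy: clean"; fi
lint_policy "$BAD_POLICY" || echo "bad policy: see findings above"
```

Run it against a copy of /etc/shorewall/policy before `shorewall try`; a non-zero exit means at least one finding was printed.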

Now we can start to build guests on the Proxmox web interface and all the guests will be behind the host's firewall.