Shorewall Router on Linux
Contributed by Chad Brandt  
Wednesday, 16 June 2004

Learn how to install and configure the latest version of Shorewall to use as a Linux firewall and router.

NOTE: if you are looking for instructions to configure a stand-alone Shorewall firewall, see the companion article, Shorewall Stand Alone Firewall.

1. Download the latest RPM from the Shorewall web site (as of this article the latest is 2.0.7).


2. Install the RPM

[root]# rpm -Uvh shorewall-2.0.7-1.noarch.rpm

** On some Mandrake systems you may get an error about a dependency on ip. Mandrake installs ip2, which works fine. Verify that ip2 is installed (which ip2) and, if it is, you can safely force the install with the command below. Note that --nodeps skips every dependency check, not just this one, so only use it when ip is the only dependency rpm complains about.

[root]# rpm -Uvh --nodeps shorewall-2.0.7-1.noarch.rpm


3. Shorewall installs files in two separate locations.

The shorewall core files are installed in
/usr/share/shorewall

The shorewall configuration files are installed in
/etc/shorewall


4. Modify the configuration files for your system. I will go through the files and settings for a tightly locked-down router: the policies deny everything, and each permitted service is listed explicitly in the rules file.

/etc/shorewall/zones
net     Net       Internet
loc      Local       Local networks

/etc/shorewall/policy
loc    net    DROP    info
fw    net    DROP    info
fw    loc    DROP    info
loc    fw    DROP    info
net    all    DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all    all    REJECT    info

With the policy file set this way, no traffic is allowed to, from, or through your network unless a rule in the rules file (shown below) explicitly permits it. Policies are matched in order, which is why the catch-all REJECT must come last. Shorewall is stateful: a rule only has to allow the initial connection, and the replies belonging to it are accepted automatically.

/etc/shorewall/interfaces
net    eth0    detect    dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs,nobogons
loc    eth1    detect    dhcp,detectnets,nobogons

The options column is a single comma-separated word; a space inside it (for example after "nosmurfs,") makes Shorewall read it as an extra column and the start fails. You can read what each option represents in the comments of the interfaces file. The dhcp option allows DHCP datagrams to enter and leave the interface, so if you have a static IP address you do not need it on eth0, and if you do not hand out addresses on the internal network with DHCP you do not need it on eth1 either.

/etc/shorewall/masq
eth0    172.16.0.0/12

This tells Shorewall to masquerade (source NAT) traffic from the 172.16.0.0/12 local network as it leaves through eth0. This is how you share your internet connection with all your computers. The second column must match the addresses actually in use on eth1; if your LAN uses 192.168.x.x put that network here instead, or name the interface (eth1) to masquerade everything routed through it.

/etc/shorewall/rules
AllowWeb       all    net
AllowSSH       all    net
AllowFTP       all    net
AllowNTP       all    net
AllowWHOIS     all    net
AllowTrcrt     all    net
AllowDNS       all    net

AllowMSN       loc    net    #(custom action, see actions below)

AllowSMTP      loc    net
AllowPOP3      loc    net

AllowSquid     loc    fw     #(if you are using the squid proxy)
AllowWebmin    loc    fw
AllowPing      loc    fw
AllowSSH       loc    fw

AllowRRDNS     fw     net    #(custom action for the Road Runner DNS servers)

AllowSSH       fw     loc

Rules are checked before the policies, and the source `all` includes the firewall zone itself, so the first block also lets the router originate those services. Everything not listed here, including every inbound connection from net, falls through to the DROP policies above.

/etc/shorewall/actions (you only need to edit this file if you created your own custom actions; each name listed here must have a matching action.NAME file in /etc/shorewall)
AllowRRDNS
AllowMSN
AllowSquid
AllowWebmin

/etc/shorewall/action.AllowRRDNS (this is the custom action; the columns are TARGET, SOURCE, DEST, PROTO and DEST PORT, so it accepts DNS queries only to the three listed resolvers)
ACCEPT     -     24.26.163.32,24.26.163.24,24.94.165.132     udp     53
ACCEPT     -     24.26.163.32,24.26.163.24,24.94.165.132     tcp     53

/etc/shorewall/routestopped
eth1

This is a very important entry if you do most of your work over ssh (as I do). With eth1 listed in routestopped you can still reach the router from eth1 while Shorewall is stopped, for example after a start fails on a broken configuration. Without it, all traffic is blocked while Shorewall is stopped and you must fix the problem at the router's console.

** If you would like to block specific IP addresses you can put them in the blacklist file. Blacklist checking is only done on interfaces that carry the blacklist option (eth0 above).

/etc/shorewall/blacklist
24.30.199.231

/etc/shorewall/shorewall.conf
BLACKLIST_DISPOSITION=DROP

This causes packets arriving from addresses in your blacklist file to be dropped silently (the alternative value is REJECT).

In addition, if you have a cable modem, you will want to add a RETURN entry in the rfc1918 file for your head-end router's address. The norfc1918 option on eth0 drops anything arriving from a private address, and the first hop on most cable networks uses one, so its ICMP messages (traceroute replies, fragmentation-needed notices) would be dropped along with the rest. You can find the address with a traceroute: the first hop is the RFC 1918 address of your head-end router.

[root]# traceroute microsoft.com
traceroute: Warning: microsoft.com has multiple addresses; using 207.46.245.214
traceroute to microsoft.com (207.46.245.214), 30 hops max, 38 byte packets
 1  10.38.128.1 (10.38.128.1)  6.786 ms  8.421 ms  10.476 ms
 2  srp2-0.mplsmn01-rtr2.mn.rr.com (24.26.162.34)  8.296 ms  8.734 ms  9.122 ms
 3  so0-1-2.chcgilL3-rtr1.kc.rr.com (24.94.160.13)  20.399 ms  20.157 ms  17.070 ms

In my case I will add the following to rfc1918 file
10.38.128.1             RETURN

Download common custom actions

action.AllowMSN - Allow MSN Messenger traffic
action.AllowSquid - Allow Squid traffic
action.AllowWHOIS - Allow whois command queries
action.AllowWebmin - Allow Webmin traffic
action.AllowCVSUP - Allow access to the FreeBSD cvsup servers
action.AllowWINMX - Allow access to the WinMX file sharing program


5. Remove the file /etc/shorewall/startup_disabled (the package creates it so that the firewall cannot be started before it has been configured).


6. Start Shorewall

[root]# /etc/init.d/shorewall start
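Before step 6 on a router you administer over ssh, it is worth catching the simplest slips in the files from step 4 without a failed start. The following is an added Python pre-flight check, not part of Shorewall and not one of the article's downloads. It assumes the four-column interfaces layout and the action naming shown above; the set of built-in targets is an assumption you should extend for your version, and the sample configuration it writes is constructed for the demonstration (it contains the whitespace error, a declared action without its file, and an undeclared action). Run it, then let `shorewall check` do the full parse.

```python
"""Pre-flight lint for a Shorewall 2.x configuration directory.

Added example (not Shorewall's code and not the article author's).  Catches
three mistakes that otherwise only show up as a failed "shorewall start":
whitespace inside the OPTIONS column of interfaces, an action that is used or
declared without an action.<NAME> file, and an empty routestopped.
"""
import os
import sys
import tempfile

# Rule targets built into Shorewall plus the standard Allow* actions used in
# this article.  Assumption: extend this set for your version; any name not
# in it must be declared in /etc/shorewall/actions.
BUILTIN_TARGETS = {
    "ACCEPT", "DROP", "REJECT", "DNAT", "DNAT-", "REDIRECT", "REDIRECT-",
    "CONTINUE", "LOG", "QUEUE", "AllowWeb", "AllowSSH", "AllowFTP", "AllowNTP",
    "AllowTrcrt", "AllowDNS", "AllowSMTP", "AllowPOP3", "AllowPing",
    "Drop", "Reject",
}

def config_lines(path):
    """Yield (lineno, text) for each non-blank line, with # comments stripped."""
    if not os.path.exists(path):
        return
    with open(path) as fh:
        for n, raw in enumerate(fh, 1):
            text = raw.split("#", 1)[0].strip()
            if text:
                yield n, text

def check_interfaces(cfgdir):
    """interfaces has four columns: ZONE INTERFACE BROADCAST OPTIONS.
    A space inside OPTIONS produces a fifth column and Shorewall rejects the line."""
    problems = []
    for n, text in config_lines(os.path.join(cfgdir, "interfaces")):
        if len(text.split()) > 4:
            problems.append("interfaces:%d: options column contains whitespace: %r" % (n, text))
    return problems

def check_actions(cfgdir):
    """Every name in actions needs an action.<NAME> file, and every target used
    in rules must be built in or declared in actions."""
    problems = []
    declared = set()
    for _, text in config_lines(os.path.join(cfgdir, "actions")):
        name = text.split()[0].split(":")[0]      # tolerate NAME:loglevel
        declared.add(name)
        if not os.path.exists(os.path.join(cfgdir, "action." + name)):
            problems.append("actions: %s is declared but action.%s is missing" % (name, name))
    for n, text in config_lines(os.path.join(cfgdir, "rules")):
        target = text.split()[0].split(":")[0]    # strip an optional :loglevel
        if target == "SECTION" or target in BUILTIN_TARGETS or target in declared:
            continue
        problems.append("rules:%d: %s is neither built in nor declared in actions" % (n, target))
    return problems

def check_routestopped(cfgdir):
    """routestopped is what keeps an ssh session alive while Shorewall is stopped."""
    if not list(config_lines(os.path.join(cfgdir, "routestopped"))):
        return ["routestopped is empty: a failed start or 'shorewall stop' will cut off remote access"]
    return []

def lint(cfgdir):
    """Run all checks; an empty list means nothing obvious is wrong."""
    return check_interfaces(cfgdir) + check_actions(cfgdir) + check_routestopped(cfgdir)

def make_sample_config(cfgdir=None):
    """Write a small constructed configuration (not a real system's) with three
    deliberate faults so the checks above can be exercised offline."""
    cfgdir = cfgdir or tempfile.mkdtemp()
    files = {
        "interfaces": "net  eth0  detect  dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs, nobogons\n"
                      "loc  eth1  detect  dhcp,detectnets,nobogons\n",
        "rules": "AllowWeb    all  net\n"
                 "AllowSquid  loc  fw    # declared below, but its action file is missing\n"
                 "AllowFoo    loc  net   # never declared anywhere\n"
                 "ACCEPT      loc  fw  tcp  22\n",
        "actions": "AllowSquid\nAllowWebmin\n",
        "action.AllowWebmin": "ACCEPT  -  -  tcp  10000\n",
        "routestopped": "eth1\n",
    }
    for name, body in files.items():
        with open(os.path.join(cfgdir, name), "w") as fh:
            fh.write(body)
    return cfgdir

if __name__ == "__main__":
    # usage: shorewall_lint.py [/etc/shorewall]; without an argument it lints the sample
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_config()
    for problem in lint(target):
        print(problem)
```

Run it against the sample to see the three findings, then against /etc/shorewall on the router. It deliberately does not try to reproduce Shorewall's parser; it only flags what is cheap to detect and expensive to discover after a remote restart.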

All messages will be logged to /var/log/messages (the info in the policy file is the syslog level used for each policy's log entries).

I also have a Shorewall log parser written in Perl that displays the current day's log in an easy-to-read format. You can download it here.
An example line of its output:

Mar 31 07:24:32     net2all     DROP    TCP     24.11.244.72:3449    ->     24.163.219.104:2745

This shows that a TCP packet from 24.11.244.72 port 3449 to port 2745 on my machine was dropped by Shorewall in the net2all chain, that is, by the net -> all DROP policy rather than by a specific rule.
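The Perl parser itself is a download, not part of this page. As an added example, not the author's script, here is a Python equivalent that turns the raw netfilter lines in /var/log/messages into the one-line form shown above and counts hits per source address, so a host probing several ports stands out. It assumes Shorewall's default LOGFORMAT ("Shorewall:%s:%s:") and the syslog layout of the constructed sample lines embedded below; the addresses in the sample are made up for the demonstration.

```python
"""Summarise Shorewall log entries from /var/log/messages.

Added example (Python, not the article's Perl parser).  Assumes the default
Shorewall 2.x LOGFORMAT="Shorewall:%s:%s:", so each kernel line carries
"Shorewall:<chain>:<disposition>:" followed by the netfilter KEY=VALUE fields.
"""
import re
import sys
from collections import Counter

# syslog prefix (month, day, time, host, "kernel:") followed by the Shorewall prefix
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # IN=eth0 OUT= SRC=... DPT=...

def parse_line(line):
    """Return a dict for one Shorewall log line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(m.group("rest")))
    src, dst = f.get("SRC", "?"), f.get("DST", "?")
    if "SPT" in f:                      # TCP/UDP carry ports, ICMP does not
        src += ":" + f["SPT"]
        dst += ":" + f.get("DPT", "?")
    return {
        "date": "%s %s" % (m.group("mon"), m.group("day")),
        "time": m.group("time"),
        "chain": m.group("chain"),
        "disp": m.group("disp"),
        "proto": f.get("PROTO", "?"),
        "iface": f.get("IN", ""),
        "src": src,
        "dst": dst,
    }

def format_entry(e):
    """One line in the layout the article's parser prints."""
    return "%s %s  %s  %s  %s  %s -> %s" % (
        e["date"], e["time"], e["chain"], e["disp"], e["proto"], e["src"], e["dst"])

def summarise(lines, day=None):
    """Parse lines, keep only those dated `day` (e.g. "Mar 31") if given, and
    return (entries, Counter of hits per source address)."""
    entries, by_src = [], Counter()
    for line in lines:
        e = parse_line(line)
        if e is None or (day and e["date"] != day):
            continue
        entries.append(e)
        by_src[e["src"].split(":")[0]] += 1
    return entries, by_src

# Constructed sample, not a real capture: two probes from one host, one ping,
# an unrelated sshd line, and a Shorewall line from the previous day.
SAMPLE_LOG = """\
Mar 31 07:24:32 router kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=24.11.244.72 DST=24.163.219.104 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=21337 DF PROTO=TCP SPT=3449 DPT=2745 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 31 07:24:35 router kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=24.11.244.72 DST=24.163.219.104 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=21338 DF PROTO=TCP SPT=3450 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 31 07:30:01 router kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=24.163.219.104 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Mar 31 07:31:10 router sshd[1234]: Accepted publickey for root from 172.16.0.10 port 51234 ssh2
Mar 30 23:59:59 router kernel: Shorewall:loc2fw:DROP:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=172.16.0.10 DST=172.16.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=10000 WINDOW=5840 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    # usage: shorewall_log.py "Mar 31" < /var/log/messages   (uses the sample if stdin is a terminal)
    day = sys.argv[1] if len(sys.argv) > 1 else "Mar 31"
    lines = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    entries, by_src = summarise(lines, day)
    for e in entries:
        print(format_entry(e))
    print("\nhits per source:")
    for src, n in by_src.most_common():
        print("%5d  %s" % (n, src))
```

The chain name tells you which policy or rule produced the entry (net2all is the net -> all DROP policy), and the per-source count is the quick way to decide whether an address belongs in the blacklist file.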

If you would like to protect your network more proactively you can install the Snort intrusion detection system together with my program SnortShorewall, which blocks the intrusion attempts Snort detects. You can read more about the program here.

Comments
Written by Guest on 2004-08-03 15:22:23
Good. Thanks. Clear. 
Now how do I make it a transparent proxy so Shorewall will always send network-bound www traffic from my lan to Squid? I tried it but couldn't get it to go...
Squid transparent proxy
Written by chad on 2004-08-08 19:19:06
If you are running squid on your router, you just have to add this line in your rules file. 
 
REDIRECT loc 3128 tcp 80
Written by Guest on 2004-08-31 09:20:35
:?
Written by Guest on 2004-09-18 08:09:14
:)
squid on local
Written by Guest on 2004-12-05 23:18:22
How do I redirect traffic if the Squid server is on the local network? I've tried the doc on the Shorewall website but had no luck making it work.
 
thanks
redirect from firewall to local PC
Written by Guest on 2005-07-08 09:08:34
I have Shorewall running on a Linux router and I need to redirect an incoming external interface port to a local PC on the same port, please help.
REDIRECT
Written by Guest on 2005-07-08 09:22:07
use DNAT in rules eg. 
 
DNAT net loc:192.168.2.1 tcp 80 - 
 
This will redirect all incoming traffic on port 80 to the local machine 192.168.2.1 port 80 
Thank you!
Written by Guest on 2005-07-09 02:33:31
Thank you!
Redirect didn't work
Written by Guest on 2006-02-19 19:21:17
I was setting up the transparent proxy by adding:
redirect loc 8080 tcp 80
but it didn't work, do you know what the problem is? :?
