Shorewall: Easy Network Firewall for GNU / Linux
I've always wanted to learn iptables and have found it very hard to use, so when I needed to configure a firewall I asked what the easiest way to deploy one on a Linux server was. The answer: Shorewall. "Iptables made easy" is how this firewall advertises itself, and it really is simple to use. We'll use this firewall to show how to protect a local area network.
For the examples I will use the following network configuration.
Installation
To install this firewall on Ubuntu, the command is:
sudo apt-get install shorewall
Shorewall is configured through configuration files located in /etc/shorewall. We will go through these files and their characteristics.
/etc/shorewall/shorewall.conf
Several parameters are set in this file; the most relevant ones are the following:
STARTUP_ENABLED
Set it to “Yes” for the firewall to work.
ADMINISABSENTMINDED
If this variable is set to “No”, then when we stop the firewall only connections to or from the addresses listed in /etc/shorewall/routestopped are allowed. If it is set to “Yes”, connections that were active when the firewall stopped and all connections established with the machine on which we configure Shorewall are also accepted.
IP_FORWARDING
When set to “On”, the firewall forwards (routes) IPv4 packets. This parameter is important for machines on the internal network to be able to reach the outside.
To view the help for this file:
man shorewall.conf
/etc/shorewall/zones
This file defines the zones the firewall has. Each network we want to join through the firewall is treated as a zone: the first one is the firewall itself, another is the LAN zone, another the wifi zone, another the DMZ (for servers), and the last one is the internet.
Example of this file for a firewall connecting a network to the internet, with three zones: firewall, lan and internet:
#ZONE   TYPE        OPTIONS     IN              OUT
#                               OPTIONS         OPTIONS
fw      firewall    # defines the firewall
net     ipv4        # defines the internet (WAN)
loc     ipv4        # defines the local area network (LAN)
To view the help for this file:
man shorewall-zones
/etc/shorewall/interfaces
Here we set which network cards (interfaces) the firewall is going to use and assign each one to the zone it belongs to. In addition, certain options are set that determine how packets entering or leaving each interface are treated.
Example of this file for a firewall connecting a network to the internet, with three zones: firewall, lan and internet:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,routefilter,nosmurfs,logmartians,blacklist
loc     eth1        detect      tcpflags,nosmurfs,blacklist
To view the help for this file:
man shorewall-interfaces
/etc/shorewall/policy
Here the default policies are set for packets traveling between the different zones.
Possible policies are:
- ACCEPT: The connection is accepted.
- DROP: The connection is ignored (silently discarded).
- REJECT: The connection is explicitly rejected.
- QUEUE: The packet is handed to a userspace application through the QUEUE target.
- CONTINUE: Allows the connection request to continue being processed by other rules.
- NONE: It is assumed that this connection can never occur and no rules are generated for it.
Example of this file for a firewall connecting a network to the internet, with three zones: firewall, lan and internet:
#SOURCE  DEST   POLICY  LOGLEVEL  LIMIT:BURST
loc      net    ACCEPT            # allow traffic from the local network to the internet
net      all    DROP    info      # ignore connections from the internet towards the local network and record them in the log
all      all    REJECT  info      # reject any connection not covered above and log it
To view the help for this file:
man shorewall-policy
/etc/shorewall/rules
Here the open ports are defined. DNAT rules and the logging of certain packets are also defined here.
Example of this file for a firewall connecting a network to the internet, with three zones: firewall, lan and internet:
#ACTION        SOURCE  DEST                PROTO  DEST     SOURCE   ORIGINAL  RATE
#                                                 PORT(S)  PORT(S)  DEST      LIMIT
SSH(ACCEPT)    loc     $FW                        # accept ssh connections from the LAN to the firewall
RDP(DNAT)      net     loc:192.168.1.23           # redirect the RDP service (port 3389) to the LAN IP 192.168.1.23
ACCEPT         $FW     loc                 icmp   # allow ping from the firewall to the LAN
ACCEPT         $FW     net                 icmp   # allow ping from the firewall to the internet
To view the help for this file:
man shorewall-rules
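To see how the policy and rules files interact, here is an added example (not part of the original post and not Shorewall code): a small Python model that evaluates a new connection against the rules file first, in file order, and then against the policy file. It assumes the zones named above (fw, net, loc), a hand-built subset of the SSH/RDP macros, and one constructed rule blocking a single host's web traffic; intra-zone traffic and connection tracking are left out.

```python
"""Simplified model of how Shorewall evaluates a new connection (added example):
/etc/shorewall/rules is checked first, in file order, then /etc/shorewall/policy.
'all' matches any zone, $FW is the firewall's own zone, and the SSH/RDP macros
expand to their ports. Intra-zone traffic and connection tracking are left out."""

# Constructed sample files mirroring the two-interface setup described above.
POLICY = """\
loc net ACCEPT
net all DROP info
all all REJECT info
"""
RULES = """\
DROP loc:192.168.1.34 net tcp 80
SSH(ACCEPT) loc $FW
RDP(DNAT) net loc:192.168.1.23
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
"""
MACROS = {"SSH": ("tcp", "22"), "RDP": ("tcp", "3389")}  # hand-built subset of Shorewall's macros

def _parse(text):
    return [l.split() for l in text.splitlines() if l.strip() and not l.startswith("#")]

def _zone_match(spec, zone, addr):
    # spec is 'zone' or 'zone:address'; $FW is the firewall zone named fw above
    z, _, host = spec.replace("$FW", "fw").partition(":")
    return (z == "all" or z == zone) and (not host or host == addr)

def _rule_match(fields, pkt):
    action, src, dst = fields[:3]
    proto = fields[3] if len(fields) > 3 else "any"
    port = fields[4] if len(fields) > 4 else "any"
    if "(" in action:                       # macro form such as SSH(ACCEPT)
        macro, _, inner = action.partition("(")
        action, (proto, port) = inner.rstrip(")"), MACROS[macro]
    szone, saddr, dzone, daddr, pproto, pport = pkt
    hit = (_zone_match(src, szone, saddr) and _zone_match(dst, dzone, daddr)
           and proto in ("any", pproto) and port in ("any", pport))
    return hit, action

def decide(pkt, rules=RULES, policy=POLICY):
    """pkt = (src_zone, src_addr, dst_zone, dst_addr, proto, dport);
    returns (action, 'rule' | 'policy') for the first match."""
    for fields in _parse(rules):
        hit, action = _rule_match(fields, pkt)
        if hit:
            return action, "rule"
    for fields in _parse(policy):
        if _zone_match(fields[0], pkt[0], pkt[1]) and _zone_match(fields[1], pkt[2], pkt[3]):
            return fields[2], "policy"
    return "DROP", "implicit"               # a real config always ends with a policy
```

Running decide() on a few packets shows why a single DROP rule beats the loc net ACCEPT policy for that host, while the rest of the LAN still reaches the internet through the policy.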
/etc/shorewall/masq
This file is used to define SNAT and masquerading. Here we configure which networks pass through the firewall to reach the internet.
Example of this file so that the firewall lets the LAN (eth1) connect to the internet (eth0):
#INTERFACE  SUBNET  ADDRESS  PROTO  PORT(S)  IPSEC
eth0        eth1
To view the help for this file:
man shorewall-masq
More configuration files.
- hosts: Used to associate groups of hosts with a zone. It is essential for defining multiple zones on a single interface.
- blacklist: Any IP address or block of IP addresses added to this file is automatically blacklisted.
- tunnels: Used to automatically configure Netfilter rules for different types of tunnels (IPsec, OpenVPN, etc.).
- tcrules: Used to load tc rules (the tool for configuring the kernel's traffic shaping) from the firewall. Load balancing.
- For the rest, look in /etc/shorewall.
Example files
Another great advantage is that Shorewall ships with several example files with preset configurations: just copy them into /etc/shorewall and the firewall works correctly.
Sample files are in the following path:
/usr/share/doc/shorewall-common/examples
There are three folders with default configuration files for the following setups.
- One network interface (WAN only)
- Two network interfaces (WAN and LAN)
- Three interfaces (WAN, LAN and DMZ)
We would copy the files from the folder into /etc/shorewall and start the firewall; it couldn't be faster or easier.
I hope this tutorial is useful; if you liked it I would appreciate a +1 on social networks so it reaches more people. Thank you very much for reading the article to the end ;).
Very good, thanks for your contribution.
Very good contribution. Now I wonder, if I wanted to block an IP on the network so it has no internet access, how could it be done?
I would change the gateway IP on those machines and they would no longer have an internet connection. In Shorewall you can do it in /etc/shorewall/rules by adding
DROP loc:192.168.1.34 net tcp 80
Adjust the IP or subnet you need.
Hi,
And what if we want to let all traffic from a particular IP through? I mean, for example, a VIP that I don't want to block in Shorewall at all?
Thanks
By default the firewall allows outbound traffic from all local IPs (loc) on all ports to the internet (net), as stated in the file /etc/shorewall/policy with the entry loc net ACCEPT. If some machines don't have internet access, it may be that some rule in /etc/shorewall/rules prevents it. If what you want is for a specific computer to be reachable from outside the network, what you have to do is open the ports, or if you want them all open, put the computer in the DMZ. If none of these ideas helps you, I think I would need to know more details in order to answer properly.
How can load balancing be done for two or more WANs?
I don't know, I can't help you; I do the balancing with Mikrotik routers.