Shorewall: A good firewall for GNU/Linux


I have always wanted to learn iptables but found it very hard to use, so when I needed to configure a firewall I asked myself what the easiest way to deploy one on a Linux server was. The answer: Shorewall. "Iptables made easy" is how this firewall advertises itself, and it really is very simple to use. We will use it to show how to protect a local area network.

In the examples I will use the following network configuration.



To install this firewall on Ubuntu the command is:

sudo apt-get install shorewall

Shorewall is configured through the configuration files in /etc/shorewall. Let's go through these files and what each one does.


The most relevant parameters set in this file (/etc/shorewall/shorewall.conf) are the following:


STARTUP_ENABLED: set it to Yes so that the firewall is allowed to start.


ADMINISABSENTMINDED: when set to No, only connections to or from the addresses listed in /etc/shorewall/routestopped are allowed while the firewall is stopped. When set to Yes, the connections that were active when the firewall was stopped, and all connections established by the machine running Shorewall itself, are also accepted.


IP_FORWARDING: when set to On, the firewall routes IPv4 packets. This parameter is essential for machines on the internal network to reach the outside.

To see the help for this file:

man shorewall.conf


The zones file defines the zones (networks) the firewall has. Each network we want to join through the firewall is a zone: the first would be the firewall itself, another the LAN, another the wifi zone, another the DMZ (demilitarized zone, for servers) and the last would be the internet.

Example of this file for a firewall that connects a network to the internet, with three zones: firewall, LAN and internet:

#ZONE  TYPE      OPTIONS  IN_OPTIONS  OUT_OPTIONS
fw     firewall           # defines the firewall itself
net    ipv4               # defines the internet (WAN)
loc    ipv4               # defines the local area network (LAN)

To see the help for this file:

man shorewall-zones


This file sets the network cards (interfaces) the firewall will use and assigns each one to its zone. Options are also set here that determine how packets entering or leaving a given interface are treated.

Example of this file for a firewall that connects a network to the internet, with three zones: firewall, LAN and internet:

#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth0       detect     dhcp,tcpflags,routefilter,nosmurfs,logmartians,blacklist
loc    eth1       detect     tcpflags,nosmurfs,blacklist

To see the help for this file:

man shorewall-interfaces


This file sets the default policies applied to packets travelling between zones when no rule matches them.

Possible policies are:

  • ACCEPT: the connection is accepted.
  • DROP: the connection is silently ignored.
  • REJECT: the connection is explicitly rejected (an error is returned to the sender).
  • QUEUE: the packet is handed to a userspace application via the QUEUE target.
  • CONTINUE: the connection request continues to be processed by other rules.
  • NONE: it is assumed that this connection can never occur, so no rules are generated for it.

Example of this file for a firewall that connects a network to the internet, with three zones: firewall, LAN and internet:

#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
loc      net   ACCEPT             # allow traffic from the local network to the internet
net      all   DROP    info       # ignore connections from the internet to the local network and log them
all      all   REJECT  info       # reject and log any connection not covered above

To see the help for this file:

man shorewall-policy


This file defines the open ports, DNAT (port forwarding) rules and the logging of certain packets.

Example of this file for a firewall that connects a network to the internet, with three zones: firewall, LAN and internet:

#ACTION      SOURCE  DEST              PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST  RATE LIMIT
SSH(ACCEPT)  loc     $FW                      # accept ssh connections from the LAN to the firewall
RDP(DNAT)    net     loc:LAN_HOST_IP          # redirect RDP (port 3389) from the internet to a LAN host; replace LAN_HOST_IP with its address
ACCEPT       $FW     loc               icmp   # allow ping from the firewall to the LAN
ACCEPT       $FW     net               icmp   # allow ping from the firewall to the internet

To see the help for this file:

man shorewall-rules


This file defines SNAT and masquerading. Here we configure which networks may reach the internet through the firewall.

Example of this file so that the firewall lets the LAN (eth1) connect to the internet (eth0):

#INTERFACE  SOURCE  ADDRESS  PROTO  PORT(S)  IPSEC  MARK
eth0        eth1

To see the help for this file:

man shorewall-masq
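To make the evaluation order of the rules and policy files concrete, here is an added example (written for this article, not Shorewall's own code): a small Python model that parses constructed zones, policy and rules snippets mirroring the three-zone setup above, reports zones that are referenced but never defined, and tells which file decides a given connection. The macro table and the 192.0.2.10 host are assumptions.

```python
# Constructed config text mirroring the article's fw/net/loc setup (not real files).
ZONES = "fw firewall\nnet ipv4\nloc ipv4\n"
POLICY = "loc net ACCEPT\nnet all DROP info\nall all REJECT info\n"
RULES = ("SSH(ACCEPT) loc $FW\n"
         "RDP(DNAT)   net loc:192.0.2.10\n"   # 192.0.2.10 is a constructed LAN host
         "ACCEPT      $FW loc icmp\n"
         "ACCEPT      $FW net icmp\n")
# Protocol/port behind the two macros (assumed to match Shorewall's macro.SSH/macro.RDP).
MACROS = {"SSH": ("tcp", 22), "RDP": ("tcp", 3389)}


def parse(text):
    """Split config text into field lists, dropping comments and blank lines."""
    return [ln.split("#")[0].split() for ln in text.splitlines()
            if ln.split("#")[0].strip()]


def fw_zone(zones):
    """Name of the zone declared with TYPE firewall ("fw" in the article)."""
    return next(f[0] for f in parse(zones) if f[1] == "firewall")


def zone_of(field, fw):
    """'loc:192.0.2.10' -> 'loc'; the $FW variable -> the firewall zone."""
    return fw if field == "$FW" else field.split(":")[0]


def undefined_zones(zones=ZONES, policy=POLICY, rules=RULES):
    """Zones referenced in policy/rules that the zones file never defines."""
    fw, defined = fw_zone(zones), {f[0] for f in parse(zones)}
    used = {zone_of(f, fw) for p in parse(policy) for f in p[:2]}
    used |= {zone_of(f, fw) for r in parse(rules) for f in r[1:3]}
    return used - defined - {"all"}


def decide(src, dst, proto, port=None, zones=ZONES, policy=POLICY, rules=RULES):
    """Disposition of a new connection src -> dst and which file decided it."""
    fw = fw_zone(zones)
    for action, rsrc, rdst, *rest in parse(rules):      # rules are consulted first
        if "(" in action:                               # macro form, e.g. SSH(ACCEPT)
            macro, act = action.rstrip(")").split("(")
            rproto, rport = MACROS[macro]
        else:                                           # ACTION SOURCE DEST PROTO [PORT]
            act, rproto = action, (rest[0] if rest else "all")
            rport = int(rest[1]) if len(rest) > 1 else None
        if (zone_of(rsrc, fw), zone_of(rdst, fw)) == (src, dst) \
                and rproto in ("all", proto) and rport in (None, port):
            return act, "rules"
    for psrc, pdst, pol, *_ in parse(policy):           # then the first matching policy
        if psrc in ("all", src) and pdst in ("all", dst):
            return pol, "policy"
    return "REJECT", "implicit"                         # only reached without an all/all line
```

Running `undefined_zones()` against the article's original rules line `SSH/ACCEPT lan $FW` reports `lan`, since the zones file only defines `fw`, `net` and `loc`.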

More configuration files:

  • hosts: associates groups of hosts with a zone. It is essential when several zones share a single interface.
  • blacklist: any IP address or block of addresses added to this file is automatically blacklisted.
  • tunnels: used to automatically configure the Netfilter rules needed for different types of tunnels (IPsec, OpenVPN, etc.).
  • tcrules: used to load tc rules (the kernel's traffic-shaping tool) from the firewall, for traffic control and load balancing.
  • For the rest, look in /etc/shorewall.


Example files

Another great advantage is that Shorewall ships with several example files containing ready-made configurations: just copy them into /etc/shorewall and the firewall works correctly.

The sample files are in the following path:


There are three folders with default configuration files for the following setups:

  • One network interface (WAN only)
  • Two network interfaces (WAN and LAN)
  • Three network interfaces (WAN, LAN and DMZ)

We would copy the files from the folder into /etc/shorewall and start the firewall; it could not be faster or easier.

I hope this tutorial is useful to you; if you liked it I would appreciate a +1 on social networks so it reaches more people. Thank you very much for reading the article to the end ;).

About Ignacio Alba Obaya

Microcomputer systems technician and training-for-employment instructor. Lover of new technologies. GNU/Linux and Windows administrator.


  1. Very good contribution. Now I wonder, if I wanted to block an IP on the network so that it has no internet access, how could it be done?

    1. I would change the gateway IP on that machine and it would no longer have an internet connection. In Shorewall you can do it in /etc/shorewall/rules by adding
      DROP  loc:IP_OR_SUBNET  net  tcp  80

      Put the IP or the subnet you need in place of IP_OR_SUBNET.

  2. Hi,

    And if we want to let all traffic from a particular IP through? I mean, for example, a VIP that I do not want to block at all in Shorewall?


    1. By default the firewall allows all local IPs (loc) to go out to the internet (net) on all ports, as stated in the file /etc/shorewall/policy with the entry loc net ACCEPT. If some machines do not have internet access, it may be that some rule in /etc/shorewall/rules is preventing it. If what you want is for a specific computer to be reachable from outside the network, open the ports, or if you want them all open, put the computer in the DMZ. If none of these ideas help you, I would need to know more details in order to answer properly.
