Shorewall Firewall on Ubuntu Feisty VPS Part 3

Posted by: Jeff Owens in Linux

So let's set up the final piece of the puzzle so we can install some packages and start coding already. If you've been following along (Part Two), we are now ready to set up the Shorewall firewall. This will lock down all ports we aren't using, both TCP and UDP. Go ahead and ssh into your slice from a terminal and type in the commands below to install the shorewall package.

CODE:
  sudo -i
  apt-get install shorewall
  cd /etc/shorewall


Now we need to copy some example configuration files to get us started. Note the trailing period on each "cp" command: it means "the current directory" (/etc/shorewall, where we just changed to), so you do need to type it.

CODE:
  cp /usr/share/doc/shorewall/default-config/interfaces .
  cp /usr/share/doc/shorewall/default-config/policy .
  cp /usr/share/doc/shorewall/default-config/rules .
  cp /usr/share/doc/shorewall/default-config/zones .

Now we will edit each of the files to add our own secret sauce. Lines beginning with the "#" character are comment instructions for you; don't type them in. Remember to use the <Ctrl>+X key combination and hit the <Enter> key to save.

CODE:
  nano /etc/shorewall/interfaces
  # add the following line to the end of the interfaces file and save/exit
  net eth0 detect

Now let's edit the zones file.

CODE:
  nano /etc/shorewall/zones
  # add the following line to the end of the zones file and save/exit
  net ipv4

The policy file also needs editing.

CODE:
  nano /etc/shorewall/policy
  # add the following 3 lines to the end of the policy file, then save/exit
  fw net ACCEPT
  net all DROP info
  all all REJECT info

The rules file also gets some sauce. Note that if you wish Shorewall to respond to pings you have to let it know; it does not by default (see BlueNovember's comment below).

CODE:
  nano /etc/shorewall/rules
  # add the following 2 lines to the end of the rules file, then save/exit
  ACCEPT net fw tcp 22
  ACCEPT net fw tcp 80
  # if you want your machine to respond to pings add the following line
  Ping/ACCEPT net $FW

The final file we will edit is the shorewall file.

CODE:
  nano /etc/default/shorewall
  # change startup=0 to startup=1, then save/exit

Now let's start the firewall and test it out.

CODE:
  # Start firewall
  invoke-rc.d shorewall start
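As an added example (not code from the original post), here is a POSIX shell script that applies the whole procedure above in one go and adds the checks a practitioner wants before starting a firewall on a remote slice: it appends the post's lines to the four files only if they are not already there (so it can be re-run), refuses to proceed if a rules line lacks its ACTION column (the error Blue reports in the comments) or if no rule admits ssh from net, and runs "shorewall check", which compiles the configuration without loading it, before enabling and starting the service. The function names and the optional directory argument to write_shorewall_config are my own; the configuration lines are exactly the ones from the post and the comments.

```shell
#!/bin/sh
# Added example, not code from the original post. Writes the Shorewall
# configuration lines from the post into a directory (default
# /etc/shorewall), skipping lines that are already present, and lints the
# rules file for the two mistakes that most often bite a fresh install:
# a missing ACTION column and no rule letting ssh in before "net all DROP"
# takes effect.

# Append a line to a file only if it is not already there verbatim.
append_once() {
    file=$1
    line=$2
    touch "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# The exact lines the post adds to interfaces, zones, policy and rules.
# The directory argument is an assumption of this example; the post
# edits /etc/shorewall directly.
write_shorewall_config() {
    dir=${1:-/etc/shorewall}
    mkdir -p "$dir"
    append_once "$dir/interfaces" 'net eth0 detect'
    append_once "$dir/zones"      'net ipv4'
    append_once "$dir/policy"     'fw net ACCEPT'
    append_once "$dir/policy"     'net all DROP info'
    append_once "$dir/policy"     'all all REJECT info'
    append_once "$dir/rules"      'ACCEPT net fw tcp 22'
    append_once "$dir/rules"      'ACCEPT net fw tcp 80'
    append_once "$dir/rules"      'Ping/ACCEPT net $FW'
}

# Every non-comment line in rules must start with an action (ACCEPT, DROP,
# REJECT, or a macro such as Ping/ACCEPT or SSH/ACCEPT) followed by a
# source zone and a destination zone. Shorewall knows more actions (DNAT,
# REDIRECT, LOG, ...); add them to the case list if you use them.
# Returns 1 and reports each bad line on stderr if anything is wrong.
lint_rules() {
    file=$1
    status=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;
        esac
        set -f                 # no globbing while we split the line
        set -- $line
        set +f
        case $1 in
            ACCEPT|DROP|REJECT|*/ACCEPT|*/DROP|*/REJECT) ;;
            *) echo "$file:$lineno: invalid action '$1'" >&2; status=1 ;;
        esac
        if [ $# -lt 3 ]; then
            echo "$file:$lineno: expected ACTION SOURCE DEST" >&2
            status=1
        fi
    done < "$file"
    return $status
}

# With "net all DROP" in policy, a rules file that admits nothing on tcp/22
# locks you out of the slice the moment the firewall starts. Accepts the
# port form from the post and the SSH macro form from the comments, with
# either "fw" or "$FW" as the destination zone.
has_ssh_rule() {
    grep -Eq '^(ACCEPT[[:blank:]]+net[[:blank:]]+(fw|\$FW)[[:blank:]]+tcp[[:blank:]]+(22|ssh)([[:blank:]]|$)|SSH/ACCEPT[[:blank:]]+net[[:blank:]]+(fw|\$FW)([[:blank:]]|$))' "$1"
}

# Lint, let shorewall compile the configuration without loading it
# ("shorewall check"), and only then enable and start it. A failure at
# any step leaves the current ruleset untouched.
apply_shorewall() {
    lint_rules /etc/shorewall/rules || return 1
    has_ssh_rule /etc/shorewall/rules || {
        echo 'no rule admits ssh from net; refusing to start' >&2
        return 1
    }
    shorewall check || return 1
    sed -i 's/^startup=0/startup=1/' /etc/default/shorewall
    invoke-rc.d shorewall start
}

# Usage as root, after sourcing this file:
#   write_shorewall_config && apply_shorewall
```

The lint is deliberately strict about the first column because that is the column Shorewall itself rejects ("Invalid Action in rule"); the ssh check exists because a firewall that starts correctly but without that rule is indistinguishable, from the outside, from a dead server.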

There you have it. Shorewall firewall, shaken not stirred. Now we can install some packages and start writing that application that will lead us to early retirement.


This entry was posted on Tuesday, July 17th, 2007 at 7:23 pm and is filed under Linux. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

5 comments so far

 1 

Hey there.
A great quick-start guide.
I think however there’s a slight mistake:

In the lines you say to add to /etc/shorewall/rules,
net fw tcp 22
net fw tcp 80

should read:
ACCEPT net fw tcp 22
ACCEPT net fw tcp 80

I’m not sure if that’s actually correct, but that’s what I understood from the man pages / other sources, and it worked for me. Without the changes I get this error after following your instructions:
(in /var/log/shorewall-init.log)
Compiling/etc/shorewall/rules …
ERROR: Invalid Action in rule "net fw tcp 22"

(running ubuntu server, fiesty fawn)

Thanks once again for the guide =)
~
Blue

July 29th, 2007 at 10:13 am
Jeff
 2 

Good catch Blue, now corrected. Thx.

July 29th, 2007 at 5:00 pm
 3 

Hey again. Finally finished setting up my own shorewall, and thought I'd share my thoughts on bits I found annoying/tricky:

Shorewall will not reply to pings by default. To make it reply, add the following to your rules file:
Ping/ACCEPT net $FW

You can also add services by name, instead of port, eg:
ACCEPT net $FW tcp microsoft-ds
ACCEPT net $FW tcp mysql
ACCEPT net $FW tcp netbios-ssn
ACCEPT net $FW tcp ftp

…although of course this will just add the default ports, not intelligently find the ones you are listening on.

August 5th, 2007 at 4:49 am
Jon
 4 

Excellent getting started guide :-)

Shorewall also ships with a number of macros. In the rules file, you can do the same as above, with the following:

SSH/ACCEPT net $FW
Web/ACCEPT net $FW
Ping/ACCEPT net $FW

See ‘/usr/share/shorewall/’ for a list of all macros.

November 15th, 2007 at 4:28 am
 5 

Thank you so much for posting this – I admin'd CentOS for about 2 years and the transition to Debian has been like my six weeks in Germany "wie sagt man auf deutsch?" – how do I say it in German (Debian). The part in /etc/default/shorewall was the key – thanks!

March 9th, 2009 at 10:20 pm

One Trackback/Ping

  1. Because I Learn » Blog Archive » Firewall    Oct 24 2007 / 4am:

    [...] tutorial at Debianhelp on the installation and setting of it. A more relevant tutorial is here and there for those who are running a Xen [...]
