So let's set up the final piece of the puzzle so we can install some packages and start coding already. If you've been following along (Part Two), we are now ready to set up the Shorewall firewall. This will lock down all ports we aren't using, both TCP and UDP. Go ahead and ssh into your slice from a terminal and type in the commands below to install the shorewall package.
sudo -i
apt-get install shorewall
cd /etc/shorewall
Now we need to copy some example configuration files to get us started. Note the use of "cp" for copying; the period at the end means "the current directory", so you do need to type it.
cp /usr/share/doc/shorewall/default-config/interfaces .
cp /usr/share/doc/shorewall/default-config/policy .
cp /usr/share/doc/shorewall/default-config/rules .
cp /usr/share/doc/shorewall/default-config/zones .
Now we will edit each of the files to add our own secret sauce. Lines beginning with the "#" character are instructions for you; don't type them in. Remember to use the <Ctrl> + X key combination and hit the <Enter> key to save.
nano /etc/shorewall/interfaces
# add the following line to the end of the interfaces file and save/exit
net eth0 detect
Now let's edit the zones file.
nano /etc/shorewall/zones
# add the following line to the end of the zones file and save/exit
net ipv4
The policy file also needs editing.
nano /etc/shorewall/policy
# add the following 3 lines to the end of the policy file, then save/exit
fw net ACCEPT
net all DROP info
all all REJECT info
The rules file also gets some sauce. Note that if you want Shorewall to respond to pings you have to tell it so; it does not by default (see BlueNovember's comment below).
nano /etc/shorewall/rules
# add the following 2 lines to the end of the rules file, then save/exit
ACCEPT net fw tcp 22
ACCEPT net fw tcp 80
# if you want your machine to respond to pings add the following line
Ping/ACCEPT net $FW
The final file we will edit is the shorewall file.
nano /etc/default/shorewall
# change startup=0 to startup=1, then save/exit
Now let's restart the firewall and test it out.
# Restart firewall
invoke-rc.d shorewall start
There you have it. Shorewall firewall, shaken not stirred. Now we can install some packages and start writing that application that will lead us to early retirement.
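Before restarting, it is worth sanity-checking the rules file, because a rule missing its ACTION column (the mistake discussed in the comments below) aborts the compile. The following shell pre-check is an added example, not from the original post or from Shorewall itself: it reads zone names from the zones file as laid out above and flags rules whose first column is not an action or Macro/ACTION, or whose SOURCE/DEST is not a declared zone. The action list and the sample files are constructed for this example; `shorewall check` remains the authoritative test.

```shell
#!/bin/sh
# lint_rules ZONES_FILE RULES_FILE
# Prints one diagnostic per problem and returns 1 if any rule is bad.
# Rule columns: ACTION SOURCE DEST PROTO DEST_PORT (only the first 3 are checked).
lint_rules() {
    # Zone names are the first column of every non-comment, non-blank zones line
    # (e.g. "fw firewall", "net ipv4"); $FW and "all" are always valid.
    zones=$(awk '!/^[ \t]*#/ && NF { print $1 }' "$1")
    awk -v zones="$zones fw \$FW all" '
        BEGIN { n = split(zones, z, /[ \t\n]+/); for (i = 1; i <= n; i++) known[z[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        {
            bad = 0
            # Column 1: a bare action or a macro invocation such as Ping/ACCEPT.
            # The action list is a constructed subset of what Shorewall accepts.
            if ($1 !~ /^([A-Za-z0-9_-]+\/)?(ACCEPT|DROP|REJECT|DNAT|REDIRECT|LOG|CONTINUE)$/) {
                printf "line %d: invalid ACTION \"%s\"\n", NR, $1; bad = 1
            }
            if (NF < 3) { printf "line %d: missing SOURCE/DEST\n", NR; bad = 1 }
            else {
                if (!($2 in known)) { printf "line %d: unknown SOURCE zone \"%s\"\n", NR, $2; bad = 1 }
                if (!($3 in known)) { printf "line %d: unknown DEST zone \"%s\"\n", NR, $3; bad = 1 }
            }
            errors += bad
        }
        END { if (errors > 0) exit 1 }
    ' "$2"
}

# Constructed sample files (not copied from any real system) in a scratch directory.
DEMO_DIR=$(mktemp -d)
printf 'fw firewall\nnet ipv4\n' > "$DEMO_DIR/zones"
# The rules from this post plus the Ping macro: should pass.
printf 'ACCEPT net fw tcp 22\nACCEPT net fw tcp 80\nPing/ACCEPT net $FW\n' > "$DEMO_DIR/rules.good"
# The variant that produced "Invalid Action in rule", plus an undeclared zone: should fail.
printf 'net fw tcp 22\nACCEPT net dmz tcp 80\n' > "$DEMO_DIR/rules.bad"

lint_rules "$DEMO_DIR/zones" "$DEMO_DIR/rules.good" && echo "rules.good: OK"
lint_rules "$DEMO_DIR/zones" "$DEMO_DIR/rules.bad" || echo "rules.bad: rejected"
```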
Hey there.
A great quick-start guide.
I think however there’s a slight mistake:
In the lines you say to add to /etc/shorewall/rules,
net fw tcp 22
net fw tcp 80
should read:
ACCEPT net fw tcp 22
ACCEPT net fw tcp 80
I’m not sure if that’s actually correct, but that’s what I understood from the man pages / other sources, and it worked for me. Without the changes I get this error after following your instructions:
(in /var/log/shorewall-init.log)
Compiling/etc/shorewall/rules …
ERROR: Invalid Action in rule "net fw tcp 22"
(running Ubuntu Server, Feisty Fawn)
Thanks once again for the guide =)
~
Blue
Good catch Blue, now corrected. Thx.
Hey again. Finally finished setting up my own shorewall, and thought I'd share my thoughts on bits I found annoying/tricky:
Shorewall will not reply to pings by default. To make it reply, add the following to your rules file:
Ping/ACCEPT net $FW
You can also add services by name, instead of port, eg:
ACCEPT net $FW tcp microsoft-ds
ACCEPT net $FW tcp mysql
ACCEPT net $FW tcp netbios-ssn
ACCEPT net $FW tcp ftp
…although of course this will just add the default ports, not intelligently find the ones you are listening on.
Excellent getting started guide
Shorewall also ships with a number of macros. In the rules file, you can do the same as above, with the following:
SSH/ACCEPT net $FW
Web/ACCEPT net $FW
Ping/ACCEPT net $FW
See ‘/usr/share/shorewall/’ for a list of all macros.