Shorewall is an open source firewall tool for Linux built on top of netfilter (iptables). It is an abstraction layer over netfilter rules, driven by plain configuration files, and easier to manage than raw iptables.
In this post I'll show a basic setup to begin working with Shorewall, and its main configuration files, using a server with three interfaces.
Shorewall divides the networks into zones; each network interface is assigned to a zone, and the filter rules are then defined for the traffic flowing between zones. The zones and interfaces used in this post's scenario are:
– eth0 (Internet): 192.168.1.135/24
– eth1 (LAN): 192.168.0.1/24
– eth2 (DMZ): 172.16.0.1/24
– Installing shorewall:
# apt-get install shorewall
– Copying the basic configuration files:
# cp /usr/share/doc/shorewall/examples/three-interfaces/zones /etc/shorewall/
# cp /usr/share/doc/shorewall/examples/three-interfaces/interfaces /etc/shorewall/
# cp /usr/share/doc/shorewall/examples/three-interfaces/policy /etc/shorewall/
# cp /usr/share/doc/shorewall/examples/three-interfaces/rules /etc/shorewall/
# cp /usr/share/doc/shorewall/examples/three-interfaces/masq /etc/shorewall/
# cp /usr/share/doc/shorewall/examples/three-interfaces/routestopped /etc/shorewall/
– Configure shorewall to start at boot time:
# vi /etc/default/shorewall
startup=1
– Editing the main Shorewall configuration file:
# vi /etc/shorewall/shorewall.conf
STARTUP_ENABLED=Yes
– Editing the zones for our network:
# vi /etc/shorewall/zones
############################
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
– fw: The firewall server.
– net: Internet.
– loc: Local network.
– dmz: Our DMZ network.
– Configuring our network interfaces:
# vi /etc/shorewall/interfaces
###################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians,blacklist
loc     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians
dmz     eth2        detect      tcpflags,nosmurfs,routefilter,logmartians
– tcpflags: Checks incoming packets for illegal combinations of TCP flags (for example SYN and FIN set together) and drops them.
– routefilter: Enables the kernel's reverse path filter (rp_filter) on the interface, dropping packets whose source address would not be routed back out through that same interface (an anti-spoofing measure).
– nosmurfs: Drops packets whose source address is a broadcast address, the signature of a smurf attack.
– logmartians: Makes the kernel log "martian" packets, packets with a source address that cannot legitimately arrive on that interface (for example an address from a range reserved by the IANA).
– blacklist: Enables the blacklist file (/etc/shorewall/blacklist) on this interface; entries can match by IP address or subnet, MAC address, or protocol and port. Later Shorewall releases (5.x) replace this file with /etc/shorewall/blrules.
– Configuring the default policies for the traffic between the zones:
# vi /etc/shorewall/policy
##########################################
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
dmz     net     ACCEPT
loc     net     ACCEPT
net     all     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
– Defining the firewall rules. Note that the three DROP rules from loc to net match on the SOURCE PORT column (the DEST PORT column is "-"), so they do not stop LAN hosts from browsing the Internet; outbound browsing is allowed by the loc→net ACCEPT policy above:
# vi /etc/shorewall/rules
#######################################################
#ACTION     SOURCE  DEST                PROTO   DEST    SOURCE  ORIGINAL    RATE    USER/   MARK
#                                               PORT    PORT(S) DEST        LIMIT   GROUP
#DNAT Rules
DNAT        net     dmz:172.16.0.2:80   tcp     80
DNAT        net     dmz:172.16.0.2:443  tcp     443
DNAT        net     dmz:172.16.0.2:21   tcp     21
# Drop the icmp traffic from internet to the firewall
Ping(DROP)  net     $FW
# Drop http, https and ftp with source port from the local network to any network
DROP        loc     net                 tcp     -       80
DROP        loc     net                 tcp     -       443
DROP        loc     net                 tcp     -       21
# Accepting icmp traffic from the firewall to the other networks
ACCEPT      $FW     net                 icmp
ACCEPT      $FW     loc                 icmp
ACCEPT      $FW     dmz                 icmp
# Accepting ssh connections from the local network to the DMZ and the firewall using the SSH macro
SSH(ACCEPT) loc     $FW
SSH(ACCEPT) loc     dmz
# Accepting http, https, ftp and dns from the local network to the dmz
ACCEPT      loc     dmz                 tcp     80      -
ACCEPT      loc     dmz                 tcp     443     -
ACCEPT      loc     dmz                 tcp     21      -
ACCEPT      loc     dmz                 udp     53      -
Shorewall macros are an alias for an existing set of iptables rules. The alias goes in the ACTION column of the rules file, and the behaviour of the rule (ACCEPT, DROP, REJECT) is passed to the macro as a parameter. The macros shipped with Shorewall live in /usr/share/shorewall. You can create your own: write a file named macro.NAME in a directory listed in the CONFIG_PATH variable of /etc/shorewall/shorewall.conf (/etc/shorewall is listed there by default, so a macro there overrides the shipped one of the same name). A macro definition looks like a rules file; the only difference is the ACTION column, where PARAM stands for the action the caller passes in. For example, the SSH macro defined in /usr/share/shorewall/macro.SSH:
##################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
#                               PORT(S) PORT(S) LIMIT   GROUP
PARAM   -       -       tcp     22
– Defining a blacklist file. Check the masks carefully: a /24 on 192.168.1.128 matches the whole 192.168.1.0/24 network, not a single host:
# vi /etc/shorewall/blacklist
#ADDRESS/SUBNET     PROTOCOL    PORT
192.168.1.128/24    -           -
192.168.1.8/24      udp         53
– Defining the SNAT rules:
# vi /etc/shorewall/masq
###################################################
#INTERFACE  SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
#SNAT definition to masquerade the local network and dmz with the ip address 192.168.1.135
eth0        192.168.0.0/24  192.168.1.135
eth0        172.16.0.0/24   192.168.1.135
– Defining the traffic that is still accepted while Shorewall is stopped; in this configuration, all hosts on the local network (eth1):
# vi /etc/shorewall/routestopped
######################
#INTERFACE  HOST(S)
eth1        -
– Checking shorewall configuration:
# shorewall check
– Restarting Shorewall with the new rules:
# shorewall safe-restart
With safe-restart you are prompted to accept or reject the new configuration. If you accept, the new rules are saved to /var/lib/shorewall/.safe; otherwise the old rules kept in that file are loaded again. The same happens if you cannot answer the prompt because the new rule set cut off your remote session, which is what makes safe-restart the right command when editing the firewall over SSH.
– To show the firewall rules defined:
# shorewall show
– Sources:
http://www.shorewall.net/Manpages.html
http://www.shorewall.net/Documentation_Index.html
You should use “shorewall safe-restart”. It recovers your session if you cut off your session. Another tip: retry your ssh connection to the server; Shorewall doesn’t break the stateful table on restart.
Hey Nicolas!! You are right about safe-restart, I edited the post with your suggestion. About the ssh connection, it works correctly on my servers with these rules. What do you see that can be wrong??
Thanks for your advice!!