Shorewall is a gateway/firewall (iptables) configuration tool for GNU/Linux.
Install shorewall on CentOS or RHEL
Enable the EPEL repo (see "How to enable epel repo?"), then:
# yum install shorewall
Or download and install through the rpm link: Download shorewall
The main shorewall package is named “shorewall-version.architecture.rpm”.
The dependency packages are “perl-Digest-SHA-version.architecture.rpm” and “shorewall-core-version.architecture.rpm”.
Users on CentOS 6 / RHEL 6 can download shorewall version 5.0.12 from the direct links below:
wget http://sudoadmin.com/DownLoads/ShoreWall/shorewall-188.8.131.52-2.el6.noarch.rpm
wget http://sudoadmin.com/DownLoads/ShoreWall/perl-Digest-SHA-5.47-141.el6_7.1.x86_64.rpm
wget http://sudoadmin.com/DownLoads/ShoreWall/shorewall-core-184.108.40.206-2.el6.noarch.rpm
rpm -ivh shorewall-220.127.116.11-2.el6.noarch.rpm perl-Digest-SHA-5.47-141.el6_7.1.x86_64.rpm shorewall-core-18.104.22.168-2.el6.noarch.rpm
Configure interface /etc/shorewall/interfaces
Check the interface name: find it with the command “ip link”
# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether g4:3d:7e:fd:0c:1a brd ff:ff:gf:ff:ff:ff
Append the following entries:
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,routefilter,nosmurfs,logmartians
For two interfaces, with eth0 for the local LAN and eth1 for the public IP or internet:
#ZONE   INTERFACE   OPTIONS
net     eth1        tcpflags,routefilter,nosmurfs,logmartians
loc     eth0        tcpflags,nosmurfs
- routefilter – Turn on kernel route filtering for this interface, i.e. turn on anti-spoofing measures.
- tcpflags – Packets arriving on this interface are checked for certain illegal combinations of TCP flags, such as Xmas, null or otherwise invalid packets. Packets found to have such a combination of flags are dropped (see the setting of the TCP_FLAGS_DISPOSITION option in shorewall.conf) after having been logged in the /var/log/messages file (see the setting of TCP_FLAGS_LOG_LEVEL in shorewall.conf).
- logmartians – Turn on kernel martian logging (logging of packets with impossible source addresses). It is strongly suggested that if you set routefilter on an interface that you also set logmartians.
- nosmurfs – Filter packets for smurfs (packets with a broadcast address as the source) i.e. turn on anti-smurf protection.
Configure Zone – /etc/shorewall/zones
# vi /etc/shorewall/zones
Update the file as follows:
fw      firewall
net     ipv4
Configure Policy – /etc/shorewall/policy
ACCEPT – Accept the connection.
DROP – Ignore the connection request.
REJECT – Return an appropriate error to the connection request.
Connection request logging may be specified as part of a policy and it is conventional (and highly recommended) to log DROP and REJECT policies.
Edit the file /etc/shorewall/policy and append the policy:
#SOURCE   DEST   POLICY   LOGLEVEL   LIMIT   CONNLIMIT
$FW       net    DROP     info
net       $FW    DROP     info
net       all    DROP     info
# The FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Configure Rules – /etc/shorewall/rules
Configure the rules according to your IPs. For predefined syntax, refer to the macros in /usr/share/shorewall/macro.*; e.g. there is no need to specify port 80, you can use the HTTP macro instead.
# ls /usr/share/shorewall/macro.*
Now edit the rules file and make changes accordingly:
#ACTION       SOURCE               DEST                 PROTO  DEST       SOURCE   ORIGINAL  RATE   USER/  MARK
#                                                              PORT       PORT(S)  DEST      LIMIT  GROUP
# Accept Ping from the net zone to the firewall
Ping/ACCEPT   net                  $FW
# Permit Ping FROM the firewall to the net zone for all IP
Ping/ACCEPT   $FW                  net
#open SMTP port from firewall to internet for all IP
SMTP/ACCEPT   $FW                  net
#open HTTP port from firewall to internet for all IP
HTTP/ACCEPT   $FW                  net
#open DNS port from firewall to internet for all IP
DNS/ACCEPT    $FW                  net
#open HTTP port from internet to firewall for all IP
HTTP/ACCEPT   net                  $FW
#open HTTPS port from internet to firewall for all IP
HTTPS/ACCEPT  net                  $FW
#open SSH port from internet to firewall for all IP
SSH/ACCEPT    net                  $FW
#open 2812 port for 22.214.171.124 IP from internet to firewall and firewall to internet
ACCEPT        net:126.96.36.199    $FW                  tcp    2812
ACCEPT        $FW                  net:188.8.131.52     tcp    2812
#open FTP port from internet to firewall and firewall to internet for all IP
FTP/ACCEPT    net                  $FW
FTP/ACCEPT    $FW                  net
#open mysql port from internet to firewall
MySQL/ACCEPT  net                  $FW
#you can specify range of port to open
ACCEPT        net                  $FW                  tcp    3000:3333 #FTPS passive port range
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
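With the net-to-firewall policy set to DROP, every ACCEPT rule whose SOURCE is the bare zone net exposes that service to the whole internet, unlike the port 2812 rule, which is limited with net:address. The script below is an added example, not part of the original page: it lists those unrestricted inbound rules so they can be reviewed before the firewall is started. The function names audit_rules, sample_rules and demo are hypothetical, and 192.0.2.10 is a constructed documentation address.

```shell
#!/bin/sh
# Added example (not from the original page): list rules that accept
# traffic from the whole "net" zone to the firewall itself.

# audit_rules FILE -> prints one "ACTION PROTO PORT" line per rule whose
# SOURCE is the bare zone "net" (no :host restriction) and DEST is $FW.
audit_rules() {
    awk '
        { sub(/#.*/, "") }      # strip comments, including trailing ones
        NF < 3 { next }         # skip blank and incomplete lines
        # keep only plain ACCEPT and Macro/ACCEPT actions
        $1 != "ACCEPT" && $1 !~ /\/ACCEPT$/ { next }
        $2 == "net" && $3 == "$FW" {
            proto = (NF >= 4) ? $4 : "-"
            port  = (NF >= 5) ? $5 : "-"
            print $1, proto, port
        }
    ' "$1"
}

# Constructed sample: a subset of the rules shown above, with 192.0.2.10
# standing in for the single-host source of the port 2812 rule.
sample_rules() {
    cat <<'EOF'
#ACTION       SOURCE          DEST  PROTO  DEST PORT
Ping/ACCEPT   net             $FW
HTTP/ACCEPT   $FW             net
SSH/ACCEPT    net             $FW
ACCEPT        net:192.0.2.10  $FW   tcp    2812
MySQL/ACCEPT  net             $FW
ACCEPT        net             $FW   tcp    3000:3333 #FTPS passive port range
EOF
}

# Run the audit over the constructed sample.
demo() {
    tmp=$(mktemp) || return 1
    sample_rules > "$tmp"
    audit_rules "$tmp"
    rm -f "$tmp"
}

demo
```

On a real system, run audit_rules /etc/shorewall/rules; any SSH or MySQL line it prints is a candidate for a net:address source restriction.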
Edit firewall configuration to enable startup
# vi /etc/shorewall/shorewall.conf
Find the line: STARTUP_ENABLED and replace No with YES
Save existing firewall rules
Use iptables-save command to dump the contents of an IP Table in easily parseable format to screen or a file:
# iptables-save > /root/old.firewall.config
However, I recommend that you use the following commands to save and disable iptables service on CentOS/RHEL:
# service iptables save
# service iptables stop
# chkconfig iptables off
Before starting shorewall, always run check to catch configuration errors:
# shorewall check
[root@sudoadmin ~]# shorewall check
Checking using Shorewall 5.0.12...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
Checking MAC Filtration -- Phase 2...
Applying Policies...
Checking /usr/share/shorewall/action.Drop for chain Drop...
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
Shorewall configuration verified
How do I start / stop / restart shorewall?
Type the following commands (warning: poorly configured firewall rules may lock you out of remote access, including ssh, so be careful when you type the following commands):
# service shorewall start
# service shorewall status
# service shorewall stop
# service shorewall restart
# /etc/init.d/shorewall start
# /etc/init.d/shorewall status
# /etc/init.d/shorewall stop
# /etc/init.d/shorewall restart
To turn on shorewall at boot time, enter:
# chkconfig shorewall on
How do I list firewall rules?
Type the following command:
# iptables -n -L
# shorewall show
# shorewall show | less
How do I see the IP connections currently being tracked by the firewall?
# shorewall show connections
How do I see firewall logs?
# shorewall show hits
# shorewall show hits | less
How do I display my kernel/iptables capabilities?
# shorewall show capabilities
How do I list all macros?
# shorewall show macros
# shorewall show macro Web