Shorewall installation configuration for Linux – CentOS,Fedora or RHEL

Shorewall is a gateway/firewall (iptables) configuration tool for GNU/Linux.

Install shorewall on CentOS or RHEL

Enable Epel repo – How to enable epel repo? then

# yum install shorewall

or

Download and install though rpm link Downlod shorewall

shorewall main package name “shorewall-version.architecture.rpm
And Dependency packages are :”perl-Digest-SHA-version.architecture.rpm and shorewall-core-version.architecture.rpm

The User with Centos 6 / RHEL 6 can download from direct link, shorewall version 5.0.12 as below

wget http://sudoadmin.com/DownLoads/ShoreWall/shorewall-5.0.12.0-2.el6.noarch.rpm
wget http://sudoadmin.com/DownLoads/ShoreWall/perl-Digest-SHA-5.47-141.el6_7.1.x86_64.rpm
wget http://sudoadmin.com/DownLoads/ShoreWall/shorewall-core-5.0.12.0-2.el6.noarch.rpm
rpm -ivh shorewall-5.0.12.0-2.el6.noarch.rpm perl-Digest-SHA-5.47-141.el6_7.1.x86_64.rpm shorewall-core-5.0.12.0-2.el6.noarch.rpm

Shorewall Configaration

Configure interface /etc/shorewall/interfaces

check interface name: find interface name from command “ip link”

#ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether g4:3d:7e:fd:0c:1a brd ff:ff:gf:ff:ff:ff

Append following entries

#ZONE   INTERFACE       OPTIONS
net     eth0     tcpflags,routefilter,nosmurfs,logmartians

OR

for two interface eth0 for local lan and eth1 for public ip or internet

#ZONE   INTERFACE    OPTIONS
net     eth1      tcpflags,routefilter,nosmurfs,logmartians
loc     eth0      tcpflags,nosmurfs
    1. routefilter – Turn on kernel route filtering for this interface i.e. turn on anti-spoofing measurements.
    2. tcpflags – Packets arriving on this interface are checked for certain illegal combinations of TCP flags such as x mas or null or invalid packets. Packets found to have such a combination of flags are dropped (see the settings of TCP_FLAGS_DISPOSITION option in shorewall.conf) after having been logged in /var/log/messages file (see the setting of TCP_FLAGS_LOG_LEVEL in shorewall.conf).
    3. logmartians – Turn on kernel martian logging (logging of packets with impossible source addresses). It is strongly suggested that if you set routefilter on an interface that you also set logmartians.
    4. nosmurfs – Filter packets for smurfs (packets with a broadcast address as the source) i.e. turn on anti-smurf protection.

Configure Zone – /etc/shorewall/zones

 

 # vi /etc/shorewall/zones

Update the file as follows:

fw              firewall
net             ipv4

Configure Policy – /etc/shorewall/policy

ACCEPT – Accept the connection.
DROP – Ignore the connection request.
REJECT – Return an appropriate error to the connection request.
Connection request logging may be specified as part of a policy and it is conventional (and highly recommended) to log DROP and REJECT policies.

Edit the file /etc/shorewall/policy,

Append the policy:

#SOURCE         DEST            POLICY  LOGLEVEL        LIMIT   CONNLIMIT
$FW             net             DROP            info
net             $FW             DROP            info
net             all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Configure Rules – /etc/shorewall/rules

configure according to your IP refer-macros for predefined syntax /usr/share/shorewall/macro.* eg no need to specify 80 you can use HTTP insted

# ls /usr/share/shorewall/macro.*

Now edit rules files and makes changes accordingly

 vi /etc/shorewall/rules
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
# Drop Ping from the "bad" net zone. and prevent your log from being flooded..
Ping/ACCEPT     net             $FW
# Permit all ICMP traffic FROM the firewall to the net zone for all IP
Ping/ACCEPT     $FW             net
#open SMPT port from firewall to internet for all IP
SMTP/ACCEPT     $FW             net
#open HTTP port from firewall to internet for all IP
HTTP/ACCEPT     $FW             net
#open DNS port from firewall to internet for all IP
DNS/ACCEPT      $FW             net
#open HTTP port from internet to firewall for all IP
HTTP/ACCEPT     net             $FW
#open HTTPS port from internet to firewall for all IP
HTTPS/ACCEPT    net             $FW
#open SSH port from internel to firewall for all IP
SSH/ACCEPT      net             $FW
#open 2812 port for 84.98.52.83 IP from internet to firewall and firewall to internet
ACCEPT          net:84.98.52.83        $FW     tcp     2812
ACCEPT          $FW             net:84.84.52.83 tcp   2812
#open FTP port for IP 84.98.52.83 from internet to firewall and firewall to internet
FTP/ACCEPT      net             $FW
FTP/ACCEPT      $FW             net

#open mysql port from internet to firewall
MySQL/ACCEPT    net             $FW

#you can specify range of port to open
ACCEPT          net             $FW     tcp     3000:3333     #FTPS passive port range

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Edit firewall configuration to enable startup

 # vi /etc/shorewall/shorewall.conf

Find the line: STARTUP_ENABLED and replace No with YES

 STARTUP_ENABLED=Yes

Save existing firewall rules
Use iptables-save command to dump the contents of an IP Table in easily parseable format to screen or a file:

# iptables-save > /root/old.firewall.config

Starting shorewall

However, I recommend that you use the following commands to save and disable iptables service on CentOS/RHEL:

# service iptables save
# service iptables stop
# chkconfig iptables off

Before starting shorewall always run check to verify error

 # shorewall check

sample output:

[root@sudoadmin ~]# shorewall check
Checking using Shorewall 5.0.12...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
Checking MAC Filtration -- Phase 2...
Applying Policies...
Checking /usr/share/shorewall/action.Drop for chain Drop...
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
Shorewall configuration verified

How do I start / stop / restart shorewall?
Type the following commands (warning poorly configured firewall rules may block out your remote access including ssh, so be careful when you type the following commands):

# service shorewall start
# service shorewall status
# service shorewall stop
# service shorewall restart

OR
# /etc/init.d/shorewall start
# /etc/init.d/shorewall status
# /etc/init.d/shorewall stop
# /etc/init.d/shorewall restart

To turn on shorewall at boot time, enter:

# chkconfig shorewall on

How do I list firewall rules?
Type the following command:

# iptables -n -L

or

# shorewall show
# shorewall show | less

How do I see the IP connections currently being tracked by the firewall?

# shorewall show connections

How do I see firewall logs?

# shorewall show hits
# shorewall show hits|less

How do I displays my kernel/iptables capabilities?

# shorewall show capabilities

How do I list all macros?

# shorewall show macros
# shorewall show Web

Source: www.shorewall.net
Source: http://www.shorewall.net/shorewall_setup_guide.htm#

4
Leave a Reply

avatar
3 Comment threads
1 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
4 Comment authors
Pramey MayekarHitesh SatarkarX-Fire Recent comment authors
  Subscribe  
newest oldest most voted
Notify of
Anonymous
Guest
Anonymous

woah I like your website. It really helped me with the info I was looking for. Appreciate it, will bookmark.

Pramey Mayekar
Guest
Pramey Mayekar

Very useful thank you!!

X-Fire
Guest
X-Fire

Hi. And we need a repo for updates. The one I know baseurl = http://mirror.sysadminguide.net/shorewall is dead. Can you provide another one?

Hitesh Satarkar
Admin

Hello, Which version Shorewall are you looking? Also, provide me OS details.
Refer below link to turn on repo for Shorewall.
https://www.sudoadmin.com/install-enable-epel-repo-linux-centosrhelscientific-linux/