Quickly configure shorewall on Debian

By definition shorewall is not a firewall, it is a way to (more) easily configure iptables to work as a firewall.

  • First install shorewall “$ apt-get intall shorewall”
  • Enter /etc/shorewall
  • Copy the example files from /usr/share/doc/shorewall-common/default-config/ (might also be located in /usr/share/doc/shorewall/default-config/) “$ cp /usr/share/doc/shorewall-common/default-config/* .”
  • Edit the files and enter the data that your system has
    • First create zones “$ nano zones”
       #ZONE   TYPE            OPTIONS         IN OPTIONS                OUT OPTIONS
      fw      firewall
      net     ipv4
      vpn     ipv4
    • Connect zones with interfaces”$ nano interfaces”
       #ZONE   INTERFACE       BROADCAST       OPTIONS
      net     eth0            detect          tcpflags,blacklist,dhcp
      vpn	tun0		-
    • Create policies “$ nano policy”
       #SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
      fw              net             ACCEPT
      vpn             net             ACCEPT
      vpn             fw              ACCEPT
      fw              vpn             ACCEPT
      net             all             DROP            info
      all             all             DROP            info
    • Create rules “$ nano rules”
       #ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
      #                                               PORT(S) PORT(S)         DEST            LIMIT           GROUP
      ACCEPT          net             fw             tcp     22 # ssh
      ACCEPT          net             fw             tcp     80 # web
    • Verify that the rules are fine “$ shorewall check”
    • Edit /etc/default/shorewall and set startup to 1
       # prevent startup with default configuration
      # set the following varible to 1 in order to allow Shorewall to start
       
      startup=1
    • Start the firewall “$ /etc/init.d/shorewall start”

If you later decide to update rules, zones etc run “$ /etc/init.d/shorewall restart” to load the changes.