This is my basic how-to for the Shorewall firewall on a VPS running Debian 5 / Ubuntu 9
http://www.shorewall.net
Prepare your VPS;

Code:
apt-get update
apt-get upgrade -y

Install Shorewall;

Code:
apt-get install shorewall

The files and directories you will be working with are:
/etc/shorewall
/etc/default/shorewall
/usr/share/shorewall
/usr/share/shorewall-shell
There are also some examples and manuals in /usr/share/doc/shorewall*
Shorewall is now installed, well done, go get a beer and chill.
That's it.... joke, if only.
Now you need to set up the interfaces, zones, policy, rules and blacklist.

Code:
cd /etc/shorewall
dir

output;

Code:
Makefile  shorewall.conf

shorewall.conf is your config file and there is only really one edit that you need to make to get started.

Code:
vi /etc/shorewall/shorewall.conf

find

Code:
DISABLE_IPV6=

make sure it says

Code:
DISABLE_IPV6=No

This disables IPv6 support; it seems backwards, but it does.
There is a redundant file that needs removing to stop some errors being reported later, but let's rename and move it instead, just in case...

Code:
cp /etc/modprobe.conf /etc/modprobe.d/was-modprobe.conf
rm /etc/modprobe.conf

Now to set up the firewall.

interfaces; /etc/shorewall/interfaces (the file name is plural; Shorewall does not read a file called 'interface')
First we need to find the name of our interface

Code:
ip route ls

output;

Code:
192.0.2.1 dev venet0  scope link
default via 192.0.2.1 dev venet0

The name of the external interface is written directly after "dev", and in my case it is 'venet0'.
Now we have our dev name we can create the interfaces file

Code:
vi /etc/shorewall/interfaces

and add the following;

Code:
###############################################################################
#ZONE    INTERFACE    BROADCAST          OPTIONS
*net     **venet0          ***detect/99.198.122.55,99.198.122.56       ****blacklist
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

REMOVE THE STARS.... * ** *** **** (they only mark the notes below)

*net
This is the name we are going to give to the interface for future reference in rules and zones.
net could have been joan, matthew, peter or ihateu; it is just a name, but net makes good sense.

**venet0
is the dev name and needs to match the output of 'ip route ls'.

***detect/99.198.122.55,99.198.122.56
here you have 2 options;
detect - will detect your external IP
or
a comma (,) separated IP list - a list of your IPs
Use just one or the other:
detect/ - bad
/12.24.36.48 - bad
I use
99.198.122.55,99.198.122.56
99.198.122.55 on its own will also work, but obviously only for that one IP.

****blacklist
another comma separated list of options to apply to this interface. In this tutorial I shall only focus on getting the ALLOW/macro names working, plus the blacklist option mentioned here.

here it is again without the stars;

Code:
###############################################################################
#ZONE    INTERFACE    BROADCAST          OPTIONS
net     venet0          99.198.122.55,99.198.122.56       blacklist
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
zones; /etc/shorewall/zones

Code:
vi /etc/shorewall/zones

and add the following

Code:
###############################################################################
#ZONE    TYPE        OPTIONS        IN            OUT
fw    firewall
net    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

If you used joan, matthew, peter or ihateu instead of net, change it in your file, but that is the ONLY change you can make.
fw is coded into the installed scripts and is non-negotiable.
policy; /etc/shorewall/policy

Code:
vi /etc/shorewall/policy

and add the following

Code:
###############################################################################
#SOURCE        DEST        POLICY        LOG        LIMIT:BURST
#                        LEVEL
$FW        net        ACCEPT        info
# No "net $FW ACCEPT" line here: a policy applies to every connection that
# no entry in the rules file matched, so it would let the net zone reach
# every port on the firewall and the per-port ACCEPT rules would restrict
# nothing.
net        all        DROP        info
all        all        REJECT      info
#LAST LINE -- DO NOT REMOVE

Again, no change other than that one 'net' name.
This is the default policy for the firewall and it will always do this if there are no rules stating otherwise.
rules; /etc/shorewall/rules

Code:
vi /etc/shorewall/rules

and add the following

Code:
#######################################################################################################
#ACTION SOURCE          DEST     PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
#                                        PORT(S) PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT    net    $FW    udp    1234
ACCEPT    net    $FW    tcp    2345
HTTP/ACCEPT     net   $FW
HTTPS/ACCEPT    net   $FW
IMAP/ACCEPT     net   $FW
IMAPS/ACCEPT    net   $FW
MySQL/ACCEPT    net   $FW
POP3/ACCEPT     net   $FW
POP3S/ACCEPT    net   $FW
SMTP/ACCEPT     net   $FW
SMTPS/ACCEPT    net   $FW
SSH/ACCEPT      net   $FW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

In the above example I have manually opened 2 ports and then used macros to manage the other protocols.
Macros are available in the following folder
/usr/share/shorewall
Remove the "macro." from the file name and add what is left to the ACTION column in your rules to use it.
If you wanted to change your default SSH port to 222 instead of 22 you could just edit the macro.SSH file to reflect this, or you could add the port to the rules. Editing the macro makes most sense to me.
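Two things in the policy and rules files are easy to get wrong without any error message: a policy line that accepts everything from net into the firewall (which makes every per-port ACCEPT rule pointless), and a macro name in the ACTION column that has no matching macro.NAME file. The script below is an added example of my own, not part of the original post or of Shorewall; it takes the policy file, the rules file and the macro directory as arguments (so it can be pointed at a scratch copy), assumes the internet zone is called net unless told otherwise, and ends with a demo on constructed files showing the weak policy beside the corrected one.

```shell
#!/bin/sh
# Added example, not from the original post or from Shorewall itself.
# Usage: check_policy /etc/shorewall/policy [zone]
#        check_rules_macros /etc/shorewall/rules /usr/share/shorewall
#        open_ports /etc/shorewall/rules
# Paths are arguments so the checks can run on a scratch copy before
# "shorewall restart"; nothing here calls shorewall.

# check_policy FILE [ZONE]
# Returns 1 if ZONE (default net) -> $FW or -> all is ACCEPT, or if the last
# policy is not a catch-all "all all REJECT|DROP". A policy only applies to
# connections that matched no rule, so "net $FW ACCEPT" accepts every port
# the rules file does not mention and the per-port ACCEPT rules restrict
# nothing.
check_policy() {
    awk -v zone="${2:-net}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == zone && ($2 == "$FW" || $2 == "all") && toupper($3) == "ACCEPT" {
            printf "policy: \"%s %s %s\" accepts all inbound traffic by default\n", $1, $2, $3
            bad = 1
        }
        { last = $0 }
        END {
            n = split(last, f)
            if (n < 3 || f[1] != "all" || f[2] != "all" || (toupper(f[3]) != "REJECT" && toupper(f[3]) != "DROP")) {
                print "policy: last entry should be \"all all REJECT\" (or DROP)"
                bad = 1
            }
            exit bad + 0
        }' "$1"
}

# check_rules_macros FILE MACRODIR
# Every ACTION written as NAME/ACCEPT (or NAME/DROP, ...) needs MACRODIR/macro.NAME;
# a missing one makes "shorewall check" fail at compile time.
check_rules_macros() {
    rc=0
    for name in $(awk '!/^[ \t]*#/ && $1 ~ /\// { split($1, a, "/"); print a[1] }' "$1"); do
        if [ ! -f "$2/macro.$name" ]; then
            echo "rules: no macro.$name in $2"
            rc=1
        fi
    done
    return $rc
}

# open_ports FILE
# Lists proto/port for the plain ACCEPT entries (what the macros add on top
# of these lives in the macro files).
open_ports() {
    awk '!/^[ \t]*#/ && toupper($1) == "ACCEPT" && NF >= 5 { print $4 "/" $5 }' "$1"
}

# Demo on constructed files: the weak policy beside the corrected one.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/macros"
    : > "$tmp/macros/macro.SSH"
    : > "$tmp/macros/macro.HTTP"
    printf '%s\n' '$FW net ACCEPT info' 'net $FW ACCEPT info' \
        'net all DROP info' 'all all REJECT info' > "$tmp/policy.weak"
    printf '%s\n' '$FW net ACCEPT info' 'net all DROP info' \
        'all all REJECT info' > "$tmp/policy.fixed"
    printf '%s\n' 'SECTION NEW' 'ACCEPT net $FW udp 1234' 'ACCEPT net $FW tcp 2345' \
        'SSH/ACCEPT net $FW' 'HTTP/ACCEPT net $FW' 'MySQL/ACCEPT net $FW' > "$tmp/rules"
    check_policy "$tmp/policy.weak"  || echo "weak policy rejected, as expected"
    check_policy "$tmp/policy.fixed" && echo "fixed policy is fine"
    check_rules_macros "$tmp/rules" "$tmp/macros" || echo "(MySQL macro is missing from the scratch dir)"
    open_ports "$tmp/rules"
    rm -rf "$tmp"
}

demo
```

Run it on the real files with `check_policy /etc/shorewall/policy` and `check_rules_macros /etc/shorewall/rules /usr/share/shorewall` before the restart; if you renamed the net zone, pass the name as the second argument to check_policy.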
blacklist; /etc/shorewall/blacklist

Code:
vi /etc/shorewall/blacklist

and add the following

Code:
12.24.36.48
15.30.46.60

Add whatever IPs you do not want to have access to your VPS in this file, one per line, and they will be denied access.
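The interfaces and blacklist files are the two places where a typo silently does the wrong thing: a BROADCAST column written as 'detect/1.2.3.4' or '/1.2.3.4' (the bad forms above), a blacklist line that is not an address at all, or one that covers every source. The script below is an added example of my own, not part of the original post or of Shorewall; it lints both files with plain sh and awk, takes the file paths as arguments so it can run on a scratch copy, and ends with a demo on constructed copies of the files from this post, one clean and one carrying those mistakes.

```shell
#!/bin/sh
# Added example, not from the original post or from Shorewall itself.
# Usage: check_interfaces /etc/shorewall/interfaces
#        check_blacklist  /etc/shorewall/blacklist
# Plain sh + awk; run it on the files before "shorewall restart".

# is_ipv4 STRING: 0 if STRING is a dotted quad with each octet 0-255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# is_ipv4_entry STRING: 0 if STRING is an address or address/prefix (0-32)
is_ipv4_entry() {
    case $1 in
        */*) prefix=${1#*/}
             case $prefix in ''|*[!0-9]*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    is_ipv4 "${1%%/*}"
}

# check_interfaces FILE
# Each entry is ZONE INTERFACE BROADCAST [OPTIONS]. BROADCAST must be
# "detect", "-", empty, or a comma separated list of addresses; the mixed
# forms "detect/1.2.3.4" and "/1.2.3.4" are rejected, as is any non-address.
check_interfaces() {
    rc=0
    while read -r zone iface bcast opts; do
        case $zone in ''|\#*) continue ;; esac
        if [ -z "$iface" ]; then
            echo "interfaces: zone '$zone' has no INTERFACE"; rc=1; continue
        fi
        case $bcast in
            ''|detect|-) ;;
            */*|*detect*)
                echo "interfaces: bad BROADCAST '$bcast' (use detect OR an address list, not both)"; rc=1 ;;
            *)  oldifs=$IFS; IFS=,
                for a in $bcast; do
                    is_ipv4 "$a" || { echo "interfaces: '$a' is not an IPv4 address"; rc=1; }
                done
                IFS=$oldifs ;;
        esac
    done < "$1"
    return $rc
}

# check_blacklist FILE
# One address or CIDR block per line. Malformed lines and a /0 block (which
# matches every source, so with the "blacklist" interface option it would
# drop every new inbound connection) fail the check; duplicates are reported.
check_blacklist() {
    rc=0; seen=''
    while read -r entry rest; do
        case $entry in ''|\#*) continue ;; esac
        if ! is_ipv4_entry "$entry"; then
            echo "blacklist: '$entry' is not an IPv4 address or CIDR block"; rc=1; continue
        fi
        case $entry in */0) echo "blacklist: '$entry' matches every source"; rc=1 ;; esac
        case " $seen " in *" $entry "*) echo "blacklist: duplicate '$entry'" ;; esac
        seen="$seen $entry"
    done < "$1"
    return $rc
}

# Demo on constructed copies of the files from the post, clean and broken.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '#ZONE INTERFACE BROADCAST OPTIONS' \
        'net venet0 99.198.122.55,99.198.122.56 blacklist' > "$tmp/interfaces.good"
    printf '%s\n' 'net venet0 detect/99.198.122.55 blacklist' \
        'net venet0 /12.24.36.48 blacklist' > "$tmp/interfaces.bad"
    printf '%s\n' '12.24.36.48' '15.30.46.60' > "$tmp/blacklist.good"
    printf '%s\n' '12.24.36.48' '300.1.1.1' '0.0.0.0/0' '12.24.36.48' > "$tmp/blacklist.bad"
    for f in interfaces.good interfaces.bad; do
        check_interfaces "$tmp/$f" && echo "$f: ok"
    done
    for f in blacklist.good blacklist.bad; do
        check_blacklist "$tmp/$f" && echo "$f: ok"
    done
    rm -rf "$tmp"
}

demo
```

A non-zero exit from either function means fix the file before restarting; the duplicate notice in check_blacklist is informational only and does not change the exit status.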
The last thing to do is enable the firewall to start on boot.

Code:
vi /etc/default/shorewall

find

Code:
startup=0

change it to

Code:
startup=1

start the firewall

Code:
shorewall start

is the firewall running?

Code:
shorewall status

apply those new rules / blacklist

Code:
shorewall refresh

apply any / all changes

Code:
shorewall restart

what is my firewall capable of right now?

Code:
shorewall show capabilities

Remember, if you screw up, just edit /etc/default/shorewall back to startup=0 and try again.
BTW if this all goes horribly wrong for you it is your fault for following the blind man...