What is Shorewall & How To Install it On Linux


Shorewall is a front-end command line environment, that uses a number of text files for its configuration. Shorewall is an open source software published under GNU General Public License. It is a gateway/firewall configuration tool for Linux. It is a robust firewall system, which can be used over a network of system. In this article, we will learn the procedures to install Shorewall.
Here we use two-interface configuration, that consists of a system with two Ethernet ports.

To install Shorewall

For Debian/Ubuntu/Linux Mint
Run the following command to install Shorewall.
$ sudo apt-get install shorewall6
For RHEL/CentOS/Fedora
Run the below command to install Shorewall.
[root@athuljith.com ~]# yum install shorewall6
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: centos.excellmedia.net
* epel: ftp.cuhk.edu.hk
* extras: centos.excellmedia.net
* updates: centos.excellmedia.net
Resolving Dependencies
--> Running transaction check
---> Package shorewall6.noarch 0:4.6.5.3-1.el7 will be installed
.
.
.
Installed:
shorewall6.noarch 0:4.6.5.3-1.el7

Dependency Installed:
shorewall-core.noarch 0:4.6.5.3-1.el7

Complete!
Then copy a sample configuration from the /usr/share/doc/shorewall6‘ directory to the default directory Shorewall ‘/etc/shorewall6‘.
[root@athuljith.com ~]# cp /usr/share/doc/shorewall6-4.6.5.3/Samples6/two-interfaces/* /etc/shorewall6/
cp: overwrite ‘/etc/shorewall6/interfaces’? y
cp: overwrite ‘/etc/shorewall6/policy’? y
cp: overwrite ‘/etc/shorewall6/rules’? y
cp: overwrite ‘/etc/shorewall6/shorewall6.conf’? y
cp: overwrite ‘/etc/shorewall6/stoppedrules’? y
cp: overwrite ‘/etc/shorewall6/zones’? y
Next go to the ‘/etc/shorewall6’ directory.
[root@athuljith.com ~]# cd /etc/shorewall6
Now look at the ‘/etc/shorewall6/zones‘ file.
There are three zones defined by default namely net, loc, and all.
The net zone is internet facing interface, the loc zone, which is LAN facing interface and all includes everything.
[root@athuljith.com shorewall6]# vim zones
Open the policy file to set the policies for interfaces.
[root@athuljith.com shorewall6]# vim policy

Policies of this setup:

  • Allows all connection requests from the loc zone to the net zone
  • Removes all connection requests from the net zone to the firewall and also the LAN
  • Rejects all the connections

To configure the interfaces

To configure the interfaces, you need to edit ‘/etc/shorewall6/interfaces‘ file.
[root@athuljith.com shorewall6]# vim interfaces
Explanation of the interface options:
routefilter – it is a kernel route filtering for anti-spoofing.
logmartians – it is a log packets with the impossible source address.
nosmurfs – it is a filter packets with the broadcast address as source.
Run the following command to know more information about the interfaces.
[root@athuljith.com shorewall6]# man shorewall6-interfaces
Now, define the rules in ‘/etc/shorewall6/rules’ file.
[root@athuljith.com shorewall6]# vim rules
When you run the SSH server behind the system’s firewall with the IP 192.168.5.196. It opens up a port in your firewall. The firewall sends the traffic arriving on port 22 to the machine at 192.168.5.196. This is known as Port Forwarding.
When any SSH packets arrives from the net zone to the firewall, it redirects the packets to the  IP 192.168.5.196 via port 22 and this process is called Network Address Translation or NAT.
To attain this enter this entry SSH(DNAT) net loc:192.168.5.196 into the file ‘/etc/shorewall6/rules’.
[root@athuljith.com shorewall6]# vim rules
So it's that simple. Make your firewall something strong today.