Shorewall

Shorewall is an abstraction layer over the Netfilter (iptables) configuration. It lets you describe the rules you want applied to a machine (a personal computer, a dedicated firewall, a gateway, and so on) through a set of configuration files.

For an easy way to configure Shorewall, consider installing Webmin as well.

Throughout this howto, we'll set up an IPv4 gateway with NAT as well as an IPv6 firewall. We won't cover the Shorewall Lite features that allow you to centralise the management of several firewalls.

Network topology
Macro view:


 * We connect to the Internet through an Ethernet modem.
 * The gateway establishes a permanent connection to the Internet through the modem with PPPoE.
 * The gateway serves DHCP, DNS, SSH, Subversion and Samba shares to the LAN, as well as transparent Internet access.
 * The switch is a basic switch with no advanced features.
 * The workstations are contemporary and support IPv4 as well as IPv6. Only Wk5 has IPv6 enabled.

The networks are set as follows:

The LAN is served with DHCP (IPv4 configuration) and Radvd (IPv6 stateless configuration).

Objectives
We want:
 * To provide transparent Internet access to the LAN
 * To route IPv6 traffic in the Sixxs.net IPv6 tunnel
 * To route IPv4 traffic through our ISP
 * To provide local services to the LAN
 * To provide OpenVPN services to the Internet
 * To provide Bittorrent services to Wk5

We assume:
 * Internet is working: the gateway can reach it without problem.
 * A new computer plugged into the switch retrieves a correct IP and DNS configuration.
 * If it is IPv6 enabled, it also gets immediate access to and from the Internet.
 * If it is IPv4 enabled, it doesn't get access to and from the Internet.

We are going to set up, through the firewall configuration:
 * Network Address Translation (NAT) for IPv4 hosts (so they can reach the Internet and use Bittorrent)
 * Strict firewalling of IPv6 traffic (IPv6 hosts can be reached directly from the Internet, with no NAT in the way)
 * Allow connection to the LAN services from the LAN only
 * Allow connection to the Internet services from the Internet only

= Installing Shorewall =

Kernel configuration
Refer to the Shorewall documentation, which seems to be kept up to date for the different kernel versions.

Install IPv4
Read the Portage notices carefully and take any appropriate action.

Install IPv6
Read the Portage notices carefully and take any appropriate action.

= Configuration =

Configuration files
Shorewall configuration files are stored in and. For extra information, read the Shorewall Setup Guide.

Setting up the zones
Shorewall rules are based on zones. Each zone corresponds to an area with a different level of sensitivity. We have:
 * The Internet IPv4
 * The Internet IPv6
 * The LAN IPv4
 * The LAN IPv6
 * The Modem

Defining the policies
For each source and destination zone, you can define a policy. A policy determines the action taken when no rule matches: it is the default behaviour.

We want to be silent towards the Internet, because who knows who is scanning broad ranges of IPs for live hosts (turn on the stats and you'll see how often you are the target of unknown people): so we are going to drop everything by default. On our LAN, however, we are among friendly fellows and we'll politely reject connections. The same goes for the modem.

We also set limits on new connections in order to avoid floods: floods from the outside, but also from the inside, since we are protecting others as well as ourselves. Feel free to adjust or remove them. For instance, we're able to open
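As an added example (not from the original page), the zones and policies described above can be staged into a directory and sanity-checked before being copied to /etc/shorewall and /etc/shorewall6. The zone names fw, net, loc and modem, the LIMIT:BURST value 10/sec:20 and the function names are assumptions; the generated files are ordinary Shorewall zones and policy files.

```shell
#!/bin/sh
# Added example, not from the original page. Stage the zones and policy
# files for shorewall (IPv4) and shorewall6 (IPv6) into "$1" and check them.
# Zone names (fw, net, loc, modem) and the 10/sec:20 rate limit are assumed.

write_zones_and_policies() {
    dir="$1"
    mkdir -p "$dir/shorewall" "$dir/shorewall6"

    # IPv4 zones: the firewall itself, the Internet, the LAN and the modem.
    cat > "$dir/shorewall/zones" <<'EOF'
#ZONE   TYPE       OPTIONS
fw      firewall
net     ipv4
loc     ipv4
modem   ipv4
EOF

    # IPv6 zones: the modem is IPv4 only, so it has no IPv6 zone.
    cat > "$dir/shorewall6/zones" <<'EOF'
#ZONE   TYPE       OPTIONS
fw      firewall
net     ipv6
loc     ipv6
EOF

    # Policies: silent DROP towards the Internet, polite REJECT on the LAN
    # and modem side. LIMIT:BURST caps the rate of new connections for that
    # policy. Entries are matched in order, so the "all all" catch-all must
    # stay last: anything placed after it would never be reached.
    cat > "$dir/shorewall/policy" <<'EOF'
#SOURCE  DEST    POLICY   LOG LEVEL   LIMIT:BURST
$FW      net     ACCEPT   -           10/sec:20
loc      net     ACCEPT   -           10/sec:20
net      all     DROP     info
modem    all     REJECT   info
all      all     REJECT   info
EOF

    cat > "$dir/shorewall6/policy" <<'EOF'
#SOURCE  DEST    POLICY   LOG LEVEL   LIMIT:BURST
$FW      net     ACCEPT   -           10/sec:20
loc      net     ACCEPT   -           10/sec:20
net      all     DROP     info
all      all     REJECT   info
EOF
}

# Return 0 when the last active entry of a policy file is the "all all"
# catch-all, 1 otherwise.
catch_all_is_last() {
    last=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | tail -n 1)
    case "$last" in
        all*all*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Return 0 when every zone named in a policy file (other than "all" and
# "$FW") is declared in the matching zones file, 1 on the first unknown one.
zones_declared() {
    zones_file="$1"; policy_file="$2"
    for z in $(grep -v '^[[:space:]]*#' "$policy_file" | awk 'NF {print $1; print $2}' | sort -u); do
        case "$z" in all|'$FW') continue ;; esac
        grep -q "^$z[[:space:]]" "$zones_file" || { echo "undeclared zone: $z" >&2; return 1; }
    done
    return 0
}
```

Run `write_zones_and_policies /tmp/stage` and the two checks on the result; only copy the files into place once both return 0.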

PPP tunnel setting
We connect to the Internet through the modem with PPP. Change the CLAMPMSS setting:

Interfaces summary

 * eth0 connects to the LAN
 * eth3 connects to the modem
 * ppp0 connects to the Internet
 * sixxs connects to the IPv6 Internet

IPv4 NAT Masquerade
In our case, the Internet interface is ppp0 and the LAN is on the network 192.168.55.0/24. So we tell Shorewall we want masquerading to work:
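As an added example (not from the original page), the CLAMPMSS setting, the interfaces files and the masq entry from the last three sections can be staged with the shell functions below. The interface-to-zone mapping and the LAN network come from the page; the zone names, the interface options and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Stage shorewall.conf's CLAMPMSS
# setting, the interfaces files and the IPv4 masq file for the topology above
# (eth0 = LAN, eth3 = modem, ppp0 = IPv4 Internet, sixxs = IPv6 tunnel,
# LAN 192.168.55.0/24). Zone names and interface options are assumptions.

# Set KEY=VALUE in a shorewall.conf-style file: replace an existing
# assignment (even a commented-out one) or append it when the key is absent.
# No "sed -i", so it also runs on BSD-style sed.
set_conf_option() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^#\{0,1\}[[:space:]]*$key=" "$file"; then
        sed "s|^#\{0,1\}[[:space:]]*$key=.*|$key=$value|" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Read KEY's current value from a conf file (empty if unset).
get_conf_option() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

write_interfaces_and_masq() {
    dir="$1"
    mkdir -p "$dir/shorewall" "$dir/shorewall6"

    # PPPoE lowers the MTU below 1500. With CLAMPMSS=Yes Netfilter rewrites
    # the TCP MSS of forwarded SYN packets to fit the path MTU, so LAN hosts
    # behind the gateway don't stall on large transfers.
    touch "$dir/shorewall/shorewall.conf"
    set_conf_option "$dir/shorewall/shorewall.conf" CLAMPMSS Yes

    # IPv4 interfaces. "dhcp" on eth0 lets the gateway's dhcpd talk to the
    # LAN; tcpflags/nosmurfs/routefilter are sanity checks on incoming packets.
    cat > "$dir/shorewall/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           tcpflags,nosmurfs
loc     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter
modem   eth3        -
EOF

    # IPv6 interfaces (shorewall6 has no BROADCAST column).
    cat > "$dir/shorewall6/interfaces" <<'EOF'
#ZONE   INTERFACE   OPTIONS
net     sixxs       tcpflags
loc     eth0        tcpflags
EOF

    # Masquerade LAN traffic leaving through ppp0 (the Source NAT entry).
    cat > "$dir/shorewall/masq" <<'EOF'
#INTERFACE   SOURCE             ADDRESS
ppp0         192.168.55.0/24
EOF
}

# Print the zone an interface is assigned to in an interfaces file
# (nothing if the interface is not listed).
zone_of() {
    awk -v ifc="$2" '!/^[[:space:]]*#/ && $2 == ifc { print $1; exit }' "$1"
}
```

`set_conf_option` is deliberately idempotent: running it twice, or against a shorewall.conf that still carries the distribution's commented-out `#CLAMPMSS=No`, leaves exactly one `CLAMPMSS=Yes` line.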

Opening the gates
In the previous steps, we defined the zones and closed every possible connection. Now we're going to allow the traffic we want to use.

A Word About Macros
Shorewall offers some macros. You can list them with (in bash):

Each of them defines a service, which saves redefining each port through an ACCEPT rule. For instance, to allow Samba (Microsoft network sharing), we use the macro and write in the rules:

which would be equivalent to:

Setting up NAT (IPv4)
NAT only exists in IPv4; IPv6 has enough addresses to make it unnecessary. You don't need NAT to achieve security and filtering.

Source NAT
SNAT lets your LAN pass through the router to the Internet. In our case, we wish to allow the LAN to go everywhere.


 * is your outgoing (Internet) interface.
 * should be the network address and netmask of your LAN (the one allowed to go outside).

Destination NAT
DNAT is used to go from the Internet to a local machine. Here, we redirect some ports to run BitTorrent on wk5. Add the following line to your rules in the :
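As an added example (not from the original page), here is a rules file for the services listed in the objectives, written with the macros discussed in "A Word About Macros", the explicit form that the SMB macro roughly expands to, and a pre-flight check that every macro referenced in a rules file actually ships with the installation (a typo in a macro name otherwise only shows up when Shorewall compiles the configuration). Assumptions not on the page: zone names net and loc, wk5 at 192.168.55.5, Subversion served by svnserve on tcp/3690, and all function names.

```shell
#!/bin/sh
# Added example, not from the original page. The rules file for the
# services listed in the objectives, written with Shorewall macros, plus a
# pre-flight check that every macro referenced actually exists. Assumptions:
# zone names net/loc, wk5 at 192.168.55.5, Subversion (svnserve) on tcp/3690.

write_rules() {
    cat > "$1" <<'EOF'
#ACTION           SOURCE   DEST                PROTO   DEST PORT(S)
# LAN services: reachable from the LAN only (DHCP needs no rule here, it is
# handled by the "dhcp" option on the LAN interface)
DNS(ACCEPT)       loc      $FW
SSH(ACCEPT)       loc      $FW
SMB(ACCEPT)       loc      $FW
ACCEPT            loc      $FW                 tcp     3690
# Internet services: reachable from the Internet only
OpenVPN(ACCEPT)   net      $FW
# BitTorrent for wk5: forward the incoming ports to the workstation
DNAT              net      loc:192.168.55.5    tcp     6881:6889
DNAT              net      loc:192.168.55.5    udp     6881
EOF
}

# Roughly what "SMB(ACCEPT) loc $FW" expands to; /usr/share/shorewall/macro.SMB
# is the authoritative list on your installation.
write_smb_expanded() {
    cat > "$1" <<'EOF'
#ACTION   SOURCE   DEST    PROTO   DEST PORT(S)   SOURCE PORT(S)
ACCEPT    loc      $FW     udp     135,445
ACCEPT    loc      $FW     udp     137:139
ACCEPT    loc      $FW     udp     1024:          137
ACCEPT    loc      $FW     tcp     135,139,445
EOF
}

# Print the macro names used in a rules file, one per line ("SSH" for an
# "SSH(ACCEPT)" action), ignoring comments and plain actions such as ACCEPT.
macros_used() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF {print $1}' |
        sed -n 's/^\([A-Za-z0-9_]*\)(.*$/\1/p' | sort -u
}

# Return 0 when every macro used in RULES has a macro.NAME file in MACRODIR
# (/usr/share/shorewall on a real system), 1 on the first missing one.
macros_exist() {
    macrodir="$1"; rules="$2"
    for m in $(macros_used "$rules"); do
        [ -f "$macrodir/macro.$m" ] || { echo "missing macro: $m" >&2; return 1; }
    done
    return 0
}

# List the macros shipped with Shorewall (the bash one-liner the text
# refers to, with the directory made overridable for testing).
list_macros() {
    ls "${1:-/usr/share/shorewall}"/macro.* 2>/dev/null | sed 's/.*macro\.//'
}
```

Typical use: `write_rules /tmp/stage/rules && macros_exist /usr/share/shorewall /tmp/stage/rules` before copying the file into /etc/shorewall.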

Review shorewall(6?).conf
Go through and with the man page. Set them according to your logging preferences.

= Making it run =

Start it!
To avoid bad surprises, it's good practice to use the try command instead of (re)start.

Adding it at startup
Currently, if you add both shorewall and shorewall6, there’s a conflict and it won’t start shorewall6 because shorewall already provides a firewall. As I haven’t got the time to investigate, I edited my init.d/shorewall6 script.

Troubleshooting

 * To troubleshoot, it's advisable to have a good understanding of how Netfilter works. A very useful output can be obtained with:


 * Reset your firewall to full ACCEPT policy and no rule:


 * After a PPP disconnection, my gateway doesn't work anymore. I read somewhere that you need to restart Shorewall after a change of IP on an interface. For the time being, I trust it depends on the rules you've set. But, just in case it happens, you may add a shell script in to make a.
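As an added example (not from the original page), the following shell helpers cover the "try" start, the two troubleshooting items and the PPP-reconnection point above. They assume the Shorewall command-line tool is at /sbin/shorewall (use shorewall6 for the IPv6 side), that pppd on this Gentoo box runs the scripts in /etc/ppp/ip-up.d with the interface name as the first argument, and that the directory passed to `install_ppp_hook` stands in for /etc/ppp; the function names are assumptions too.

```shell
#!/bin/sh
# Added example, not from the original page. Helpers for starting Shorewall
# safely, inspecting or clearing the live ruleset, and restarting it after
# a PPP reconnection. Assumes /sbin/shorewall and Gentoo's /etc/ppp/ip-up.d.

# Compile the configuration without installing it, then load it with "try":
# if the new ruleset fails, Shorewall restores the previous state instead of
# leaving the box without a firewall. With a timeout, the previous state is
# restored again after that many seconds, so a remote admin who gets locked
# out is let back in; once the new rules are verified, commit them with a
# normal "shorewall restart". See shorewall(8) for the exact try semantics
# of your version.
safe_restart() {
    /sbin/shorewall check /etc/shorewall && /sbin/shorewall try /etc/shorewall 60
}

# The raw Netfilter view with packet/byte counters, then Shorewall's own
# dump (ruleset, zones, interfaces, conntrack table): the output to read
# when a packet is not going where you expect.
show_ruleset() {
    iptables -L -v -n
    /sbin/shorewall dump
}

# Remove every Shorewall rule and chain so the host is wide open (ACCEPT
# everything) while you isolate a connectivity problem. Bring the rules
# back with "shorewall start" afterwards.
open_firewall() {
    /sbin/shorewall clear
}

# Install a pppd ip-up hook that restarts Shorewall whenever ppp0 comes up
# again, possibly with a different address. "$1" is the /etc/ppp directory
# (a staging directory when testing).
install_ppp_hook() {
    hookdir="$1/ip-up.d"
    mkdir -p "$hookdir"
    cat > "$hookdir/shorewall" <<'EOF'
#!/bin/sh
# pppd calls ip-up scripts as: IFNAME TTY SPEED LOCAL-IP REMOTE-IP IPPARAM
[ "$1" = "ppp0" ] || exit 0
/sbin/shorewall restart
EOF
    chmod 755 "$hookdir/shorewall"
}
```

The hook checks the interface name first so that other PPP links (an OpenVPN or dial-up device, say) coming up do not trigger a firewall restart.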