Shorewall – Firewall

CentOS – Install and Configure Shorewall

Add the EPEL repository, which is provided by the Fedora project.
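# Fetch the EPEL 6 signing key and register it with rpm so that packages
# from the repository defined below can be signature-checked (gpgcheck=1).
# The key is downloaded over plain HTTP, so compare its fingerprint with
# the one Fedora publishes before trusting it; use an https mirror when
# one is available. (The original page had "rpm –import" with an en-dash,
# which rpm does not recognise as the --import option.)
wget http://ftp.riken.jp/Linux/fedora/epel/RPM-GPG-KEY-EPEL-6
gpg --with-fingerprint RPM-GPG-KEY-EPEL-6   # check against the published fingerprint
rpm --import RPM-GPG-KEY-EPEL-6
rm -f RPM-GPG-KEY-EPEL-6
vi /etc/yum.repos.d/epel.repo   # create the file with the stanza below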
# create new
[epel]
name=EPEL RPM Repository for Red Hat Enterprise Linux
baseurl=http://ftp.riken.jp/Linux/fedora/epel/6/$basearch/
# gpgcheck=1: every package is verified against the RPM-GPG-KEY-EPEL-6
# key imported above; leave this on.
gpgcheck=1
# enabled=0: the repository is opt-in and only used when a yum command
# passes --enablerepo=epel, so EPEL cannot silently replace base packages.
enabled=0
# when you use the repository, run the yum command as follows

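# Install Shorewall from EPEL; the repository is enabled=0, so it has to be
# switched on for this one command. (The page had "–enablerepo" with an
# en-dash, which yum rejects; the option is spelled with two hyphens.)
yum --enablerepo=epel install shorewall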

Backup and Edit System Control

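# Keep a pristine copy, then enable IPv4 forwarding persistently.
# The pattern tolerates the spacing variants found in sysctl.conf and the
# key is appended if it is absent, so the edit is not silently skipped;
# the running kernel only picks the value up after sysctl -p (or a reboot).
# (The page used curly quotes around the sed expression, which the shell
# does not treat as quotes.)
cp /etc/sysctl.conf /etc/sysctl.conf.orig
sed -i 's/^net\.ipv4\.ip_forward *= *0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
grep -q '^net\.ipv4\.ip_forward *= *1' /etc/sysctl.conf \
  || printf 'net.ipv4.ip_forward = 1\n' >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf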

Backup and Edit Shorewall Zones
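# Keep a pristine copy (suffix .orig, matching the other backups on this
# page), then replace the file's contents with the listing below.
cp /etc/shorewall/zones /etc/shorewall/zones.orig
vi /etc/shorewall/zones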

##
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
# Four zones: the firewall host itself (fw) plus one ipv4 zone for each of
# the three interfaces declared in the interfaces file (net, loc, dmz).
fw firewall
net ipv4
loc ipv4
dmz ipv4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE -- DO NOT REMOVE

Backup and Edit Shorewall Interfaces
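# Keep a pristine copy (suffix .orig, matching the other backups on this
# page), then replace the file's contents with the listing below.
cp /etc/shorewall/interfaces /etc/shorewall/interfaces.orig
vi /etc/shorewall/interfaces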

#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
# net (eth0) gets the full set of packet sanity options; loc (eth1) a subset.
net eth0 detect tcpflags,dhcp,routefilter,nosmurfs,logmartians
loc eth1 detect tcpflags,nosmurfs
# NOTE(review): dmz (eth2) carries no options at all, unlike net and loc;
# confirm that leaving out tcpflags/nosmurfs on the DMZ side is intended.
dmz eth2 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Backup and Edit Shorewall Policy
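# Keep a pristine copy (suffix .orig, matching the other backups on this
# page), then replace the file's contents with the listing below.
cp /etc/shorewall/policy /etc/shorewall/policy.orig
vi /etc/shorewall/policy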

#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# in your DMZ, change the following policy to REJECT info.
loc net ACCEPT
# If you want open access to DMZ from loc, change the following policy
# to ACCEPT. (If you chose not to do this, you will need to add a rule
# for each service in the rules file.)
loc dmz REJECT info
# Only services explicitly opened in the rules file (SSH, ping) reach the
# firewall host from the LAN; everything else is rejected and logged.
loc $FW REJECT info
loc all REJECT info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
$FW net REJECT info
$FW dmz REJECT info
$FW loc REJECT info
$FW all REJECT info
#
# Policies for traffic originating from the De-Militarized Zone (dmz)
#
# If you want open access from DMZ to the Internet change the following
# policy to ACCEPT. This may be useful if you run a proxy server in
# your DMZ.
dmz net REJECT info
dmz $FW REJECT info
dmz loc REJECT info
dmz all REJECT info
#
# Policies for traffic originating from the Internet zone (net)
#
# DROP rather than REJECT here: unsolicited traffic from the Internet gets
# no reply at all, while the internal zones above get an explicit REJECT
# so misconfigured clients fail fast. Every policy is logged at 'info'.
net dmz DROP info
net $FW DROP info
net loc DROP info
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- DO NOT REMOVE

Backup and Edit Shorewall Rules

# Keep a pristine copy, then replace the file's contents with the listing below.
cp /etc/shorewall/rules /etc/shorewall/rules.orig

vi /etc/shorewall/rules

# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
#######################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
# NOTE(review): both SECTION lines below are commented out; confirm that
# this is intended for the Shorewall version in use and not a paste artifact.
#SECTION ESTABLISHED
#SECTION RELATED
#
# Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT $FW net
#
#
# Accept SSH connections from the local network to the firewall and DMZ
# (no rule opens SSH from net, so administration is only possible from loc).
#
SSH/ACCEPT loc $FW
SSH/ACCEPT loc dmz
#
# DMZ DNS access to the Internet
#
DNS/ACCEPT dmz net
#
# Drop Ping from the "bad" net zone.
#
Ping/DROP net $FW
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc->net policy is ACCEPT).
#
Ping/ACCEPT loc $FW
Ping/ACCEPT dmz $FW
Ping/ACCEPT loc dmz
Ping/ACCEPT dmz loc
Ping/ACCEPT dmz net
ACCEPT $FW net icmp
ACCEPT $FW loc icmp
ACCEPT $FW dmz icmp
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc
#Ping/ACCEPT net dmz
#Ping/ACCEPT net loc
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Backup and Edit Shorewall Configuration
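# Keep a pristine copy, review the remaining settings by hand, then flip
# STARTUP_ENABLED so the init script is allowed to start Shorewall (it
# refuses while the value is No). The shell prompts that the page had
# pasted into the first two lines are dropped, and the curly quotes around
# the sed expression are replaced by real single quotes.
cp /etc/shorewall/shorewall.conf /etc/shorewall/shorewall.conf.orig
vi /etc/shorewall/shorewall.conf
sed -i 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/' /etc/shorewall/shorewall.conf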
Check Shorewall Configuration
shorewall check   # validate every configuration file; fix any error before restarting
Create Auto Start and Restart Shorewall
chkconfig shorewall on      # start the firewall at boot
service shorewall restart   # load the new configuration now
or
shorewall restart   # same effect as the service command above
