Securing a host using the Shoreline firewall / Shorewall
Since I’m currently setting up a new server for hosting purposes I want to share some of my favourite sysadmin tools and practices.
The first featured tool is the shoreline firewall or shorewall. You can find the project at: http://www.shorewall.net/
Shorewall basically is a set of nice configuration files for iptables. Another benefit of shorewall is that it has no runtime part. You just fire up the tool, it configures your iptables and quits. This reduces the load and increases security. Additionally to the technical features there is one thing that makes shorewall really stand out: It has extensive, well-written and understandable documentation. You rarely find a use-case which is not already described in the documentation.
Read on to find out how to set up shorewall in minutes.
Setting up shorewall
In this section I will describe how to secure a single server directly connected to the internet. There is no hardware firewall or DMZ involved.
First you have to install shorewall on your server. Since I use Ubuntu 8.04 there is already a prepackaged version in the repository.
aptitude install shorewall
Then you have to copy some of the example configuration files to your /etc/shorewall directory.
cp -prv /usr/share/doc/shorewall-common/default-config/rules /etc/shorewall cp -prv /usr/share/doc/shorewall-common/default-config/zones /etc/shorewall cp -prv /usr/share/doc/shorewall-common/default-config/modules /etc/shorewall cp -prv /usr/share/doc/shorewall-common/default-config/interfaces /etc/shorewall cp -prv /usr/share/doc/shorewall-common/default-config/policy /etc/shorewall
To understand the meaning I will first give a very short explanation of the shorewall terminology (the terms are pretty standard): Shorewall sees the network as a collection of zones (your local network, the internet, the firewall host itself, …). Network interfaces (eth0, eth1, …) are connected to the zones and allow traffic to move in and out. If traffic want’s to move between zones the firewall checks the configured rules wether there is a rule allowing or denying the traffic flow. If there is no rule for the specific case it applies a policy (default rule).
With this in mind the filenames should be straightforward to understand. The modules file loads shorewall specific modules (for example enables the ftp connection tracking). You don’t have to modify the modules file for a basic setup.
Lets first define the zones in the zones file.
############################################################################### #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall net ipv4 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
As you can see there are only two zones defined: The internet (net) and the server itself (fw).
We now connect the network interfaces to the zones using the interfaces file.
############################################################################### #ZONE INTERFACE BROADCAST OPTIONS net eth0 detect norfc1918 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
That’s it. If you have more interfaces you of course have to connect these to the zones too. But if this is the case it’s very likely that you are striving for a more complex configuration anyway.
After defining the traffic sources we will now implement the default policy using the policy file.
############################################################################### #SOURCE DEST POLICY LOG LIMIT:BURST # LEVEL fw net ACCEPT net fw DROP all all DROP #LAST LINE -- DO NOT REMOVE
This policy allows the firewall to access all internet services and drops all incoming connections silently. Since this is not very useful for a server we now allow public access to some specific services by defining some rules in the rules file.
############################################################################# #ACTION SOURCE DEST PROTO DEST SOURCE # PORT PORT(S) #SECTION ESTABLISHED #SECTION RELATED SECTION NEW ACCEPT net fw icmp echo-request ACCEPT net fw tcp 22 ACCEPT net fw tcp 80 ACCEPT net fw tcp 443 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
As cou can see we allowed our server to reply to pings, incoming SSH connections and to serve up websites through HTTP and HTTPS.
In Ubuntu you now have to set the startup variable in /etc/default/shorewall to 1 and run /etc/init.d/shorewall start. Be sure to check that everything works as expected before you close your SSH session!.
That’s it. Visit the shorewall website for more information.
Tags: Firewall, Linux, Security, Server, Shorewall, Sysadmin, Ubuntu