
Firewall Setup

Install Shorewall

To manage nftables/iptables I decided to go with Shorewall since it is easy to configure and very mature. At some point I may look into switching to FireHOL since it looks even simpler to configure, but I wanted something I knew I'd be able to make do everything I needed.

I started by installing shorewall, shorewall-doc (which includes the example configurations) and shorewall-init, which can lock down the system at boot before Shorewall has had a chance to configure the firewall.

# apt install shorewall shorewall-doc shorewall-init

Then I update the Shorewall configuration. All I have to do is change a few logging parameters to reflect that I'm using ulogd2 (the NFLOG target hands log entries to ulogd2 over netlink) and make sure IPv4 forwarding is enabled when Shorewall starts.

# /etc/shorewall/shorewall.conf
- LOG_LEVEL="info"
+ LOG_LEVEL="NFLOG(1,0,1)"
...
- LOGFILE=/var/log/messages
+ LOGFILE=/var/log/firewall.log
...
- IP_FORWARDING=Keep
+ IP_FORWARDING=Yes

All my configuration files are adapted from the examples that shorewall-doc makes available under /usr/share/doc/shorewall/examples.

I changed a few names and added some additional zones like wg and warp. warp is a zone where all outgoing traffic is automatically routed through a VPN tunnel, which makes it easy to give any Docker container a VPN: I just put it on that subnet/zone.

# /etc/shorewall/zones
+ #------------------------------------------------------------------------------
+ # For information about entries in this file, type "man shorewall-zones"
+ #
+ # See http://shorewall.net/org/manpages/shorewall-zones.html for more information
+ ###############################################################################
+ #ZONE   TYPE    OPTIONS                 IN                      OUT
+ #                                       OPTIONS                 OPTIONS
+ fw      firewall
+ wan     ipv4
+ lan     ipv4
+ dmz     ipv4
+ warp    ipv4
+ wg      ipv4

Setting up /etc/shorewall/interfaces and assigning them zones is pretty self-explanatory.

# /etc/shorewall/interfaces
+ #------------------------------------------------------------------------------
+ # For information about entries in this file, type "man shorewall-interfaces"
+ #
+ # See http://shorewall.net/org/manpages/shorewall-interfaces.html for more information
+ ###############################################################################
+ ?FORMAT 2
+ ###############################################################################
+ #ZONE	INTERFACE	OPTIONS
+ wan     WAN_IF          tcpflags,dhcp,nosmurfs,routefilter,logmartians,forward=1,accept_ra=2,sourceroute=0,physical=eth0
+ lan     LAN_IF          tcpflags,dhcp,nosmurfs,routefilter,logmartians,forward=1,physical=eth1
+ dmz     DMZ_IF          tcpflags,dhcp,nosmurfs,routefilter,logmartians,forward=1,physical=eth1.8
+ warp	WARP_IF		tcpflags,dhcp,nosmurfs,routefilter,logmartians,forward=1,physical=eth1.9
+ wg	WGAZSE1_IF	tcpflags,forward=1,physical=wgazse1

My real policy differs slightly but I included a basic example policy.

# /etc/shorewall/policy
+ #------------------------------------------------------------------------------
+ # For information about entries in this file, type "man shorewall-policy"
+ #
+ # See http://shorewall.net/org/manpages/shorewall-policy.html for more information
+ ###############################################################################
+ #SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
+ 
+ $FW		all			ACCEPT
+ lan		all			ACCEPT
+ dmz		$FW,wan			ACCEPT
+ warp		$FW			ACCEPT
+ 
+ wan		all			DROP		$LOG_LEVEL
+ # THE FOLLOWING POLICY MUST BE LAST
+ all		all			REJECT		$LOG_LEVEL

Because my example policy is pretty liberal, my rules in this example are pretty sparse.

# /etc/shorewall/rules
+ #------------------------------------------------------------------------------------------------------------
+ # For information about entries in this file, type "man shorewall-rules"
+ #
+ # See http://shorewall.net/manpages/shorewall-rules.html for more information
+ ######################################################################################################################################################################################################
+ #ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE          USER/    MARK    CONNLIMIT       TIME            HEADERS         SWITCH          HELPER
+ #                                                       PORT    PORT(S)         DEST            LIMIT         GROUP
+ ?SECTION ALL
+ ?SECTION ESTABLISHED
+ ?SECTION RELATED
+ ?SECTION INVALID
+ ?SECTION UNTRACKED
+ ?SECTION NEW
+ 
+ #       Don't allow connection pickup from the net
+ Invalid(DROP)   wan             all             tcp
+ 
+ DNS(ACCEPT)     all!wan,warp    $FW
+ DNS(ACCEPT)     $FW,dmz         lan:10.0.1.2
+ 
+ Web(ACCEPT)     dmz             $FW
+ Web(DNAT)       wan             dmz:10.0.8.2

Last but not least is the magic that allows private addresses to reach the greater Internet by masquerading as the one public IPv4 address I am assigned. The following just says that all traffic heading out of WAN_IF (eth0) from a private IP range should be masqueraded.

# /etc/shorewall/snat
+ #------------------------------------------------------------------------------
+ # For information about entries in this file, type "man shorewall-snat"
+ #
+ # See http://shorewall.net/org/manpages/shorewall-snat.html for more information
+ ###########################################################################################################################################
+ #ACTION                 SOURCE                  DEST            PROTO   PORT    IPSEC   MARK    USER    SWITCH  ORIGDEST        PROBABILITY
+ MASQUERADE              10.0.0.0/8,\
+                         169.254.0.0/16,\
+                         172.16.0.0/12,\
+                         192.168.0.0/16          WAN_IF

Now that everything is configured it might be wise to run shorewall check just to make sure I didn't make any typos.

You can hook Shorewall into the boot process, so that the system is protected while it boots, by enabling shorewall-init and shorewall. First we tell shorewall-init which products it needs to take into account.

# /etc/default/shorewall-init
- PRODUCTS=""
+ PRODUCTS="shorewall"

Then we simply tell them to start at boot.

# systemctl enable shorewall
# systemctl enable shorewall-init

Modify Interfaces

Now that Shorewall will secure everything at bootup it is safe to update my /etc/network/interfaces with their addresses.

# /etc/network/interfaces
 auto eth1
- iface eth1 inet manual
+ iface eth1 inet static
+         address 10.0.1.1/21
  
  auto eth1.8
- iface eth1.8 inet manual
+ iface eth1.8 inet static
          vlan-raw-device eth1
+         address 10.0.8.1/24
  
  auto eth1.9
- iface eth1.9 inet manual
+ iface eth1.9 inet static
          vlan-raw-device eth1
+         address 10.0.9.1/24

Now if I reboot the system all my interfaces will come up configured and the system will be protected by nftables/iptables configured by Shorewall.

Be sure to sanity check your configuration: if you need to SSH into the system to configure it, Shorewall has to allow SSH traffic.
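A preflight for that caveat, added here as an example and not part of the post or of Shorewall itself: a small Python model of how Shorewall resolves a new connection (rules first, then the ordered policy file), run over a constructed policy/rules pair trimmed from the files above. The port sets behind the SSH, DNS and Web macros and the use of the wg zone as a management zone are assumptions.

```python
import re
# Port sets behind the macros the post uses; assumed well-known ports, not Shorewall's macro files.
MACROS = {"SSH": {("tcp", 22)}, "DNS": {("tcp", 53), ("udp", 53)},
          "Web": {("tcp", 80), ("tcp", 443)}}
# Constructed sample, trimmed from the post's policy and rules files.
POLICY = """
lan     all         ACCEPT
dmz     $FW,wan     ACCEPT
warp    $FW         ACCEPT
wan     all         DROP    $LOG_LEVEL
all     all         REJECT  $LOG_LEVEL
"""
RULES = """
Invalid(DROP)   wan             all             tcp
DNS(ACCEPT)     all!wan,warp    $FW
Web(DNAT)       wan             dmz:10.0.8.2
"""

def entries(text):
    """Split a Shorewall table into field lists, skipping blank and comment lines."""
    return [ln.split() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]

def zone_match(spec, zone):
    """Zone column syntax: 'a,b', 'all', or 'all!a,b'; a ':host' qualifier is ignored."""
    spec = spec.split(":")[0]
    if spec.startswith("all!"):
        return zone not in spec[4:].split(",")
    return spec == "all" or zone in spec.split(",")

def verdict(policy, rules, src, dst, proto, port):
    """Rules are consulted first (first match wins); otherwise the first matching policy line."""
    for f in entries(rules):
        m = re.fullmatch(r"(\w+)\((\w+)\)", f[0])
        if not m or m.group(1) == "Invalid":  # Invalid() keys on conntrack state, not ports
            continue
        if (proto, port) in MACROS.get(m.group(1), set()) and zone_match(f[1], src) and zone_match(f[2], dst):
            return m.group(2)
    for f in entries(policy):
        if zone_match(f[0], src) and zone_match(f[1], dst):
            return f[2]
    return "REJECT"  # Shorewall will not compile without a catch-all; treat as rejected

def catch_all_last(policy):
    """'THE FOLLOWING POLICY MUST BE LAST': one all->all line, and it is the final one."""
    rows = entries(policy)
    return rows[-1][:2] == ["all", "all"] and all(r[:2] != ["all", "all"] for r in rows[:-1])

def ssh_to_firewall_allowed(policy, rules, mgmt_zone):
    """The check before 'reboot': can the zone you administer from still reach SSH on $FW?"""
    return verdict(policy, rules, mgmt_zone, "$FW", "tcp", 22) == "ACCEPT"
```

With the sample above, SSH from lan reaches the firewall through the liberal lan policy, but a host in the wg zone falls through to the catch-all REJECT until a rule such as `SSH(ACCEPT) wg $FW` is added.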

# reboot