Firewall with masquerading

From NewbieDOC

1 Introduction

The firewall in Debian is not activated by default. Here is a short example using shorewall 3.2.6-2 from etch. The configuration described here is very simple and should be sufficient for a simple setup. Shorewall is very powerful; if you need more complicated stuff it can probably be done. Of course, you can set up a basic firewall much more easily with a GUI-based frontend (e.g. Firestarter), but it's much more difficult to do that remotely. The config files for shorewall can be edited very easily over ssh, which should work even on a dial-up connection without problems. This way you can have a headless machine (no monitor) for lots of things that can be done without a GUI. I use the firewall machine for large downloads, listening to internet radio, playing mp3, ... everything over ssh, without ever needing a monitor.

Disclaimer: This is just a basic configuration. There is much more to security than setting up a firewall, so don't blame me if you get cracked. If you are serious about security you should read more documentation. The Securing Debian Manual would be a good start.

2 Main

All actions will need root privileges, so make sure you change to root with su (or use sudo). First we need to install shorewall:

#aptitude install shorewall

shorewall is installed with an (almost) empty configuration. We can use the supplied default files with a few minor changes/additions. The files also contain lots of information and many more options. Note: when you need to add lines, add them at the end of the file, just above the last line. Read the instructions in the file and you should figure it out.

#cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/

Now use your preferred editor (e.g. mcedit) to modify some files:

#mcedit /etc/shorewall/shorewall.conf

Change IP_FORWARDING to On if you want to use your computer as a gateway:

IP_FORWARDING=On

I will assume eth0 is the internet connection (with dhcp) and eth1 is the connection to the rest of your network. Change to suit your configuration:

#mcedit /etc/shorewall/interfaces

Add the following lines (the columns are ZONE, INTERFACE, BROADCAST and OPTIONS):

net        eth0        detect         dhcp
loc        eth1        192.168.0.255

#mcedit /etc/shorewall/policy

Add the following lines (order is important, since the first matching entry wins):

loc        all         ACCEPT
fw         all         ACCEPT
net        all         DROP
all        all         REJECT

#mcedit /etc/shorewall/zones

Add the following lines:

fw      firewall
net     ipv4
loc     ipv4

If you need masquerading (use your computer as a gateway for your network) you will also need to change the following:

#mcedit /etc/shorewall/masq

Add the following line (INTERFACE, then SUBNET):

eth0     eth1

Now we need to activate our configuration:

#shorewall start

Check your configuration. You should be able to ping the net from the firewall machine and from the network. There are also sites that will perform a scan of your machine. If everything is ok you should have all ports "stealth" except 113 (IDENT). Don't worry if you get a warning about that; opinions differ. Now we need to make one final change so shorewall will be started on every boot:

#mcedit /etc/default/shorewall

Change the 'startup' option from 0 to 1:

startup=1


3 Goodies:

I use the firewall machine for large downloads with bittorrent. For bittorrent to work correctly we need to open a few ports. This will NOT work for other machines on your network. For that you will need port forwarding, which is not covered here. (Update: ktorrent seems to work very well irrespective of the firewall)

#mcedit /etc/shorewall/rules

Add the following line (ACTION, SOURCE, DEST, PROTO, DEST PORT):

ACCEPT      net      fw      tcp        6881:6889

Allow connections to port 22 (ssh) of the firewall machine from a specific IP only (great for remote administration):

ACCEPT      net:123.234.123.234   fw   tcp   22
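As an added illustration (not from the original page) of why the order of the policy lines in section 2 matters and how the rules entries above interact with them: Shorewall consults the rules file first and, if no rule matches, falls back to the policy file, with the first matching entry winning in each. The Python below models that decision using the page's own entries; the evaluation logic is a simplified model written for this example, not Shorewall's code.

```python
"""Simplified model of how Shorewall decides a new connection's fate: the
rules file is consulted first (first matching rule wins) and, if nothing
matched, the policy file applies (again first match wins). Constructed for
this example; the config text is the page's, the evaluation logic is a model."""

# The page's policy and rules entries, embedded here as constructed input.
POLICY = """
loc        all         ACCEPT
fw         all         ACCEPT
net        all         DROP
all        all         REJECT
"""
RULES = """
ACCEPT      net      fw      tcp        6881:6889
ACCEPT      net:123.234.123.234   fw   tcp   22
"""


def parse_policy(text):
    """Return [(source, dest, policy)] in file order (order is significant)."""
    return [tuple(line.split()[:3]) for line in text.splitlines() if line.strip()]


def parse_rules(text):
    """Return [(action, src_zone, src_host or None, dest, proto, (lo, hi))]."""
    out = []
    for line in text.splitlines():
        if line.strip():
            action, src, dst, proto, ports = line.split()
            zone, _, host = src.partition(":")   # "net:1.2.3.4" -> zone, host
            lo, _, hi = ports.partition(":")     # "6881:6889" or a single "22"
            out.append((action, zone, host or None, dst, proto, (int(lo), int(hi or lo))))
    return out


POLICY_LIST = parse_policy(POLICY)
RULE_LIST = parse_rules(RULES)
# Same policies with the catch-all REJECT moved first: the order the page warns against.
WRONG_ORDER = [POLICY_LIST[-1]] + POLICY_LIST[:-1]


def decide(src_zone, dst_zone, proto, port, src_ip, rules=RULE_LIST, policies=POLICY_LIST):
    """Verdict for a new connection: first matching rule, else first matching policy."""
    for action, zone, host, dst, rproto, (lo, hi) in rules:
        if (zone == src_zone and dst == dst_zone and rproto == proto
                and lo <= port <= hi and (host is None or host == src_ip)):
            return action
    for src, dst, policy in policies:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return policy
    raise ValueError("no policy matched; Shorewall needs a catch-all entry")


if __name__ == "__main__":
    print(decide("loc", "net", "tcp", 80, "192.168.0.10"))                        # ACCEPT
    print(decide("net", "fw", "tcp", 22, "203.0.113.5"))                          # DROP
    print(decide("loc", "net", "tcp", 80, "192.168.0.10", policies=WRONG_ORDER))  # REJECT
```

With the REJECT line moved to the top, even the local network loses access, which is exactly what the "order is important" note is about.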

--amp77 12:30, 23 September 2006 (BST)

This document has been released by the author under a Free license (which should be indicated beneath this notice). You may use it freely according to its particular license.

Free Software License: Either GNU FDL or GNU GPL at your choice.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License."

This work is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This work is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

Content is available under GNU Free Documentation License 1.2, unless otherwise stated.