We decided to go with Shorewall, which is relatively popular. It also has the advantage that we don't need to provide the IP addresses of the system – it determines them dynamically. So when we change IP addresses, we don't have to re-configure the firewall.
All we want from the firewall is basic host protection. (We don't do any routing, so we don't need to worry about packets going through the system.) We want to allow all outbound connections, and allow inbound connections to only the following ports:
Install shorewall (and its documentation):
sudo apt-get -y install shorewall shorewall-doc
In /etc/default/shorewall, set Shorewall to run by changing the startup line:
sudo sed -i -e 's/startup=0/startup=1/' /etc/default/shorewall
Install the default config files for systems with one interface:
sudo cp -a /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall/
cd /etc/shorewall/
sudo gunzip -f *.gz
In /etc/shorewall/shorewall.conf, we need to enable startup; we also change the log file and set the log rate limits:
sudo sed -i /etc/shorewall/shorewall.conf -e 's|^STARTUP_ENABLED=.*|STARTUP_ENABLED=Yes|'
sudo sed -i /etc/shorewall/shorewall.conf -e 's|^LOGFILE=.*|LOGFILE=/var/log/shorewall.log|'
sudo sed -i /etc/shorewall/shorewall.conf -e 's|^LOGRATE=.*|LOGRATE=10/minute|'
sudo sed -i /etc/shorewall/shorewall.conf -e 's|^LOGBURST=.*|LOGBURST=5|'
Add rules to /etc/shorewall/rules allowing various ports inbound:
sudo sh -c 'cat >> /etc/shorewall/rules' <<'EOF'
# Allow inbound SSH.
ACCEPT net $FW tcp 22
# Allow inbound DNS (including TCP, for AXFRs).
ACCEPT net $FW udp 53
ACCEPT net $FW tcp 53
# Allow inbound NTP.
ACCEPT net $FW udp 123
# Allow inbound HTTP and HTTPS.
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 443
EOF
Start Shorewall:
sudo touch /var/log/shorewall.log
sudo /etc/init.d/shorewall start
To check whether Shorewall is running, list the iptables rules it has loaded:
sudo iptables -L -vn
This should show a large number of chains and rules.
If Shorewall is not running, check the /var/log/shorewall-init.log file for details.
Ensure that you can establish a new SSH session inbound. If not, stop Shorewall and try again.
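The whole procedure above, collected into a small set of POSIX sh helpers as an added example (this is not code from the page or from the Shorewall project). The functions take explicit file paths so they can be exercised against scratch copies without root or Shorewall installed; only apply_all touches the real /etc/shorewall paths. The "proto:port" argument format of render_rules and the rules_allow_ssh lock-out guard are this example's own conventions; `shorewall check` is the real Shorewall configuration validator and is run before `start` so a typo in the rules file fails closed rather than leaving the host unprotected.

```shell
#!/bin/sh
# Added example (not from the original page): helpers for the Shorewall
# host-firewall setup described above. GNU sed is assumed for sed -i.
set -eu

# Set KEY=VALUE in a shorewall.conf-style file: replace the existing line,
# or append one if the key is absent. VALUE must not contain '|'.
set_conf() {
    file=$1 key=$2 value=$3
    if grep -q "^${key}=" "$file"; then
        sed -i -e "s|^${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Print the value currently set for KEY in FILE (empty if unset).
get_conf() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# Emit Shorewall rules lines from "proto:port" arguments (e.g. tcp:22 udp:53).
# Output goes to stdout so the caller decides where it lands.
render_rules() {
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec#*:}
        printf 'ACCEPT net $FW %s %s\n' "$proto" "$port"
    done
}

# Lock-out guard: succeed only if FILE contains an active (non-comment) rule
# accepting TCP 22 from net to the firewall. Call this before starting
# Shorewall over an SSH session.
rules_allow_ssh() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -Eq '^ACCEPT[[:space:]]+net[[:space:]]+\$FW[[:space:]]+tcp[[:space:]]+22([[:space:]]|$)'
}

# Apply the page's procedure to the real system. Run as root.
apply_all() {
    apt-get -y install shorewall shorewall-doc
    sed -i -e 's/startup=0/startup=1/' /etc/default/shorewall
    cp -a /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall/
    for f in /etc/shorewall/*.gz; do [ -e "$f" ] && gunzip -f "$f"; done
    set_conf /etc/shorewall/shorewall.conf STARTUP_ENABLED Yes
    set_conf /etc/shorewall/shorewall.conf LOGFILE /var/log/shorewall.log
    set_conf /etc/shorewall/shorewall.conf LOGRATE 10/minute
    set_conf /etc/shorewall/shorewall.conf LOGBURST 5
    # Append the inbound allow list only once (idempotent re-runs).
    if ! rules_allow_ssh /etc/shorewall/rules; then
        render_rules tcp:22 udp:53 tcp:53 udp:123 tcp:80 tcp:443 >> /etc/shorewall/rules
    fi
    rules_allow_ssh /etc/shorewall/rules || { echo "refusing to start: no SSH rule" >&2; return 1; }
    touch /var/log/shorewall.log
    shorewall check      # validate the configuration before loading it
    /etc/init.d/shorewall start
}

# Stand-alone demo against a scratch directory (no root, no Shorewall needed).
demo() {
    dir=$(mktemp -d)
    printf 'STARTUP_ENABLED=No\nLOGFILE=/var/log/messages\n' > "$dir/shorewall.conf"
    set_conf "$dir/shorewall.conf" STARTUP_ENABLED Yes
    set_conf "$dir/shorewall.conf" LOGRATE 10/minute
    render_rules tcp:22 udp:53 tcp:53 udp:123 tcp:80 tcp:443 > "$dir/rules"
    rules_allow_ssh "$dir/rules" && echo "SSH rule present: safe to start"
    echo "STARTUP_ENABLED is now $(get_conf "$dir/shorewall.conf" STARTUP_ENABLED)"
    rm -rf "$dir"
}

demo
```

To use it on a real host, source the file and run `apply_all` as root; the demo at the bottom only writes to a temporary directory. The guard in apply_all mirrors the last step of the page: it refuses to start the firewall unless the rules file actually contains the inbound SSH rule, which is the check you want to make before, rather than after, losing your session.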