Shorewall: firewalls on the bunny slope
Shorewall is reasonably effective for configuring a Linux iptables-based firewall.
We start with a clean load of Ubuntu Feisty (7.04) on a spartan hardware configuration. The alternate installation is recommended. An adequate hardware configuration should include a modern 32-bit processor, 128 megabytes of RAM, a 6 gigabyte hard drive, two network interface controllers, a keyboard and monitor interface, and a boot-capable CD drive. Installation can also be accomplished with PXE. Installation of the base OS is explained elsewhere; that process exceeds the scope of this page.
On Debian-based systems, Ubuntu included, Shorewall setup is a simple process. First, update the apt package cache and install Shorewall and the administrative interfaces. Log in as the administrative user and run the following from a shell session.
# Get root
sudo bash
While you have the power, wield it wisely.
# Make sure the repository cache is updated with current package information
apt-get update
# Enable secure remote access
apt-get -y install openssh-server
# Install shorewall and wget
apt-get -y install shorewall wget
# Install perl support for webmin
apt-get -y install libnet-ssleay-perl libauthen-pam-perl libio-pty-perl libmd5-perl
# Download and install webmin
cd
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.340_all.deb
dpkg -i webmin_1.340_all.deb
# Optionally remove downloaded webmin package
rm -f webmin_1.340_all.deb
# Make sure the system is up to date
apt-get -y upgrade
# Reboot for good measure
reboot
After rebooting, log in as the administrative user. You are just moments away from a working firewall; there is a fast-track configuration available.
# Get root
sudo bash
Again: use root wisely.
# Configuration files for shorewall live in /etc/shorewall
cd /etc/shorewall
# Start with the example configuration
cp /usr/share/doc/shorewall/examples/two-interfaces/* .
gunzip -f *gz
# Enable ip forwarding (this setting does not survive a reboot; IP_FORWARDING=On in
# /etc/shorewall/shorewall.conf makes shorewall set it at every start)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Enable shorewall startup by changing /etc/default/shorewall
cp /etc/default/shorewall shorewall.default
sed -e 's/startup=0/startup=1/g' shorewall.default > /etc/default/shorewall
# Optionally, remove the original default for shorewall
rm shorewall.default
# Start shorewall
/etc/init.d/shorewall start
# The job is done. Make root vanish.
exit
Of course there are some possibilities for failure. If your Internet-facing interface is not eth0, the interfaces file will need modification. If you want to protect an absent-minded admin from shooting themselves in the foot (being locked out of the box while the firewall is stopped), adjust the routestopped file. If you are using more than two interfaces, study the documentation at the Shorewall site and really understand how it works.
Now that your firewall is configured, it's time to configure local policy and rules. The policy file contains the general behavior of your firewall, and the rules file contains special treatment for individual hosts and ports. Additional configuration files may be required for your setup, and a tour of the Shorewall site is good preparation.
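The two failure modes above can be checked before the first "shorewall start". The script below is an added example, not part of Shorewall or of the original page: it parses the interfaces and routestopped files in the column layout used by the two-interfaces example (ZONE INTERFACE BROADCAST OPTIONS, and INTERFACE HOST(S) OPTIONS) and confirms that the net zone sits on the default-route interface and that the LAN interface stays reachable while the firewall is stopped. The sample files are constructed stand-ins for /etc/shorewall/interfaces and /etc/shorewall/routestopped.

```shell
#!/bin/sh
# Sanity checks for a Shorewall two-interface setup (added example, not Shorewall's own code).

# Constructed sample files standing in for /etc/shorewall/interfaces and routestopped.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/interfaces" <<'EOF'
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc     eth1            detect          tcpflags,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
EOF
cat > "$SAMPLE_DIR/routestopped" <<'EOF'
#INTERFACE      HOST(S)         OPTIONS
eth1            -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
EOF

# Print the interface bound to a zone in an interfaces file (prints nothing if absent).
zone_iface() {  # $1=interfaces file, $2=zone name
    awk -v z="$2" '$1 !~ /^#/ && $1 == z { print $2; exit }' "$1"
}

# Succeed when the "net" zone is bound to the interface carrying the default route.
# On a live box, obtain $2 with: ip route show default | awk '{print $5; exit}'
net_iface_matches_default_route() {  # $1=interfaces file, $2=default-route interface
    [ "$(zone_iface "$1" net)" = "$2" ]
}

# Succeed when routestopped keeps the given interface reachable while the firewall is
# stopped, so "shorewall stop" does not cut off an admin working from the LAN.
routestopped_allows() {  # $1=routestopped file, $2=interface
    awk -v i="$2" '$1 !~ /^#/ && $1 == i { found = 1 } END { exit !found }' "$1"
}

net_iface_matches_default_route "$SAMPLE_DIR/interfaces" eth0 && echo "net zone is on the default-route interface"
net_iface_matches_default_route "$SAMPLE_DIR/interfaces" eth2 || echo "net zone is NOT on eth2: edit the interfaces file"
routestopped_allows "$SAMPLE_DIR/routestopped" eth1 && echo "LAN interface stays reachable while stopped"
routestopped_allows "$SAMPLE_DIR/routestopped" eth0 || echo "eth0 is not in routestopped (expected for the net side)"
```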