Install shorewall and configure firewall
# apt-get install shorewall

# cp -R /usr/share/doc/shorewall/examples/two-interfaces/* /etc/shorewall/
This will copy the preset two-interface example files to our shorewall configuration.

# cd /etc/shorewall && gunzip *.gz
This extracts the archived example files so you can edit them in nano.

Things in {} are for a http/ftp webserver on the local network at 10.0.0.15; omit them if you have no need for this. Don't type the actual curly brackets into your configuration files, they only mark the lines that belong to this hack!

# nano interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,norfc1918,routefilter,nosmurfs,logmartians
loc     eth1        detect      dhcp,{routeback},tcpflags,detectnets,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

# nano zones
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
loc     ipv4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE -- DO NOT REMOVE

# nano masq
#INTERFACE        SUBNET        ADDRESS    PROTO   PORT(S)   IPSEC
eth0              10.0.0.0/24
{eth1:10.0.0.15   10.0.0.0/24   10.0.0.1   tcp     www}
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

# nano rules
#ACTION      SOURCE   DEST            PROTO   DEST     SOURCE    ORIGINAL   RATE    USER/
#                                             PORT     PORT(S)   DEST       LIMIT   GROUP
#
# Accept DNS connections from the firewall to the network
#
DNS/ACCEPT   $FW      net
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT   loc      $FW
#
# Allow Ping from the local network
#
Ping/ACCEPT  loc      $FW
#
# Reject Ping from the "bad" net zone and prevent your log from being flooded
#
Ping/REJECT  net      $FW
ACCEPT       $FW      loc             icmp
ACCEPT       $FW      net             icmp
#
# Accept SSH from the net for administration of the router from outside the local network
SSH/ACCEPT   net      $FW
# Various other rules
{DNAT        net      loc:10.0.0.15   tcp     www}
{DNAT        loc      loc:10.0.0.15   tcp     www      -         $ETH0_IP}
{FTP/DNAT    net      loc:10.0.0.15}
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

ONLY FOR WEBSERVER (the hairpin DNAT rule above needs $ETH0_IP, which is set here for eth0):
{# nano params
###############################################################################
ETH0_IP=`/sbin/shorewall call find_first_interface_address eth0`
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE -- DO NOT REMOVE
}

# nano policy
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc     net     ACCEPT
loc     $FW     ACCEPT
loc     all     REJECT
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW     net     ACCEPT
$FW     loc     ACCEPT
$FW     all     REJECT
#
# Policies for traffic originating from the Internet zone (net)
#
net     $FW     DROP
net     loc     DROP
net     all     DROP
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

# nano shorewall.conf
Search with Ctrl-W for these two settings and change them to Yes and On:
STARTUP_ENABLED=Yes
IP_FORWARDING=On

# nano /etc/default/shorewall
startup=1

# /etc/init.d/shorewall restart
Now tell shorewall to configure your firewall.

# nano /var/log/shorewall-init.log
Don't fret, you will probably get an error due to a typo or something, but you can view the error with the above command and scrolling with Page Down to the end of the log file. See where it failed; that is probably going to give you a hint at where your typo is. If you happen to fix the error and you still can't ping out to the internet from local machines, then...

# reboot
Often, a reboot is required to get everything working (and to be doubly sure your router can reboot).
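As an added example (not part of the original post or of Shorewall itself), here is a small audit of a Shorewall rules file that lists every rule admitting traffic that originates in the untrusted net zone, so you can see at a glance what the router exposes to the internet after editing. The sample rules are constructed inline to mirror the file above; with those rules it reports the SSH rule to the firewall and the two DNATs to the webserver, and skips the Ping/REJECT rule.

```shell
#!/bin/sh
# Added example: audit a Shorewall "rules" file for rules whose SOURCE is the
# "net" zone and whose ACTION accepts or forwards (ACCEPT or DNAT, with or
# without a macro prefix such as SSH/ or FTP/). Comments, blank lines and
# REJECT/DROP rules are skipped.

# Constructed sample mirroring the post's rules file. Columns are
# ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST.
SAMPLE_RULES='
#ACTION      SOURCE  DEST            PROTO  DEST PORT  SOURCE PORT  ORIGINAL DEST
DNS/ACCEPT   $FW     net
SSH/ACCEPT   loc     $FW
Ping/ACCEPT  loc     $FW
Ping/REJECT  net     $FW
ACCEPT       $FW     loc             icmp
ACCEPT       $FW     net             icmp
SSH/ACCEPT   net     $FW
DNAT         net     loc:10.0.0.15   tcp    www
DNAT         loc     loc:10.0.0.15   tcp    www        -            $ETH0_IP
FTP/DNAT     net     loc:10.0.0.15
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
'

# Print "ACTION SOURCE DEST PROTO DEST-PORT" for each rule that lets traffic
# from net (or net:host) in; missing PROTO/port columns are shown as "-".
inbound_from_net() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }                # comment line
        NF == 0          { next }                # blank line
        {
            action = $1; sub(/^.*\//, "", action)   # "SSH/ACCEPT" -> "ACCEPT"
            src = $2;    sub(/:.*$/, "", src)       # "net:1.2.3.4" -> "net"
            if (src == "net" && (action == "ACCEPT" || action == "DNAT"))
                print $1, $2, $3, ($4 ? $4 : "-"), ($5 ? $5 : "-")
        }'
}

# Number of such rules, for a quick post-edit sanity check.
count_inbound_from_net() {
    inbound_from_net "$1" | wc -l | tr -d ' '
}

inbound_from_net "$SAMPLE_RULES"
```

Run it against the real file with `inbound_from_net "$(cat /etc/shorewall/rules)"` after editing and compare the list with what you actually intended to expose.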