Webmin based Shorewall administration

 

Basic Configuration

Linux servers are deployed in ever larger numbers, so easy-to-use administration tools matter more and more as an alternative to logging in with ssh and editing files by hand. A GUI makes a server's configuration and features easier to understand. This document is a step-by-step manual for configuring the Shoreline Firewall (Shorewall) through Webmin instead of editing the files in /etc/shorewall from the console. I assume you already have a server with Webmin and Shorewall installed in their basic configuration; other manuals cover that. Shorewall is my recommended firewall script because the standard Webmin install comes with a Shorewall module. After installing and configuring Webmin, log in with the URL shown at the end of the installation and the username and password you entered during configuration. You then see the first screen of the Webmin user interface:

Here you can select the different task areas, such as Webmin administration, the various server administration modules and so on. Click on Networking, which brings up the next screen:

As you can see, there is already an icon called Shorewall Firewall, so click on it:

Here we find the different tables for configuring Shorewall (each one corresponds to a file in /etc/shorewall), so let's first explain what each table means and what we do with it:

Network Zones (zones): here you define what kinds of networks the firewall is connected to:

For example, the standard configuration has one internet side and one LAN side, also called the local network(s). The firewall's own zone (fw) is not added here: in the Shorewall version this tutorial was written for it is predefined by the FW setting in shorewall.conf, so it is not necessary to put it in the table (newer Shorewall releases instead require an entry of type "firewall" in the zones table). As this is a fresh install there are no zones defined yet, so we click on "Add a new network zone":

First we define the internet zone. Type "net" (without the quotes) as Zone ID, "Net" as Displayed name and "Internet" as Description:

Now click Create:

As you can see, a new entry has been made defining network zone net, described as Internet. Presuming you have a Local Area Network attached to the firewall, click "Add a new network zone" again, type "loc" as Zone ID, "Local" as Displayed name and "Local networks" as Description, click Create, and the necessary zones are defined:

Next click on "Return to list of tables" and we are back at the index. Now we proceed to Network Interfaces (interfaces), where you define which interface belongs to which zone. This is naturally blank, so click on "Add a new network interface":

Let's say that eth0 is the network interface connected to the internet and that it receives its IP address via DHCP. You configure it as follows:

Interface is eth0

Zone name is Net

Broadcast address is automatic

Options are dhcp (the interface gets its address by DHCP, so DHCP traffic is allowed), routefilter (the kernel's reverse-path filter, which drops packets arriving on an interface that does not route back to their source address, a basic anti-spoofing measure) and tcpflags (packets with illegal TCP flag combinations are dropped):

Click Create and the first interface is defined. Now do the same for the local interface, with the settings:

Interface eth1

Zone name Local

Broadcast address Automatic

Click Create and the end result should look like this:

Once again return to the list of tables and proceed to the next item: the Default Policies (policy). These define what the firewall does with a connection between two zones when no entry in Firewall Rules has matched it: allow it (ACCEPT), leave the decision to a later, broader zone pair (CONTINUE, used with nested zones), refuse it with an error reply (REJECT) or discard it silently (DROP). None are defined yet, so click "Add a new default policy":

This looks pretty straightforward, and it is. Two things to know first. Policies only apply to traffic that no entry in Firewall Rules has matched, and the policy table is evaluated in order: the first entry whose source and destination zones match decides, so a catch-all entry with source Any and destination Any must be the last one in the list. The log level is the syslog priority (debug, info, notice, warning, err, crit, alert, emerg) that each dropped or rejected connection attempt is logged with; it does not change how much is logged, and "info" is the usual choice. Now create the policies. First, to let clients on the local network reach the internet through the firewall: source zone "loc", destination zone "net", policy ACCEPT. Do not log this allowed traffic, as it would generate huge log files. Second, incoming traffic from the internet must not reach anything, otherwise the firewall is pointless: source "net", destination Any (that is loc, the firewall itself and net), policy DROP; log it at "info" if you want to monitor probes. Third, the catch-all that makes the firewall safe in principle: source Any, destination Any, policy DROP (or REJECT if you prefer the LAN to get an error reply instead of a timeout for anything not allowed). If you created the catch-all first, reorder the list so it is last, otherwise it shadows the two entries above it and the LAN loses its internet access. The traffic limit option is not applicable here, so leave it alone. In this setup the log messages are saved in /var/log/shorewallmess; on a stock install they go wherever syslog sends kernel messages, typically /var/log/messages or /var/log/kern.log. Click Create for each policy and you're done:

When returning to the list of tables you see the next item, the Firewall Rules. These are only needed for hosting services (and for reaching the firewall itself from the LAN), so we skip them for now and return to them later. We also skip Types of Service for now and proceed to Masquerading (masq). Masquerading is NAT, Network Address Translation: it lets you run your LAN with private IP addresses and connect everybody on the LAN to the internet through the firewall's single public IP. Click "Add a new masquerading rule" to get to the configuration page. Here you define the outgoing interface, in our case eth0 as it is the interface connected to the internet. Next you choose which network to masquerade: as eth1 is connected to the LAN, select "Subnet on interface" and name eth1 there. Shorewall also needs IP forwarding enabled (the IP_FORWARDING setting in shorewall.conf must not be Off), otherwise nothing is routed between the two interfaces. The result should look as follows:

Now your basic firewall configuration is done, and you can return to the list of tables. Here you see the option "Check Firewall", which does a rudimentary check of your firewall configuration (the same as running "shorewall check" on the console):

If it all checks out you can select Start Firewall, with one exception. If you are working on the server from a client on the LAN or from a remote client and the firewall fails to start, Shorewall falls back to the stopped state and blocks everything, and you have locked yourself out. To prevent this you can define which hosts keep access to the system while the firewall is stopped. These hosts are defined under "When Stopped" (the routestopped table). Click "Add a new stopped address" and you see the options on the page:

Interface: the interface on which the connection arrives, in our case eth0 for an administrator coming in from the internet.

Accessible addresses: the addresses allowed to reach the server even while it is stopped. For the internet side, select "Listed addresses and networks" and type the public IP address of the computer you administer from in the box below it; never open the stopped firewall to all internet addresses. Click Create. Then do the same for the LAN, but with the interface set to eth1 and Accessible addresses set to All addresses:

That concludes the basic configuration, so all that remains is to start the firewall: cross your fingers and press. If you still have internet access afterwards, it works; otherwise you get an error naming the setting that was wrong.
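The basic configuration above, expressed as the tables the Webmin module writes to /etc/shorewall, together with a lint for the mistakes "Check Firewall" does not necessarily flag: a policy list whose catch-all comes first, a zone pair with no policy, and a masquerade entry that masquerades an interface onto itself. This is an added example in Python, not code from the original page or from the Shorewall or Webmin projects; the zone, interface and address values are constructed sample data (203.0.113.10 is a made-up administrator address) and the firewall zone name assumes the default FW=fw in shorewall.conf. The render and lint take the tables as data, so the same code covers an extra LAN zone later on.

```python
"""Render the Shorewall tables the Webmin module writes for the basic
two-NIC setup and lint them before you press "Check Firewall".

Sample values are constructed for this example; FW_ZONE assumes the
default FW=fw in shorewall.conf."""

FW_ZONE = "fw"

# The tutorial's setup: eth0 = internet via DHCP, eth1 = LAN.
BASIC_CONFIG = {
    # (zone id, displayed name, description)
    "zones": [("net", "Net", "Internet"), ("loc", "Local", "Local networks")],
    # (zone, interface, broadcast, options)
    "interfaces": [
        ("net", "eth0", "detect", "dhcp,routefilter,tcpflags"),
        ("loc", "eth1", "detect", ""),
    ],
    # (source, destination, policy, log level) in file order: first match wins
    "policy": [
        ("loc", "net", "ACCEPT", ""),
        ("net", "all", "DROP", "info"),
        ("all", "all", "DROP", "info"),
    ],
    # (outgoing interface, interface whose subnet is masqueraded)
    "masq": [("eth0", "eth1")],
    # (interface, hosts still allowed while the firewall is stopped; "-" = all)
    "routestopped": [("eth0", "203.0.113.10"), ("eth1", "-")],
}

# The order in which a reader following the text literally creates the
# policies: catch-all first.  lint() explains why that is wrong.
CATCH_ALL_FIRST = [
    ("all", "all", "DROP", "info"),
    ("loc", "net", "ACCEPT", ""),
    ("net", "all", "DROP", "info"),
]


def _row(*cells):
    """One Shorewall table line; an empty cell is written as '-'."""
    return "\t".join(cell if cell else "-" for cell in cells)


def render(config):
    """Return {table name: file text}, one table per file under /etc/shorewall."""
    return {name: "\n".join(_row(*entry) for entry in config[name])
            for name in ("zones", "interfaces", "policy", "masq", "routestopped")}


def lint(config):
    """Return the problems a practitioner should fix before starting the firewall."""
    problems = []
    zones = {zone for zone, _, _ in config["zones"]}
    known = zones | {"all", FW_ZONE}

    iface_zone = {}
    for zone, iface, _, _ in config["interfaces"]:
        if zone not in zones:
            problems.append(f"interfaces: {iface} is assigned to undefined zone '{zone}'")
        iface_zone[iface] = zone

    # Policies are matched top to bottom; an entry that an earlier, broader
    # entry already covers can never match.
    earlier = []
    for src, dst, policy, _ in config["policy"]:
        for zone in (src, dst):
            if zone not in known:
                problems.append(f"policy: undefined zone '{zone}'")
        for esrc, edst, epolicy in earlier:
            if esrc in ("all", src) and edst in ("all", dst):
                problems.append(f"policy: '{src} {dst} {policy}' can never match, "
                                f"'{esrc} {edst} {epolicy}' comes earlier and already covers it")
                break
        earlier.append((src, dst, policy))

    # Shorewall needs a policy for every zone pair, including the firewall itself.
    for src in zones | {FW_ZONE}:
        for dst in zones | {FW_ZONE}:
            if src == dst == FW_ZONE:
                continue
            if not any(ps in ("all", src) and pd in ("all", dst)
                       for ps, pd, _, _ in config["policy"]):
                problems.append(f"policy: no policy covers {src} -> {dst}")

    for out, src in config["masq"]:
        if out not in iface_zone:
            problems.append(f"masq: outgoing interface {out} is not in interfaces")
        elif iface_zone.get(src) == iface_zone[out]:
            problems.append(f"masq: {src} and {out} are in the same zone, nothing to masquerade")
    return problems


if __name__ == "__main__":
    for name, text in render(BASIC_CONFIG).items():
        print(f"--- /etc/shorewall/{name}\n{text}")
    print("lint:", lint(BASIC_CONFIG) or "no problems")
    print("lint, catch-all first:", lint(dict(BASIC_CONFIG, policy=CATCH_ALL_FIRST)))
```

Running it prints the five tables and an empty problem list for the order recommended above, and two "can never match" problems for the order in which the text creates the policies, which is exactly what a Webmin user sees as "the LAN has no internet" after Start Firewall.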

Advanced Configuration

Now the remaining options come into play. We start with Firewall Rules (rules), which are used for providing services. For example, when you run a web server on the firewall itself, people need access to port 80 on the firewall. Because the web server runs on the server itself, the firewall script places it in the zone Firewall (fw). Note that with the policies defined above the LAN is allowed to reach the internet, not the firewall itself: a connection from loc to the Firewall zone falls through to the catch-all DROP, so Webmin (tcp port 10000) or ssh (tcp port 22) on the firewall need their own rules from source Local, or an extra default policy from Local to Firewall with ACCEPT. Now proceed to the settings page for creating a new Firewall Rule. Here you find the options:

Action: ACCEPT, ACCEPT+, CONTINUE, DNAT, DNAT-, DROP, LOG, NONAT, etc.

Logging: the same syslog level as for the policies above.

Source zone: where the request comes from; a zone can be narrowed to particular hosts, as in net:203.0.113.10.

Destination zone or port: the zone where the request should end up; for DNAT this is zone:host:port on the LAN.

Protocol: look up which protocol the service uses (tcp or udp) and specify it here.

Destination ports: look up the port number the service listens on and enter it here.

In the case of our web server: requests from source zone "Net" to destination zone "Firewall", protocol "TCP", destination port "80" are "Accept"-ed. If you want logging, use the log levels described above:

You can do the same for other services in the same manner; for example you can make Webmin (tcp port 10000) remotely accessible. Be careful, as every open port is another way in: restrict such administrative rules to a source of the form net:address (one listed admin address rather than the whole internet), and make sure Webmin uses SSL or is reached through an ssh tunnel rather than in clear text.

You can also create port forwardings with the Firewall Rules. A port forwarding is an open port on the internet side of the firewall that does not point to a service on the firewall itself but to a port on another computer on the LAN. Let's say that the web server does not run on the firewall but on another server on the LAN with IP address 192.168.1.2. We still have a request for the web server from source "Net". The destination is now not the "Firewall" zone but the local network "Local", restricted to the host 192.168.1.2 on port 80, written as 192.168.1.2:80. Protocol is still "TCP" and the destination port is 80. The request will be "DNAT"-ed; logging is again an option:

Now all requests on tcp port 80 from the internet zone are redirected to the internal address 192.168.1.2 on port 80, and the web server is accessible from outside; Shorewall adds the matching ACCEPT from Net to that host automatically. Keep in mind that the DNAT catches every port-80 connection arriving on the internet side, including ones meant for a web server on the firewall itself, so do not combine it with the Accept rule from the previous example. If for example you have a game server to forward to, specify the protocol as "UDP" instead of "TCP".
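The rules and the port forwarding described above, walked through the way Shorewall evaluates them: DNAT in the nat table before any filtering, then the rules file top to bottom, then the policy file top to bottom, with the first match deciding at each stage. This is an added example in Python, not code from the original page or from the Shorewall project; the rules, zones and IP addresses are constructed sample data (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) and FW=fw is assumed. It shows the two things the text warns about: the DNAT on port 80 also claims connections meant for the firewall's own web server, and the LAN can only reach the firewall itself where an explicit rule allows it.

```python
"""Walk a new connection through the tables from this tutorial the way
Shorewall evaluates them: DNAT entries (nat table) first, then the rules
file top to bottom, then the policy file top to bottom; the first match
at each stage decides.  Sample rules and addresses are constructed for
this example; FW_ZONE assumes the default FW=fw in shorewall.conf."""

FW_ZONE = "fw"

# Rules in file order: (ACTION, SOURCE, DEST, PROTO, DEST PORT).
RULES = [
    ("DNAT",   "net",              "loc:192.168.1.2:80", "tcp", 80),
    ("ACCEPT", "net",              "fw",                 "tcp", 80),     # shadowed by the DNAT above
    ("ACCEPT", "net:203.0.113.10", "fw",                 "tcp", 10000),  # Webmin from one admin address only
    ("ACCEPT", "loc",              "fw",                 "tcp", 10000),  # Webmin from the LAN
]

# Policies in file order: (SOURCE, DEST, POLICY).
POLICIES = [("loc", "net", "ACCEPT"), ("net", "all", "DROP"), ("all", "all", "DROP")]


def _matches(spec, zone, ip):
    """'net' matches the whole zone, 'net:203.0.113.10' only that host, 'all' everything."""
    spec_zone, _, host = spec.partition(":")
    return spec_zone in ("all", zone) and (not host or host == ip)


def _covers(broad, narrow):
    """True when source spec `broad` matches every host that `narrow` matches."""
    bz, _, bh = broad.partition(":")
    nz, _, nh = narrow.partition(":")
    return bz in ("all", nz) and (not bh or bh == nh)


def evaluate(src_zone, src_ip, dst_zone, dst_ip, proto, dport):
    """Return (verdict, reason) for a new connection as Shorewall would decide it."""
    # 1. nat table, PREROUTING: a DNAT entry rewrites the destination before
    #    filtering and matches whatever address the packet was sent to.
    for n, (action, src, dst, rproto, rport) in enumerate(RULES, 1):
        if (action == "DNAT" and _matches(src, src_zone, src_ip)
                and (rproto, rport) == (proto, dport)):
            target = dst.split(":")  # zone, host, optional port
            port = int(target[2]) if len(target) > 2 else dport
            return "DNAT", (f"rule {n}: to {target[1]}:{port} in zone {target[0]} "
                            f"(matching ACCEPT added by Shorewall)")
    # 2. filter table: the rules file, first match wins.
    for n, (action, src, dst, rproto, rport) in enumerate(RULES, 1):
        if (action != "DNAT" and _matches(src, src_zone, src_ip)
                and _matches(dst, dst_zone, dst_ip) and (rproto, rport) == (proto, dport)):
            return action, f"rule {n}"
    # 3. the policy file, first match wins.
    for src, dst, policy in POLICIES:
        if src in ("all", src_zone) and dst in ("all", dst_zone):
            return policy, f"policy {src} {dst}"
    return "DROP", "no policy (Shorewall refuses to start without one)"


def shadowed_by_dnat(rules=RULES):
    """Numbers of filter rules whose traffic a DNAT entry claims before they are reached."""
    dnats = [r for r in rules if r[0] == "DNAT"]
    return [n for n, (action, src, _, proto, port) in enumerate(rules, 1)
            if action != "DNAT"
            and any(_covers(d[1], src) and (d[3], d[4]) == (proto, port) for d in dnats)]


if __name__ == "__main__":
    cases = [
        ("net", "198.51.100.7",  "fw",  "203.0.113.1", "tcp", 80),     # web server on the firewall? no: DNAT wins
        ("net", "198.51.100.7",  "fw",  "203.0.113.1", "tcp", 10000),  # Webmin from a stranger
        ("net", "203.0.113.10",  "fw",  "203.0.113.1", "tcp", 10000),  # Webmin from the admin address
        ("loc", "192.168.1.50",  "net", "198.51.100.7", "tcp", 443),   # LAN browsing
        ("loc", "192.168.1.50",  "fw",  "192.168.1.1", "tcp", 22),     # ssh to the firewall from the LAN
    ]
    for case in cases:
        print(case, "->", evaluate(*case))
    print("rules shadowed by DNAT:", shadowed_by_dnat())
```

The last case is the surprise for most readers of this tutorial: with only "loc net ACCEPT" as a policy, ssh from the LAN to the firewall itself hits the catch-all and is dropped, while Webmin from the LAN works only because rule 4 allows it explicitly.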

In Types of Service (tos) you can mark which kind of traffic gets which priority by setting the TOS field of the IP header; the marking only helps where the routers along the way honour it, and keep in mind that the iproute or iproute2 package must be installed for this feature. For example, if you want to give web browsing by clients priority, specify the source zone as "Local", the destination zone as "Net", protocol "TCP" and destination port 80, and choose Minimize-Delay as the type of service, since a quick response is what matters there. For bulk transfers you would instead choose Maximize-Throughput.

Multiple interfaces

Warning: this part of the firewall configuration is doable, but should be approached with some consideration; it is advisable to play around with Shorewall for some time before attempting configurations other than the standard two-NIC setup.

If you have for example one interface for internet access but two LANs, you have three NICs in total. How do we deal with this in Shorewall? There are several approaches, but the easiest is to give each LAN its own IP range, so LAN 1 gets 192.168.0.0/24 and LAN 2 gets 192.168.1.0/24 (the /24 is CIDR notation for a 24-bit netmask, 255.255.255.0). For Shorewall this means an extra zone for the second LAN: define the zone, add the extra interface under "interfaces" and couple it with the new zone. To give the second LAN internet access, add a default policy from that zone to Net and masquerade its interface on eth0 as well. To let the two LANs reach each other, a default policy is needed in each direction (or, more safely, explicit rules for just the services they need from one another). For ease of use it is also possible to let the firewall server act as a WINS server.

This works the same for VPN sessions. For example, if you make a PPTP connection from the server to another server, the VPN adapter is called ppp0; create an extra zone for it and attach the interface to that zone. Policies and firewall rules can then be added as needed to build the right set of rules for the connection. The same applies to incoming PPTP VPN connections.

Using more than one interface on the internet side is a routing problem before it is a firewalling one: the kernel needs policy routing so that each connection leaves through the right provider (Shorewall's providers table handles this in the versions that have it; see the multiple-ISP how-to at www.shorewall.net). Traffic shaping such as HTB is a separate feature for prioritising bandwidth and does not by itself split traffic across two uplinks. You can still create the second interface and a second external zone, but keep in mind that the server's routing gets confused by two default routes. If you plan to use one interface for access to an external network but not for general internet access, adjust your routing table accordingly.


Original Document Configuring Shorewall Using Webmin by Rouke de Jong