How to do it...

  1. We begin with installing Shorewall on our system using the apt-get command:

  2. Once the installation is complete, try to start Shorewall. You will get an error message as shown here:

This means Shorewall must be configured before it will start.

  3. To configure Shorewall, edit the /etc/default/shorewall file in the editor of your choice. Look for the line that reads startup=0 and change its value to 1:

  4. Next, edit the /etc/shorewall/shorewall.conf file and find the line that reads IP_FORWARDING. Verify that its value is set to On:

  5. The configuration files of Shorewall are located in the /etc/shorewall directory. The minimum files essential for it to work are interfaces, policy, rules, and zones. If any of these files are missing from /etc/shorewall after installation, the same files can be found in the /usr/share/doc/shorewall/default-config/ directory. Copy the required files from that location to the /etc/shorewall directory.
  6. Now, edit the /etc/shorewall/interfaces file and add the lines shown in the following screenshot:

We are referring to eth0 as net in our configuration and eth1 as local. You can choose any other name, as long as it is alphanumeric and 5 characters or fewer.

  7. Next, edit the /etc/shorewall/zones file. Zone is mainly used to set whether to use ipv4 or ipv6:

In the previous configuration, fw refers to the Shorewall firewall host itself. The next two lines define ipv4 for both the network interfaces.

  8. Now, edit the /etc/shorewall/policy file. This file is mainly used to set the overall policy of who is allowed to go where. Each line in this file is processed from top to bottom and each is read in the following format: if a packet is sent from the ____ to the __, then ______ it:

In our example, if we read the first policy, it will be read as follows: if a packet is sent from the local to the net, then accept it. You can add as many policies as you want in the same way, and the Shorewall firewall will work accordingly.

  9. Finally, we edit the /etc/shorewall/rules file. This file is used to create exceptions to the policy. It is mainly used if you wish to allow people from the external network into the internal network. A sample rules file is shown here:

We have added a rule that says: accept a packet if it is sent from the net to the fw using the TCP protocol on port number 80.

  10. Once we are done with configuring the previous files as per our requirements, we can test the settings by running this command:
    shorewall check
  11. In the output shown, scroll to the bottom, and if it says Shorewall configuration verified, it means the settings have been done properly and now shorewall can be used as a firewall:

  12. Now, restart the shorewall service to apply the settings:
    service shorewall restart
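The whole procedure above, collected into one script as an added example (this is not code from the book or from the Shorewall project). It writes the four essential files for the two-interface layout described in the steps (eth0 as net, eth1 as local, fw for the firewall itself), using the column layouts from the Shorewall manual pages, then runs the sanity checks a practitioner wants before the real shorewall check: all four files present, every zone referenced in the policy declared in zones, zone names of at most 5 characters, and a catch-all last policy line so nothing is left to an implicit default. The target directory is a parameter so the script can be exercised on a scratch directory first; the extra policy line allowing the firewall host itself to go anywhere, and the tcpflags/nosmurfs/routefilter interface options, are assumptions of this example rather than settings taken from the book.

```shell
#!/bin/sh
# Added example: generate and sanity-check a minimal Shorewall configuration.
# Pass /etc/shorewall (as root) to write the real configuration; by default it
# writes to a scratch directory so it can be tried without touching the system.
set -eu

# write_shorewall_config DIR -- create interfaces, zones, policy and rules in DIR
write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"

    # interfaces: zone, interface, broadcast (detect), options.
    # tcpflags/nosmurfs drop malformed packets; routefilter enables reverse-path checks.
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter
local   eth1        detect      tcpflags,nosmurfs
EOF

    # zones: fw is the firewall host itself; the other two are ipv4 zones
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
local   ipv4
EOF

    # policy: "if a packet is sent from SOURCE to DEST, then POLICY it", read top to
    # bottom. The first line is the book's example; the $FW line is an assumption of
    # this example; the last two lines are a logged default-deny catch-all.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOGLEVEL
local   net     ACCEPT
$FW     all     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # rules: exceptions to the policy; let the outside reach HTTP on the firewall
    cat > "$dir/rules" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DPORT
ACCEPT  net     $FW     tcp     80
EOF
}

# check_shorewall_config DIR -- cheap checks before running the real "shorewall check".
# Returns 0 when the configuration passes, 1 (with a message on stderr) otherwise.
check_shorewall_config() {
    dir="$1"
    for f in interfaces policy rules zones; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done

    # zone names: first column of non-comment lines, at most 5 characters each
    zones=$(awk '!/^#/ && NF { print $1 }' "$dir/zones")
    for z in $zones; do
        [ "${#z}" -le 5 ] || { echo "zone name longer than 5 characters: $z" >&2; return 1; }
    done

    # every SOURCE/DEST in policy must be a declared zone, "all", or the $FW variable
    for z in $(awk '!/^#/ && NF { print $1; print $2 }' "$dir/policy"); do
        case "$z" in all|'$FW') continue ;; esac
        echo "$zones" | grep -qxF "$z" || { echo "undeclared zone in policy: $z" >&2; return 1; }
    done

    # the last policy line should be a catch-all (all all ...) so no path is left undefined
    last=$(awk '!/^#/ && NF { line=$0 } END { print line }' "$dir/policy")
    set -- $last
    [ "${1:-}" = all ] && [ "${2:-}" = all ] || { echo "policy does not end with a catch-all line" >&2; return 1; }
    return 0
}

# verify_with_shorewall DIR -- compile DIR with the real tool when it is installed
verify_with_shorewall() {
    if command -v shorewall >/dev/null 2>&1; then
        shorewall check "$1"
    else
        echo "shorewall not installed; skipping 'shorewall check'" >&2
    fi
}

# Usage: sh shorewall-setup.sh [DIR]   (DIR defaults to a scratch directory)
target="${1:-${TMPDIR:-/tmp}/shorewall-example}"
write_shorewall_config "$target"
check_shorewall_config "$target" && echo "basic checks passed for $target"
verify_with_shorewall "$target"
```

After the files pass both the script's checks and shorewall check, copy or write them into /etc/shorewall and restart the service as in step 12; the script deliberately never restarts anything itself, so a mistake in a scratch run cannot lock you out of the host.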