Shorewall 5 on EL7 - Revision history

Digimer: /* Starting the Firewall */

2016-07-02T05:36:28Z

Starting the Firewall

← Older revision		Revision as of 05:36, 2 July 2016
Line 503:		Line 503:

	This will print out the actual firewall rules. You will need some experience with <span class="code">[[TLUG Talk: Netfilter\|iptables]]</span> to understand all their meaning, but the general flow should be understandable.		This will print out the actual firewall rules. You will need some experience with <span class="code">[[TLUG Talk: Netfilter\|iptables]]</span> to understand all their meaning, but the general flow should be understandable.

			= Configure DHCP =

			{{note\|1=If you have an external DHCP server, or don't need one, you can stop here.}}

			This section is not a complete tutorial on DHCP server setup. To read a more comprehensive tutorial, see:

			* [[DHCP on an RPM-based OS]]

			Start, as always, by creating a backup.

			<syntaxhighlight lang="bash">
			mkdir /etc/dhcp/backups
			cp /etc/dhcp/dhcpd.conf /etc/dhcp/backups/
			</syntaxhighlight>

			Edit the <span class="code">dhcpd.conf</span> file. Remove the default comments at the top and then configure it for your environment.

			<syntaxhighlight lang="vim">
			vim /etc/dhcp/dhcpd.conf
			</syntaxhighlight>
			<syntaxhighlight lang="text">
			### Global options
			# General domain information
			option domain-name "alteeve.ca";
			option domain-name-servers 8.8.8.8, 8.8.4.4;

			# Tell the server that it's authoritative on our network.
			authoritative;

			# This is required for EL5 operating systems but is optional on EL6 and newer
			# Fedoras (F13+, at least). It controls how dynamic DNS updating is handled. In
			# our case, we aren't concerned about DDNS so we'll set it to 'none'.
			ddns-update-style none;

			### Subnet options
			subnet 10.200.0.0 netmask 255.255.0.0 {
			# This is the DHCP server, but not the actual Internet gateway. So this
			# Argument points our clients to the right box.
			option routers 10.200.255.254;

			# Set our range. This can be whatever you want so long as it fits in
			# your netmask.
			range 10.200.1.10 10.200.1.250;

			# If clients don't ask, make the lease available for the following
			# number of seconds. If the client does ask, allow up to this number of
			# seconds. 86,400s = 24h.
			default-lease-time 86400;
			max-lease-time 86400;
			}
			</syntaxhighlight>

			Start and enable the dhcp server.

			<syntaxhighlight lang="bash">
			systemctl start dhcpd
			systemctl enable dhcpd
			</syntaxhighlight>
			<syntaxhighlight lang="text">
			Created symlink from /etc/systemd/system/multi-user.target.wants/dhcpd.service to /usr/lib/systemd/system/dhcpd.service.
			</syntaxhighlight>

			Make sure it started OK:

			<syntaxhighlight lang="bash">
			systemctl status dhcpd
			</syntaxhighlight>
			<syntaxhighlight lang="text">
			● dhcpd.service - DHCPv4 Server Daemon
			Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled; vendor preset: disabled)
			Active: active (running) since Sat 2016-07-02 04:14:17 EDT; 36s ago
			Docs: man:dhcpd(8)
			man:dhcpd.conf(5)
			Main PID: 1922 (dhcpd)
			Status: "Dispatching packets..."
			CGroup: /system.slice/dhcpd.service
			└─1922 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid

			Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]: Sending on LPF/lan0/00:90:fb:4d:3b:a1/10.200.0.0/16
			Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]:
			Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]: No subnet declaration for wan0 (10.255.1.105).
			Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]: ** Ignoring requests on wan0. If this is not what
			Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]: you want, please write a subnet declaration
			Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]: in your dhcpd.conf file for the network segment
			Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]: to which interface wan0 is attached. **
			Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]:
			Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]: Sending on Socket/fallback/fallback-net
			Jul 02 04:14:17 an-fw05.alteeve.ca systemd[1]: Started DHCPv4 Server Daemon.
			</syntaxhighlight>

			Don't worry about that error. We only want the DHCP server listening for requests on <span class="code">lan0</span>. We can verify that it is by checking syslog;

			<syntaxhighlight lang="bash">
			journalctl -n 100 \|grep lan0
			</syntaxhighlight>
			<syntaxhighlight lang="text">
			Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]: Listening on LPF/lan0/00:90:fb:4d:3b:a1/10.200.0.0/16
			Jul 02 04:14:17 an-fw05.alteeve.ca dhcpd[1922]: Sending on LPF/lan0/00:90:fb:4d:3b:a1/10.200.0.0/16
			</syntaxhighlight>

			Perfect!

			If all went well, you now have a fully functioning router and firewall.

	{{footer}}		{{footer}}

Digimer: Digimer moved page Shorewall5 on EL7 to Shorewall 5 on EL7

2016-07-02T05:22:23Z

Digimer moved page Shorewall5 on EL7 to Shorewall 5 on EL7

← Older revision		Revision as of 05:22, 2 July 2016
(No difference)

Digimer: Created page with "{{howto_header}} This covers setup and maintenance of Shorewall 5 on Enterprise Linux 7.x (RHEL, CentOS and derivatives). * Note: A previou..."

2016-07-02T05:22:12Z

Created page with "{{howto_header}} This covers setup and maintenance of Shorewall 5 on Enterprise Linux 7.x (RHEL, CentOS and derivatives). * Note: A previou..."

Páàjì titun

{{howto_header}}

This covers setup and maintenance of Shorewall 5 on Enterprise Linux 7.x ([[RHEL]], [[CentOS]] and derivatives).

* Note: A previous version of this tutorial for [[EL6]] and Shorewall 4.x is: "[[Shorewall on RPM-based Servers]]"

This tutorial will introduce the basic concepts of firewalling by taking an Internet connection and sharing it with a local subnetwork of computers. It will also act as a [[DHCP]] server for the internal network. This combination of DHCP server and internet routing will cover the most common use case for shorewall; Acting as a traditional Internet router.

= Install =

Install is trivial via the [https://fedoraproject.org/wiki/EPEL EPEL] repository.

== Adding the EPEL Repo ==

If your firewall does not yet have EPEL installed, do so now:

<syntaxhighlight lang="bash">
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
</syntaxhighlight>

== Rename Interfaces ==

For this tutorial, we will use two network interfaces. To make them easier to track, rename the two interfaces to reflect their role. We will use lan0 for the internal network and wan0 for the interface connected to the outside Internet.

If you are unfamiliar with renaming interfaces in [[EL7]], please pause and follow this tutorial:

* [[Changing Ethernet Device Names in EL7 and Fedora 15+]]

== Install Shorewall 5 ==

Now to install Shorewall 5, and while we're at it, we will install DHCP server as well.

<syntaxhighlight lang="bash">
yum install shorewall dhcp
</syntaxhighlight>

That was easy.

= Setup =

You need to decide which interface will have your internet connection on it and which will connect to your internal network. For this tutorial;

* lan0; Faces the internal network, has the IP 10.200.255.254/16 and provides DHCP services to the LAN.
* wan0; Faces the Internet.

== Configuring Shorewall ==

All configuration files are in the /etc/shorewall directory, unless explicitly defined. The main Shorewall configuration file, which we will edit last is /etc/shorewall/shorewall.conf.

The files to edit are listed in the order we will edit them in the following subsections.

=== Backups ===

Before we start, we will create a backups directory and save original copies of the files there.

<syntaxhighlight lang="bash">
mkdir /etc/shorewall/backups
cp /etc/shorewall/zones /etc/shorewall/backups/
cp /etc/shorewall/interfaces /etc/shorewall/backups/
cp /etc/shorewall/policy /etc/shorewall/backups/
cp /etc/shorewall/rules /etc/shorewall/backups/
cp /etc/shorewall/masq /etc/shorewall/backups/
cp /etc/shorewall/shorewall.conf /etc/shorewall/backups/
</syntaxhighlight>

=== zones ===

This controls the main "zones" used by Shorewall. The fw is special in that it defines the firewall itself. The wan zone is the Internet-facing network (wan0 in this tutorial). The lan is the local network, the internal network of machines the firewall is protecting, which is lan0 in this tutorial. Both lan0 and wan0 are [[ipv4]] networks.

Append two new lines telling shorewall that we have two new ipv4 networks that it will use so that the zones file looks like:

<syntaxhighlight lang="bash">
###############################################################################
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS

fw firewall
wan ipv4
lan ipv4
</syntaxhighlight>

=== interfaces ===

Just above, we told shorewall that we had two new ipv4 networks. In the interfaces configuration file, we link these networks to physical interfaces.

To link the new networks to the physical interfaces, append the following entries so that the interfaces file looks like:

<syntaxhighlight lang="bash">
?FORMAT 2
###############################################################################
#ZONE INTERFACE OPTIONS
lan lan0 dhcp
wan wan0
</syntaxhighlight>

=== policy ===

Here you tell shorewall what the default policy is for each network when receiving new connection requests. You don't need to worry about ESTABLISHED and RELATED connections as shorewall handles these rules. The choices are:

{|class="wikitable"
!Action
!Description
|-
|class="code"|ACCEPT
|Accept the connection.
|-
|class="code"|DROP
|Ignore the connection request.
|-
|class="code"|REJECT
|Return an appropriate error to the connection request.
|}

You can also set the log level for connection requests that fall off the chain and hit these policies. It's a good idea to log info level so you can see twits trying to do "bad things(tm)". The one downside to using info is that it pushes a lot of data into the log files, which might make debugging other issues on the firewall. It's really up to you in the end.

Append the following default policies so that the policy file looks like:

<syntaxhighlight lang="bash">
###############################################################################
#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT

# Let everything from the firewall machine out onto the WAN.
fw wan ACCEPT

# Likewise, allow everything from the firewall out onto the local network.
fw lan ACCEPT

# Don't allow incoming connections from the WAN into the fireall *or* into the
# local network. Add 'info' here if you want to log failed connection attempts.
wan all DROP info

# Don't allow incoming connections from the local network into the firewall.
lan fw DROP

# Let machines on the local network out onto the web
lan wan ACCEPT
</syntaxhighlight>

=== rules ===

This is really the heart of the firewall.

Here you tell shorewall what the exceptions there are to the default policies. The first rule to match is used.

The example below shows a setup where remote access in to the firewall itself is allowed only on port 22000 (modified [[SSH]] port). An example SSH forward from the external TCP port 3022 to an internal server on the private network listening on the standard [[SSH]] TCP port 22.

This example can be easily adapted to any other use. Just create a new entry per line, choosing the external port and pointing it at the desired IP address the internal machine is using and the TCP the internal machine's server is listening on. You can use the same external and internal TCP port if you wish to make the connection more seamless for external users. It is entirely up to you.

We'll also add a couple special rules that tells shorewall to respond to [[ICMP]] ping requests. Some people don't like this as ping sweeps are a quick way for malicious people to find servers on the net. Personally, I find the usefulness of being able to ping my firewall more beneficial. Also, "security through obscurity is no security at all".

Append rules so that the it file looks like.

<syntaxhighlight lang="bash">
vim /etc/shorewall/rules
</syntaxhighlight>
<syntaxhighlight lang="text">
##############################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER

?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

# Allow pings, because this author finds being able to ping for helpful than
# risky.
Ping(ACCEPT) wan fw
Ping(ACCEPT) lan fw

# Allow SSH into the firewall from the WAN on port 22000 and from the LAN on
# port 22 and 22000.
ACCEPT wan fw tcp 22000
ACCEPT lan fw tcp 22000
ACCEPT lan fw tcp 22

### Example; Enable and adapt to your needs.
# Allow SSH connection from the WAN on external port 3022 to an internal server
# at IP 10.200.255.250 port 22.
#ACCEPT wan lan:10.200.255.250:22 3022
</syntaxhighlight>

=== masq ===

This is the file that handles [[MASQ]]erading the machines on the local LAN (the lan zone). This is how shorewall provides internet access to an entire [[subnet]] of machines on a given network.

So to enable Internet access from your machines, you need to add a line with the '''Internet facing interface''' followed by the subnet of the '''local''' network that you will be masquerading.

Append masq so that the it file looks like.

<syntaxhighlight lang="bash">
vim /etc/shorewall/masq
</syntaxhighlight>
<syntaxhighlight lang="bash">
###################################################################################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
wan0 10.200.0.0/16
</syntaxhighlight>

=== shorewall.conf ===

Once you have the above files in place, you need to enable the firewall.

Edit /etc/shorewall/shorewall.conf and change the following lines:

<syntaxhighlight lang="bash">
vim /etc/shorewall/shorewall.conf
</syntaxhighlight>
<syntaxhighlight lang="bash">
STARTUP_ENABLED=No
</syntaxhighlight>

To:

<syntaxhighlight lang="bash">
STARTUP_ENABLED=Yes
</syntaxhighlight>

To keep the noise in the syslog down, we'll tell shorewall to use a dedicated log file. Change:

<syntaxhighlight lang="bash">
LOGFILE=/var/log/messages
</syntaxhighlight>

To:

<syntaxhighlight lang="bash">
LOGFILE=/var/log/shorewall
</syntaxhighlight>

= Starting the Firewall =

== Disable firewalld ==

Before we can start using shorewall, we need to stop and disable the built-in firewall called firewalld.

<syntaxhighlight lang="bash">
systemctl stop firewalld
systemctl disable firewalld
</syntaxhighlight>
<syntaxhighlight lang="text">
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
</syntaxhighlight>

Make sure the firewall is off.

<syntaxhighlight lang="bash">
systemctl status firewalld
</syntaxhighlight>
<syntaxhighlight lang="text">
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)

Jul 02 02:11:20 an-fw05.alteeve.ca systemd[1]: Starting firewalld - dynamic firewall daemon...
Jul 02 02:11:21 an-fw05.alteeve.ca systemd[1]: Started firewalld - dynamic firewall daemon.
Jul 02 03:56:48 an-fw05.alteeve.ca systemd[1]: Stopping firewalld - dynamic firewall daemon...
Jul 02 03:56:50 an-fw05.alteeve.ca systemd[1]: Stopped firewalld - dynamic firewall daemon.
</syntaxhighlight>

We can double-confirm by looking at iptables-save:

<syntaxhighlight lang="bash">
iptables-save
</syntaxhighlight>
<syntaxhighlight lang="bash">
# No output
</syntaxhighlight>

== Starting shorewall ==

{{warning|1=If there are any problems, this might well lock you out of your firewall. Be sure you have direct access to the firewall before proceeding!}}

To start the firewall, simply run:

<syntaxhighlight lang="bash">
systemctl start shorewall
systemctl enable shorewall
</syntaxhighlight>
<syntaxhighlight lang="text">
Created symlink from /etc/systemd/system/basic.target.wants/shorewall.service to /usr/lib/systemd/system/shorewall.service.
</syntaxhighlight>

Verify that it is running and enabled;

<syntaxhighlight lang="bash">
systemctl status shorewall
</syntaxhighlight>
<syntaxhighlight lang="text">
● shorewall.service - Shorewall IPv4 firewall
Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor preset: disabled)
Active: active (exited) since Sat 2016-07-02 03:59:53 EDT; 53s ago
Main PID: 1568 (code=exited, status=0/SUCCESS)

Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Setting up Route Filtering...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Setting up Martian Logging...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Setting up Proxy ARP...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Preparing iptables-restore input...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Running /sbin/iptables-restore ...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: IPv4 Forwarding Enabled
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Processing /etc/shorewall/start ...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Processing /etc/shorewall/started ...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: done.
Jul 02 03:59:53 an-fw05.alteeve.ca systemd[1]: Started Shorewall IPv4 firewall.
</syntaxhighlight>

To see the new rules in place, simply run:

<syntaxhighlight lang="bash">
iptables-save
</syntaxhighlight>
<syntaxhighlight lang="text">
# Generated by iptables-save v1.4.21 on Sat Jul 2 04:01:15 2016
*nat
:PREROUTING ACCEPT [6:1404]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:144]
:POSTROUTING ACCEPT [1:144]
:wan0_masq - [0:0]
-A POSTROUTING -o wan0 -j wan0_masq
-A wan0_masq -s 10.200.0.0/16 -j MASQUERADE
COMMIT
# Completed on Sat Jul 2 04:01:15 2016
# Generated by iptables-save v1.4.21 on Sat Jul 2 04:01:15 2016
*mangle
:PREROUTING ACCEPT [83:6436]
:INPUT ACCEPT [83:6436]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [51:6584]
:POSTROUTING ACCEPT [51:6584]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A INPUT -j tcin
-A FORWARD -j MARK --set-xmark 0x0/0xff
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Sat Jul 2 04:01:15 2016
# Generated by iptables-save v1.4.21 on Sat Jul 2 04:01:15 2016
*raw
:PREROUTING ACCEPT [91:6852]
:OUTPUT ACCEPT [60:7880]
-A PREROUTING -p udp -m udp --dport 10080 -j CT --helper amanda
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
-A PREROUTING -p udp -m udp --dport 1719 -j CT --helper RAS
-A PREROUTING -p tcp -m tcp --dport 1720 -j CT --helper Q.931
-A PREROUTING -p tcp -m tcp --dport 6667 -j CT --helper irc
-A PREROUTING -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A PREROUTING -p tcp -m tcp --dport 1723 -j CT --helper pptp
-A PREROUTING -p tcp -m tcp --dport 6566 -j CT --helper sane
-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
-A PREROUTING -p udp -m udp --dport 161 -j CT --helper snmp
-A PREROUTING -p udp -m udp --dport 69 -j CT --helper tftp
-A OUTPUT -p udp -m udp --dport 10080 -j CT --helper amanda
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p udp -m udp --dport 1719 -j CT --helper RAS
-A OUTPUT -p tcp -m tcp --dport 1720 -j CT --helper Q.931
-A OUTPUT -p tcp -m tcp --dport 6667 -j CT --helper irc
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
-A OUTPUT -p tcp -m tcp --dport 6566 -j CT --helper sane
-A OUTPUT -p udp -m udp --dport 5060 -j CT --helper sip
-A OUTPUT -p udp -m udp --dport 161 -j CT --helper snmp
-A OUTPUT -p udp -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Sat Jul 2 04:01:15 2016
# Generated by iptables-save v1.4.21 on Sat Jul 2 04:01:15 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Broadcast - [0:0]
:Drop - [0:0]
:Reject - [0:0]
:dynamic - [0:0]
:fw-lan - [0:0]
:fw-wan - [0:0]
:lan-fw - [0:0]
:lan-wan - [0:0]
:lan_frwd - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:reject - [0:0]
:sfilter - [0:0]
:sha-lh-85bd0fbd43893f6cb64f - [0:0]
:sha-rh-1564976a559d45f214cb - [0:0]
:shorewall - [0:0]
:tcpflags - [0:0]
:wan-fw - [0:0]
:wan-lan - [0:0]
:wan_frwd - [0:0]
-A INPUT -i wan0 -j wan-fw
-A INPUT -i lan0 -j lan-fw
-A INPUT -i lo -j ACCEPT
-A INPUT -j Drop
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:DROP:" --log-level 6
-A INPUT -j DROP
-A FORWARD -i wan0 -j wan_frwd
-A FORWARD -i lan0 -j lan_frwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -g reject
-A OUTPUT -o wan0 -j fw-wan
-A OUTPUT -o lan0 -j fw-lan
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -g reject
-A Broadcast -m addrtype --dst-type BROADCAST -j DROP
-A Broadcast -m addrtype --dst-type MULTICAST -j DROP
-A Broadcast -m addrtype --dst-type ANYCAST -j DROP
-A Drop
-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -j Broadcast
-A Drop -m conntrack --ctstate INVALID -j DROP
-A Drop -p udp -m multiport --dports 135,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A Reject
-A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -j Broadcast
-A Reject -m conntrack --ctstate INVALID -j DROP
-A Reject -p udp -m multiport --dports 135,445 -m comment --comment SMB -g reject
-A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB -g reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -g reject
-A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -g reject
-A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A fw-lan -p udp -m udp --dport 67:68 -j ACCEPT
-A fw-lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-lan -j ACCEPT
-A fw-wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-wan -j ACCEPT
-A lan-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A lan-fw -p udp -m udp --dport 67:68 -j ACCEPT
-A lan-fw -p tcp -j tcpflags
-A lan-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A lan-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
-A lan-fw -p tcp -m tcp --dport 22000 -j ACCEPT
-A lan-fw -p tcp -m tcp --dport 22 -j ACCEPT
-A lan-fw -j Drop
-A lan-fw -j DROP
-A lan-wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A lan-wan -j ACCEPT
-A lan_frwd -o lan0 -g sfilter
-A lan_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A lan_frwd -p tcp -j tcpflags
-A lan_frwd -o wan0 -j lan-wan
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A sfilter -j LOG --log-prefix "Shorewall:sfilter:DROP:" --log-level 6
-A sfilter -j DROP
-A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
-A wan-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A wan-fw -p tcp -j tcpflags
-A wan-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A wan-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
-A wan-fw -p tcp -m tcp --dport 22000 -j ACCEPT
-A wan-fw -j Drop
-A wan-fw -j LOG --log-prefix "Shorewall:wan-fw:DROP:" --log-level 6
-A wan-fw -j DROP
-A wan-lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A wan-lan -j Drop
-A wan-lan -j LOG --log-prefix "Shorewall:wan-lan:DROP:" --log-level 6
-A wan-lan -j DROP
-A wan_frwd -o wan0 -g sfilter
-A wan_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A wan_frwd -p tcp -j tcpflags
-A wan_frwd -o lan0 -j wan-lan
COMMIT
# Completed on Sat Jul 2 04:01:15 2016
</syntaxhighlight>

This will print out the actual firewall rules. You will need some experience with [[TLUG Talk: Netfilter|iptables]] to understand all their meaning, but the general flow should be understandable.

{{footer}}