Simple Firewall Solutions for a Linux Laptop with Multiple Interfaces

2007-07-12

Firewall
Iptables
Shorewall
Configuration
Start and Stop
Reducing the number of Services Running

Firewall

I needed something as simple as possible that fit a laptop with two interfaces (cable and wireless) plus the tun0 interface that vpnc brings up. Firestarter seemed nice, but I could not get it to work with multiple interfaces. The two best solutions I found were Shorewall and plain iptables. I currently use Shorewall.

The following notes are for a laptop running Debian Etch, but most of them apply to any Linux system.

Iptables

Requirements: netfilter/iptables support in the kernel and the iptables package.

iptables is easy to use for a simple setup. Get ./iptables.init.d, rename it to iptables (or whatever you prefer), copy it into /etc/init.d and enable it at boot with something like:

update-rc.d iptables defaults

The script is documented in its comments.

Create dirs for rules:

mkdir /var/lib/iptables
mkdir /var/lib/ip6tables

Set up some rules with iptables:

# open for ssh
/sbin/iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT

# close everything else
/sbin/iptables -A INPUT -p tcp --syn -j DROP

These two rules only touch TCP connection attempts: --syn matches the first packet of a TCP connection and nothing else, so replies to connections the laptop opens and all UDP traffic pass untouched. They are the bare minimum, not a complete firewall.

(It is a good idea to keep the rules in a file rather than typing them in each time.)

Save the running rules as the rule set named active:

/etc/init.d/iptables save active

Clear all rules and save the (now empty) result as the rule set named inactive:

/etc/init.d/iptables clear
/etc/init.d/iptables save inactive

Start the firewall, which loads the active rule set:

/etc/init.d/iptables start
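The two rules above are the skeleton; in practice one also wants loopback, connection tracking and a default DROP policy. The script below is an added example, not the page's own rules and not the Debian init script's code. It prints such a rule set in iptables-save format, which is what iptables-restore loads and what (assumed here) the init script keeps under /var/lib/iptables/active. The port list argument and the output file name are assumptions. The rules never name an interface, so they hold for eth0, eth1 and tun0 alike, which is the point for a laptop whose links come and go.

```shell
#!/bin/sh
# Added example: print a stateful iptables-restore ruleset for a laptop whose
# interfaces (eth0, eth1, tun0) come and go. No rule names an interface, so
# the set stays valid whichever link is up.
#
# Usage:  sh laptop-rules.sh "22"     > /var/lib/iptables/active   (assumed path)
#         sh laptop-rules.sh "22 80"  | iptables-restore

# Print an iptables-restore ruleset to stdout.
# $1: space separated list of TCP ports to accept new connections on (default: 22)
gen_ruleset() {
    tcp_ports=${1:-22}
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, on any interface
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no known connection (bad TCP flags, stray ACKs)
-A INPUT -m state --state INVALID -j DROP
# allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    for port in $tcp_ports; do
        echo "-A INPUT -p tcp --syn --dport $port -j ACCEPT"
    done
    cat <<'EOF'
# anything else (new TCP, all UDP) falls through to the INPUT policy: DROP
COMMIT
EOF
}

# Count the ACCEPT rules in a ruleset read from stdin: a quick sanity check
# before loading (4 fixed rules plus one per open port).
count_accepts() {
    grep -c -e '-j ACCEPT'
}

gen_ruleset "$1"
```

Review the output before loading it; the counterpart of the page's "save active" step is simply redirecting the output to the saved rule set and starting the init script.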

Shorewall

Requirements: netfilter/iptables support in the kernel and the packages iptables and shorewall.

Shorewall (Shoreline Firewall, http://www.shorewall.net/) is a wrapper around iptables/netfilter. The version in Debian Etch is currently 3.2.6. A good short introduction is http://www.shorewall.net/Introduction.html. (The Sarge and Etch versions are not configuration-compatible: a Sarge configuration has to be rewritten to work under Etch.)

Configuration

/etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST   OPTIONS

# cable
net     eth0    detect dhcp

# wireless
net     eth1    detect dhcp

# vpnc/dbc
net     tun0    detect dhcp

/etc/shorewall/zones:

#ZONE   TYPE

# the firewall (localhost)
fw      firewall

# the internet
net     ipv4

/etc/shorewall/rules:

#ACTION   SOURCE        DEST            PROTO   DEST PORT(S)

# accept ssh connections between any two zones (net to fw as well as fw to net)
ACCEPT    all           all             tcp     22

# accept ping (ICMP echo request)
ACCEPT    all           all             icmp    8

/etc/shorewall/policy:

#SOURCE        DEST               POLICY   LOG LEVEL

# a connection that matches no rule is handled by the first policy below
# whose source and destination zones match it

# accept everything the laptop itself opens, to any zone
fw             all                ACCEPT

# drop everything else coming from the net, logging at syslog level info
net            all                DROP     info

# catch-all policy: reject (with an error reply) and log whatever is left
all            all                REJECT   info
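The configuration above puts all three interfaces in the same zone, so ssh is reachable from the cable, from the wireless link and from the VPN alike. Giving tun0 its own zone is the usual way to make use of multiple interfaces in Shorewall. The script below is an added example, not the page's configuration and not Shorewall's own code: it writes such a zones/interfaces/policy/rules set into a directory so it can be reviewed before it replaces /etc/shorewall. The zone name vpn, the output directory and the directory argument to shorewall check are assumptions.

```shell
#!/bin/sh
# Added example: put the VPN tunnel in its own Shorewall zone so that ssh is
# reachable only through the tunnel, while cable and wireless stay in "net".
# Writes the four Shorewall 3.2 tables into a directory for review.
#
# Usage:  sh vpn-zone.sh /etc/shorewall   (then /etc/init.d/shorewall restart)

# Write zones, interfaces, policy and rules into directory $1.
write_shorewall_config() {
    dir=$1
    mkdir -p "$dir"
    cat >"$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
vpn     ipv4
EOF
    cat >"$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp
net     eth1        detect      dhcp
# tun0 is point-to-point: no broadcast address, no dhcp
vpn     tun0        -
EOF
    cat >"$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
fw      all     ACCEPT
vpn     all     DROP    info
net     all     DROP    info
all     all     REJECT  info
EOF
    cat >"$dir/rules" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
# ssh only from the VPN side; a scan on eth0/eth1 never reaches sshd
ACCEPT  vpn     fw      tcp     22
# ping from anywhere, so a dead link can still be debugged
ACCEPT  all     fw      icmp    8
EOF
}

# Print the source zone of every ACCEPT rule for tcp/22 in $1/rules,
# i.e. where ssh is reachable from. Expected: exactly "vpn".
ssh_sources() {
    awk '$1 == "ACCEPT" && $4 == "tcp" && $5 == "22" { print $2 }' "$1/rules"
}

dir=${1:-$(mktemp -d)}
write_shorewall_config "$dir"
echo "Shorewall tables written to $dir; ssh accepted from: $(ssh_sources "$dir")"
if command -v shorewall >/dev/null 2>&1; then
    shorewall check "$dir"    # assumed: check accepts a configuration directory
fi
```

Because tun0 only exists while vpnc is running, Shorewall must be started after the tunnel is up, or the interface must be marked optional in the OPTIONS column, for the vpn zone to be usable.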

Start and Stop

Handled by the shorewall init script:

/etc/init.d/shorewall start

/etc/init.d/shorewall stop

Every start or restart compiles the configuration into a fresh set of iptables commands, so a typo in one of the tables only surfaces at that point. "shorewall check" parses the configuration without loading it, so run it before a restart. On Debian the init script refuses to start Shorewall until startup=1 is set in /etc/default/shorewall.

Reducing the number of Services Running

Use netstat to find out what is running and on which ports. Run it as root, otherwise -p cannot name processes owned by other users; adding -n skips the DNS lookups:

# netstat -atup
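What matters on a multi-interface laptop is which of those sockets other hosts can reach at all. As an added example (not part of the page), the filter below reduces netstat -atup output to listening TCP sockets and UDP sockets that are bound to something other than 127.0.0.1 or ::1; services bound only to loopback need no firewall rule. The netstat sample embedded in the script is constructed for the example, and its PIDs and program names are invented.

```shell
#!/bin/sh
# Added example: reduce "netstat -atup" output to the sockets other hosts can
# reach: listening tcp sockets and udp sockets not bound to a loopback address.
# Each result is printed as "proto port pid/program".
#
# Usage:  netstat -atupn | sh exposed.sh

# Filter netstat -atup[n] output on stdin.
exposed_listeners() {
    awk '
        /^tcp/ && $6 != "LISTEN" { next }        # ESTABLISHED, TIME_WAIT, ...
        /^(tcp|udp)/ {
            n = split($4, a, ":"); port = a[n]    # text after the last ":" is the port
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next   # loopback only
            printf "%s %s %s\n", $1, port, $NF
        }'
}

# Constructed sample, not real netstat output: one exposed sshd, cupsd and
# exim4 bound to loopback, one outgoing ssh session and two udp sockets.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2104/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2011/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2290/exim4
tcp        0      0 192.168.1.10:41022      192.168.1.1:22          ESTABLISHED 3011/ssh
tcp6       0      0 ::1:631                 :::*                    LISTEN      2011/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1980/dhclient
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           2050/avahi-daemon'

# Print the exposed sockets from the sample; pipe real netstat output into
# exposed_listeners instead on a live system.
sample_exposed() {
    printf '%s\n' "$SAMPLE" | exposed_listeners
}

sample_exposed
```

On the sample this leaves sshd on tcp/22 and the two UDP sockets (dhclient, avahi-daemon); each remaining line is either a service to stop or a port the firewall must deliberately allow or drop.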