Shorewall Two-Interface

Install Ubuntu (12.04LTS Desktop)
Set proxy if needed
Add Canonical partners to software repositories
apt-get update
apt-get install nedit
apt-get install joe
apt-get install vim
apt-get install xrdp
apt-get install gnome-session-fallback
in your homedir via terminal: echo "gnome-session --session=gnome-fallback" > .xsession
apt-get install bridge-utils
apt-get install shorewall shorewall-doc

edit /etc/network/interfaces to contain:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# To skip network manager
iface eth0 inet manual
iface eth1 inet manual
auto br0
iface br0 inet dhcp
bridge_ports eth0 eth1

copy the presetup shorewall configs to /etc/shorewall/
sudo shorewall check
sudo shorewall start
If you need remote access to this machine, do NOT edit /etc/default/shorewall to set startup=1

Configs:

  • /etc/shorewall
    • Shorewall configuration directory.
  • /etc/shorewall/interfaces
    • Specifies the network interfaces that Shorewall uses. Once Shorewall is setup and configured, this file should remain static.
  • /etc/shorewall/zones
    • Specifies and names the zones that Shorewall uses. Once Shorewall is setup and configured, this file should remain static.
  • /etc/shorewall/policy
    • High-level policy for connections between the zones defined in the zones file. In our case, the default policy is to drop a packet unless a rule is specified in the rules file to allow it to cross.
  • /etc/shorewall/rules
    • This file specifies what traffic will be allowed to cross the firewall. This will be the most actively edited file during testing.
  • /var/log/syslog
    • This is where Shorewall messages are logged.
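
Since the policy drops everything the rules file does not allow, the Shorewall entries in /var/log/syslog show which traffic still needs a rule during testing. The script below is an added example, not part of the original post: it summarises those entries per chain, disposition, protocol and destination port. It assumes Shorewall's default log format ("Shorewall:<chain>:<disposition>:"), and the zone names (net, loc, fw) and sample log lines are constructed.

```python
import re
from collections import Counter

# Default Shorewall LOGFORMAT is "Shorewall:%s:%s:" -> chain name, disposition.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample input (documentation addresses; zone names net/loc/fw assumed).
SAMPLE_SYSLOG = """\
Mar  3 10:15:01 fw kernel: [  812.10] Shorewall:net2loc:DROP:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51544 DPT=3389 SYN
Mar  3 10:15:04 fw kernel: [  815.22] Shorewall:net2loc:DROP:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51544 DPT=3389 SYN
Mar  3 10:16:30 fw kernel: [  901.40] Shorewall:net2fw:DROP:IN=br0 OUT= PHYSIN=eth0 SRC=203.0.113.9 DST=192.0.2.2 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:17:02 fw kernel: [  933.05] Shorewall:loc2net:REJECT:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 PROTO=UDP SPT=40000 DPT=53
Mar  3 10:17:09 fw CRON[2211]: (root) CMD (run-parts /etc/cron.hourly)
"""

def parse_line(line):
    """Return a dict for a Shorewall log line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "src": fields.get("SRC", "-"),
        "dst": fields.get("DST", "-"),
        "proto": fields.get("PROTO", "-"),
        # ICMP entries carry TYPE/CODE instead of a destination port.
        "dport": fields.get("DPT", "-"),
        # On a bridge, PHYSIN names the real port (eth0/eth1) behind br0.
        "physin": fields.get("PHYSIN", "-"),
    }

def summarize(lines):
    """Count logged packets per (chain, disposition, proto, dport)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["chain"], rec["disposition"], rec["proto"], rec["dport"])] += 1
    return counts

if __name__ == "__main__":
    # Replace SAMPLE_SYSLOG.splitlines() with open("/var/log/syslog") on the firewall.
    for (chain, disp, proto, dport), n in summarize(SAMPLE_SYSLOG.splitlines()).most_common():
        print("%4d  %-10s %-7s %s/%s" % (n, chain, disp, proto, dport))
```
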

For logfile analysis, check out logwatch: http://sourceforge.net/projects/logwatch/

For hardening of an Ubuntu system (specifically 12.04LTS) see: http://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics

[this post to be updated/finalized soon]
