How To Configure Dual ADSL / Cable Connections, Firewall, Gateway / NAT With Shorewall Firewall on Linux

By Angsuman Chakraborty, Gaea News Network
Tuesday, October 23, 2007

Shorewall is an excellent free linux firewall which provides unparalleled level of fine grained control. It not only acts as a firewall and Gateway, it also supports DMZ, IP Masquerading (NAT & SNAT), Proxy ARP and more. In short Shorewall is your one stop solution for complex networking routing needs, flexible & controllable internet connectivity options.

The Shoreline Firewall is a high-level tool for configuring Netfilter. The firewall/gateway requirements are described in a set of configuration files. Shorewall reads those configuration files and configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall takes advantage of Netfilter’s connection state tracking capabilities to create a stateful firewall. In short it provides full power of iptables without the associated complexity.

Today I will describe a rather common setup where you have two or more redundant ADSL / Cable / T1 connections which you want to use to provide reliable internet connectivity to your intranet machines. You have set aside a machine which will act as the firewall and gateway. It will also provide transparent connectivity to you intranet machines using NAT / SNAT using the dual connections you have most likely configured earlier with load balancing & fail-over (see below).

Note: This is the second part of article on providing load-balanced with fail-over internet connectivity using two or more DSL / Cable connections. You can read the first part here.

Note: You can also use the concept from this article to configure a setup with single or more than two internet connection(s).

Shorewall is configured using several configuration files. All configuration files are in /etc/shorewall directory.

Shorewall views the network as being composed of zones. Shorewall recognizes the firewall system as its own zone. One or more interfaces can be defined as belonging to a single zone. However you can have multiple zones within a single interface too as well as nested and overlapped zones.

In addition to the default zones I created two new zones - net & loc. I added the following lines to zones file:

net ipv4
loc ipv4

The net zone represents the machines interfaces which provide internet connectivity. I then define associate these zones with the interfaces in the interfaces file by adding the following lines:

net eth1 detect
net eth2 detect
loc eth0 detect

The main functionality of the firewall is configured in the policy file. Here I specify how the traffic is restricted across various zones. I added the following lines in policy file:

loc net ACCEPT
net all DROP info
all all REJECT info

loc net ACCEPT -&rt; Accept all connections from local network to internet
net all DROP info -&rt; Drop all incoming connection requests from network interfaces
$FW net ACCEPT -&rt; Accept connections from firewall to the internet interfaces
$FW loc ACCEPT -&rt; Accept connections from firewall to the local network. You may want to omit this line for added security.
loc $FW ACCEPT -&rt; Accept all connection from local network to firewall machine
all all REJECT info -&rt; Reject everything else

To enable IP Masquerading I need to specify the interfaces between which IP Masq needs to be enabled. I made the following additions to masq files to accomplish this:


The above lines instructs that IP Masquerading should be enabled from intranet to either eth1 or eth2 interfaces.

This completes the core configuration changes. Finally the shorewall.conf needs to be modified to enable shorewall, add the SNAT aliases and you can also do a minor optimization of the firewall while you are at it. The changes to shorewall.conf are as follows:


Now you are ready to go. You should set shorewall to start as a service on rebooting with:
chkconfig shorewall on

You can start it now with:
service shorewall start

December 6, 2009: 2:31 am

How to combine 3x 256 kbps dsl bsnl broadband and 1×2mbps bsnl bb then destribute them to multi clients with the manage of bandwidth ?

August 14, 2009: 2:37 pm

“The Shoreline Firewall is a high-level tool for configuring Netfilter” so, can i use anothe tool for this purpose??

will not be displayed