How To Configure Dual ADSL / Cable Connections, Firewall, Gateway / NAT With Shorewall Firewall on LinuxBy Angsuman Chakraborty, Gaea News Network
Tuesday, October 23, 2007
Shorewall is an excellent free linux firewall which provides unparalleled level of fine grained control. It not only acts as a firewall and Gateway, it also supports DMZ, IP Masquerading (NAT & SNAT), Proxy ARP and more. In short Shorewall is your one stop solution for complex networking routing needs, flexible & controllable internet connectivity options.
The Shoreline Firewall is a high-level tool for configuring Netfilter. The firewall/gateway requirements are described in a set of configuration files. Shorewall reads those configuration files and configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall takes advantage of Netfilter’s connection state tracking capabilities to create a stateful firewall. In short it provides full power of iptables without the associated complexity.
Today I will describe a rather common setup where you have two or more redundant ADSL / Cable / T1 connections which you want to use to provide reliable internet connectivity to your intranet machines. You have set aside a machine which will act as the firewall and gateway. It will also provide transparent connectivity to you intranet machines using NAT / SNAT using the dual connections you have most likely configured earlier with load balancing & fail-over (see below).
Note: This is the second part of article on providing load-balanced with fail-over internet connectivity using two or more DSL / Cable connections. You can read the first part here.
Note: You can also use the concept from this article to configure a setup with single or more than two internet connection(s).
Shorewall is configured using several configuration files. All configuration files are in /etc/shorewall directory.
Shorewall views the network as being composed of zones. Shorewall recognizes the firewall system as its own zone. One or more interfaces can be defined as belonging to a single zone. However you can have multiple zones within a single interface too as well as nested and overlapped zones.
In addition to the default zones I created two new zones - net & loc. I added the following lines to zones file:
The net zone represents the machines interfaces which provide internet connectivity. I then define associate these zones with the interfaces in the interfaces file by adding the following lines:
net eth1 detect
net eth2 detect
loc eth0 detect
The main functionality of the firewall is configured in the policy file. Here I specify how the traffic is restricted across various zones. I added the following lines in policy file:
loc net ACCEPT
net all DROP info
$FW net ACCEPT
$FW loc ACCEPT
loc $FW ACCEPT
all all REJECT info
loc net ACCEPT -&rt; Accept all connections from local network to internet
net all DROP info -&rt; Drop all incoming connection requests from network interfaces
$FW net ACCEPT -&rt; Accept connections from firewall to the internet interfaces
$FW loc ACCEPT -&rt; Accept connections from firewall to the local network. You may want to omit this line for added security.
loc $FW ACCEPT -&rt; Accept all connection from local network to firewall machine
all all REJECT info -&rt; Reject everything else
To enable IP Masquerading I need to specify the interfaces between which IP Masq needs to be enabled. I made the following additions to masq files to accomplish this:
eth1 172.16.0.0/24 192.168.1.10
eth2 172.16.0.0/24 192.168.0.10
The above lines instructs that IP Masquerading should be enabled from intranet to either eth1 or eth2 interfaces.
This completes the core configuration changes. Finally the shorewall.conf needs to be modified to enable shorewall, add the SNAT aliases and you can also do a minor optimization of the firewall while you are at it. The changes to shorewall.conf are as follows:
Now you are ready to go. You should set shorewall to start as a service on rebooting with:
chkconfig shorewall on
You can start it now with:
service shorewall start
Tags: Broadband, DSL, Firewall, Tata Indicom Broadband