Rich Dougherty rd.nz

Simple Shorewall config on Ubuntu server

Here are the steps I used to configure a simple Shorewall firewall on Ubuntu Lucid (10.04). The firewall provides SSH and web server access only; all other ports are blocked.

  1. Install the Shorewall firewall. Version 4.4.x was available on Lucid at the time of writing.

    sudo apt-get install shorewall
    
  2. Back up the original configuration, just in case.

    sudo cp -p /etc/shorewall/shorewall.conf /etc/shorewall/shorewall.conf.orig
    
  3. Copy the provided configuration for a single-interface machine.

    sudo cp -p /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall/
    
  4. Add rules to allow SSH and web access.

    sudo nano /etc/shorewall/rules
    

    Changes:

    SSH(ACCEPT)     net             $FW
    Web(ACCEPT)     net             $FW
    
  5. Edit Shorewall config to allow the firewall to start.

    sudo nano /etc/shorewall/shorewall.conf
    

    Changes:

    STARTUP_ENABLED=Yes
    
  6. Edit Ubuntu’s Shorewall config to allow the firewall to start.

    sudo nano /etc/default/shorewall
    

    Changes:

    startup=1
    
  7. Start the firewall.

    sudo /etc/init.d/shorewall start
    
  8. Observe the new rules.

    sudo /sbin/iptables -L
    
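Once the rules are in place it is worth checking that the rules file really opens nothing beyond SSH and web. The script below is an added example, not part of the original post: it parses a Shorewall 4.4 rules file in the format used in step 4 and lists any ACCEPT from `net` to `$FW` that is not SSH or Web. The sample file, including the extra MySQL line it is meant to flag, is constructed, and the SECTION handling assumes the layout of the one-interface example.

```python
import re
from typing import List, Tuple

# Constructed sample of the finished /etc/shorewall/rules (not the post's own
# file): the one-interface layout, the two rules added in step 4, and one extra
# ACCEPT line that the audit should flag.
SAMPLE_RULES = """\
#ACTION         SOURCE          DEST            PROTO   DEST
SECTION ESTABLISHED
SECTION RELATED
SECTION NEW
SSH(ACCEPT)     net             $FW
Web(ACCEPT)     net             $FW
Ping(DROP)      net             $FW      # not an ACCEPT, so never reported
ACCEPT          net             $FW             tcp     3306
"""

# A macro invocation looks like SSH(ACCEPT): macro name, then the action in parens.
MACRO_RE = re.compile(r"^(?P<macro>\w+)\((?P<action>[A-Z_+!]+)\)$")


def parse_rules(text: str) -> List[Tuple[str, str, str, str]]:
    """(label, action, source, dest) for each rule in the NEW section.
    label is the macro name (SSH, Web, ...) or, for a plain action such as
    ACCEPT, the PROTO/PORT columns. Comments, blank lines and SECTION markers
    are skipped; rules before SECTION NEW only match existing connections."""
    rules, in_new = [], True  # no SECTION line at all: every rule is NEW
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lstrip("?") == "SECTION" and len(parts) > 1:
            in_new = parts[1] == "NEW"
            continue
        if not in_new or len(parts) < 3:
            continue
        m = MACRO_RE.match(parts[0])
        if m:
            rules.append((m.group("macro"), m.group("action"), parts[1], parts[2]))
        else:
            label = "/".join(parts[3:5]) if len(parts) >= 5 else parts[0]
            rules.append((label, parts[0], parts[1], parts[2]))
    return rules


def unexpected_accepts(text: str, allowed=("SSH", "Web")) -> List[str]:
    """Labels accepted from the net zone into $FW that are not in allowed."""
    return sorted({label for label, action, src, dst in parse_rules(text)
                   if action == "ACCEPT" and src == "net" and dst == "$FW"
                   and label not in allowed})
```

Run `unexpected_accepts(open("/etc/shorewall/rules").read())` on the real file; an empty list means only SSH and Web are accepted from the Internet.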

More information: