HOWTO setup a small server
Shorewall (Packet Filter Configurator)
Motivation
It is always a good idea to install a packet filter, mainly for these reasons:
- access to misconfigured services, or to services whose configuration is not yet finished, can be blocked.
- some services might not provide adequate access control options.
- even if access to a service can be configured in each service, a packet filter will block access from "bad" sources as early as possible. "Bad" packets receive minimal processing, so possible security holes in the service are less likely to be exploited.
Installation
I recommend installing Shorewall:
# apt-get install shorewall
Configuration
To configure Shorewall on a server with a single NIC, copy the example files to the configuration directory:
# cp -R /usr/share/doc/shorewall-common/examples/one-interface/* \
    /etc/shorewall/
# gunzip /etc/shorewall/shorewall.conf.gz
Make sure that the interface name of the net zone in /etc/shorewall/interfaces is identical to the external interface of your box. As the external interface has a static IP, you can disable DHCP support (unless you plan to run a DHCP server): remove the option dhcp from the options list of the net zone in the same file.
Finally you will have to enable Shorewall by setting two variables:
Excerpt: /etc/shorewall/shorewall.conf
STARTUP_ENABLED=Yes
Excerpt: /etc/default/shorewall
startup=1
You can start, stop, or restart Shorewall with:
shorewall start|stop|restart
Remote Shell Access
In case you are connected remotely, do not forget to permit the corresponding traffic before starting Shorewall, e.g. for SSH, add the following to the configuration:
Excerpt: /etc/shorewall/rules
# SSH
#
ACCEPT net $FW tcp 22
#
and restart the packet filter:
# shorewall restart
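As an added example (not part of the original HOWTO), a pre-flight script that verifies the points above before you restart the packet filter from a remote session: the net zone's interface name and the absence of the dhcp option, the SSH rule, and STARTUP_ENABLED. It assumes the four-column interfaces format of the one-interface example and builds a constructed sample directory in place of /etc/shorewall.

```shell
#!/bin/sh
# Pre-flight checks before (re)starting Shorewall on a remotely administered box.
# Each check takes the configuration directory and returns 0 on success.

# The net zone in $1/interfaces must use interface $2 and must not carry the
# dhcp option (options are comma-separated, in the 3rd column or later).
check_net_interface() {
    awk -v want="$2" '
        /^#/ { next }
        $1 == "net" { seen = 1
            if ($2 != want) bad = 1
            for (i = 3; i <= NF; i++) { n = split($i, o, ",")
                for (j = 1; j <= n; j++) if (o[j] == "dhcp") bad = 1 } }
        END { exit (seen && !bad) ? 0 : 1 }' "$1/interfaces"
}

# $1/rules must allow SSH (tcp/22) from net to the firewall itself ($FW).
check_ssh_rule() {
    awk '/^#/ { next }
         $1 == "ACCEPT" && $2 == "net" && $3 == "$FW" && $4 == "tcp" && $5 == "22" { ok = 1 }
         END { exit ok ? 0 : 1 }' "$1/rules"
}

# $1/shorewall.conf must enable startup.
check_startup_enabled() {
    grep -qx 'STARTUP_ENABLED=Yes' "$1/shorewall.conf"
}

# All checks must pass before "shorewall restart" is safe from a remote session.
preflight() {
    check_net_interface "$1" "$2" && check_ssh_rule "$1" && check_startup_enabled "$1"
}

# Constructed sample configuration in a temporary directory (not /etc/shorewall).
make_sample() {
    dir=$(mktemp -d)
    printf '%s\n' '#ZONE INTERFACE BROADCAST OPTIONS' \
        'net eth0 detect tcpflags,routefilter,logmartians' > "$dir/interfaces"
    printf '%s\n' '# SSH' 'ACCEPT net $FW tcp 22' > "$dir/rules"
    printf '%s\n' 'STARTUP_ENABLED=Yes' > "$dir/shorewall.conf"
    echo "$dir"
}

sample=$(make_sample)
if preflight "$sample" eth0; then echo "preflight OK: safe to run 'shorewall restart'"
else echo "preflight FAILED: fix the configuration before restarting"; fi
rm -rf "$sample"
```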