Questions tagged [shorewall]

high-level tool for configuring the Linux Netfilter packet filter

The Shoreline Firewall, more commonly known as “Shorewall”, is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and, with the help of the iptables, iptables-restore, ip and tc utilities, configures Netfilter and the Linux networking subsystem to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.

95 questions
17 votes, 7 answers

Docker & Shorewall

I'm using Shorewall on my server as a simple standalone firewall and would like to use Docker as well. By using a Docker container and its port redirection, Docker sets up its own iptables rules/chains which will be killed if Shorewall is restarted. So…
jaltek
6 votes, 1 answer

multiple IP addresses bound - which one is used for outgoing packets?

Using IP aliasing, a Linux box has bound multiple IP addresses from the same subnet on the same NIC. So ifconfig shows device eth0 with , eth0:1 with and eth0:2 with . How does Linux determine the IP source address used for outgoing IP traffic?…
5 votes, 2 answers

Shorewall: logging to custom file

I am running an Ubuntu Server 14.04 system with a shorewall firewall. Shorewall is essentially a front end to iptables, and it is iptables that does the logging via Netfilter (my understanding so far). My problem is that I can't make sense of the…
derabbink
4 votes, 1 answer

Using knockd with shorewall

I'd like to migrate my old pure iptables firewall configuration to a shorewall setup. I get the basics, but I haven't been able to replicate my existing knockd setup: I have a 'tmpknock' chain that opens some ports, e.g. port 22, for 30 seconds…
Chris Lercher
3 votes, 1 answer

Shorewall blocks openvpn traffic

I have one root server and two clients. The root server has a static IP address and runs Debian Linux. My clients are Mac OS X and Debian Linux with dynamic IP addresses. From my clients I can open a VPN connection, but the traffic is blocked by…
3 votes, 1 answer

Configuring Shorewall for routed OpenVPN

I have an Ubuntu Server 14.04 machine that serves as a NAT router. The routing is achieved using Shorewall, mostly in line with this tutorial. The LAN has the subnet 10.0.0.0/24. On this machine I also want to run an OpenVPN server, which listens on…
derabbink
3 votes, 1 answer

How can I whitelist outbound-from-private-subnet traffic to S3 on the NAT instance of an EC2 VPC?

I'm researching privacy-compliant high-security deployment options for AWS VPC. I'm looking for a method of tightening outbound traffic from the private subnets at the NAT instance. For example, how could I limit outbound traffic from behind the…
3 votes, 1 answer

Bridge and OpenVPN with shorewall

I have this scenario and everything is working OK, but I want to configure my Shorewall and I can't do it. My interfaces are: br0 (bridge of eth0), tun0 (OpenVPN), vnet* (each one of the bridged interfaces with public IPs). Public Main IP:…
blacksoul
3 votes, 2 answers

Prevent a single host from consuming entire bandwidth?

We have a Linux router providing internet connectivity to several PCs. It's currently using Shorewall to help make the iptables setup easier. Is there a way I can set it such that any individual host is prevented from using the entire line? I'm…
davr
3 votes, 3 answers

What is better for an IP ban? At firewall (shorewall) level, or at IIS level?

I have a spambot that likes to spam my websites. I mailed abuse@isp, but he ignored me. Attacks always come from the same IP, and I used IISIP to add the spammer IP to all of my websites. I am wondering, since I am using a Linux box with…
Magnetic_dud
2 votes, 3 answers

Shorewall with docker

I'm trying to enable Docker support in Shorewall (version 5.1.3.2). I've followed the guide http://shorewall.org/Docker.html. However, when I try to start Shorewall I get the following error: * Starting shorewall ...iptables-restore v1.6.1: Couldn't…
alem0lars
2 votes, 4 answers

How to block specific websites in a small office without hardware firewall?

We have a small office setup of fewer than 100 people. We have 2 ISP connections which come into a load balancer and from there to a Linux firewall, i.e. Shorewall. From Shorewall it goes to switches and from the switches to the local LAN. Now my question is…
RjV
2 votes, 1 answer

Shorewall: VPN clients can access LAN resources, but not the Internet

I set up a network in my studio's office with a Raspberry Pi serving as a VPN server for remote clients to access LAN resources. The router port-forwards port 1194 to the RPi, so it's accessible from the Internet. After some time, I successfully set up…
Terzalo
2 votes, 1 answer

How do I configure routing for an IPSEC tunnel between Openswan and RouterOS

I am trying to create a site-to-site VPN between a Linux router that runs Openswan and Shorewall (host A, serving subnet 10.10.0.0/16) and a MikroTik RouterBoard running RouterOS 6.3 (host B, serving 192.168.88.0/24). The IPSEC tunnel itself seems…
dorian
2 votes, 3 answers

Can't resolve issue: iptables: No chain/target/match by that name

So I am trying to set up the Shorewall firewall on my Linux VPS. The VPS is running Ubuntu 12.10. When I type $ shorewall check I get this error: iptables: No chain/target/match by that name. ERROR: Log level INFO requires LOG Target in your kernel…
user186639