= Iptables with shorewall!
Apostolos <rootApostolos@swarmlab.io>
// Metadata:
:description: Intro and Install
:keywords: sec, tcpdump
:data-uri:
:toc: right
:toc-title: Πίνακας περιεχομένων
:toclevels: 4
:source-highlighter: highlight
:icons: font
:sectnums:

include::header.adoc[]

{empty} +

[[cheat-Docker]]
== Install swarmlab-sec (Home PC)

HowTo: See http://docs.swarmlab.io/lab/sec/sec.adoc.html

.NOTE
[NOTE]
====
Assuming you're already logged in
====

== shorewall

**Shorewall** is an open source firewall tool for Linux that builds upon the Netfilter (iptables/ipchains) system built into the Linux kernel, making it easier to manage more complex configuration schemes by providing a higher level of abstraction for describing rules using text files.

https://en.wikipedia.org/wiki/Shorewall[More: wikipedia]

=== Installation

Shorewall is already installed on swarmlab-sec.

== Basic Two-Interface Firewall

image::basics.png[Basic Two-Interface Firewall]

.connect to master first
[NOTE]
====
Assuming you're already logged in master!

master is now our Firewall/Router

swarmlab-sec login
====

== Shorewall Concepts

The configuration files for Shorewall are contained in the directory /etc/shorewall.

=== zones — Shorewall zone declaration file

The /etc/shorewall/zones file declares your network zones. You specify the hosts in each zone through entries in /etc/shorewall/interfaces.

./etc/shorewall/zones
[source,bash]
----
#ZONE   TYPE       OPTIONS   IN_OPTIONS   OUT_OPTIONS
fw      firewall
net     ipv4
loc     ipv4
----

=== interfaces — Shorewall interfaces file

The interfaces file serves to define the firewall's network interfaces to Shorewall.
./etc/shorewall/interfaces
[source,bash]
----
#ZONE   INTERFACE   BROADCAST          OPTIONS
net     eth0        dhcp,routefilter
loc     eth1        detect
----

=== policy — Shorewall policy file

This file defines the high-level policy for connections between zones.

./etc/shorewall/policy
[source,bash]
----
#SOURCE   DEST   POLICY   LOGLEVEL   LIMIT
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
----

=== rules — Shorewall rules file

Entries in this file govern connection establishment by defining exceptions to the policies.

./etc/shorewall/rules
[source,bash]
----
#ACTION   SOURCE   DEST   PROTO   DPORT
ACCEPT    $FW      net    udp     53
ACCEPT    net      $FW    udp     53
ACCEPT    $FW      net    tcp     80
ACCEPT    net      $FW    tcp     80
----

:hardbreaks:
{empty} +
{empty} +
{empty}
:!hardbreaks:

'''

.Reminder
[NOTE]
====
:hardbreaks:
Caminante, no hay camino, se hace camino al andar.
Wanderer, there is no path, the path is made by walking.

*Antonio Machado*
Campos de Castilla
====
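As an added example (not part of this page or of Shorewall itself), the Python script below replays the first-match evaluation Shorewall applies to the policy and rules files shown above: the rules file is consulted first, then the policy file top to bottom, with `all` matching any zone and `$FW` standing for the zone declared with TYPE firewall (`fw`). It assumes nothing beyond the three zones and the two files on this page.

```python
# Added example: first-match evaluator for the Shorewall policy and rules files above.
# Constructed for illustration, not Shorewall code; ignores state tracking, macros, logging.

POLICY = """\
#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
net all DROP info
all all REJECT info
"""

RULES = """\
#ACTION SOURCE DEST PROTO DPORT
ACCEPT $FW net udp 53
ACCEPT net $FW udp 53
ACCEPT $FW net tcp 80
ACCEPT net $FW tcp 80
"""

FW_ZONE = "fw"  # the zone declared with TYPE firewall in /etc/shorewall/zones

def parse_table(text):
    """Split a Shorewall column file into token lists, skipping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def zone_matches(pattern, zone):
    """'all' matches every zone; '$FW' is shorthand for the firewall zone."""
    return pattern == "all" or pattern.replace("$FW", FW_ZONE) == zone

def decide(src, dst, proto, dport):
    """Verdict for a NEW connection: first matching rule, else first matching policy."""
    for action, r_src, r_dst, r_proto, r_port in parse_table(RULES):
        if (zone_matches(r_src, src) and zone_matches(r_dst, dst)
                and r_proto == proto and r_port == str(dport)):
            return action, "rules"
    for row in parse_table(POLICY):
        p_src, p_dst, policy = row[:3]
        if zone_matches(p_src, src) and zone_matches(p_dst, dst):
            return policy, "policy"
    raise ValueError("no policy matched: Shorewall needs a catch-all 'all all' policy")

if __name__ == "__main__":
    for conn in [("loc", "net", "tcp", 443), ("net", "fw", "tcp", 80),
                 ("net", "fw", "tcp", 22), ("loc", "fw", "tcp", 22)]:
        print(conn, "->", decide(*conn))
```

Running it shows that with these files a new connection from `loc` to the firewall itself (for example tcp/22) falls through to the `all all REJECT` line, so administrative access from the LAN needs its own ACCEPT rule or a `loc $FW` policy entry.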