15. Configuring a gateway server

To set up Calculate Directory Server as a gateway, use Shorewall. Shorewall or, to be more precise, Shoreline Firewall is a tool designed for setting up a firewall (a network screen). Technically it is a superstructure above the Netfilter subsystem (iptables/ipchains) of the Linux kernel and supports simplified methods of configuring for the said subsystem. It provides a higher abstraction level for describing the firewall rules.

This program is not a daemon; that is, it is not running permanently. The rules are stored in text files. When you launch Shorewall, it reads its configuration files and transforms them into settings that ipchains/iptables will be able to recognize. These firewall settings can then operate until the OS reboots.

Software to be installed

net-firewall/shorewall

If you want to include examples and documentation, compile this package with the doc USE flag.

Packages adding new functionality

  • net-firewall/xtables-addons - extensions not yet accepted in kernel/iptables (to recognize the P2P traffic)
  • net-misc/l7-filter-userspace - classifies packages by contents (to recognize the traffic by its contents)
  • net-misc/linux-igd - adds UPnP functionality

Firewall settings

  • Zones

Shorewall considers the network it is running in as a set of zones. That is why you should begin configuring it by defining one or more zones in the file /etc/shorewall/zones. Zones are isolated IP addresses of hosts, subnetworks or incoming/outcoming packages for an interface. They may belong to an external network, to the local network or to DMZ.

  • Interfaces

Zones are recognized either by the network interface, defined in /etc/shorewall/interfaces, or by the IP address of the subnet specified in /etc/shorewall/hosts. One zone may have several interfaces, while one interface may correspond to several zones. Note that Shorewall handles the firewall system as its own zone.

  • Actions

Once the zones defined, you must set the default action in /etc/shorewall/policy (for instance, ACCEPT or DROP) that will be applied to traffic between each initial zone and destination zone.

  • Policies

Finally, in /etc/shorewall/rules you will define policy exceptions in detail, allowing access to the specified ports, etc.

Declaring zones

You can declare zones in the /etc/shorewall/zones file. To declare a zone, you will need its name (ZONE) and type (TYPE) (firewall for the firewall zone, ipv4 for the standard zone).

Pay attention to the order in which the zones are described.

Thank you!