cc by-sa flurdy

Shorewall configuration for AWS EC2 VPC instances

Started: February 2016. Last updated: 2nd March 2016.

This is how I set up my Shorewall firewall on AWS EC2 instances within a VPC.

I am neither a security nor a Shorewall expert, but this set up seems to work for me. It is not a replacement for AWS security groups, more a common-sense extension: a host firewall that still applies if a security group is loosened by mistake.

Install Shorewall

This assumes an Ubuntu Linux instance. Shorewall keeps its example files in the shorewall-doc package (the Debian/Ubuntu package name is singular).

sudo apt-get update && sudo apt-get upgrade;
sudo apt-get install shorewall shorewall-core shorewall-doc

Configure

/usr/share/doc/shorewall/examples contains example configurations for several scenarios. We will copy a few of the one-interface files and modify them slightly.

cd /usr/share/doc/shorewall/examples

Interfaces

The zone column is "-" because the zones are assigned by address in the hosts file below, not by interface. eth0 is the interface name on the instances this was written for; check with ip link and substitute yours if it differs.

sudo cp one-interface/interfaces /etc/shorewall/;
sudo vi /etc/shorewall/interfaces
#ZONE INTERFACE  OPTIONS
-     eth0       dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0

Zones

sudo cp one-interface/zones /etc/shorewall/;
sudo vi /etc/shorewall/zones
#ZONE     TYPE    OPTIONS   IN        OUT
#                           OPTIONS   OPTIONS

fw        firewall
net       ipv4
vpc:net   ipv4

Hosts

The vpc zone is the VPC's own address range; everything else reaching eth0 is net. Change the last row to match your VPC's CIDR block (10.69.0.0/16 is only an example; the VPC console or ec2 describe-vpcs shows yours).

sudo vi /etc/shorewall/hosts
#ZONE  HOST(S)           OPTIONS
net    eth0:0.0.0.0/0
vpc    eth0:10.69.0.0/16

Policy

Because vpc is declared as a sub-zone of net, traffic from VPC addresses is matched against the vpc rules first. CONTINUE passes anything the vpc rules did not match on to the net rules and then the net policy, so VPC traffic that no rule accepted ends up in the same DROP as internet traffic.

sudo cp one-interface/policy /etc/shorewall/;
sudo vi /etc/shorewall/policy
#SOURCE  DEST    POLICY    LOG LEVEL  LIMIT:BURST
$FW      vpc     ACCEPT
$FW      net     ACCEPT
vpc      all     CONTINUE
net      all     DROP      info
# The FOLLOWING POLICY MUST BE LAST
all      all     REJECT    info

Rules

If, for example, this is a web server, also uncomment the two Web lines, which allow traffic on ports 80 and 443. Note that nothing below accepts SSH: if you administer the instance over SSH, add SSH(ACCEPT) vpc $FW (or net $FW, or a specific bastion address) before activating, otherwise the net DROP policy cuts off your own session.

sudo cp one-interface/rules /etc/shorewall/;
sudo vi /etc/shorewall/rules
SECTION NEW

Invalid(DROP)  net   $FW   tcp

Ping(ACCEPT)   vpc   $FW
Ping(DROP)     net   $FW

Trcrt(ACCEPT)  vpc   $FW
Trcrt(DROP)    net   $FW

DNS(ACCEPT)    vpc   $FW
DNS(DROP)      net   $FW

# Web(ACCEPT)    vpc    $FW
# Web(ACCEPT)    net    $FW

ACCEPT         $FW   vpc    icmp
ACCEPT         $FW   net    icmp

Stoppedrules

Which traffic is still allowed while Shorewall is stopped (the file is stoppedrules; the older name routestopped is deprecated). These two lines fail open: with Shorewall stopped, everything in and out of eth0 is allowed and only the security groups protect the instance, so do not leave it stopped longer than necessary.

sudo cp one-interface/stoppedrules /etc/shorewall/;
sudo vi /etc/shorewall/stoppedrules
#ACTION   SOURCE   DEST   PROTO DEST      SOURCE
#                               PORT(S)   PORT(S)

ACCEPT    eth0     -
ACCEPT    -        eth0
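The whole Configure section as one script, added here as an example and not part of the original guide: it stages the files above into a scratch directory, parameterised by interface name and VPC CIDR, validates the CIDR, and compile-checks the staged directory with shorewall check <dir> (Shorewall searches that directory before /etc/shorewall) so nothing reaches /etc/shorewall until it compiles. It assumes the EC2 instance metadata paths used in vpc_cidr_from_metadata (IMDSv1 style, plain GET) and adds an SSH(ACCEPT) vpc $FW rule, which the guide's rules file does not have, so that the staged config does not lock out an SSH session.

```shell
#!/bin/sh
# Added example (not from the original guide): stage the Shorewall files from
# this page into a scratch directory and compile-check them before installing.
set -eu

# Accept only a dotted-quad IPv4 prefix such as 10.69.0.0/16.
validate_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Ask EC2 instance metadata for the VPC CIDR of the primary interface
# (assumed metadata paths; only reachable from inside an instance).
vpc_cidr_from_metadata() {
    md=http://169.254.169.254/latest/meta-data
    mac=$(curl -sf "$md/mac") || return 1
    curl -sf "$md/network/interfaces/macs/$mac/vpc-ipv4-cidr-block"
}

# Emit the hosts file for interface $1 and VPC CIDR $2.
render_hosts() {
    printf '#ZONE   HOST(S)                 OPTIONS\n'
    printf 'net     %s:0.0.0.0/0\n' "$1"
    printf 'vpc     %s:%s\n' "$1" "$2"
}

# Write the guide's files into directory $1 for interface $2 and VPC CIDR $3.
stage_config() {
    dir=$1; iface=$2; cidr=$3
    validate_cidr "$cidr" || { echo "bad VPC CIDR: $cidr" >&2; return 1; }
    mkdir -p "$dir"
    printf '#ZONE INTERFACE OPTIONS\n- %s dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0\n' \
        "$iface" > "$dir/interfaces"
    printf '#ZONE   TYPE\nfw      firewall\nnet     ipv4\nvpc:net ipv4\n' > "$dir/zones"
    render_hosts "$iface" "$cidr" > "$dir/hosts"
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST POLICY   LOG LEVEL
$FW     vpc  ACCEPT
$FW     net  ACCEPT
vpc     all  CONTINUE
net     all  DROP     info
all     all  REJECT   info
EOF
    # SSH(ACCEPT) from the VPC is this example's addition; the guide has none.
    cat > "$dir/rules" <<'EOF'
SECTION NEW
Invalid(DROP)  net  $FW  tcp
SSH(ACCEPT)    vpc  $FW
Ping(ACCEPT)   vpc  $FW
Ping(DROP)     net  $FW
DNS(ACCEPT)    vpc  $FW
DNS(DROP)      net  $FW
ACCEPT         $FW  vpc  icmp
ACCEPT         $FW  net  icmp
EOF
    # Fail-open while stopped, as in the guide: only security groups apply then.
    printf '#ACTION SOURCE DEST\nACCEPT %s -\nACCEPT - %s\n' "$iface" "$iface" \
        > "$dir/stoppedrules"
}

# Compile-check the staged directory; Shorewall reads it before /etc/shorewall.
check_stage() {
    command -v shorewall >/dev/null || { echo "shorewall not installed; skipping check" >&2; return 0; }
    sudo shorewall check "$1"
}

main() {
    dir=$1; iface=${2:-eth0}
    cidr=${3:-$(vpc_cidr_from_metadata)} || { echo "no VPC CIDR given and metadata unreachable" >&2; exit 1; }
    stage_config "$dir" "$iface" "$cidr"
    check_stage "$dir"
    echo "staged in $dir; copy into /etc/shorewall once the check passes"
}

# Usage: sh stage-shorewall.sh /tmp/shorewall-stage eth0 10.69.0.0/16
if [ $# -ge 1 ]; then main "$@"; fi
```

Run it with the staging directory, interface and VPC CIDR; if the CIDR is omitted it is read from instance metadata. Once shorewall check passes against the staged directory, copy the files into /etc/shorewall and continue with the activation steps below.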

Activate new configuration

Check configuration

Make sure there are no typos that would prevent Shorewall from starting.

sudo shorewall check

(Re)start Shorewall

sudo shorewall status

If stopped

sudo shorewall safe-start

If started

sudo shorewall safe-restart

The safe- variants ask you to confirm that the new rules work and revert to the previous state if you do not answer within the timeout (60 seconds by default), which is what saves you when a mistake locks your SSH session out of a remote instance.

Start on reboot

sudo vi /etc/default/shorewall
startup=1

Feedback

Please fork and send a pull request to correct any typos, or for useful additions.

Buy a t-shirt if you found this guide useful. Hire Ivar for short term advice or long term consultancy.

Otherwise contact flurdy. Especially for things factually incorrect. Apologies for procrastinated replies.