HOWTO setup a small server

Shorewall (Packet Filter Configurator)


It is always a good idea to install a packet filter, for three reasons:

  1. access to misconfigured services, or to services whose configuration is not yet finished, can be blocked at the network layer.
  2. some services do not provide adequate access control options of their own.
  3. even if access to a service can be restricted in the service itself, a packet filter rejects traffic from “bad” sources as early as possible. Unwanted packets receive minimal processing and never reach the service, so potential security holes in it cannot be exploited from those sources.


I recommend installing Shorewall:

# apt-get install shorewall


To configure Shorewall on a server with a single NIC, copy the example files for the one-interface setup to the configuration directory /etc/shorewall and unpack the compressed main configuration file:

# cp -R /usr/share/doc/shorewall-common/examples/one-interface/* /etc/shorewall/
# gunzip /etc/shorewall/shorewall.conf.gz

Make sure that the interface name given for the net zone in /etc/shorewall/interfaces matches the external interface of your box (compare with the output of ip link). As the external interface has a static IP, you can disable DHCP support unless you plan to run a DHCP server: remove the option dhcp from the OPTIONS list of the net zone in the same file.

Finally, enable Shorewall by setting one variable in each of two files. Both default to "off" so that a freshly installed, unconfigured Shorewall cannot be started by accident:

Excerpt: /etc/shorewall/shorewall.conf

STARTUP_ENABLED=Yes

Excerpt: /etc/default/shorewall

startup=1

You can start, stop, or restart Shorewall with:

shorewall start|stop|restart

Remote Shell Access

If you are connected remotely, permit the corresponding traffic before starting Shorewall: the one-interface example ships with a policy of net all DROP, so without an explicit rule your own session is the first thing the packet filter cuts off. For SSH, add the following to the configuration:

Excerpt: /etc/shorewall/rules

ACCEPT		net		$FW		tcp	22

and restart the packet filter:

# shorewall restart
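The steps above (staging the one-interface files, dropping the dhcp option, keeping an SSH rule) and the lock-out warning can be combined into one script. The following is an added example, not part of the original HOWTO or of the Shorewall project: it writes a complete one-interface configuration into a scratch directory, refuses to activate it unless the rules file admits tcp/22 from the net zone, and then activates it with Shorewall's own shorewall check and shorewall try commands. The staging directory /root/shorewall-staging, the interface name eth0 and the assumption that sshd listens on port 22 are illustrative; the file contents mirror Shorewall's one-interface example.

```shell
#!/bin/sh
# Added example (not from the HOWTO): stage, sanity-check and trial-run a
# one-interface Shorewall configuration without risking a remote lock-out.

# Write zones, interfaces, policy and rules into directory $1 for external
# interface $2 (assumed eth0 when not given).
stage_config() {
    dir="$1"
    iface="${2:-eth0}"
    mkdir -p "$dir" || return 1

    # zones: the firewall itself plus the Internet-facing zone
    printf '%s\n' \
        '#ZONE   TYPE' \
        'fw      firewall' \
        'net     ipv4' > "$dir/zones"

    # interfaces: static address on the box, so the dhcp option is left out
    printf '%s\n' \
        '#ZONE   INTERFACE   BROADCAST   OPTIONS' \
        "net     $iface      detect      tcpflags,logmartians,nosmurfs" > "$dir/interfaces"

    # policy: the box may talk out; unsolicited traffic from the net is dropped
    printf '%s\n' \
        '#SOURCE DEST    POLICY  LOG_LEVEL' \
        '$FW     net     ACCEPT' \
        'net     all     DROP    info' \
        'all     all     REJECT  info' > "$dir/policy"

    # rules: the one exception that keeps a remote admin session alive
    printf '%s\n' \
        '#ACTION SOURCE  DEST    PROTO   DEST_PORT(S)' \
        'ACCEPT  net     $FW     tcp     22' > "$dir/rules"
}

# Return 0 if the staged rules admit tcp/22 from net to the firewall.
# Only the literal form used in this HOWTO is recognised; a macro such as
# SSH(ACCEPT) or a different sshd port would need the pattern adjusted.
admits_ssh() {
    grep -Eq '^ACCEPT[[:space:]]+net[[:space:]]+\$FW[[:space:]]+tcp[[:space:]]+22([[:space:]]|,|$)' "$1/rules"
}

# Validate the staged directory with 'shorewall check' and then run it with
# 'shorewall try DIR 60': Shorewall loads the staged files for 60 seconds
# and then falls back to the standard /etc/shorewall configuration, so a
# ruleset that kills your SSH session heals itself. If the session survives,
# copy the staged files to /etc/shorewall and 'shorewall restart'.
activate() {
    dir="$1"
    if ! admits_ssh "$dir"; then
        echo "refusing to activate: no SSH rule in $dir/rules" >&2
        return 1
    fi
    if ! command -v shorewall >/dev/null 2>&1; then
        echo "shorewall not installed; configuration staged in $dir only" >&2
        return 0
    fi
    shorewall check "$dir" && shorewall try "$dir" 60
}

# Usage on the server, as root:  sh ./stage-shorewall.sh run
if [ "${1:-}" = "run" ]; then
    stage_config /root/shorewall-staging eth0
    activate /root/shorewall-staging
fi
```

The point of the admits_ssh guard is that the policy file turns every unlisted port into a silent drop, so the script treats a missing SSH rule as an error rather than something to notice after the session hangs. Once the trial period has passed and you are still logged in, the staged files become the real configuration by copying them into /etc/shorewall.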
