by lunarg on June 3rd 2010, at 20:03

Linux has always been a strong player in internetworking, thanks to a very advanced networking stack. In addition, the filtering capabilities provided by Netfilter are surpassed only by a very select group of devices. It is no surprise that a lot of firewalls and internet gateways out there run this powerful combination.
Detailing the features of Linux as a firewall/internet gateway would take up an entire article, so I'm not going to elaborate on it. Suffice it to say that whatever setup you can think of, the Linux + Netfilter combination can probably handle it. Worst case, there are third-party applications (Squid as a web proxy and content filter, for instance) that fill in the blanks nicely.
As a side note, Linux is not the only UNIX-like OS with these features. BSD-based systems have similar capabilities and are also usable as stable and powerful internet gateways.

The less pleasant part of Linux is that, as with a plain Linux install in general, you need advanced knowledge of how Linux and Netfilter work before you can use them properly. Luckily, there are a whole lot of guidelines and helper applications that can aid you in that. While there are plenty of front-ends and web interfaces available, in my experience only one sticks out: Shoreline Firewall, or in short: Shorewall.

Shorewall is not a web-based front-end (although there are web interfaces that can manage Shorewall's configuration); it uses its own setup in the form of logically structured configuration files. These files are parsed by the Shorewall compiler, and the result is then executed and applied to Netfilter.
Because of this approach, you do not necessarily have to learn the complexities of the iptables command (the official control tool of Netfilter) in order to set up complex filtering tasks. Network admins only have to learn Shorewall's configuration parameters, which are very simple for basic tasks and moderately complex for more advanced setups.

This article does not pretend to be a full howto for setting up a Linux firewall. If that is what you want, there are plenty of other howtos on the internet that can do that. This article is meant as a reference guide for those who are familiar with Linux and firewalling. If you've never used Shorewall before but are adept at setting up firewalls, you should be good to go. If not, then this is probably not what you're looking for.

Also, do note that this is a work in progress. As I document things I try out with Shorewall, I'm adding them to this article. We will start with a basic firewall configuration and then build on that.


Aside from your working knowledge of networking and firewalls (along with a grasp of the concepts and symbols that go with it), you will need a computer able to run Linux, with at least two network cards. Additionally, you need one or more internet connections (depending on the setup) and a workstation to emulate the LAN portion of the setup.


Like I said before, this is not a guide for setting up Shorewall in the strictest sense. The installation manual of Shorewall can be found on their site at The installation may vary with the distribution of Linux, but it usually boils down to:

  1. Installing the compiler;
  2. Installing the common files (containing sample configurations, macros, etc.);
  3. Configuring your Shorewall through the files in the configuration directory (defaults to /etc/shorewall).
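As an added example (not from the original article) of what step 3 looks like, here is a minimal two-interface gateway: the internet on eth0, a LAN on eth1 using 10.0.0.0/24 with NAT, and only SSH and ping to the gateway allowed from the LAN. The interface names and the address range are assumptions; everything else is standard Shorewall syntax of that era.

```conf
# /etc/shorewall/shorewall.conf (only the settings that matter here)
STARTUP_ENABLED=Yes
IP_FORWARDING=On

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces (eth0/eth1 are assumed; the options add
# anti-spoofing, TCP flag sanity checks and logging of bogus sources)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians

# /etc/shorewall/policy (first match wins: the LAN and the firewall may
# go out, anything from the internet is dropped and logged, and whatever
# is left is rejected and logged)
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq (NAT for the assumed LAN range leaving on eth0;
# Shorewall 5 supersedes this file with /etc/shorewall/snat)
#INTERFACE  SOURCE
eth0        10.0.0.0/24

# /etc/shorewall/rules (exceptions to the policies; SSH and Ping are
# macros shipped with Shorewall)
#ACTION      SOURCE  DEST
SECTION NEW
Ping(DROP)   net     $FW
Ping(ACCEPT) loc     $FW
SSH(ACCEPT)  loc     $FW
```

`shorewall check` lets the compiler validate these files before `shorewall start` applies them; the `info`-level DROP/REJECT log entries are the first place to look when something unexpected is blocked or probed.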

Furthermore, any additional requirements are listed at the beginning of each "task" that is performed. Any network admin should have no problem determining them, though ... ;-)


Feedback on this article is very welcome. If you see errors or have valuable additions you'd like to contribute, please don't hesitate to add them in the comments. I'm always open to suggestions to improve the article (and my own skills).

Do note that I'll ignore questions about how obvious things are done with Shorewall. While I understand that this may not be the easiest material, I simply do not have the time to solve each and every problem, especially when it's about subjects that should be general knowledge to network admins, and about things that can be found elsewhere. Shorewall's website has very good documentation, so you're bound to find your answer there. If not, there are still the Shorewall mailing lists and many forums on the internet. Nothing prevents others from responding to your questions, though.