Shorewall is a robust iptables-based firewall for Linux. This guide walks through the process of setting up Shorewall to make your plug a bit more secure.
1. SSH into your plug:
$ ssh root@<ipaddress>
2. "Fix" apt-get by creating the cache directory it expects (the stock image is missing it, and package downloads fail until it exists):
# mkdir -p /var/cache/apt/archives/partial
3. Install Shorewall:
# apt-get install shorewall
Shorewall may print a message stating that it cannot start because it is not configured. This is expected: the package ships with startup disabled, so a freshly installed firewall never comes up with an unreviewed default configuration.
4. Copy default config files:
# cp /usr/share/doc/shorewall-common/examples/one-interface/* /etc/shorewall
This copies the default shorewall config files into the correct directory.
5. Edit the config files:
Open up /etc/shorewall/rules in your favorite text editor, and add the following lines above the #LAST LINE marker at the end of the file:
ACCEPT net fw tcp 22 #ssh
ACCEPT net fw tcp 80 #http
ACCEPT net fw tcp 10001 #tonido
The columns are ACTION, SOURCE zone, DEST zone, PROTO and DEST PORT: each line accepts inbound TCP connections from the net zone to the firewall itself (fw) on port 22 (SSH), 80 (HTTP) and 10001 (Tonido). The one-interface sample policy drops everything else arriving from the net, so only these three services are reachable. Note that this opens SSH to the whole Internet; the SOURCE column can be narrowed to a zone plus an address range if you only need SSH from your LAN.
Save the file and exit. Next, open /etc/shorewall/shorewall.conf and look for STARTUP_ENABLED and set it to Yes.
STARTUP_ENABLED=Yes
Save the file, exit, and open /etc/default/shorewall and find the line that says startup and set it to 1.
startup=1
Save the file. Both settings are needed: STARTUP_ENABLED=Yes tells Shorewall itself that it is allowed to start (this is the safeguard that produced the message in step 3), and startup=1 lets the init script start it at boot.
6. Start Shorewall:
# /etc/init.d/shorewall start
And you’re done!
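The whole procedure (steps 2 to 6) as one script, added here as an example and not code from the original post. It goes a little beyond the post: SSH is limited to the LAN, the rules are inserted above the #LAST LINE marker that Shorewall's sample files end with, and the configuration is validated with shorewall check before it is started. The LAN range 192.168.1.0/24 and the script name harden-plug.sh are assumptions; the example file location is the one the post's cp command uses.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 2-6 as one
# non-interactive script. Beyond the post it (a) limits SSH to the LAN,
# (b) inserts the rules above Shorewall's "#LAST LINE" marker, and
# (c) runs `shorewall check` so a broken config never reaches `start`.
# Assumptions not stated on the page: the LAN is 192.168.1.0/24 and the
# sample files live where the post's cp command says.
set -eu

EXAMPLES=/usr/share/doc/shorewall-common/examples/one-interface
CONF_DIR=/etc/shorewall
LAN=${LAN:-192.168.1.0/24}   # assumed LAN range; override with LAN=...

# set_kv FILE KEY VALUE: replace an existing KEY=... line or append one.
# Used for STARTUP_ENABLED in shorewall.conf and startup in
# /etc/default/shorewall. Avoids `sed -i` so it also works with BSD sed.
set_kv() {
    file=$1 key=$2 value=$3
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$file.new"
        mv "$file.new" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# The rules to add. Columns: ACTION SOURCE DEST PROTO DPORT. The sample
# policy drops net->fw, so only what is listed here is reachable from net.
rules_block() {
    cat <<EOF
# ssh only from the LAN (assumed $LAN); web and Tonido from anywhere
ACCEPT  net:$LAN  fw  tcp  22     # ssh
ACCEPT  net       fw  tcp  80     # http
ACCEPT  net       fw  tcp  10001  # tonido
EOF
}

# add_rules FILE: insert rules_block above the "#LAST LINE" marker that
# Shorewall sample files end with, or append it if there is no marker.
add_rules() {
    file=$1
    if grep -q '^#LAST LINE' "$file"; then
        awk -v block="$(rules_block)" \
            '/^#LAST LINE/ { print block } { print }' "$file" > "$file.new"
        mv "$file.new" "$file"
    else
        rules_block >> "$file"
    fi
}

# Everything that touches the running system, in the order of the post.
apply() {
    mkdir -p /var/cache/apt/archives/partial          # step 2
    apt-get install -y shorewall                      # step 3
    cp "$EXAMPLES"/* "$CONF_DIR"/                     # step 4
    add_rules "$CONF_DIR/rules"                       # step 5
    set_kv "$CONF_DIR/shorewall.conf" STARTUP_ENABLED Yes
    set_kv /etc/default/shorewall startup 1
    shorewall check                                   # validate before starting
    /etc/init.d/shorewall start                       # step 6
}

# Only modify the system when invoked as: sh harden-plug.sh apply
if [ "${1:-}" = apply ]; then
    apply
fi
```

If you administer the plug from outside the LAN, drop the net:$LAN qualifier on the SSH rule (the post's unrestricted rule) or the firewall will cut off your own session when it starts. The shorewall check step is the one worth keeping even if you do everything else by hand: a typo in the rules file is caught before the firewall is loaded rather than after.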
Here are a few additional ports you may want to open. To open them, add a line for the port to /etc/shorewall/rules in the same format as above:
21 -> ftp
8000 -> Icecast
10000 -> Webmin
Think twice before exposing FTP (credentials travel in cleartext) or Webmin (full administrative access to the box) to the net zone; if you need them, limit the SOURCE column to your LAN.
Be sure to restart shorewall after you add any of these:
# /etc/init.d/shorewall restart
Enjoy.