UFW [Link] is my recommendation for Firewall on Linux.

The firewalls will basically create rules on the IPTables and NetFilter. UFW makes it very simple to set up, maintain, and visualize those rules.

UFW Install

sudo apt update
sudo apt install ufw -y

UFW Basics

sudo ufw status
sudo ufw status numbered
sudo ufw delete 5
sudo ufw enable
sudo ufw disable
sudo ufw limit 22
sudo ufw limit ssh
sudo ufw allow 80
sudo ufw allow http
sudo ufw allow 60000:65000/tcp comment "Port Range"
sudo ufw deny 80
sudo ufw delete deny 80

UFW Expressions

sudo ufw allow proto tcp from 10.10.10.1 to 20.20.20.2 port 80
sudo ufw allow proto tcp from any to any port 80,443
sudo ufw deny out 21
sudo ufw deny out from 10.10.10.1
sudo ufw deny out from 10.10.10.1 to any port 21
sudo ufw deny in on eth0 from 10.10.10.1
sudo ufw deny in on eth0 from 10.10.10.0/24

Shorewall [Link] is another open-source firewall that manipulates the IPTables to apply the desired rules.

It seems to be more popular on RedHat / CentOS and its usage is much more complicated through configuration files.

Shorewall Install

sudo apt update
sudo apt install shorewall shorewall-init -y

Shorewall Configuration

The configuration directory /etc/shorewall/ comes not configured and based on what type of firewall will be implemented copy the examples file from the documentation directory:

sudo cp /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall/
sudo cp /usr/share/doc/shorewall/examples/two-interfaces/* /etc/shorewall/
sudo cp /usr/share/doc/shorewall/examples/three-interfaces/* /etc/shorewall/

For the case of two interfaces, where the Shorewall will not be standalone but will route traffic between LAN and WAN.

Define the zones

sudo nano /etc/shorewall/zones

See the following lines:

fw firewall
net ipv4
loc ipv4
  • net is the WAN (e.g. Internet)
  • loc is the LAN (e.g. Local)

Configure the interfaces

sudo nano /etc/shorewall/interfaces

Shall look like:

net          NET_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
loc          LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1

Set up the policies

sudo nano /etc/shorewall/policy

To allow traffic from LAN-to-WAN but refuse traffic from WAN-to-LAN the policy must look like the following:

loc          net          ACCEPT
net          all          DROP            $LOG_LEVEL
all          all          REJECT          $LOG_LEVEL

Manage the rules

sudo nano /etc/shorewall/rules

By default the rules are:

######################################################################################################################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME            HEADERS         SWITCH          HELPER
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

#       Don't allow connection pickup from the net
Invalid(DROP)   net             all             tcp

#       Accept DNS connections from the firewall to the network
DNS(ACCEPT)     $FW             net

#       Accept SSH connections from the local network for administration
SSH(ACCEPT)     loc             $FW

#       Allow Ping from the local network
Ping(ACCEPT)    loc             $FW

# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP)      net             $FW
ACCEPT          $FW             loc             icmp
ACCEPT          $FW             net             icmp

Port Forwarding

DNAT            net             loc:10.0.0.1       tcp    80

Note: it will listen and forward to the same port 80.

DNAT            net             loc:10.0.0.1:80    tcp    8080

Note: it will listen on port 8080 but will forward to port 80.