UFW [Link] is my recommendation for a firewall on Linux.
Both UFW and Shorewall are front ends: they generate iptables rules, which the kernel's Netfilter framework enforces. UFW makes it very simple to set up, maintain, and inspect those rules.
UFW Install
sudo apt update
sudo apt install ufw -y
UFW Basics
sudo ufw status                                      # show the current rules
sudo ufw status numbered                             # same, with rule numbers for deletion
sudo ufw delete 5                                    # delete rule number 5 from the numbered list
sudo ufw enable                                      # turn the firewall on (persists across reboots)
sudo ufw disable
sudo ufw limit 22                                    # allow SSH but rate-limit repeated connection attempts from one IP
sudo ufw limit ssh                                   # same rule, using the service name from /etc/services
sudo ufw allow 80
sudo ufw allow http
sudo ufw allow 60000:65000/tcp comment "Port Range"  # a port range requires the protocol
sudo ufw deny 80
sudo ufw delete deny 80                              # delete a rule by repeating it after "delete"
UFW Expressions
sudo ufw allow proto tcp from 10.10.10.1 to 20.20.20.2 port 80   # one host to one host, TCP/80
sudo ufw allow proto tcp from any to any port 80,443             # several ports in one rule (protocol is mandatory)
sudo ufw deny out 21                                             # block outbound FTP control connections
sudo ufw deny out from 10.10.10.1
sudo ufw deny out from 10.10.10.1 to any port 21
sudo ufw deny in on eth0 from 10.10.10.1                         # inbound on a specific interface from one host
sudo ufw deny in on eth0 from 10.10.10.0/24                      # ... or from a whole subnet
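The commands above change the rule set; what a practitioner usually wants next is a quick audit of what the resulting rule set exposes. The following is an added example, not part of the original page or of UFW itself: it parses the output of `sudo ufw status numbered` (a constructed sample is embedded; on a real host, pipe the command's output in) and flags inbound ALLOW rules that are open to Anywhere on ports other than an expected public set, plus SSH allowed without the `limit` action recommended above. The set of acceptable public ports is an assumption passed as a parameter.

```python
"""Audit `sudo ufw status numbered` output for rules open to the world (added example)."""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout `ufw status numbered` prints; not captured from a real host.
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3306/tcp                   ALLOW IN    10.10.10.0/24
[ 4] 60000:65000/tcp            ALLOW IN    Anywhere                   # Port Range
[ 5] 21                         DENY OUT    Anywhere (out)
[ 6] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 7] 5432                       ALLOW IN    Anywhere
"""

# Columns are separated by runs of spaces; the "To" and "From" columns may themselves contain
# a single space ("22/tcp (v6)", "Anywhere (out)"), and an optional "# comment" ends the line.
RULE_RE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+"
    r"(?P<to>.+?)\s{2,}"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+(?P<direction>IN|OUT|FWD)\s+"
    r"(?P<frm>[^#]+?)\s*(?:#\s*(?P<comment>.*))?$"
)


@dataclass
class Rule:
    number: int
    to: str
    action: str
    direction: str
    source: str
    comment: Optional[str]

    def ports(self) -> Tuple[Optional[int], Optional[int], str]:
        """Return (low, high, proto) for the To column; (None, None, proto) means any port."""
        spec = self.to.replace("(v6)", "").strip()
        proto = "any"
        if "/" in spec:
            spec, proto = spec.split("/", 1)
        if not spec or spec == "Anywhere":      # e.g. `ufw allow from 10.0.0.0/8` has no port
            return None, None, proto
        low, _, high = spec.partition(":")      # "60000:65000" is a range, "80" a single port
        return int(low), int(high or low), proto

    def world_open(self) -> bool:
        return self.direction == "IN" and self.source.startswith("Anywhere")


def parse_status(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(int(m["num"]), m["to"].strip(), m["action"],
                              m["direction"], m["frm"].strip(), m["comment"]))
    return rules


def audit(rules: List[Rule], public_ports=frozenset({22, 80, 443})) -> List[str]:
    """Return one finding per inbound rule that exposes more than the expected public ports."""
    findings: List[str] = []
    for r in rules:
        if r.action not in ("ALLOW", "LIMIT") or not r.world_open():
            continue
        low, high, proto = r.ports()
        if low is None:
            findings.append(f"rule {r.number}: all ports open to Anywhere")
            continue
        if (low, high) == (22, 22) and r.action != "LIMIT":
            findings.append(f"rule {r.number}: SSH reachable from Anywhere without rate "
                            f"limiting (use `ufw limit ssh`)")
            continue
        exposed = set(range(low, high + 1)) - set(public_ports)
        if exposed:
            findings.append(f"rule {r.number}: {r.to} {proto} open to Anywhere "
                            f"({len(exposed)} unexpected port(s))")
    return findings


if __name__ == "__main__":
    # Usage: sudo ufw status numbered | python3 ufw_audit.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for finding in audit(parse_status(text)):
        print(finding)
```

On the sample this reports rule 1 (SSH without `limit`), rule 4 (the port range open to everyone) and rule 7 (PostgreSQL open to everyone); rule 3 is fine because it is restricted to the LAN subnet, and rule 6 is fine because SSH is rate-limited.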
Shorewall [Link] is another open-source firewall that generates iptables rules from a set of configuration files.
It seems to be more popular on Red Hat / CentOS, and because it is driven entirely by configuration files its usage is considerably more involved.
Shorewall Install
sudo apt update
sudo apt install shorewall shorewall-init -y
Shorewall Configuration
The configuration directory /etc/shorewall/ ships unconfigured. Depending on the type of firewall to be implemented, copy the matching example files from the documentation directory (run only one of the following):
sudo cp /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall/
sudo cp /usr/share/doc/shorewall/examples/two-interfaces/* /etc/shorewall/
sudo cp /usr/share/doc/shorewall/examples/three-interfaces/* /etc/shorewall/
The following covers the two-interface case, where Shorewall is not a standalone host firewall but routes traffic between the LAN and the WAN.
Define the zones
sudo nano /etc/shorewall/zones
See the following lines:
#ZONE  TYPE
fw     firewall
net    ipv4
loc    ipv4
- net is the WAN (e.g. Internet)
- loc is the LAN (e.g. Local)
Configure the interfaces
sudo nano /etc/shorewall/interfaces
It should look like the following (columns: ZONE INTERFACE OPTIONS; the physical= option binds the logical name to the real NIC):
net  NET_IF  dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
loc  LOC_IF  tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
Set up the policies
sudo nano /etc/shorewall/policy
To allow traffic from LAN to WAN but refuse traffic from WAN to LAN, the policy must look like the following (columns: SOURCE DEST POLICY LOG LEVEL):
loc  net  ACCEPT
net  all  DROP    $LOG_LEVEL
all  all  REJECT  $LOG_LEVEL
Policy lines are evaluated in order and the first match wins, and the rules file is always consulted before the policy. Note that the firewall host itself (zone fw) has no ACCEPT line here, so any traffic the firewall originates must be allowed explicitly in the rules file (as the DNS rule below does); everything else falls through to the final REJECT.
Manage the rules
sudo nano /etc/shorewall/rules
By default the rules are:
#ACTION         SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL  RATE   USER/  MARK  CONNLIMIT  TIME  HEADERS  SWITCH  HELPER
#                                       PORT    PORT(S) DEST      LIMIT  GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

#       Don't allow connection pickup from the net
#
Invalid(DROP)   net     all     tcp
#
#       Accept DNS connections from the firewall to the network
#
DNS(ACCEPT)     $FW     net
#
#       Accept SSH connections from the local network for administration
#
SSH(ACCEPT)     loc     $FW
#
#       Allow Ping from the local network
#
Ping(ACCEPT)    loc     $FW
#
#       Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP)      net     $FW

ACCEPT          $FW     loc     icmp
ACCEPT          $FW     net     icmp
Port Forwarding
DNAT net loc:10.0.0.1 tcp 80
Note: with no port given in the DEST column, it listens on port 80 and forwards to the same port 80 on 10.0.0.1.
DNAT net loc:10.0.0.1:80 tcp 8080
Note: it listens on port 8080 but forwards to port 80 on 10.0.0.1, because the port appended to the DEST column overrides the listening port.
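The interaction between the rules file, the two DNAT lines and the policy file above is easy to get wrong, so here is an added example (not part of the original page and not Shorewall's own code) that models how a NEW connection is resolved: the rules file is scanned first and the first matching line wins, otherwise the first matching policy line applies, with a DNAT rule matching traffic addressed to the firewall on its listening port and reporting where it is forwarded. The policy and rules are the page's own, copied inline as constructed input. The macro expansions (SSH, DNS, Ping) are deliberate simplifications of the real macro files, and the Invalid() rule is skipped because this model does not track connection state; the real compiler also handles ORIGINAL DEST, the ESTABLISHED/RELATED sections and much more.

```python
"""Trace how Shorewall resolves a NEW connection: rules first, then policy (added, simplified model)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copies of the policy and rules shown on this page (not read from /etc/shorewall).
POLICY = """\
loc  net  ACCEPT
net  all  DROP    $LOG_LEVEL
all  all  REJECT  $LOG_LEVEL
"""

RULES = """\
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
# Don't allow connection pickup from the net
Invalid(DROP)  net   all   tcp
DNS(ACCEPT)    $FW   net
SSH(ACCEPT)    loc   $FW
Ping(ACCEPT)   loc   $FW
Ping(DROP)     net   $FW
ACCEPT         $FW   loc   icmp
ACCEPT         $FW   net   icmp
# Port forwarding lines from the page
DNAT           net   loc:10.0.0.1      tcp   80
DNAT           net   loc:10.0.0.1:80   tcp   8080
"""

# Assumed, simplified macro expansions as (proto, dport) alternatives; the real macros live in
# /usr/share/shorewall/macro.* and carry more detail.
MACROS = {
    "SSH": [("tcp", 22)],
    "DNS": [("udp", 53), ("tcp", 53)],
    "Ping": [("icmp", None)],
}

Match = Tuple[Optional[str], Optional[int]]   # (proto or None=any, dport or None=any)


@dataclass
class Rule:
    action: str                        # ACCEPT, DROP, REJECT or DNAT
    src: str                           # source zone or "all"
    dst: str                           # destination zone (for DNAT: the zone forwarded into)
    matches: List[Match]
    dnat_to: Optional[Tuple[str, Optional[int]]] = None   # (address, port) for DNAT


def _zone(col: str) -> str:
    return "fw" if col == "$FW" else col


def parse_policy(text: str) -> List[Tuple[str, str, str]]:
    policy = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            cols = line.split()
            policy.append((_zone(cols[0]), _zone(cols[1]), cols[2]))
    return policy


def parse_rules(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("?SECTION"):
            continue
        cols = line.split()
        action_col, src, dst = cols[0], _zone(cols[1]), cols[2]
        proto = cols[3] if len(cols) > 3 else None
        dport = int(cols[4]) if len(cols) > 4 else None
        m = re.fullmatch(r"(\w+)\((\w+)\)", action_col)        # e.g. SSH(ACCEPT)
        if m:
            macro, action = m.groups()
            if macro == "Invalid":
                continue        # acts on conntrack INVALID state, which this model does not track
            matches = MACROS[macro]
        else:
            action, matches = action_col, [(proto, dport)]
        dnat_to = None
        if action == "DNAT":    # DEST is zone:address[:port]; port defaults to the listening port
            zone, _, rest = dst.partition(":")
            addr, _, port = rest.partition(":")
            dnat_to, dst = (addr, int(port) if port else dport), zone
        rules.append(Rule(action, src, _zone(dst), matches, dnat_to))
    return rules


def _rule_matches(rule: Rule, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
    if rule.src not in (src, "all"):
        return False
    # Before translation a DNAT'd packet is addressed to the firewall itself.
    expected_dst = "fw" if rule.action == "DNAT" else rule.dst
    if expected_dst not in (dst, "all"):
        return False
    return any((p is None or p == proto) and (d is None or d == dport) for p, d in rule.matches)


def evaluate(src: str, dst: str, proto: str, dport: Optional[int],
             rules: List[Rule], policy) -> Tuple[str, str]:
    """Return (verdict, reason): first matching rule, else first matching policy line."""
    for r in rules:
        if _rule_matches(r, src, dst, proto, dport):
            if r.action == "DNAT":
                addr, port = r.dnat_to
                return "ACCEPT", f"DNAT {src}:{dport} -> {r.dst}:{addr}:{port}"
            return r.action, f"rule {r.action} {r.src} {r.dst}"
    for psrc, pdst, verdict in policy:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return verdict, f"policy {psrc} {pdst} {verdict}"
    raise ValueError(f"no policy covers zone pair {src} -> {dst}")


if __name__ == "__main__":
    rules, policy = parse_rules(RULES), parse_policy(POLICY)
    for conn in [("loc", "fw", "tcp", 22), ("loc", "net", "tcp", 443), ("net", "loc", "tcp", 443),
                 ("fw", "net", "tcp", 80), ("fw", "net", "udp", 53), ("net", "fw", "tcp", 8080)]:
        print(conn, "->", evaluate(*conn, rules, policy))
```

The trace makes the policy caveat concrete: a web request from the firewall itself (fw to net, tcp/80) ends in REJECT from the `all all` line, while its DNS lookups are accepted only because the rules file allows them explicitly.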