Shorewall, public ip, and private ip

Hi,

I want to use Shorewall as the firewall config tool on my Linode, but I can't figure out how I need to configure my zones. The problem is that Linode uses aliases for the private IP range (eth0:1). It seems to me that I can't put those in separate zones?

Also, it seems that there is a bit of contradiction between the Linode set-up guide for the private IP, and the Shorewall documentation on ethernet aliases. According to Linode, the private IP should be set up like this:

===
# eth0:1 - Private IPs have no gateway (they are not publicly routable) so all you need to
# specify is the address and netmask.
iface eth0:1 inet static
    address 192.168.133.234
    netmask 255.255.128.0
===

But Shorewall recommends another way:

===
# Internet interface
auto eth0
iface eth0 inet static
    address 206.124.146.176
    netmask 255.255.255.0
    gateway 206.124.146.254
    up ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0
===

I don't quite understand the difference between these two different ways to configure the ethernet-alias. I'm not even sure it really matters for Linode or Shorewall.

Then there is the matter of having one zone per address. According to the Shorewall documentation, this is possible with Linux vServer support (?), but I can't figure out how to set it up.

I hope someone can help me with this, because it all seems much harder than it has to be…

5 Replies

Either network configuration will work just fine, and will produce the same system state. I've done both from time to time. The advantage of the "iface" approach is that you've got each address separated into logical configuration stanzas; the advantage of the "up" approach is that you only need one line per IP address. I use a combo of the two approaches currently:

# The loopback network interface
auto lo
iface lo inet loopback

# Public IP addresses
auto eth0 eth0:sodtechssl
iface eth0 inet static
    address 97.107.134.213
    netmask 255.255.255.0
    gateway 97.107.134.1
    up /sbin/ip addr add 2600:3c03::f03c:91ff:fe96:1dc9 dev eth0 # main
    up /sbin/ip -6 route add default via fe80::1 dev eth0
    up /sbin/ip addr add 2600:3c03::13:3025/64 dev eth0 preferred_lft 0 # mail.sodtech.net
    up /sbin/ip addr add 2600:3c03::13:3123/64 dev eth0 preferred_lft 0 # ntp.sodtech.net
    # and fifteen billion other IPv6 addresses

iface eth0:sodtechssl inet static
    address 97.107.131.4
    netmask 255.255.255.0

# Internal IP address
auto eth0:lan
iface eth0:lan inet static
    address 192.168.137.246
    netmask 255.255.128.0

Thanks for the info :-)

I'm still in the dark on how to configure the Shorewall zones. Would something like this work:

zones file:

===
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4
===

interfaces file:

===
#ZONE   INTERFACE       BROADCAST       OPTIONS
-       eth0            -
===

hosts file:

===
#ZONE   HOST(S)                                 OPTIONS
net     176.58.125.0/24                         tcpflags
loc                                             tcpflags
===

To be honest, I don't know what to fill in my hosts file for the "loc" zone.

According to Linode my private IP is 192.168.195.3/255.255.128.0, but I'm not sure how I should convert this to a format that Shorewall understands.

I still wonder why Linode can't provide a separate virtual adapter for the private range. It would make firewall setup so much easier. A virtual adapter is just a piece of software, and wouldn't consume any additional resources.

Shorewall is easier than you think to set up for private/public IPs.

Your zones file should have one ipv4 zone (let's call it net) then in your rules file you specify the IP i.e.

#ACTION   SOURCE   DEST          PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/   MARK
#                                        PORT      PORT(S)   DEST       LIMIT   GROUP
ACCEPT    net      $FW:1.2.3.4   tcp     22        -         -

The above allows SSH on the IP 1.2.3.4; any other IPs would be dropped (assuming your default policy is to drop).
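The two loose ends in this thread are the netmask-to-CIDR conversion the asker needed for 192.168.195.3/255.255.128.0, and the single-zone, per-address rules layout the reply above recommends. The following script is an added example (not Shorewall's own tooling and not from either poster): it converts a Linode address/netmask pair into CIDR with Python's `ipaddress` module, generates a rules file in the `ACTION SOURCE DEST PROTO DEST_PORT` layout shown above that exposes public ports only on the public address and private ports only to hosts inside the private /17, and includes a small evaluator that checks what a given packet would do under those rules, assuming the net-to-$FW policy is DROP as the reply assumes. The addresses, ports and the `build_rules`/`would_accept` names are constructed for the example; the evaluator understands only the subset of rules syntax the generator emits, not Shorewall's full language.

```python
#!/usr/bin/env python3
"""Build and sanity-check a single-zone Shorewall rules file for a host with
one public address and one RFC 1918 private alias on the same NIC.
Added example; all addresses and ports below are constructed sample values."""
import ipaddress

# RFC 1918 ranges, used to refuse an obviously swapped public/private pair.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def to_cidr(address, netmask):
    """Turn the address + dotted netmask Linode hands out into the network in
    CIDR notation that Shorewall's hosts and rules files accept.
    '192.168.195.3', '255.255.128.0' -> '192.168.128.0/17'."""
    return str(ipaddress.ip_interface(f"{address}/{netmask}").network)


def is_rfc1918(address):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def rule(action, source, dest, proto="-", dport="-"):
    """One tab-separated line for /etc/shorewall/rules (trailing columns omitted)."""
    return "\t".join((action, source, dest, proto, str(dport)))


def build_rules(public_ip, private_ip, private_mask, public_ports, private_ports):
    """Return the text of a rules file using the single 'net' zone plus $FW
    layout from the reply above: no 'loc' zone, the destination address and
    source network do the separating instead."""
    if is_rfc1918(public_ip):
        raise ValueError(f"{public_ip} is an RFC 1918 address, not a public one")
    if not is_rfc1918(private_ip):
        raise ValueError(f"{private_ip} is not in RFC 1918 space")
    private_net = to_cidr(private_ip, private_mask)
    lines = ["#ACTION\tSOURCE\tDEST\tPROTO\tDEST_PORT"]
    # Public services: reachable from anywhere, but only on the public address.
    for port in public_ports:
        lines.append(rule("ACCEPT", "net", f"$FW:{public_ip}", "tcp", port))
    # Private services: only from the private network, only on the private address.
    for port in private_ports:
        lines.append(rule("ACCEPT", f"net:{private_net}", f"$FW:{private_ip}", "tcp", port))
    return "\n".join(lines) + "\n"


def would_accept(rules_text, src_ip, dst_ip, dport, proto="tcp"):
    """Evaluate one inbound packet against the generated rules, first match
    wins, default DROP.  Constructed evaluator for this example's subset of
    syntax (zone[:cidr] sources, $FW[:ip] destinations, one proto, one port)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in rules_text.splitlines():
        if not line or line.startswith("#"):
            continue
        action, source, dest, rproto, rport = line.split("\t")
        zone, _, srcnet = source.partition(":")
        if zone != "net" or (srcnet and src not in ipaddress.ip_network(srcnet)):
            continue
        fw, _, dstip = dest.partition(":")
        if fw != "$FW" or (dstip and dst != ipaddress.ip_address(dstip)):
            continue
        if rproto not in ("-", proto) or rport not in ("-", str(dport)):
            continue
        return action == "ACCEPT"
    return False  # no rule matched: the assumed net -> $FW DROP policy applies


if __name__ == "__main__":
    # Constructed sample: public address in the thread's 176.58.125.0/24,
    # private alias as given by the asker.
    rules = build_rules("176.58.125.10", "192.168.195.3", "255.255.128.0",
                        public_ports=[22, 443], private_ports=[3306])
    print(rules)
    print("ssh from internet to public ip:",
          would_accept(rules, "203.0.113.9", "176.58.125.10", 22))
    print("mysql from internet to private ip:",
          would_accept(rules, "203.0.113.9", "192.168.195.3", 3306))
    print("mysql from private net to private ip:",
          would_accept(rules, "192.168.140.7", "192.168.195.3", 3306))
```

The generated file is meant to be dropped into /etc/shorewall/rules alongside a policy file whose net-to-$FW entry is DROP; without that policy, the evaluator's default and Shorewall's real behaviour diverge. Checking the generated rules offline like this catches the common slip of exposing a private-only service on the public address before `shorewall restart` makes it live.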

Thanks, that does look a lot easier.

One final question: What's the difference between using '$FW' and using the zone 'fw' (as specified in the zones file by default) in your rules file?

$FW is a variable which represents the fw zone, so you can change the fw zone name and it'd still work. Apart from that they're the same; it doesn't matter which you use.
