mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-19 20:19:36 +01:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="Shorewall_and_Aliased_Interfaces">
  <!--$Id$-->

  <articleinfo>
    <title>Shorewall and Aliased Interfaces</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2004-06-29</pubdate>

    <copyright>
      <year>2001-2004</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section>
    <title>Background</title>

    <para>The traditional net-tools contain a program called
    <emphasis>ifconfig</emphasis> which is used to configure network devices.
    ifconfig introduced the concept of <emphasis>aliased</emphasis> or
    <emphasis>virtual</emphasis> interfaces. These virtual interfaces have
    names of the form <emphasis>interface:integer</emphasis> (e.g., <filename
    class="devicefile">eth0:0</filename>) and ifconfig treats them more or
    less like real interfaces.</para>

    <example>
      <title>ifconfig</title>

      <programlisting>[root@gateway root]# <command>ifconfig eth0:0</command>
eth0:0    Link encap:Ethernet  HWaddr 02:00:08:E3:FA:55
          inet addr:206.124.146.178  Bcast:206.124.146.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:11 Base address:0x2000
[root@gateway root]# </programlisting>
    </example>

    <para>The ifconfig utility is being gradually phased out in favor of the
    ip utility, which is part of the <emphasis>iproute</emphasis> package. The
    ip utility does not use the concept of aliases or virtual interfaces but
    rather treats additional addresses on an interface as objects in their own
    right. For compatibility with ifconfig, ip allows an address to be
    <emphasis>labeled</emphasis>, and these labels take the form of ifconfig
    virtual interface names.</para>

    <example>
      <title>ip</title>

      <programlisting>[root@gateway root]# <command>ip addr show dev eth0</command>
2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100
    link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
    inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0
[root@gateway root]# </programlisting>

      <para><note><para>One <emphasis role="bold">cannot</emphasis> type
      <quote><command>ip addr show dev eth0:0</command></quote> because
      <quote><filename class="devicefile">eth0:0</filename></quote> is a label
      for a particular address rather than a device name.</para><programlisting>[root@gateway root]# <command>ip addr show dev eth0:0</command>
Device "eth0:0" does not exist.
[root@gateway root]#</programlisting></note></para>
    </example>

    <para>The iptables program does not support virtual interfaces in
    either its <quote>-i</quote> or its <quote>-o</quote> option: both are
    matched against the real device that a packet arrived on or will leave
    by, so an alias name such as <filename class="devicefile">eth0:0</filename>
    never matches anything. Traffic to or from a particular aliased address
    therefore has to be matched on the address itself. As a consequence,
    Shorewall does not allow virtual interface names in the
    /etc/shorewall/interfaces file or anywhere else except as described in the
    discussion below.</para>
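    <para>The following Python script is an added example; it is not part of
    this page or of Shorewall. It parses the <quote>ip addr show</quote>
    output format illustrated above (the sample text is a constructed copy of
    that listing) and shows the practical consequence of the iptables
    limitation: a label such as eth0:0 has to be resolved into the real
    device plus an address match, which is the effect of the $FW:address
    qualifier used in the Separate Rules section below. The function names
    and the returned argument list are this example's own.</para>

```python
"""Translate an ifconfig-style label (eth0:0) into what iptables can match on.

Added example, not part of the Shorewall documentation or code.
"""
import re

# Constructed sample: a copy of the "ip addr show dev eth0" listing on this page.
SAMPLE_IP_ADDR_SHOW = """\
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
    link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
    inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0
"""

# "2: eth0: <...>" header line that starts each device block
_DEV_RE = re.compile(r"^\d+:\s+(?P<dev>[^:@\s]+)")
# "inet A.B.C.D/N ... scope S [secondary] LABEL" address lines
_INET_RE = re.compile(
    r"^\s+inet\s+(?P<addr>\d+\.\d+\.\d+\.\d+)/(?P<plen>\d+)"
    r".*?\bscope\s+\S+(?P<secondary>\s+secondary)?\s+(?P<label>\S+)\s*$"
)


def parse_ip_addr_show(text):
    """Return {label: {device, address, prefixlen, secondary}} for every inet line.

    The label is the last token of the line; a primary address carries the
    bare device name as its label, an alias carries a name like eth0:0.
    """
    labels = {}
    device = None
    for line in text.splitlines():
        m = _DEV_RE.match(line)
        if m:
            device = m.group("dev")
            continue
        m = _INET_RE.match(line)
        if m and device is not None:
            labels[m.group("label")] = {
                "device": device,
                "address": m.group("addr"),
                "prefixlen": int(m.group("plen")),
                "secondary": m.group("secondary") is not None,
            }
    return labels


def iptables_match_for(label, labels):
    """Arguments that match inbound traffic to the address behind a label.

    "-i eth0:0" never matches, because the kernel compares the real device
    name; the alias has to become "-i <device> -d <address>", which is the
    effect of a Shorewall rule whose DEST is $FW:<address>.
    """
    try:
        entry = labels[label]
    except KeyError:
        raise KeyError(f"{label!r} is not a label on any parsed device") from None
    return ["-i", entry["device"], "-d", entry["address"]]


if __name__ == "__main__":
    parsed = parse_ip_addr_show(SAMPLE_IP_ADDR_SHOW)
    for name, info in parsed.items():
        kind = "secondary" if info["secondary"] else "primary"
        print(f"{name:8} {info['address']}/{info['prefixlen']} ({kind} on {info['device']})")
    print("iptables", *iptables_match_for("eth0:0", parsed))
```

    <para>Asking for a label that is not present raises KeyError rather than
    silently falling back to the device, so a rule referring to an address that
    was never added is reported instead of becoming a rule that matches all
    addresses on the interface.</para>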
  </section>

  <section>
    <title>Adding Addresses to Interfaces</title>

    <para>Most distributions have a facility for adding additional addresses
    to interfaces. If you have already used your distribution's capability
    to add your required addresses, you can skip this section.</para>

    <para>Shorewall provides facilities for automatically adding addresses to
    interfaces as described in the following section. It is also easy to add
    them yourself using the <emphasis role="bold">ip</emphasis> utility. The
    above alias was added using:</para>

    <programlisting><command>ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0</command></programlisting>

    <para>Give the prefix length and broadcast address explicitly as shown; if
    the prefix length is omitted, ip adds the address as a /32 host address.
    You probably want to arrange to add these addresses when the device
    is started rather than placing commands like the above in one of the
    Shorewall extension scripts. For example, on RedHat systems, you can place
    the commands in /sbin/ifup-local, which ifup calls with the interface name
    as its first argument:</para>

    <programlisting>#!/bin/sh
# /sbin/ifup-local: called by ifup with the interface name in $1

case $1 in
    eth0)
        # "ip addr add" fails if the address is already present, so add it only when missing
        if ! /sbin/ip addr show dev eth0 | grep -q 'inet 206.124.146.178/'; then
            /sbin/ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0
        fi
        ;;
esac</programlisting>

    <para>RedHat systems also allow adding such aliases from the network
    administration GUI (which only works well if you have a graphical
    environment on your firewall).</para>
  </section>

  <section>
    <title>So how do I handle more than one address on an interface?</title>

    <para>The answer depends on what you are trying to do with the interfaces.
    In the sub-sections that follow, we'll take a look at common
    scenarios.</para>

    <section>
      <title>Separate Rules</title>

      <para>If you need to make a rule for traffic to/from the firewall itself
      that only applies to a particular IP address, simply qualify the $FW
      zone with the IP address. Shorewall turns the qualifier into an address
      match on the real interface, which is the only way the kernel can tell
      the aliased address apart from the primary one.</para>

      <example>
        <title>allow SSH from net to eth0:0 above</title>

        <para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION   SOURCE    DEST                     PROTO   DEST PORT(S)
ACCEPT    net       $FW:206.124.146.178      tcp     22</programlisting></para>
      </example>
    </section>

    <section>
      <title>DNAT</title>

      <para>Suppose that I had set up eth0:0 as above and I wanted to port
      forward from that virtual interface to a web server running in my local
      zone at 192.168.1.3. That is accomplished by a single rule in the
      <filename>/etc/shorewall/rules</filename> file. The ORIGINAL DEST column
      limits the rule to connections that were addressed to 206.124.146.178,
      so port 80 on the primary address (206.124.146.176) is not forwarded by
      this rule:</para>

      <programlisting>#ACTION   SOURCE    DEST                PROTO   DEST      SOURCE    ORIGINAL
#                                               PORT(S)   PORT(S)   DEST
DNAT      net       loc:192.168.1.3     tcp     80        -         206.124.146.178</programlisting>
    </section>

    <section>
      <title>SNAT</title>

      <para>If you wanted to use eth0:0 as the IP address for outbound
      connections from your local zone (eth1), then in <filename>/etc/shorewall/masq</filename>:</para>

      <programlisting>#INTERFACE     SUBNET     ADDRESS
eth0           eth1       206.124.146.178</programlisting>

      <para>Shorewall can create the alias (additional address) for you if you
      set ADD_SNAT_ALIASES=Yes in <filename>/etc/shorewall/shorewall.conf</filename>.
      Beginning with Shorewall 1.3.14, Shorewall can also create the
      <quote>label</quote> (virtual interface) so that you can see the created
      address using ifconfig. In addition to setting ADD_SNAT_ALIASES=Yes, you
      specify the virtual interface name in the INTERFACE column as follows.</para>

      <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE     SUBNET     ADDRESS
eth0:0         eth1       206.124.146.178</programlisting></para>

      <para>Shorewall can also set up SNAT to round-robin over a range of IP
      addresses. To do that, you specify a range of IP addresses in the
      ADDRESS column. If you specify a label in the INTERFACE column,
      Shorewall will use that label for the first address of the range and
      will increment the numeric part of the label by one for each subsequent
      address.</para>

      <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE     SUBNET     ADDRESS
eth0:0         eth1       206.124.146.178-206.124.146.180</programlisting></para>

      <para>The above would create three IP addresses:</para>

      <programlisting>eth0:0 = 206.124.146.178
eth0:1 = 206.124.146.179
eth0:2 = 206.124.146.180</programlisting>
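      <para>The following Python script is an added example, not Shorewall's
      own code, and it goes slightly beyond the text: it expands any masq
      ADDRESS entry (a single address or a range) into the labelled addresses
      that the rule described above produces, and prints the equivalent
      <quote>ip addr add</quote> commands for adding them by hand. The masq
      line format is the one shown above; the function names, the assumed /24
      prefix length (taken from the earlier ip addr add example) and the
      rejection of a reversed range are this example's own assumptions.</para>

```python
"""Expand a Shorewall masq entry with an address range into labelled aliases.

Added example, not Shorewall's code. Labelling rule from the text: the label
in the INTERFACE column names the first address of the range and its numeric
part is incremented by one for each following address.
"""
import ipaddress
import re

# INTERFACE column: "eth0" (no label) or "eth0:0" (label with a starting number)
_LABEL_RE = re.compile(r"^(?P<dev>[^:\s]+)(?::(?P<n>\d+))?$")


def expand_addresses(spec):
    """'a.b.c.d' -> [a.b.c.d]; 'a.b.c.d-a.b.c.e' -> every address, inclusive."""
    first, sep, last = spec.partition("-")
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last) if sep else lo
    if hi < lo:
        raise ValueError(f"reversed range {spec!r}")
    return [ipaddress.IPv4Address(int(lo) + i) for i in range(int(hi) - int(lo) + 1)]


def snat_aliases(masq_line):
    """Return [(label, address)] for one masq line.

    label is None when the INTERFACE column names a plain device, i.e. the
    address would be added without an ifconfig-visible label.
    """
    interface, _subnet, address = masq_line.split()[:3]
    m = _LABEL_RE.match(interface)
    if not m:
        raise ValueError(f"bad INTERFACE column {interface!r}")
    dev, start = m.group("dev"), m.group("n")
    out = []
    for i, addr in enumerate(expand_addresses(address)):
        label = f"{dev}:{int(start) + i}" if start is not None else None
        out.append((label, str(addr)))
    return out


def ip_addr_add_commands(masq_line, prefixlen=24):
    """The "ip addr add" commands you would type to add the same addresses by hand.

    prefixlen is an assumption of this example (the page's own example used /24);
    the broadcast address is derived from it.
    """
    dev = masq_line.split()[0].split(":")[0]
    cmds = []
    for label, addr in snat_aliases(masq_line):
        net = ipaddress.IPv4Interface(f"{addr}/{prefixlen}").network
        cmd = f"ip addr add {addr}/{prefixlen} brd {net.broadcast_address} dev {dev}"
        if label:
            cmd += f" label {label}"
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    line = "eth0:0 eth1 206.124.146.178-206.124.146.180"
    for label, addr in snat_aliases(line):
        print(f"{label} = {addr}")
    for cmd in ip_addr_add_commands(line):
        print(cmd)
```

      <para>Running it on the range above reproduces the eth0:0, eth0:1 and
      eth0:2 assignments listed in the text; a label that starts at a higher
      number (eth0:5, say) continues from that number.</para>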
    </section>

    <section>
      <title>One-to-one NAT</title>

      <para>If you wanted to use one-to-one NAT to link <filename
      class="devicefile">eth0:0</filename> with local address 192.168.1.3, you
      would have the following in <filename>/etc/shorewall/nat</filename>:</para>

      <programlisting>#EXTERNAL           INTERFACE    INTERNAL       ALL INTERFACES    LOCAL
206.124.146.178     eth0         192.168.1.3    no                no</programlisting>

      <para>Shorewall can create the alias (additional address) for you if you
      set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
      Shorewall 1.3.14, Shorewall can also create the <quote>label</quote>
      (virtual interface) so that you can see the created address using
      ifconfig. In addition to setting ADD_IP_ALIASES=Yes, you specify the
      virtual interface name in the INTERFACE column as follows.</para>

      <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL           INTERFACE    INTERNAL       ALL INTERFACES    LOCAL
206.124.146.178     eth0:0       192.168.1.3    no                no</programlisting></para>

      <para>In either case, to create rules in <filename>/etc/shorewall/rules</filename>
      that pertain only to this NAT pair, you simply qualify the local zone
      with the internal IP address. Rules are evaluated after the destination
      has been translated, so the rule names the internal address 192.168.1.3
      rather than the external address 206.124.146.178.</para>

      <example>
        <title>You want to allow SSH from the net to 206.124.146.178 a.k.a.
        192.168.1.3.</title>

        <para><programlisting>#ACTION   SOURCE    DEST                PROTO   DEST PORT(S)
ACCEPT    net       loc:192.168.1.3     tcp     22</programlisting></para>
      </example>
    </section>

    <section>
      <title>Multiple Subnets</title>

      <para>Sometimes multiple IP addresses are used because there are
      multiple subnetworks configured on a LAN segment. This technique does
      not provide for any security between the subnetworks if the users of the
      systems have administrative privileges because in that case, the users
      can simply manipulate their system's routing table, or change their
      system's IP address, to bypass your firewall/router: both subnetworks
      share the same wire, so nothing forces traffic between them through the
      firewall. Nevertheless, there are cases where you simply want to
      consider the LAN segment itself as a zone and allow your firewall/router
      to route between the two subnetworks.</para>

      <example>
        <title>Local interface eth1 interfaces to 192.168.1.0/24 and
        192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
        eth1:0 is 192.168.20.254. You simply want your firewall to route
        between these two subnetworks.</title>

        <para>This example applies to Shorewall 1.4.2 and later.</para>

        <para>In <filename>/etc/shorewall/zones</filename>:</para>

        <programlisting>#ZONE    DISPLAY    DESCRIPTION
loc      Local      Local Zone</programlisting>

        <para>In <filename>/etc/shorewall/interfaces</filename>. The
        <emphasis role="bold">routeback</emphasis> option is required because
        traffic between the two subnetworks enters and leaves through the same
        interface:</para>

        <programlisting>#ZONE    INTERFACE    BROADCAST                       OPTIONS
loc      eth1         192.168.1.255,192.168.20.255    <emphasis role="bold">routeback</emphasis></programlisting>

        <para>In <filename>/etc/shorewall/rules</filename>, simply specify
        ACCEPT rules for the traffic that you want to permit.</para>
      </example>

      <example>
        <title>Local interface eth1 interfaces to 192.168.1.0/24 and
        192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
        eth1:0 is 192.168.20.254. You want to make these subnetworks into
        separate zones and control the access between them (the users of the
        systems do not have administrative privileges).</title>

        <para>This example applies to Shorewall 1.4.2 and later.</para>

        <para>In <filename>/etc/shorewall/zones</filename>:</para>

        <programlisting>#ZONE    DISPLAY    DESCRIPTION
loc      Local      Local Zone 1
loc2     Local2     Local Zone 2</programlisting>

        <para>In <filename>/etc/shorewall/interfaces</filename> (the
        <quote>-</quote> in the ZONE column means that zone membership is
        assigned in the hosts file rather than by interface):</para>

        <programlisting>#ZONE    INTERFACE    BROADCAST                       OPTIONS
-        eth1         192.168.1.255,192.168.20.255</programlisting>

        <para>In <filename>/etc/shorewall/hosts</filename>:</para>

        <programlisting>#ZONE    HOSTS                     OPTIONS
loc      eth1:192.168.1.0/24
loc2     eth1:192.168.20.0/24</programlisting>

        <para>In <filename>/etc/shorewall/rules</filename>, simply specify
        ACCEPT rules for the traffic that you want to permit.</para>
      </example>
    </section>
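    <para>The following Python script is an added example and is not part of
    Shorewall. It models the zone classification that the hosts file in the
    second example produces for packets arriving on eth1, and demonstrates the
    caveat stated at the start of this section: because membership in loc or
    loc2 is decided by the packet's source address, a host that can change its
    own address moves itself into the other zone. The hosts lines are copied
    from the example above; the packet addresses and the function names are
    constructed for this example.</para>

```python
"""Classify packets on a shared LAN segment into Shorewall zones by source address.

Added example, not Shorewall's code. Models the hosts-file based zoning of
eth1 (192.168.1.0/24 -> loc, 192.168.20.0/24 -> loc2) described above.
"""
import ipaddress

# Copied from the /etc/shorewall/hosts example on this page.
HOSTS_FILE = """\
#ZONE    HOSTS                     OPTIONS
loc      eth1:192.168.1.0/24
loc2     eth1:192.168.20.0/24
"""


def parse_hosts(text):
    """Return [(zone, interface, network)] in file order; the first match wins."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        zone, hosts = line.split()[:2]          # OPTIONS column is ignored here
        iface, _, net = hosts.partition(":")
        entries.append((zone, iface, ipaddress.ip_network(net, strict=True)))
    return entries


def zone_of(entries, iface, src_ip):
    """Zone assigned to a packet from src_ip arriving on iface, or None."""
    ip = ipaddress.ip_address(src_ip)
    for zone, z_iface, net in entries:
        if z_iface == iface and ip in net:
            return zone
    return None


def address_change_demo(entries):
    """The caveat from the text, as a before/after pair.

    A host on the loc subnet that can reconfigure its own address re-sources
    its packets from the loc2 subnet on the same interface and is thereafter
    classified as loc2: the zone boundary exists only in the addresses.
    """
    before = zone_of(entries, "eth1", "192.168.1.7")
    after = zone_of(entries, "eth1", "192.168.20.7")   # same host, same NIC, new address
    return before, after


if __name__ == "__main__":
    table = parse_hosts(HOSTS_FILE)
    for src in ("192.168.1.7", "192.168.20.7", "10.0.0.1"):
        print(f"eth1 <- {src:15} zone={zone_of(table, 'eth1', src)}")
    print("after address change:", address_change_demo(table))
```

    <para>A source that matches no hosts entry gets no zone at all, which is
    why the interfaces file still names the interface and why the zones file
    must define every zone used in hosts; a packet arriving on a different
    interface with a matching address is likewise unclassified, since the
    entries are bound to eth1.</para>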
  </section>
</article>