From 24721e01b61af4e4217864dea8cf4115c5c39430 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 25 May 2014 10:07:07 -0700
Subject: [PATCH] Document nat vs. subzone restriction.
Signed-off-by: Tom Eastep
---
 Shorewall/manpages/shorewall-nat.xml | 74 ++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
diff --git a/Shorewall/manpages/shorewall-nat.xml b/Shorewall/manpages/shorewall-nat.xml
index 33156e5d9..5b26fc984 100644
--- a/Shorewall/manpages/shorewall-nat.xml
+++ b/Shorewall/manpages/shorewall-nat.xml
@@ -136,6 +136,80 @@ + + RESTRICTIONS + + DNAT rules always preempt one-to-one NAT rules. This has subtile + consequences when there are sub-zones on an + interface. Consider the following: + + /etc/shorewall/zones: + + #ZONE TYPE OPTIONS IN OUT +# OPTIONS OPTIONS +fw firewall +net ipv4 +loc ipv4 +smc:net ipv4 + + /etc/shorewall/interfaces: + + #ZONE INTERFACE OPTIONS +net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0 +loc eth1 tcpflags,nosmurfs,routefilter,logmartians + + /etc/shorewall/hosts: + + #ZONE HOST(S) OPTIONS +smc eth0:10.1.10.0/24 + + /etc/shorewall/nat: + + #EXTERNAL INTERFACE INTERNAL ALL LOCAL +# INTERFACES +10.1.10.100 eth0 172.20.1.100 + + + Note that the EXTERNAL address is in the smc zone. + + /etc/shorewall/rules: + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER +# PORT PORT(S) DEST LIMIT GROUP +?SECTION ALL +?SECTION ESTABLISHED +?SECTION RELATED +?SECTION INVALID +?SECTION UNTRACKED +?SECTION NEW +... +DNAT net loc:172.20.1.4 tcp 80 + + For the one-to-one NAT to work correctly in this configuration, one + of two approaches can be taken: + + + + Define a CONTINUE policy with smc as the SOURCE zone (preferred): + + #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST +smc $FW CONTINUE +loc net ACCEPT +net all DROP info +# THE FOLLOWING POLICY MUST BE LAST +all all REJECT info + + + + + Set IMPLICIT_CONTINUE=Yes in shorewall.conf(5). + + + + FILES