From 4b74dc43a3925455a3ecccf44dfe4b32c75742e8 Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 9 Mar 2003 01:33:38 +0000 Subject: [PATCH] Add new documentation git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@492 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- .../Shorewall_and_Aliased_Interfaces.html | 549 ++++++++++++++++++ 1 file changed, 549 insertions(+) create mode 100755 STABLE/documentation/Shorewall_and_Aliased_Interfaces.html diff --git a/STABLE/documentation/Shorewall_and_Aliased_Interfaces.html b/STABLE/documentation/Shorewall_and_Aliased_Interfaces.html new file mode 100755 index 000000000..63b6b92fa --- /dev/null +++ b/STABLE/documentation/Shorewall_and_Aliased_Interfaces.html @@ -0,0 +1,549 @@ + + + + Shorewall and Aliased Interfaces + + + + + + + + + + + + + + + +
+ + +

Shorewall and Aliased Interfaces

+
+
+ +

Background

+ The traditional net-tools contain a program called ifconfig which + is used to configure network devices. ifconfig introduced the concept of +aliased or virtial interfaces. These virtual interfaces have +names of the form interface:integer (e.g., eth0:0) and ifconfig +treats them more or less like real interfaces.
+
+ Example:
+ +
[root@gateway root]# ifconfig eth0:0
eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55
inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0x2000
[root@gateway root]#
+ The ifconfig utility is being gradually phased out in favor of the ip + utility which is part of the iproute package. The ip utility does +not use the concept of aliases or virtual interfaces but rather treats additional + addresses on an interface as addresses. The ip utility does provide for interaction + with ifconfig in that it allows addresses to be labeled.
+
+ Example:
+
+ +
[root@gateway root]# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0
[root@gateway root]#
+ Note that one cannot type "ip addr show dev eth0:0"
+ +
[root@gateway root]# ip addr show dev eth0:0
Device "eth0:0" does not exist.
[root@gateway root]#
+ The iptables program doesn't support virtual interfaces in either it's +"-i" or "-o" command options; as a consequence, Shorewall does not allow +them to be used in the /etc/shorewall/interfaces file.
+
+ +

So how do I handle more than one address on an interface?

+ Depends on what you are trying to do with the interfaces. In the sub-sections + that follow, we'll take a look at common scenarios.
+ +

Separate Rules

+ If you need to make a rule for traffic to/from the firewall itself only +apply to a particular IP address, simply qualify the $FW zone with the IP +address.
+
+ Example (allow SSH from net to eth0:0 above):
+
+ +
+ + + + + + + + + + + + + + + + + + + + + + +
ACTION
+
SOURCE
+
DESTINATION
+
PROTOCOL
+
PORT(S)
+
SOURCE PORT(S)
+
ORIGINAL DESTINATION
+
DNAT
+
net
+
fw:206.124.146.178
+
tcp
+
22
+

+

+
+
+
+ +

DNAT

+ Suppose that I had set up eth0:0 as above and I wanted to port forward +from that virtual interface to a web server running in my local zone at 192.168.1.3. + That is accomplised by a single rule in the /etc/shorewall/rules file:
+
+ +
+ + + + + + + + + + + + + + + + + + + + + + +
ACTION
+
SOURCE
+
DESTINATION
+
PROTOCOL
+
PORT(S)
+
SOURCE PORT(S)
+
ORIGINAL DESTINATION
+
DNAT
+
net
+
loc:192.168.1.3
+
tcp
+
80
+
-
+
206.124.146.178
+
+
+
+ +

SNAT

+ If you wanted to use eth0:0 as the IP address for outbound connections +from your local zone (eth1), then in /etc/shorewall/masq:
+
+ +
+ + + + + + + + + + + + + + +
INTERFACE
+
SUBNET
+
ADDRESS
+
eth0
+
eth1
+
206.124.146.178
+
+
+
+ Shorewall can create the alias (additional address) for you if you set +ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall +1.3.14, Shorewall can actually create the "label" (virtual interface) so +that you can see the created address using ifconfig. In addition to setting +ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE +column as follows:
+ +
+ + + + + + + + + + + + + + +
INTERFACE
+
SUBNET
+
ADDRESS
+
eth0:0
+
eth1
+
206.124.146.178
+
+
+
+ +

STATIC NAT

+ If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3, + you would have the following in /etc/shorewall/nat:
+
+ +
+ + + + + + + + + + + + + + + + + + +
EXTERNAL
+
INTERFACE
+
INTERNAL
+
ALL INTERFACES
+
LOCAL
+
206.124.146.178
+
eth0
+
192.168.1.3
+
no
+
no
+
+
+
+ Shorewall can create the alias (additional address) for you if you set +ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall +1.3.14, Shorewall can actually create the "label" (virtual interface) so +that you can see the created address using ifconfig. In addition to setting +ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE +column as follows:
+
+ +
+ + + + + + + + + + + + + + + + + + +
EXTERNAL
+
INTERFACE
+
INTERNAL
+
ALL INTERFACES
+
LOCAL
+
206.124.146.178
+
eth0:0
+
192.168.1.3
+
no
+
no
+
+
+
+ In either case, to create rules that pertain only to this NAT pair, you +simply qualify the local zone with the internal IP address.
+
+ Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3.
+
+ +
+ + + + + + + + + + + + + + + + + + + + + + +
ACTION
+
SOURCE
+
DESTINATION
+
PROTOCOL
+
PORT(S)
+
SOURCE PORT(S)
+
ORIGINAL DESTINATION
+
ACCEPT
+
net
+
loc:192.168.1.3
+
tcp
+
22
+

+

+
+
+
+ +

MULTIPLE SUBNETS

+ Sometimes multiple IP addresses are used because there are multiple subnetworks + configured on a LAN segment. This technique does not provide for any security + between the subnetworks if the users of the systems have administrative privileges + because in that case, the users can simply manipulate their system's routing + table to bypass your firewall/router. Nevertheless, there are cases where + you simply want to consider the LAN segment itself as a zone and allow your + firewall/router to route between the two subnetworks.
+
+ Example 1:  Local interface eth1 interfaces to 192.168.1.0/24 and +192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 +is 192.168.20.254. You want to simply route all requests between the two +subnetworks.
+
+ In /etc/shorewall/interfaces:
+
+ +
+ + + + + + + + + + + + + + + + +
ZONE
+
INTERFACE
+
BROADCAST
+
OPTIONS
+
loc
+
eth1
+
192.168.1.255,192.168.20.255
+
Note 1:
+
+
+
+ Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify + the multi option.
+
+ In /etc/shorewall/policy:
+
+ +
+ + + + + + + + + + + + + + + + + + +
SOURCE
+
DESTINATION
+
POLICY
+
LOG LEVEL
+
BURST:LIMIT
+
loc
+
loc
+
ACCEPT
+

+

+
+
+
+ Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24. + The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254. + You want to make these subnetworks into separate zones and control the +access between them (the users of the systems do not have administrative +privileges).
+
+ In /etc/shorewall/zones:
+
+ +
+ + + + + + + + + + + + + + + + + + + +
ZONE
+
DISPLAY
+
DESCRIPTION
+
loc
+
Local
+
Local Zone 1
+
loc2
+
Local2
+
Local Zone 2
+
+
+
+ In /etc/shorewall/interfaces:
+
+ +
+ + + + + + + + + + + + + + + + +
ZONE
+
INTERFACE
+
BROADCAST
+
OPTIONS
+
-
+
eth1
+
192.168.1.255,192.168.20.255
+
Note 1:
+
+
+
+ Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify + the multi option.
+
+ In /etc/shorewall/hosts:
+ +
+ + + + + + + + + + + + + + + + + + + +
ZONE
+
HOSTS
+
OPTIONS
+
loc
+
eth0:192.168.1.0/24
+

+
loc2
+
eth0:192.168.20.0/24
+

+
+
+
+ In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic that + you want to permit.
+
+ +

Last Updated 3/5/2003 A - Tom Eastep

+ +

Copyright © + 2001, 2002, 2003 Thomas M. Eastep.
+
+

+
+
+ +
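Review bot: the /etc/shorewall/hosts table in Example 2 of MULTIPLE SUBNETS names the wrong interface: the surrounding text and the /etc/shorewall/interfaces table both use eth1 for the 192.168.1.0/24 and 192.168.20.0/24 segments, yet the hosts entries read "eth0:192.168.1.0/24" and "eth0:192.168.20.0/24", so the loc and loc2 zones would be bound to the external interface instead of the LAN; these should be "eth1:192.168.1.0/24" and "eth1:192.168.20.0/24". In the Separate Rules section, the example captioned "allow SSH from net to eth0:0 above" uses ACTION "DNAT" with DESTINATION "fw:206.124.146.178", which does not match the stated intent and is inconsistent with the later STATIC NAT example that uses "ACCEPT" for the same purpose; "ACCEPT" is what the text describes. Smaller points: the ifconfig HWaddr "02:00:08:3:FA:55" disagrees with the ip output "02:00:08:e3:fa:55" for the same eth0; "virtial" should be "virtual", "accomplised" should be "accomplished", "either it's "-i" or "-o"" should be "its", and the footer "Last Updated 3/5/2003 A" carries a stray "A".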