From a855014784fc1ed621294a6f96ade637780f0a03 Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 11 Jan 2008 23:14:59 +0000 Subject: [PATCH] Add discussion of DNAT/REDIRECT and nesting to the 'nesting' manpage git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8046 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- manpages/shorewall-interfaces.xml | 10 ++--- manpages/shorewall-nesting.xml | 65 +++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+), 7 deletions(-) diff --git a/manpages/shorewall-interfaces.xml b/manpages/shorewall-interfaces.xml index 2ef2f2ecd..f4674079f 100644 --- a/manpages/shorewall-interfaces.xml +++ b/manpages/shorewall-interfaces.xml @@ -72,13 +72,9 @@ loc eth2 - ppp1, ppp2, … Care must be exercised when using wildcards where there is - another zone that uses a matching specific interface. In that case, - it is probably better to place a '-' in the ZONE column of the - wildcard entry and define the zone(s) associated with the wildcard - in shorewall-hosts(8). - This is particularly true if you use DNAT or REDIRECT rules; see - shorewall-rules(8). + another zone that uses a matching specific interface. See shorewall-nesting(8) for a + discussion of this problem. There is no need to define the loopback interface (lo) in this file. diff --git a/manpages/shorewall-nesting.xml b/manpages/shorewall-nesting.xml index 2f88b089c..891b57904 100644 --- a/manpages/shorewall-nesting.xml +++ b/manpages/shorewall-nesting.xml 
@@ -103,6 +103,71 @@ 192.168.1.3. If you need to exclude more than one zone, simply use multiple ACCEPT+ rules. This technique also may be used when the ACTION is REDIRECT. + + Care must be taken when nesting occurs as a result of the use of + wildcard interfaces (interface names ends in '+'). + + Here's an example. + /etc/shorewall/zones: #ZONE TYPE OPTION + fw firewall + net ipv4 + loc ipv4 + dmz ipv4 + + /etc/shorewall/interfaces: #ZONE INTERFACE BROADCAST OPTIONS + net ppp0 + loc eth1 + loc ppp+ + dmz eth2 + + Because the net zone is declared before the loc zone, net is an + implicit sub-zone of loc and in the absence of a net->... CONTINUE + policy, traffic from the net zone will not be passed through loc->... + rules. But DNAT and REDIRECT rules are an exception! + + + + DNAT and REDIRECT rules generate two Netfilter rules: a 'nat' + table rule that rewrites the destination IP address and/or port + number, and a 'filter' table rule that ACCEPTs the rewritten + connection. + + + + Policies only affect the 'filter' table. + + + + As a consequence, the following rules will have unexpected + behavior: #ACTION SOURCE DEST PROTO DEST + # PORT(S) + ACCEPT net dmz tcp 80 + REDIRECT loc 3128 tcp 80 + + The second rule is intended to redirect local web requests to a + proxy running on the firewall and listening on TCP port 3128. But the + 'nat' part of that rule will cause all connection requests for TCP port 80 + arriving on interface ppp+ (including ppp0!) to have their destination + port rewritten to 3128. Hence, the web server running in the DMZ will be + inaccessible from the web. + + The above problem can be corrected in a couple of ways. 
The first is + to rewrite the DNAT rule (assume that the local zone is entirely within + 192.168.2.0/23): #ACTION SOURCE DEST PROTO DEST + # PORT(S) + ACCEPT net dmz tcp 80 + REDIRECT loc:192.168.2.0/23 3128 tcp 80 + + The second way is to restrict the definition of the loc zone: + + /etc/shorewall/interfaces: #ZONE INTERFACE BROADCAST OPTIONS + net ppp0 + loc eth1 + - ppp+ + dmz eth2 + + /etc/shorewall/hosts: #ZONE HOST(S) OPTIONS + loc ppp+:192.168.2.0/23
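Review bot: the shorewall-interfaces.xml hunk replaces the concrete workaround (put '-' in the ZONE column of the wildcard entry and define the zone in shorewall-hosts(8), with the DNAT/REDIRECT warning) by a bare cross-reference to shorewall-nesting(8); that is acceptable only because the nesting page added in this same commit carries exactly that workaround as its second fix, so please make sure both files ship together. Style point in the same hunk: the new line "another zone that uses a matching specific interface. See shorewall-nesting(8) for a" runs well past the wrap width used by the surrounding paragraph; reflow it to match.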
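Review bot: in the shorewall-nesting.xml hunk the first fix is introduced with "to rewrite the DNAT rule", but the rule actually rewritten in the example is the REDIRECT rule ("REDIRECT loc 3128 tcp 80" becoming "REDIRECT loc:192.168.2.0/23 3128 tcp 80"); suggest "to rewrite the REDIRECT rule" so the prose matches the example, and consider one sentence saying why it works (the source qualifier narrows the 'nat' rule, so port-80 connections arriving on ppp0 from non-local addresses no longer match). Minor grammar in the opening paragraph of the hunk: "interface names ends in '+'" should read "interface names end in '+'".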