Mention routed-nat configuration as an alternative to fw in a DomU

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4567 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-09-11 22:02:04 +00:00
parent 6aecd73c4b
commit d917972673
2 changed files with 42 additions and 42 deletions


@ -103,10 +103,10 @@
<para>As I state in the answer to <ulink url="FAQ.htm#faq2">Shorewall FAQ <para>As I state in the answer to <ulink url="FAQ.htm#faq2">Shorewall FAQ
2</ulink>, I object to running servers in a local zone because if the 2</ulink>, I object to running servers in a local zone because if the
server becomes compromised then there is no protection between that server becomes compromised then there is no protection between that
compromised server and the other local systems. Xen allows me to safely compromised server and the other local systems. Xen allows you to safely
run Internet-accessible servers in my local zone by creating a firewall in run Internet-accessible servers in your local zone by creating a firewall
(the Extended) Dom0 to isolate the server(s) from the other local systems in (the Extended) Dom0 to isolate the server(s) from the other local
(including Dom0).</para> systems (including Dom0).</para>
<caution> <caution>
<para>I find Xen Domain 0 to be an arcane environment in which to try to <para>I find Xen Domain 0 to be an arcane environment in which to try to
@ -121,7 +121,9 @@
<para>I know of no case where a user has successfully used NAT <para>I know of no case where a user has successfully used NAT
(including Masquerade) in a bridged Xen Dom0. So if you want to create a (including Masquerade) in a bridged Xen Dom0. So if you want to create a
masquerading firewall/gateway using Xen, you need to do so in a DomU masquerading firewall/gateway using Xen, you need to do so in a DomU
(see <ulink url="XenMyWay.html">how I do it</ulink>).</para> (see <ulink url="XenMyWay.html">how I do it</ulink>) or you must
configure Xen to use routing and NAT rather than the default
bridging.</para>
</warning> </warning>
<para>Here is an example. In this example, we will assume that the system <para>Here is an example. In this example, we will assume that the system
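Review bot: The new alternative at the end of the warning ("or you must configure Xen to use routing and NAT rather than the default bridging") is stated without any pointer to how that is done, while the DomU option right beside it links to XenMyWay.html; since the preceding sentence says NAT has never been seen to work in a bridged Dom0, a reader who takes this route will want to know which Xen networking setting switches from bridging to routing/NAT. Suggest adding a ulink to the relevant Xen networking documentation, or one sentence naming the Xen network and vif scripts that must be changed, parallel to the existing "how I do it" link.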
@ -147,10 +149,11 @@
is that Dom0 is defined as two different zones. It is defined as the is that Dom0 is defined as two different zones. It is defined as the
firewall zone and it is also defined as "all systems connected to firewall zone and it is also defined as "all systems connected to
<filename class="devicefile">xenbr0:vif0.0</filename>. In this case, I <filename class="devicefile">xenbr0:vif0.0</filename>. In this case, I
call this second zone <emphasis role="bold">ursa</emphasis> (which is call this second zone <emphasis role="bold">ursa</emphasis> (which was
the name given to the virtual system running in Dom0); that zone the name given to the virtual system running in Dom0 when I ran this
corresponds to Dom0 as seen from the outside in the diagram above (see configuration); that zone corresponds to Dom0 as seen from the outside
more <link linkend="zones">below</link>).</para> in the diagram above (see more <link
linkend="zones">below</link>).</para>
<blockquote> <blockquote>
<programlisting># OPTIONS OPTIONS <programlisting># OPTIONS OPTIONS
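Review bot: Tense mismatch in the rewritten parenthetical: "I call this second zone ursa (which was the name given to the virtual system running in Dom0 when I ran this configuration)" puts present-tense "call" next to a past-tense aside. Either "I called this second zone ursa" or keeping the aside in the present tense reads more cleanly; as written it is unclear whether the ursa zone still exists in the example that follows.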
@ -242,7 +245,7 @@ Ping/ACCEPT dmz net
Ping/ACCEPT dmz ursa</programlisting> Ping/ACCEPT dmz ursa</programlisting>
</blockquote> </blockquote>
<para>Here, 192.168.0.0/22 comprises my local network.</para> <para>Here, 192.168.0.0/22 comprises the local network.</para>
<para id="zones">From the point of view of Shorewall, the zone diagram <para id="zones">From the point of view of Shorewall, the zone diagram
is as shown in the following diagram.</para> is as shown in the following diagram.</para>


@ -116,11 +116,11 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para><filename class="devicefile">eth0</filename> -- conntected to <para><filename class="devicefile">eth0</filename> -- connected to the
the switch in my office. That switch is cabled to a second switch in switch in my office. That switch is cabled to a second switch in my
my wife's office where my wife has her desktop and networked printer wife's office where my wife has her desktop and networked printer (I
(I sure wish that there had been wireless back when I strung that sure wish that there had been wireless back when I strung that CAT-5
CAT-5 cable halfway across the house).</para> cable halfway across the house).</para>
</listitem> </listitem>
<listitem> <listitem>
@ -161,15 +161,15 @@
<caution> <caution>
<para>As the developer of Shorewall, I have enough experience to be very <para>As the developer of Shorewall, I have enough experience to be very
comfortable with Linux networking and Shorewall/iptables. I arrived at comfortable with Linux networking and Shorewall/iptables. I arrived at
this configuration after a lot of trial and error experimentation (see this configuration after a fair amount of trial and error
<ulink url="Xen.html">Xen and Shorewall</ulink>). If you are a Linux experimentation (see <ulink url="Xen.html">Xen and Shorewall</ulink>).
networking novice, I recommend that you do not attempt a configuration If you are a Linux networking novice, I recommend that you do not
like this one for your first Shorewall installation. You are very likely attempt a configuration like this one for your first Shorewall
to frustrate both yourself and the Shorewall support team. Rather I installation. You are very likely to frustrate both yourself and the
suggest that you start with something simple like a <ulink Shorewall support team. Rather I suggest that you start with something
url="standalone.htm">standalone installation</ulink> in a domU; once you simple like a <ulink url="standalone.htm">standalone
are comfortable with that then you will be ready to try something more installation</ulink> in a domU; once you are comfortable with that then
substantial.</para> you will be ready to try something more substantial.</para>
<para>As Paul Gear says: <emphasis>Shorewall might make iptables easy, <para>As Paul Gear says: <emphasis>Shorewall might make iptables easy,
but it doesn't make understanding fundamental networking principles, but it doesn't make understanding fundamental networking principles,
@ -300,7 +300,7 @@ disk = [ 'phy:hda3,hda3,w' ]</programlisting>
<para>Under SuSE 10.1, I placed the following in <para>Under SuSE 10.1, I placed the following in
<filename>/etc/sysconfig/network/if-up.d/resettx</filename> (that file <filename>/etc/sysconfig/network/if-up.d/resettx</filename> (that file
is executable): </para> is executable):</para>
<programlisting>#!/bin/sh <programlisting>#!/bin/sh
@ -310,9 +310,9 @@ if [ $2 = eth0 ]; then
fi</programlisting> fi</programlisting>
<para>Under other distributions, the technique will vary. For example, <para>Under other distributions, the technique will vary. For example,
under <trademark>Debian</trademark> or Ubuntu, you can just add a under <trademark>Debian</trademark> or <trademark>Ubuntu</trademark>,
'post-up' entry to <filename>/etc/network/interfaces</filename> as you can just add a 'post-up' entry to
shown here:</para> <filename>/etc/network/interfaces</filename> as shown here:</para>
<programlisting> iface eth0 inet static <programlisting> iface eth0 inet static
address 206.124.146.177 address 206.124.146.177
@ -409,15 +409,15 @@ SECTION NEW
Guide</ulink> with the exception that I've added a fourth interface for Guide</ulink> with the exception that I've added a fourth interface for
our wireless network. The firewall runs a routed <ulink our wireless network. The firewall runs a routed <ulink
url="OPENVPN.html">OpenVPN server</ulink> to provide roadwarrior access url="OPENVPN.html">OpenVPN server</ulink> to provide roadwarrior access
for our two laptops and a bridged OpenVPN server for our wireless for our two laptops and a bridged OpenVPN server for the wireless
network. Here is the firewall's view of the network:</para> network in our home. Here is the firewall's view of the network:</para>
<graphic align="center" fileref="images/network4.png" /> <graphic align="center" fileref="images/network4.png" />
<para>The two laptops can be directly attached to the LAN as shown above <para>The two laptops can be directly attached to the LAN as shown above
or they can be attached wirelessly -- their IP addresses are the same in or they can be attached wirelessly -- their IP addresses are the same in
either case; when they are directly attached, the IP address is assigned either case; when they are directly attached, the IP address is assigned
by the DHCP server running on the firewall and when they are attached by the DHCP server running in Dom0 and when they are attached
wirelessly, the IP address is assigned by OpenVPN.</para> wirelessly, the IP address is assigned by OpenVPN.</para>
<para>The Shorewall configuration files are shown below. All routing and <para>The Shorewall configuration files are shown below. All routing and
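Review bot: Changing "the DHCP server running on the firewall" to "running in Dom0" is a substantive change, not a wording fix: the same paragraph describes "the firewall's view of the network", and elsewhere this page has the firewall in a DomU, so DHCP served from Dom0 means LAN broadcast DHCP traffic now terminates on a different system than the one whose Shorewall rules are listed below. If that reflects the real configuration, the interfaces file (the dhcp option on the LAN interface) and the rest of the page should be checked for consistency; if it does not, the original wording was the consistent one. Either way, it deserves a mention in the commit message.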
@ -549,14 +549,16 @@ vpn tun+ -
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL <programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES # INTERFACES
206.124.146.178 $EXT_IF 192.168.1.3 No No 206.124.146.178 $EXT_IF 192.168.1.3 No No #Wookie
206.124.146.180 $EXT_IF 192.168.1.6 No No 206.124.146.180 $EXT_IF 192.168.1.6 No No #Work LapTop
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/masq (Note the cute trick here and in <para><filename>/etc/shorewall/masq (Note the cute trick here and in
the <filename>proxyarp</filename> file that follows that allows me to the <filename>following proxyarp</filename> file that allows me to
access the DSL "Modem" using it's default IP address access the DSL "Modem" using it's default IP address
(192.168.1.1))</filename>:</para> (192.168.1.1))</filename>. The leading "+" is required to place the
rule before the SNAT rules generated by entries in
<filename>/etc/shorewall/nat</filename> above.</para>
<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC <programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254 +$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
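Review bot: The added explanation of the leading "+" (placing the masq rule ahead of the SNAT rules generated by /etc/shorewall/nat) is a useful addition, but the markup around it is wrong and the edit makes it worse: the first <filename> element wraps the entire parenthetical sentence rather than just "/etc/shorewall/masq", and moving "following" inside the second one gives "<filename>following proxyarp</filename>", which is not a file name. Suggest "<filename>/etc/shorewall/masq</filename> (Note the cute trick here and in the <filename>proxyarp</filename> file that follows that allows me to access the DSL "Modem" using its default IP address (192.168.1.1)). The leading "+" is required ...", which also fixes the pre-existing "it's" for "its". The new #Wookie and #Work LapTop comments in the nat file are fine and make the two one-to-one NAT entries easier to audit.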
@ -574,8 +576,8 @@ $EXT_IF 192.168.0.0/22 206.124.146.179
<programlisting>#TYPE ZONE GATEWAY GATEWAY <programlisting>#TYPE ZONE GATEWAY GATEWAY
# ZONE # ZONE
openvpnserver:udp net 0.0.0.0/0 openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
openvpnserver:udp wifi 192.168.3.0/24 openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/actions</filename>:</para> <para><filename>/etc/shorewall/actions</filename>:</para>
@ -649,7 +651,6 @@ dropNotSyn net dmz tcp
# Internet to DMZ # Internet to DMZ
# #
ACCEPT net dmz udp domain ACCEPT net dmz udp domain
LOG:$LOG net:64.126.128.0/18 dmz tcp smtp
ACCEPT net dmz tcp smtps,www,ftp,imaps,domain,https - ACCEPT net dmz tcp smtps,www,ftp,imaps,domain,https -
ACCEPT net dmz tcp smtp - 206.124.146.177,206.124.146.178 ACCEPT net dmz tcp smtp - 206.124.146.177,206.124.146.178
ACCEPT net dmz udp 33434:33454 ACCEPT net dmz udp 33434:33454
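Review bot: The removed "LOG:$LOG net:64.126.128.0/18 dmz tcp smtp" line is unrelated to the routed-NAT change in the commit message. Its effect is that SMTP connections from 64.126.128.0/18 to the DMZ are no longer logged before the unchanged "ACCEPT net dmz tcp smtp - 206.124.146.177,206.124.146.178" rule accepts them; if that range is no longer of interest that is fine, but the commit message should say so, since dropping a logging rule silently reduces visibility into inbound mail traffic.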
@ -682,10 +683,6 @@ ACCEPT net loc:192.168.1.3 tcp
ACCEPT net loc:192.168.1.3 tcp 6881:6889,6969 ACCEPT net loc:192.168.1.3 tcp 6881:6889,6969
ACCEPT net loc:192.168.1.3 udp 6881:6889,6969 ACCEPT net loc:192.168.1.3 udp 6881:6889,6969
# #
# Real Audio
#
ACCEPT net loc:192.168.1.3 udp 6970:7170
#
# Skype # Skype
# #
ACCEPT net loc:192.168.1.6 tcp 1194 ACCEPT net loc:192.168.1.6 tcp 1194
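Review bot: Removing the Real Audio rule ("ACCEPT net loc:192.168.1.3 udp 6970:7170") closes a 200-port inbound UDP range into the loc zone, which is a welcome tightening, but it is again unrelated to the routed-NAT change and should be called out in the commit message. The adjacent BitTorrent entries (6881:6889,6969 tcp and udp to 192.168.1.3) remain, so the loc host is still reachable from net on those ports.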