mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-03 03:59:16 +01:00
Mention routed-nat configuration as an alternative to fw in a DomU
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4567 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
6aecd73c4b
commit
d917972673
23
docs/Xen.xml
@ -103,10 +103,10 @@
|
|||||||
<para>As I state in the answer to <ulink url="FAQ.htm#faq2">Shorewall FAQ
|
<para>As I state in the answer to <ulink url="FAQ.htm#faq2">Shorewall FAQ
|
||||||
2</ulink>, I object to running servers in a local zone because if the
|
2</ulink>, I object to running servers in a local zone because if the
|
||||||
server becomes compromised then there is no protection between that
|
server becomes compromised then there is no protection between that
|
||||||
compromised server and the other local systems. Xen allows me to safely
|
compromised server and the other local systems. Xen allows you to safely
|
||||||
run Internet-accessible servers in my local zone by creating a firewall in
|
run Internet-accessible servers in your local zone by creating a firewall
|
||||||
(the Extended) Dom0 to isolate the server(s) from the other local systems
|
in (the Extended) Dom0 to isolate the server(s) from the other local
|
||||||
(including Dom0).</para>
|
systems (including Dom0).</para>
|
||||||
|
|
||||||
<caution>
|
<caution>
|
||||||
<para>I find Xen Domain 0 to be an arcane environment in which to try to
|
<para>I find Xen Domain 0 to be an arcane environment in which to try to
|
||||||
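Review bot: the voice is now mixed inside one paragraph: "As I state in the answer to Shorewall FAQ 2, I object to running servers in a local zone" stays first person while the next sentence becomes "Xen allows you to safely run Internet-accessible servers in your local zone". Either keep "me/my" here or recast the objection as well (for example "running servers in a local zone is a bad idea because ..."). Separately, "safely" is doing a lot of work: the isolation only holds for traffic that actually passes through the rules in Dom0, so a qualifier such as "by filtering the bridged traffic in Dom0" would keep the claim honest.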
@ -121,7 +121,9 @@
|
|||||||
<para>I know of no case where a user has successfully used NAT
|
<para>I know of no case where a user has successfully used NAT
|
||||||
(including Masquerade) in a bridged Xen Dom0. So if you want to create a
|
(including Masquerade) in a bridged Xen Dom0. So if you want to create a
|
||||||
masquerading firewall/gateway using Xen, you need to do so in a DomU
|
masquerading firewall/gateway using Xen, you need to do so in a DomU
|
||||||
(see <ulink url="XenMyWay.html">how I do it</ulink>).</para>
|
(see <ulink url="XenMyWay.html">how I do it</ulink>) or you must
|
||||||
|
configure Xen to use routing and NAT rather than the default
|
||||||
|
bridging.</para>
|
||||||
</warning>
|
</warning>
|
||||||
|
|
||||||
<para>Here is an example. In this example, we will assume that the system
|
<para>Here is an example. In this example, we will assume that the system
|
||||||
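Review bot: the new alternative ("or you must configure Xen to use routing and NAT rather than the default bridging") gives the reader no next step, while the DomU alternative in the same sentence links to XenMyWay.html; add a link to the Xen documentation for routed mode. It also needs reconciling with the example that starts immediately after this paragraph ("Here is an example..."), which defines its zones in terms of bridge ports (xenbr0:vif0.0) and therefore does not apply to a routed Dom0; say so explicitly, or a reader is likely to try to combine the two.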
@ -147,10 +149,11 @@
|
|||||||
is that Dom0 is defined as two different zones. It is defined as the
|
is that Dom0 is defined as two different zones. It is defined as the
|
||||||
firewall zone and it is also defined as "all systems connected to
|
firewall zone and it is also defined as "all systems connected to
|
||||||
<filename class="devicefile">xenbr0:vif0.0</filename>. In this case, I
|
<filename class="devicefile">xenbr0:vif0.0</filename>. In this case, I
|
||||||
call this second zone <emphasis role="bold">ursa</emphasis> (which is
|
call this second zone <emphasis role="bold">ursa</emphasis> (which was
|
||||||
the name given to the virtual system running in Dom0); that zone
|
the name given to the virtual system running in Dom0 when I ran this
|
||||||
corresponds to Dom0 as seen from the outside in the diagram above (see
|
configuration); that zone corresponds to Dom0 as seen from the outside
|
||||||
more <link linkend="zones">below</link>).</para>
|
in the diagram above (see more <link
|
||||||
|
linkend="zones">below</link>).</para>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting># OPTIONS OPTIONS
|
<programlisting># OPTIONS OPTIONS
|
||||||
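Review bot: "which was the name given to the virtual system running in Dom0 when I ran this configuration" signals that the example is no longer in use, but that information is buried in a parenthetical about a zone name. If the configuration is historical, say so once at the top of the example, ideally with the Xen and Shorewall versions it was used with, since readers copying the zone and interface definitions need to know whether they still apply. The rest of this hunk is a pure reflow.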
@ -242,7 +245,7 @@ Ping/ACCEPT dmz net
|
|||||||
Ping/ACCEPT dmz ursa</programlisting>
|
Ping/ACCEPT dmz ursa</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<para>Here, 192.168.0.0/22 comprises my local network.</para>
|
<para>Here, 192.168.0.0/22 comprises the local network.</para>
|
||||||
|
|
||||||
<para id="zones">From the point of view of Shorewall, the zone diagram
|
<para id="zones">From the point of view of Shorewall, the zone diagram
|
||||||
is as shown in the following diagram.</para>
|
is as shown in the following diagram.</para>
|
||||||
|
@ -116,11 +116,11 @@
|
|||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><filename class="devicefile">eth0</filename> -- conntected to
|
<para><filename class="devicefile">eth0</filename> -- connected to the
|
||||||
the switch in my office. That switch is cabled to a second switch in
|
switch in my office. That switch is cabled to a second switch in my
|
||||||
my wife's office where my wife has her desktop and networked printer
|
wife's office where my wife has her desktop and networked printer (I
|
||||||
(I sure wish that there had been wireless back when I strung that
|
sure wish that there had been wireless back when I strung that CAT-5
|
||||||
CAT-5 cable halfway across the house).</para>
|
cable halfway across the house).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -161,15 +161,15 @@
|
|||||||
<caution>
|
<caution>
|
||||||
<para>As the developer of Shorewall, I have enough experience to be very
|
<para>As the developer of Shorewall, I have enough experience to be very
|
||||||
comfortable with Linux networking and Shorewall/iptables. I arrived at
|
comfortable with Linux networking and Shorewall/iptables. I arrived at
|
||||||
this configuration after a lot of trial and error experimentation (see
|
this configuration after a fair amount of trial and error
|
||||||
<ulink url="Xen.html">Xen and Shorewall</ulink>). If you are a Linux
|
experimentation (see <ulink url="Xen.html">Xen and Shorewall</ulink>).
|
||||||
networking novice, I recommend that you do not attempt a configuration
|
If you are a Linux networking novice, I recommend that you do not
|
||||||
like this one for your first Shorewall installation. You are very likely
|
attempt a configuration like this one for your first Shorewall
|
||||||
to frustrate both yourself and the Shorewall support team. Rather I
|
installation. You are very likely to frustrate both yourself and the
|
||||||
suggest that you start with something simple like a <ulink
|
Shorewall support team. Rather I suggest that you start with something
|
||||||
url="standalone.htm">standalone installation</ulink> in a domU; once you
|
simple like a <ulink url="standalone.htm">standalone
|
||||||
are comfortable with that then you will be ready to try something more
|
installation</ulink> in a domU; once you are comfortable with that then
|
||||||
substantial.</para>
|
you will be ready to try something more substantial.</para>
|
||||||
|
|
||||||
<para>As Paul Gear says: <emphasis>Shorewall might make iptables easy,
|
<para>As Paul Gear says: <emphasis>Shorewall might make iptables easy,
|
||||||
but it doesn't make understanding fundamental networking principles,
|
but it doesn't make understanding fundamental networking principles,
|
||||||
@ -300,7 +300,7 @@ disk = [ 'phy:hda3,hda3,w' ]</programlisting>
|
|||||||
|
|
||||||
<para>Under SuSE 10.1, I placed the following in
|
<para>Under SuSE 10.1, I placed the following in
|
||||||
<filename>/etc/sysconfig/network/if-up.d/resettx</filename> (that file
|
<filename>/etc/sysconfig/network/if-up.d/resettx</filename> (that file
|
||||||
is executable): </para>
|
is executable):</para>
|
||||||
|
|
||||||
<programlisting>#!/bin/sh
|
<programlisting>#!/bin/sh
|
||||||
|
|
||||||
@ -310,9 +310,9 @@ if [ $2 = eth0 ]; then
|
|||||||
fi</programlisting>
|
fi</programlisting>
|
||||||
|
|
||||||
<para>Under other distributions, the technique will vary. For example,
|
<para>Under other distributions, the technique will vary. For example,
|
||||||
under <trademark>Debian</trademark> or Ubuntu, you can just add a
|
under <trademark>Debian</trademark> or <trademark>Ubuntu</trademark>,
|
||||||
'post-up' entry to <filename>/etc/network/interfaces</filename> as
|
you can just add a 'post-up' entry to
|
||||||
shown here:</para>
|
<filename>/etc/network/interfaces</filename> as shown here:</para>
|
||||||
|
|
||||||
<programlisting> iface eth0 inet static
|
<programlisting> iface eth0 inet static
|
||||||
address 206.124.146.177
|
address 206.124.146.177
|
||||||
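Review bot: while touching this passage, note that the hook script in the hunk context tests `if [ $2 = eth0 ]; then` with an unquoted `$2`; if the if-up.d hook is ever invoked with fewer arguments the test degenerates to `[ = eth0 ]` and the script aborts with a syntax error before reaching the reset. Quote it: `if [ "$2" = eth0 ]; then`. The `<trademark>Ubuntu</trademark>` change itself is fine.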
@ -409,15 +409,15 @@ SECTION NEW
|
|||||||
Guide</ulink> with the exception that I've added a fourth interface for
|
Guide</ulink> with the exception that I've added a fourth interface for
|
||||||
our wireless network. The firewall runs a routed <ulink
|
our wireless network. The firewall runs a routed <ulink
|
||||||
url="OPENVPN.html">OpenVPN server</ulink> to provide roadwarrior access
|
url="OPENVPN.html">OpenVPN server</ulink> to provide roadwarrior access
|
||||||
for our two laptops and a bridged OpenVPN server for our wireless
|
for our two laptops and a bridged OpenVPN server for the wireless
|
||||||
network. Here is the firewall's view of the network:</para>
|
network in our home. Here is the firewall's view of the network:</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/network4.png" />
|
<graphic align="center" fileref="images/network4.png" />
|
||||||
|
|
||||||
<para>The two laptops can be directly attached to the LAN as shown above
|
<para>The two laptops can be directly attached to the LAN as shown above
|
||||||
or they can be attached wirelessly -- their IP addresses are the same in
|
or they can be attached wirelessly -- their IP addresses are the same in
|
||||||
either case; when they are directly attached, the IP address is assigned
|
either case; when they are directly attached, the IP address is assigned
|
||||||
by the DHCP server running on the firewall and when they are attached
|
by the DHCP server running in Dom0 and when they are attached
|
||||||
wirelessly, the IP address is assigned by OpenVPN.</para>
|
wirelessly, the IP address is assigned by OpenVPN.</para>
|
||||||
|
|
||||||
<para>The Shorewall configuration files are shown below. All routing and
|
<para>The Shorewall configuration files are shown below. All routing and
|
||||||
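Review bot: changing "the DHCP server running on the firewall" to "running in Dom0" is a factual correction rather than a wording change, and it matters for the policy: Xen.xml states that the masquerading firewall/gateway in this setup lives in a DomU, so DHCP is now served by a different system from the one that enforces the rules. State which zone Dom0 belongs to here and make sure the rules shown include the DHCP entry for that zone; otherwise the reader cannot tell how the laptops on the LAN reach the DHCP server through the firewall.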
@ -549,14 +549,16 @@ vpn tun+ -
|
|||||||
|
|
||||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||||
# INTERFACES
|
# INTERFACES
|
||||||
206.124.146.178 $EXT_IF 192.168.1.3 No No
|
206.124.146.178 $EXT_IF 192.168.1.3 No No #Wookie
|
||||||
206.124.146.180 $EXT_IF 192.168.1.6 No No
|
206.124.146.180 $EXT_IF 192.168.1.6 No No #Work LapTop
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/masq (Note the cute trick here and in
|
<para><filename>/etc/shorewall/masq (Note the cute trick here and in
|
||||||
the <filename>proxyarp</filename> file that follows that allows me to
|
the <filename>following proxyarp</filename> file that allows me to
|
||||||
access the DSL "Modem" using it's default IP address
|
access the DSL "Modem" using it's default IP address
|
||||||
(192.168.1.1))</filename>:</para>
|
(192.168.1.1))</filename>. The leading "+" is required to place the
|
||||||
|
rule before the SNAT rules generated by entries in
|
||||||
|
<filename>/etc/shorewall/nat</filename> above.</para>
|
||||||
|
|
||||||
<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
||||||
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
|
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
|
||||||
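Review bot: the markup in "the <filename>following proxyarp</filename> file" now wraps the word "following" in <filename>, which is not part of the file name; it should read "the following <filename>proxyarp</filename> file". In the same paragraph the outer <filename>/etc/shorewall/masq (Note the cute trick ... (192.168.1.1))</filename> wraps the entire parenthetical, and "it's default IP address" should be "its". The added sentence about the leading "+" is useful; it would be worth adding that the SUBNET column 0.0.0.0/0 means the rule rewrites any source talking to 192.168.1.1, and that the ordering matters because the /etc/shorewall/nat entries (192.168.1.3 to 206.124.146.178, 192.168.1.6 to 206.124.146.180) would otherwise rewrite those hosts' traffic to the modem before this rule is reached.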
@ -574,8 +576,8 @@ $EXT_IF 192.168.0.0/22 206.124.146.179
|
|||||||
|
|
||||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY
|
||||||
# ZONE
|
# ZONE
|
||||||
openvpnserver:udp net 0.0.0.0/0
|
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
|
||||||
openvpnserver:udp wifi 192.168.3.0/24
|
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/actions</filename>:</para>
|
<para><filename>/etc/shorewall/actions</filename>:</para>
|
||||||
@ -649,7 +651,6 @@ dropNotSyn net dmz tcp
|
|||||||
# Internet to DMZ
|
# Internet to DMZ
|
||||||
#
|
#
|
||||||
ACCEPT net dmz udp domain
|
ACCEPT net dmz udp domain
|
||||||
LOG:$LOG net:64.126.128.0/18 dmz tcp smtp
|
|
||||||
ACCEPT net dmz tcp smtps,www,ftp,imaps,domain,https -
|
ACCEPT net dmz tcp smtps,www,ftp,imaps,domain,https -
|
||||||
ACCEPT net dmz tcp smtp - 206.124.146.177,206.124.146.178
|
ACCEPT net dmz tcp smtp - 206.124.146.177,206.124.146.178
|
||||||
ACCEPT net dmz udp 33434:33454
|
ACCEPT net dmz udp 33434:33454
|
||||||
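Review bot: this hunk drops the `LOG:$LOG net:64.126.128.0/18 dmz tcp smtp` entry, which has nothing to do with the commit message ("Mention routed-nat configuration as an alternative to fw in a DomU"); removing a logging rule changes what the published example records about inbound SMTP from that /18 and should either be its own commit or be mentioned in the message. If logging is simply no longer needed, a comment in the rules file saying so would stop readers from wondering whether the omission is deliberate.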
@ -682,10 +683,6 @@ ACCEPT net loc:192.168.1.3 tcp
|
|||||||
ACCEPT net loc:192.168.1.3 tcp 6881:6889,6969
|
ACCEPT net loc:192.168.1.3 tcp 6881:6889,6969
|
||||||
ACCEPT net loc:192.168.1.3 udp 6881:6889,6969
|
ACCEPT net loc:192.168.1.3 udp 6881:6889,6969
|
||||||
#
|
#
|
||||||
# Real Audio
|
|
||||||
#
|
|
||||||
ACCEPT net loc:192.168.1.3 udp 6970:7170
|
|
||||||
#
|
|
||||||
# Skype
|
# Skype
|
||||||
#
|
#
|
||||||
ACCEPT net loc:192.168.1.6 tcp 1194
|
ACCEPT net loc:192.168.1.6 tcp 1194
|
||||||
|
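Review bot: removing the Real Audio range `ACCEPT net loc:192.168.1.3 udp 6970:7170` closes a 201-port inbound UDP window to a LAN host, which is the right direction for least privilege, but like the SMTP LOG removal in the previous hunk it is not covered by the commit message; note it there. The remaining Skype entry `ACCEPT net loc:192.168.1.6 tcp 1194` keeps an inbound TCP port open to the laptop whose public address (206.124.146.180) appears in /etc/shorewall/nat above; confirm that 1194/tcp is still what that client uses, since stale per-client port rules are the ones that tend to linger.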