Shorewall and Aliased Interfaces


Background

The traditional net-tools contain a program called ifconfig which is used to configure network devices. ifconfig introduced the concept of aliased or virtial interfaces. These virtual interfaces have names of the form interface:integer (e.g., eth0:0) and ifconfig treats them more or less like real interfaces.

Example:
[root@gateway root]# ifconfig eth0:0
eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55
inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0x2000
[root@gateway root]#
The ifconfig utility is being gradually phased out in favor of the ip utility which is part of the iproute package. The ip utility does not use the concept of aliases or virtual interfaces but rather treats additional addresses on an interface as addresses. The ip utility does provide for interaction with ifconfig in that it allows addresses to be labeled.

Example:

[root@gateway root]# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0
[root@gateway root]#
Note that one cannot type "ip addr show dev eth0:0"
[root@gateway root]# ip addr show dev eth0:0
Device "eth0:0" does not exist.
[root@gateway root]#
The iptables program doesn't support virtual interfaces in either it's "-i" or "-o" command options; as a consequence, Shorewall does not allow them to be used in the /etc/shorewall/interfaces file.

So how do I handle more than one address on an interface?

Depends on what you are trying to do with the interfaces. In the sub-sections that follow, we'll take a look at common scenarios.

Separate Rules

If you need to make a rule for traffic to/from the firewall itself only apply to a particular IP address, simply qualify the $FW zone with the IP address.

Example (allow SSH from net to eth0:0 above):

ACTION
SOURCE
DESTINATION
PROTOCOL
PORT(S)
SOURCE PORT(S)
ORIGINAL DESTINATION
DNAT
net
fw:206.124.146.178
tcp
22



DNAT

Suppose that I had set up eth0:0 as above and I wanted to port forward from that virtual interface to a web server running in my local zone at 192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules file:

ACTION
SOURCE
DESTINATION
PROTOCOL
PORT(S)
SOURCE PORT(S)
ORIGINAL DESTINATION
DNAT
net
loc:192.168.1.3
tcp
80
-
206.124.146.178

SNAT

If you wanted to use eth0:0 as the IP address for outbound connections from your local zone (eth1), then in /etc/shorewall/masq:

INTERFACE
SUBNET
ADDRESS
eth0
eth1
206.124.146.178

Shorewall can create the alias (additional address) for you if you set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall 1.3.14, Shorewall can actually create the "label" (virtual interface) so that you can see the created address using ifconfig. In addition to setting ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE column as follows:
INTERFACE
SUBNET
ADDRESS
eth0:0
eth1
206.124.146.178

STATIC NAT

If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3, you would have the following in /etc/shorewall/nat:

EXTERNAL
INTERFACE
INTERNAL
ALL INTERFACES
LOCAL
206.124.146.178
eth0
192.168.1.3
no
no

Shorewall can create the alias (additional address) for you if you set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall 1.3.14, Shorewall can actually create the "label" (virtual interface) so that you can see the created address using ifconfig. In addition to setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE column as follows:

EXTERNAL
INTERFACE
INTERNAL
ALL INTERFACES
LOCAL
206.124.146.178
eth0:0
192.168.1.3
no
no

In either case, to create rules that pertain only to this NAT pair, you simply qualify the local zone with the internal IP address.

Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3.

ACTION
SOURCE
DESTINATION
PROTOCOL
PORT(S)
SOURCE PORT(S)
ORIGINAL DESTINATION
ACCEPT
net
loc:192.168.1.3
tcp
22



MULTIPLE SUBNETS

Sometimes multiple IP addresses are used because there are multiple subnetworks configured on a LAN segment. This technique does not provide for any security between the subnetworks if the users of the systems have administrative privileges because in that case, the users can simply manipulate their system's routing table to bypass your firewall/router. Nevertheless, there are cases where you simply want to consider the LAN segment itself as a zone and allow your firewall/router to route between the two subnetworks.

Example 1:  Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254. You want to simply route all requests between the two subnetworks.

In /etc/shorewall/interfaces:

ZONE
INTERFACE
BROADCAST
OPTIONS
loc
eth1
192.168.1.255,192.168.20.255
Note 1:

Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify the multi option.

In /etc/shorewall/policy:

SOURCE
DESTINATION
POLICY
LOG LEVEL
BURST:LIMIT
loc
loc
ACCEPT



Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254. You want to make these subnetworks into separate zones and control the access between them (the users of the systems do not have administrative privileges).

In /etc/shorewall/zones:

ZONE
DISPLAY
DESCRIPTION
loc
Local
Local Zone 1
loc2
Local2
Local Zone 2

In /etc/shorewall/interfaces:

ZONE
INTERFACE
BROADCAST
OPTIONS
-
eth1
192.168.1.255,192.168.20.255
Note 1:

Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify the multi option.

In /etc/shorewall/hosts:
ZONE
HOSTS
OPTIONS
loc
eth0:192.168.1.0/24

loc2
eth0:192.168.20.0/24


In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic that you want to permit.

Last Updated 3/5/2003 A - Tom Eastep

Copyright © 2001, 2002, 2003 Thomas M. Eastep.