Shorewall and Aliased Interfaces
|
Background
The traditional net-tools contain a program called ifconfig which
is used to configure network devices. ifconfig introduced the concept of
aliased or virtial interfaces. These virtual interfaces have
names of the form interface:integer (e.g., eth0:0) and ifconfig
treats them more or less like real interfaces.
Example:
[root@gateway root]# ifconfig eth0:0
eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55
inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0x2000
[root@gateway root]#
The ifconfig utility is being gradually phased out in favor of the ip
utility which is part of the iproute package. The ip utility does
not use the concept of aliases or virtual interfaces but rather treats additional
addresses on an interface as addresses. The ip utility does provide for interaction
with ifconfig in that it allows addresses to be labeled.
Example:
[root@gateway root]# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0
[root@gateway root]#
Note that one cannot type "ip addr show dev eth0:0"
[root@gateway root]# ip addr show dev eth0:0
Device "eth0:0" does not exist.
[root@gateway root]#
The iptables program doesn't support virtual interfaces in either it's
"-i" or "-o" command options; as a consequence, Shorewall does not allow
them to be used in the /etc/shorewall/interfaces file.
So how do I handle more than one address on an interface?
Depends on what you are trying to do with the interfaces. In the sub-sections
that follow, we'll take a look at common scenarios.
Separate Rules
If you need to make a rule for traffic to/from the firewall itself only
apply to a particular IP address, simply qualify the $FW zone with the IP
address.
Example (allow SSH from net to eth0:0 above):
ACTION
|
SOURCE
|
DESTINATION
|
PROTOCOL
|
PORT(S)
|
SOURCE PORT(S)
|
ORIGINAL DESTINATION
|
DNAT
|
net
|
fw:206.124.146.178
|
tcp
|
22
|
|
|
DNAT
Suppose that I had set up eth0:0 as above and I wanted to port forward
from that virtual interface to a web server running in my local zone at 192.168.1.3.
That is accomplised by a single rule in the /etc/shorewall/rules file:
ACTION
|
SOURCE
|
DESTINATION
|
PROTOCOL
|
PORT(S)
|
SOURCE PORT(S)
|
ORIGINAL DESTINATION
|
DNAT
|
net
|
loc:192.168.1.3
|
tcp
|
80
|
-
|
206.124.146.178
|
SNAT
If you wanted to use eth0:0 as the IP address for outbound connections
from your local zone (eth1), then in /etc/shorewall/masq:
INTERFACE
|
SUBNET
|
ADDRESS
|
eth0
|
eth1
|
206.124.146.178
|
Shorewall can create the alias (additional address) for you if you set
ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:
INTERFACE
|
SUBNET
|
ADDRESS
|
eth0:0
|
eth1
|
206.124.146.178
|
STATIC NAT
If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3,
you would have the following in /etc/shorewall/nat:
EXTERNAL
|
INTERFACE
|
INTERNAL
|
ALL INTERFACES
|
LOCAL
|
206.124.146.178
|
eth0
|
192.168.1.3
|
no
|
no
|
Shorewall can create the alias (additional address) for you if you set
ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:
EXTERNAL
|
INTERFACE
|
INTERNAL
|
ALL INTERFACES
|
LOCAL
|
206.124.146.178
|
eth0:0
|
192.168.1.3
|
no
|
no
|
In either case, to create rules that pertain only to this NAT pair, you
simply qualify the local zone with the internal IP address.
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3.
ACTION
|
SOURCE
|
DESTINATION
|
PROTOCOL
|
PORT(S)
|
SOURCE PORT(S)
|
ORIGINAL DESTINATION
|
ACCEPT
|
net
|
loc:192.168.1.3
|
tcp
|
22
|
|
|
MULTIPLE SUBNETS
Sometimes multiple IP addresses are used because there are multiple subnetworks
configured on a LAN segment. This technique does not provide for any security
between the subnetworks if the users of the systems have administrative privileges
because in that case, the users can simply manipulate their system's routing
table to bypass your firewall/router. Nevertheless, there are cases where
you simply want to consider the LAN segment itself as a zone and allow your
firewall/router to route between the two subnetworks.
Example 1: Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0
is 192.168.20.254. You want to simply route all requests between the two
subnetworks.
In /etc/shorewall/interfaces:
ZONE
|
INTERFACE
|
BROADCAST
|
OPTIONS
|
loc
|
eth1
|
192.168.1.255,192.168.20.255
|
Note 1:
|
Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify
the multi option.
In /etc/shorewall/policy:
SOURCE
|
DESTINATION
|
POLICY
|
LOG LEVEL
|
BURST:LIMIT
|
loc
|
loc
|
ACCEPT
|
|
|
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the
access between them (the users of the systems do not have administrative
privileges).
In /etc/shorewall/zones:
ZONE
|
DISPLAY
|
DESCRIPTION
|
loc
|
Local
|
Local Zone 1
|
loc2
|
Local2
|
Local Zone 2
|
In /etc/shorewall/interfaces:
ZONE
|
INTERFACE
|
BROADCAST
|
OPTIONS
|
-
|
eth1
|
192.168.1.255,192.168.20.255
|
Note 1:
|
Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify
the multi option.
In /etc/shorewall/hosts:
ZONE
|
HOSTS
|
OPTIONS
|
loc
|
eth0:192.168.1.0/24
|
|
loc2
|
eth0:192.168.20.0/24
|
|
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic that
you want to permit.
Last Updated 3/5/2003 A - Tom Eastep
Copyright ©
2001, 2002, 2003 Thomas M. Eastep.