<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> <article id="Shorewall_and_Aliased_Interfaces"> <!--$Id$--> <articleinfo> <title>Shorewall and Aliased Interfaces</title> <authorgroup> <author> <firstname>Tom</firstname> <surname>Eastep</surname> </author> </authorgroup> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <copyright> <year>2001-2007</year> <holder>Thomas M. Eastep</holder> </copyright> <legalnotice> <para>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> </legalnotice> </articleinfo> <caution> <para><emphasis role="bold">This article applies to Shorewall 3.0 and later. If you are running a version of Shorewall earlier than Shorewall 3.0.0 then please see the documentation for that release.</emphasis></para> </caution> <section id="Background"> <title>Background</title> <para>The traditional net-tools contain a program called <emphasis>ifconfig</emphasis> which is used to configure network devices. ifconfig introduced the concept of <emphasis>aliased</emphasis> or <emphasis>virtual</emphasis> interfaces. These virtual interfaces have names of the form <emphasis>interface:integer</emphasis> (e.g., <filename class="devicefile">eth0:0</filename>) and ifconfig treats them more or less like real interfaces.</para> <example id="ifconfig"> <title>ifconfig</title> <programlisting>[root@gateway root]# <command>ifconfig eth0:0</command> eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55 inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:11 Base address:0x2000 [root@gateway root]# </programlisting> </example> <para>The ifconfig utility is being gradually phased out in favor of the ip utility which is part of the <emphasis>iproute</emphasis> package. The ip utility does not use the concept of aliases or virtual interfaces but rather treats additional addresses on an interface as objects in their own right. The ip utility does provide for interaction with ifconfig in that it allows addresses to be <emphasis>labeled</emphasis> where these labels take the form of ipconfig virtual interfaces.</para> <example id="ip"> <title>ip</title> <programlisting>[root@gateway root]# <command>ip addr show dev eth0</command> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100 link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0 inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0 [root@gateway root]# </programlisting> <para><note> <para>One <emphasis role="bold">cannot</emphasis> type <quote><command>ip addr show dev eth0:0</command></quote> because <quote><filename class="devicefile">eth0:0</filename></quote> is a label for a particular address rather than a device name.</para> <programlisting>[root@gateway root]# <command>ip addr show dev eth0:0</command> Device "eth0:0" does not exist. [root@gateway root]#</programlisting> </note></para> </example> <para>The iptables program doesn't support virtual interfaces in either its <quote>-i</quote> or <quote>-o</quote> command options; as a consequence, Shorewall does not allow them to be used in the /etc/shorewall/interfaces file or anywhere else except as described in the discussion below.</para> </section> <section id="Adding"> <title>Adding Addresses to Interfaces</title> <para>Most distributions have a facility for adding additional addresses to interfaces. If you have already used your distribution's capability to add your required addresses, you can skip this section.</para> <para>Shorewall provides facilities for automatically adding addresses to interfaces as described in the following section. It is also easy to add them yourself using the <emphasis role="bold">ip</emphasis> utility. The above alias was added using:</para> <programlisting><command>ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0</command></programlisting> <para>You probably want to arrange to add these addresses when the device is started rather than placing commands like the above in one of the Shorewall extension scripts. For example, on RedHat systems, you can place the commands in /sbin/ifup-local:</para> <programlisting>#!/bin/sh case $1 in eth0) /sbin/ip addr add 206.124.146.178 dev eth0 label eth0:0 ;; esac</programlisting> <para>RedHat systems also allow adding such aliases from the network administration GUI (which only works well if you have a graphical environment on your firewall).</para> <para>On Debian and LEAF/Bering systems, it is as simple as adding the command to the interface definition as follows:</para> <programlisting># Internet interface auto eth0 iface eth0 inet static address 206.124.146.176 netmask 255.255.255.0 gateway 206.124.146.254 <command>up ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0</command></programlisting> </section> <section id="How"> <title>So how do I handle more than one address on an interface?</title> <para>The answer depends on what you are trying to do with the interfaces. In the sub-sections that follow, we'll take a look at common scenarios.</para> <section id="Rules"> <title>Separate Rules</title> <para>If you need to make a rule for traffic to/from the firewall itself that only applies to a particular IP address, simply qualify the $FW zone with the IP address.</para> <example id="SSH"> <title>allow SSH from net to eth0:0 above</title> <para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para> </example> </section> <section id="DNAT"> <title>DNAT</title> <para>Suppose that I had set up eth0:0 as above and I wanted to port forward from that virtual interface to a web server running in my local zone at 192.168.1.3. That is accomplised by a single rule in the <filename>/etc/shorewall/rules</filename> file:</para> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL # PORT(S) DEST DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 </programlisting> </section> <section id="SNAT"> <title>SNAT</title> <para>If you wanted to use eth0:0 as the IP address for outbound connections from your local zone (eth1), then in <filename>/etc/shorewall/masq</filename>:</para> <programlisting>#INTERFACE SUBNET ADDRESS eth0 eth1 206.124.146.178</programlisting> <para>Shorewall can create the alias (additional address) for you if you set ADD_SNAT_ALIASES=Yes in <filename>/etc/shorewall/shorewall.con</filename>f.</para> <warning> <para>Addresses added by ADD_SNAT_ALIASES=Yes are deleted and re-added during <command>shorewall restart</command>. As a consequence, connections using those addresses may be severed.</para> </warning> <para>Beginning with Shorewall 1.3.14, Shorewall can actually create the <quote>label</quote> (virtual interface) so that you can see the created address using ifconfig. In addition to setting ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE column as follows.</para> <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE SUBNET ADDRESS eth0:0 eth1 206.124.146.178</programlisting></para> <para>Shorewall can also set up SNAT to round-robin over a range of IP addresses. Do do that, you specify a range of IP addresses in the ADDRESS column. If you specify a label in the INTERFACE column, Shorewall will use that label for the first address of the range and will increment the label by one for each subsequent label.</para> <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE SUBNET ADDRESS eth0:0 eth1 206.124.146.178-206.124.146.180</programlisting></para> <para>The above would create three IP addresses:</para> <programlisting>eth0:0 = 206.124.146.178 eth0:1 = 206.124.146.179 eth0:2 = 206.124.146.180</programlisting> </section> <section id="NAT"> <title>One-to-one NAT</title> <para>If you wanted to use one-to-one NAT to link <filename class="devicefile">eth0:0</filename> with local address 192.168.1.3, you would have the following in <filename>/etc/shorewall/nat</filename>:</para> <programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL 206.124.146.178 eth0 192.168.1.3 no no</programlisting> <para>Shorewall can create the alias (additional address) for you if you set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf.</para> <warning> <para>Addresses added by ADD_IP_ALIASES=Yes are deleted and re-added during <command>shorewall restart</command>. As a consequence, connections using those addresses may be severed.</para> </warning> <para>Beginning with Shorewall 1.3.14, Shorewall can actually create the <quote>label</quote> (virtual interface) so that you can see the created address using ifconfig. In addition to setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE column as follows.</para> <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL 206.124.146.178 eth0:0 192.168.1.3 no no</programlisting></para> <para>In either case, to create rules in <filename>/etc/shorewall/rules</filename> that pertain only to this NAT pair, you simply qualify the local zone with the internal IP address.</para> <example id="SSH1"> <title>You want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3.</title> <para><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para> </example> </section> <section id="Subnets"> <title>MULTIPLE SUBNETS</title> <para>Sometimes multiple IP addresses are used because there are multiple subnetworks configured on a LAN segment. This technique does not provide for any security between the subnetworks if the users of the systems have administrative privileges because in that case, the users can simply manipulate their system's routing table to bypass your firewall/router. Nevertheless, there are cases where you simply want to consider the LAN segment itself as a zone and allow your firewall/router to route between the two subnetworks.</para> <example id="subnets"> <title>Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254. You simply want your firewall to route between these two subnetworks.</title> <para>This example applies to Shorewall 1.4.2 and later.</para> <para>In <filename>/etc/shorewall/zones</filename>:</para> <programlisting>#ZONE TYPE OPTIONS loc ipv4</programlisting> <para>In <filename>/etc/shorewall/interfaces</filename>:</para> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS loc eth1 192.168.1.255,192.168.20.255 <emphasis role="bold">routeback</emphasis> </programlisting> <para>In <filename>/etc/shorewall/rules</filename>, simply specify ACCEPT rules for the traffic that you want to permit.</para> </example> <example id="subnets1"> <title>Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254. You want to make these subnetworks into separate zones and control the access between them (the users of the systems do not have administrative privileges).</title> <para>In <filename>/etc/shorewall/zones</filename>:</para> <programlisting>#ZONE TYPE OPTIONS loc ipv4 loc2 ipv4</programlisting> <para>In <filename>/etc/shorewall/interfaces</filename>:</para> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS - eth1 192.168.1.255,192.168.20.255 </programlisting> <para>In <filename>/etc/shorewall/hosts</filename>:</para> <programlisting>#ZONE HOSTS OPTIONS loc eth1:192.168.1.0/24 loc2 eth1:192.168.20.0/24</programlisting> <para>In <filename>/etc/shorewall/rules</filename>, simply specify ACCEPT rules for the traffic that you want to permit.</para> <para>For more information on handling multiple networks through a single interface, see <ulink url="Multiple_Zones.html"><emphasis>Routing on One Interface</emphasis></ulink>.</para> </example> </section> </section> </article>