<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="Shorewall_and_Aliased_Interfaces">
  <!--$Id$-->

  <articleinfo>
    <title>Shorewall and Aliased Interfaces</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2001-2007</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <caution>
    <para><emphasis role="bold">This article applies to Shorewall 3.0 and
    later. If you are running a version of Shorewall earlier than Shorewall
    3.0.0 then please see the documentation for that
    release.</emphasis></para>
  </caution>

  <section id="Background">
    <title>Background</title>

    <para>The traditional net-tools contain a program called
    <emphasis>ifconfig</emphasis> which is used to configure network devices.
    ifconfig introduced the concept of <emphasis>aliased</emphasis> or
    <emphasis>virtual</emphasis> interfaces. These virtual interfaces have
    names of the form <emphasis>interface:integer</emphasis> (e.g., <filename
    class="devicefile">eth0:0</filename>) and ifconfig treats them more or
    less like real interfaces.</para>

    <example id="ifconfig">
      <title>ifconfig</title>

      <programlisting>[root@gateway root]# <command>ifconfig eth0:0</command>
eth0:0    Link encap:Ethernet  HWaddr 02:00:08:3:FA:55
          inet addr:206.124.146.178  Bcast:206.124.146.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:11 Base address:0x2000
[root@gateway root]# </programlisting>
    </example>

    <para>The ifconfig utility is being gradually phased out in favor of the
    ip utility which is part of the <emphasis>iproute</emphasis> package. The
    ip utility does not use the concept of aliases or virtual interfaces but
    rather treats additional addresses on an interface as objects in their own
    right. The ip utility does provide for interaction with ifconfig in that
    it allows addresses to be <emphasis>labeled</emphasis> where these labels
    take the form of ipconfig virtual interfaces.</para>

    <example id="ip">
      <title>ip</title>

      <programlisting>[root@gateway root]# <command>ip addr show dev eth0</command>
2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100
    link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
    inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0
[root@gateway root]# </programlisting>

      <para><note>
          <para>One <emphasis role="bold">cannot</emphasis> type
          <quote><command>ip addr show dev eth0:0</command></quote> because
          <quote><filename class="devicefile">eth0:0</filename></quote> is a
          label for a particular address rather than a device name.</para>

          <programlisting>[root@gateway root]# <command>ip addr show dev eth0:0</command>
Device "eth0:0" does not exist.
[root@gateway root]#</programlisting>
        </note></para>
    </example>

    <para>The iptables program doesn't support virtual interfaces in either
    its <quote>-i</quote> or <quote>-o</quote> command options; as a
    consequence, Shorewall does not allow them to be used in the
    /etc/shorewall/interfaces file or anywhere else except as described in the
    discussion below.</para>
  </section>

  <section id="Adding">
    <title>Adding Addresses to Interfaces</title>

    <para>Most distributions have a facility for adding additional addresses
    to interfaces. If you have already used your distribution's capability to
    add your required addresses, you can skip this section.</para>

    <para>Shorewall provides facilities for automatically adding addresses to
    interfaces as described in the following section. It is also easy to add
    them yourself using the <emphasis role="bold">ip</emphasis> utility. The
    above alias was added using:</para>

    <programlisting><command>ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0</command></programlisting>

    <para>You probably want to arrange to add these addresses when the device
    is started rather than placing commands like the above in one of the
    Shorewall extension scripts. For example, on RedHat systems, you can place
    the commands in /sbin/ifup-local:</para>

    <programlisting>#!/bin/sh

case $1 in
    eth0)
        /sbin/ip addr add 206.124.146.178 dev eth0 label eth0:0
        ;;
esac</programlisting>

    <para>RedHat systems also allow adding such aliases from the network
    administration GUI (which only works well if you have a graphical
    environment on your firewall).</para>

    <para>On Debian and LEAF/Bering systems, it is as simple as adding the
    command to the interface definition as follows:</para>

    <programlisting># Internet interface
auto eth0
iface eth0 inet static
        address 206.124.146.176
        netmask 255.255.255.0
        gateway 206.124.146.254
        <command>up ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0</command></programlisting>
  </section>

  <section id="How">
    <title>So how do I handle more than one address on an interface?</title>

    <para>The answer depends on what you are trying to do with the interfaces.
    In the sub-sections that follow, we'll take a look at common
    scenarios.</para>

    <section id="Rules">
      <title>Separate Rules</title>

      <para>If you need to make a rule for traffic to/from the firewall itself
      that only applies to a particular IP address, simply qualify the $FW
      zone with the IP address.</para>

      <example id="SSH">
        <title>allow SSH from net to eth0:0 above</title>

        <para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION   SOURCE     DEST                 PROTO      DEST PORT(S)
ACCEPT    net        $FW:206.124.146.178  tcp        22</programlisting></para>
      </example>
    </section>

    <section id="DNAT">
      <title>DNAT</title>

      <para>Suppose that I had set up eth0:0 as above and I wanted to port
      forward from that virtual interface to a web server running in my local
      zone at 192.168.1.3. That is accomplised by a single rule in the
      <filename>/etc/shorewall/rules</filename> file:</para>

      <programlisting>#ACTION   SOURCE     DEST                 PROTO      DEST PORT(S)   SOURCE    ORIGINAL
#                                                                   PORT(S)   DEST
DNAT      net        loc:192.168.1.3      tcp        80             -         206.124.146.178    </programlisting>
    </section>

    <section id="SNAT">
      <title>SNAT</title>

      <para>If you wanted to use eth0:0 as the IP address for outbound
      connections from your local zone (eth1), then in
      <filename>/etc/shorewall/masq</filename>:</para>

      <programlisting>#INTERFACE             SUBNET          ADDRESS
eth0                   eth1            206.124.146.178</programlisting>

      <para>Shorewall can create the alias (additional address) for you if you
      set ADD_SNAT_ALIASES=Yes in
      <filename>/etc/shorewall/shorewall.con</filename>f.</para>

      <warning>
        <para>Addresses added by ADD_SNAT_ALIASES=Yes are deleted and re-added
        during <command>shorewall restart</command>. As a consequence,
        connections using those addresses may be severed.</para>
      </warning>

      <para>Beginning with Shorewall 1.3.14, Shorewall can actually create the
      <quote>label</quote> (virtual interface) so that you can see the created
      address using ifconfig. In addition to setting ADD_SNAT_ALIASES=Yes, you
      specify the virtual interface name in the INTERFACE column as
      follows.</para>

      <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE              SUBNET         ADDRESS
eth0:0                  eth1           206.124.146.178</programlisting></para>

      <para>Shorewall can also set up SNAT to round-robin over a range of IP
      addresses. Do do that, you specify a range of IP addresses in the
      ADDRESS column. If you specify a label in the INTERFACE column,
      Shorewall will use that label for the first address of the range and
      will increment the label by one for each subsequent label.</para>

      <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE               SUBNET         ADDRESS
eth0:0                   eth1           206.124.146.178-206.124.146.180</programlisting></para>

      <para>The above would create three IP addresses:</para>

      <programlisting>eth0:0 = 206.124.146.178
eth0:1 = 206.124.146.179
eth0:2 = 206.124.146.180</programlisting>
    </section>

    <section id="NAT">
      <title>One-to-one NAT</title>

      <para>If you wanted to use one-to-one NAT to link <filename
      class="devicefile">eth0:0</filename> with local address 192.168.1.3, you
      would have the following in
      <filename>/etc/shorewall/nat</filename>:</para>

      <programlisting>#EXTERNAL          INTERFACE         INTERNAL     ALL INTERFACES    LOCAL
206.124.146.178    eth0              192.168.1.3  no                no</programlisting>

      <para>Shorewall can create the alias (additional address) for you if you
      set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf.</para>

      <warning>
        <para>Addresses added by ADD_IP_ALIASES=Yes are deleted and re-added
        during <command>shorewall restart</command>. As a consequence,
        connections using those addresses may be severed.</para>
      </warning>

      <para>Beginning with Shorewall 1.3.14, Shorewall can actually create the
      <quote>label</quote> (virtual interface) so that you can see the created
      address using ifconfig. In addition to setting ADD_IP_ALIASES=Yes, you
      specify the virtual interface name in the INTERFACE column as
      follows.</para>

      <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL          INTERFACE         INTERNAL     ALL INTERFACES    LOCAL
206.124.146.178    eth0:0            192.168.1.3  no                no</programlisting></para>

      <para>In either case, to create rules in
      <filename>/etc/shorewall/rules</filename> that pertain only to this NAT
      pair, you simply qualify the local zone with the internal IP
      address.</para>

      <example id="SSH1">
        <title>You want to allow SSH from the net to 206.124.146.178 a.k.a.
        192.168.1.3.</title>

        <para><programlisting>#ACTION    SOURCE     DEST              PROTO     DEST PORT(S)
ACCEPT     net        loc:192.168.1.3   tcp       22</programlisting></para>
      </example>
    </section>

    <section id="Subnets">
      <title>MULTIPLE SUBNETS</title>

      <para>Sometimes multiple IP addresses are used because there are
      multiple subnetworks configured on a LAN segment. This technique does
      not provide for any security between the subnetworks if the users of the
      systems have administrative privileges because in that case, the users
      can simply manipulate their system's routing table to bypass your
      firewall/router. Nevertheless, there are cases where you simply want to
      consider the LAN segment itself as a zone and allow your firewall/router
      to route between the two subnetworks.</para>

      <example id="subnets">
        <title>Local interface eth1 interfaces to 192.168.1.0/24 and
        192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
        eth1:0 is 192.168.20.254. You simply want your firewall to route
        between these two subnetworks.</title>

        <para>This example applies to Shorewall 1.4.2 and later.</para>

        <para>In <filename>/etc/shorewall/zones</filename>:</para>

        <programlisting>#ZONE        TYPE          OPTIONS
loc          ipv4</programlisting>

        <para>In <filename>/etc/shorewall/interfaces</filename>:</para>

        <programlisting>#ZONE       INTERFACE  BROADCAST                      OPTIONS
loc         eth1       192.168.1.255,192.168.20.255   <emphasis role="bold">routeback</emphasis>   </programlisting>

        <para>In <filename>/etc/shorewall/rules</filename>, simply specify
        ACCEPT rules for the traffic that you want to permit.</para>
      </example>

      <example id="subnets1">
        <title>Local interface eth1 interfaces to 192.168.1.0/24 and
        192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
        eth1:0 is 192.168.20.254. You want to make these subnetworks into
        separate zones and control the access between them (the users of the
        systems do not have administrative privileges).</title>

        <para>In <filename>/etc/shorewall/zones</filename>:</para>

        <programlisting>#ZONE        TYPE                 OPTIONS
loc          ipv4
loc2         ipv4</programlisting>

        <para>In <filename>/etc/shorewall/interfaces</filename>:</para>

        <programlisting>#ZONE       INTERFACE  BROADCAST                      OPTIONS
-           eth1       192.168.1.255,192.168.20.255   </programlisting>

        <para>In <filename>/etc/shorewall/hosts</filename>:</para>

        <programlisting>#ZONE        HOSTS                    OPTIONS
loc          eth1:192.168.1.0/24
loc2         eth1:192.168.20.0/24</programlisting>

        <para>In <filename>/etc/shorewall/rules</filename>, simply specify
        ACCEPT rules for the traffic that you want to permit.</para>

        <para>For more information on handling multiple networks through a
        single interface, see <ulink
        url="Multiple_Zones.html"><emphasis>Routing on One
        Interface</emphasis></ulink>.</para>
      </example>
    </section>
  </section>
</article>