mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-22 15:43:30 +01:00
d8eca457de
Signed-off-by: Tom Eastep <teastep@shorewall.net>
384 lines
16 KiB
XML
384 lines
16 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<article id="Shorewall_and_Aliased_Interfaces">
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Shorewall and Aliased Interfaces</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
|
|
|
<copyright>
|
|
<year>2001-2009</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<caution>
|
|
<para><emphasis role="bold">This article applies to Shorewall 4.3 and
|
|
later. If you are running a version of Shorewall earlier than Shorewall
|
|
4.3.5 then please see the documentation for that
|
|
release.</emphasis></para>
|
|
</caution>
|
|
|
|
<section id="Background">
|
|
<title>Background</title>
|
|
|
|
<para>The traditional net-tools contain a program called
|
|
<emphasis>ifconfig</emphasis> which is used to configure network devices.
|
|
ifconfig introduced the concept of <emphasis>aliased</emphasis> or
|
|
<emphasis>virtual</emphasis> interfaces. These virtual interfaces have
|
|
names of the form <emphasis>interface:integer</emphasis> (e.g., <filename
|
|
class="devicefile">eth0:0</filename>) and ifconfig treats them more or
|
|
less like real interfaces.</para>
|
|
|
|
<example id="ifconfig">
|
|
<title>ifconfig</title>
|
|
|
|
<programlisting>[root@gateway root]# <command>ifconfig eth0:0</command>
|
|
eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55
|
|
inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0
|
|
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
|
|
Interrupt:11 Base address:0x2000
|
|
[root@gateway root]# </programlisting>
|
|
</example>
|
|
|
|
<para>The ifconfig utility is being gradually phased out in favor of the
|
|
<firstterm>ip</firstterm> utility which is part of the
|
|
<emphasis>iproute</emphasis> package. The ip utility does not use the
|
|
concept of aliases or virtual interfaces but rather treats additional
|
|
addresses on an interface as objects in their own right. The ip utility
|
|
does provide for interaction with ifconfig in that it allows addresses to
|
|
be <emphasis>labeled</emphasis> where these labels take the form of
|
|
ipconfig virtual interfaces.</para>
|
|
|
|
<example id="ip">
|
|
<title>ip</title>
|
|
|
|
<programlisting>[root@gateway root]# <command>ip addr show dev eth0</command>
|
|
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
|
|
link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
|
|
inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
|
|
inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0
|
|
[root@gateway root]# </programlisting>
|
|
|
|
<para><note>
|
|
<para>One <emphasis role="bold">cannot</emphasis> type
|
|
<quote><command>ip addr show dev eth0:0</command></quote> because
|
|
<quote><filename class="devicefile">eth0:0</filename></quote> is a
|
|
label for a particular address rather than a device name.</para>
|
|
|
|
<programlisting>[root@gateway root]# <command>ip addr show dev eth0:0</command>
|
|
Device "eth0:0" does not exist.
|
|
[root@gateway root]#</programlisting>
|
|
</note></para>
|
|
</example>
|
|
|
|
<para>The iptables program doesn't support virtual interfaces in either
|
|
its <quote>-i</quote> or <quote>-o</quote> command options; as a
|
|
consequence, Shorewall does not allow them to be used in the
|
|
/etc/shorewall/interfaces file or anywhere else except as described in the
|
|
discussion below.</para>
|
|
</section>
|
|
|
|
<section id="Adding">
|
|
<title>Adding Addresses to Interfaces</title>
|
|
|
|
<para>Most distributions have a facility for adding additional addresses
|
|
to interfaces. If you have already used your distribution's capability to
|
|
add your required addresses, you can skip this section.</para>
|
|
|
|
<para>Shorewall provides facilities for automatically adding addresses to
|
|
interfaces as described in the following section. It is also easy to add
|
|
them yourself using the <emphasis role="bold">ip</emphasis> utility. The
|
|
above alias was added using:</para>
|
|
|
|
<programlisting><command>ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0</command></programlisting>
|
|
|
|
<para>You probably want to arrange to add these addresses when the device
|
|
is started rather than placing commands like the above in one of the
|
|
Shorewall extension scripts. For example, on RedHat systems, you can place
|
|
the commands in /sbin/ifup-local:</para>
|
|
|
|
<programlisting>#!/bin/sh
|
|
|
|
case $1 in
|
|
eth0)
|
|
/sbin/ip addr add 206.124.146.178 dev eth0 label eth0:0
|
|
;;
|
|
esac</programlisting>
|
|
|
|
<para>RedHat systems also allow adding such aliases from the network
|
|
administration GUI (which only works well if you have a graphical
|
|
environment on your firewall).</para>
|
|
|
|
<para>On Debian and LEAF/Bering systems, it is as simple as adding the
|
|
command to the interface definition as follows:</para>
|
|
|
|
<programlisting># Internet interface
|
|
auto eth0
|
|
iface eth0 inet static
|
|
address 206.124.146.176
|
|
netmask 255.255.255.0
|
|
gateway 206.124.146.254
|
|
<command>up ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0</command></programlisting>
|
|
</section>
|
|
|
|
<section id="How">
|
|
<title>So how do I handle more than one address on an interface?</title>
|
|
|
|
<para>The answer depends on what you are trying to do with the interfaces.
|
|
In the sub-sections that follow, we'll take a look at common
|
|
scenarios.</para>
|
|
|
|
<note>
|
|
<para>The examples in the following sub-sections assume that the local
|
|
network is 192.168.1.0/24.</para>
|
|
</note>
|
|
|
|
<section id="Rules">
|
|
<title>Separate Rules</title>
|
|
|
|
<para>If you need to make a rule for traffic to/from the firewall itself
|
|
that only applies to a particular IP address, simply qualify the $FW
|
|
zone with the IP address.</para>
|
|
|
|
<example id="SSH">
|
|
<title>allow SSH from net to eth0:0 above</title>
|
|
|
|
<para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DPORT
|
|
ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
|
|
</example>
|
|
</section>
|
|
|
|
<section id="DNAT">
|
|
<title>DNAT</title>
|
|
|
|
<para>Suppose that I had set up eth0:0 as above and I wanted to port
|
|
forward from that virtual interface to a web server running in my local
|
|
zone at 192.168.1.3. That is accomplished by a single rule in the
|
|
<filename>/etc/shorewall/rules</filename> file:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
|
DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 </programlisting>
|
|
|
|
<para>If I wished to forward tcp port 10000 on that virtual interface to
|
|
port 22 on local host 192.168.1.3, the rule would be:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
|
DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178
|
|
DNAT net loc:192.168.1.3:22 tcp 10000 - 206.124.146.178 </programlisting>
|
|
</section>
|
|
|
|
<section id="SNAT">
|
|
<title>SNAT</title>
|
|
|
|
<para>If you wanted to use eth0:0 as the IP address for outbound
|
|
connections from your local zone (eth1), then in
|
|
<filename>/etc/shorewall/masq</filename>:</para>
|
|
|
|
<programlisting>#INTERFACE SUBNET ADDRESS
|
|
eth0 192.168.1.0/24 206.124.146.178</programlisting>
|
|
|
|
<para>When running Shorewall 5.0.14 or later, the equivalent
|
|
<filename>/etc/shorewall/snat</filename> is:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO PORT
|
|
SNAT(206.124.146.178) 0.0.0.0/0 eth0</programlisting>
|
|
|
|
<para>Similarly, you want SMTP traffic from local system 192.168.1.22 to
|
|
have source IP 206.124.146.178:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT
|
|
eth0 192.168.1.22 206.124.146.178 tcp 25</programlisting></para>
|
|
|
|
<para>When running Shorewall 5.0.14 or later, the equivalent
|
|
<filename>/etc/shorewall/snat</filename> is:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO PORT
|
|
SNAT(206.124.146.178) 0.0.0.0/0 eth0 tcp 25</programlisting>
|
|
|
|
<para>Shorewall can create the alias (additional address) for you if you
|
|
set ADD_SNAT_ALIASES=Yes in
|
|
<filename>/etc/shorewall/shorewall.con</filename>f.</para>
|
|
|
|
<warning>
|
|
<para>Addresses added by ADD_SNAT_ALIASES=Yes are deleted and re-added
|
|
during <command>shorewall restart</command>. As a consequence,
|
|
connections using those addresses may be severed.</para>
|
|
</warning>
|
|
|
|
<para>Shorewall can create the <quote>label</quote> (virtual interface)
|
|
so that you can see the created address using ifconfig. In addition to
|
|
setting ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in
|
|
the INTERFACE column as follows.</para>
|
|
|
|
<para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE SUBNET ADDRESS
|
|
eth0:0 192.168.1.0/24 206.124.146.178</programlisting></para>
|
|
|
|
<para>When running Shorewall 5.0.14 or later, the equivalent
|
|
<filename>/etc/shorewall/snat</filename> is:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO PORT
|
|
SNAT(206.124.146.178) 192.168.1.0/24 eth0</programlisting>
|
|
|
|
<para>Shorewall can also set up SNAT to round-robin over a range of IP
|
|
addresses. To do that, you specify a range of IP addresses in the
|
|
ADDRESS column. If you specify a label in the INTERFACE column,
|
|
Shorewall will use that label for the first address of the range and
|
|
will increment the label by one for each subsequent label.</para>
|
|
|
|
<para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE SOURCE ADDRESS
|
|
eth0:0 192.168.1.0/24 206.124.146.178-206.124.146.180</programlisting></para>
|
|
|
|
<para>When running Shorewall 5.0.14 or later, the equivalent
|
|
<filename>/etc/shorewall/snat</filename> is:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO PORT
|
|
SNAT(206.124.146.178-206.24.146.180) 192.168.1.0/24 eth0</programlisting>
|
|
|
|
<para>The above would create three IP addresses:</para>
|
|
|
|
<programlisting>eth0:0 = 206.124.146.178
|
|
eth0:1 = 206.124.146.179
|
|
eth0:2 = 206.124.146.180</programlisting>
|
|
</section>
|
|
|
|
<section id="NAT">
|
|
<title>One-to-one NAT</title>
|
|
|
|
<para>If you wanted to use one-to-one NAT to link <filename
|
|
class="devicefile">eth0:0</filename> with local address 192.168.1.3, you
|
|
would have the following in
|
|
<filename>/etc/shorewall/nat</filename>:</para>
|
|
|
|
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL
|
|
206.124.146.178 eth0 192.168.1.3 no no</programlisting>
|
|
|
|
<para>Shorewall can create the alias (additional address) for you if you
|
|
set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf.</para>
|
|
|
|
<warning>
|
|
<para>Addresses added by ADD_IP_ALIASES=Yes are deleted and re-added
|
|
during <command>shorewall restart</command>. As a consequence,
|
|
connections using those addresses may be severed.</para>
|
|
</warning>
|
|
|
|
<para>Shorewall can create the <quote>label</quote> (virtual interface)
|
|
so that you can see the created address using ifconfig. In addition to
|
|
setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in
|
|
the INTERFACE column as follows.</para>
|
|
|
|
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL
|
|
206.124.146.178 eth0:0 192.168.1.3 no no</programlisting></para>
|
|
|
|
<para>In either case, to create rules in
|
|
<filename>/etc/shorewall/rules</filename> that pertain only to this NAT
|
|
pair, you simply qualify the local zone with the internal IP
|
|
address.</para>
|
|
|
|
<example id="SSH1">
|
|
<title>You want to allow SSH from the net to 206.124.146.178 a.k.a.
|
|
192.168.1.3.</title>
|
|
|
|
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT
|
|
ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para>
|
|
</example>
|
|
</section>
|
|
|
|
<section id="Subnets">
|
|
<title>MULTIPLE SUBNETS</title>
|
|
|
|
<para>Sometimes multiple IP addresses are used because there are
|
|
multiple subnetworks configured on a LAN segment. This technique does
|
|
not provide for any security between the subnetworks if the users of the
|
|
systems have administrative privileges because in that case, the users
|
|
can simply manipulate their system's routing table to bypass your
|
|
firewall/router. Nevertheless, there are cases where you simply want to
|
|
consider the LAN segment itself as a zone and allow your firewall/router
|
|
to route between the two subnetworks.</para>
|
|
|
|
<example id="subnets">
|
|
<title>Local interface eth1 interfaces to 192.168.1.0/24 and
|
|
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
|
|
eth1:0 is 192.168.20.254. You simply want your firewall to route
|
|
between these two subnetworks.</title>
|
|
|
|
<para>In <filename>/etc/shorewall/zones</filename>:</para>
|
|
|
|
<programlisting>#ZONE TYPE OPTIONS
|
|
loc ipv4</programlisting>
|
|
|
|
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
|
|
|
|
<programlisting>#ZONE INTERFACE OPTIONS
|
|
loc eth1 <emphasis role="bold">routeback</emphasis> </programlisting>
|
|
|
|
<para>In <filename>/etc/shorewall/rules</filename>, simply specify
|
|
ACCEPT rules for the traffic that you want to permit.</para>
|
|
</example>
|
|
|
|
<example id="subnets1">
|
|
<title>Local interface eth1 interfaces to 192.168.1.0/24 and
|
|
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
|
|
eth1:0 is 192.168.20.254. You want to make these subnetworks into
|
|
separate zones and control the access between them (the users of the
|
|
systems do not have administrative privileges).</title>
|
|
|
|
<para>In <filename>/etc/shorewall/zones</filename>:</para>
|
|
|
|
<programlisting>#ZONE TYPE OPTIONS
|
|
loc ipv4
|
|
loc2 ipv4</programlisting>
|
|
|
|
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
|
|
|
|
<programlisting>#ZONE INTERFACE OPTIONS
|
|
- eth1 </programlisting>
|
|
|
|
<para>In <filename>/etc/shorewall/hosts</filename>:</para>
|
|
|
|
<programlisting>#ZONE HOSTS OPTIONS
|
|
loc eth1:192.168.1.0/24
|
|
loc2 eth1:192.168.20.0/24</programlisting>
|
|
|
|
<para>In <filename>/etc/shorewall/rules</filename>, simply specify
|
|
ACCEPT rules for the traffic that you want to permit.</para>
|
|
|
|
<para>For more information on handling multiple networks through a
|
|
single interface, see <ulink
|
|
url="Multiple_Zones.html"><emphasis>Routing on One
|
|
Interface</emphasis></ulink>.</para>
|
|
</example>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Defining a Zone-per-Address</title>
|
|
|
|
<para><ulink url="Vserver.html">Shorewall's support for Linux
|
|
Vservers</ulink> can (mis-)used to create a separate zone per alias.
|
|
Note that this results in a <emphasis>partitioning of the firewall
|
|
zone</emphasis>. In this usage, you probably want to define an ACCEPT
|
|
policy between your vserver zones and the firewall zone.</para>
|
|
</section>
|
|
</section>
|
|
</article>
|