mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-09 01:04:06 +01:00
44e0d48fc5
Signed-off-by: Tom Eastep <teastep@shorewall.net>
221 lines
9.1 KiB
XML
221 lines
9.1 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<refentry>
|
|
<refmeta>
|
|
<refentrytitle>shorewall-nesting</refentrytitle>
|
|
|
|
<manvolnum>5</manvolnum>
|
|
|
|
<refmiscinfo>Configuration Files</refmiscinfo>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>nesting</refname>
|
|
|
|
<refpurpose>Shorewall Nested Zones</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<arg choice="plain"
|
|
rep="norepeat"><replaceable>child-zone</replaceable>[:<replaceable>parent-zone</replaceable>[,<replaceable>parent-zone</replaceable>]...]</arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>In <ulink
|
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), a zone
|
|
may be declared to be a sub-zone of one or more other zones using the
|
|
above syntax. The <replaceable>child-zone</replaceable> may be neither the
|
|
firewall zone nor a vserver zone. The firewall zone may not appear as a
|
|
parent zone, although all vserver zones are handled as sub-zones of the
|
|
firewall zone.</para>
|
|
|
|
<para>Where zones are nested, the CONTINUE policy in <ulink
|
|
url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5) allows
|
|
hosts that are within multiple zones to be managed under the rules of all
|
|
of these zones.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Example</title>
|
|
|
|
<para><filename>/etc/shorewall/zones</filename>:</para>
|
|
|
|
<programlisting> #ZONE TYPE OPTION
|
|
fw firewall
|
|
net ipv4
|
|
sam:net ipv4
|
|
loc ipv4</programlisting>
|
|
|
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
|
|
|
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
|
- eth0 detect dhcp,norfc1918
|
|
loc eth1 detect</programlisting>
|
|
|
|
<para><filename>/etc/shorewall/hosts</filename>:</para>
|
|
|
|
<programlisting> #ZONE HOST(S) OPTIONS
|
|
net eth0:0.0.0.0/0
|
|
sam eth0:206.191.149.197</programlisting>
|
|
|
|
<para><filename>/etc/shorewall/policy</filename>:</para>
|
|
|
|
<programlisting> #SOURCE DEST POLICY LOG LEVEL
|
|
loc net ACCEPT
|
|
sam all CONTINUE
|
|
net all DROP info
|
|
all all REJECT info</programlisting>
|
|
|
|
<para>The second entry above says that when Sam is the client, connection
|
|
requests should first be processed under rules where the source zone is
|
|
sam and if there is no match then the connection request should be treated
|
|
under rules where the source zone is net. It is important that this policy
|
|
be listed BEFORE the next policy (net to all). You can have this policy
|
|
generated for you automatically by using the IMPLICIT_CONTINUE option in
|
|
<ulink
|
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
|
|
|
<para>Partial <filename>/etc/shorewall/rules</filename>:</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
|
|
...
|
|
DNAT sam loc:192.168.1.3 tcp ssh
|
|
DNAT net loc:192.168.1.5 tcp www
|
|
...</programlisting>
|
|
|
|
<para>Given these two rules, Sam can connect to the firewall's internet
|
|
interface with ssh and the connection request will be forwarded to
|
|
192.168.1.3. Like all hosts in the net zone, Sam can connect to the
|
|
firewall's internet interface on TCP port 80 and the connection request
|
|
will be forwarded to 192.168.1.5. The order of the rules is not
|
|
significant. Sometimes it is necessary to suppress port forwarding for a
|
|
sub-zone. For example, suppose that all hosts can SSH to the firewall and
|
|
be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the
|
|
firewall's external IP, he should be connected to the firewall itself.
|
|
Because of the way that Netfilter is constructed, this requires two rules
|
|
as follows:</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
|
|
...
|
|
ACCEPT+ sam $FW tcp ssh
|
|
DNAT net loc:192.168.1.3 tcp ssh
|
|
...</programlisting>
|
|
|
|
<para>The first rule allows Sam SSH access to the firewall. The second
|
|
rule says that any clients from the net zone with the exception of those
|
|
in the “sam” zone should have their connection port forwarded to
|
|
192.168.1.3. If you need to exclude more than one zone, simply use
|
|
multiple ACCEPT+ rules. This technique also may be used when the ACTION is
|
|
REDIRECT.</para>
|
|
|
|
<para>Care must be taken when nesting occurs as a result of the use of
|
|
wildcard interfaces (interface names ends in '+').</para>
|
|
|
|
<para>Here's an example. <filename>/etc/shorewall/zones</filename>:</para>
|
|
|
|
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
|
net ppp0
|
|
loc eth1
|
|
loc ppp+
|
|
dmz eth2</programlisting></para>
|
|
|
|
<para>Because the net zone is declared before the loc zone, net is an
|
|
implicit sub-zone of loc and in the absence of a net->... CONTINUE
|
|
policy, traffic from the net zone will not be passed through loc->...
|
|
rules. But DNAT and REDIRECT rules are an exception!</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>DNAT and REDIRECT rules generate two Netfilter rules: a 'nat'
|
|
table rule that rewrites the destination IP address and/or port
|
|
number, and a 'filter' table rule that ACCEPTs the rewritten
|
|
connection.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Policies only affect the 'filter' table.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>As a consequence, the following rules will have unexpected
|
|
behavior:<programlisting> #ACTION SOURCE DEST PROTO DEST
|
|
# PORT(S)
|
|
ACCEPT net dmz tcp 80
|
|
REDIRECT loc 3128 tcp 80</programlisting></para>
|
|
|
|
<para>The second rule is intended to redirect local web requests to a
|
|
proxy running on the firewall and listening on TCP port 3128. But the
|
|
'nat' part of that rule will cause all connection requests for TCP port 80
|
|
arriving on interface ppp+ (including ppp0!) to have their destination
|
|
port rewritten to 3128. Hence, the web server running in the DMZ will be
|
|
inaccessible from the web.</para>
|
|
|
|
<para>The above problem can be corrected in several ways.</para>
|
|
|
|
<para>The preferred way is to use the <option>ifname</option> pppd option
|
|
to change the 'net' interface to something other than ppp0. That way, it
|
|
won't match ppp+.</para>
|
|
|
|
<para>If you are running Shorewall version 4.1.4 or later, a second way is
|
|
to simply make the nested zones explicit:<programlisting> #ZONE TYPE OPTION
|
|
fw firewall
|
|
loc ipv4
|
|
net:loc ipv4
|
|
dmz ipv4</programlisting></para>
|
|
|
|
<para>If you take this approach, be sure to set IMPLICIT_CONTINUE=No in
|
|
<filename>shorewall.conf</filename>.</para>
|
|
|
|
<para>When using other Shorewall versions, another way is to rewrite the
|
|
DNAT rule (assume that the local zone is entirely within
|
|
192.168.2.0/23):<programlisting> #ACTION SOURCE DEST PROTO DEST
|
|
# PORT(S)
|
|
ACCEPT net dmz tcp 80
|
|
REDIRECT loc:192.168.2.0/23 3128 tcp 80</programlisting></para>
|
|
|
|
<para>Another way is to restrict the definition of the loc zone:</para>
|
|
|
|
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
|
net ppp0
|
|
loc eth1
|
|
- ppp+
|
|
dmz eth2</programlisting></para>
|
|
|
|
<para><filename>/etc/shorewall/hosts</filename>:<programlisting> #ZONE HOST(S) OPTIONS
|
|
loc ppp+:192.168.2.0/23</programlisting></para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>FILES</title>
|
|
|
|
<para>/etc/shorewall/zones</para>
|
|
|
|
<para>/etc/shorewall/interfaces</para>
|
|
|
|
<para>/etc/shorewall/hosts</para>
|
|
|
|
<para>/etc/shorewall/policy</para>
|
|
|
|
<para>/etc/shorewall/rules</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See ALSO</title>
|
|
|
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
|
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
|
|
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
|
|
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
|
|
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
|
|
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
|
|
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
|
|
shorewall-tunnels(5), shorewall-zones(5)</para>
|
|
</refsect1>
|
|
</refentry>
|