diff --git a/STABLE/documentation/Shorewall_and_Aliased_Interfaces.html b/STABLE/documentation/Shorewall_and_Aliased_Interfaces.html new file mode 100755 index 000000000..63b6b92fa --- /dev/null +++ b/STABLE/documentation/Shorewall_and_Aliased_Interfaces.html @@ -0,0 +1,549 @@ + + + + Shorewall and Aliased Interfaces + + + + + + + + + + + + + + + +
+ + +

Shorewall and Aliased Interfaces

+
+
+ +

Background

+ The traditional net-tools contain a program called ifconfig which + is used to configure network devices. ifconfig introduced the concept of +aliased or virtial interfaces. These virtual interfaces have +names of the form interface:integer (e.g., eth0:0) and ifconfig +treats them more or less like real interfaces.
+
+ Example:
+ +
[root@gateway root]# ifconfig eth0:0
eth0:0    Link encap:Ethernet  HWaddr 02:00:08:3:FA:55
          inet addr:206.124.146.178  Bcast:206.124.146.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:11 Base address:0x2000
[root@gateway root]#
+ The ifconfig utility is being gradually phased out in favor of the ip + utility which is part of the iproute package. The ip utility does +not use the concept of aliases or virtual interfaces but rather treats additional + addresses on an interface as addresses. The ip utility does provide for interaction + with ifconfig in that it allows addresses to be labeled.
+
+ Example:
+
+ +
[root@gateway root]# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
    link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
    inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0
[root@gateway root]#
+ Note that one cannot type "ip addr show dev eth0:0"
+ +
[root@gateway root]# ip addr show dev eth0:0
Device "eth0:0" does not exist.
[root@gateway root]#
+ The iptables program doesn't support virtual interfaces in either it's +"-i" or "-o" command options; as a consequence, Shorewall does not allow +them to be used in the /etc/shorewall/interfaces file.
+
+ +

So how do I handle more than one address on an interface?

+ Depends on what you are trying to do with the interfaces. In the sub-sections + that follow, we'll take a look at common scenarios.
+ +

Separate Rules

+ If you need to make a rule for traffic to/from the firewall itself only +apply to a particular IP address, simply qualify the $FW zone with the IP +address.
+
+ Example (allow SSH from net to eth0:0 above):
+
+ +
+ + + + + + + + + + + + + + + + + + + + + + +
ACTION
+ 		SOURCE
+ 		DESTINATION
+ 		PROTOCOL
+ 		PORT(S)
+ 		SOURCE PORT(S)
+ 		ORIGINAL DESTINATION
+
DNAT
+ 		net
+ 		fw:206.124.146.178
+ 		tcp
+ 		22
+
+
+
+
+
+ +

DNAT

+ Suppose that I had set up eth0:0 as above and I wanted to port forward +from that virtual interface to a web server running in my local zone at 192.168.1.3. + That is accomplised by a single rule in the /etc/shorewall/rules file:
+
+ +
+ + + + + + + + + + + + + + + + + + + + + + +
ACTION
+ 		SOURCE
+ 		DESTINATION
+ 		PROTOCOL
+ 		PORT(S)
+ 		SOURCE PORT(S)
+ 		ORIGINAL DESTINATION
+
DNAT
+ 		net
+ 		loc:192.168.1.3
+ 		tcp
+ 		80
+ 		-
+ 		206.124.146.178
+
+
+
+ +

SNAT

+ If you wanted to use eth0:0 as the IP address for outbound connections +from your local zone (eth1), then in /etc/shorewall/masq:
+
+ +
+ + + + + + + + + + + + + + +
INTERFACE
+ 		SUBNET
+ 		ADDRESS
+
eth0
+ 		eth1
+ 		206.124.146.178
+
+
+
+ Shorewall can create the alias (additional address) for you if you set +ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall +1.3.14, Shorewall can actually create the "label" (virtual interface) so +that you can see the created address using ifconfig. In addition to setting +ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE +column as follows:
+ +
+ + + + + + + + + + + + + + +
INTERFACE
+ 		SUBNET
+ 		ADDRESS
+
eth0:0
+ 		eth1
+ 		206.124.146.178
+
+
+
+ +

STATIC NAT

+ If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3, + you would have the following in /etc/shorewall/nat:
+
+ +
+ + + + + + + + + + + + + + + + + + +
EXTERNAL
+ 		INTERFACE
+ 		INTERNAL
+ 		ALL INTERFACES
+ 		LOCAL
+
206.124.146.178
+ 		eth0
+ 		192.168.1.3
+ 		no
+ 		no
+
+
+
+ Shorewall can create the alias (additional address) for you if you set +ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall +1.3.14, Shorewall can actually create the "label" (virtual interface) so +that you can see the created address using ifconfig. In addition to setting +ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE +column as follows:
+
+ +
+ + + + + + + + + + + + + + + + + + +
EXTERNAL
+ 		INTERFACE
+ 		INTERNAL
+ 		ALL INTERFACES
+ 		LOCAL
+
206.124.146.178
+ 		eth0:0
+ 		192.168.1.3
+ 		no
+ 		no
+
+
+
+ In either case, to create rules that pertain only to this NAT pair, you +simply qualify the local zone with the internal IP address.
+
+ Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3.
+
+ +
+ + + + + + + + + + + + + + + + + + + + + + +
ACTION
+ 		SOURCE
+ 		DESTINATION
+ 		PROTOCOL
+ 		PORT(S)
+ 		SOURCE PORT(S)
+ 		ORIGINAL DESTINATION
+
ACCEPT
+ 		net
+ 		loc:192.168.1.3
+ 		tcp
+ 		22
+
+
+
+
+
+ +

MULTIPLE SUBNETS

+ Sometimes multiple IP addresses are used because there are multiple subnetworks + configured on a LAN segment. This technique does not provide for any security + between the subnetworks if the users of the systems have administrative privileges + because in that case, the users can simply manipulate their system's routing + table to bypass your firewall/router. Nevertheless, there are cases where + you simply want to consider the LAN segment itself as a zone and allow your + firewall/router to route between the two subnetworks.
+
+ Example 1:  Local interface eth1 interfaces to 192.168.1.0/24 and +192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 +is 192.168.20.254. You want to simply route all requests between the two +subnetworks.
+
+ In /etc/shorewall/interfaces:
+
+ +
+ + + + + + + + + + + + + + + + +
ZONE
+ 		INTERFACE
+ 		BROADCAST
+ 		OPTIONS
+
loc
+ 		eth1
+ 		192.168.1.255,192.168.20.255
+ 		Note 1:
+
+
+
+ Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify + the multi option.
+
+ In /etc/shorewall/policy:
+
+ +
+ + + + + + + + + + + + + + + + + + +
SOURCE
+ 		DESTINATION
+ 		POLICY
+ 		LOG LEVEL
+ 		BURST:LIMIT
+
loc
+ 		loc
+ 		ACCEPT
+
+
+
+
+
+ Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24. + The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254. + You want to make these subnetworks into separate zones and control the +access between them (the users of the systems do not have administrative +privileges).
+
+ In /etc/shorewall/zones:
+
+ +
+ + + + + + + + + + + + + + + + + + + +
ZONE
+ 		DISPLAY
+ 		DESCRIPTION
+
loc
+ 		Local
+ 		Local Zone 1
+
loc2
+ 		Local2
+ 		Local Zone 2
+
+
+
+ In /etc/shorewall/interfaces:
+
+ +
+ + + + + + + + + + + + + + + + +
ZONE
+ 		INTERFACE
+ 		BROADCAST
+ 		OPTIONS
+
-
+ 		eth1
+ 		192.168.1.255,192.168.20.255
+ 		Note 1:
+
+
+
+ Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify + the multi option.
+
+ In /etc/shorewall/hosts:
+ +
+ + + + + + + + + + + + + + + + + + + +
ZONE
+ 		HOSTS
+ 		OPTIONS
+
loc
+ 		eth0:192.168.1.0/24
+
+
loc2
+ 		eth0:192.168.20.0/24
+
+
+
+
+ In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic that + you want to permit.
+
+ +

Last Updated 3/5/2003 A - Tom Eastep

+ +

Copyright © + 2001, 2002, 2003 Thomas M. Eastep.
+
+

+
+
+ +