diff --git a/Shorewall-docs/Shorewall_and_Aliased_Interfaces.xml b/Shorewall-docs/Shorewall_and_Aliased_Interfaces.xml new file mode 100644 index 000000000..58958338f --- /dev/null +++ b/Shorewall-docs/Shorewall_and_Aliased_Interfaces.xml @@ -0,0 +1,580 @@ + + +
+ + Shorewall and Aliased Interfaces + + + + Tom + + Eastep + + + + 2003-11-13 + + + 2001 + + 2002 + + 2003 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". + + + +
+ Background + + The traditional net-tools contain a program called + ifconfig which is used to configure network devices. + ifconfig introduced the concept of aliased or + virtual interfaces. These virtual interfaces have + names of the form interface:integer (e.g., eth0:0) + and ifconfig treats them more or less like real interfaces. + + + ifconfig + + [root@gateway root]# ifconfig eth0:0 +eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55 + inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0 + UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 + Interrupt:11 Base address:0x2000 +[root@gateway root]# + + + The ifconfig utility is being gradually phased out in favor of the + ip utility which is part of the iproute package. The + ip utility does not use the concept of aliases or virtual interfaces but + rather treats additional addresses on an interface as objects in their own + right. The ip utility does provide for interaction with ifconfig in that + it allows addresses to be labeled where these labels + take the form of ipconfig virtual interfaces. + + + ip + + [root@gateway root]# ip addr show dev eth0 +2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100 + link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff + inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0 + inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0 +[root@gateway root]# + + One cannot type + "ip addr show dev eth0:0" because "eth0:0" is a label + for a particular address rather than a device name.[root@gateway root]# ip addr show dev eth0:0 +Device "eth0:0" does not exist. +[root@gateway root]# + + + The iptables program doesn't support virtual interfaces in + either it's "-i" or "-o" command options; as a + consequence, Shorewall does not allow them to be used in the + /etc/shorewall/interfaces file or anywhere else except as described in the + discussion below. +
+ +
+ Adding Addresses to Interfaces + + Most distributions have a facility for adding additional addresses + to interfaces. If you have already used your distribution's capability + to add your required addresses, you can skip this section. + + Shorewall provides facilities for automatically adding addresses to + interfaces as described in the following section. It is also easy to add + them yourself using the ip utility. The + above alias was added using: + + ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0 + + You probably want to arrange to add these addresses when the device + is started rather than placing commands like the above in one of the + Shorewall extension scripts. For example, on RedHat systems, you can place + the commands in /sbin/ifup-local: + + #!/bin/sh + +case $1 in + eth0) + /sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0 + ;; +esac + + RedHat systems also allow adding such aliases from the network + administration GUI (which only works well if you have a graphical + environment on your firewall). +
+ +
+ So how do I handle more than one address on an interface? + + The answer depends on what you are trying to do with the interfaces. + In the sub-sections that follow, we'll take a look at common + scenarios. + +
+ Separate Rules + + If you need to make a rule for traffic to/from the firewall itself + that only applies to a particular IP address, simply qualify the $FW + zone with the IP address. + + + allow SSH from net to eth0:0 above + + /etc/shorewall/rulesACTIONSOURCEDESTINATIONPROTOCOLPORT(S)SOURCE PORT(S)ORIGINAL DESTINATIONACCEPTnet$FW:206.124.146.178tcp22
+
+
+ +
+ DNAT + + Suppose that I had set up eth0:0 as above and I wanted to port + forward from that virtual interface to a web server running in my local + zone at 192.168.1.3. That is accomplised by a single rule in the + /etc/shorewall/rules file: + + + /etc/shorewall/rules + + + + + ACTION + + SOURCE + + DESTINATION + + PROTOCOL + + PORT(S) + + SOURCE PORT(S) + + ORIGINAL DESTINATION + + + + + + DNAT + + net + + loc:192.168.1.3 + + tcp + + 80 + + - + + 206.124.146.178 + + + +
+
+ +
+ SNAT + + If you wanted to use eth0:0 as the IP address for outbound + connections from your local zone (eth1), then in /etc/shorewall/masq: + + + /etc/shorewall/masq + + + + + INTERFACE + + SUBNET + + ADDRESS + + + + + + eth0 + + eth1 + + 206.124.146.178 + + + +
+ + Shorewall can create the alias (additional address) for you if you + set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning + with Shorewall 1.3.14, Shorewall can actually create the "label" + (virtual interface) so that you can see the created address using + ifconfig. In addition to setting ADD_SNAT_ALIASES=Yes, you specify the + virtual interface name in the INTERFACE column as follows: + + + /etc/shorewall/masq + + + + + INTERFACE + + SUBNET + + ADDRESS + + + + + + eth0:0 + + eth1 + + 206.124.146.178 + + + +
+ + Shorewall can also set up SNAT to round-robin over a range of IP + addresses. Do do that, you specify a range of IP addresses in the + ADDRESS column. If you specify a label in the INTERFACE column, + Shorewall will use that label for the first address of the range and + will increment the label by one for each subsequent label. + + + /etc/shorewall/masq + + + + + INTERFACE + + SUBNET + + ADDRESS + + + + + + eth0:0 + + eth1 + + 206.124.146.178-206.124.146.180 + + + +
+ + The above would create three IP addresses: + + eth0:0 = 206.124.146.178 +eth0:1 = 206.124.146.179 +eth0:2 = 206.124.146.180 +
+ +
+ One-to-one NAT + + If you wanted to use one-to-one NAT to link eth0:0 with local + address 192.168.1.3, you would have the following in /etc/shorewall/nat:/etc/shorewall/natEXTERNALINTERFACEINTERNALALL INTERFACESLOCAL206.124.146.178eth0192.168.1.3nono
+ + Shorewall can create the alias (additional address) for you if you + set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with + Shorewall 1.3.14, Shorewall can actually create the "label" + (virtual interface) so that you can see the created address using + ifconfig. In addition to setting ADD_IP_ALIASES=Yes, you specify the + virtual interface name in the INTERFACE column as follows: + + + /etc/shorewall/nat + + + + + EXTERNAL + + INTERFACE + + INTERNAL + + ALL INTERFACES + + LOCAL + + + + + + 206.124.146.178 + + eth0:0 + + 192.168.1.3 + + no + + no + + + +
+ + In either case, to create rules that pertain only to this NAT + pair, you simply qualify the local zone with the internal IP address. + + + You want to allow SSH from the net to 206.124.146.178 a.k.a. + 192.168.1.3. + + /etc/shorewall/rulesACTIONSOURCEDESTINATIONPROTOCOLPORT(S)SOURCE PORT(S)ORIGINAL DESTINATIONACCEPTnetloc:192.168.1.3tcp22
+
+
+ +
+ MULTIPLE SUBNETS + + Sometimes multiple IP addresses are used because there are + multiple subnetworks configured on a LAN segment. This technique does + not provide for any security between the subnetworks if the users of the + systems have administrative privileges because in that case, the users + can simply manipulate their system's routing table to bypass your + firewall/router. Nevertheless, there are cases where you simply want to + consider the LAN segment itself as a zone and allow your firewall/router + to route between the two subnetworks. + + + Local interface eth1 interfaces to 192.168.1.0/24 and + 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and + eth1:0 is 192.168.20.254. You want to simply route all requests + between the two subnetworks. + + + + If you are running Shorewall 1.4.1 or Later + + + In /etc/shorewall/interfaces: + + + /etc/shorewall/interfaces + + + + + ZONE + + INTERFACE + + BROADCAST + + OPTIONS + + + + + + - + + eth1 + + 192.168.1.255,192.168.20.255 + + + + + +
+ + In /etc/shorewall/hosts: + + + /etc/shorewall/hosts + + + + + ZONE + + HOSTS + + OPTIONS + + + + + + loc + + eth1:192.168.1.0/24 + + + + + + loc + + eth1:192.168.20.0/24 + + + + + +
+ + + You do NOT need any entry in /etc/shorewall/policy as + Shorewall 1.4.1 and later releases default to allowing + intra-zone traffic. + +
+
+ + + If you are running Shorewall 1.4.0 or earlier + + + In /etc/shorewall/interfaces: + + + /etc/shorewall/interfaces + + + + + ZONE + + INTERFACE + + BROADCAST + + OPTIONS + + + + + + - + + eth1 + + 192.168.1.255,192.168.20.255 + + + + + +
+ + + If you are running Shorewall 1.3.10 or earlier then you + must specify the multi + option. + + + In /etc/shorewall/policy: + + + /etc/shorewall/policy + + + + + SOURCE + + DESTINATION + + POLICY + + LOG LEVEL + + BURST:LIMIT + + + + + + loc + + loc + + ACCEPT + + + + + + + +
+
+
+
+
+ + + Local interface eth1 interfaces to 192.168.1.0/24 and + 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and + eth1:0 is 192.168.20.254. You want to make these subnetworks into + separate zones and control the access between them (the users of the + systems do not have administrative privileges). + + In /etc/shorewall/zones:etc/shorewall/zonesZONEDISPLAYDESCRIPTIONlocLocalLocal + Zone 1loc2Local2Local + Zone 2
+ + In /etc/shorewall/interfaces:/etc/shorewall/interfacesZONEINTERFACEBROADCASTOPTIONS-eth1192.168.1.255,192.168.20.255
If you are running Shorewall + 1.3.10 or earlier then you must specify the multi + option.
+ + In /etc/shorewall/hosts:/etc/shorewall/hostsZONEHOSTSOPTIONSloceth1:192.168.1.0/24loc2eth1:192.168.20.0/24
+ + In /etc/shorewall/rules, simply specify ACCEPT rules for the + traffic that you want to permit. +
+
+
+
\ No newline at end of file
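Review bot: the /sbin/ifup-local example in the "Adding Addresses to Interfaces" section adds a different address from the one used everywhere else in the document and omits the prefix length: `/sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0` should read `/sbin/ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0`, matching the `ip addr add` command shown just above it and the `ip addr show` output in the Background section (without `/24` the kernel assigns a /32 host address, so the alias would not carry the 255.255.255.0 mask the ifconfig output shows, and the DNAT, SNAT and one-to-one NAT examples that follow all refer to .178). While here: the ifconfig output shows HWaddr 02:00:08:3:FA:55 but the ip output shows 02:00:08:e3:fa:55, so one of them is mistyped; "take the form of ipconfig virtual interfaces" should be "ifconfig virtual interfaces"; "either it's "-i" or "-o" command options" should be "its"; "accomplised" and "Do do that" are typos; and in the SNAT range paragraph "will increment the label by one for each subsequent label" should say "for each subsequent address", which is what the eth0:0/eth0:1/eth0:2 listing for 206.124.146.178-206.124.146.180 below it illustrates.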