SHOREWALL-NESTING(5)                                    SHOREWALL-NESTING(5)

NAME
nesting - Shorewall Nested Zones

SYNOPSIS
child-zone[:parent-zone[,parent-zone]...]

DESCRIPTION
In shorewall-zones[1](5), a zone may be declared to be a sub-zone of
one or more other zones using the above syntax. The child-zone may be
neither the firewall zone nor a vserver zone. The firewall zone may not
appear as a parent zone, although all vserver zones are handled as
sub-zones of the firewall zone.

Where zones are nested, the CONTINUE policy in shorewall-policy[2](5)
allows hosts that are within multiple zones to be managed under the
rules of all of these zones.

EXAMPLE
/etc/shorewall/zones:

#ZONE    TYPE      OPTION
fw       firewall
net      ipv4
sam:net  ipv4
loc      ipv4

/etc/shorewall/interfaces:

#ZONE  INTERFACE  BROADCAST  OPTIONS
-      eth0       detect     dhcp,norfc1918
loc    eth1       detect

/etc/shorewall/hosts:

#ZONE  HOST(S)               OPTIONS
net    eth0:0.0.0.0/0
sam    eth0:206.191.149.197

/etc/shorewall/policy:

#SOURCE  DEST  POLICY    LOG LEVEL
loc      net   ACCEPT
sam      all   CONTINUE
net      all   DROP      info
all      all   REJECT    info

The second policy entry above (sam all CONTINUE) says that when Sam is
the client, connection requests should first be processed under rules
where the source zone is sam and, if there is no match, the connection
request should then be treated under rules where the source zone is
net. It is important that this policy be listed BEFORE the next policy
(net to all). You can have this policy generated for you automatically
by using the IMPLICIT_CONTINUE option in shorewall.conf[3](5).

Partial /etc/shorewall/rules:

#ACTION  SOURCE  DEST             PROTO  DEST PORT(S)
...
DNAT     sam     loc:192.168.1.3  tcp    ssh
DNAT     net     loc:192.168.1.5  tcp    www
...

Given these two rules, Sam can connect to the firewall's internet
interface with ssh and the connection request will be forwarded to
192.168.1.3. Like all hosts in the net zone, Sam can connect to the
firewall's internet interface on TCP port 80 and the connection request
will be forwarded to 192.168.1.5. The order of the rules is not
significant.

Sometimes it is necessary to suppress port forwarding for a sub-zone.
For example, suppose that all hosts can SSH to the firewall and be
forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the
firewall's external IP, he should be connected to the firewall itself.
Because of the way that Netfilter is constructed, this requires two
rules as follows:

#ACTION  SOURCE  DEST             PROTO  DEST PORT(S)
...
ACCEPT+  sam     $FW              tcp    ssh
DNAT     net     loc:192.168.1.3  tcp    ssh
...

The first rule allows Sam SSH access to the firewall. The second rule
says that any clients from the net zone, with the exception of those in
the "sam" zone, should have their connection port forwarded to
192.168.1.3. If you need to exclude more than one zone, simply use
multiple ACCEPT+ rules. This technique may also be used when the ACTION
is REDIRECT.

Care must be taken when nesting occurs as a result of the use of
wildcard interfaces (interface names ending in '+').

Here's an example. /etc/shorewall/zones:

/etc/shorewall/interfaces:

#ZONE  INTERFACE  BROADCAST  OPTIONS
net    ppp0
loc    eth1
loc    ppp+
dmz    eth2

Because the net zone is declared before the loc zone, net is an
implicit sub-zone of loc and, in the absence of a net->... CONTINUE
policy, traffic from the net zone will not be passed through loc->...
rules. But DNAT and REDIRECT rules are an exception!

· DNAT and REDIRECT rules generate two Netfilter rules: a 'nat' table
  rule that rewrites the destination IP address and/or port number,
  and a 'filter' table rule that ACCEPTs the rewritten connection.

· Policies only affect the 'filter' table.

As a consequence, the following rules will have unexpected behavior:

#ACTION   SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT    net     dmz   tcp    80
REDIRECT  loc     3128  tcp    80

The second rule is intended to redirect local web requests to a proxy
running on the firewall and listening on TCP port 3128. But the 'nat'
part of that rule will cause all connection requests for TCP port 80
arriving on interface ppp+ (including ppp0!) to have their destination
port rewritten to 3128. Hence, the web server running in the DMZ will
be inaccessible from the web.

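As an added illustration (not part of this man page or of Shorewall itself), the following Python lint reads an interfaces table and a rules table in the formats shown above, finds zones that are implicitly nested through a wildcard interface, and flags DNAT/REDIRECT rules whose bare SOURCE zone is such a wildcard zone. The sample tables are constructed from the example above; the function names are the example's own.

```python
# Constructed sample input: the wildcard-interface example from this page.
INTERFACES = """\
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0
loc eth1
loc ppp+
dmz eth2
"""
RULES = """\
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT net dmz tcp 80
REDIRECT loc 3128 tcp 80
"""

def parse_columns(text, ncols):
    """Split a Shorewall table into rows; comments and blank lines dropped."""
    rows = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            rows.append(tuple(line.split()[:ncols]))
    return rows

def wildcard_matches(pattern, name):
    """Shorewall wildcard: a trailing '+' matches any name with that prefix."""
    if pattern.endswith('+'):
        return name.startswith(pattern[:-1])
    return pattern == name

def implicit_nesting(interfaces):
    """Map each wildcard zone -> set of other zones whose interfaces it covers."""
    nested = {}
    for zone, iface in interfaces:
        if zone == '-' or not iface.endswith('+'):
            continue  # '-' assigns no zone, so it cannot nest anything
        for other_zone, other_iface in interfaces:
            if other_zone not in ('-', zone) and wildcard_matches(iface, other_iface):
                nested.setdefault(zone, set()).add(other_zone)
    return nested

def risky_nat_rules(interfaces, rules):
    """DNAT/REDIRECT rules with a bare wildcard-zone SOURCE: the 'nat' half also
    catches the nested zones' traffic, and policies cannot stop it."""
    nested = implicit_nesting(interfaces)
    findings = []
    for action, source, *_ in rules:
        if action in ('DNAT', 'REDIRECT') and ':' not in source and source in nested:
            findings.append((action, source, sorted(nested[source])))
    return findings
```

Restricting the SOURCE to an address range (loc:192.168.2.0/23) or assigning the wildcard interface to '-' makes the finding disappear, which mirrors the fixes described next.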
The above problem can be corrected in several ways.

The preferred way is to use the ifname pppd option to change the 'net'
interface to something other than ppp0. That way, it won't match ppp+.

If you are running Shorewall version 4.1.4 or later, a second way is to
simply make the nested zones explicit:

#ZONE    TYPE      OPTION
fw       firewall
loc      ipv4
net:loc  ipv4
dmz      ipv4

If you take this approach, be sure to set IMPLICIT_CONTINUE=No in
shorewall.conf.

When using other Shorewall versions, another way is to rewrite the DNAT
rule (assume that the local zone is entirely within 192.168.2.0/23):

#ACTION   SOURCE              DEST  PROTO  DEST PORT(S)
ACCEPT    net                 dmz   tcp    80
REDIRECT  loc:192.168.2.0/23  3128  tcp    80

Another way is to restrict the definition of the loc zone:

/etc/shorewall/interfaces:

#ZONE  INTERFACE  BROADCAST  OPTIONS
net    ppp0
loc    eth1
-      ppp+
dmz    eth2

/etc/shorewall/hosts:

#ZONE  HOST(S)              OPTIONS
loc    ppp+:192.168.2.0/23

FILES
/etc/shorewall/zones

/etc/shorewall/interfaces

/etc/shorewall/hosts

/etc/shorewall/policy

/etc/shorewall/rules

SEE ALSO
shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5),
shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)

NOTES
1. shorewall-zones
   http://www.shorewall.net/manpages/shorewall-zones.html

2. shorewall-policy
   http://www.shorewall.net/manpages/shorewall-policy.html

3. shorewall.conf
   http://www.shorewall.net/manpages/shorewall.conf.html

                              09/16/2011                SHOREWALL-NESTING(5)