SHOREWALL-NESTING(5)          Configuration Files          SHOREWALL-NESTING(5)

NAME
nesting - Shorewall Nested Zones

SYNOPSIS
child-zone[:parent-zone[,parent-zone]...]

DESCRIPTION
In shorewall-zones[1](5), a zone may be declared to be a sub-zone of
one or more other zones using the above syntax. The child-zone may be
neither the firewall zone nor a vserver zone. The firewall zone may not
appear as a parent zone, although all vserver zones are handled as
sub-zones of the firewall zone.

Where zones are nested, the CONTINUE policy in shorewall-policy[2](5)
allows hosts that are within multiple zones to be managed under the
rules of all of these zones.

EXAMPLE
/etc/shorewall/zones:

#ZONE     TYPE       OPTION
fw        firewall
net       ipv4
sam:net   ipv4
loc       ipv4

/etc/shorewall/interfaces:

#ZONE     INTERFACE  BROADCAST  OPTIONS
-         eth0       detect     dhcp,norfc1918
loc       eth1       detect

/etc/shorewall/hosts:

#ZONE     HOST(S)                  OPTIONS
net       eth0:0.0.0.0/0
sam       eth0:206.191.149.197

/etc/shorewall/policy:

#SOURCE   DEST       POLICY     LOG LEVEL
loc       net        ACCEPT
sam       all        CONTINUE
net       all        DROP       info
all       all        REJECT     info

The second entry above says that when Sam is the client, connection
requests should first be processed under rules where the source zone is
sam and if there is no match then the connection request should be
treated under rules where the source zone is net. It is important that
this policy be listed BEFORE the next policy (net to all). You can have
this policy generated for you automatically by using the
IMPLICIT_CONTINUE option in shorewall.conf[3](5).

Partial /etc/shorewall/rules:

#ACTION   SOURCE     DEST               PROTO   DPORT
...
DNAT      sam        loc:192.168.1.3    tcp     ssh
DNAT      net        loc:192.168.1.5    tcp     www
...

Given these two rules, Sam can connect to the firewall's internet
interface with ssh and the connection request will be forwarded to
192.168.1.3. Like all hosts in the net zone, Sam can connect to the
firewall's internet interface on TCP port 80 and the connection request
will be forwarded to 192.168.1.5. The order of the rules is not
significant. Sometimes it is necessary to suppress port forwarding for
a sub-zone. For example, suppose that all hosts can SSH to the firewall
and be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the
firewall's external IP, he should be connected to the firewall itself.
Because of the way that Netfilter is constructed, this requires two
rules as follows:

#ACTION   SOURCE     DEST               PROTO   DPORT
...
ACCEPT+   sam        $FW                tcp     ssh
DNAT      net        loc:192.168.1.3    tcp     ssh
...

The first rule allows Sam SSH access to the firewall. The second rule
says that any clients from the net zone with the exception of those in
the “sam” zone should have their connection port forwarded to
192.168.1.3. If you need to exclude more than one zone, simply use
multiple ACCEPT+ rules. This technique also may be used when the ACTION
is REDIRECT.

Care must be taken when nesting occurs as a result of the use of
wildcard interfaces (interface names ending in '+').

Here's an example. /etc/shorewall/zones:

/etc/shorewall/interfaces:

#ZONE     INTERFACE  BROADCAST  OPTIONS
net       ppp0
loc       eth1
loc       ppp+
dmz       eth2

Because the net zone is declared before the loc zone, net is an
implicit sub-zone of loc and in the absence of a net->... CONTINUE
policy, traffic from the net zone will not be passed through loc->...
rules. But DNAT and REDIRECT rules are an exception!

· DNAT and REDIRECT rules generate two Netfilter rules: a 'nat' table
rule that rewrites the destination IP address and/or port number,
and a 'filter' table rule that ACCEPTs the rewritten connection.

· Policies only affect the 'filter' table.

As a consequence, the following rules will have unexpected behavior:

#ACTION   SOURCE     DEST       PROTO   DPORT
ACCEPT    net        dmz        tcp     80
REDIRECT  loc        3128       tcp     80

The second rule is intended to redirect local web requests to a proxy
running on the firewall and listening on TCP port 3128. But the 'nat'
part of that rule will cause all connection requests for TCP port 80
arriving on interface ppp+ (including ppp0!) to have their destination
port rewritten to 3128. Hence, the web server running in the DMZ will
be inaccessible from the web.

The above problem can be corrected in several ways.

The preferred way is to use the ifname pppd option to change the 'net'
interface to something other than ppp0. That way, it won't match ppp+.

If you are running Shorewall version 4.1.4 or later, a second way is to
simply make the nested zones explicit:

#ZONE     TYPE       OPTION
fw        firewall
loc       ipv4
net:loc   ipv4
dmz       ipv4

If you take this approach, be sure to set IMPLICIT_CONTINUE=No in
shorewall.conf.

When using other Shorewall versions, another way is to rewrite the DNAT
rule (assume that the local zone is entirely within 192.168.2.0/23):

#ACTION   SOURCE                  DEST       PROTO   DPORT
ACCEPT    net                     dmz        tcp     80
REDIRECT  loc:192.168.2.0/23      3128       tcp     80

Another way is to restrict the definition of the loc zone:

/etc/shorewall/interfaces:

#ZONE     INTERFACE  BROADCAST  OPTIONS
net       ppp0
loc       eth1
-         ppp+
dmz       eth2

/etc/shorewall/hosts:

#ZONE     HOST(S)                  OPTIONS
loc       ppp+:192.168.2.0/23
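
The following Python lint is an added illustration, not part of this man page or of Shorewall: it reads the zones, interfaces and rules entries from the wildcard example above, derives the implicit net-under-loc nesting that ppp+ creates, and flags the DNAT/REDIRECT rules whose 'nat' half will also rewrite the sub-zone's traffic. The zones file content is constructed (the example omits it); a host-qualified SOURCE such as loc:192.168.2.0/23 is treated as already restricted and is not flagged, and the `- ppp+` interfaces fix produces no warning.

```python
def _rows(text):
    """Whitespace-split fields of each non-blank, non-comment config line."""
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            yield fields

def parse_zones(text):
    """Ordered [(zone, [explicit parents])] from the child:parent[,parent] syntax."""
    out = []
    for fields in _rows(text):
        zone, _, parents = fields[0].partition(":")
        out.append((zone, parents.split(",") if parents else []))
    return out

def implicit_subzones(zones, interfaces_text):
    """(child, parent) pairs: an earlier-declared zone's interface is also matched by a
    later zone's wildcard ('+') interface and no explicit nesting was declared."""
    order = {zone: i for i, (zone, _) in enumerate(zones)}
    explicit = {(zone, p) for zone, parents in zones for p in parents}
    ifaces = [(f[0], f[1]) for f in _rows(interfaces_text)]   # '-' entries own no zone
    pairs = set()
    for zone, iface in ifaces:
        if zone not in order or not iface.endswith("+"):
            continue
        for other, oiface in ifaces:
            if (other in order and other != zone and order[other] < order[zone]
                    and oiface.startswith(iface[:-1]) and (other, zone) not in explicit):
                pairs.add((other, zone))
    return pairs

def nat_rule_warnings(rules_text, implicit):
    """DNAT/REDIRECT rules whose bare SOURCE is an implicit parent: the 'nat' half rewrites
    the sub-zone's traffic too. Host-qualified SOURCEs (zone:address) are not flagged."""
    warnings = []
    for fields in _rows(rules_text):
        action, source = fields[0], fields[1]
        if action not in ("DNAT", "REDIRECT") or ":" in source:
            continue
        for child, parent in sorted(implicit):
            if parent == source:
                warnings.append(f"{action} {source}: nat rule also matches zone '{child}'")
    return warnings

def check(zones_text, interfaces_text, rules_text):
    return nat_rule_warnings(rules_text, implicit_subzones(parse_zones(zones_text), interfaces_text))

# Constructed zones file (the example above omits it); interfaces and rules as on the page.
ZONES = "#ZONE TYPE\nfw firewall\nnet ipv4\nloc ipv4\ndmz ipv4\n"
INTERFACES = "#ZONE INTERFACE\nnet ppp0\nloc eth1\nloc ppp+\ndmz eth2\n"
RULES = "#ACTION SOURCE DEST PROTO DPORT\nACCEPT net dmz tcp 80\nREDIRECT loc 3128 tcp 80\n"
```

Running `check(ZONES, INTERFACES, RULES)` reports the REDIRECT loc rule; applying either the explicit `net:loc` zones entry or the `- ppp+` interfaces entry makes the report empty.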
167
169 /etc/shorewall/zones
170
171 /etc/shorewall/interfaces
172
173 /etc/shorewall/hosts
174
175 /etc/shorewall/policy
176
177 /etc/shorewall/rules
178
179 /etc/shorewall6/zones
180
181 /etc/shorewall6/interfaces
182
183 /etc/shorewall6/hosts
184
185 /etc/shorewall6/policy
186
187 /etc/shorewall6/rules
188
190 shorewall(8), shorewall-accounting(5), shorewall-actions(5),
191 shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
192 shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
193 shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
194 shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
195 shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
196 shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
197 shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
198 shorewall-tunnels(5), shorewall-zones(5)
199
201 1. shorewall-zones
202 https://shorewall.org/manpages/shorewall-zones.html
203
204 2. shorewall-policy
205 https://shorewall.org/manpages/shorewall-policy.html
206
207 3. shorewall.conf
208 https://shorewall.org/manpages/shorewall.conf.html
209
210
211
212Configuration Files 01/15/2020 SHOREWALL-NESTING(5)