1SHOREWALL-NESTING(5) Configuration Files SHOREWALL-NESTING(5)
2
6 nesting - Shorewall Nested Zones
7
9 child-zone[:parent-zone[,parent-zone]...]
10
12 In shorewall-zones[1](5), a zone may be declared to be a sub-zone of
13 one or more other zones using the above syntax. The child-zone may be
14 neither the firewall zone nor a vserver zone. The firewall zone may not
15 appear as a parent zone, although all vserver zones are handled as
16 sub-zones of the firewall zone.
17 Where zones are nested, the CONTINUE policy in shorewall-policy[2](5)
19 allows hosts that are within multiple zones to be managed under the
20 rules of all of these zones.
21
23 /etc/shorewall/zones:
24 #ZONE TYPE OPTION
26 fw firewall
27 net ipv4
28 sam:net ipv4
29 loc ipv4
30 /etc/shorewall/interfaces:
32 #ZONE INTERFACE BROADCAST OPTIONS
34 - eth0 detect dhcp,norfc1918
35 loc eth1 detect
36 /etc/shorewall/hosts:
38 #ZONE HOST(S) OPTIONS
40 net eth0:0.0.0.0/0
41 sam eth0:206.191.149.197
42 /etc/shorewall/policy:
44 #SOURCE DEST POLICY LOG LEVEL
46 loc net ACCEPT
47 sam all CONTINUE
48 net all DROP info
49 all all REJECT info
50 The second entry above says that when Sam is the client, connection
52 requests should first be processed under rules where the source zone is
53 sam and if there is no match then the connection request should be
54 treated under rules where the source zone is net. It is important that
55 this policy be listed BEFORE the next policy (net to all). You can have
56 this policy generated for you automatically by using the
57 IMPLICIT_CONTINUE option in shorewall.conf[3](5).
58 Partial /etc/shorewall/rules:
60 #ACTION SOURCE DEST PROTO DPORT
62 ...
63 DNAT sam loc:192.168.1.3 tcp ssh
64 DNAT net loc:192.168.1.5 tcp www
65 ...
66 Given these two rules, Sam can connect to the firewall's internet
68 interface with ssh and the connection request will be forwarded to
69 192.168.1.3. Like all hosts in the net zone, Sam can connect to the
70 firewall's internet interface on TCP port 80 and the connection request
71 will be forwarded to 192.168.1.5. The order of the rules is not
72 significant. Sometimes it is necessary to suppress port forwarding for
73 a sub-zone. For example, suppose that all hosts can SSH to the firewall
74 and be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the
75 firewall's external IP, he should be connected to the firewall itself.
76 Because of the way that Netfilter is constructed, this requires two
77 rules as follows:
78 #ACTION SOURCE DEST PROTO DPORT
80 ...
81 ACCEPT+ sam $FW tcp ssh
82 DNAT net loc:192.168.1.3 tcp ssh
83 ...
84 The first rule allows Sam SSH access to the firewall. The second rule
86 says that any clients from the net zone with the exception of those in
87 the “sam” zone should have their connection port forwarded to
88 192.168.1.3. If you need to exclude more than one zone, simply use
89 multiple ACCEPT+ rules. This technique also may be used when the ACTION
90 is REDIRECT.
91 Care must be taken when nesting occurs as a result of the use of
93 wildcard interfaces (interface names ends in '+').
94 Here's an example. /etc/shorewall/zones:
96 /etc/shorewall/interfaces:
98 #ZONE INTERFACE BROADCAST OPTIONS
100 net ppp0
101 loc eth1
102 loc ppp+
103 dmz eth2
104 Because the net zone is declared before the loc zone, net is an
106 implicit sub-zone of loc and in the absence of a net->... CONTINUE
107 policy, traffic from the net zone will not be passed through loc->...
108 rules. But DNAT and REDIRECT rules are an exception!
109 • DNAT and REDIRECT rules generate two Netfilter rules: a 'nat' table
111 rule that rewrites the destination IP address and/or port number,
112 and a 'filter' table rule that ACCEPTs the rewritten connection.
113 • Policies only affect the 'filter' table.
115 As a consequence, the following rules will have unexpected behavior:
117 #ACTION SOURCE DEST PROTO DPORT
119 ACCEPT net dmz tcp 80
120 REDIRECT loc 3128 tcp 80
121 The second rule is intended to redirect local web requests to a proxy
123 running on the firewall and listening on TCP port 3128. But the 'nat'
124 part of that rule will cause all connection requests for TCP port 80
125 arriving on interface ppp+ (including ppp0!) to have their destination
126 port rewritten to 3128. Hence, the web server running in the DMZ will
127 be inaccessible from the web.
128 The above problem can be corrected in several ways.
130 The preferred way is to use the ifname pppd option to change the 'net'
132 interface to something other than ppp0. That way, it won't match ppp+.
133 If you are running Shorewall version 4.1.4 or later, a second way is to
135 simply make the nested zones explicit:
136 #ZONE TYPE OPTION
138 fw firewall
139 loc ipv4
140 net:loc ipv4
141 dmz ipv4
142 If you take this approach, be sure to set IMPLICIT_CONTINUE=No in
144 shorewall.conf.
145 When using other Shorewall versions, another way is to rewrite the DNAT
147 rule (assume that the local zone is entirely within 192.168.2.0/23):
148 #ACTION SOURCE DEST PROTO DPORT
150 ACCEPT net dmz tcp 80
151 REDIRECT loc:192.168.2.0/23 3128 tcp 80
152 Another way is to restrict the definition of the loc zone:
154 /etc/shorewall/interfaces:
156 #ZONE INTERFACE BROADCAST OPTIONS
158 net ppp0
159 loc eth1
160 - ppp+
161 dmz eth2
162 /etc/shorewall/hosts:
164 #ZONE HOST(S) OPTIONS
166 loc ppp+:192.168.2.0/23
167
169 /etc/shorewall/zones
170 /etc/shorewall/interfaces
172 /etc/shorewall/hosts
174 /etc/shorewall/policy
176 /etc/shorewall/rules
178 /etc/shorewall6/zones
180 /etc/shorewall6/interfaces
182 /etc/shorewall6/hosts
184 /etc/shorewall6/policy
186 /etc/shorewall6/rules
188
190 shorewall(8), shorewall-accounting(5), shorewall-actions(5),
191 shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
192 shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
193 shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
194 shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
195 shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
196 shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
197 shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
198 shorewall-tunnels(5), shorewall-zones(5)
199
201 1. shorewall-zones
202 https://shorewall.org/manpages/shorewall-zones.html
203 2. shorewall-policy
205 https://shorewall.org/manpages/shorewall-policy.html
206 3. shorewall.conf
208 https://shorewall.org/manpages/shorewall.conf.html
209Configuration Files 09/24/2020 SHOREWALL-NESTING(5)