1shorewall-nesting(5) shorewall-nesting(5)
2
6 Nesting - Shorewall Nested Zones
7
9 child-zone[: parent-zone[, parent-zone]...]
10
12 In shorewall-zones ⟨shorewall-zones.html⟩ (5), a zone may be declared
13 to be a sub-zone of one or more other zones using the above syntax.
14 Where zones are nested, the CONTINUE policy in shorewall-policy
16 ⟨shorewall-policy.html⟩ (5) allows hosts that are within multiple zones
17 to be managed under the rules of all of these zones.
18
20 /etc/shorewall/zones:
21 #ZONE TYPE OPTION
23 fw firewall
24 net ipv4
25 sam:net ipv4
26 loc ipv4
27 /etc/shorewall/interfaces:
29 #ZONE INTERFACE BROADCAST OPTIONS
31 - eth0 detect dhcp,norfc1918
32 loc eth1 detect
33 /etc/shorewall/hosts:
35 #ZONE HOST(S) OPTIONS
37 net eth0:0.0.0.0/0
38 sam eth0:206.191.149.197
39 /etc/shorewall/policy:
41 #SOURCE DEST POLICY LOG LEVEL
43 loc net ACCEPT
44 sam all CONTINUE
45 net all DROP info
46 all all REJECT info
47 The second entry above says that when Sam is the client, connection re‐
49 quests should first be processed under rules where the source zone is
50 sam and if there is no match then the connection request should be
51 treated under rules where the source zone is net. It is important that
52 this policy be listed BEFORE the next policy (net to all). You can have
53 this policy generated for you automatically by using the IMPLICIT_CON‐
54 TINUE option in shorewall.conf ⟨shorewall.conf.html⟩ (5).
55 Partial /etc/shorewall/rules:
57 #ACTION SOURCE DEST PROTO DEST PORT(S)
59 ...
60 DNAT sam loc:192.168.1.3 tcp ssh
61 DNAT net loc:192.168.1.5 tcp www
62 ...
63 Given these two rules, Sam can connect to the firewall's internet in‐
65 terface with ssh and the connection request will be forwarded to
66 192.168.1.3. Like all hosts in the net zone, Sam can connect to the
67 firewall's internet interface on TCP port 80 and the connection request
68 will be forwarded to 192.168.1.5. The order of the rules is not signif‐
69 icant. Sometimes it is necessary to suppress port forwarding for a sub-
70 zone. For example, suppose that all hosts can SSH to the firewall and
71 be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the fire‐
72 wall's external IP, he should be connected to the firewall itself. Be‐
73 cause of the way that Netfilter is constructed, this requires two rules
74 as follows:
75 #ACTION SOURCE DEST PROTO DEST PORT(S)
77 ...
78 ACCEPT+ sam $FW tcp ssh
79 DNAT net loc:192.168.1.3 tcp ssh
80 ...
81 The first rule allows Sam SSH access to the firewall. The second rule
83 says that any clients from the net zone with the exception of those in
84 the “sam” zone should have their connection port forwarded to
85 192.168.1.3. If you need to exclude more than one zone, simply use mul‐
86 tiple ACCEPT+ rules. This technique also may be used when the ACTION is
87 REDIRECT.
88 Care must be taken when nesting occurs as a result of the use of wild‐
90 card interfaces (interface names ends in '+').
91 Here's an example. /etc/shorewall/zones:
93 #ZONE TYPE OPTION
95 fw firewall
96 net ipv4
97 loc ipv4
98 dmz ipv4
99 /etc/shorewall/interfaces:
101 #ZONE INTERFACE BROADCAST OPTIONS
103 net ppp0
104 loc eth1
105 loc ppp+
106 dmz eth2
107 Because the net zone is declared before the loc zone, net is an implic‐
109 it sub-zone of loc and in the absence of a net->... CONTINUE policy,
110 traffic from the net zone will not be passed through loc->... rules.
111 But DNAT and REDIRECT rules are an exception!
112 · DNAT and REDIRECT rules generate two Netfilter rules: a 'nat' table
114 rule that rewrites the destination IP address and/or port number, and
115 a 'filter' table rule that ACCEPTs the rewritten connection.
116 · Policies only affect the 'filter' table.
118 As a consequence, the following rules will have unexpected behavior:
120 #ACTION SOURCE DEST PROTO DEST
122 # PORT(S)
123 ACCEPT net dmz tcp 80
124 REDIRECT loc 3128 tcp 80
125 The second rule is intended to redirect local web requests to a proxy
127 running on the firewall and listening on TCP port 3128. But the 'nat'
128 part of that rule will cause all connection requests for TCP port 80
129 arriving on interface ppp+ (including ppp0!) to have their destination
130 port rewritten to 3128. Hence, the web server running in the DMZ will
131 be inaccessible from the web.
132 The above problem can be corrected in several of ways.
134 The best way is to use the ifname pppd option to set the net interface
136 to something other than ppp0. That way, the 'net' interface won't match
137 ppp+.
138 A second way is to rewrite the DNAT rule (assume that the local zone is
140 entirely within 192.168.2.0/23):
141 #ACTION SOURCE DEST PROTO DEST
143 # PORT(S)
144 ACCEPT net dmz tcp 80
145 REDIRECT loc:192.168.2.0/23 3128 tcp 80
146 A third way is to exclude ppp0 from DNAT/REDIRECT as a consequence of
148 it being in the 'loc' zone.
149 /etc/shorewall/rules:
151 #ACTION SOURCE DEST PROTO DEST
153 # PORT(S)
154 ACCEPT net dmz tcp 80
155 NONAT loc:ppp0 fw
156 REDIRECT loc 3128 tcp 80
157 A fourth way is to restrict the definition of the loc zone:
159 /etc/shorewall/interfaces:
161 #ZONE INTERFACE BROADCAST OPTIONS
163 net ppp0
164 loc eth1
165 - ppp+
166 dmz eth2
167 /etc/shorewall/hosts:
169 #ZONE HOST(S) OPTIONS
171 loc ppp+:192.168.2.0/23
172
174 /etc/shorewall/zones
175 /etc/shorewall/interfaces
177 /etc/shorewall/hosts
179 /etc/shorewall/policy
181 /etc/shorewall/rules
183
185 shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-
186 blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-
187 ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
188 shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shore‐
189 wall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
190 shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
191 shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
192 shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
193 19 May 2008 shorewall-nesting(5)