shorewall-nesting(5)                                      shorewall-nesting(5)


NAME

       Nesting - Shorewall Nested Zones


SYNOPSIS

       child-zone[:parent-zone[,parent-zone]...]


DESCRIPTION

       In shorewall-zones ⟨shorewall-zones.html⟩ (5), a zone may be declared
       to be a sub-zone of one or more other zones using the above syntax.

       Where zones are nested, the CONTINUE policy in shorewall-policy
       ⟨shorewall-policy.html⟩ (5) allows hosts that are within multiple zones
       to be managed under the rules of all of these zones.


EXAMPLE

       /etc/shorewall/zones:

               #ZONE    TYPE        OPTION
               fw       firewall
               net      ipv4
               sam:net  ipv4
               loc      ipv4

       /etc/shorewall/interfaces:

               #ZONE     INTERFACE     BROADCAST     OPTIONS
               -         eth0          detect        dhcp,norfc1918
               loc       eth1          detect

       /etc/shorewall/hosts:

               #ZONE     HOST(S)                     OPTIONS
               net       eth0:0.0.0.0/0
               sam       eth0:206.191.149.197

       /etc/shorewall/policy:

               #SOURCE      DEST        POLICY       LOG LEVEL
               loc          net         ACCEPT
               sam          all         CONTINUE
               net          all         DROP         info
               all          all         REJECT       info

       The second entry above says that when Sam is the client, connection
       requests should first be processed under rules where the source zone
       is sam and, if there is no match, the connection request should then
       be treated under rules where the source zone is net. It is important
       that this policy be listed BEFORE the next policy (net to all). You
       can have this policy generated for you automatically by using the
       IMPLICIT_CONTINUE option in shorewall.conf ⟨shorewall.conf.html⟩ (5).

       Partial /etc/shorewall/rules:

               #ACTION   SOURCE    DEST            PROTO    DEST PORT(S)
               ...
               DNAT      sam       loc:192.168.1.3 tcp      ssh
               DNAT      net       loc:192.168.1.5 tcp      www
               ...

       Given these two rules, Sam can connect to the firewall's internet
       interface with ssh and the connection request will be forwarded to
       192.168.1.3. Like all hosts in the net zone, Sam can connect to the
       firewall's internet interface on TCP port 80 and the connection
       request will be forwarded to 192.168.1.5. The order of the rules is
       not significant.

       Sometimes it is necessary to suppress port forwarding for a sub-zone.
       For example, suppose that all hosts can SSH to the firewall and be
       forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the
       firewall's external IP, he should be connected to the firewall itself.
       Because of the way that Netfilter is constructed, this requires two
       rules as follows:

               #ACTION   SOURCE    DEST            PROTO    DEST PORT(S)
               ...
               ACCEPT+   sam       $FW             tcp      ssh
               DNAT      net       loc:192.168.1.3 tcp      ssh
               ...

       The first rule allows Sam SSH access to the firewall. The second rule
       says that any clients from the net zone, with the exception of those
       in the "sam" zone, should have their connection port forwarded to
       192.168.1.3. If you need to exclude more than one zone, simply use
       multiple ACCEPT+ rules. This technique may also be used when the
       ACTION is REDIRECT.

       Care must be taken when nesting occurs as a result of the use of
       wildcard interfaces (interface names that end in '+').

       Here's an example. /etc/shorewall/zones:

               #ZONE    TYPE        OPTION
               fw       firewall
               net      ipv4
               loc      ipv4
               dmz      ipv4

       /etc/shorewall/interfaces:

               #ZONE    INTERFACE      BROADCAST        OPTIONS
               net      ppp0
               loc      eth1
               loc      ppp+
               dmz      eth2

       Because the net zone is declared before the loc zone, net is an
       implicit sub-zone of loc and, in the absence of a net->... CONTINUE
       policy, traffic from the net zone will not be passed through loc->...
       rules. But DNAT and REDIRECT rules are an exception!

       · DNAT and REDIRECT rules generate two Netfilter rules: a 'nat' table
         rule that rewrites the destination IP address and/or port number,
         and a 'filter' table rule that ACCEPTs the rewritten connection.

       · Policies only affect the 'filter' table.

       As a consequence, the following rules will have unexpected behavior:

               #ACTION     SOURCE               DEST      PROTO        DEST PORT(S)
               ACCEPT      net                  dmz       tcp          80
               REDIRECT    loc                  3128      tcp          80

       The second rule is intended to redirect local web requests to a proxy
       running on the firewall and listening on TCP port 3128. But the 'nat'
       part of that rule will cause all connection requests for TCP port 80
       arriving on interface ppp+ (including ppp0!) to have their destination
       port rewritten to 3128. Hence, the web server running in the DMZ will
       be inaccessible from the web.

       The above problem can be corrected in several ways.

       The best way is to use the ifname pppd option to set the net interface
       to something other than ppp0. That way, the 'net' interface won't
       match ppp+.

       A second way is to rewrite the REDIRECT rule so that it only matches
       the local network (assume that the local zone is entirely within
       192.168.2.0/23):

               #ACTION     SOURCE                 DEST      PROTO      DEST PORT(S)
               ACCEPT      net                    dmz       tcp        80
               REDIRECT    loc:192.168.2.0/23     3128      tcp        80

       A third way is to exclude ppp0 from DNAT/REDIRECT, since it is only
       subject to them as a consequence of being in the 'loc' zone.

       /etc/shorewall/rules:

               #ACTION     SOURCE               DEST      PROTO        DEST PORT(S)
               ACCEPT      net                  dmz       tcp          80
               NONAT       loc:ppp0             fw
               REDIRECT    loc                  3128      tcp          80

       A fourth way is to restrict the definition of the loc zone:

       /etc/shorewall/interfaces:

               #ZONE    INTERFACE      BROADCAST        OPTIONS
               net      ppp0
               loc      eth1
               -        ppp+
               dmz      eth2

       /etc/shorewall/hosts:

               #ZONE    HOST(S)             OPTIONS
               loc      ppp+:192.168.2.0/23

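       The wildcard hazard above is easy to introduce and hard to spot by
       eye. The following is an added check, not part of Shorewall or of this
       man page: it reads an /etc/shorewall/interfaces file (a constructed
       copy of the hazardous example and of the "fourth way" fix are embedded)
       and reports every concrete interface that a wildcard entry of another
       zone also matches, i.e. every implicit sub-zone whose traffic the other
       zone's DNAT/REDIRECT rules will capture.

```python
# Added example (not from the Shorewall man page or project): lint an
# /etc/shorewall/interfaces file for the wildcard-nesting hazard described
# above, where a concrete interface in one zone (net on ppp0) is also
# matched by a wildcard entry of another zone (loc on ppp+).

# Constructed copy of the hazardous interfaces file from the example.
HAZARDOUS_INTERFACES = """\
#ZONE    INTERFACE      BROADCAST        OPTIONS
net      ppp0
loc      eth1
loc      ppp+
dmz      eth2
"""

# Constructed copy of the "fourth way" fix: ppp+ is no longer in loc.
FIXED_INTERFACES = """\
#ZONE    INTERFACE      BROADCAST        OPTIONS
net      ppp0
loc      eth1
-        ppp+
dmz      eth2
"""

def parse_interfaces(text):
    """Return (zone, interface) pairs, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            entries.append((fields[0], fields[1]))
    return entries

def wildcard_matches(pattern, ifname):
    """Shorewall wildcard: a trailing '+' matches any interface with that prefix."""
    return pattern.endswith("+") and ifname.startswith(pattern[:-1])

def find_implicit_subzones(text):
    """List (subzone, iface, parent_zone, pattern) for every concrete interface
    that a wildcard entry of a different zone also matches; the '-' pseudo-zone
    (no zone assigned in interfaces) never captures traffic and is skipped."""
    entries = parse_interfaces(text)
    return [(zone, iface, pzone, pattern)
            for zone, iface in entries if not iface.endswith("+")
            for pzone, pattern in entries
            if pzone not in (zone, "-") and wildcard_matches(pattern, iface)]

if __name__ == "__main__":
    for zone, iface, pzone, pattern in find_implicit_subzones(HAZARDOUS_INTERFACES):
        print(f"warning: {zone} ({iface}) is an implicit sub-zone of {pzone} ({pattern});"
              f" DNAT/REDIRECT rules for {pzone} will also match {iface}")
```

       A hit means the wildcard zone's 'nat' rules apply to that interface
       regardless of policy; apply one of the four corrections above and
       re-run until the file produces no hits.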

FILES

       /etc/shorewall/zones

       /etc/shorewall/interfaces

       /etc/shorewall/hosts

       /etc/shorewall/policy

       /etc/shorewall/rules


SEE ALSO

       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
       shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
       shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
       shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
       shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
       shorewall-zones(5)



                                 19 May 2008             shorewall-nesting(5)