<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>shorewall-nesting</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="refentry" lang="en" xml:lang="en"><a id="id257171"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>nesting — Shorewall Nested Zones</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p> <em class="replaceable"><code>child-zone</code></em>[:<em class="replaceable"><code>parent-zone</code></em>[,<em class="replaceable"><code>parent-zone</code></em>]...] </p></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id257218"></a><h2>Description</h2><p>In <a class="ulink" href="shorewall-zones.html" target="_self">shorewall-zones</a>(5), a
zone may be declared to be a sub-zone of one or more other zones using the
above syntax.</p><p>Where zones are nested, the CONTINUE policy in <a class="ulink" href="shorewall-policy.html" target="_self">shorewall-policy</a>(5) allows hosts that
are within multiple zones to be managed under the rules of all of these
zones.</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id257243"></a><h2>Example</h2><p><code class="filename">/etc/shorewall/zones</code>:</p><pre class="programlisting"> #ZONE TYPE OPTION
fw firewall
net ipv4
sam:net ipv4
loc ipv4</pre><p><code class="filename">/etc/shorewall/interfaces</code>:</p><pre class="programlisting"> #ZONE INTERFACE BROADCAST OPTIONS
- eth0 detect dhcp,norfc1918
loc eth1 detect</pre><p><code class="filename">/etc/shorewall/hosts</code>:</p><pre class="programlisting"> #ZONE HOST(S) OPTIONS
net eth0:0.0.0.0/0
sam eth0:206.191.149.197</pre><p><code class="filename">/etc/shorewall/policy</code>:</p><pre class="programlisting"> #SOURCE DEST POLICY LOG LEVEL
loc net ACCEPT
sam all CONTINUE
net all DROP info
all all REJECT info</pre><p>The second entry above says that when Sam is the client, connection
requests should first be processed under rules where the source zone is
sam and if there is no match then the connection request should be treated
under rules where the source zone is net. It is important that this policy
be listed BEFORE the next policy (net to all). You can have this policy
generated for you automatically by using the IMPLICIT_CONTINUE option in
<a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5).</p><p>Partial <code class="filename">/etc/shorewall/rules</code>:</p><pre class="programlisting"> #ACTION SOURCE DEST PROTO DEST PORT(S)
...
DNAT sam loc:192.168.1.3 tcp ssh
DNAT net loc:192.168.1.5 tcp www
...</pre><p>Given these two rules, Sam can connect to the firewall's internet
interface with ssh and the connection request will be forwarded to
192.168.1.3. Like all hosts in the net zone, Sam can connect to the
firewall's internet interface on TCP port 80 and the connection request
will be forwarded to 192.168.1.5. The order of the rules is not
significant. Sometimes it is necessary to suppress port forwarding for a
sub-zone. For example, suppose that all hosts can SSH to the firewall and
be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the
firewall's external IP, he should be connected to the firewall itself.
Because of the way that Netfilter is constructed, this requires two rules
as follows:</p><pre class="programlisting"> #ACTION SOURCE DEST PROTO DEST PORT(S)
...
ACCEPT+ sam $FW tcp ssh
DNAT net loc:192.168.1.3 tcp ssh
...</pre><p>The first rule allows Sam SSH access to the firewall. The second
rule says that any clients from the net zone with the exception of those
in the “sam” zone should have their connection port forwarded to
192.168.1.3. If you need to exclude more than one zone, simply use
multiple ACCEPT+ rules. This technique also may be used when the ACTION is
REDIRECT.</p><p>Care must be taken when nesting occurs as a result of the use of
wildcard interfaces (interface names ends in '+').</p><p>Here's an example.
<code class="filename">/etc/shorewall/zones</code>:</p><pre class="programlisting"> #ZONE TYPE OPTION
fw firewall
net ipv4
loc ipv4
dmz ipv4</pre><p><code class="filename">/etc/shorewall/interfaces</code>:</p><pre class="programlisting"> #ZONE INTERFACE BROADCAST OPTIONS
net ppp0
loc eth1
loc ppp+
dmz eth2</pre><p>Because the net zone is declared before the loc zone, net is an
implicit sub-zone of loc and in the absence of a net->... CONTINUE
policy, traffic from the net zone will not be passed through loc->...
rules. But DNAT and REDIRECT rules are an exception!</p><div class="itemizedlist"><ul type="disc"><li><p>DNAT and REDIRECT rules generate two Netfilter rules: a 'nat'
table rule that rewrites the destination IP address and/or port
number, and a 'filter' table rule that ACCEPTs the rewritten
connection.</p></li><li><p>Policies only affect the 'filter' table.</p></li></ul></div><p>As a consequence, the following rules will have unexpected
behavior:</p><pre class="programlisting"> #ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT net dmz tcp 80
REDIRECT loc 3128 tcp 80</pre><p>The second rule is intended to redirect local web requests to a
proxy running on the firewall and listening on TCP port 3128. But the
'nat' part of that rule will cause all connection requests for TCP port 80
arriving on interface ppp+ (including ppp0!) to have their destination
port rewritten to 3128. Hence, the web server running in the DMZ will be
inaccessible from the web.</p><p>The above problem can be corrected in several of ways.</p><p>The best way is to use the <code class="option">ifname</code> pppd option to
set the net interface to something other than ppp0. That way, the 'net'
interface won't match ppp+.</p><p>A second way is to rewrite the DNAT rule (assume that the local zone
is entirely within 192.168.2.0/23):</p><pre class="programlisting"> #ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT net dmz tcp 80
REDIRECT loc:192.168.2.0/23 3128 tcp 80</pre><p>A third way is to exclude ppp0 from DNAT/REDIRECT as a consequence
of it being in the 'loc' zone.</p><p><code class="filename">/etc/shorewall/rules</code>:</p><pre class="programlisting"> #ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT net dmz tcp 80
NONAT loc:ppp0 fw
REDIRECT loc 3128 tcp 80</pre><p>A fourth way is to restrict the definition of the loc zone:</p><p><code class="filename">/etc/shorewall/interfaces</code>:</p><pre class="programlisting"> #ZONE INTERFACE BROADCAST OPTIONS
net ppp0
loc eth1
- ppp+
dmz eth2</pre><p><code class="filename">/etc/shorewall/hosts</code>:</p><pre class="programlisting"> #ZONE HOST(S) OPTIONS
loc ppp+:192.168.2.0/23</pre></div><div class="refsect1" lang="en" xml:lang="en"><a id="id257456"></a><h2>FILES</h2><p>/etc/shorewall/zones</p><p>/etc/shorewall/interfaces</p><p>/etc/shorewall/hosts</p><p>/etc/shorewall/policy</p><p>/etc/shorewall/rules</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id257479"></a><h2>See ALSO</h2><p>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</p></div></div></body></html>
