shorewall-doc-4.0.15-0.2mdvmes5.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Shorewall and Aliased Interfaces</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="Shorewall_and_Aliased_Interfaces"></a>Shorewall and Aliased Interfaces</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2001-2007 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id279794"></a><p>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation
      License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#Background">Background</a></span></dt><dt><span class="section"><a href="#Adding">Adding Addresses to Interfaces</a></span></dt><dt><span class="section"><a href="#How">So how do I handle more than one address on an interface?</a></span></dt><dd><dl><dt><span class="section"><a href="#Rules">Separate Rules</a></span></dt><dt><span class="section"><a href="#DNAT">DNAT</a></span></dt><dt><span class="section"><a href="#SNAT">SNAT</a></span></dt><dt><span class="section"><a href="#NAT">One-to-one NAT</a></span></dt><dt><span class="section"><a href="#Subnets">MULTIPLE SUBNETS</a></span></dt></dl></dd></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 3.0 and
    later. If you are running a version of Shorewall earlier than Shorewall
    3.0.0 then please see the documentation for that
    release.</strong></span></p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Background"></a>Background</h2></div></div></div><p>The traditional net-tools contain a program called
    <span class="emphasis"><em>ifconfig</em></span> which is used to configure network devices.
    ifconfig introduced the concept of <span class="emphasis"><em>aliased</em></span> or
    <span class="emphasis"><em>virtual</em></span> interfaces. These virtual interfaces have
    names of the form <span class="emphasis"><em>interface:integer</em></span> (e.g., <code class="filename">eth0:0</code>) and ifconfig treats them more or
    less like real interfaces.</p><div class="example"><a id="ifconfig"></a><p class="title"><b>Example 1. ifconfig</b></p><div class="example-contents"><pre class="programlisting">[root@gateway root]# <span class="command"><strong>ifconfig eth0:0</strong></span>
eth0:0    Link encap:Ethernet  HWaddr 02:00:08:E3:FA:55
          inet addr:206.124.146.178  Bcast:206.124.146.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:11 Base address:0x2000
[root@gateway root]# </pre></div></div><br class="example-break" /><p>The ifconfig utility is being gradually phased out in favor of the
    ip utility, which is part of the <span class="emphasis"><em>iproute</em></span> package. The
    ip utility does not use the concept of aliases or virtual interfaces but
    rather treats additional addresses on an interface as objects in their own
    right. For compatibility with ifconfig, the ip utility allows an address to
    be <span class="emphasis"><em>labeled</em></span>, and these labels take the form
    of ifconfig virtual interface names (e.g., <code class="filename">eth0:0</code>).</p><div class="example"><a id="ip"></a><p class="title"><b>Example 2. ip</b></p><div class="example-contents"><pre class="programlisting">[root@gateway root]# <span class="command"><strong>ip addr show dev eth0</strong></span>
2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100
    link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
    inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0
[root@gateway root]# </pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>One <span class="bold"><strong>cannot</strong></span> type
          “<span class="quote"><span class="command"><strong>ip addr show dev eth0:0</strong></span></span>” because
          “<span class="quote"><code class="filename">eth0:0</code></span>” is a
          label for a particular address rather than a device name.</p><pre class="programlisting">[root@gateway root]# <span class="command"><strong>ip addr show dev eth0:0</strong></span>
Device "eth0:0" does not exist.
[root@gateway root]#</pre></div></div></div><br class="example-break" /><p>The iptables program matches on real device names only, so a
    virtual interface name such as <code class="filename">eth0:0</code> is not accepted by
    either its “<span class="quote">-i</span>” or “<span class="quote">-o</span>” command option; as a
    consequence, Shorewall does not allow virtual interface names in the
    /etc/shorewall/interfaces file or anywhere else except as described in the
    discussion below. Where a rule must apply to one particular address, it
    matches on the address itself, as the examples that follow show.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Adding"></a>Adding Addresses to Interfaces</h2></div></div></div><p>Most distributions have a facility for adding additional addresses
    to interfaces. If you have already used your distribution's capability to
    add your required addresses, you can skip this section.</p><p>Shorewall provides facilities for automatically adding addresses to
    interfaces as described in the following section. It is also easy to add
    them yourself using the <span class="bold"><strong>ip</strong></span> utility. The
    above alias was added using:</p><pre class="programlisting"><span class="command"><strong>ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0</strong></span></pre><p>You probably want to arrange to add these addresses when the device
    is started rather than placing commands like the above in one of the
    Shorewall extension scripts. For example, on RedHat systems, you can place
    the commands in /sbin/ifup-local (give the prefix length and broadcast
    address as in the command above; without a prefix length,
    <span class="bold"><strong>ip</strong></span> adds a /32 host address):</p><pre class="programlisting">#!/bin/sh
# ifup calls this script with the interface name as $1
case $1 in
    eth0)
        /sbin/ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0
        ;;
esac</pre><p>RedHat systems also allow adding such aliases from the network
    administration GUI (which only works well if you have a graphical
    environment on your firewall).</p><p>On Debian and LEAF/Bering systems, it is as simple as adding the
    command to the interface definition as follows:</p><pre class="programlisting"># Internet interface
auto eth0
iface eth0 inet static
        address 206.124.146.176
        netmask 255.255.255.0
        gateway 206.124.146.254
        <span class="command"><strong>up ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0</strong></span></pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="How"></a>So how do I handle more than one address on an interface?</h2></div></div></div><p>The answer depends on what you are trying to do with the interfaces.
    In the sub-sections that follow, we'll take a look at common
    scenarios.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="Rules"></a>Separate Rules</h3></div></div></div><p>If you need to make a rule for traffic to/from the firewall itself
      that only applies to a particular IP address, simply qualify the $FW
      zone with the IP address.</p><div class="example"><a id="SSH"></a><p class="title"><b>Example 3. allow SSH from net to eth0:0 above</b></p><div class="example-contents"><p>[<span class="optional"><code class="filename">/etc/shorewall/rules</code></span>]</p><pre class="programlisting">#ACTION   SOURCE     DEST                 PROTO      DEST PORT(S)
ACCEPT    net        $FW:206.124.146.178  tcp        22</pre></div></div><br class="example-break" /></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="DNAT"></a>DNAT</h3></div></div></div><p>Suppose that I had set up eth0:0 as above and I wanted to port
      forward from that virtual interface to a web server running in my local
      zone at 192.168.1.3. That is accomplished by a single rule in the
      <code class="filename">/etc/shorewall/rules</code> file:</p><pre class="programlisting">#ACTION   SOURCE     DEST                 PROTO      DEST PORT(S)   SOURCE    ORIGINAL
#                                                                   PORT(S)   DEST
DNAT      net        loc:192.168.1.3      tcp        80             -         206.124.146.178    </pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="SNAT"></a>SNAT</h3></div></div></div><p>If you wanted to use eth0:0 as the IP address for outbound
      connections from your local zone (eth1), then in
      <code class="filename">/etc/shorewall/masq</code>:</p><pre class="programlisting">#INTERFACE             SUBNET          ADDRESS
eth0                   eth1            206.124.146.178</pre><p>Shorewall can create the alias (additional address) for you if you
      set ADD_SNAT_ALIASES=Yes in
      <code class="filename">/etc/shorewall/shorewall.conf</code>.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Addresses added by ADD_SNAT_ALIASES=Yes are deleted and re-added
        during <span class="command"><strong>shorewall restart</strong></span>. As a consequence,
        connections using those addresses may be severed.</p></div><p>Beginning with Shorewall 1.3.14, Shorewall can actually create the
      “<span class="quote">label</span>” (virtual interface) so that you can see the created
      address using ifconfig. In addition to setting ADD_SNAT_ALIASES=Yes, you
      specify the virtual interface name in the INTERFACE column as
      follows.</p><p><code class="filename">/etc/shorewall/masq</code></p><pre class="programlisting">#INTERFACE              SUBNET         ADDRESS
eth0:0                  eth1           206.124.146.178</pre><p>Shorewall can also set up SNAT to round-robin over a range of IP
      addresses. To do that, you specify a range of IP addresses in the
      ADDRESS column. If you specify a label in the INTERFACE column,
      Shorewall will use that label for the first address of the range and
      will increment the label index by one for each subsequent address.</p><p><code class="filename">/etc/shorewall/masq</code></p><pre class="programlisting">#INTERFACE               SUBNET         ADDRESS
eth0:0                   eth1           206.124.146.178-206.124.146.180</pre><p>The above would create three IP addresses:</p><pre class="programlisting">eth0:0 = 206.124.146.178
eth0:1 = 206.124.146.179
eth0:2 = 206.124.146.180</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="NAT"></a>One-to-one NAT</h3></div></div></div><p>If you wanted to use one-to-one NAT to link <code class="filename">eth0:0</code> with local address 192.168.1.3, you
      would have the following in
      <code class="filename">/etc/shorewall/nat</code>:</p><pre class="programlisting">#EXTERNAL          INTERFACE         INTERNAL     ALL INTERFACES    LOCAL
206.124.146.178    eth0              192.168.1.3  no                no</pre><p>Shorewall can create the alias (additional address) for you if you
      set ADD_IP_ALIASES=Yes in <code class="filename">/etc/shorewall/shorewall.conf</code>.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Addresses added by ADD_IP_ALIASES=Yes are deleted and re-added
        during <span class="command"><strong>shorewall restart</strong></span>. As a consequence,
        connections using those addresses may be severed.</p></div><p>Beginning with Shorewall 1.3.14, Shorewall can actually create the
      “<span class="quote">label</span>” (virtual interface) so that you can see the created
      address using ifconfig. In addition to setting ADD_IP_ALIASES=Yes, you
      specify the virtual interface name in the INTERFACE column as
      follows.</p><p><code class="filename">/etc/shorewall/nat</code></p><pre class="programlisting">#EXTERNAL          INTERFACE         INTERNAL     ALL INTERFACES    LOCAL
206.124.146.178    eth0:0            192.168.1.3  no                no</pre><p>In either case, to create rules in
      <code class="filename">/etc/shorewall/rules</code> that pertain only to this NAT
      pair, you simply qualify the local zone with the internal IP
      address.</p><div class="example"><a id="SSH1"></a><p class="title"><b>Example 4. You want to allow SSH from the net to 206.124.146.178 a.k.a.
        192.168.1.3.</b></p><div class="example-contents"><pre class="programlisting">#ACTION    SOURCE     DEST              PROTO     DEST PORT(S)
ACCEPT     net        loc:192.168.1.3   tcp       22</pre></div></div><br class="example-break" /></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="Subnets"></a>MULTIPLE SUBNETS</h3></div></div></div><p>Sometimes multiple IP addresses are used because there are
      multiple subnetworks configured on a single LAN segment. This technique
      does not provide any security between the subnetworks if the users of
      the systems have administrative privileges: both subnetworks share one
      broadcast domain, so such a user can simply add an address from the
      other subnetwork, or a direct route to it, on their own system and reach
      it without ever passing through your firewall/router. Nevertheless, there
      are cases where you simply want to consider the LAN segment itself as a
      zone and allow your firewall/router to route between the two
      subnetworks.</p><div class="example"><a id="subnets"></a><p class="title"><b>Example 5. Local interface eth1 interfaces to 192.168.1.0/24 and
        192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
        eth1:0 is 192.168.20.254. You simply want your firewall to route
        between these two subnetworks.</b></p><div class="example-contents"><p>This example applies to Shorewall 1.4.2 and later.</p><p>In <code class="filename">/etc/shorewall/zones</code>:</p><pre class="programlisting">#ZONE        TYPE          OPTIONS
loc          ipv4</pre><p>In <code class="filename">/etc/shorewall/interfaces</code>:</p><pre class="programlisting">#ZONE       INTERFACE  BROADCAST                      OPTIONS
loc         eth1       192.168.1.255,192.168.20.255   <span class="bold"><strong>routeback</strong></span>   </pre><p>In <code class="filename">/etc/shorewall/rules</code>, simply specify
        ACCEPT rules for the traffic that you want to permit.</p></div></div><br class="example-break" /><div class="example"><a id="subnets1"></a><p class="title"><b>Example 6. Local interface eth1 interfaces to 192.168.1.0/24 and
        192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
        eth1:0 is 192.168.20.254. You want to make these subnetworks into
        separate zones and control the access between them (the users of the
        systems do not have administrative privileges).</b></p><div class="example-contents"><p>In <code class="filename">/etc/shorewall/zones</code>:</p><pre class="programlisting">#ZONE        TYPE                 OPTIONS
loc          ipv4
loc2         ipv4</pre><p>In <code class="filename">/etc/shorewall/interfaces</code>:</p><pre class="programlisting">#ZONE       INTERFACE  BROADCAST                      OPTIONS
-           eth1       192.168.1.255,192.168.20.255   </pre><p>In <code class="filename">/etc/shorewall/hosts</code>:</p><pre class="programlisting">#ZONE        HOSTS                    OPTIONS
loc          eth1:192.168.1.0/24
loc2         eth1:192.168.20.0/24</pre><p>In <code class="filename">/etc/shorewall/rules</code>, simply specify
        ACCEPT rules for the traffic that you want to permit.</p><p>For more information on handling multiple networks through a
        single interface, see <a class="ulink" href="Multiple_Zones.html" target="_self"><span class="emphasis"><em>Routing on One
        Interface</em></span></a>.</p></div></div><br class="example-break" /></div></div></div></body></html>
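The SNAT section above says that, for a range in the ADDRESS column, Shorewall uses the label given in the INTERFACE column for the first address and increments it for each further address, and the Background section explains that a name such as eth0:0 is an address label, not a device. The following POSIX shell script is an added example written for this page; it is not Shorewall's own code. It expands a masq/nat INTERFACE and ADDRESS pair into the `ip addr add` commands that ADD_SNAT_ALIASES=Yes or ADD_IP_ALIASES=Yes would imply, and it reduces the label to the real device for the `dev` argument, which is what ip and iptables require. The function names (`expand_aliases`, `device_of`, `ip_to_int`, `int_to_ip`) and the default /24 prefix length are assumptions; the broadcast address in the usage line is taken from the page's eth0 example.

```shell
#!/bin/sh
# Added example, not Shorewall code: expand a Shorewall masq/nat
# INTERFACE + ADDRESS pair into the "ip addr add" commands it implies.
# Only prints commands; it never touches the kernel.
# Assumptions: /24 default prefix length; function names are our own.

# Dotted quad -> integer (206.124.146.178 -> 3464270514).
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || { echo "ip_to_int: not a dotted quad" >&2; return 1; }
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# The real device behind an ifconfig-style label: eth0:0 -> eth0.
# "ip ... dev" and iptables -i/-o accept only this form.
device_of() {
    printf '%s\n' "${1%%:*}"
}

# expand_aliases INTERFACE ADDRESS [PREFIXLEN] [BROADCAST]
#   INTERFACE: eth0 or eth0:N (N is the label index used for the first address)
#   ADDRESS:   a.b.c.d or a.b.c.d-e.f.g.h (inclusive range)
# Prints one "ip addr add" command per address; a label is attached only
# when INTERFACE carried one, and its index grows by one per address.
expand_aliases() {
    iface=$1 range=$2 plen=${3:-24} brd=${4:-}
    dev=$(device_of "$iface")
    idx=
    [ "$iface" != "$dev" ] && idx=${iface#*:}
    if [ -n "$idx" ]; then
        case $idx in
            *[!0-9]*) echo "expand_aliases: label index must be numeric: $iface" >&2; return 1 ;;
        esac
    fi
    first=$(ip_to_int "${range%%-*}") || return 1
    last=$(ip_to_int "${range#*-}") || return 1
    if [ "$last" -lt "$first" ]; then
        echo "expand_aliases: range end precedes start: $range" >&2
        return 1
    fi
    n=$first
    while [ "$n" -le "$last" ]; do
        cmd="ip addr add $(int_to_ip "$n")/$plen"
        [ -n "$brd" ] && cmd="$cmd brd $brd"
        cmd="$cmd dev $dev"
        if [ -n "$idx" ]; then
            cmd="$cmd label $dev:$idx"
            idx=$((idx + 1))
        fi
        printf '%s\n' "$cmd"
        n=$((n + 1))
    done
}

# Usage: the round-robin range from the masq example (eth0:0, eth0:1, eth0:2).
expand_aliases eth0:0 206.124.146.178-206.124.146.180 24 206.124.146.255
```

Because the script only prints the commands, it can be run on any machine; on the gateway itself, review the output and then pipe it into sh once, remembering that `ip addr add` refuses to add an address that is already present.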