Rechercher une page de manuel
shorewall-nesting
Langue: en
Version: 17 June 2007 (mandriva - 22/10/07)
Section: 5 (Format de fichier)
NAME
Nesting - Shorewall Nested ZonesSYNOPSIS
child-zone[: parent-zone[, parent-zone]...]DESCRIPTION
In shorewall-zones(5), a zone may be declared to be a sub-zone of one or more other zones using the above syntax.Where zones are nested, the CONTINUE policy in shorewall-policy(5) allows hosts that are within multiple zones to be managed under the rules of all of these zones.
EXAMPLE
/etc/shorewall/zones:
#ZONE TYPE OPTION
fw firewall
net ipv4
sam:net ipv4
loc ipv4
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
- eth0 detect dhcp,norfc1918
loc eth1 detect
/etc/shorewall/hosts:
#ZONE HOST(S) OPTIONS
net eth0:0.0.0.0/0
sam eth0:206.191.149.197
/etc/shorewall/policy:
#SOURCE DEST POLICY LOG LEVEL
loc net ACCEPT
sam all CONTINUE
net all DROP info
all all REJECT info
The second entry above says that when Sam is the client, connection requests should first be processed under rules where the source zone is sam and if there is no match then the connection request should be treated under rules where the source zone is net. It is important that this policy be listed BEFORE the next policy (net to all). You can have this policy generated for you automatically by using the IMPLICIT_CONTINUE option in shorewall.conf(5).
Partial /etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DEST PORT(S)
...
DNAT sam loc:192.168.1.3 tcp ssh
DNAT net loc:192.168.1.5 tcp www
...
Given these two rules, Sam can connect to the firewall's internet interface with ssh and the connection request will be forwarded to 192.168.1.3. Like all hosts in the net zone, Sam can connect to the firewall's internet interface on TCP port 80 and the connection request will be forwarded to 192.168.1.5. The order of the rules is not significant. Sometimes it is necessary to suppress port forwarding for a sub-zone. For example, suppose that all hosts can SSH to the firewall and be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the firewall's external IP, he should be connected to the firewall itself. Because of the way that Netfilter is constructed, this requires two rules as follows:
#ACTION SOURCE DEST PROTO DEST PORT(S)
...
ACCEPT+ sam $FW tcp ssh
DNAT net loc:192.168.1.3 tcp ssh
...
The first rule allows Sam SSH access to the firewall. The second rule says that any clients from the net zone with the exception of those in the "sam" zone should have their connection port forwarded to 192.168.1.3. If you need to exclude more than one zone, simply use multiple ACCEPT+ rules. This technique also may be used when the ACTION is REDIRECT.
FILES
/etc/shorewall/zones/etc/shorewall/interfaces
/etc/shorewall/hosts
/etc/shorewall/policy
/etc/shorewall/rules
SEE ALSO
shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)Contenus ©2006-2024 Benjamin Poulain
Design ©2006-2024 Maxime Vantorre