====== LXC NAT Routing Shorewall configuration ======

Shorewall Firewall is a high level netfilter/iptables configuration tool. (([[http://www.shorewall.net]]))

This document complements the [[linux:applicaties:lxc:lxc-natrouting|LXC NAT Routing configuration]] Howto.

This document is based on:\\
  - Tux4u(r)/Penguin Suite: PS-wheezy\\
  - PS-app: emu-lxc 1.0.4

===== 1. Overview =====

{{ linux:applicaties:lxc-nat-450x601.png }}

More information:
  * [[linux:applicaties:lxc:lxc-natrouting|LXC NAT Routing configuration]]
  * [[linux:applicaties:lxc:lxc-introduction#lxc_networking_scenarios|LXC Introduction: LXC Networking scenarios]]

===== 2. Shorewall installation =====

<code>
# apt-get install shorewall
</code>

===== 3. Shorewall configuration =====

  * Note: All Shorewall configuration files are located in "**/etc/shorewall/**" unless specified otherwise.

==== 3.1 shorewall.conf ====

Enable Linux kernel ip_forwarding:

<code>
# IP_FORWARDING=Keep
IP_FORWARDING=On
</code>

==== 3.2 zones ====

<code>
# For information about entries in this file, type "man shorewall-zones"
###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
lxc     ipv4
</code>

Annotation of "fw zone": ((All IP addresses configured on firewall interfaces are in the $FW (fw) zone. If 192.168.1.254 is the IP address of your internal interface then you can write $FW:192.168.1.254 in a rule but you may not write loc:192.168.1.254. Similarly, it is nonsensical to add 192.168.1.254 to the loc zone using an entry in /etc/shorewall/hosts. [[http://shorewall.net/two-interface.htm|Shorewall Two-Interface example: Some Things to Keep in Mind]]))

Annotation of "lxc zone": ((The "lxc" zone is a virtual "local" zone. From a networking perspective LXC Containers are external computers, since their networking environment is completely separated from the networking environment of the host. Consequently the IP addresses of LXC Containers do not belong to the $FW zone!))
==== 3.3 interfaces ====

<code>
# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
FORMAT 2
###############################################################################
#ZONE   INTERFACE       OPTIONS
net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
lxc     br0             routeback,bridge,tcpflags,nosmurfs,routefilter,logmartians
</code>

==== 3.4 policy ====

<code>
# For information about entries in this file, type "man shorewall-policy"
###############################################################################
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
$FW     net     ACCEPT
$FW     lxc     ACCEPT
lxc     net     ACCEPT
lxc     $FW     ACCEPT
net     all     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
</code>

==== 3.5 rules ====

  * The rules stated here are examples. Adjust as appropriate.

<code>
# For information about entries in this file, type "man shorewall-rules"
######################################################################################################################################################################################
#ACTION         SOURCE                  DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME    HEADERS         SWITCH
#                                                               PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW

# Don't allow connection pickup from the net
#
Invalid(DROP)   net                     all
Ping(ACCEPT)    net                     $FW

#
# Connections from net
# ====================
#ACTION         SOURCE                  DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME    HEADERS         SWITCH
#                                                               PORT    PORT(S)         DEST            LIMIT           GROUP
SSH(ACCEPT)     net:192.168.1.0/24      $FW

# DNAT rules
# ==========
#ACTION         SOURCE                  DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME    HEADERS         SWITCH
#                                                               PORT    PORT(S)         DEST            LIMIT           GROUP
DNAT            net                     lxc:172.16.1.1  tcp     80      -               192.168.1.101
</code>

===== 4. Shorewall start =====

==== 4.1 Check configuration ====

<code>
# cd /etc/shorewall
# shorewall check .
</code>
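Besides "shorewall check", it helps to verify by hand which policy from section 3.4 applies to a given zone pair, since Shorewall takes the first matching entry in file order and "all" matches any zone. The small linter below is an added example, not part of this Howto or of Shorewall itself; it only models the plain zone names and the "all" wildcard shown above, and its sample input is the policy file from section 3.4 copied into a string.

```python
"""Lint a Shorewall policy file and resolve the effective policy for a
zone pair, mirroring Shorewall's first-match semantics for plain zones
and the 'all' wildcard (an assumption: other wildcards are not modelled)."""

# Constructed sample: the /etc/shorewall/policy file from section 3.4.
SAMPLE_POLICY = """\
# For information about entries in this file, type "man shorewall-policy"
###############################################################################
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
$FW     net     ACCEPT
$FW     lxc     ACCEPT
lxc     net     ACCEPT
lxc     $FW     ACCEPT
net     all     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
"""


def parse_policy(text):
    """Return (source, dest, policy, log_level) tuples in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError("malformed policy line: %r" % raw)
        level = cols[3] if len(cols) > 3 else "-"
        entries.append((cols[0], cols[1], cols[2].upper(), level))
    return entries


def effective_policy(entries, src, dst):
    """First entry whose source and dest match (or are 'all') wins."""
    for e_src, e_dst, pol, _ in entries:
        if e_src in (src, "all") and e_dst in (dst, "all"):
            return pol
    return None


def lint_policy(entries):
    """Findings: the catch-all must be last, no ACCEPT from net,
    and no entry may be shadowed by an earlier, broader one."""
    findings = []
    if not entries or entries[-1][:3] != ("all", "all", "REJECT"):
        findings.append("last policy must be 'all all REJECT'")
    for i, (src, dst, pol, _) in enumerate(entries):
        if src == "net" and pol == "ACCEPT":
            findings.append("entry %d: ACCEPT policy from net to %s" % (i + 1, dst))
        if effective_policy(entries[:i], src, dst) is not None:
            findings.append("entry %d: %s %s is shadowed" % (i + 1, src, dst))
    return findings
```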
==== 4.2 Start Shorewall configuration ====

<code>
# cd /etc/shorewall
# shorewall start
</code>

Annotation of "shorewall start": ((Upon "shorewall start" Shorewall compiles the Shorewall configuration files into a set of "iptables" rules. If the compilation is successful, this iptables ruleset is applied to the Linux kernel. No daemons are started by Shorewall.))

More information on shorewall commands:\\
$ **man shorewall**

==== 4.3 Start Shorewall on boot ====

Edit "/etc/default/shorewall" and set "startup=1":

<code>
## /etc/default/shorewall
# prevent startup with default configuration
# set the following variable to 1 in order to allow Shorewall to start
# startup=0
startup=1
</code>

===== 5. More information =====

^ Links ^^
| [[http://www.shorewall.net]] | Shorewall Firewall Homepage |
| $ man -k shorewall | List of Shorewall commands and files |
| /usr/share/doc/shorewall/* | Shorewall documentation and examples |

====== . ======

Copyright (c) 2014 Integrated Services; Tux4u.nl\\
Author: Marjan Waldorp; lxc/lxc-shorewallnat 2014-09-01