Gebruikershulpmiddelen

Site-hulpmiddelen


linux:applicaties:lxc:lxc-shorewallnat

LXC NAT Routing Shorewall configuration

Shorewall Firewall is a high level netfilter/iptables configuration tool. 1)

This document complements the LXC NAT Routing configuration Howto.

This document is based on:
- Tux4u®/Penguin Suite: PS-wheezy
- PS-app: emu-lxc 1.0.4

1. Overview

2. Shorewall installation

# apt-get install shorewall

3. Shorewall configuration

  • Note: All Shorewall configuration files are located in “/etc/shorewall/” unless specified otherwise.

3.1 shorewall.conf

Enable Linux kernel ip_forwarding:

# IP_FORWARDING=Keep
IP_FORWARDING=On

3.2 zones

# For information about entries in this file, type "man shorewall-zones"
###############################################################################
#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
lxc     ipv4

Annotation of “fw zone”: 2)

Annotation of “lxc zone”: 3)

3.3 interfaces

# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
FORMAT 2
###############################################################################
#ZONE   INTERFACE       OPTIONS
net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
lxc     br0             routeback,bridge,tcpflags,nosmurfs,routefilter,logmartians

3.4 policy

# For information about entries in this file, type "man shorewall-policy"
###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST

$FW             net             ACCEPT
$FW             lxc             ACCEPT
lxc             net             ACCEPT
lxc             $FW             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

3.5 rules

  • The rules stated here are examples. Adjust as appriopriate.
# For information about entries in this file, type "man shorewall-rules"
######################################################################################################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME         HEADERS         SWITCH
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW

#       Don't allow connection pickup from the net
#
Invalid(DROP)   net             all

Ping(ACCEPT)    net             $FW
#
# Connections from net
# ====================
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME         HEADERS         SWITCH
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
SSH(ACCEPT)     net:192.168.1.0/24 $FW


# DNAT rules
# ==========
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME         HEADERS         SWITCH
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
DNAT            net             lxc:172.16.1.1  tcp     80      -               192.168.1.101

4. Shorewall start

4.1 Check configuration

# cd /etc/shorewall

# shorewall check .

4.2 Start Shorewall configuration

# cd /etc/shorewall

# shorewall start

Annotation of “shorewall start”: 4)

More information on shorewall commands:
$ man shorewall

4.3 Start Shorewall on boot

Edit the “/etc/default/shorewall” and set “startup=1”:

## /etc/default/shorewall

# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start

# startup=0
startup=1

5. More information

Links
http://www.shorewall.net Shorewall Firewall Homepage
$ man -k shorewall List of Shorewall commands and files
/usr/share/doc/shorewall/* Shorewall documentation and examples

.

Copyright © 2014 Integrated Services; Tux4u.nl
Author: Marjan Waldorp; lxc/lxc-shorewallnat 2014-09-01

2)
All IP addresses configured on firewall interfaces are in the $FW (fw) zone.
If 192.168.1.254 is the IP address of your internal interface
then you can write $FW:192.168.1.254 in a rule but you may not write
loc:192.168.1.254. Similarly, it is nonsensical to add 192.168.1.254
to the loc zone using an entry in /etc/shorewall/hosts.
Shorewall Two-Interface example: Some Things to Keep in Mind
3)
The “lxc” zone is a virtual “local” zone. From a networking perspective LXC Containers are external computers, since their networking environment is completely separated from the networking environment of the host. Consequently IP addresses of LXC Containers do not belong to the $FW zone!
4)
Upon “shorewall start” Shorewall compiles the Shorewall configuration files into a set of “iptables” rules. If the compilation is successful this iptables ruleset will be applied to the Linux kernel. No daemons are started by Shorewall.
linux/applicaties/lxc/lxc-shorewallnat.txt · Laatst gewijzigd: 2018/12/30 17:17 (Externe bewerking)