Dear List,
I am trying to set up Shorewall on a co-located server which is part of a 
/24 network of which I have 5 IP addresses. Here is my setup in more detail:
[root@mail root]# shorewall version
2.0.9
[root@mail root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
     link/ether 00:c0:9f:3d:12:41 brd ff:ff:ff:ff:ff:ff
     inet 217.112.90.114/24 brd 217.112.90.255 scope global eth0
     inet 217.112.90.115/24 brd 217.112.90.255 scope global secondary eth0:0
     inet 217.112.90.116/24 brd 217.112.90.255 scope global secondary eth0:1
     inet 217.112.90.117/24 brd 217.112.90.255 scope global secondary eth0:2
     inet 217.112.90.118/24 brd 217.112.90.255 scope global secondary eth0:3
     inet 217.112.90.119/24 brd 217.112.90.255 scope global secondary eth0:4
     inet 217.112.90.120/24 brd 217.112.90.255 scope global secondary eth0:5
[root@mail root]# ip route show
217.112.90.0/24 dev eth0  proto kernel  scope link  src 217.112.90.114
169.254.0.0/16 dev eth0  scope link
default via 217.112.90.1 dev eth0
[root@mail root]#
As I only have a single "real" network interface I simply want to 
restrict access on a per-IP basis. Firstly, I'd like to know if this is 
possible with Shorewall? The documentation seems to indicate Shorewall 
is for dedicated firewalls rather than protecting a single host - is 
this correct?
Reading the article on virtual IPs I can see that I could set rules as
follows:
ACCEPT	net	$FW:206.124.146.178	tcp	22
Which I think is what I need. What I don't understand is how I would 
set up /etc/shorewall/policy as really I only have one zone.
Can anyone advise if what I need is possible and how I would set up the 
policy file? If it is possible, is there anything else I should take 
into consideration?
Thanks, Nick
Tom Eastep
2004-Oct-24  15:36 UTC
Re: Shorewall with a single interface and multiple aliases
On Sunday 24 October 2004 04:28, Nick Chettle wrote:
> Reading the article on virtual IPs I can see that I could set rules as
> follows:
>
> ACCEPT	net	$FW:206.124.146.178	tcp	22

That's correct.

>
> Which I think is what I need. What I don't understand is how I would
> set up /etc/shorewall/policy as really I only have one zone.
>
> Can anyone advise if what I need is possible and how I would set up the
> policy file? If it is possible, is there anything else I should take
> into consideration?
>

You still only have two zones -- $FW and 'net'. So you probably just want the
policy file that you downloaded from the 'standalone' sample.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
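
The two-zone layout described in the reply, applied to the addresses from the original post, as an added example that is not part of either message and not copied from the Shorewall sample files. The policy rows are an assumption of a typical standalone default-deny policy, and the service-to-address assignments are constructed for illustration.

```conf
# /etc/shorewall/zones  (the firewall zone itself is implicit)
#ZONE   DISPLAY   COMMENTS
net     Net       Internet

# /etc/shorewall/interfaces
# List only the physical device. Netfilter cannot match alias labels
# such as eth0:0, so per-address filtering is done in the rules file.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect

# /etc/shorewall/policy  (assumed standalone-style defaults)
# "fw" is the default firewall zone name that $FW expands to.
#SOURCE   DEST   POLICY   LOG LEVEL
fw        net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules  (constructed service assignments)
# Each row opens one service on one local address only.
#ACTION   SOURCE   DEST                 PROTO   DEST PORT(S)
ACCEPT    net      $FW:217.112.90.114   tcp     22
ACCEPT    net      $FW:217.112.90.115   tcp     25
ACCEPT    net      $FW:217.112.90.116   tcp     80,443
```

Because the net-to-all policy is DROP, a connection to any address on eth0 that has no matching ACCEPT row is dropped and logged, including the aliases that have no rule at all.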