Franck wrote:
>I don't find any doc about shorewall and vlan :( Is it possible to work with both?
Yes, try searching the list archives.
>Is anyone can help me (examples, docs) about this ?
I set a couple of (Debian) machines up not long ago - gateways for
multi-tenancy business units. Key bits of the config are :
/etc/network/interfaces:
Outside interface is a Netgear DM111P ADSL modem, in this particular
case with just one address from the ISP. There's a commented line
that shows one way of dealing with additional public addresses.
You'll notice I've used ethint and ethext instead of eth0 and eth1 -
the system has ifrename installed which does this based on a mac-name
mapping file (/etc/iftab) which makes it easier to guarantee which is
which. The VLAN stuff is done by the kernel VLAN support with no
special hardware, just pick a good quality network card and it should
be fine.
auto ethext
# iface ethext inet dhcp
iface ethext inet static
    address a.b.c.d
    netmask 255.255.255.255
    broadcast a.b.c.d
    gateway a.b.c.d
    up ip addr add 192.168.0.2/24 brd 192.168.0.255 dev ethext label ethext:modem
    # up ip addr add a.b.c.27/24 brd a.b.c.255 dev ethext label ethext:27

auto ethint
iface ethint inet static
    address 10.1.1.1
    netmask 255.255.255.0
    vlan_raw_device ethint
    up echo "Name-Type: VLAN_NAME_TYPE_PLUS_VID_NO_PAD" > /proc/net/vlan/config

auto vlan101
iface vlan101 inet static
    address 10.1.101.1
    netmask 255.255.255.0
    vlan_raw_device ethint
    up echo 1 > /proc/sys/net/ipv4/conf/vlan101/arp_filter
    up echo 2 > /proc/sys/net/ipv4/conf/vlan101/arp_ignore
    up echo 1 > /proc/sys/net/ipv4/conf/vlan101/rp_filter

auto vlan102
iface vlan102 inet static
    address 10.1.102.1
    netmask 255.255.255.0
    vlan_raw_device ethint
    up echo 1 > /proc/sys/net/ipv4/conf/vlan102/arp_filter
    up echo 2 > /proc/sys/net/ipv4/conf/vlan102/arp_ignore
    up echo 1 > /proc/sys/net/ipv4/conf/vlan102/rp_filter
and so on for as many interfaces as you need.
Zones:
fw firewall
net ipv4
tech ipv4
cust ipv4
Interfaces:
net   ethext  detect  tcpflags,routefilter,nosmurfs,logmartians,arp_filter,arp_ignore=1
tech  ethint  detect  tcpflags,detectnets,nosmurfs,routeback,dhcp,routefilter,arp_filter,arp_ignore=2
cust  vlan+   detect  tcpflags,nosmurfs,routeback,dhcp
Note that you can't use certain options with "vlan+", which is why
they are set by the 'up' commands in the interfaces file.
The tech zone is there for all the network gear (switches etc) that
need IP addresses for management, but which are not visible to
customers/tenants. Tenants are given one of the VLANs and a private
address space each.
Masq:
#ethext 10.1.103.199/32 a.b.c.27
ethext 10.1.0.0/16
This masqs everything to the main external IP; the commented-out line
is how you can give a particular vlan/subnet its own outside address
(i.e. traffic from that subnet goes out with a different source address
to the rest).
Policy:
cust net ACCEPT
cust $FW REJECT ULOG
cust tech REJECT ULOG
cust cust REJECT ULOG
cust all REJECT ULOG
$FW net ACCEPT
$FW cust ACCEPT
$FW tech ACCEPT
$FW all ACCEPT
net $FW DROP
net cust DROP
net tech DROP
net all DROP
tech $FW ACCEPT
tech cust ACCEPT
tech net ACCEPT ULOG
tech all REJECT ULOG
all all DROP
That should be fairly self explanatory - adjust as required, but note
that I explicitly block access from cust to cust and from cust to
tech.
Rules:
This is where it gets fun! You WILL most definitely have to fiddle
with these, and some of these will get removed when I've finished
setting things up.
# DNS
#
DNS/ACCEPT $FW net
DNS/ACCEPT cust $FW
DNS/ACCEPT tech $FW
DNS/ACCEPT net $FW
#
# SSH
#
SSH/ACCEPT:ULOG cust $FW
SSH/ACCEPT:ULOG cust $FW:10.1.1.1
SSH/ACCEPT:ULOG tech $FW
SSH/ACCEPT:ULOG net:$AdminAdd $FW
#
# Webmin
#
ACCEPT:ULOG cust $FW tcp 10000
ACCEPT:ULOG tech $FW tcp 10000
ACCEPT:ULOG net:$AdminAdd $FW tcp 10000
#
# Admin access to tech bits
#
# Ethernet switch
ACCEPT cust:10.1.101.0/24 tech:10.1.1.16 icmp
ACCEPT:ULOG cust:10.1.101.0/24 tech:10.1.1.16 tcp 80
DNAT:ULOG net:$AdminAdd tech:10.1.1.16:80 tcp 8080 - a.b.c.d
#DNAT:ULOG net:$AdminAdd tech:10.1.1.16:80 tcp 80 - a.b.c.27
# tftp for switch
ACCEPT:ULOG tech:10.1.1.16 $FW:10.1.1.1 udp 69
# RDP to server
RDP/ACCEPT:ULOG cust:10.1.101.0/24 tech:10.1.1.32
RDP/ACCEPT:ULOG net:$AdminAdd tech:10.1.1.32
RDP/DNAT:ULOG net:$AdminAdd tech:10.1.1.32 tcp - - a.b.c.d
# SMB & AD to server
SMB/ACCEPT cust:10.1.102.0/24 tech:10.1.1.32
AD/REJECT cust:10.1.102.0/24 tech:10.1.1.32
AD/ACCEPT cust tech:10.1.1.32
# Access to ADSL Modem
ACCEPT tech net:192.168.0.0/24
ACCEPT cust:10.1.101.0/24 net:192.168.0.0/24
DROP cust net:192.168.0.0/24
# Web to server
HTTP/ACCEPT:ULOG cust tech:10.1.1.32
#
# Ping - don't allow ping to other customers' gateway addresses!
#
Ping/ACCEPT cust $FW:ethext
Ping/ACCEPT cust tech:10.1.1.32
Ping/ACCEPT cust:10.1.101.0/24 $FW:10.1.101.1
Ping/ACCEPT cust:10.1.102.0/24 $FW:10.1.102.1
...
Ping/ACCEPT cust:10.1.132.0/24 $FW:10.1.132.1
Ping/REJECT cust $FW
Ping/ACCEPT tech $FW
Ping/ACCEPT net $FW - - - - 12/min:10
ACCEPT $FW cust icmp
ACCEPT $FW net icmp
ACCEPT $FW tech icmp
# And block unauthorised email
#SMTP/ACCEPT cust:10.1.101.0/24 net
SMTP/ACCEPT cust:10.1.101.0/24 net:<some mail server>
# <some customer> - allow them to send mail to their server
SMTP/ACCEPT cust:10.1.102.0/24 net:<customers mail server>
# Allow connections to <our mail server>
SMTP/ACCEPT:ULOG tech net:<our mail server>
SMTP/ACCEPT:ULOG cust net:<our mail server>
# Allow SMTP inbound to server, and outbound from server
SMTP/DNAT:ULOG net tech:10.1.1.32 tcp - - a.b.c.d
SMTP/ACCEPT:ULOG tech:10.1.1.32 net
# drop any smtp not specifically authorised
SMTP/DROP:ULOG cust net
# Allow NTP
NTP/ACCEPT cust $FW
NTP/ACCEPT cust tech:10.1.1.32
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
You may well have noticed that several bits of several files are 'a
bit repetitive' - I wrote a script to write these bits!
I also have traffic accounting so I can graph the network usage by
different customers/tenants.
Hope this helps a bit.
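The poster says the repetitive per-VLAN stanzas and rules came from a script, which is not included in the message. What follows is an added example, not the poster's script and not part of the original post. It assumes the addressing scheme the post uses (the tenant on VLAN id N gets 10.1.N.0/24 with this gateway at 10.1.N.1, the tagged internal interface is named ethint, and VLAN names follow VLAN_NAME_TYPE_PLUS_VID_NO_PAD) and relies on Shorewall's policy file being first-match per zone pair with "all" as a wildcard. It emits the interfaces stanza and the per-tenant Ping rules for a list of VLAN ids, and checks that the policy order still keeps tenants away from each other, from the tech zone and from the firewall while letting them reach the internet; the second, constructed policy sample shows how moving the "cust all REJECT" catch-all above "cust net ACCEPT" silently cuts tenants off.

```python
# Added example (not the poster's script): generate the repetitive per-VLAN
# pieces of the setup above and sanity-check the policy file's tenant isolation.
# Assumed scheme, taken from the post: tenant on VLAN id N -> 10.1.N.0/24,
# gateway (this box) at 10.1.N.1, tagged internal interface named "ethint".
import ipaddress

RAW_DEV = "ethint"      # assumed: tagged internal interface, as in the post
SITE_PREFIX = "10.1"    # assumed: tenant subnets are 10.1.<vid>.0/24
BLOCKING = {"REJECT", "DROP"}


def is_valid_vid(vid: int) -> bool:
    """802.1Q allows ids 1-4094; the 10.1.<vid>.0/24 scheme further needs vid <= 255."""
    return 1 <= vid <= 255


def tenant_subnet(vid: int) -> ipaddress.IPv4Network:
    if not is_valid_vid(vid):
        raise ValueError(f"VLAN id {vid} not usable with the {SITE_PREFIX}.<vid>.0/24 scheme")
    return ipaddress.IPv4Network(f"{SITE_PREFIX}.{vid}.0/24")


def gateway(vid: int) -> ipaddress.IPv4Address:
    return tenant_subnet(vid).network_address + 1


def interface_stanza(vid: int) -> str:
    """One /etc/network/interfaces stanza, carrying the same per-interface
    hardening the post applies by hand (arp_filter, arp_ignore=2, rp_filter),
    since those options are not set through the 'vlan+' wildcard in Shorewall."""
    net = tenant_subnet(vid)
    iface = f"vlan{vid}"    # VLAN_NAME_TYPE_PLUS_VID_NO_PAD naming, as in the post
    lines = [
        f"auto {iface}",
        f"iface {iface} inet static",
        f"    address {gateway(vid)}",
        f"    netmask {net.netmask}",
        f"    vlan_raw_device {RAW_DEV}",
    ]
    for key, val in (("arp_filter", 1), ("arp_ignore", 2), ("rp_filter", 1)):
        lines.append(f"    up echo {val} > /proc/sys/net/ipv4/conf/{iface}/{key}")
    return "\n".join(lines) + "\n"


def ping_rules(vids) -> list:
    """Per-tenant Ping rules: each tenant may ping only its own gateway address;
    the trailing REJECT stops a tenant probing the other tenants' gateway addresses."""
    rules = [f"Ping/ACCEPT\tcust:{tenant_subnet(v)}\t$FW:{gateway(v)}" for v in vids]
    rules.append("Ping/REJECT\tcust\t$FW")
    return rules


def effective_policy(policy_text: str, src: str, dst: str):
    """Return the action of the first policy line matching the zone pair
    (Shorewall is first-match; 'all' matches any zone).  $FW is treated
    as a literal zone token here rather than expanded."""
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        s, d, action = fields[0], fields[1], fields[2]
        if s in (src, "all") and d in (dst, "all"):
            return action
    return None


def tenants_isolated(policy_text: str) -> bool:
    """True when tenants cannot reach each other, the management (tech) zone
    or the firewall by default, yet still get out to the internet."""
    return (
        effective_policy(policy_text, "cust", "cust") in BLOCKING
        and effective_policy(policy_text, "cust", "tech") in BLOCKING
        and effective_policy(policy_text, "cust", "$FW") in BLOCKING
        and effective_policy(policy_text, "cust", "net") == "ACCEPT"
    )


# Constructed sample: the post's cust policies, in the post's order.
POLICY_OK = """\
cust net ACCEPT
cust $FW REJECT ULOG
cust tech REJECT ULOG
cust cust REJECT ULOG
cust all REJECT ULOG
all all DROP
"""

# Constructed sample of the ordering mistake: the catch-all moved above the
# ACCEPT, so tenants silently lose internet access.
POLICY_BAD = """\
cust all REJECT ULOG
cust net ACCEPT
cust cust REJECT ULOG
all all DROP
"""

if __name__ == "__main__":
    print(interface_stanza(101))
    print("\n".join(ping_rules([101, 102])))
    print("post's order isolates tenants:", tenants_isolated(POLICY_OK))
    print("reordered policy isolates tenants:", tenants_isolated(POLICY_BAD))
```

Run it as-is to print the vlan101 stanza and the Ping rules for two tenants; feed a real policy file's text to tenants_isolated() before a "shorewall restart" to catch the catch-all-first mistake that the first-match semantics make easy to introduce.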