<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Shorewall and Linux-vserver</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2010</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Introduction</title>
<para>Formal support for Linux-vserver was added in Shorewall 4.4.11
Beta2. The centerpiece of that support is the
<firstterm>vserver</firstterm> zone type. Vserver zones have the following
characteristics:</para>
<itemizedlist>
<listitem>
<para>They are defined on the Linux-vserver host.</para>
</listitem>
<listitem>
<para>The $FW zone is their implicit parent.</para>
</listitem>
<listitem>
<para>Their contents must be defined using the <ulink
url="manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5) file.
The <emphasis role="bold">ipsec</emphasis> option may not be
specified.</para>
</listitem>
<listitem>
<para>They may not appear in the ZONE column of the <ulink
url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
file.</para>
</listitem>
</itemizedlist>
<para>Note that you don't need to run Vservers to use vserver zones; they
may also be used to create a firewall sub-zone for each <ulink
url="Shorewall_and_Aliased_Interfaces.html">aliased
interface</ulink>.</para>
<para>If you use these zones, keep in mind that Linux-vserver implements a
very weak form of network virtualization:</para>
<itemizedlist>
<listitem>
<para>From a networking point of view, vservers live on the host
system. So unless you take care, Vserver traffic to/from zone z will
be controlled by the fw->z and z->fw rules and policies rather
than by the vserver->z and z->vserver rules and policies.</para>
</listitem>
<listitem>
<para>Outgoing connections from a vserver will not use the Vserver's
address as the SOURCE IP address unless the applications running in
the Vserver are configured to bind to that address; IPv6 applications
are especially prone to this. Such connections will appear to come
from the $FW zone rather than the intended Vserver zone, and the
fw->z rules and policies will govern them.</para>
</listitem>
<listitem>
<para>While you can define the vservers to be associated with the
network interface where their IP addresses are added at vserver
startup time, Shorewall internally associates all vservers with the
loopback interface (<emphasis role="bold">lo</emphasis>). Here's an
example of how that association can show up:</para>
<programlisting>gateway:~# shorewall show zones
Shorewall 4.4.11-Beta2 Zones at gateway - Fri Jul 2 12:26:30 PDT 2010

fw (firewall)
drct (ipv4)
   eth4:+drct_eth4
loc (ipv4)
   eth4:0.0.0.0/0
net (ipv4)
   eth1:0.0.0.0/0
vpn (ipv4)
   tun+:0.0.0.0/0
dmz (<emphasis role="bold">vserver</emphasis>)
   <emphasis role="bold">lo</emphasis>:70.90.191.124/31

gateway:~#</programlisting>
</listitem>
</itemizedlist>
</section>
<section>
<title>Vserver Zones</title>
<para>This is a diagram of the network configuration here at Shorewall.net
during the summer of 2010:</para>
<graphic align="center" fileref="images/Network2010a.png" />
<para>I created a zone for the vservers as follows:</para>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE      TYPE        OPTIONS ...
fw         firewall
loc        ip                      #Local Zone
drct:loc   ipv4                    #Direct internet access
net        ipv4                    #Internet
vpn        ipv4                    #OpenVPN clients
<emphasis role="bold">dmz        vserver                 #Vservers</emphasis></programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE   INTERFACE   BROADCAST   OPTIONS
<emphasis role="bold">net     eth1        detect      routeback,dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp</emphasis>
...</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para>
<programlisting>#ZONE   HOST(S)                  OPTIONS
drct    eth4:dynamic
<emphasis role="bold">dmz     eth1:70.90.191.124/31    routeback</emphasis></programlisting>
<para>While the IP addresses 70.90.191.124 and 70.90.191.125 are
configured on eth1, the actual interface name is irrelevant so long as the
interface is defined in <ulink
url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Shorewall will consider all vserver zones to be associated with the
loopback interface (<emphasis role="bold">lo</emphasis>). Note that the
<emphasis role="bold">routeback</emphasis> option is required if the
vservers are to be able to communicate with each other.</para>
<para>Once a vserver zone is defined, it can be used like any other zone
type.</para>
<para>Here is the corresponding IPv6 configuration.</para>
<para><filename>/etc/shorewall6/zones</filename></para>
<programlisting>#ZONE   TYPE       OPTIONS    IN          OUT
#                             OPTIONS     OPTIONS
fw      firewall
net     ipv6
loc     ipv6
vpn     ipv6
<emphasis role="bold">dmz     vserver</emphasis>
</programlisting>
<para><filename>/etc/shorewall6/interfaces</filename>:</para>
<programlisting>#ZONE   INTERFACE   BROADCAST   OPTIONS
<emphasis role="bold">net     sit1        detect      tcpflags,forward=1,nosmurfs,routeback</emphasis>
...</programlisting>
<para><filename>/etc/shorewall6/hosts</filename>:</para>
<programlisting>#ZONE   HOST(S)                          OPTIONS
<emphasis role="bold">dmz     sit1:[2001:470:e857:1::/64]</emphasis></programlisting>
<para>Note that I chose to place the Vservers on sit1 (the IPv6 net
interface) rather than on eth1. Again, the interface name does not
matter much, since Shorewall associates the zone with
<emphasis role="bold">lo</emphasis> in either case.</para>
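<para>To make the zone assignment described in this section and in the
Introduction concrete, here is an added example (editor's code, not part of
this page and not Shorewall's own compiler). It parses constructed copies of
the zones, interfaces and hosts tables shown above, applies the constraints on
vserver zones listed in the Introduction, and reports which zone's rules
govern a connection the host originates from a given source address: a
vserver address falls into dmz, any other local address falls into $FW. The
loc and vpn interface lines, the addresses 192.0.2.1 and 2001:db8::1, and the
treatment of routeback on the interface line as equivalent to routeback on the
hosts entry are assumptions of the example.</para>

```python
"""Model of the zone assignments described on this page.

Added example, not Shorewall code. It parses constructed copies of the
zones/interfaces/hosts tables shown above, checks the vserver-zone constraints
from the Introduction, and reports which zone's rules govern a connection the
host originates from a given source address.
"""
import fnmatch
import ipaddress

# Constructed copies of the page's tables. The page abbreviates the IPv4
# interfaces file with "..."; the loc and vpn lines are assumptions consistent
# with the "shorewall show zones" output in the Introduction.
ZONES4 = "fw firewall\nloc ipv4\ndrct:loc ipv4\nnet ipv4\nvpn ipv4\ndmz vserver\n"
INTERFACES4 = """\
net   eth1   detect   routeback,dhcp,optional,routefilter=0
loc   eth4   detect
vpn   tun+   detect
"""
HOSTS4 = """\
drct  eth4:dynamic
dmz   eth1:70.90.191.124/31   routeback
"""
ZONES6 = "fw firewall\nnet ipv6\nloc ipv6\nvpn ipv6\ndmz vserver\n"
INTERFACES6 = "net sit1 detect tcpflags,forward=1,nosmurfs,routeback\n"
HOSTS6 = "dmz sit1:[2001:470:e857:1::/64]\n"


def parse_table(text):
    """Split a Shorewall table into rows of fields, dropping comments."""
    rows = [line.split("#", 1)[0].split() for line in text.splitlines()]
    return [row for row in rows if row]


def parse_zones(text):
    """zone name -> {'type', 'parent'}; a 'child:parent' name is split."""
    zones = {}
    for row in parse_table(text):
        name, parent = (row[0].split(":", 1) + [None])[:2]
        zones[name] = {"type": row[1], "parent": parent}
    return zones


def parse_interfaces(text):
    """interface name (may end in '+') -> {'zone', 'options'}."""
    return {row[1]: {"zone": row[0],
                     "options": row[3].split(",") if len(row) > 3 else []}
            for row in parse_table(text)}


def parse_hosts(text):
    """Rows 'zone iface:addr[,addr] [options]'; shorewall6 brackets the list."""
    entries = []
    for row in parse_table(text):
        iface, _, addrs = row[1].partition(":")
        addrs = addrs.strip("[]")
        nets = [] if addrs == "dynamic" else [
            ipaddress.ip_network(a, strict=False) for a in addrs.split(",")]
        options = row[2].split(",") if len(row) > 2 else []
        entries.append({"zone": row[0], "iface": iface, "nets": nets,
                        "options": options})
    return entries


def interface_for(name, interfaces):
    """The interfaces entry matching name; 'tun+' matches tun0, tun1, ..."""
    for pattern, entry in interfaces.items():
        if fnmatch.fnmatchcase(name, pattern.replace("+", "*")):
            return entry
    return None


def check_vserver_zones(zones, interfaces, hosts):
    """Violations of the vserver-zone rules listed in the Introduction."""
    problems = []
    for name, zone in zones.items():
        if zone["type"] != "vserver":
            continue
        if any(e["zone"] == name for e in interfaces.values()):
            problems.append(f"{name}: may not appear in the ZONE column of interfaces")
        entries = [h for h in hosts if h["zone"] == name]
        if not entries:
            problems.append(f"{name}: contents must be defined in hosts")
        for h in entries:
            iface = interface_for(h["iface"], interfaces)
            if iface is None:
                problems.append(f"{name}: {h['iface']} is not defined in interfaces")
            if "ipsec" in h["options"]:
                problems.append(f"{name}: the ipsec option may not be specified")
            # Assumption: routeback on either the hosts entry or the interface
            # line lets the vservers reach each other.
            if "routeback" not in h["options"] + (iface["options"] if iface else []):
                problems.append(f"{name}: without routeback the vservers cannot talk to each other")
    return problems


def classify_source(addr, zones, hosts):
    """Zone whose rules govern a connection the host originates from addr."""
    ip = ipaddress.ip_address(addr)
    for h in hosts:
        if zones[h["zone"]]["type"] == "vserver" and any(ip in n for n in h["nets"]):
            return h["zone"]
    return "fw"  # not a vserver address: fw->z rules apply, not dmz->z
```

<para>Running <code>check_vserver_zones</code> over the two configurations
above reports no problems, <code>classify_source("70.90.191.124", ...)</code>
returns <code>dmz</code>, and a source address outside the vserver's /31
returns <code>fw</code>, which is exactly the mistake the Introduction warns
about when an application in a Vserver does not bind to the Vserver's
address.</para>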
</section>
<section id="NDP">
<title>Sharing an IPv6 /64 between Vservers and a LAN</title>
<para>I have both a /64 (2001:470:b:227::/64) and a /48
(2001:470:e857::/48) from <ulink
url="http://www.tunnelbroker.net">Hurricane Electric</ulink>. When I first
set up my Vserver configuration, I assigned addresses from the /48 to the
Vservers as shown above.</para>
<para>Since it is likely that, once native IPv6 is available from my
ISP, I will only be able to afford a single /64, in February 2011 I
decided to migrate my vservers to the /64. This was made possible by the
Proxy NDP support added in Shorewall 4.4.16. The new network diagram is
shown below:</para>
<graphic align="center" fileref="images/Network2011.png" />
<para>This change was accompanied by the following additions to
<filename>/etc/shorewall6/proxyndp</filename>:</para>
<programlisting>#ADDRESS            INTERFACE   EXTERNAL   HAVEROUTE   PERSISTENT
2001:470:b:227::2   -           eth4       Yes         Yes
2001:470:b:227::3   -           eth4       Yes         Yes
</programlisting>
<para>These two entries cause the firewall to answer Neighbor
Solicitations received on interface eth4 for the two Vserver IPv6
addresses, so hosts on the LAN deliver traffic for those addresses to the
firewall even though the addresses are in the LAN's own /64.</para>
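<para>The following added example (editor's code, not part of this page
and not Shorewall code) parses the two proxyndp rows above, checks them
against the shared /64, and renders the manual ip/sysctl commands that
each row corresponds to. The mapping from a row to those commands is this
editor's reading of how Shorewall implements proxy NDP and is an
assumption; the 2001:db8:: addresses used in the checks are
constructed.</para>

```python
"""What the proxyndp entries above make the firewall do.

Added example, not Shorewall code. Parses the rows of /etc/shorewall6/proxyndp
(copied inline from the page), validates them against the shared /64, and
renders the manual ip/sysctl equivalent of each row. The equivalence is an
assumption about Shorewall's implementation, not taken from its source.
"""
import ipaddress

SHARED_PREFIX = ipaddress.ip_network("2001:470:b:227::/64")  # the LAN /64 on the page

PROXYNDP = """\
#ADDRESS            INTERFACE   EXTERNAL   HAVEROUTE   PERSISTENT
2001:470:b:227::2   -           eth4       Yes         Yes
2001:470:b:227::3   -           eth4       Yes         Yes
"""


def parse_proxyndp(text):
    """Rows of ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT; '-' means none."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        addr, iface, external, haveroute, persistent = (fields + ["No", "No"])[:5]
        rows.append({"address": ipaddress.ip_address(addr),
                     "interface": None if iface == "-" else iface,
                     "external": external,
                     "haveroute": haveroute.lower() == "yes",
                     "persistent": persistent.lower() == "yes"})
    return rows


def check_proxyndp(rows, prefix):
    """Flag rows that can never work or that would answer for one address twice."""
    problems, seen = [], set()
    for r in rows:
        a = r["address"]
        if a not in prefix:
            # Off-link addresses are sent to the default router, never solicited.
            problems.append(f"{a} is outside {prefix}: hosts on {r['external']} never solicit it")
        if a in seen:
            problems.append(f"{a} is proxied twice")
        seen.add(a)
        if r["interface"] is None and not r["haveroute"]:
            problems.append(f"{a}: HAVEROUTE=No needs an INTERFACE for the host route")
    return problems


def render_commands(rows):
    """Manual equivalent of each row (assumed); verify with 'ip -6 neigh show proxy'."""
    cmds, enabled = [], set()
    for r in rows:
        if r["external"] not in enabled:   # proxy_ndp is per interface, enable once
            cmds.append(f"sysctl -w net.ipv6.conf.{r['external']}.proxy_ndp=1")
            enabled.add(r["external"])
        cmds.append(f"ip -6 neigh add proxy {r['address']} dev {r['external']}")
        if not r["haveroute"]:   # HAVEROUTE=No: a host route via INTERFACE is also needed
            cmds.append(f"ip -6 route replace {r['address']}/128 dev {r['interface']}")
    return cmds
```

<para>With HAVEROUTE set to Yes, as on this page, no route is added: the
vserver addresses are already configured on the host, so only the proxy
neighbor entries on eth4 are needed. After <command>shorewall6
restart</command>, <command>ip -6 neigh show proxy dev eth4</command>
should list both addresses.</para>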
<para>As part of this change, the <emphasis role="bold">Lists</emphasis>
vserver (OpenSuSE 10.3) was retired in favor of <emphasis
role="bold">Mail</emphasis> (Debian Squeeze).</para>
</section>
</article>