Hi, I’m no Shorewall expert, so please regard this answer as possibly incomplete. I think I can help you a little with the aliased configuration, not with the NAT part.
It’s important to understand that the aliased ‘interface’ actually isn’t a separate interface: eth0 and eth0:1 are regarded as the same thing. If you want to differentiate between them, you will have to specify an IP address in the SOURCE or DESTINATION column of the rules file. For example:

# Public interface
ACCEPT  net  $FW:12.34.56.78  icmp  echo-request
# Private interface
DROP    net  $FW:98.76.54.32  icmp  echo-request

It is possible to create variables to hold the IP addresses in the Shorewall params file, for example:

PUB_IP=12.34.56.78
PRV_IP=98.76.54.32
FW_PUB=fw:$PUB_IP
FW_PRV=fw:$PRV_IP

Then you could say:

ACCEPT  net  $FW_PUB  icmp  echo-request
DROP    net  $FW_PRV  icmp  echo-request

Note that the 'fw' zone is mentioned in the variable declarations. This should be the same name as the firewall zone declared in the zones file.

Hope this helps a little bit,
Sascha Sanches

From: Aaron St. Pierre
Sent: Saturday, June 09, 2012 4:31 AM
To: [email protected]
Subject: [Shorewall-users] Aliased interfaces proper setup

Hello,

I'm new to shorewall and new to the list. My question is related to aliased interfaces and the proper configuration of shorewall for my setup. I currently have a VPS running at linode and it has the following configuration:

eth0 primary address is publicly routed
eth0:1 is a private address and internal only

What I'd like to do is:
- limit traffic from the Internet to the FW (which is standard and makes sense). But I'd also like to
- limit traffic on the private aliased interface as there are other VPS's on that same network which have nothing to do with me. I want to limit traffic on the internal private network to only the VPS's that I own and no others.

I've played around with a few different configurations, but really don't think I'm understanding what needs to happen here with respect to shorewall.
From a firewall perspective it would seem simple enough to only allow traffic between my VPS's on the backend network, but I'm not having luck translating that... Currently I've got a one-to-one NAT setup from my Internet IP to the private IP. This is working great but I'm not sure what to do next. Was wondering if someone could point me in the right direction. I'd send my configuration but there really isn't much to it. Like I said, I'm using a basic configuration to do NAT and have three zones set up: fw, loc, and net. I've RTFM, esp. the aliased interfaces page, but still don't think I've grokked how to set up the rules.

Thanks for the help!

--
Aaron

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
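Added example, not from either message in the thread: the params approach from the reply applied to the question's second goal, admitting only the poster's own VPSs on the private alias. It assumes the private segment is the `loc` zone, that the firewall zone is named `fw`, and uses constructed addresses; the ports are placeholders.

```conf
# /etc/shorewall/params  (added example; all addresses are constructed)
PUB_IP=12.34.56.78                # primary address on eth0, publicly routed
PRV_IP=192.168.10.5               # alias on eth0:1, private segment only
FW_PUB=fw:$PUB_IP                 # 'fw' must match the zone name in zones
FW_PRV=fw:$PRV_IP
# Assumption: the private segment is the 'loc' zone. MY_VPS lists the
# private addresses of the VPSs the poster owns; every other host on
# that segment is excluded by the final DROP below.
MY_VPS=loc:192.168.10.6,192.168.10.7

# /etc/shorewall/rules
#ACTION    SOURCE    DEST      PROTO   DPORT
# Public alias: expose only the services the Internet should reach.
ACCEPT     net       $FW_PUB   tcp     22,80,443
ACCEPT     net       $FW_PUB   icmp    echo-request
# Private alias: accept the owner's VPSs, then log and drop everything
# else arriving on the private address before the loc->fw policy applies.
ACCEPT     $MY_VPS   $FW_PRV   tcp     22,3306
ACCEPT     $MY_VPS   $FW_PRV   icmp    echo-request
DROP:info  loc       $FW_PRV
```

Because eth0 and eth0:1 are the same interface to Shorewall, the DEST address in each rule is what selects the public or private side; the logged DROP also shows in syslog which foreign VPSs on the segment are probing the private address.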
