shorewall-nesting(5): Shorewall Nested Zones - Linux man page
Synopsis. /etc/shorewall/tcinterfaces. Description. This file lists the interfaces that are subject to simple traffic shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in shorewall.conf(5).

Shorewall - ArchWiki
The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and, with the help of the iptables utility, configures Netfilter to match your requirements.

Shorewall - A High-Level Firewall for Configuring Linux (Jul 25, 2018)
Linux Configure Firewall Using Shorewall Under RHEL (Dec 20, 2012)
Update: You probably also need to masquerade traffic coming from docker out your WAN interface. Edit /etc/shorewall/masq and you'll need a line similar to:

br0 172.17.0.0/12

In this case, my WAN interface is actually br0 (a bridge), but yours will probably be something like eth0. (Use ifconfig to see your interfaces and their IP addresses.) On
Name. nesting - Shorewall Nested Zones
Synopsis. child-zone[:parent-zone[,parent-zone]]
Description. In shorewall-zones(5), a zone may be declared to be a sub-zone of one or more other zones using the above syntax. The child-zone may be neither the firewall zone nor a vserver zone. The firewall zone may not appear as a parent zone, although all vserver zones are handled as sub-zones of

shorewall-nat(5): Shorewall one-to-one NAT file - Linux
Shorewall allows loose matches to wildcard entries in shorewall-interfaces(5). For example, ppp0 in this file will match a shorewall-interfaces(5) entry that defines ppp+. If you want to override ADD_IP_ALIASES=Yes for a particular entry, follow the interface name with ":" and no digit (e.g., "eth0:").
With the interfaces file defined as above and eth1.110 called out as an interface within Shorewall with appropriate rules, I cannot ping or reach any services on VLAN 110. If I simply revert the interface files back to using interface eth1, everything works through Shorewall. So I believe the issue is my incorrect implementation of VLANs.
interfaces. Just above, we told Shorewall that we had two new IPv4 networks. In the interfaces configuration file, we link these networks to physical interfaces.

A quick how-to on configuring Shorewall with two interfaces to share internet to the LAN, protect clients with a firewall and set up a DHCP server to assign IP addresses automatically. Share an internet connection with the LAN, protect everything with a firewall and set up a DHCP server on Linux.

Must be specified as '-' if the classify option is given for the interface in shorewall-tcdevices(5) and you are running Shorewall 4.5.5 or earlier. You can use the same marks for different interfaces. RATE - {-| rate [: dmax [: umax]]} The minimum bandwidth this class should get when the traffic load rises.

Spring 2005 – Section 1. Shorewall Tutorial.
What is Shorewall? Shorewall is a high-level tool for configuring Netfilter on Linux machines. You configure the firewall using configuration files that allow you to set the interfaces that are on the machine, the policies that apply to the interfaces, and the exceptions to the policy in the form of rules to use when a request is sent to the

Setting up zones. Shorewall's world is all about zones; a zone is merely a network that we are going to firewall between. In this example we have the following zones: