
Re: Routing, Bridging and VPN



In Shorewall you generally define one ZONE for each interface like
this:
/etc/shorewall/interfaces
##############################################################################
#ZONE	INTERFACE	BROADCAST	OPTIONS
VPN	tun0		detect		dropunclean,blacklist,tcpflags
NET	eth0		detect		norfc1918,dropunclean,blacklist,tcpflags
LOCAL	eth1		detect		dropunclean,blacklist,tcpflags
DMZ	eth2		detect		dropunclean,blacklist,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
############################################################################

You can also define some IP addresses as a ZONE like this:
/etc/shorewall/hosts
#######################################################################
#ZONE	HOST(S)				OPTIONS
FRD	eth0:125.213.63.56,222.111.0.4	routeback,tcpflags,blacklist,norfc1918,nosmurfs
######################################################################

Make policies for traffic between ZONES:
/etc/shorewall/policy
###############################################################################
#SOURCE		DEST		POLICY
fw		all		ACCEPT
LOCAL  		NET		ACCEPT
LOCAL		FRD		ACCEPT
LOCAL		DMZ		ACCEPT
LOCAL		VPN		ACCEPT
VPN		DMZ		ACCEPT
DMZ		VPN		ACCEPT
DMZ		NET		ACCEPT
DMZ		FRD		ACCEPT
NET		all		DROP	
# THE FOLLOWING POLICY MUST BE LAST
all		all	REJECT
#LAST LINE -- DO NOT REMOVE
############################################################################

Then write some rules:
/etc/shorewall/rules
#########################################################
#ACTION  	SOURCE		DEST    PROTO	DEST PORT(S)
REDIRECT:info	FRD		5000	udp	5000
###########################################################
This rule will redirect connection-making packets from the selected IP
addresses on the Internet to the firewall itself (the firewall will accept these
packets for itself). Port 5000 is what I use for incoming VPN connections. It
will be logged (:info).

Set up masquerading:
/etc/shorewall/masq
##############################################################################
#INTERFACE	        SUBNET		ADDRESS
# hosts behind eth1 (LOCAL) and eth2 (DMZ) leave through eth0 with its address
eth0	eth1
eth0	eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
###########################################################################
Masquerading is needed so that packets from your intranet (e.g.
192.168.2.0) are visible on the Internet as packets from your firewall's
Internet address.

My OpenVPN config file looks like this:
/etc/openvpn/server.conf
########################################################
# UDP port the daemon listens on; the Shorewall REDIRECT rule above lets it in
port 5000
proto udp
# creates the tun0 interface that the Shorewall VPN zone refers to
dev tun0
# CA, server certificate/key and DH parameters (paths relative to /etc/openvpn)
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
# tunnel network: the server takes 10.8.1.1, clients get addresses from the pool
server 10.8.1.0 255.255.255.0
# remember which client got which address across restarts
ifconfig-pool-persist ipp.txt
# tell clients to route the LAN behind the firewall through the tunnel
push "route 192.168.2.0 255.255.255.0"
# per-client option files, keyed by certificate common name
client-config-dir ccd
# ping every 10 s, consider the peer dead after 120 s without a reply
keepalive 10 120
comp-lzo
# keep the key material and tun device open across SIGUSR1 restarts
persist-key
persist-tun
status status.log
log-append  openvpn.log
verb 4

#####################################################

Port 5000 is the port where my firewall accepts the connection. Use protocol udp
(tcp will be tunneled through the VPN - no need for 2x tcp). dev tun0 will
create interface tun0, which you use in the Shorewall configuration.

So that's it. OpenVPN and Shorewall work fine for me. Easy to
configure. Maybe I forgot something, better check the documentation also.
Enjoy
    Dexter

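As an added example (not from Dexter's message and not part of Shorewall), the following Python script reads the policy and rules files shown above and answers "what happens to traffic from zone A to zone B?" using Shorewall's evaluation order: rules are consulted before policies, and the first policy line whose SOURCE and DEST match (literally or via "all") wins. It is a deliberate simplification of what Shorewall compiles into iptables: it ignores nested-zone ordering in /etc/shorewall/zones (FRD is a subset of eth0, which also carries NET), intra-zone traffic and the ORIGINAL DEST column, so it checks the files as written rather than the generated chains. Running it shows, for instance, that VPN -> LOCAL is not listed and therefore falls through to the final `all all REJECT` line, which matters if the pushed 192.168.2.0/24 route is meant to let VPN clients reach hosts behind eth1. The zone list and the sample flows are my assumptions drawn from the files quoted in the message.

```python
"""Offline checker for the Shorewall policy and rules files quoted in the message
above (an added example, not part of the original post or of Shorewall itself)."""
from dataclasses import dataclass
from typing import Optional

# Taken from /etc/shorewall/policy in the message above.
POLICY_TEXT = """\
#SOURCE		DEST		POLICY
fw		all		ACCEPT
LOCAL  		NET		ACCEPT
LOCAL		FRD		ACCEPT
LOCAL		DMZ		ACCEPT
LOCAL		VPN		ACCEPT
VPN		DMZ		ACCEPT
DMZ		VPN		ACCEPT
DMZ		NET		ACCEPT
DMZ		FRD		ACCEPT
NET		all		DROP
# THE FOLLOWING POLICY MUST BE LAST
all		all	REJECT
"""

# Taken from /etc/shorewall/rules in the message above.
RULES_TEXT = """\
#ACTION  	SOURCE		DEST    PROTO	DEST PORT(S)
REDIRECT:info	FRD		5000	udp	5000
"""

# Zones named in the message (assumed list): the firewall, four interface zones, FRD.
ZONES = ["fw", "NET", "LOCAL", "DMZ", "VPN", "FRD"]


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    action: str


@dataclass(frozen=True)
class Rule:
    action: str
    log: Optional[str]   # log level after the colon, e.g. "info"
    src: str
    dst: str             # a zone, or the firewall port for REDIRECT
    proto: str
    dport: Optional[str]


def _records(text):
    """Yield the whitespace-separated fields of each non-comment, non-blank line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_policy(text):
    return [Policy(f[0], f[1], f[2].upper()) for f in _records(text)]


def parse_rules(text):
    rules = []
    for f in _records(text):
        action, _, log = f[0].partition(":")
        f = f + [None] * (5 - len(f))           # PROTO and DEST PORT are optional
        rules.append(Rule(action.upper(), log or None, f[1], f[2],
                          (f[3] or "all").lower(), f[4]))
    return rules


def _zone_matches(pattern, zone):
    return pattern == "all" or pattern == zone


def policy_for(policies, src, dst):
    """First matching policy line wins; None means the file has no catch-all."""
    for p in policies:
        if _zone_matches(p.src, src) and _zone_matches(p.dst, dst):
            return p.action
    return None


def decide(rules, policies, src, dst, proto="all", dport=None):
    """Verdict for one flow. Rules come before policies. A REDIRECT rule with no
    ORIGINAL DEST column matches regardless of destination zone and sends the
    packet to the firewall port given in its DEST column."""
    for r in rules:
        if not _zone_matches(r.src, src) or r.proto not in ("all", proto):
            continue
        if r.dport is not None and r.dport != str(dport):
            continue
        if r.action == "REDIRECT":
            return "REDIRECT->fw:%s" % r.dst
        if _zone_matches(r.dst, dst):
            return r.action
    return policy_for(policies, src, dst)


def policy_matrix(policies, zones=ZONES):
    """Verdict for every ordered zone pair (intra-zone traffic is left out)."""
    return {s: {d: policy_for(policies, s, d) for d in zones if d != s} for s in zones}


if __name__ == "__main__":
    policies, rules = parse_policy(POLICY_TEXT), parse_rules(RULES_TEXT)
    for src, row in policy_matrix(policies).items():
        print(src.ljust(6), "  ".join("%s:%s" % kv for kv in row.items()))
    print("FRD -> udp/5000:", decide(rules, policies, "FRD", "fw", "udp", 5000))
```

The matrix is the thing to read before trusting a policy file: every pair that prints REJECT is one that never matched an explicit line, and NET -> anything prints DROP because the `NET all DROP` line sits before the catch-all. The REDIRECT check confirms that only UDP/5000 from the FRD addresses reaches the OpenVPN daemon; the same port over TCP, or from any other Internet address, still hits the NET or catch-all policy.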

On Fri, 2006-02-17 at 21:10 +0100, Michael Przysucha wrote:
> Hello Dexter!
> 
> Thank you for the hint, I will try with shorewall.
> Can you provide me your setup for the tun0 interface? I had a fast view on the link for openvpn and found it a little
> difficult. Maybe you can help.
> 
> Thx,
> Michael Przysucha
> 
> 
> 
> 17.02.2006 18:30:29, Dexter <dexter@madalbal.sk> wrote:
> 
> >I have OpenVPN installed on my Debian firewall. I use Shorewall to manage
> >the firewall.  I have 3 interfaces eth0, eth1, eth2 in the firewall host (Zones:
> >LAN, DMZ, NET). OpenVPN makes a 4th interface, tun0 (Zone: VPN).
> >Then I have set up policies and rules for traffic between Zones. It is
> >easy to set up and even easier to change the configuration if you need to
> >later (open some port, redirect port...).
> >See:
> >http://openvpn.net/howto.html
> >http://www.shorewall.net/
> >
> >   Dexter
> >
> >
> >On Fri, 2006-02-17 at 17:57 +0100, Michael Przysucha wrote:
> >> Hello,
> >> I want to set up a Bridge/Router which shall include a VPN gateway to a campus network with iptables.
> >> 
> >> First of all: Linux version 2.4.27-2-386 running on a Soekris net4501, 3 NICs, headless, 133MHz, 64MB RAM, 512MB
> >> CF-card
> >> 
> >> purpose:
> >> I need access to the campus network through the VPN tunnel because some services are restricted to the IP range
> >> used by my university.
> >> 
> >> problems:
> >> I cannot remove my router at home, it is required by my ISP (why I do not know...) but I am allowed to configure it as
> >> I want to.
> >> As well I want to be able to connect wireless-LAN (WLAN) clients with special restrictions.
> >> 
> >> I have added a drawing of the system as I thought it should work. Can anybody give me a link where I can get a
> >> tutorial for a configuration as I need it or give me a direct conf for iptables?
> >> 
> >> All further information is written down in this little pdf.
> >> 
> >> 
> >> Thanks in advance for any help!
> >> Michael Przysucha
> >> (Germany)
> >> 