Re: Routing, Bridging and VPN
In Shorewall you generally define one ZONE for each interface, like
this:
/etc/shorewall/interfaces
##############################################################################
#ZONE    INTERFACE    BROADCAST    OPTIONS
VPN      tun0         detect       dropunclean,blacklist,tcpflags
NET      eth0         detect       norfc1918,dropunclean,blacklist,tcpflags
LOCAL    eth1         detect       dropunclean,blacklist,tcpflags
DMZ      eth2         detect       dropunclean,blacklist,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
##############################################################################
You can also define some IP addresses as a ZONE, like this:
/etc/shorewall/hosts
#######################################################################
#ZONE    HOST(S)                           OPTIONS
FRD      eth0:125.213.63.56,222.111.0.4    routeback,tcpflags,blacklist,norfc1918,nosmurfs
#######################################################################
Make policies for traffic between ZONES:
/etc/shorewall/policy
###############################################################################
#SOURCE    DEST    POLICY
fw         all     ACCEPT
LOCAL      NET     ACCEPT
LOCAL      FRD     ACCEPT
LOCAL      DMZ     ACCEPT
LOCAL      VPN     ACCEPT
VPN        DMZ     ACCEPT
DMZ        VPN     ACCEPT
DMZ        NET     ACCEPT
DMZ        FRD     ACCEPT
NET        all     DROP
# THE FOLLOWING POLICY MUST BE LAST
all        all     REJECT
#LAST LINE -- DO NOT REMOVE
###############################################################################
Then write some rules:
/etc/shorewall/rules
#########################################################
#ACTION           SOURCE    DEST    PROTO    DEST
REDIRECT:info     FRD       5000    udp      5000
#########################################################
This rule will redirect connection-making packets from the selected IP
addresses on the Internet to the firewall itself (the firewall will accept
these packets for itself). I use port 5000 for incoming VPN connections. It
will be logged (:info).
Set up masquerading:
/etc/shorewall/masq
##############################################################################
#INTERFACE    SUBNET    ADDRESS
eth0          eth1
eth0          eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
##############################################################################
Masquerading is needed so that packets from your intranet (e.g.
192.168.2.0) are visible on the Internet as packets from your firewall's
Internet address.
My OpenVPN config file looks like this:
/etc/openvpn/server.conf
########################################################
port 5000
proto udp
dev tun0
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.2.0 255.255.255.0"
client-config-dir ccd
keepalive 10 120
comp-lzo
persist-key
persist-tun
status status.log
log-append openvpn.log
verb 4
#####################################################
port 5000 is the port where my firewall accepts the connection. Use protocol udp
(tcp will be tunneled through the VPN, so there is no need for TCP twice). dev tun0
will create the interface tun0 that you use in the Shorewall configuration.
So that's it. OpenVPN and Shorewall work fine for me. Easy to
configure. Maybe I forgot something, so better check the documentation too.
Enjoy
Dexter
On Fri, 2006-02-17 at 21:10 +0100, Michael Przysucha wrote:
> Hello Dexter!
>
> Thank you for the hint, I will try with shorewall.
> Can you provide me your setup for the tun0 interface? I had a quick look at the link for openvpn and found it a little
> difficult. Maybe you can help.
>
> Thx,
> Michael Przysucha
>
>
>
> 17.02.2006 18:30:29, Dexter <dexter@madalbal.sk> wrote:
>
> >I have OpenVPN installed on my Debian firewall. I use Shorewall to manage
> >the firewall. I have 3 interfaces eth0, eth1, eth2 in the firewall host (Zones:
> >LAN, DMZ, NET). OpenVPN makes a 4th interface tun0 (Zone: VPN).
> >Then I have set up policies and rules for traffic between Zones. It is
> >easy to set up and even easier to change the configuration if you need to
> >later (open some port, redirect a port...).
> >See:
> >http://openvpn.net/howto.html
> >http://www.shorewall.net/
> >
> > Dexter
> >
> >
> >On Fri, 2006-02-17 at 17:57 +0100, Michael Przysucha wrote:
> >> Hello,
> >> I want to set up a Bridge/Router which shall include a VPN gateway to a campus network with iptables.
> >>
> >> First of all: Linux version 2.4.27-2-386 running on a Soekris net4501, 3 NICs, headless, 133MHz, 64MB RAM, 512MB
> >> CF-card
> >>
> >> purpose:
> >> I need access to the campus network through the VPN tunnel because some services are restricted to the IP range
> >> used by my university.
> >>
> >> problems:
> >> I cannot remove my router at home, it is required by my ISP (why I do not know...) but I am allowed to configure it as
> >> I want to.
> >> As well I want to be able to connect wireless-LAN (WLAN) clients with special restrictions.
> >>
> >> I have added a drawing of the system as I thought it should work. Can anybody give me a link where I can get a
> >> tutorial for a configuration as I need it or give me a direct conf for iptables?
> >>
> >> All further information is written down in this little pdf.
> >>
> >>
> >> Thanks in advance for any help!
> >> Michael Przysucha
> >> (Germany)
> >>
> >
> >
>
>
>
>
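As an added example (not part of Dexter's post and not Shorewall's own code), the Python below models the lookup order Shorewall applies to the policy and rules tables posted above, so you can ask "what happens to a packet from zone X to zone Y" without loading the config on a box. It assumes a simplified version of the documented semantics: the rules file is consulted first and the first matching rule wins; if nothing matches, the policy file is walked top to bottom and the first matching SOURCE/DEST pair wins, with "all" matching any zone and "fw" being the firewall itself. Zone membership (which interface or IP is in which zone) is taken as already known; the interfaces and hosts files are not modelled. Function and class names are my own. With the tables exactly as posted, the model shows that NET->DMZ is dropped by "NET all DROP" while DMZ->NET is accepted (policies are directional), and that any pair with no explicit line, VPN->LOCAL for instance, falls through to the final "all all REJECT"; it also includes the check that the catch-all really is last, since the comment in the file insists on it.

```python
"""Simplified model of Shorewall rule/policy lookup (added example, not
Shorewall code). Semantics assumed: rules first, first match wins; then
policies, first matching SOURCE/DEST wins; "all" matches any zone."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the two tables from the post, pasted verbatim.
POLICY_TEXT = """\
#SOURCE DEST POLICY
fw all ACCEPT
LOCAL NET ACCEPT
LOCAL FRD ACCEPT
LOCAL DMZ ACCEPT
LOCAL VPN ACCEPT
VPN DMZ ACCEPT
DMZ VPN ACCEPT
DMZ NET ACCEPT
DMZ FRD ACCEPT
NET all DROP
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT
"""

RULES_TEXT = """\
#ACTION SOURCE DEST PROTO DEST
REDIRECT:info FRD 5000 udp 5000
"""


@dataclass(frozen=True)
class Policy:
    source: str
    dest: str
    action: str


@dataclass(frozen=True)
class Rule:
    action: str
    log_level: Optional[str]   # the ":info" suffix on the ACTION column
    source: str
    dest: str                  # for REDIRECT: the firewall port redirected to
    proto: str
    dport: str


def _records(text: str):
    """Yield the whitespace-split fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_policy(text: str) -> List[Policy]:
    return [Policy(*fields[:3]) for fields in _records(text)]


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for fields in _records(text):
        action, _, level = fields[0].partition(":")
        fields = fields + ["-"] * (5 - len(fields))   # pad absent optional columns
        rules.append(Rule(action, level or None, fields[1], fields[2], fields[3], fields[4]))
    return rules


POLICY = parse_policy(POLICY_TEXT)
RULES = parse_rules(RULES_TEXT)


def _zone_match(pattern: str, zone: str) -> bool:
    return pattern == "all" or pattern == zone


def decide(src: str, dst: str, proto: str = "-", dport="-",
           rules: Optional[List[Rule]] = None,
           policy: Optional[List[Policy]] = None) -> Tuple[str, Optional[str], str]:
    """Return (action, log_level, origin) for a packet from zone src to zone dst."""
    rules = RULES if rules is None else rules
    policy = POLICY if policy is None else policy
    for r in rules:
        if not _zone_match(r.source, src):
            continue
        if r.proto != "-" and r.proto != proto:
            continue
        if r.dport != "-" and r.dport != str(dport):
            continue
        if r.action == "REDIRECT":
            # REDIRECT hands the packet to the firewall itself; its DEST column
            # is the local port, so the destination zone is not a match criterion.
            return ("REDIRECT", r.log_level, f"rule -> fw:{r.dest}")
        if not _zone_match(r.dest, dst):
            continue
        return (r.action, r.log_level, "rule")
    for p in policy:
        if _zone_match(p.source, src) and _zone_match(p.dest, dst):
            return (p.action, None, "policy")
    raise ValueError("no policy matched; the policy file needs an all/all catch-all")


def catchall_is_last(policy: List[Policy]) -> bool:
    """True iff exactly one all/all entry exists and it is the final line."""
    if not policy:
        return False
    *head, last = policy
    return (last.source == "all" and last.dest == "all"
            and not any(p.source == "all" and p.dest == "all" for p in head))


if __name__ == "__main__":
    for pair in [("NET", "DMZ"), ("DMZ", "NET"), ("VPN", "LOCAL"), ("FRD", "fw", "udp", 5000)]:
        print(pair, "->", decide(*pair))
    print("catch-all last:", catchall_is_last(POLICY))
```

The `origin` element of the result tells you whether a rule or a policy decided the packet, which is the first thing to look at when a zone pair does not behave as expected; the REDIRECT rule is the only one here that can shortcut the policy table, and only for UDP 5000 from the FRD hosts.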