In shorewall you generally define one ZONE for each interface like this:

/etc/shorewall/interfaces
##############################################################################
#ZONE   INTERFACE  BROADCAST  OPTIONS
VPN     tun0       detect     dropunclean,blacklist,tcpflags
NET     eth0       detect     norfc1918,dropunclean,blacklist,tcpflags
LOCAL   eth1       detect     dropunclean,blacklist,tcpflags
DMZ     eth2       detect     dropunclean,blacklist,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
############################################################################
You can also define some IP addresses as a ZONE like this:

/etc/shorewall/hosts
#######################################################################
FRD     eth0:125.213.63.56,222.111.0.4   routeback,tcpflags,blacklist,norfc1918,nosmurfs
######################################################################

Make a policy for traffic between ZONES:

/etc/shorewall/policy
###############################################################################
#SOURCE  DEST   POLICY
fw       all    ACCEPT
LOCAL    NET    ACCEPT
LOCAL    FRD    ACCEPT
LOCAL    DMZ    ACCEPT
LOCAL    VPN    ACCEPT
VPN      DMZ    ACCEPT
DMZ      VPN    ACCEPT
DMZ      NET    ACCEPT
DMZ      FRD    ACCEPT
NET      all    DROP
# THE FOLLOWING POLICY MUST BE LAST
all      all    REJECT
#LAST LINE -- DO NOT REMOVE
############################################################################

Then write some rules:

/etc/shorewall/rules
#########################################################
#ACTION         SOURCE  DEST  PROTO  DEST
REDIRECT:info   FRD     5000  udp    5000
###########################################################

This rule will redirect connection-making packets from the selected IP addresses on the Internet to the firewall itself (the firewall will accept these packets for itself). Port 5000 I use for incoming VPN connections. It will be logged (:info).

Make masquerade:

/etc/shorewall/masq
##############################################################################
#INTERFACE  SUBNET  ADDRESS
eth0        eth1
eth0        eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
###########################################################################

Masquerade is needed so that packets from your intranet (e.g. 192.168.2.0) are visible on the Internet as packets from your firewall's Internet address.
My OpenVPN config file looks like this:

/etc/openvpn/server.conf
########################################################
port 5000
proto udp
dev tun0
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.2.0 255.255.255.0"
client-config-dir ccd
keepalive 10 120
comp-lzo
persist-key
persist-tun
status status.log
log-append openvpn.log
verb 4
#####################################################

port 5000 is the port where my firewall accepts the connection. Use protocol udp (tcp will be tunneled through the VPN - no need for 2x tcp). dev tun0 will create interface tun0, which you use in the shorewall configuration.

So that's it. OpenVPN and Shorewall work fine for me. Easy to configure. Maybe I forgot something, better check the documentation also.

Enjoy
Dexter

On Fri, 2006-02-17 at 21:10 +0100, Michael Przysucha wrote:
> Hello Dexter!
>
> Thank you for the hint, I will try with shorewall.
> Can you provide me your setup for the tun0 interface? I had a fast view on
> the link for openvpn and found it a little
> difficult. Maybe you can help.
>
> Thx,
> Michael Przysucha
>
>
>
> 17.02.2006 18:30:29, Dexter <[EMAIL PROTECTED]> wrote:
>
> >I have OpenVPN installed on my Debian firewall. I use Shorewall to manage
> >the firewall. I have 3 interfaces eth0, eth1, eth2 in the firewall host (Zones:
> >LAN, DMZ, NET). OpenVPN makes a 4th interface tun0 (Zone: VPN).
> >Then I have set up policies and rules for traffic between Zones. It is
> >easy to set up and even easier to change the configuration if you need to
> >later (open some port, redirect port...).
> >See:
> >http://openvpn.net/howto.html
> >http://www.shorewall.net/
> >
> > Dexter
> >
> >
> >On Fri, 2006-02-17 at 17:57 +0100, Michael Przysucha wrote:
> >> Hello,
> >> I want to set up a Bridge/Router which shall include a VPN gateway to a
> >> campus network with iptables.
> >>
> >> First of all: Linux version 2.4.27-2-386 running on a Soekris net4501, 3
> >> NICs, headless, 133MHz, 64MB RAM, 512MB
> >> CF-card
> >>
> >> purpose:
> >> I need access to the campus network through the VPN tunnel because some
> >> services are restricted to the IP range
> >> used by my university.
> >>
> >> problems:
> >> I cannot remove my router at home, it is required by my ISP (why I do not
> >> know...) but I am allowed to configure it as I
> >> want to.
> >> As well I want to be able to connect wireless-LAN (WLAN) clients with
> >> special restrictions.
> >>
> >> I have added a drawing of the system as I thought it should work. Can
> >> anybody give me a link where I can get a tutorial
> >> for a configuration as I need it or give me a direct conf for iptables?
> >>
> >> All further information is written down in this little pdf.
> >>
> >>
> >> Thanks in advance for any help!
> >> Michael Przysucha
> >> (Germany)
> >>
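The policy file in Dexter's mail is evaluated by Shorewall top to bottom, and the first entry whose SOURCE and DEST match a zone pair wins, with "all" matching any zone and "fw" being the firewall's own zone; entries in /etc/shorewall/rules are consulted before the policy, so the REDIRECT rule above is an exception to "NET all DROP". The following is an added example, not code from the mail thread or from the Shorewall project: it embeds the policy table from the mail as constructed inline input, resolves the effective policy for each ordered zone pair so a reviewer can see that, for instance, DMZ to LOCAL falls through to the final REJECT, and checks that the catch-all "all all" entry is present and last. The zone list is taken from the interfaces and hosts files in the mail; everything else is an assumption of the example.

```python
"""Resolve the effective Shorewall policy for a zone pair.

Added example, not part of the original mail or of Shorewall itself.
Shorewall consults /etc/shorewall/policy top to bottom and applies the
first entry whose SOURCE and DEST match; "all" matches any zone and "fw"
is the firewall's own zone.  POLICY_TEXT is the policy table from the
mail above, embedded inline (constructed input) so the script runs offline.
"""

POLICY_TEXT = """\
#SOURCE  DEST   POLICY
fw       all    ACCEPT
LOCAL    NET    ACCEPT
LOCAL    FRD    ACCEPT
LOCAL    DMZ    ACCEPT
LOCAL    VPN    ACCEPT
VPN      DMZ    ACCEPT
DMZ      VPN    ACCEPT
DMZ      NET    ACCEPT
DMZ      FRD    ACCEPT
NET      all    DROP
# THE FOLLOWING POLICY MUST BE LAST
all      all    REJECT
#LAST LINE -- DO NOT REMOVE
"""

# Zones declared in the mail's interfaces and hosts files (assumed complete).
ZONES = ["fw", "VPN", "NET", "LOCAL", "DMZ", "FRD"]


def parse_policy(text):
    """Return [(source, dest, policy), ...] in file order, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed policy line: %r" % raw)
        entries.append((fields[0], fields[1], fields[2].upper()))
    return entries


def _matches(pattern, zone):
    """A policy column matches a zone if it names it or is the wildcard 'all'."""
    return pattern == "all" or pattern == zone


def effective_policy(entries, source, dest):
    """First-match lookup, mirroring Shorewall's policy evaluation order."""
    for src, dst, pol in entries:
        if _matches(src, source) and _matches(dst, dest):
            return pol
    return None  # no matching entry: the pair has no default policy at all


def check_catch_all_last(entries):
    """True iff an 'all all' entry exists and is the final entry."""
    return bool(entries) and entries[-1][:2] == ("all", "all")


def policy_matrix(entries, zones=ZONES):
    """Effective default policy for every ordered zone pair, for review."""
    return {(s, d): effective_policy(entries, s, d)
            for s in zones for d in zones if s != d}


if __name__ == "__main__":
    entries = parse_policy(POLICY_TEXT)
    print("catch-all last:", check_catch_all_last(entries))
    for (s, d), pol in sorted(policy_matrix(entries).items()):
        print("%-6s -> %-6s %s" % (s, d, pol))
```

Running it prints the full zone-pair matrix; the pairs that resolve to REJECT (such as VPN to NET or DMZ to LOCAL) are exactly the ones that are only reachable by adding an explicit entry in the rules file, which is the place to look when a VPN client cannot reach a service.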