In shorewall you generally define one ZONE for each interface like
this:
/etc/shorewall/interfaces
##############################################################################
#ZONE           INTERFACE       BROADCAST       OPTIONS
VPN             tun0            detect          dropunclean,blacklist,tcpflags
NET             eth0            detect          norfc1918,dropunclean,blacklist,tcpflags
LOCAL           eth1            detect          dropunclean,blacklist,tcpflags
DMZ             eth2            detect          dropunclean,blacklist,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
############################################################################

You can also define some IP addresses as a ZONE like this:
/etc/shorewall/hosts
#######################################################################
#ZONE   HOST(S)                                 OPTIONS
FRD     eth0:125.213.63.56,222.111.0.4          routeback,tcpflags,blacklist,norfc1918,nosmurfs
######################################################################

Make policy for traffic between ZONES:
/etc/shorewall/policy
###############################################################################
#SOURCE         DEST            POLICY
fw              all             ACCEPT
LOCAL           NET             ACCEPT
LOCAL           FRD             ACCEPT
LOCAL           DMZ             ACCEPT
LOCAL           VPN             ACCEPT
VPN             DMZ             ACCEPT
DMZ             VPN             ACCEPT
DMZ             NET             ACCEPT
DMZ             FRD             ACCEPT
NET             all             DROP
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT
#LAST LINE -- DO NOT REMOVE
############################################################################

Then write some rules:
/etc/shorewall/rules
#########################################################
#ACTION         SOURCE          DEST    PROTO   DEST PORT
REDIRECT:info   FRD             5000    udp     5000
###########################################################
This rule will redirect connection-making packets from selected IP
addresses on the Internet to the firewall itself (the firewall will
accept these packets for itself). Port 5000 I use for incoming VPN
connections. It will be logged (:info).

Make masquerade:
/etc/shorewall/masq
##############################################################################
#INTERFACE              SUBNET          ADDRESS
eth0    eth1
eth0    eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
###########################################################################
Masquerade is needed so that packets from your intranet (e.g.
192.168.2.0) are visible on the Internet as packets from your firewall's
Internet address.

My OpenVPN config file looks like this:
/etc/openvpn/server.conf
########################################################
port 5000

proto udp
dev tun0
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.2.0 255.255.255.0"
client-config-dir ccd
keepalive 10 120
comp-lzo
persist-key
persist-tun
status status.log
log-append  openvpn.log
verb 4

#####################################################

port 5000 is the port where my firewall accepts connections. Use protocol udp
(tcp will be tunneled through the vpn - no need for 2x tcp). dev tun0 will
create interface tun0, which you use in the shorewall configuration.

So that's it. OpenVPN and Shorewall work fine for me. Easy to
configure. Maybe I forgot something, better check the documentation also.
Enjoy
    Dexter


On Fri, 2006-02-17 at 21:10 +0100, Michael Przysucha wrote:
> Hello Dexter!
> 
> Thank you for the hint, I will try with shorewall.
> Can you provide me your setup for the tun0 interface? I had a fast view on 
> the link for openvpn and found it a little 
> difficult. Maybe you can help.
> 
> Thx,
> Michael Przysucha
> 
> 
> 
> 17.02.2006 18:30:29, Dexter <[EMAIL PROTECTED]> wrote:
> 
> >I have OpenVPN installed on my Debian firewall. I use Shorewall to manage
> >the firewall.  I have 3 interfaces eth0, eth1, eth2 in the firewall host (Zones:
> >LAN, DMZ, NET). OpenVPN makes a 4th interface tun0 (Zone: VPN).
> >Then I have set up policies and rules for traffic between Zones. It is
> >easy to set up and even easier to change the configuration if you need to
> >later (open some port, redirect a port...).
> >See:
> >http://openvpn.net/howto.html
> >http://www.shorewall.net/
> >
> >   Dexter
> >
> >
> >On Fri, 2006-02-17 at 17:57 +0100, Michael Przysucha wrote:
> >> Hello,
> >> I want to set up a Bridge/Router which shall include a VPN gateway to a 
> >> campus network with iptables.
> >> 
> >> First of all: Linux version 2.4.27-2-386 running on a Soekris net4501, 3 
> >> NICs, headless, 133MHz, 64MB RAM, 512MB 
> >> CF-card
> >> 
> >> purpose:
> >> I need access to the campus network through the VPN tunnel because some 
> >> services are restricted to the IP range 
> >> used by my university.
> >> 
> >> problems:
> >> I cannot remove my router at home, it is required by my ISP (why I do not 
> >> know...) but I am allowed to configure it as I 
> >> want to.
> >> As well I want to be able to connect wireless-LAN (WLAN) clients with 
> >> special restrictions.
> >> 
> >> I have added a drawing of the system as I thought it should work. Can 
> >> anybody give me a link where I can get a tutorial 
> >> for a configuration as I need it or give me a direct conf for iptables?
> >> 
> >> All further information is written down in this little pdf.
> >> 
> >> 
> >> Thanks in advance for any help!
> >> Michael Przysucha
> >> (Germany)
> >> 
> >
> >