Brian J. Murrell wrote:
I have an environment where I have openvpn and shorewall on the same node. Given that I want different rules applied based on who the peer is, and given that IP addresses given out by openvpn can be different from time to time (I don't want to get into statically allocating addresses as peers come and go), I've been cooking up something to make this work.

Essentially what I have is openvpn creating chains and installing rules in them in the learn script with such stanzas:

    if [ "$OP" = "add" ]; then
        # per-peer chains, hooked into vpn2loc / loc2vpn by the peer's address
        iptables -N "${CN}2loc"
        iptables -I vpn2loc -s "$ADDRESS" -j "${CN}2loc"
        iptables -N "loc2${CN}"
        iptables -I loc2vpn -d "$ADDRESS" -j "loc2${CN}"
        case "$CN" in
            "brian-laptop")
                iptables -I "${CN}2loc" -p udp --sport 4569 --dport 4569 -j ACCEPT
                iptables -I "${CN}2loc" -p udp --sport 123 --dport 123 -j ACCEPT
                ;;
            "peer1")
                iptables -I "loc2${CN}" -s 10.75.22.1 -j ACCEPT
                ;;
        esac
    else
        if [ -n "$CN" ]; then
            # tear down in reverse order: unhook the jump, flush, then delete the chain
            iptables -D vpn2loc -s "$ADDRESS" -j "${CN}2loc"
            iptables -F "${CN}2loc"
            iptables -X "${CN}2loc"
            iptables -D loc2vpn -d "$ADDRESS" -j "loc2${CN}"
            iptables -F "loc2${CN}"
            iptables -X "loc2${CN}"
        fi
    fi

Where CN is the openvpn name for a peer, normalized to work well in iptables rule names. This appears to be working pretty well with some obvious caveats:

* goes to hell in a handbasket if shorewall needs to be restarted
* rules are in the learn script
* probably more caveats

Any thoughts on how to roll this more properly into shorewall so that rules are specified with the traditional rules syntax and that it survives restarts?
Define the rules in terms of dynamic zones (preferably defined using ipsets rather than the deprecated DYNAMIC_ZONES=Yes), then simply add an address to the appropriate set when the client logs on and remove it from the set when the client logs off.
-Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ [EMAIL PROTECTED] PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
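The following is an added example of the approach Tom describes; it is not code from the thread or from the Shorewall project. It is an OpenVPN --learn-address hook that keeps each peer's address in an ipset, so the Shorewall rules are written once against zones backed by those sets and never touch iptables chains directly. The zone and set names (vpnlap, vpnpeer, vpnother), the CN-to-set mapping and the Shorewall config fragments in the comments are all assumptions constructed for the example. Because Shorewall references a set by name, changing its members does not alter the rule set, and a Shorewall restart rebuilds the rules without emptying the sets. The IPSET variable exists so the hook can be dry-run with IPSET=echo.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN --learn-address hook that
# maintains ipset membership for Shorewall dynamic zones.
#
# Assumed Shorewall fragments (hypothetical zone/set names):
#   /etc/shorewall/zones:  vpnlap   ipv4
#                          vpnpeer  ipv4
#                          vpnother ipv4
#   /etc/shorewall/hosts:  vpnlap   tun0:+vpnlap
#                          vpnpeer  tun0:+vpnpeer
#                          vpnother tun0:+vpnother
#   /etc/shorewall/rules:  ACCEPT   vpnlap  loc      udp  4569
#                          ACCEPT   vpnlap  loc      udp  123
#                          ACCEPT   loc     vpnpeer
#
# OpenVPN invokes the hook as:  script add|update|delete <address> [<common name>]
# (no common name is passed on delete).

IPSET=${IPSET:-ipset}                 # overridable for dry-runs and tests
ALL_SETS="vpnlap vpnpeer vpnother"    # every set a peer address may live in

# The sets must exist before Shorewall starts (call this from an init hook);
# -exist makes the create idempotent.
ensure_sets() {
    for s in $ALL_SETS; do
        "$IPSET" -exist create "$s" hash:ip
    done
}

# Map a certificate CN to the set (zone) it belongs to. Constructed mapping.
zone_set_for_cn() {
    case "$1" in
        brian-laptop) echo vpnlap ;;
        peer1)        echo vpnpeer ;;
        *)            echo vpnother ;;
    esac
}

# Accept only a dotted-quad IPv4 address; anything else never reaches ipset.
valid_ipv4() {
    ip=$1
    case "$ip" in ""|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Remove an address from every set (used on delete, and before re-adding,
# since a reconnecting client may come back under a different CN).
drop_everywhere() {
    for s in $ALL_SETS; do
        "$IPSET" -exist del "$s" "$1"
    done
}

# Main entry point: returns non-zero on bad input so OpenVPN logs the failure.
learn_address() {
    op=$1; addr=$2; cn=$3
    valid_ipv4 "$addr" || return 1
    case "$op" in
        add|update)
            [ -n "$cn" ] || return 1
            target=$(zone_set_for_cn "$cn")
            drop_everywhere "$addr"
            "$IPSET" -exist add "$target" "$addr"
            ;;
        delete)
            drop_everywhere "$addr"
            ;;
        *)
            return 1
            ;;
    esac
}

# When run by OpenVPN, act on the arguments; when sourced, just define functions.
[ $# -eq 0 ] || learn_address "$@"
```

With IPSET=echo, `learn_address add 10.8.0.6 brian-laptop` prints three del commands followed by `-exist add vpnlap 10.8.0.6`, which is exactly what the hook would hand to ipset; the Shorewall rules for vpnlap then apply to that address without any change to the rule set.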
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
