Brian J. Murrell wrote:
> I have an environment where I have openvpn and shorewall on the same
> node.  Given that I want different rules applied based who the peer is
> and given that IP addresses given out by openvpn can be different from
> time to time (I don't want to get into statically allocating addresses
> as peers come and go) I've been cooking up something to make this work.
>
> Essentially what I have is openvpn creating chains and installing rules
> in them in the learn script with such stanzas:
>
>         if [ "$OP" = "add" ]; then
>                 iptables -N "${CN}2loc"
>                 iptables -I vpn2loc -s "$ADDRESS" -j "${CN}2loc"
>                 iptables -N "loc2${CN}"
>                 iptables -I loc2vpn -d "$ADDRESS" -j "loc2${CN}"
>                 case "$CN" in
>                         "brian-laptop")
>                                 iptables -I "${CN}2loc" -p udp --sport 4569 --dport 4569 -j ACCEPT
>                                 iptables -I "${CN}2loc" -p udp --sport 123 --dport 123 -j ACCEPT
>                                 ;;
>                         "peer1")
>                                 iptables -I "loc2${CN}" -s 10.75.22.1 -j ACCEPT
>                                 ;;
>                 esac
>         else
>                 if [ -n "$CN" ]; then
>                         iptables -D vpn2loc -s "$ADDRESS" -j "${CN}2loc"
>                         iptables -F "${CN}2loc"
>                         iptables -X "${CN}2loc"
>                         # the return chain was created as "loc2${CN}" with -d above,
>                         # so it has to be unhooked and removed under the same name
>                         iptables -D loc2vpn -d "$ADDRESS" -j "loc2${CN}"
>                         iptables -F "loc2${CN}"
>                         iptables -X "loc2${CN}"
>                 fi
>         fi
>
> Where CN is the openvpn name for a peer, normalized to work well in
> iptables rule names.
>
> This appears to be working pretty well with some obvious caveats:
>
>       * goes to hell in a handbasket if shorewall needs to be restarted
>       * rules are in the learn script
>       * probably more caveats
>
> Any thoughts on how to roll this more properly into shorewall so that
> rules are specified with the traditional rules syntax and that it
> survives restarts?
>
> Cheers,
> b.
>
Hi Brian,

A way round this could be to identify the current state of the OpenVPN 
internal routing table at the point where Shorewall restarts.  You may 
already have this in your config but if not, set up the following 
directive in your OpenVPN server .conf file:

status /var/log/openvpn-status.log

After restarting the server, OpenVPN will maintain the current client 
list and internal routing table in this file as clients connect and 
disconnect.  The routing table (among other things) lists the client IP 
and common name of each connected client.

You could then add some commands to /etc/shorewall/started (run after a 
complete Shorewall start or restart) that parse the routing table in 
the openvpn-status.log file and grep for the client IPs and common 
names.  Once you have that info, you just need to include the "add" 
logic from your attached script to create the appropriate chains and 
rules for each connected client.

regards,
Aidan
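As an added example (not part of Aidan's reply or Brian's script), this is one way to do what Aidan describes from /etc/shorewall/started: read the ROUTING TABLE section of the version-1 status file that the "status" directive writes, and replay the "add" logic of Brian's learn script for every client that is still connected. The function names, the chain-name normalization and the IPTABLES override (set it to "echo" to preview the commands) are assumptions; the vpn2loc and loc2vpn chains are assumed to exist already.

```shell
#!/bin/sh
# Rebuild per-client OpenVPN chains after a Shorewall (re)start, e.g. from
# /etc/shorewall/started.  Assumes the version-1 status file written by the
# "status" directive and that the vpn2loc/loc2vpn chains already exist.
STATUS_LOG="${STATUS_LOG:-/var/log/openvpn-status.log}"
IPTABLES="${IPTABLES:-iptables}"   # set to "echo" to preview the commands

# Print "virtual-address common-name" for every connected client, read
# from the ROUTING TABLE section.  TAP MAC entries and iroute subnets are
# skipped so only single IPv4 hosts end up in -s/-d matches.
openvpn_connected_clients() {
    awk -F, '
        /^ROUTING TABLE/ { in_rt = 1; next }
        /^GLOBAL STATS/  { in_rt = 0 }
        in_rt && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1, $2 }
    ' "$1"
}

# Make a common name usable as a chain name: keep [A-Za-z0-9_-] and leave
# room for the 4-character "2loc"/"loc2" affix within the 28-character
# iptables chain-name limit.
normalize_cn() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9_-' '_' | cut -c1-24
}

# Per-peer rules, taken from the "add" branch of the posted learn script.
add_client_rules() {
    case "$1" in
        brian-laptop)
            $IPTABLES -I "${1}2loc" -p udp --sport 4569 --dport 4569 -j ACCEPT
            ;;
        peer1)
            $IPTABLES -I "loc2${1}" -s 10.75.22.1 -j ACCEPT
            ;;
    esac
}

# Recreate the chains and the vpn2loc/loc2vpn hooks for each client.
rebuild_vpn_chains() {
    openvpn_connected_clients "$1" | while read -r address raw_cn; do
        cn=$(normalize_cn "$raw_cn")
        [ -n "$cn" ] || continue
        $IPTABLES -N "${cn}2loc"
        $IPTABLES -I vpn2loc -s "$address" -j "${cn}2loc"
        $IPTABLES -N "loc2${cn}"
        $IPTABLES -I loc2vpn -d "$address" -j "loc2${cn}"
        add_client_rules "$cn"
    done
}
```

In /etc/shorewall/started the only call needed is `rebuild_vpn_chains "$STATUS_LOG"`; the learn script keeps handling clients that connect or disconnect afterwards.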

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users