On Fri, 2009-06-12 at 08:36 -0700, Mike Lander wrote:
>
> >
> > Mike Lander wrote:
> >
> > > Not sure how to config shorewall or if I have this bridge right, but now there
> > > seem to be several ways to config shorewall here.
> > > Which shorewall docs should I look at with SUSE 11.1 and shorewall 4.2.9?
> >
> > Hi Mike,
> >
> > 'brctl show br0' will show you the bridge configuration.
> Tom
>
> linux-rwu0:~ # brctl show br0
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.0016177efed1       no              eth1
>                                                         tap0
>
> >
> > Do you need to firewall traffic through the bridge? If not, simply set
> > 'routeback' on 'br0' and you are finished. That's
> > http://www.shorewall.net/SimpleBridge.html. If you need to firewall
> > traffic through the bridge, then you need to follow
> > http://www.shorewall.net/bridge-Shorewall-perl.html.
>
> I do need to firewall traffic to the internet on eth0; however, for traffic
> between the bridge I just need traffic shaping. I removed the push
> route and bridge option.
>
> Items I changed in shorewall from the stock two-interface config are in interfaces, masq,
> and routestopped,
> which I believe is correct according to Simple Bridge. I changed these as
> follows:
>
> net eth0 detect tcpflags,nosmurfs
> loc br0 detect routeback
>
> masq
> eth0 br0
>
> routestopped
> br0 -
>
> However, when starting the bridge with /etc/init.d/bridge, I lose connectivity
> with
> the internet from the firewall and LAN. I believe the routing in
> /etc/init.d/bridge
> is incorrect. I followed examples and I believe the gateway is incorrect.
> Here is /etc/init.d/bridge, ip route ls and ifconfig.
>
> #!/bin/bash
>
> ########openvpn bridge-script#################
> # Set up Ethernet bridge on Linux
> # Requires: bridge-utils
> #################################
>
> # Define Bridge Interface
> br="br0"
>
> # Define list of TAP interfaces to be bridged
> tap="tap0"
>
> # Define a list of physical ethernet interfaces to be bridged
> # with TAP interface(s) above.
> #
> eth="eth1"
> eth_ip="10.194.79.191"
> eth_netmask="255.255.255.0"
> eth_broadcast="10.194.79.255"
> default_gw=10.194.79.191
>
Don't add default_gw here; the firewall would be the gateway for that
LAN.
> # Path to the system networking script
> # For Debian
> #NETWORK="/etc/init.d/networking"
> # For SuSE
> NETWORK="/etc/init.d/network"
>
> # Path to the openvpn start/stop script
> OPENVPN_INIT="/etc/init.d/openvpn"
>
> # Path to the openvpn binary
> OPENVPN="/usr/sbin/openvpn"
>
> # Path to the brctl binary
> BRCTL="/sbin/brctl"
>
> # Path to the ifconfig binary
> IFCONFIG="/sbin/ifconfig"
>
> # Path to the route binary
> ROUTE="/sbin/route"
>
> do_start(){
>
>     for i in $tap; do
>         $OPENVPN --mktun --dev $i
>     done
>
>     $BRCTL addbr $br
>
>     for i in $eth; do
>         $BRCTL addif $br $i
>     done
>
>     for i in $tap; do
>         $BRCTL addif $br $i
>     done
>
>     for i in $eth; do
>         $IFCONFIG $i 0.0.0.0 promisc up
>     done
>
>     for i in $tap; do
>         $IFCONFIG $i 0.0.0.0 promisc up
>     done
>
>     $IFCONFIG $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
>
>     $ROUTE add default gw $default_gw
>
>     $OPENVPN_INIT start
>
> }
>
> do_stop(){
>
>     $IFCONFIG $br down
>     $BRCTL delbr $br
>
>     for i in $tap; do
>         $OPENVPN --rmtun --dev $i
>         $IFCONFIG $i down
>         $NETWORK force-reload
>     done
>
>     $OPENVPN_INIT stop
>
> }
>
> case "$1" in
>
>     start)
>         do_start
>         ;;
>     stop)
>         do_stop
>         ;;
>     restart)
>         do_stop
>         sleep 1
>         do_start
>         ;;
>     *)
>         echo "usage: $0 start|stop|restart" >&2
>         exit 3
>         ;;
> esac
> exit 0
>
> linux-rwu0:~ # ip route ls
> 75.149.172.80/28 dev eth0 proto kernel scope link src 75.149.172.88
> 10.194.79.0/24 dev br0 proto kernel scope link src 10.194.79.191
> 169.254.0.0/16 dev eth0 scope link
> 127.0.0.0/8 dev lo scope link
> default via 10.194.79.191 dev br0 scope link
> default via 75.149.172.94 dev eth0
>
> The gateway to br0 is the problem, I think. Since the firewall already has
> a gateway, do I enter 75.149.172.94 as the gateway in /etc/init.d/bridge?
>
No, don't add anything to the bridge script as a gateway.
> ifconfig
>
> linux-rwu0:~ # ifconfig
> br0       Link encap:Ethernet  HWaddr 00:16:17:7E:FE:D1
>           inet addr:10.194.79.191  Bcast:10.194.79.255  Mask:255.255.255.0
>           inet6 addr: fe80::216:17ff:fe7e:fed1/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:1742 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:881 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:145423 (142.0 Kb)  TX bytes:257627 (251.5 Kb)
>
> eth0      Link encap:Ethernet  HWaddr 00:14:D1:13:43:11
>           inet addr:75.149.172.88  Bcast:75.149.172.95  Mask:255.255.255.240
>           inet6 addr: fe80::214:d1ff:fe13:4311/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:739 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:309 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:69916 (68.2 Kb)  TX bytes:36146 (35.2 Kb)
>           Interrupt:20 Base address:0x4000
>
> eth1      Link encap:Ethernet  HWaddr 00:16:17:7E:FE:D1
>           inet6 addr: fe80::216:17ff:fe7e:fed1/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:2987 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1538 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:317952 (310.5 Kb)  TX bytes:528815 (516.4 Kb)
>           Interrupt:23 Base address:0xc000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:25 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:2788 (2.7 Kb)  TX bytes:2788 (2.7 Kb)
>
> tap0      Link encap:Ethernet  HWaddr 8E:F2:06:E9:82:70
>           inet6 addr: fe80::8cf2:6ff:fee9:8270/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1067 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:0 (0.0 b)  TX bytes:85438 (83.4 Kb)
>
>
> Mike
>
Jerry
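The routing table Mike posted shows the symptom Jerry is pointing at: the bridge script adds a default route via 10.194.79.191, which is br0's own address, so the firewall names itself as gateway and a second default route sits ahead of the real one on eth0. The script below is an added example, not code from the thread or from Shorewall; it parses `ip route` text and flags any default route whose gateway is one of the host's own `src` addresses. The two route tables embedded in it are constructed samples: the first is the `ip route ls` output quoted above, the second is what the table should look like once the bridge script no longer adds a gateway.

```shell
#!/bin/sh
# Added example (not from the thread): detect a default route that points
# back at this host, the result of setting default_gw to the bridge's own IP
# in the openvpn bridge script. Runs on 'ip route' text, live or saved.

# Constructed sample: the 'ip route ls' output quoted in the thread.
SAMPLE_ROUTES='75.149.172.80/28 dev eth0 proto kernel scope link src 75.149.172.88
10.194.79.0/24 dev br0 proto kernel scope link src 10.194.79.191
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 10.194.79.191 dev br0 scope link
default via 75.149.172.94 dev eth0'

# Constructed sample: the same host after the bridge script stops adding a
# default route; only the ISP gateway on eth0 remains.
FIXED_ROUTES='75.149.172.80/28 dev eth0 proto kernel scope link src 75.149.172.88
10.194.79.0/24 dev br0 proto kernel scope link src 10.194.79.191
default via 75.149.172.94 dev eth0'

# count_default_routes ROUTES: print how many 'default' entries ROUTES has.
# A firewall with one uplink should have exactly one.
count_default_routes() {
    printf '%s\n' "$1" | awk '$1 == "default" { c++ } END { print c + 0 }'
}

# find_self_gateway_routes ROUTES: print every default route whose gateway is
# a 'src' address of a connected route, i.e. an address this host owns.
# Exit status 0 = none found, 1 = at least one found.
find_self_gateway_routes() {
    printf '%s\n' "$1" | awk '
        # connected routes carry "src <local address>": remember each one
        { for (i = 1; i < NF; i++) if ($i == "src") islocal[$(i + 1)] = 1 }
        # collect default routes; the check waits until every src is known
        $1 == "default" && $2 == "via" { n++; gw[n] = $3; line[n] = $0 }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                if (gw[i] in islocal) { print line[i]; bad = 1 }
            exit bad
        }'
}

# Check the live table when run as "./check-routes.sh --live" (assumed name).
if [ "$#" -eq 1 ] && [ "$1" = "--live" ]; then
    routes=$(ip route ls)
    if find_self_gateway_routes "$routes"; then
        echo "ok: no default route points back at this host"
    else
        echo "problem: drop the default gateway from the bridge script" >&2
        exit 1
    fi
fi
```

On the quoted table the check prints `default via 10.194.79.191 dev br0 scope link` and exits 1; on the corrected table it prints nothing and exits 0, and the default-route count drops from 2 to 1. The `src` field of a kernel connected route is used as the list of local addresses so no second command is needed; the same test can be dropped into the bridge init script after `do_start` to catch a stray gateway before OpenVPN is started.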
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users