Just a small clarification:
my box acts as a one-armed router with a bridge between ethernet (connected to
LAN and WAN) and vpn. If you need the complete shorewall dump, just let me know
(some more VPNs and a secondary wlan0 WAN link out there). As an option I am
considering setting up any filtering I would need in rules for lan2net, but
that's kind of a hack. I'd much rather have the shorewall infrastructure set up
correctly.
Cheers
--
Radoslaw Kamil Ejsmont, Ph.D.
http://radoslaw.ejsmont.net
On 20 Dec 2012, at 12:30, Radoslaw Kamil Ejsmont <[email protected]> wrote:
> Dear all,
>
> I am running quite a non-standard setup, where I need to have multiple zones
> on one of the bridge ports.
> A simplified view of my network is:
>
> NAS/shorewall
> lan(bridge) -- eth0 --> lan/router (192.168.0.1) --> internet (DSL)
> 192.168.0.5 \ tap0 --> vpn
>
>
> I currently have the following config files:
>
> ### interfaces ###
>
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     lan         detect      bridge,dhcp,nosmurfs,tcpflags
> vpn     lan:tap0    detect
>
> ### hosts ###
>
> #ZONE   HOST(S)                OPTIONS
> lan     lan:192.168.0.0/24
>
> ### zones ###
>
> #ZONE     TYPE       OPTIONS    IN         OUT
> #                               OPTIONS    OPTIONS
> fw        firewall
> net       ipv4
> lan:net   ipv4
> vpn:net   bport
>
> ### policy ###
>
> #SOURCE   DEST   POLICY   LOG     LIMIT:   CONNLIMIT:
> #                         LEVEL   BURST    MASK
> $FW       all    ACCEPT
> lan       $FW    ACCEPT
> lan       vpn    ACCEPT
> lan       net    ACCEPT
> vpn       $FW    ACCEPT
> vpn       lan    ACCEPT
> vpn       net    ACCEPT
> all       all    REJECT   info
>
> ### tunnels ###
>
> #TYPE           ZONE   GATEWAY     GATEWAY
> #                                  ZONE
> openvpnserver   net    0.0.0.0/0
>
>
> While this setup works (kind of), I am unable to filter traffic between lan
> and vpn/net zones separately (extract from rules created by shorewall below):
>
> -A INPUT -i lan -j lan_in
> -A FORWARD -i lan -j lan_fwd
> -A OUTPUT -o lan -j lan_out
>
> -A lan_frwd -o lan -j lan2net
> -A lan_fwd -m conntrack --ctstate NEW,INVALID -j dynamic
> -A lan_fwd -m conntrack --ctstate NEW,INVALID -j smurfs
> -A lan_fwd -p udp --dport 67:68 -o lan -j ACCEPT
> -A lan_fwd -p tcp -j tcpflags
> -A lan_fwd -s 192.168.0.0/24 -j lan_frwd
> -A lan_fwd -m physdev --physdev-in tap0 -j vpn_frwd
> -A lan_fwd -j net_frwd
> -A lan_in -m conntrack --ctstate NEW,INVALID -j dynamic
> -A lan_in -m conntrack --ctstate NEW,INVALID -j smurfs
> -A lan_in -p udp --dport 67:68 -j ACCEPT
> -A lan_in -p tcp -j tcpflags
> -A lan_in -s 192.168.0.0/24 -j lan2fw
> -A lan_in -m physdev --physdev-in tap0 -j vpn2fw
> -A lan_in -j net2fw
> -A lan_out -p udp --dport 67:68 -j ACCEPT
> -A lan_out -d 192.168.0.0/24 -j fw2lan
> -A lan_out -j fw2net
>
> In the lan_frwd chain there are no --physdev-out nor -d entries to divide
> forwarded traffic between lan2vpn and lan2net. Similarly, lan_out just
> specifies fw2net, without taking into account fw2lan or fw2vpn.
>
> Is there anything I am doing wrong? (And yes, I know it's generally a bad idea
> to have lan and net on the same iface, but in my network setup - I have no
> choice - and my tiny server has only one eth port.)
>
> Best regards,
>
> Radek
>
> --
> Radoslaw Kamil Ejsmont, Ph.D.
> http://radoslaw.ejsmont.net
>
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
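As an added example (not part of the thread and not Shorewall's own tooling), the check below audits the dispatch chains the author quoted: it parses iptables-save style "-A" lines and flags every jump to a src2dst chain that carries no destination qualifier (-d or --physdev-out), which is exactly why lan2vpn and fw2vpn can never be reached when two zones share one bridge port. The rule sample is constructed from the lines quoted in the mail.

```python
import re
from collections import defaultdict

# Constructed sample: the FORWARD/OUTPUT dispatch chains quoted in the thread,
# in iptables-save style (-A CHAIN <matches> -j TARGET).
RULES = """
-A lan_frwd -o lan -j lan2net
-A lan_fwd -s 192.168.0.0/24 -j lan_frwd
-A lan_fwd -m physdev --physdev-in tap0 -j vpn_frwd
-A lan_fwd -j net_frwd
-A lan_out -p udp --dport 67:68 -j ACCEPT
-A lan_out -d 192.168.0.0/24 -j fw2lan
-A lan_out -j fw2net
""".strip().splitlines()

# Matches that actually narrow where a packet is going. "-o lan" is not one
# of them here: lan is the bridge itself, so every zone on it matches it.
DEST_QUALIFIERS = ("-d", "--physdev-out")
ZONE_PAIR = re.compile(r"^(\w+)2(\w+)$")   # e.g. lan2net, fw2vpn


def parse_rules(lines):
    """Return {chain: [(match_tokens, target), ...]} from -A lines."""
    chains = defaultdict(list)
    for line in lines:
        toks = line.split()
        if len(toks) < 4 or toks[0] != "-A" or "-j" not in toks:
            continue                       # not an append rule; skip
        j = toks.index("-j")
        chains[toks[1]].append((toks[2:j], toks[j + 1]))
    return chains


def unqualified_zone_jumps(chains):
    """List (chain, target) jumps into a src2dst chain with no -d/--physdev-out.

    Such a jump swallows every packet leaving the interface, so any other
    destination zone behind the same bridge port never reaches its own
    src2<zone> chain: lan2net hides lan2vpn, fw2net hides fw2vpn.
    """
    findings = []
    for chain, rules in chains.items():
        for matches, target in rules:
            if ZONE_PAIR.match(target) and not any(
                q in matches for q in DEST_QUALIFIERS
            ):
                findings.append((chain, target))
    return findings


if __name__ == "__main__":
    for chain, target in unqualified_zone_jumps(parse_rules(RULES)):
        print(f"{chain}: jump to {target} has no destination qualifier")
```

Run against a live dump with `iptables-save | grep '^-A'` to see which zone-pair chains are shadowed after a Shorewall change.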