Apologies for the long reply time, I've been quite busy with other projects.
I made the changes you requested (see below for specifics).

1) I am able to start the firewall without connection to OpenVPN
2) I am able to connect to OpenVPN without issue with the firewall up
3) I can then restart the firewall with OpenVPN up to enforce traffic shaping with the 'tun0' adapter
4) I can use the OpenVPN normally during this time
5) I can disconnect the OpenVPN and normal traffic is blocked from traversing my local connection
6) I cannot reconnect to OpenVPN once this is done, though I have supplied rules in 'tcrules' to attempt to provide exceptions for OpenVPN traffic.

Firewall eth0 IP address: 192.168.0.38, gateway (my home router): 192.168.0.1.

I am working from the examples in "MultiISP" (http://www.shorewall.net/MultiISP.html#USE_DEFAULT_RT) and "Complex Traffic Shaping" (http://www.shorewall.net/traffic_shaping.htm#tcrules). I am not the most experienced with routing, so I will freely confess that I do not completely understand most of the discussion in these articles. But the basic idea appears to be: shape traffic to go over OpenVPN only (mark 2), then provide exceptions for traffic defined in 'tcrules' such that said traffic is marked for my standard connection (mark 1). Please correct me if I'm wrong.
(Including changes to files changed since last post)

"providers"
#NAME       NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS
loc         1       1     -          eth0       192.168.0.1  track,balance=1
iPredator   2       2     -          tun0       -            track,balance=2

"rtrules"
#SOURCE  DEST  PROVIDER   PRIORITY
-        -     iPredator  11999

"tcrules"
#ACTION  SOURCE  DESTINATION  PROTOCOL  PORT(S)  CLIENT
#                                                PORT(S)
#allow OpenVPN traffic through
1        $FW     0.0.0.0/0    udp       1194

(I had also tried variations here of:
1        0.0.0.0/0  0.0.0.0/0  udp  1194
As well as:
1        0.0.0.0/0  0.0.0.0/0  udp  1194
1        0.0.0.0/0  0.0.0.0/0  udp  -        1194
)

On 11/19/12, Tom Eastep <[email protected]> wrote:
> On 11/18/12 7:10 PM, f q wrote:
>> I'm looking to have my Debian (ver 6.0.6) server act as a router
>> between network1 (eth1, 10.0.0.0/8) and network2 (eth0,
>> 192.168.0.0/24) while providing Internet access to network1 via
>> OpenVPN. I would like to do this in a way that prevents network1 from
>> accessing the Internet in any way except for OpenVPN. It should also
>> have access to network2 (I have some Samba shares it should have
>> access to).
>>
>
> To accomplish this goal, you must use Shorewall's Multi-ISP capability
> (http://www.shorewall.net/MultiISP.html). One provider will be
> associated with eth0 while the other will be associated with tun0. You
> probably want to make eth0 'required' and tun0 'optional' in
> /etc/shorewall/interfaces.
>
> -Tom
> --
> Tom Eastep          \ When I die, I want to go like my Grandfather who
> Shoreline,           \ died peacefully in his sleep. Not screaming like
> Washington, USA      \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
shorewall_dump_1.1.13.txt.gz
Description: GNU Zip compressed data
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
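Added example (not part of the thread and not Shorewall's own code): a small simulator of the mark-based policy routing the posted providers/rtrules/tcrules files set up, so the expected decision for a given packet can be worked out on paper and then compared with `ip rule show`, `ip route show table <n>` and `ip route get <dst> mark <m>` on the real host. The tcrules row is the one from the post; the rule priorities, the contents of the routing tables (in particular `main` having no default route) and the sample packets are assumptions for illustration. It uses the Linux semantics that policy rules are consulted in ascending priority and that a table with no matching route does not stop the search. The point it makes visible: the udp/1194 exemption routes via `loc` whether or not tun0 exists, but anything else the OpenVPN client needs before the tunnel is up (for instance a DNS lookup of the `remote` hostname, if the client is configured with a name rather than an address) is unmarked, falls into the catch-all rtrules entry and becomes unroutable while tun0 is down.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

FW = "$FW"  # Shorewall's name for traffic that originates on the firewall itself


@dataclass(frozen=True)
class Packet:
    src: str        # FW or an IPv4 address
    dst: str        # IPv4 address
    proto: str
    dport: int


@dataclass(frozen=True)
class MarkRule:
    """One tcrules row: MARK, SOURCE, DEST, PROTO, DEST PORT (None = '-', any port)."""
    mark: int
    src: str
    dst: str
    proto: str
    dport: Optional[int]


@dataclass(frozen=True)
class PolicyRule:
    """One line of `ip rule show`; fwmark None means the rule matches any mark."""
    priority: int
    table: str
    fwmark: Optional[int] = None


def _src_matches(rule_src: str, pkt_src: str) -> bool:
    # "$FW" only ever matches firewall-originated packets, never an address.
    if rule_src == FW or pkt_src == FW:
        return rule_src == pkt_src
    return ip_address(pkt_src) in ip_network(rule_src, strict=False)


def mark_for(pkt: Packet, rules: List[MarkRule]) -> int:
    """First matching tcrules row wins; an unmatched packet carries mark 0."""
    for r in rules:
        if (_src_matches(r.src, pkt.src)
                and ip_address(pkt.dst) in ip_network(r.dst, strict=False)
                and r.proto in ("-", pkt.proto)
                and r.dport in (None, pkt.dport)):
            return r.mark
    return 0


def route_lookup(pkt: Packet, rules: List[MarkRule], policy: List[PolicyRule],
                 tables: Dict[str, List[str]]) -> Optional[str]:
    """Name of the table whose route is used, or None if the packet is unroutable.

    Rules are walked in ascending priority; a rule whose table has no route
    covering the destination does not end the search (Linux semantics)."""
    mark = mark_for(pkt, rules)
    for pr in sorted(policy, key=lambda p: p.priority):
        if pr.fwmark is not None and pr.fwmark != mark:
            continue
        if any(ip_address(pkt.dst) in ip_network(p, strict=False)
               for p in tables.get(pr.table, [])):
            return pr.table
    return None


# The tcrules row from the post: firewall-originated OpenVPN traffic gets mark 1.
TCRULES = [MarkRule(1, FW, "0.0.0.0/0", "udp", 1194)]

# Assumed ordering with illustrative priorities: the providers' fwmark rules
# come before the catch-all rtrules entry (11999), and `main` is consulted last.
POLICY = [
    PolicyRule(10000, "loc", fwmark=1),
    PolicyRule(10001, "iPredator", fwmark=2),
    PolicyRule(11999, "iPredator"),          # the posted rtrules line: everything else
    PolicyRule(32766, "main"),
]

# Constructed sample traffic; 203.0.113.x / 198.51.100.x are documentation addresses.
PACKETS = {
    "openvpn_handshake": Packet(FW, "203.0.113.10", "udp", 1194),
    "dns_from_firewall": Packet(FW, "198.51.100.53", "udp", 53),
    "lan_host_to_internet": Packet("10.0.0.5", "198.51.100.1", "tcp", 443),
}


def scenario(tun0_up: bool) -> Dict[str, Optional[str]]:
    """Route every sample packet with tun0 up or down (table contents are assumed)."""
    tables = {
        "loc": ["192.168.0.0/24", "0.0.0.0/0"],          # default via 192.168.0.1
        "iPredator": ["0.0.0.0/0"] if tun0_up else [],   # emptied when tun0 goes away
        "main": ["192.168.0.0/24", "10.0.0.0/8"],        # assumed: no default route here
    }
    return {name: route_lookup(pkt, TCRULES, POLICY, tables)
            for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for up in (True, False):
        print("tun0", "up:  " if up else "down:", scenario(up))
```

With tun0 down the handshake packet still resolves to `loc`, while the unmarked DNS and LAN packets resolve to no table at all. If the real host disagrees with the simulated answer for the handshake packet, the difference is in the actual rule priorities or table contents, which is what the `ip rule show` and `ip route get` output in the dump should be read against.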
