Tom,

that worked like a charm. Thank you very much!

Best regards,
Dorian

On 13 October 2017 at 19:27, Tom Eastep <teas...@shorewall.net> wrote:
> On 10/13/2017 01:53 AM, Dorian Kind wrote:
>> Hi all,
>>
>> I've been a happy shorewall user since 2009 and never had an issue that I
>> couldn't solve using the excellent documentation. There's just one thing
>> that always bugged me. We have a couple of tunnels to branch offices,
>> for which shorewall inserts the appropriate iptables rules (webr being
>> the local zone, while the *pn zones are connected over IPsec tunnels):
>>
>> Chain webr_frwd (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>> [...]
>>  759K  121M webr2gvapn  all  --  *      eth-ext1  0.0.0.0/0            10.50.0.0/16         policy match dir out pol ipsec
>> 6660K 4097M webr2swlpn  all  --  *      eth-ext1  0.0.0.0/0            10.60.0.0/16         policy match dir out pol ipsec
>>   18M   66G webr2fnopn  all  --  *      eth-ext1  0.0.0.0/0            10.70.0.0/16         policy match dir out pol ipsec
>> 4961K 6804M webr2hyppn  all  --  *      eth-ext1  0.0.0.0/0            10.80.0.0/16         policy match dir out pol ipsec
>> 99227  134M webr2rwvpn  all  --  *      eth-ext1  0.0.0.0/0            10.100.0.0/16        policy match dir out pol ipsec
>>
>> However, in order to prevent local traffic from leaking out when the
>> IPsec SA can't be established for some reason, I use a script to insert
>> the following two rules after shorewall has generated its
>> ruleset--because per policy, local (webr) traffic to the internet is
>> allowed:
>>
>> iptables -I OUTPUT -d 10.0.0.0/8 --out-interface eth-ext1 -m policy --pol none --dir out -j REJECT --reject-with icmp-admin-prohibited
>> iptables -I FORWARD -d 10.0.0.0/8 --out-interface eth-ext1 -m policy --pol none --dir out -j REJECT --reject-with icmp-admin-prohibited
>>
>> I would really like to integrate these rules into the shorewall
>> configuration, but can't figure out any way to do it. From what I can
>> tell, shorewall-rules does not have policy match options.
>>
>> Is there a canonical way to prevent RFC1918-addressed, non-IPsec-encrypted
>> packets from leaving the FW on an external interface?
>>
>
> You can simply put the rules in your rules file as:
>
> ?SECTION ALL
> REJECT(icmp-admin-prohibited)   webr    net:10.0.0.0/8
>
> (assumes that 'webr' is your local LAN and 'net' is the Internet zone)
>
> The jumps to the *webr2net chains specify "-m policy --pol none --dir
> out" and the rules will be in those chains.
>
> -Tom
> --
> Tom Eastep        \   Q: What do you get when you cross a mobster with
> Shoreline,         \     an international standard?
> Washington, USA     \ A: Someone who makes you an offer you can't
> http://shorewall.org \   understand
>                       \_______________________________________________
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

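An added example, written for this thread and not part of either message or of Shorewall itself: a small Python audit that parses an iptables-save style ruleset and reports, for the OUTPUT and FORWARD chains, whether a REJECT or DROP rule with `-m policy --dir out --pol none` on the external interface covers each private network, and whether an earlier ACCEPT in the same chain would let unencrypted traffic out before that rule is reached (the ordering concern behind inserting the rules with `-I`). The interface name `eth-ext1` and the 10.0.0.0/8 destination come from the thread; the sample ruleset is constructed, and jumps into user-defined chains such as Shorewall's `webr2net` are not followed, so a rule living only there is reported as missing in the parent chain.

```python
"""Audit an iptables ruleset for fail-closed rules that stop unencrypted
traffic to private networks from leaving an external interface.

Added example (not from the thread, not Shorewall code). Input is
iptables-save format; the sample below is constructed.
"""
import ipaddress
import shlex

# Options that matter for the audit, mapped to the field they fill.
# Anything else (-m, -p, --reject-with, ...) is skipped with its argument.
_OPTS = {
    "-A": "chain",
    "-d": "dst", "--destination": "dst",
    "-o": "out", "--out-interface": "out",
    "-i": "in", "--in-interface": "in",
    "-j": "target", "--jump": "target",
    "--pol": "pol",
    "--dir": "dir",
}


def parse_rule(line):
    """Parse one '-A CHAIN ...' line into a dict of the fields in _OPTS."""
    rule = {field: None for field in _OPTS.values()}
    rule["negated"] = set()  # fields preceded by '!' (e.g. "! -d 10.0.0.0/8")
    toks = shlex.split(line)
    i, negate = 0, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        has_arg = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        field = _OPTS.get(tok)
        if field is not None:
            rule[field] = toks[i + 1] if has_arg else None
            if negate:
                rule["negated"].add(field)
        negate = False
        i += 2 if has_arg else 1
    return rule


def _dst_covers(rule, net):
    """True if every address in `net` matches the rule's destination."""
    if rule["dst"] is None:
        return True
    dst = ipaddress.ip_network(rule["dst"], strict=False)
    if "dst" in rule["negated"]:
        return not net.overlaps(dst)  # "! -d X" covers net only if disjoint from X
    return net.subnet_of(dst)


def _dst_overlaps(rule, net):
    """True if the rule's destination matches at least part of `net`."""
    if rule["dst"] is None:
        return True
    dst = ipaddress.ip_network(rule["dst"], strict=False)
    if "dst" in rule["negated"]:
        return not net.subnet_of(dst)
    return net.overlaps(dst)


def check_chain(chain_rules, ext_iface, net):
    """Walk a chain top to bottom; the first terminating match decides."""
    for pos, r in enumerate(chain_rules, start=1):
        out_ok = "out" not in r["negated"]
        if (r["target"] in ("REJECT", "DROP") and r["pol"] == "none"
                and r["dir"] == "out" and r["out"] == ext_iface and out_ok
                and _dst_covers(r, net)):
            return "ok"
        # An ACCEPT that does not insist on IPsec and can hit the external
        # interface for (part of) this net wins before the REJECT is reached.
        if (r["target"] == "ACCEPT" and r["out"] in (None, ext_iface) and out_ok
                and r["pol"] in (None, "none") and _dst_overlaps(r, net)):
            return f"shadowed by ACCEPT at position {pos}"
    return "missing"


def audit_fail_closed(ruleset_text, ext_iface, private_nets,
                      chains=("OUTPUT", "FORWARD")):
    """Return {(chain, cidr): status} for every chain/private-net pair."""
    rules = [parse_rule(l) for l in ruleset_text.splitlines() if l.startswith("-A ")]
    findings = {}
    for chain in chains:
        chain_rules = [r for r in rules if r["chain"] == chain]
        for cidr in private_nets:
            findings[(chain, cidr)] = check_chain(
                chain_rules, ext_iface, ipaddress.ip_network(cidr))
    return findings


# Constructed sample modelled on the rules in the thread: OUTPUT is fail-closed
# for 10/8, FORWARD has a plain ACCEPT that shadows its REJECT.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:webr_frwd - [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -o eth-ext1 -m policy --dir out --pol none -j REJECT --reject-with icmp-admin-prohibited
-A FORWARD -o eth-ext1 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth-int -o eth-ext1 -j ACCEPT
-A FORWARD -d 10.0.0.0/8 -o eth-ext1 -m policy --dir out --pol none -j REJECT --reject-with icmp-admin-prohibited
-A FORWARD -i eth-int -j webr_frwd
-A webr_frwd -d 10.50.0.0/16 -o eth-ext1 -m policy --dir out --pol ipsec -j webr2gvapn
COMMIT
"""

if __name__ == "__main__":
    for (chain, cidr), status in audit_fail_closed(
            SAMPLE_RULESET, "eth-ext1", ("10.0.0.0/8", "192.168.0.0/16")).items():
        print(f"{chain:8} {cidr:16} {status}")
```

Run it against a real dump with `iptables-save | python3 audit.py`-style plumbing of your choice; the point of the ACCEPT check is that a fail-closed rule appended at the end of a chain is worthless if an unconditional ACCEPT to the external interface precedes it, which is why the thread inserts with `-I` and why Tom's rules-file entry ends up inside the chain Shorewall jumps to with `--pol none`.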