I have an environment where I have openvpn and shorewall on the same node. Given that I want different rules applied based on who the peer is, and given that IP addresses given out by openvpn can be different from time to time (I don't want to get into statically allocating addresses as peers come and go), I've been cooking up something to make this work.
Essentially what I have is openvpn creating chains and installing rules
in them in the learn script with such stanzas:
if [ "$OP" = "add" ]; then
    # Per-peer chains, hooked off the shared vpn2loc/loc2vpn chains
    iptables -N "${CN}2loc"
    iptables -I vpn2loc -s "$ADDRESS" -j "${CN}2loc"
    iptables -N "loc2${CN}"
    iptables -I loc2vpn -d "$ADDRESS" -j "loc2${CN}"
    case "$CN" in
    "brian-laptop")
        iptables -I "${CN}2loc" -p udp --sport 4569 --dport 4569 -j ACCEPT
        iptables -I "${CN}2loc" -p udp --sport 123 --dport 123 -j ACCEPT
        ;;
    "peer1")
        iptables -I "loc2${CN}" -s 10.75.22.1 -j ACCEPT
        ;;
    esac
else
    if [ -n "$CN" ]; then
        # Unhook and drop the same two chains created above
        iptables -D vpn2loc -s "$ADDRESS" -j "${CN}2loc"
        iptables -F "${CN}2loc"
        iptables -X "${CN}2loc"
        iptables -D loc2vpn -d "$ADDRESS" -j "loc2${CN}"
        iptables -F "loc2${CN}"
        iptables -X "loc2${CN}"
    fi
fi
Where CN is the openvpn name for a peer, normalized to work well in
iptables rule names.
This appears to be working pretty well with some obvious caveats:
* goes to hell in a handbasket if shorewall needs to be restarted
* rules are in the learn script
* probably more caveats
Any thoughts on how to roll this more properly into shorewall so that
rules are specified with the traditional rules syntax and that it
survives restarts?
Cheers,
b.
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
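As an added example (not the poster's script, and not anything from the Shorewall or OpenVPN projects): a POSIX sh learn-address hook built along the same lines as the post, but handling all three operations OpenVPN passes (add, update, delete), recovering the CN on delete (OpenVPN gives only the address then), and recording live peers in a state file so the chains can be replayed after the firewall is restarted. The state-file path, the sanitized chain names and the per-peer rules (reusing the two CNs from the post) are assumptions chosen for illustration; it does not address expressing the rules in Shorewall's own syntax.

```shell
#!/bin/sh
# Added example, not the original poster's script: an OpenVPN learn-address
# hook that builds per-peer chains, handles "update" and "delete" correctly
# (OpenVPN passes no CN on delete, so the CN is looked up by address), and
# records live peers so the rules can be replayed after the firewall is
# restarted.  Chain names, the state-file path and the per-peer rules are
# assumptions chosen for illustration.
#
# OpenVPN calls it as:  learn-address <add|update|delete> <address> [<cn>]
# Replay after a firewall restart:  ./learn-address replay
# Dry run:  IPT=echo ./learn-address add 10.8.0.6 brian-laptop

IPT="${IPT:-iptables}"                            # "echo" for a dry run
STATE="${STATE:-/var/run/openvpn-peers.state}"    # one "cn address" per line

# iptables rejects chain names longer than 28 characters; keep 24 for the CN
# so the "2loc"/"loc2" affix still fits, and allow only [A-Za-z0-9_].
sanitize_cn() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9_' '_' | cut -c1-24
}

# Peer-specific rules keyed on the raw CN.  $2 is the chain for traffic from
# the peer, $3 the chain for traffic to it.  Unknown CNs get empty chains.
peer_rules() {
    case "$1" in
    brian-laptop)
        echo "-A $2 -p udp --sport 4569 --dport 4569 -j ACCEPT"
        echo "-A $2 -p udp --sport 123 --dport 123 -j ACCEPT"
        ;;
    peer1)
        echo "-A $3 -s 10.75.22.1 -j ACCEPT"
        ;;
    esac
}

# Print the iptables argument lists for adding or deleting one peer,
# one per line: chain_cmds <add|delete> <address> <cn>
chain_cmds() {
    safe=$(sanitize_cn "$3")
    cin="${safe}2loc" cout="loc2${safe}"
    case "$1" in
    add)
        echo "-N $cin"
        echo "-N $cout"
        peer_rules "$3" "$cin" "$cout"
        echo "-I vpn2loc -s $2 -j $cin"      # hook in last, once populated
        echo "-I loc2vpn -d $2 -j $cout"
        ;;
    delete)                                  # unhook first, then drop
        echo "-D vpn2loc -s $2 -j $cin"
        echo "-D loc2vpn -d $2 -j $cout"
        echo "-F $cin"; echo "-X $cin"
        echo "-F $cout"; echo "-X $cout"
        ;;
    esac
}

# Run each emitted argument list through $IPT (word splitting is intended).
apply() {
    while IFS= read -r args; do
        $IPT $args
    done
}

# Peer state file: lets "delete" recover the CN and "replay" rebuild rules.
state_lookup() { [ -f "$STATE" ] || return 0; awk -v a="$1" '$2 == a { print $1 }' "$STATE"; }
state_del()    { [ -f "$STATE" ] || return 0; awk -v a="$1" '$2 != a' "$STATE" >"$STATE.tmp" && mv "$STATE.tmp" "$STATE"; }
state_add()    { state_del "$2"; printf '%s %s\n' "$1" "$2" >>"$STATE"; }

learn_address() {
    case "$1" in
    add)
        [ -n "$3" ] || { echo "add: missing common name" >&2; return 1; }
        chain_cmds add "$2" "$3" | apply
        state_add "$3" "$2"
        ;;
    update)     # address reassigned: tear down the old owner, add the new one
        learn_address delete "$2"
        learn_address add "$2" "$3"
        ;;
    delete)
        old=$(state_lookup "$2")
        [ -n "$old" ] || return 0        # never seen, nothing to undo
        chain_cmds delete "$2" "$old" | apply
        state_del "$2"
        ;;
    replay)     # after a firewall restart: re-create every live peer's chains
        [ -f "$STATE" ] || return 0
        while read -r cn addr; do chain_cmds add "$addr" "$cn" | apply; done <"$STATE"
        ;;
    *)
        echo "usage: $0 <add|update|delete|replay> <address> [<cn>]" >&2; return 2
        ;;
    esac
}

if [ $# -gt 0 ]; then learn_address "$@"; fi
```

The rules are emitted as text and only then run, so `IPT=echo` gives a dry run, and the jump rules in vpn2loc/loc2vpn are inserted only after the per-peer chain is populated (and removed before it is flushed), so a peer's traffic is never matched against a half-built chain. Whatever restarts the firewall can call `learn-address replay` afterwards (the vpn2loc/loc2vpn parent chains still have to exist at that point) to rebuild the chains for every peer still connected.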
