I have an environment where I have openvpn and shorewall on the same
node.  Given that I want different rules applied based on who the peer is,
and given that the IP addresses given out by openvpn can be different from
time to time (I don't want to get into statically allocating addresses
as peers come and go), I've been cooking up something to make this work.

Essentially what I have is openvpn creating chains and installing rules
in them in the learn script with stanzas such as:

        if [ "$OP" = "add" ]; then
                # per-peer chains, hooked from Shorewall's vpn2loc / loc2vpn
                iptables -N "${CN}2loc"
                iptables -I vpn2loc -s "$ADDRESS" -j "${CN}2loc"
                iptables -N "loc2${CN}"
                iptables -I loc2vpn -d "$ADDRESS" -j "loc2${CN}"
                case "$CN" in
                        "brian-laptop")
                                iptables -I "${CN}2loc" -p udp --sport 4569 --dport 4569 -j ACCEPT
                                iptables -I "${CN}2loc" -p udp --sport 123 --dport 123 -j ACCEPT
                                ;;
                        "peer1")
                                iptables -I "loc2${CN}" -s 10.75.22.1 -j ACCEPT
                                ;;
                esac
        else
                if [ -n "$CN" ]; then
                        # tear-down mirrors the add branch: same jump rules
                        # (-s on vpn2loc, -d on loc2vpn), same chain names
                        iptables -D vpn2loc -s "$ADDRESS" -j "${CN}2loc"
                        iptables -F "${CN}2loc"
                        iptables -X "${CN}2loc"
                        iptables -D loc2vpn -d "$ADDRESS" -j "loc2${CN}"
                        iptables -F "loc2${CN}"
                        iptables -X "loc2${CN}"
                fi
        fi

Where CN is the openvpn name for a peer, normalized to work well in
iptables rule names.

This appears to be working pretty well with some obvious caveats:

      * goes to hell in a handbasket if shorewall needs to be restarted
      * rules are in the learn script
      * probably more caveats

Any thoughts on how to roll this more properly into shorewall so that
rules are specified with the traditional rules syntax and that it
survives restarts?

Cheers,
b.


Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
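As an added example (not the poster's script, and not part of Shorewall or OpenVPN), here is one way to restructure the learn-address script so that the delete branch is an exact mirror of the add branch, the per-peer chains can be rebuilt after a firewall restart, and a "delete" event (where OpenVPN passes no common name) can still find the right chains. It assumes Shorewall has already created the zone-pair chains vpn2loc and loc2vpn, that chain names are limited to 28 characters, and that the state directory, the IPTABLES/STATE_DIR variables and the "resync" sub-command are this example's own choices. The two peers and their rules are the ones from the post.

```shell
#!/bin/sh
# Added example, not the poster's script: OpenVPN learn-address handler for the
# per-peer chain scheme. Assumptions: Shorewall provides vpn2loc and loc2vpn;
# STATE_DIR, the 28-char chain-name limit and the resync sub-command are mine.
set -u

IPTABLES="${IPTABLES:-iptables}"                  # IPTABLES=echo for a dry run
STATE_DIR="${STATE_DIR:-/var/run/ovpn-peer-chains}"  # address -> CN mapping

# "loc2" + CN must fit in a 28-character chain name, so keep 24 characters of
# [A-Za-z0-9_-]; anything else becomes "_".
normalize_cn() {
    printf '%s\n' "$1" | sed 's/[^A-Za-z0-9_-]/_/g' | cut -c1-24
}

# Per-peer rules keyed on the normalized CN (same two peers as in the post).
peer_rules() {
    case "$1" in
        brian-laptop)
            $IPTABLES -A "${1}2loc" -p udp --sport 4569 --dport 4569 -j ACCEPT
            $IPTABLES -A "${1}2loc" -p udp --sport 123 --dport 123 -j ACCEPT ;;
        peer1)
            $IPTABLES -A "loc2${1}" -s 10.75.22.1 -j ACCEPT ;;
    esac
}

# $1 = normalized CN, $2 = tunnel address. Chains are filled before the jump
# rules are installed, so no packet hits a half-built chain; -N fails if the
# chain survived a lost delete, in which case it is flushed and reused.
peer_add() {
    $IPTABLES -N "${1}2loc" 2>/dev/null || $IPTABLES -F "${1}2loc"
    $IPTABLES -N "loc2${1}" 2>/dev/null || $IPTABLES -F "loc2${1}"
    peer_rules "$1"
    $IPTABLES -I vpn2loc -s "$2" -j "${1}2loc"
    $IPTABLES -I loc2vpn -d "$2" -j "loc2${1}"
    mkdir -p "$STATE_DIR" && printf '%s\n' "$1" > "$STATE_DIR/$2"
}

# Exact mirror of peer_add: unhook first, then flush and delete the chains.
peer_del() {
    $IPTABLES -D vpn2loc -s "$2" -j "${1}2loc"
    $IPTABLES -D loc2vpn -d "$2" -j "loc2${1}"
    $IPTABLES -F "${1}2loc" && $IPTABLES -X "${1}2loc"
    $IPTABLES -F "loc2${1}" && $IPTABLES -X "loc2${1}"
    rm -f "$STATE_DIR/$2"
}

# OpenVPN calls the script with: operation (add|update|delete), address,
# common name. The common name is absent on delete, hence the state file.
learn_address() {
    op=$1; addr=$2; cn=$(normalize_cn "${3:-}")
    old=""
    if [ -r "$STATE_DIR/$addr" ]; then old=$(cat "$STATE_DIR/$addr"); fi
    case "$op" in
        add|update)
            # an update (or a lost delete) leaves stale rules for this address
            if [ -n "$old" ]; then peer_del "$old" "$addr"; fi
            if [ -n "$cn" ]; then peer_add "$cn" "$addr"; fi ;;
        delete)
            if [ -n "$old" ]; then peer_del "$old" "$addr"; fi ;;
        *)  echo "unknown operation: $op" >&2; return 1 ;;
    esac
}

# Rebuild every known peer's chains from the state files, for use after the
# firewall has been restarted and the custom chains flushed away.
resync() {
    for f in "$STATE_DIR"/*; do
        [ -f "$f" ] || continue
        peer_add "$(cat "$f")" "${f##*/}"
    done
}

case "${1:-}" in
    resync) resync ;;
    "")     ;;                        # no arguments: nothing to do
    *)      learn_address "$@" ;;
esac
```

Run it as OpenVPN's learn-address script for the add/update/delete events, and run it with the single argument "resync" from whatever hook your setup executes after Shorewall has come back up (Shorewall's extension scripts are the natural place; which one fits depends on your version, so that is left to the reader). The per-peer rules still live in the script here, which is the poster's second caveat; moving them out is a separate step. IPTABLES=echo prints the exact iptables commands without touching the firewall, which is also how the behaviour below is checked.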