Let me now post my working solution for others who may want this
functionality in future:
shorewall version -> 4.5.5.3
installed packages: shorewall, shorewall-core, shorewall-init
'interfaces'
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags,nosmurfs,routefilter=0,logmartians,required
vpn tun0 detect optional,routefilter=0
'policy'
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net DROP
#VPN
$FW vpn ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
'providers'
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
loc 1 1 - eth0 192.168.0.1 track,fallback=1
iPredator 2 2 - tun0 - track,balance=2
'rtrules'
#SOURCE DEST PROVIDER PRIORITY
lo - iPredator 11999
'rules'
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the network
#
DNS(ACCEPT) $FW net
#Allow OpenVPN traffic to and from the firewall
ACCEPT $FW net udp 1194
ACCEPT net $FW udp 1194
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP) net $FW
'tcrules'
#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT
# PORT(S)
#allow OpenVPN traffic through
1 $FW 0.0.0.0/0 udp 1194
'tunnels'
#TYPE ZONE GATEWAY GATEWAY ZONE
openvpnclient:1194 net 0.0.0.0/0
'zones'
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
vpn ipv4
(This assumes an OpenVPN client connection [UDP / using a tun*
interface] on the default port 1194, originating from the firewall,
where no traffic EXCEPT VPN traffic should flow from the firewall.)
(Obvious improvements include: Allowing DNS lookups ONLY through VPN
[with the exception of lookups of the VPN provider], Allowing
connections from / through the firewall to non-routable networks [e.g.
the private network outside the eth0 interface on the firewall], a
helper script to modify the shorewall configuration to allow different
/ random ports for use with OpenVPN [some VPN providers will accept
OpenVPN connections on any port to circumvent filtering of such traffic
from an ISP]).
All due thanks to Mr. Tom Eastep, for his wonderful product he's
invested so much time and effort into!
On 1/5/13, f q <[email protected]> wrote:
> Excellent! Removing the rule causes the firewall to behave as I expect.
>
> "What do you expect?"
>
> I was using this as an example and the line:
>
> http://www.shorewall.net/MultiISP.html#USE_DEFAULT_RT
>
> "Although 'balance' is automatically assumed when USE_DEFAULT_RT=Yes,
> you can easily cause all traffic to use one provider except when you
> explicitly direct it to use the other provider via shorewall-rtrules
> (5) or shorewall-tcrules (5)."
>
> I see now, that this should include "rules" as well, as we had just found.
>
> Previous experimentation with "USE_DEFAULT_RT=Yes" with the outdated
> version prior to upgrade, did not result in any discernible
> difference, oddly. I was focused on using the files listed here to
> create the behavior I was looking for, as this appeared to be your
> recommendation.
>
> On 1/5/13, Tom Eastep <[email protected]> wrote:
>> On 01/05/2013 04:13 PM, f q wrote:
>>> Apologies, I test my connections by doing a "ping 8.8.8.8" (Google DNS);
>>> So:
>>>
>>> source IP -> 192.168.0.38 (my VPN would be down at this point, after
>>> step
>>> 7)
>>> dest IP -> 8.8.8.8
>>> protocol -> ICMP
>>> port -> NA
>>
>> You have this rule in your rules file:
>>
>> ACCEPT $FW net icmp
>>
>> What do you expect?
>>
>> -Tom
>> --
>> Tom Eastep \ When I die, I want to go like my Grandfather who
>> Shoreline, \ died peacefully in his sleep. Not screaming like
>> Washington, USA \ all of the passengers in his car
>> http://shorewall.net \________________________________________________
>>
>>
>
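Two helpers around the configuration above, added here as an example and not part of the original post or of Shorewall itself. The first lints the 'rules' file for ACCEPT rules that let $FW reach the 'net' zone directly rather than through tun0; with the posted policy the only direct $FW->net flow needed is the OpenVPN control channel, so anything else is reported, including the DNS macro (the "DNS only through the VPN" improvement mentioned above) and a rule such as the "ACCEPT $FW net icmp" one spotted in the thread. The second rewrites the OpenVPN port in rules, tcrules and tunnels, the "helper script" listed under obvious improvements. The config directory, file names and the sample rule lines used for testing are assumptions (constructed); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post or the Shorewall project):
# two small helpers around the "VPN-only firewall" configuration above.
#
#   find_leaks   - lists ACCEPT rules that let $FW reach the 'net' zone
#                  directly (i.e. not through tun0); the only direct
#                  $FW->net flow the posted config needs is the OpenVPN
#                  control channel, so anything else (DNS included, and
#                  the "ACCEPT $FW net icmp" rule from the thread) is a leak.
#   set_vpn_port - rewrites the OpenVPN port in rules, tcrules and tunnels,
#                  the helper the post lists under "obvious improvements".
#
# Assumptions: config files live in the directory passed as $1
# (/etc/shorewall in real use; constructed test data otherwise), the
# zone names are those of the posted files, and the VPN runs over UDP.

# find_leaks RULES_FILE [VPN_PORT]
# Prints every rule whose ACTION contains ACCEPT, SOURCE is $FW and DEST is
# net, except "udp VPN_PORT". Comment and blank lines are skipped.
find_leaks() {
    rules="$1"
    vpnport="${2:-1194}"
    grep -v '^[[:space:]]*#' "$rules" | grep -v '^[[:space:]]*$' |
    awk -v port="$vpnport" '
        $1 ~ /ACCEPT/ && $2 == "$FW" && $3 == "net" {
            if (!($4 == "udp" && $5 == port)) print
        }'
}

# set_vpn_port CONFIG_DIR OLD_PORT NEW_PORT
# Replaces "udp OLD_PORT" at the end of a line in rules and tcrules, and
# "openvpnclient:OLD_PORT" in tunnels. Files are rewritten through a temp
# copy so no GNU "sed -i" is needed. Returns 1 on a non-numeric port.
set_vpn_port() {
    dir="$1"; old="$2"; new="$3"
    case "$new" in
        ''|*[!0-9]*) echo "set_vpn_port: port must be numeric" >&2; return 1 ;;
    esac
    for f in rules tcrules; do
        sed "s/\(udp[[:space:]]\{1,\}\)$old[[:space:]]*$/\1$new/" "$dir/$f" \
            > "$dir/$f.tmp" && mv "$dir/$f.tmp" "$dir/$f"
    done
    sed "s/openvpnclient:$old\([[:space:]]\)/openvpnclient:$new\1/" "$dir/tunnels" \
        > "$dir/tunnels.tmp" && mv "$dir/tunnels.tmp" "$dir/tunnels"
}

# Stand-alone use: sh vpncheck.sh /etc/shorewall [VPN_PORT]
if [ $# -gt 0 ]; then
    find_leaks "$1/rules" "${2:-1194}"
fi
```

Run find_leaks before "shorewall restart" after every edit of the rules file; an empty listing means no rule other than the VPN control channel lets the firewall itself talk to the net zone. After set_vpn_port, the same port must of course also be changed in the OpenVPN client configuration, which the script does not touch.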
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users