Greetings,
I have set up a router which is connected to a private network using
OpenVPN. Everything was working well, but I needed to allow inbound SSH
connections. OpenVPN sets some rules to forward all traffic over the
VPN. To prevent this, I set up a provider to my eth0 connection and set
USE_DEFAULT_RT=No. This seems to have worked. All my devices' outbound
connections are going over the VPN and the inbound connection (SSH)
responses are returning over eth0. Here are my configs:
/etc/shorewall/interfaces
#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth0       detect     routeback,routefilter,dhcp,tcpflags,logmartians,nosmurfs
bri    br0        detect     optional,routeback,routefilter,tcpflags,logmartians,nosmurfs
vpn    tun+       detect     optional,routeback,routefilter,tcpflags,logmartians,nosmurfs

/etc/shorewall/masq
tun+   br0

/etc/shorewall/policy
#SOURCE  DEST  POLICY  LOG LEVEL
$FW      vpn   ACCEPT
$FW      bri   ACCEPT
$FW      net   ACCEPT
bri      vpn   ACCEPT
net      all   DROP    info
# The following policy MUST BE LAST
all      all   REJECT  info

/etc/shorewall/providers
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS          COPY
isp    1       1     -          eth0       192.168.0.1  track,balance=1  -

/etc/shorewall/rules
#ACTION      SOURCE                            DEST  PROTO  DEST  SOURCE   ORIGINAL  RATE       USER/  MARK  CONNLIMIT  TIME
#                                                           PORT  PORT(S)  DEST      LIMIT      GROUP
#SECTION ESTABLISHED
#SECTION RELATED
?SECTION NEW
#Permit all ICMP traffic FROM the firewall TO the net zone
#Only accept ICMP from local networks
ACCEPT       net:192.168.0.0/24,192.168.1.0/24 $FW   icmp   8     -        -         1/sec:1
ACCEPT       bri                               $FW   icmp   8     -        -         1/sec:1
SSH(ACCEPT)  net,bri                           $FW   -      -     -        -         s:1/min:3
DNS(ACCEPT)  bri                               $FW
DHCPfwd(ACCEPT) bri                            $FW
#Last line
DROP         net                               all   all

/etc/shorewall/zones
#ZONE  TYPE      OPTIONS  IN       OUT
#                         OPTIONS  OPTIONS
fw     firewall
net    ipv4
bri    ipv4
vpn    ipv4

/etc/shorewall/shorewall.conf
#Unchanged except this:
USE_DEFAULT_RT=No

/etc/openvpn/vpn.conf
client
dev tun
proto udp
remote VPN 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.pem
auth-user-pass /etc/openvpn/cred
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
user nobody
group nogroup
#route-nopull
#route 10.0.0.1/24
#redirect-gateway
This setup is working. The bridge, DHCP, and DNS are working. Outbound
connections are going over the VPN. Inbound connection responses are
going back over eth0 and not tun+. I have a couple of questions, though:
1. Why do I need /etc/shorewall/providers for this to work? I'm not
using /etc/shorewall/mangle.
2. In the docs it says USE_DEFAULT_RT=No is deprecated. Without turning
it off, I can't get inbound SSH to work. I tried route-nopull in the
OpenVPN config, but after setting up route and redirect-gateway, I
still had the same problem. It seems the VPN provider uses a dynamic
gateway on each connection. With a dynamic gateway, I am not sure
how to use /etc/shorewall/tunnels or /etc/shorewall/mangle. What is
the alternative to USE_DEFAULT_RT=No?
I've come up with this setup by reading the docs, mailing lists, and
forums. Please let me know if there are any glaring security issues. I
am still learning. :-)
Thanks for the help!
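A way to verify the reply-path behaviour described in the post (inbound SSH answers leaving via eth0 while everything else leaves via the tunnel) rather than inferring it from "it seems to work", added here as an example; this is not code from the post and not part of Shorewall. It reads the text output of `ip rule show` and `ip route show table <name>` and checks three things: a fwmark rule sends the provider MARK (1, from the providers file) to the `isp` table, the `isp` table's default route is via 192.168.0.1 on eth0, and the main table's default path (either a plain `default` or OpenVPN's redirect-gateway def1 pair 0.0.0.0/1 + 128.0.0.0/1) leaves via a tun interface. The assumption that `track` installs a fwmark rule named after the provider, the exact mark mask, the tunnel addresses and the sample outputs below are all constructed, not captured from the poster's router.

```python
"""Check the policy-routing state a Shorewall provider with 'track' is
expected to produce, from `ip rule show` / `ip route show table X` text.

Added example for this thread (not Shorewall code, not the poster's).
Assumption: 'track' installs an `ip rule` that sends packets carrying
the provider MARK to a table named after the provider ('isp').
"""
import re

# Constructed sample outputs (not captured from a real router).
GOOD_RULES = (
    "0:\tfrom all lookup local\n"
    "1000:\tfrom all fwmark 0x1/0xff lookup isp\n"     # mask is an assumption
    "32766:\tfrom all lookup main\n"
    "32767:\tfrom all lookup default\n"
)
GOOD_ISP = (
    "default via 192.168.0.1 dev eth0\n"
    "192.168.0.0/24 dev eth0 scope link src 192.168.0.2\n"
)
GOOD_MAIN = (
    "0.0.0.0/1 via 10.8.0.5 dev tun0\n"                # redirect-gateway def1 pair
    "128.0.0.0/1 via 10.8.0.5 dev tun0\n"
    "default via 192.168.0.1 dev eth0 metric 100\n"
    "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6\n"
    "192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1\n"
)
# Broken state: the provider table sends replies into the tunnel too.
BAD_ISP = "default via 10.8.0.5 dev tun0\n"


def parse_ip_rules(text):
    """`ip rule show` lines -> list of (priority, selector, table)."""
    rules = []
    for line in text.strip().splitlines():
        m = re.match(r"\s*(\d+):\s*(.*?)\s+lookup\s+(\S+)", line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules


def parse_routes(text):
    """`ip route show table X` lines -> dicts with dst and, if present, via/dev."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        r = {"dst": parts[0]}
        for i, tok in enumerate(parts):
            if tok in ("via", "dev") and i + 1 < len(parts):
                r[tok] = parts[i + 1]
        routes.append(r)
    return routes


def fwmark_rule_for(rules, table, mark):
    """Priority of the rule matching fwmark `mark` (any mask) -> `table`, or None."""
    for prio, selector, tbl in rules:
        m = re.search(r"fwmark\s+0x([0-9a-f]+)(?:/0x[0-9a-f]+)?", selector)
        if tbl == table and m and int(m.group(1), 16) == mark:
            return prio
    return None


def default_route(routes):
    return next((r for r in routes if r["dst"] == "default"), None)


def tunnel_default(routes, vpn_dev_prefix="tun"):
    """True if the table's default path leaves via the tunnel, either as a
    plain 'default' route or as the def1 pair 0.0.0.0/1 + 128.0.0.0/1."""
    via_tun = {r["dst"] for r in routes if r.get("dev", "").startswith(vpn_dev_prefix)}
    return "default" in via_tun or {"0.0.0.0/1", "128.0.0.0/1"} <= via_tun


def check_reply_path(rule_text, provider_text, main_text, table="isp", mark=1,
                     iface="eth0", gateway="192.168.0.1"):
    """Return a list of findings; an empty list means the state matches intent."""
    findings = []
    if fwmark_rule_for(parse_ip_rules(rule_text), table, mark) is None:
        findings.append(f"no ip rule sends fwmark {mark} to table {table}")
    d = default_route(parse_routes(provider_text))
    if d is None:
        findings.append(f"table {table} has no default route")
    elif d.get("dev") != iface or d.get("via") != gateway:
        findings.append(f"table {table} default is via {d.get('via')} dev {d.get('dev')},"
                        f" expected via {gateway} dev {iface}")
    if not tunnel_default(parse_routes(main_text)):
        findings.append("main table default path does not leave via the tunnel")
    return findings


if __name__ == "__main__":
    # On a live router, feed it the real command output instead of the samples:
    #   ip rule show; ip route show table isp; ip route show table main
    print(check_reply_path(GOOD_RULES, GOOD_ISP, GOOD_MAIN))  # []
    print(check_reply_path(GOOD_RULES, BAD_ISP, GOOD_MAIN))   # one finding
```

If the `isp` table's default ever points at a tun device, inbound SSH replies will be sent into the VPN with a source address the VPN provider does not route, which is exactly the symptom described when USE_DEFAULT_RT is left on.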
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users