OpenVPN / Shorewall – connecting N networks [#2 Shorewall]
To continue my previous article about Virtual Networks, today its time to write the firewall configuration part, which, is a lot more simple than you have imagined.
/etc/shorewal/interfaces
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth1 detect dhcp,tcpflags,routefilter,nosmurfs
loc eth0 detect tcpflags,detectnets,nosmurfs
loc tun+ detect –
/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
ACCEPT fw net udp 10000
ACCEPT net fw udp 10000
ACCEPT fw loc udp 10000
ACCEPT loc fw udp 10000
# PING
Ping/ACCEPT loc $FW
Ping/ACCEPT:warn:PING loc:tun0 loc:eth1
Ping/ACCEPT net $FW
#LAST LINE — ADD YOUR ENTRIES BEFORE THIS ONE — DO NOT REMOVE
I did have to write a special rule for the PING port, but in rest everythig worked perfectly. Please note that this specific rule must be duplicated for each tun interface regarding to the interface it must redirect the messages.
The interface file mentions the third interface (for tunneling in this case) on which openVPN sends the messages.
The rules files enables the port used by openVPN (in this case 10000) and adds the ping rule mentioned above.