Götz Reinicke
2006-Mar-20 19:06 UTC
shorewall 3.0.5, openvpn 2.05 and restricting access to special "local"-lan resources?
Hi,

we have been using shorewall for a couple of years now on different servers and - I love it!

Recently I started to set up a routed OpenVPN_2/shorewall_3 server using the openvpn-2 howto and Tom's Roadwarrior-openvpn doc. At the moment VPN clients can access all local servers, e.g. http/intranet, smb/fileservers, our local DNS and NTP servers.

Now I was looking for a solution to restrict connections, so that I can define which VPN client can access which local servers.

I haven't found any shorewall documentation on that for a routed VPN, but there is the OpenVPN 2.0 How-To. There is a setup for "Configuring client-specific rules and access policies" - that's what I'm looking for. (http://openvpn.net/howto.html#policy)

The OpenVPN config isn't that hard, but how do I set up the iptables rules within shorewall?

Thanks for any hints and tips!

Regards

Götz Reinicke

--
Götz Reinicke
IT Koordinator - IT OfficeNet
Tel. +49 (0) 7141 - 969 420
Fax +49 (0) 7141 - 969 55 420
goetz.reinicke@filmakademie.de
Filmakademie Baden-Württemberg
Mathildenstr. 20
71638 Ludwigsburg
www.filmakademie.de
Tom Eastep
2006-Mar-20 20:53 UTC
Re: shorewall 3.0.5, openvpn 2.05 and restricting access to special "local"-lan resources?
On Monday 20 March 2006 11:06, Götz Reinicke wrote:
> Hi,
>
> we have been using shorewall for a couple of years now on different servers and - I love it!
>
> Recently I started to set up a routed OpenVPN_2/shorewall_3 server using the openvpn-2 howto and Tom's Roadwarrior-openvpn doc. At the moment VPN clients can access all local servers, e.g. http/intranet, smb/fileservers, our local DNS and NTP servers.
>
> Now I was looking for a solution to restrict connections, so that I can define which VPN client can access which local servers.
>
> I haven't found any shorewall documentation on that for a routed VPN, but there is the OpenVPN 2.0 How-To. There is a setup for "Configuring client-specific rules and access policies" - that's what I'm looking for. (http://openvpn.net/howto.html#policy)
>
> The OpenVPN config isn't that hard, but how do I set up the iptables rules within shorewall?
>
> Thanks for any hints and tips!

They are just simple Shorewall rules.

In policy:

vpn     all     REJECT

In rules:

ACCEPT  vpn:<ip range>  dst     proto   port,...

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
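A worked version of Tom's answer, added here as an example and not taken from the thread, Shorewall or OpenVPN themselves. It stages the Shorewall 3.0 files (zones, interfaces, policy, rules) together with the OpenVPN 2.0 side that makes per-client rules meaningful: a `client-config-dir` entry per certificate CN with `ifconfig-push`, so each client always gets the same tun address that the rules key on. All names and addresses are assumptions: zones fw/net/loc/vpn on eth0/eth1/tun0, VPN pool 10.8.0.0/24, LAN 192.168.1.0/24, client CNs sysadmin1 and contractor1, an intranet web server at 192.168.1.10 and a combined DNS/NTP server at 192.168.1.2. The `check_pinned` helper is also an addition: it refuses a rules file that grants access to a `vpn:<addr>` no ccd file pins, because such an address would otherwise be whatever client the pool happens to hand it.

```shell
#!/bin/sh
# Added example (not from the thread): stage a per-client access policy for a
# routed (tun) OpenVPN 2.0 server behind Shorewall 3.0, then sanity-check it.
# Assumed: zones fw/net/loc/vpn, eth0=net, eth1=loc, tun0=vpn, VPN pool
# 10.8.0.0/24, LAN 192.168.1.0/24, client CNs sysadmin1 and contractor1,
# intranet web server 192.168.1.10, DNS/NTP server 192.168.1.2.
set -eu

# stage_config DIR: write DIR/shorewall/{zones,interfaces,policy,rules} and
# DIR/openvpn/{server.conf,ccd/*}. Copy them under /etc to apply for real.
stage_config() {
    d=$1
    mkdir -p "$d/shorewall" "$d/openvpn/ccd"

    cat >"$d/shorewall/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4
EOF
    cat >"$d/shorewall/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
vpn     tun0        -
EOF
    # Tom's "vpn all REJECT": nothing from the VPN zone is allowed unless a
    # rule below says so. It sits above the catch-all so it is the one that wins.
    cat >"$d/shorewall/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
fw      all     ACCEPT
loc     net     ACCEPT
vpn     all     REJECT  info
net     all     DROP    info
all     all     REJECT  info
EOF
    # Per-client rules keyed on the tun address pinned in the ccd files below.
    cat >"$d/shorewall/rules" <<'EOF'
#ACTION SOURCE          DEST                PROTO   DEST PORT(S)
# sysadmin1 (10.8.0.5): full access to the LAN
ACCEPT  vpn:10.8.0.5    loc
# contractor1 (10.8.0.9): intranet web server plus DNS/NTP only
ACCEPT  vpn:10.8.0.9    loc:192.168.1.10    tcp     80,443
ACCEPT  vpn:10.8.0.9    loc:192.168.1.2     udp     53,123
ACCEPT  vpn:10.8.0.9    loc:192.168.1.2     tcp     53
# anything else from vpn (SMB, other hosts, unknown clients) hits the REJECT policy
EOF

    # OpenVPN side: client-config-dir pins each certificate CN to a fixed tun
    # address; ccd-exclusive refuses clients that have no entry, so an unlisted
    # certificate never gets a pool address that happens to match a rule.
    # client-to-client is left off so inter-client traffic goes through tun0
    # and therefore through iptables.
    cat >"$d/openvpn/server.conf" <<'EOF'
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
ccd-exclusive
EOF
    # net30 topology (OpenVPN 2.0 default): client address 4n+1, server end 4n+2
    printf 'ifconfig-push 10.8.0.5 10.8.0.6\n'  >"$d/openvpn/ccd/sysadmin1"
    printf 'ifconfig-push 10.8.0.9 10.8.0.10\n' >"$d/openvpn/ccd/contractor1"
}

# client_addr DIR CN: the tun address pinned for certificate CN.
client_addr() {
    sed -n 's/^ifconfig-push \([0-9.]*\) .*/\1/p' "$1/openvpn/ccd/$2"
}

# check_pinned DIR: every vpn:<addr> used in rules must be pinned by a ccd
# file; a rule for an address nobody is pinned to is either dead or, worse,
# usable by whichever client the pool happens to hand that address.
check_pinned() {
    d=$1
    rc=0
    for addr in $(sed -n 's/^ACCEPT[[:space:]][[:space:]]*vpn:\([0-9.]*\).*/\1/p' "$d/shorewall/rules"); do
        if ! grep -qs "^ifconfig-push $addr " "$d/openvpn/ccd"/*; then
            echo "rules: vpn:$addr is not pinned by any ccd file" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh stage-vpn-policy.sh /tmp/vpn-policy
if [ "${1:-}" ]; then
    stage_config "$1"
    check_pinned "$1"
fi
```

Two points worth keeping in mind when adapting this: the rules are really per certificate, not per person, since the ccd entry is selected by the certificate's CN, so a leaked client key carries that client's LAN access with it; and every client needs its own ccd file with an `ifconfig-push`, otherwise it is served from the dynamic pool and may land on an address some rule grants more than intended.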