Hello all,

I'm setting up an OpenVPN --> Internet gateway, and I'm looking for a little assistance in configuring Shorewall to route packets correctly! What I want is for each user to have a static IP in a local IP address pool, and have any traffic destined for the Internet routed in/out of their own IP address. I'm planning to have OpenVPN running in 'bridge' mode (so all the clients connect to a single IP/port), but I need a way of measuring bandwidth transfer on a per-user basis. Is what I have below on the right lines?

What I have is:

Interfaces:
- eth0 (public Internet) - IP addresses 192.0.2.50 to 192.0.2.100
- tap0 (private VPN device) - IP addresses 10.10.1.1 - 10.10.1.50

Rules:
- accept traffic on port 443 destined for 192.0.2.60, and send it to the OpenVPN daemon (how would I do this? forward to 192.0.2.49, the server's external IP, or something?)
- accept all traffic destined for 192.0.2.60, and one-to-one NAT it to 10.10.1.10 on the tap0 interface.
- accept all traffic coming from 10.10.1.10 and one-to-one NAT it so it seems to come from 192.0.2.60 on eth0 (part of above?)

In addition to these rules, I want to put Snort listening (and blocking) any naughty goings-on - do I just put it listening on the tap0 interface?

Thanks everyone.

Jan Mulders
On Wednesday 09 November 2005 11:48, Jan Mulders wrote:
> Hello all,
>
> I'm setting up an OpenVPN --> Internet gateway, and I'm looking for a
> little assistance in configuring Shorewall to route packets correctly!

Jan,

I ignored your first post and I'm not going to be of much help on this one. While you apparently ask for "....a little assistance...", what you are really asking us to do is configure your router/firewall for you.

Some words of advice....

You don't configure Shorewall "...to route packets correctly" -- except for Proxy ARP (HAVEROUTE column contains No) and the /etc/shorewall/providers file (which has nothing to do with OpenVPN), Shorewall does not configure routing. Please see http://shorewall.net/Shorewall_and_Routing.html. So getting the packets headed in the right direction doesn't have anything to do with Shorewall unless you rewrite the Destination IP address using DNAT. Shorewall can also alter the source IP address (SNAT) so that return traffic can find its way back to the right place.

What you have described in your post SOUNDS like a simple two-interface firewall with 'tap0' as the internal interface. So I suggest that you follow the two-interface QuickStart guide and if you run into problems, ask *specific* questions or file a complete problem report (http://shorewall.net/support.htm).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 09 November 2005 12:50, Tom Eastep wrote:
>
> What you have described in your post SOUNDS like a simple two-interface
> firewall with 'tap0' as the internal interface. So I suggest that you
> follow the two-interface QuickStart guide and if you run into problems, ask
> *specific* questions or file a complete problem report
> (http://shorewall.net/support.htm).

I have read your post again and I'm not clear about what you want from us or what you are trying to do. Still sounds like the two-interface setup with some other stuff added in.

You say that you want to run OpenVPN as a bridge -- that usually involves a bridge device (e.g., br0) and a local network interface (e.g., eth1) which you don't mention (there is OpenVPN bridge documentation on the Shorewall OpenVPN page). You mention needing a way of measuring traffic bandwidth on a per-user basis. Sounds like you need to issue each user an X.509 certificate then associate them with entries in the --client-config-dir (see the above-mentioned documentation). That way, you can assign each user a specific IP address in the local (10.10.1.0/24?) network. You can then monitor traffic to/from each of those addresses and assign it to a "user".

Other points:

a) Port Forwarding HTTPS traffic to 'The OpenVPN daemon' on some address in the public network. Traffic from where? And why??? And since the tap0 device is on the firewall, I assume that the OpenVPN daemon is running there; which means that 192.0.2.49 would need to be a configured address on eth0 -- why not just include '--local 192.0.2.49' in the OpenVPN configuration. Or am I missing something?

b) The stuff having to do with one-to-one NAT seems to require just a single entry in /etc/shorewall/nat so I don't know what the confusion is (or is there any?).

c) Snort -- that's nice but it has nothing to do with Shorewall unless you plan to run Snort inline, in which case you'll have to wait for Mike and Jamie to finish their HOWTO (see the thread from yesterday).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Okay, thanks for your pointers, Tom (and warnings). Yes, this basically boils down to the simple two-interface firewall system, I just didn't recognise it as such at the time. I also apologise for asking you to 'configure my firewall for me'. I was actually fishing for a few useful hints on how to achieve this, but I digress.

I believe I nearly have the configuration sorted - the only problem now is that Shorewall is not forwarding packets between the tunneled interface and the internet. (tcpdump shows echo requests, and 'time exceeded' replies, so something's going on.)

Unfortunately my fallback for if the firewall was misconfigured failed (a reboot set after 15 minutes, with the machine I was admin'ing from added to the routestopped file). I'll get my 'remote hands' (also known as flat-mate) to reboot it in the morning.

To explain what I'm trying to do, I have a set of imaginary public IP addresses, 192.0.2.49 to 100, with the server's eth0 interface being assigned the .49 address itself (for SSH, etc). I want port 443 - the port the OpenVPN daemon is going to listen on - on the .50 IP address to be forwarded correctly to the daemon. I presume this is just done by an 'accept' rule, and I just tell OpenVPN to bind to that external IP?

I also want all incoming and outgoing traffic - in other words, NAT - to be forwarded (or routed or mangled or whatever terminology you wish to use) to the VPN user's private IP address, in this case, 10.10.1.6 (I still do not understand if OpenVPN uses the four extra IPs on every single tun interface, or if it's a 'one off'). To elaborate a bit further on the OpenVPN configuration, I have set tun+ in the 'policy' file to be ACCEPTed by the fw 'interface'. I am using multiple tun interfaces - one for each client - in a routing configuration, rather than a bridging one. I don't know how or why I've decided to do this, but to be honest it's too early in the morning for me to pick apart the differences in scalability, implementation and user control of bridging versus routing and come up with a human-intelligible expression at the end of it.

Suffice to say, each OpenVPN instance - one for each user - needs to listen on the corresponding user's public IP address, and their private IP needs to be NAT'ed to their public one. Bandwidth monitoring will be applied onto the external interface on a per-user basis, as this appears to be the simplest way of doing it.

Is the idea of what I'm trying to do sound, or can anyone suggest a better method of doing this?

If my server was up, I'd provide some config information. However as it is currently not, the above information will have to do until morning.

Sorry if I sound a little disgruntled. I chose Shorewall on the basis that it would make my job -easier-.

Jan

On 09/11/05, Tom Eastep <teastep@shorewall.net> wrote:
> On Wednesday 09 November 2005 12:50, Tom Eastep wrote:
> >
> > What you have described in your post SOUNDS like a simple two-interface
> > firewall with 'tap0' as the internal interface. So I suggest that you
> > follow the two-interface QuickStart guide and if you run into problems,
> > ask *specific* questions or file a complete problem report
> > (http://shorewall.net/support.htm).
>
> I have read your post again and I'm not clear about what you want from us
> or what you are trying to do. Still sounds like the two-interface setup
> with some other stuff added in.
>
> You say that you want to run OpenVPN as a bridge -- that usually involves
> a bridge device (e.g., br0) and a local network interface (e.g., eth1) which
> you don't mention (there is OpenVPN bridge documentation on the Shorewall
> OpenVPN page). You mention needing a way of measuring traffic bandwidth on
> a per-user basis. Sounds like you need to issue each user an X.509 certificate
> then associate them with entries in the --client-config-dir (see the
> above-mentioned documentation). That way, you can assign each user a
> specific IP address in the local (10.10.1.0/24?) network. You can then
> monitor traffic to/from each of those addresses and assign it to a "user".
>
> Other points:
>
> a) Port Forwarding HTTPS traffic to 'The OpenVPN daemon' on some address
> in the public network. Traffic from where? And why??? And since the tap0
> device is on the firewall, I assume that the OpenVPN daemon is running there;
> which means that 192.0.2.49 would need to be a configured address on eth0 --
> why not just include '--local 192.0.2.49' in the OpenVPN configuration. Or
> am I missing something?
>
> b) The stuff having to do with one-to-one NAT seems to require just a
> single entry in /etc/shorewall/nat so I don't know what the confusion is
> (or is there any?).
>
> c) Snort -- that's nice but it has nothing to do with Shorewall unless you
> plan to run Snort inline, in which case you'll have to wait for Mike and
> Jamie to finish their HOWTO (see the thread from yesterday).
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 09 November 2005 17:07, Jan Mulders wrote:
>
> I believe I nearly have the configuration sorted - the only problem now is
> that Shorewall is not forwarding packets between the tunneled interface and
> the internet. (tcpdump shows echo requests, and 'time exceeded' replies, so
> something's going on)

'time exceeded' replies usually mean that you have a routing loop somewhere.

> To explain what I'm trying to do, I have a set of imaginary public IP
> addresses, 192.0.2.49 to 100, with the server's eth0 interface being
> assigned the .49 address itself (for SSH, etc). I want port 443 - the port
> the OpenVPN daemon is going to listen on - on the .50 IP address to be
> forwarded correctly to the daemon. I presume this is just done by an
> 'accept' rule, and I just tell OpenVPN to bind to that external IP?

You can use explicit rules or use the /etc/shorewall/tunnels file. See http://www.shorewall.net/VPNBasics.html and http://www.shorewall.net/OPENVPN.html. The tunnel file entry will not have the capability of specifying only the .50 address whereas ACCEPT rules would.

> I also want all incoming and outgoing traffic - in other words, NAT -
> to be forwarded (or routed or mangled or whatever terminology you wish to
> use) to the VPN user's private IP address, in this case, 10.10.1.6 (I still
> do not understand if OpenVPN uses the four extra IPs on every single tun
> interface, or if it's a 'one off'). To elaborate a bit further on the
> OpenVPN configuration, I have set tun+ in the 'policy' file to be ACCEPTed
> by the fw 'interface'.

The 'four addresses at a time' limitation is for compatibility with the tap driver on Windows when it is running in tunnel mode.

I assume that you don't actually have 'tun+' in the policy file but rather the name of the zone that you have associated with 'tun+' in the interfaces file. Note however that this policy is not necessary for traffic to be able to flow through the firewall from the tunnel interfaces. That policy rather allows *connections* to be made from the hosts on the tunnel interfaces to application programs running on the firewall itself. Both Shorewall policies and rules are about *connections*, not about packet flow.

> I am using multiple tun interfaces - one for each client - in a routing
> configuration, rather than a bridging one. I don't know how or why I've
> decided to do this, but to be honest it's too early in the morning for me
> to pick apart the differences in scalability, implementation and user
> control of bridging versus routing and come up with a human-intelligible
> expression at the end of it.

Well, I wouldn't do it that way -- I would use the openvpn server mode so I had one tun/tap interface regardless of how many clients were connected. There are examples on the Shorewall site:

Bridged - http://www.shorewall.net/OPENVPN.html#id2622264
Tunneled - http://www.shorewall.net/3.0/myfiles.htm#id2509889

> Suffice to say, each OpenVPN instance - one for each user - needs to listen
> on the corresponding user's public IP address, and their private IP needs
> to be NAT'ed to their public one. Bandwidth monitoring will be applied onto
> the external interface on a per-user basis, as this appears to be the
> simplest way of doing it.
>
> Is the idea of what I'm trying to do sound, or can anyone suggest a better
> method of doing this?

So you will need one entry in /etc/shorewall/nat for each of your 'users'. This approach is workable -- note though that if the clients need to communicate with each other, they must do so using internal (private) addresses rather than their public ones.

If I were setting this up, I would be tempted to try this way:

a) As I said above, I would *definitely* use OpenVPN server mode (bridged in this case).

b) I would set my Shorewall box up as a bridge (http://www.shorewall.net/bridge.html) that bridged eth0 and tap0 with device br0.

c) Assign the bridge addresses .49 and .50. Configure OpenVPN with --local .49 and the server on .50.

You can verify the above configuration *without even installing shorewall*. Once the configuration is working, you can add Shorewall to tighten up the security.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
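For the routed variant that Tom calls workable (OpenVPN in server mode with a single tun interface, one /etc/shorewall/nat line per user, per-user counters by private address), the following file fragments are an added example written for this page; they are not from the thread and not from the Shorewall documentation. Assumptions made here: Shorewall 3.0 file formats (zones file with a TYPE column), a zone named vpn for tun+, OpenVPN bound to 192.0.2.50 on TCP port 443 (change the PROTO if the server runs over udp), two users whose fixed client addresses are handed out via --client-config-dir, and ADD_IP_ALIASES=Yes plus IP_FORWARDING=On in shorewall.conf so that Shorewall itself adds the per-user public addresses to eth0.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
vpn     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags
vpn     tun+        -

# /etc/shorewall/policy
# vpn -> fw is deliberately left to the REJECT default: the OpenVPN
# control channel arrives on eth0, so the clients need no access to
# services on the firewall itself.
#SOURCE DEST    POLICY  LOG LEVEL
vpn     net     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Only the .49 (admin) and .50 (OpenVPN) addresses accept connections;
# the per-user .60/.61 addresses are NATed below and get no firewall
# services of their own.
#ACTION SOURCE  DEST            PROTO   DEST PORT(S)
ACCEPT  net     fw:192.0.2.49   tcp     22
ACCEPT  net     fw:192.0.2.50   tcp     443

# /etc/shorewall/nat
# One line per user: inbound to the public address is DNATed to the
# client's fixed tunnel address, outbound from that address is SNATed
# back. ALL INTERFACES=no limits the translation to eth0, which is why
# clients must use each other's private addresses, as Tom notes.
#EXTERNAL    INTERFACE   INTERNAL     ALL INTERFACES  LOCAL
192.0.2.60   eth0        10.10.1.10   no              no
192.0.2.61   eth0        10.10.1.11   no              no

# /etc/shorewall/accounting
# The accounting chain sits in the filter table, after inbound DNAT and
# before outbound SNAT, so both directions are visible under the private
# address. First line of each pair counts bytes sent by the user,
# second line counts bytes delivered to the user.
#ACTION CHAIN   SOURCE       DEST
COUNT   -       10.10.1.10   -
COUNT   -       -            10.10.1.10
COUNT   -       10.10.1.11   -
COUNT   -       -            10.10.1.11
```

Read the per-user byte counts with `shorewall show accounting` and zero them with `shorewall reset`. Counting on the private address rather than on the public one avoids the question Jan raises about where on the external interface the translation happens: the counters see the same address in both directions regardless of NAT.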
Hi, I am unsuccessfully trying to add a machine (ace) to my vendor network. I'm running shorewall2, bering 2.3 rc-1, and no other machines in the vendor network.

I have 5 zones:

loc     Local       Local network
dmz     DMZ         Webserver DMZ
dat     DATA-NET    Data Server Network
air     802.11b     802.11b Network
vpn     ipsec0      VPN
ven     Vendor      Secure Vendor Network

Here's the info I have.

ifconfig on firewall:

eth3      Link encap:Ethernet  HWaddr 00:0D:88:3D:A9:71
          inet addr:192.168.20.1  Bcast:192.168.20.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34715180 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39016932 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3145139575 (2.9 GiB)  TX bytes:4076009337 (3.7 GiB)
          Interrupt:5 Base address:0x2c00

eth5      Link encap:Ethernet  HWaddr 00:C0:4F:79:55:F1
          inet addr:192.168.40.1  Bcast:192.168.40.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9087 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57808 errors:0 dropped:0 overruns:0 carrier:54386
          collisions:0 txqueuelen:1000
          RX bytes:924407 (902.7 KiB)  TX bytes:3587796 (3.4 MiB)
          Interrupt:12 Base address:0xdc00

ifconfig on Ace:

eth0      Link encap:Ethernet  HWaddr 00:08:A1:11:DE:BD
          inet addr:192.168.40.40  Bcast:192.168.40.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:52978 errors:0 dropped:0 overruns:0 frame:0
          TX packets:58537 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:5823699 (5.5 Mb)  TX bytes:5809418 (5.5 Mb)
          Interrupt:3 Base address:0xd800

interfaces file on firewall:

#ZONE   INTERFACE   BROADCAST   OPTIONS     GATEWAY
#
net     eth0        detect
loc     eth1        detect
dmz     eth2        detect
dat     eth3        detect
air     eth4        detect      dhcp
ven     eth5        detect

policy file on firewall:

#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
loc     net     ACCEPT
air     net     ACCEPT
dmz     dmz     ACCEPT
vpn     loc     ACCEPT  info
loc     vpn     ACCEPT  info
loc     ven     ACCEPT  info
net     all     DROP    ULOG

sid# arp -a | grep DE:BD      (mac address of ACE)
? (192.168.40.40) at 00:08:A1:11:DE:BD [ether] PERM on eth5

(I have to put the static entry in to be able to ssh into the machine from the loc/desktop network.)

Here is a snippet from the logs when I try to ssh from my desktop in LOC to Ace:

Nov 22 18:22:22 sid Shorewall:all2all:REJECT: IN=eth3 OUT=eth1 MAC=00:0d:88:3d:a9:71:00:08:a1:11:de:bd:08:00 SRC=192.168.40.40 DST=192.168.0.202 LEN=60 TOS=10 PREC=0x00 TTL=63 ID=50727 CE DF PROTO=TCP SPT=32798 DPT=22 SEQ=4170824679 ACK=0 WINDOW=5840 SYN URGP=0

Snippet from Shorewall rules:

#ssh access for configuration/testing ONLY TEMP
ACCEPT  ven:192.168.40.40   loc     tcp     22
#additional testing
#ACCEPT dat:192.168.40.40   loc     tcp     22

If I however uncomment the dat line directly above, the ssh from ace to my desktop works. Weird. Looks like it's somehow decided that this 192.168.40.40 machine is in the dat zone. Why??? How do I get it to be in the vendor zone? What am I missing other than assigning the appropriate IP address?
On Tuesday 22 November 2005 11:14, Julie S. Lin wrote:
>
> if I however uncomment the dat line directly above, the ssh from ace to
> my desktop works.
> weird. looks like it's somehow decided that this 192.168.40.40 machine
> is in the dat zone. why???
> how do I get it to be in the vendor zone? what am I missing other than
> assigning the appropriate ip address?

Let me guess -- eth3 and eth5 are connected to the same switch/hub, aren't they? If so, please review one of the many warnings about such configurations in the Shorewall documentation -- for example http://www.shorewall.net/2.0/troubleshoot.htm#id2460845 (last bullet).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
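Tom's guess can be checked from the log line alone, because the MAC= field of a netfilter log entry is the raw Ethernet header (destination MAC, source MAC, ethertype). The script below is an added example for this page, not code from the thread or from Shorewall: it parses the REJECT line Julie posted, splits the MAC= field, and compares the IN= interface with the interface the source address should have arrived on. The interface-to-zone and interface-to-subnet tables are reconstructed from her interfaces file and ifconfig output; everything else (function names, the report format) is this example's own.

```python
"""Work out which interface, and therefore which Shorewall zone, a logged
packet really entered on. Added example, not code from the thread.

Tables below are constructed from the ifconfig output and the
/etc/shorewall/interfaces file posted in the thread.
"""
import ipaddress
import re

# Interface -> zone, from the posted interfaces file.
IFACE_ZONE = {
    "eth0": "net", "eth1": "loc", "eth2": "dmz",
    "eth3": "dat", "eth4": "air", "eth5": "ven",
}

# Interface -> (own MAC, attached subnet), from the posted ifconfig output
# (only the two interfaces that were shown).
IFACE_INFO = {
    "eth3": ("00:0d:88:3d:a9:71", ipaddress.ip_network("192.168.20.0/24")),
    "eth5": ("00:c0:4f:79:55:f1", ipaddress.ip_network("192.168.40.0/24")),
}

# The REJECT line from the posted log (one line, wrapped here for readability).
LOG_LINE = (
    "Nov 22 18:22:22 sid Shorewall:all2all:REJECT: IN=eth3 OUT=eth1 "
    "MAC=00:0d:88:3d:a9:71:00:08:a1:11:de:bd:08:00 SRC=192.168.40.40 "
    "DST=192.168.0.202 LEN=60 TOS=10 PREC=0x00 TTL=63 ID=50727 CE DF "
    "PROTO=TCP SPT=32798 DPT=22 SEQ=4170824679 ACK=0 WINDOW=5840 SYN URGP=0"
)

_CHAIN_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):")
_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line):
    """Return (chain, disposition, {KEY: VALUE}) for a Shorewall log line."""
    m = _CHAIN_RE.search(line)
    if m is None:
        raise ValueError("not a Shorewall log line")
    return m.group("chain"), m.group("disp"), dict(_KV_RE.findall(line))


def split_mac_field(mac_field):
    """MAC= is the raw Ethernet header: dst MAC (6), src MAC (6), ethertype (2)."""
    octets = mac_field.lower().split(":")
    if len(octets) < 14:
        raise ValueError("MAC= field too short for an Ethernet header")
    return ":".join(octets[0:6]), ":".join(octets[6:12]), "".join(octets[12:14])


def expected_interface(ip):
    """Interface whose configured subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for iface, (_mac, net) in IFACE_INFO.items():
        if addr in net:
            return iface
    return None


def diagnose(line):
    chain, disp, f = parse_log_line(line)
    ingress = f["IN"]
    dst_mac, src_mac, ethertype = split_mac_field(f["MAC"])
    expected = expected_interface(f["SRC"])
    own_mac = IFACE_INFO.get(ingress, ("", None))[0]
    return {
        "chain": chain,
        "disposition": disp,
        "ingress": ingress,
        "ingress_zone": IFACE_ZONE.get(ingress),
        # True when the frame was addressed to the ingress NIC's own MAC:
        # the host genuinely reached the firewall through that NIC.
        "dst_mac_matches_ingress": own_mac == dst_mac,
        "src_mac": src_mac,
        "ethertype": ethertype,
        "expected_iface": expected,
        "expected_zone": IFACE_ZONE.get(expected),
        # The thread's symptom: source address belongs to one interface's
        # subnet but the frame came in on a different interface.
        "misplaced": expected is not None and expected != ingress,
    }


if __name__ == "__main__":
    r = diagnose(LOG_LINE)
    print(f"{r['chain']}:{r['disposition']} in={r['ingress']} zone={r['ingress_zone']} "
          f"src_mac={r['src_mac']} expected={r['expected_iface']}/{r['expected_zone']}")
    if r["misplaced"]:
        print(f"source belongs to {r['expected_iface']} but entered on {r['ingress']}: "
              "check whether both NICs sit on the same switch/VLAN")
```

For the posted line the destination MAC is eth3's own address, so the host's frames really do arrive on eth3 and Shorewall, which assigns zones by ingress interface, correctly classes the packet as dat. The PERM ARP entry on eth5 only tells the firewall where to send frames to the host; it does not change which NIC the host's own frames come in on, which is why only the commented-out dat rule makes ssh work.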