I have this scenario and everything is working OK, but I want to configure my Shorewall and I can't do it.
My interfaces are:
br0 (bridge of eth0)
tun0 (OpenVPN)
vnet* (each one a bridged interface with a public IP)
Public Main IP: 188.165.X.Y
OpenVPN IPs: 172.28.0.x
Bridge: public IPs
So I have the following configuration for Shorewall:
/etc/shorewall/zones
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
inet    ipv4
road    ipv4

/etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
inet    br0         detect      routeback
road    tun+        detect      routeback

/etc/shorewall/policy
#SOURCE DEST        POLICY      LOG         LIMIT:      CONNLIMIT:
#                               LEVEL       BURST       MASK
$FW     all         ACCEPT
inet    $FW         DROP        info
road    all         DROP
inet    road        DROP

/etc/shorewall/tunnels
#TYPE               ZONE        GATEWAY     GATEWAY
#                                           ZONE
openvpnserver:1194  inet        0.0.0.0/0
The problem is that even with Shorewall running I am able to ping or connect to the virtual machines behind the bridge.
You shouldn't be firewalling interfaces which are members of a bridge, only the bridge interface itself. A bridge is a layer 2 domain, whereas iptables is a layer 3 firewall, so it only works when the host is routing packets at layer 3.
In your case Shorewall should only know about br0 and tun+, since eth0 and vnet+ are members of br0. If you want to police traffic between the VMs and the Internet then you must change your configuration to not bridge the VMs onto the LAN (i.e. take eth0 out of br0).