shorewall - blocking more than it should!
Hello all, my first post here on a subject I have searched and read about but simply cannot make work! Most of the script below is copied and adapted from various sources to my needs.
I am running Plugbox Linux (Arch Linux ARM port) on a rooted Pogoplug (access only via SSH). I am trying a fairly typical setup - I am trying to block all comms unless they are via OpenVPN (i.e. if OpenVPN disconnects then all is blocked). To this effect, I am running shorewall with the following settings:
/etc/shorewall/zones:
fw firewall
net ipv4
vpn ipv4
lan ipv4
/etc/shorewall/policy
$FW lan ACCEPT
lan $FW ACCEPT
/etc/shorewall/interfaces:
- eth0 detect tcpflags,nosmurfs
vpn tap0 - tcpflags,nosmurfs,optional
/etc/shorewall/hosts:
lan eth0:192.168.0.0/24 -
net eth0:!192.168.0.0/24 -
I move my Plugbox between 3 different LANs which start 192.168.x.*, with x being either 1, 2 or 11, so I think this should cover it.
/etc/shorewall/policy:
$FW vpn ACCEPT
$FW net REJECT
vpn $FW DROP
net $FW DROP
After running "shorewall check" I get errors relating to no policies being set between other interfaces. I therefore added (at the end of the list):
all all REJECT
The problem is that all internet access is rejected when shorewall is restarted (but SSH is fine) - I cannot ping an IP address or number. It makes absolutely no difference whether I am connected to the VPN or not. What is really strange is that I cannot even ping the router or my PC, including the one from which I am logged in via SSH, yet SSH is fine!
I therefore tried replacing "all all" with the following but the outcome is the same:
net vpn DROP
vpn net DROP
net lan DROP
lan net DROP
vpn lan ACCEPT
lan vpn ACCEPT
/etc/shorewall/rules:
ACCEPT $FW net:188.126.68.0/22 udp 1194 - - - :root
ACCEPT $FW net:178.73.208.0/22 udp 1194 - - - :root
ACCEPT $FW net:80.67.14.0/23 udp 1194 - - - :root
My VPN provider lists the 3 IP ranges above in their FAQ.
Is anyone able to give me an insight into the problem? Thanks again for any help!
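One check worth running against the hosts file quoted above, added here as an example and not part of the original post: it parses the two hosts entries (a leading "!" on the network is read as "everything on the interface except that network", as in the poster's file) and reports which zone shorewall would place a given eth0 address in. The router and PC addresses are constructed samples; the point is that only addresses inside 192.168.0.0/24 land in "lan", and anything else on eth0 falls through to "net".

```python
import ipaddress

# Constructed copy of the /etc/shorewall/hosts entries from the post.
HOSTS_FILE = """\
lan eth0:192.168.0.0/24 -
net eth0:!192.168.0.0/24 -
"""


def parse_hosts(text):
    """Return (zone, interface, negated, network) tuples from shorewall hosts lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        zone, spec = line.split()[:2]
        iface, _, net = spec.partition(":")
        negated = net.startswith("!")
        entries.append((zone, iface, negated, ipaddress.ip_network(net.lstrip("!"))))
    return entries


def zone_for(address, entries, interface="eth0"):
    """First zone whose host spec matches the address on the interface, else None."""
    addr = ipaddress.ip_address(address)
    for zone, iface, negated, net in entries:
        if iface != interface:
            continue
        # A negated spec matches when the address is NOT inside the network.
        if (addr in net) != negated:
            return zone
    return None


def misplaced_lan_hosts(addresses, entries):
    """Map each address that does not land in 'lan' to the zone it actually gets."""
    return {a: zone_for(a, entries) for a in addresses if zone_for(a, entries) != "lan"}


ENTRIES = parse_hosts(HOSTS_FILE)

if __name__ == "__main__":
    # Sample router/PC addresses from the three LANs mentioned in the post (constructed).
    for addr, zone in misplaced_lan_hosts(
        ["192.168.0.1", "192.168.1.1", "192.168.2.10", "192.168.11.20"], ENTRIES
    ).items():
        print(f"{addr} is placed in zone '{zone}', not 'lan'")
```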