After struggling with Shorewall and iptables for some time, I finally got a working firewall for my Ubuntu system. So, the winner is... FireHOL.
I have two network cards: eth0 (140.116.21.154) for the Internet and eth2 (192.168.0.154) for the local net. On eth0, SSH, Apache and OpenVPN are running. Machines on the local net (eth2) can communicate freely, and so can those on the OpenVPN net. OpenVPN creates a third interface, tun0 (10.8.0.1). Without the tun0 interface in the configuration, OpenVPN clients (10.8.0.6 and 10.8.0.18, say) can communicate with each other, but they cannot reach 10.8.0.1.
Notes.
- I don't have communications between tun0 and eth2 since I do not have a reason for it.
- The file RESERVED_IPS should contain 10.0.0.0/8 and 184.0.0.0/7. If you see the message
      "List of RESERVED_IPS is out of date"
  when starting /etc/init.d/firehol, use /sbin/get-iana to update the RESERVED_IPS file in the /etc/firehol directory. If you have a problem with /sbin/get-iana, edit it as root and change the line that says
      IANA_RESERVED="IANA - Reserved"
  to
      IANA_RESERVED="IANA\|Future use"
  and try again. The Tutorial page on the FireHOL site is very helpful, as is the article "Installing and configuring FireHOL" on Unix-Tutorials.com.
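The note above says RESERVED_IPS must carry 10.0.0.0/8 and 184.0.0.0/7, and the VPN addresses in this post (10.8.0.x) sit inside the first of those prefixes. As an added example (not part of the original post and not FireHOL's own code), here is a small Python checker that reads a RESERVED_IPS-style list, reports the required prefixes the list lacks, and shows which of the host's own addresses fall inside a reserved prefix. The file format (one prefix per line, `#` comments allowed) and the sample file contents are assumptions; the addresses and prefixes are the ones the post gives.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of a RESERVED_IPS-style file: one prefix per line,
# "#" comments and blank lines allowed (assumption about the file format).
# 184.0.0.0/7 is deliberately left out to show what a stale list looks like.
SAMPLE_RESERVED_IPS = """\
# reserved / unallocated prefixes (constructed sample, not a real IANA dump)
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
224.0.0.0/3
"""

# Prefixes the post says must be present for this setup.
REQUIRED_PREFIXES = ["10.0.0.0/8", "184.0.0.0/7"]

# The host's own addresses from the post: eth0 (Internet), eth2 (LAN), tun0 (VPN).
HOST_ADDRESSES = {
    "eth0": "140.116.21.154",
    "eth2": "192.168.0.154",
    "tun0": "10.8.0.1",
}


def parse_reserved_ips(text: str) -> List[ipaddress.IPv4Network]:
    """Parse a RESERVED_IPS-style list into networks, skipping comments and blank lines."""
    networks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        networks.append(ipaddress.ip_network(line, strict=False))
    return networks


def missing_prefixes(networks: List[ipaddress.IPv4Network], required: List[str]) -> List[str]:
    """Return the required prefixes that no network in the list covers."""
    missing = []
    for prefix in required:
        want = ipaddress.ip_network(prefix)
        if not any(want.subnet_of(net) for net in networks):
            missing.append(prefix)
    return missing


def reserved_addresses(networks: List[ipaddress.IPv4Network],
                       addresses: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (interface, address, matching prefix) for each host address inside a reserved range."""
    hits = []
    for iface, addr in addresses.items():
        ip = ipaddress.ip_address(addr)
        for net in networks:
            if ip in net:
                hits.append((iface, addr, str(net)))
                break
    return hits


if __name__ == "__main__":
    nets = parse_reserved_ips(SAMPLE_RESERVED_IPS)
    print("missing required prefixes:", missing_prefixes(nets, REQUIRED_PREFIXES))
    for iface, addr, net in reserved_addresses(nets, HOST_ADDRESSES):
        print(f"{iface} {addr} lies inside reserved prefix {net}")
```

Run against the real /etc/firehol/RESERVED_IPS by replacing the sample string with the file's contents; with the sample above it reports 184.0.0.0/7 as missing and shows that tun0's 10.8.0.1 is inside 10.0.0.0/8 while the public eth0 address is not.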
Now, here is my firehol.conf:
version 5

# eth0: public side, 140.116.21.154
interface "eth0" Internet
    protection strong
    server "http" accept
    server "ssh" accept
    # OpenVPN listens on tcp/1194 and udp/1194; "default" keeps the usual client ports
    server custom openvpn "tcp/1194 udp/1194" default accept
    client all accept

# eth2: local net, 192.168.0.154
interface "eth2" LAN
    policy accept
    client all accept

# tun0: OpenVPN, 10.8.0.1 (without this block, VPN clients cannot reach 10.8.0.1)
interface "tun0" VPN
    policy accept
    client all accept

# local net -> Internet, NATed behind eth0
router lan2internet inface "eth2" outface "eth0"
    client all accept
    route all accept
    masquerade

# VPN clients -> Internet, NATed behind eth0
router vpn2internet inface "tun0" outface "eth0"
    client all accept
    route all accept
    masquerade