doc:howto:vpn.ipsec.firewall

Differences

This shows you the differences between two versions of the page.

doc:howto:vpn.ipsec.firewall [2013/01/20 18:26]
birnenschnitzel
doc:howto:vpn.ipsec.firewall [2015/02/23 16:26] (current)
birnenschnitzel [Firewall integration]
Line 1: Line 1:
 ====== IPsec Firewall ====== ====== IPsec Firewall ======
 +| For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit [[doc/​howto/​vpn.overview]] |
  
 :!: This page is about strongswan. The old racoon documentation can be found [[vpn.ipsec.firewall.racoon|here]]. :!: This page is about strongswan. The old racoon documentation can be found [[vpn.ipsec.firewall.racoon|here]].
Line 111: Line 112:
 So once again we have to fix the queue. Therefore we will put a rule at the first position in the chain. This will ensure that packets to foreign VPN subnets will remain untouched. ​ So once again we have to fix the queue. Therefore we will put a rule at the first position in the chain. This will ensure that packets to foreign VPN subnets will remain untouched. ​
  
 +===== Firewall integration =====
 +
 +To enable custom firewall rules we hook up with the default firewall mechanism. Ensure that firewall user scripts are loaded and reloaded everytime we (re)start the OpenWrt firewall. Verify/​adapt the following lines in /​etc/​config/​firewall
 +
 +<​code>​
 +config include
 +        option path '/​etc/​firewall.user'​
 +        option reload 1
 +</​code>​
 +
 +Additionally place the call to the ipsec user firewall script into /​etc/​firewall.user.
 +
 +<​code>​
 +# This file is interpreted as shell script.
 +# Put your custom iptables rules here, they will
 +# be executed with each firewall (re-)start.
 +
 +# Internal uci firewall chains are flushed and recreated on reload, so
 +# put custom rules into the root chains e.g. INPUT or FORWARD or into the
 +# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
 +
 +/​etc/​firewall.ipsec ​
 +</​code>​
 ===== VPN Firewall Script ===== ===== VPN Firewall Script =====
  
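Review bot: the script path in the new /etc/firewall.user block does not match the script this page documents: firewall.user calls `/etc/firewall.ipsec`, while the script header in the next hunk reads `#/etc/ipsec/firewall.sh`, so one of the two needs correcting. The call should also tolerate a missing or non-executable file so a firewall reload does not abort on a router without the script, e.g. `[ -x /etc/firewall.ipsec ] && /etc/firewall.ipsec`. The pasted comment itself points out that firewall.user runs on every (re)start and that only the internal uci chains are flushed and recreated, so the section should say that the ipsec script must be reload-safe: rules it inserts into root chains such as INPUT or FORWARD survive the reload and are duplicated on each run unless the script flushes its own chain first. Finally, the code line `/etc/firewall.ipsec` carries trailing whitespace that should be trimmed before readers copy it.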
Line 118: Line 142:
 <code bash> <code bash>
 #!/bin/sh #!/bin/sh
-#/​etc/​ipsec/​firewall.sh - version ​1+#/​etc/​ipsec/​firewall.sh - version ​2
  
 . /​etc/​functions.sh . /​etc/​functions.sh
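Review bot: the header comment is bumped from `version 1` to `version 2`, but nothing in the hunk records what changed; add a short changelog line under the version comment, or a sentence in the page text, so readers who already installed the version 1 script know whether they must replace it. The path in this header (`/etc/ipsec/firewall.sh`) also differs from the `/etc/firewall.ipsec` call added to firewall.user in the previous hunk, so one of them should be fixed. Since this revision dates from 2015, it is worth checking whether `. /etc/functions.sh` still resolves on current OpenWrt releases, where the shell helper library was moved to /lib/functions.sh.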
doc/howto/vpn.ipsec.firewall.1358702807.txt.bz2 · Last modified: 2013/01/20 18:26 by birnenschnitzel