For IPSec, we can use the mark feature of iptables to select and (if needed) forward packets sent via an established IPSec tunnel.
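#!/bin/sh
#
# IPsec gateway firewall.
#
# The wired side is trusted outright.  On the wireless side only DHCP,
# SSH, IKE and ESP are accepted; decrypted tunnel traffic is recognised
# by a packet mark that is set on the ESP packet in PREROUTING.
#
# Abort on the first rule that fails to load rather than continuing with a
# half-applied ruleset.
set -e

IFACE_WIRED=eth0
IFACE_WIRELESS=eth1
IPTABLES=/sbin/iptables
# Network on the wireless side that is allowed to bring up IPsec tunnels.
IPSEC_PEERS=10.42.1.0/24
# Mark stamped on ESP packets so the decrypted packets can be recognised.
IPSEC_MARK=1

# Flush existing rules in every table we touch.
"$IPTABLES" -F
"$IPTABLES" -t mangle -F
"$IPTABLES" -t nat -F

# We are picky about what we will take in and what we will forward,
# but we presume anything we output is legit.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -P OUTPUT ACCEPT

# We don't want stuff from the loopback address coming in on anything
# except the loopback interface.  "! -i" is the supported negation
# syntax; the older intrapositioned "-i !" form is deprecated.
"$IPTABLES" -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
"$IPTABLES" -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

# We trust anything from the loopback interface.
"$IPTABLES" -A INPUT -i lo -j ACCEPT

# We also trust anything from our wired Ethernet.
"$IPTABLES" -A INPUT -i "$IFACE_WIRED" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$IFACE_WIRED" -j ACCEPT

# Users can SSH in from anywhere (no interface or source restriction).
"$IPTABLES" -A INPUT -p tcp --dport 22 -j ACCEPT

# On the wireless side we need to leave the following services open:
#
#   DHCP (UDP port 67) -- DHCP runs over UDP; the original rule opened
#                         TCP 67, which no DHCP client talks to.
#   IKE  (UDP port 500), only from the IPsec peer network.
#
# NOTE(review): UDP 4500 is not opened, so IKE/ESP NAT traversal (NAT-T)
# is not possible through this firewall -- confirm no peer sits behind NAT.
# NOTE(review): there is no ESTABLISHED,RELATED rule, so replies to
# connections this host itself opens over the wireless side are dropped
# by the INPUT policy -- confirm that is intended.
"$IPTABLES" -A INPUT -i "$IFACE_WIRELESS" -p udp --dport 67 -j ACCEPT
"$IPTABLES" -A INPUT -i "$IFACE_WIRELESS" -s "$IPSEC_PEERS" \
  -p udp --dport 500 -j ACCEPT

# The following rules handle ESP packets from the wireless network:
#
# - We mark them in the PREROUTING chain.
# - We allow them in the INPUT chain.
# - When the decrypted packets come back around for the INPUT or
#   FORWARD chains, we allow them; the mark holds through decryption.
"$IPTABLES" -t mangle -A PREROUTING -i "$IFACE_WIRELESS" \
  -s "$IPSEC_PEERS" -p esp -j MARK --set-mark "$IPSEC_MARK"
"$IPTABLES" -A INPUT -i "$IFACE_WIRELESS" -s "$IPSEC_PEERS" \
  -p esp -j ACCEPT
"$IPTABLES" -A INPUT -i "$IFACE_WIRELESS" \
  -m mark --mark "$IPSEC_MARK" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$IFACE_WIRELESS" \
  -m mark --mark "$IPSEC_MARK" -j ACCEPT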
For OpenVPN, all we need to do is allow traffic on the port used by our OpenVPN server process and on the tunX interfaces that OpenVPN creates.
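#!/bin/sh
#
# OpenVPN gateway firewall.
#
# The wired side is trusted outright.  On the wireless side only DHCP,
# SSH and the OpenVPN port are accepted; traffic that has already been
# decrypted by OpenVPN arrives on a tunX interface and is trusted there.
#
# Abort on the first rule that fails to load rather than continuing with a
# half-applied ruleset.
set -e

IFACE_WIRED=eth0
IFACE_WIRELESS=eth1
IPTABLES=/sbin/iptables
OPENVPN_PORT=1194
# Network on the wireless side that is allowed to connect to OpenVPN.
OPENVPN_CLIENTS=192.168.1.0/24

# Flush existing rules in every table we touch.
"$IPTABLES" -F
"$IPTABLES" -t mangle -F
"$IPTABLES" -t nat -F

# We are picky about what we will take in and what we will forward,
# but we presume anything we output is legit.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -P OUTPUT ACCEPT

# We don't want stuff from the loopback address coming in on anything
# except the loopback interface.  "! -i" is the supported negation
# syntax; the older intrapositioned "-i !" form is deprecated.
"$IPTABLES" -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
"$IPTABLES" -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

# We trust anything from the loopback interface.
"$IPTABLES" -A INPUT -i lo -j ACCEPT

# We also trust anything from our wired Ethernet.
"$IPTABLES" -A INPUT -i "$IFACE_WIRED" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$IFACE_WIRED" -j ACCEPT

# Users can SSH in from anywhere (no interface or source restriction).
"$IPTABLES" -A INPUT -p tcp --dport 22 -j ACCEPT

# On the wireless side we need to leave the following services open:
#
#   DHCP    (UDP port 67) -- DHCP runs over UDP; the original rule opened
#                            TCP 67, which no DHCP client talks to.
#   OpenVPN (UDP port $OPENVPN_PORT), only from the client network.
#
# NOTE(review): there is no ESTABLISHED,RELATED rule, so replies to
# connections this host itself opens over the wireless side are dropped
# by the INPUT policy -- confirm that is intended.
"$IPTABLES" -A INPUT -i "$IFACE_WIRELESS" -p udp --dport 67 -j ACCEPT
"$IPTABLES" -A INPUT -i "$IFACE_WIRELESS" -s "$OPENVPN_CLIENTS" \
  -p udp --dport "$OPENVPN_PORT" -j ACCEPT

# To finish making OpenVPN work, we need to trust the tunX interfaces.
# "tun+" matches every interface whose name begins with "tun".
"$IPTABLES" -A INPUT -i tun+ -j ACCEPT
"$IPTABLES" -A FORWARD -i tun+ -j ACCEPT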