8. Firewalling the Wireless Side

8.1. IPSec Firewall Script

For IPsec we use the mark feature of iptables. ESP packets arriving from the wireless subnet are marked in the PREROUTING chain of the mangle table; the kernel keeps that mark on the packet through decryption, so the same mark lets us accept the decrypted packets when they come back through the INPUT chain (destined for the gateway itself) or the FORWARD chain (destined for the wired network). Everything else arriving on the wireless interface is dropped, which is the point: an unauthenticated wireless client can reach nothing but DHCP, IKE and SSH. Two caveats: if clients sit behind NAT, IKE and ESP are carried over UDP port 4500 (NAT traversal) and that port needs the same treatment as UDP 500; and on current kernels the iptables policy match (-m policy --dir in --pol ipsec) can select decrypted packets directly, without relying on the mark.

#!/bin/sh

IFACE_WIRED=eth0
IFACE_WIRELESS=eth1
IPTABLES=/sbin/iptables

# Flush existing rules.
$IPTABLES -F
$IPTABLES -t mangle -F
$IPTABLES -t nat -F

# We are picky about what we will take in and what we will forward,
# but we presume anything we output is legit.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# We don't want stuff from the loopback address coming in on anything
# except the loopback interface.
$IPTABLES -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

# We trust anything from the loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

# We also trust anything from our wired Ethernet.
$IPTABLES -A INPUT -i $IFACE_WIRED -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_WIRED -j ACCEPT

# Users can SSH in from anywhere.
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

# On the wireless side we need to leave the following services open:
#
# DHCP (UDP port 67; requests come from 0.0.0.0, so no source filter)
# IKE  (UDP port 500)
$IPTABLES -A INPUT -i $IFACE_WIRELESS -p udp --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $IFACE_WIRELESS -s 10.42.1.0/24 \
          -p udp --dport 500 -j ACCEPT

# The following rules handle ESP packets from the wireless network:
#
# - We mark them in the PREROUTING chain.
# - We allow them in the INPUT chain
# - When the decrypted packets come back around for the INPUT or 
#   FORWARD chains, we allow them; the mark holds through decryption.
$IPTABLES -t mangle -A PREROUTING -i $IFACE_WIRELESS \
          -s 10.42.1.0/24 -p esp -j MARK --set-mark 1
$IPTABLES -A INPUT -i $IFACE_WIRELESS -s 10.42.1.0/24 \
          -p esp -j ACCEPT 
$IPTABLES -A INPUT -i $IFACE_WIRELESS -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_WIRELESS -m mark --mark 1 -j ACCEPT

8.2. OpenVPN Firewall Script

For OpenVPN all we need to do is accept traffic to the UDP port our OpenVPN server process listens on (1194 by default) and accept everything arriving on the tunX interfaces, since any packet OpenVPN delivers on a tun device has already been authenticated and decrypted. The tun+ wildcard matches every such interface, whichever number OpenVPN assigns.

#!/bin/sh

IFACE_WIRED=eth0
IFACE_WIRELESS=eth1
IPTABLES=/sbin/iptables
OPENVPN_PORT=1194

# Flush existing rules.
$IPTABLES -F
$IPTABLES -t mangle -F
$IPTABLES -t nat -F

# We are picky about what we will take in and what we will forward,
# but we presume anything we output is legit.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# We don't want stuff from the loopback address coming in on anything
# except the loopback interface.
$IPTABLES -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

# We trust anything from the loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

# We also trust anything from our wired Ethernet.
$IPTABLES -A INPUT -i $IFACE_WIRED -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_WIRED -j ACCEPT

# Users can SSH in from anywhere.
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

# On the wireless side we need to leave the following services open:
#
# DHCP (UDP port 67; requests come from 0.0.0.0, so no source filter)
# OpenVPN
$IPTABLES -A INPUT -i $IFACE_WIRELESS -p udp --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $IFACE_WIRELESS -s 192.168.1.0/24 \
          -p udp --dport $OPENVPN_PORT -j ACCEPT

# To finish making OpenVPN work, we need to trust the tunX interfaces.
$IPTABLES -A INPUT -i tun+ -j ACCEPT
$IPTABLES -A FORWARD -i tun+ -j ACCEPT
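Both scripts above flush the tables and then re-add rules one iptables call at a time, so there is a window in which the DROP policies are already in force but the ACCEPT rules are not, which can cut off the SSH session you are running the script from. The following is an added example, not part of the original HOWTO: it generates the same wireless-side ruleset for either VPN type in iptables-restore format and loads it in one atomic step. It assumes the interface names and the 10.42.1.0/24 wireless subnet of the IPsec script (overridable from the environment), the OpenVPN default port, and adds an IKE/ESP NAT-traversal rule for UDP 4500 that the scripts above do not have.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): emit the wireless-side
# ruleset for "ipsec" or "openvpn" in iptables-restore format and load it
# atomically, so the firewall never sits in a half-built state.
# Assumed values: interface names and subnet as in the IPsec script above,
# OpenVPN default port; override them in the environment if needed.

IFACE_WIRED=${IFACE_WIRED:-eth0}
IFACE_WIRELESS=${IFACE_WIRELESS:-eth1}
WIRELESS_NET=${WIRELESS_NET:-10.42.1.0/24}
OPENVPN_PORT=${OPENVPN_PORT:-1194}

# Print the complete ruleset for MODE ("ipsec" or "openvpn") on stdout.
gen_rules() {
    mode=$1
    echo '*mangle'
    echo ':PREROUTING ACCEPT [0:0]'
    if [ "$mode" = ipsec ]; then
        # Mark ESP from the wireless subnet; the mark survives decryption.
        echo "-A PREROUTING -i $IFACE_WIRELESS -s $WIRELESS_NET -p esp -j MARK --set-mark 1"
    fi
    echo 'COMMIT'
    # Policies: accept nothing in or through by default, trust our own output.
    # Loopback spoofing is dropped, wired and SSH are trusted, DHCP is UDP 67.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $IFACE_WIRED -j ACCEPT
-A FORWARD -i $IFACE_WIRED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -i $IFACE_WIRELESS -p udp --dport 67 -j ACCEPT
EOF
    case $mode in
    ipsec)
        # IKE, IKE/ESP in UDP for NAT traversal (RFC 3948), raw ESP, and the
        # decrypted packets still carrying the mark set in PREROUTING.
        cat <<EOF
-A INPUT -i $IFACE_WIRELESS -s $WIRELESS_NET -p udp --dport 500 -j ACCEPT
-A INPUT -i $IFACE_WIRELESS -s $WIRELESS_NET -p udp --dport 4500 -j ACCEPT
-A INPUT -i $IFACE_WIRELESS -s $WIRELESS_NET -p esp -j ACCEPT
-A INPUT -i $IFACE_WIRELESS -m mark --mark 1 -j ACCEPT
-A FORWARD -i $IFACE_WIRELESS -m mark --mark 1 -j ACCEPT
EOF
        ;;
    openvpn)
        # The OpenVPN port, plus everything OpenVPN hands us on its tun devices.
        cat <<EOF
-A INPUT -i $IFACE_WIRELESS -s $WIRELESS_NET -p udp --dport $OPENVPN_PORT -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
EOF
        ;;
    *)
        echo "gen_rules: unknown mode '$mode' (use ipsec or openvpn)" >&2
        return 1
        ;;
    esac
    echo 'COMMIT'
}

# Number of -A rules in the generated set, for a quick consistency check.
count_rules() {
    gen_rules "$1" | grep -c '^-A'
}

# Replace the live mangle and filter tables in one step (needs root).
load_rules() {
    gen_rules "$1" | iptables-restore
}

# Run as "sh wireless-fw.sh ipsec" or "sh wireless-fw.sh openvpn";
# with no argument the script only defines the functions.
if [ $# -gt 0 ]; then
    load_rules "$1"
fi
```

Review the generated text with "sh wireless-fw.sh" followed by "gen_rules ipsec" in an interactive shell before loading it, and compare the result of a load against "iptables-save" to confirm that only the mangle and filter tables changed.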