On 05.01.2014 21:55, Christian Boltz wrote:
Hello,
On Sunday, 5 January 2014, Rainer Sokoll wrote:
On 2014-01-05 21:03, Christian Boltz wrote:
I have a VPN connection to my mail server, and would like to enforce that mails can be fetched only over the VPN connection.
What kind of VPN? IPSEC? PPTP (ouch)? OpenVPN? For the latter, see redirect_gateway.
openVPN.
redirect_gateway is useful to let the client set the default route if needed (easier to handle than doing it on the server if you want it only for some clients).
However redirect_gateway only helps when the VPN connection is up.
I'd like to have something that blocks the traffic to 10.7.0.1 when the VPN connection is _down_. Call it a static route for 10.7.0.1 to /dev/null ;-)
You can do exactly that:

susi:~ # ip r
default via 192.168.200.254 dev air proto static
127.0.0.0/8 dev lo scope link
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
192.168.200.0/24 dev air proto kernel scope link src 192.168.200.11 metric 9

(that's my default, 200.0 my home lan, 122.0 my virtual machines NATed to the outside)

susi:~ # ip r add blackhole 10.7.0.1
susi:~ # ping 10.7.0.1
connect: Network is unreachable
susi:~ # ip r del 10.7.0.1
susi:~ # ping -c 3 10.7.0.1
PING 10.7.0.1 (10.7.0.1) 56(84) bytes of data.

--- 10.7.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms

susi:~ #

(of course, I don't get any answers from 10.7.0.1 :-))

Getting this into your VPN connect / disconnect script, I guess you are able to do that :-)
--
Stefan Seyfried
"If your lighter runs out of fluid or flint and stops making fire, and you can't be bothered to figure out about lighter fluid or flint, that is not Zippo's fault." -- bkw
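The blackhole route from the reply above, wired into OpenVPN hooks, as an added example that is not part of the original thread. The script path, the metric value and the `boot` argument are assumptions; it relies on OpenVPN exporting `script_type` to its `route-up` and `down` hooks.

```shell
#!/bin/sh
# Added example: keep the mail server address unreachable unless the tunnel is up.
# Assumed client config (hypothetical path):
#   script-security 2
#   route-up /etc/openvpn/mail-guard.sh
#   down     /etc/openvpn/mail-guard.sh

MAIL_HOST="${MAIL_HOST:-10.7.0.1/32}"   # address from the thread
BH_METRIC="${BH_METRIC:-1000}"          # assumed value; high so a /32 route
                                        # pushed by the VPN can coexist and win
IP_CMD="${IP_CMD:-ip}"                  # overridable for dry runs

vpn_guard() {
    case "$1" in
        route-up)
            # VPN routes are installed now. Remove the blackhole, because a
            # /32 blackhole would otherwise beat a wider VPN route such as
            # 10.7.0.0/24 (longest prefix wins regardless of metric).
            $IP_CMD route del blackhole "$MAIL_HOST" metric "$BH_METRIC" \
                2>/dev/null || true
            ;;
        down|boot)
            # Tunnel gone or not yet up: without this, traffic to the
            # address would follow the default route. 'replace' is
            # idempotent, unlike 'add'.
            $IP_CMD route replace blackhole "$MAIL_HOST" metric "$BH_METRIC"
            ;;
        *)
            echo "usage: $0 route-up|down|boot" >&2
            return 2
            ;;
    esac
}

# OpenVPN exports script_type; a manual or boot-time call passes it as $1.
action="${script_type:-${1:-}}"
if [ -n "$action" ]; then
    vpn_guard "$action"
fi
```

Run it once with `boot` at system start so the blackhole exists before the first connection attempt. If OpenVPN is configured to drop root privileges, the `down` hook can no longer change routes and the blackhole has to be restored by something that still runs as root.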