1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2015 IPFire Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
# Path of the IPsec connection table read by block_ipsec: one connection
# per line, comma-separated fields.
VPN_CONFIG='/var/ipfire/vpn/config'
23 | ||
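block_subnet() {
	# Append a REJECT rule for one destination subnet to the IPSECBLOCK chain.
	#
	# Arguments:
	#   $1 - destination subnet as it appears in the VPN config, in CIDR
	#        (a.b.c.d/n) or dotted-netmask (a.b.c.d/m.m.m.m) form
	#
	# Returns 0 without touching iptables for an empty argument or for a
	# wildcard subnet; otherwise returns the exit status of iptables.
	local subnet="${1}"

	# An empty field (e.g. a malformed config line) gives iptables nothing
	# usable to match on, so skip it instead of producing an error.
	if [ -z "${subnet}" ]; then
		return 0
	fi

	# Don't block a wildcard subnet - that would reject all traffic.
	case "${subnet}" in
		"0.0.0.0/0"|"0.0.0.0/0.0.0.0")
			return 0
			;;
	esac

	iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable
}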
34 | ||
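block_ipsec() {
	# Rebuild the IPSECBLOCK chain from the VPN config: every remote subnet
	# of an enabled net-to-net connection gets a REJECT rule via block_subnet.
	#
	# Reads the comma-separated file in ${VPN_CONFIG}. The unknown* fields
	# are consumed but not used; "rest" absorbs any trailing columns.
	#
	# Returns non-zero if ${VPN_CONFIG} cannot be opened. The exit status of
	# the individual iptables calls is not propagated.

	# Flush all existing rules. NOTE: the chain stays empty until the loop
	# below has re-added every rule, so there is a short window in which
	# nothing is blocked.
	iptables -F IPSECBLOCK

	# "unknown1" must match the name in the read list below; a mismatch
	# would silently leave that field in an undeclared global variable.
	local id status name lefthost type ctype unknown1 unknown2 unknown3
	local leftsubnets unknown4 righthost rightsubnets rest
	while IFS="," read -r id status name lefthost type ctype unknown1 unknown2 unknown3 \
			leftsubnets unknown4 righthost rightsubnets rest; do
		# Check if the connection is enabled
		[ "${status}" = "on" ] || continue

		# Check if this is a net-to-net connection
		[ "${type}" = "net" ] || continue

		# Split multiple subnets on "|" into an array; unlike an unquoted
		# expansion this never subjects the pieces to glob expansion.
		local -a subnets=()
		IFS="|" read -ra subnets <<< "${rightsubnets}"

		local rightsubnet
		for rightsubnet in "${subnets[@]}"; do
			# Skip empty entries left by stray or doubled separators.
			[ -n "${rightsubnet}" ] || continue
			block_subnet "${rightsubnet}"
		done
	done < "${VPN_CONFIG}"
}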
58 | ||
# Rebuild the chain once; on failure exit with block_ipsec's own status.
block_ipsec
rc=$?
if [ "${rc}" -ne 0 ]; then
	exit "${rc}"
fi