]>
Commit | Line | Data |
---|---|---|
80fbd899 MT |
1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2015 IPFire Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
22 | VPN_CONFIG="/var/ipfire/vpn/config" | |
23 | ||
6cf8bc91 MT |
24 | eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings) |
25 | ||
6c920b19 MT |
26 | VARS=( |
27 | id status name lefthost type ctype x1 x2 x3 leftsubnets | |
28 | x4 righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12 | |
29 | x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24 | |
4cf4f8f6 MT |
30 | route x26 x27 x28 x29 x30 x31 x32 x33 x34 x35 |
31 | interface_mode interface_address interface_mtu rest | |
6c920b19 MT |
32 | ) |
33 | ||
80fbd899 MT |
34 | block_subnet() { |
35 | local subnet="${1}" | |
cda384a2 | 36 | local action="${2}" |
80fbd899 MT |
37 | |
38 | # Don't block a wildcard subnet | |
39 | if [ "${subnet}" = "0.0.0.0/0" ] || [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then | |
40 | return 0 | |
41 | fi | |
42 | ||
cda384a2 MT |
43 | case "${action}" in |
44 | reject) | |
45 | iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable | |
46 | ;; | |
47 | drop) | |
48 | iptables -A IPSECBLOCK -d "${subnet}" -j DROP | |
49 | ;; | |
50 | *) | |
51 | return 1 | |
52 | ;; | |
53 | esac | |
54 | ||
55 | return 0 | |
80fbd899 MT |
56 | } |
57 | ||
6c920b19 | 58 | install_policy() { |
6cf8bc91 MT |
59 | # Flush existing rules |
60 | iptables -F IPSECINPUT | |
61 | iptables -F IPSECOUTPUT | |
80fbd899 MT |
62 | iptables -F IPSECBLOCK |
63 | ||
6cf8bc91 MT |
64 | # We are done when IPsec is not enabled |
65 | [ "${ENABLED}" = "on" ] || exit 0 | |
66 | ||
67 | # IKE | |
68 | iptables -A IPSECINPUT -p udp --dport 500 -j ACCEPT | |
69 | iptables -A IPSECOUTPUT -p udp --dport 500 -j ACCEPT | |
70 | ||
71 | # IKE NAT | |
72 | iptables -A IPSECINPUT -p udp --dport 4500 -j ACCEPT | |
73 | iptables -A IPSECOUTPUT -p udp --dport 4500 -j ACCEPT | |
74 | ||
cda384a2 | 75 | # Register local variables |
6c920b19 MT |
76 | local "${VARS[@]}" |
77 | local action | |
cda384a2 | 78 | |
6c920b19 | 79 | while IFS="," read -r "${VARS[@]}"; do |
80fbd899 MT |
80 | # Check if the connection is enabled |
81 | [ "${status}" = "on" ] || continue | |
82 | ||
83 | # Check if this a net-to-net connection | |
84 | [ "${type}" = "net" ] || continue | |
85 | ||
86 | # Split multiple subnets | |
87 | rightsubnets="${rightsubnets//\|/ }" | |
88 | ||
cda384a2 MT |
89 | case "${route}" in |
90 | route) | |
91 | action="drop" | |
92 | ;; | |
93 | *) | |
94 | action="reject" | |
95 | ;; | |
96 | esac | |
97 | ||
80fbd899 MT |
98 | local rightsubnet |
99 | for rightsubnet in ${rightsubnets}; do | |
cda384a2 | 100 | block_subnet "${rightsubnet}" "${action}" |
80fbd899 MT |
101 | done |
102 | done < "${VPN_CONFIG}" | |
103 | } | |
104 | ||
6c920b19 | 105 | install_policy || exit $? |