[people/pmueller/ipfire-2.x.git] / config / firewall / ipsec-policy

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2015 IPFire Team                                              #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

VPN_CONFIG="/var/ipfire/vpn/config"

eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)

VARS=(
	id status name lefthost type ctype x1 x2 x3 leftsubnets
	x4 righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
	x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
	route x26 x27 x28 x29 x30 x31 x32 x33 x34 x35
	interface_mode interface_address interface_mtu rest
)

block_subnet() {
	local subnet="${1}"
	local action="${2}"

	# Don't block a wildcard subnet
	if [ "${subnet}" = "0.0.0.0/0" ] || [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
		return 0
	fi

	case "${action}" in
		reject)
			iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable
			;;
		drop)
			iptables -A IPSECBLOCK -d "${subnet}" -j DROP
			;;
		*)
			return 1
			;;
	esac

	return 0
}

install_policy() {
	# Flush existing rules
	iptables -F IPSECINPUT
	iptables -F IPSECOUTPUT
	iptables -F IPSECBLOCK

	# We are done when IPsec is not enabled
	[ "${ENABLED}" = "on" ] || exit 0

	# IKE
	iptables -A IPSECINPUT  -p udp --dport 500 -j ACCEPT
	iptables -A IPSECOUTPUT -p udp --dport 500 -j ACCEPT

	# IKE NAT
	iptables -A IPSECINPUT  -p udp --dport 4500 -j ACCEPT
	iptables -A IPSECOUTPUT -p udp --dport 4500 -j ACCEPT

	# Register local variables
	local "${VARS[@]}"
	local action

	while IFS="," read -r "${VARS[@]}"; do
		# Check if the connection is enabled
		[ "${status}" = "on" ] || continue

		# Check if this a net-to-net connection
		[ "${type}" = "net" ] || continue

		# Split multiple subnets
		rightsubnets="${rightsubnets//\|/ }"

		case "${route}" in
			route)
				action="drop"
				;;
			*)
				action="reject"
				;;
		esac

		local rightsubnet
		for rightsubnet in ${rightsubnets}; do
			block_subnet "${rightsubnet}" "${action}"
		done
	done < "${VPN_CONFIG}"
}

install_policy || exit $?
Commit	Line	Data
80fbd899 MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2015 IPFire Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	VPN_CONFIG="/var/ipfire/vpn/config"
	23
6cf8bc91 MT	24	eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
6cf8bc91 MT	25
6c920b19 MT	26	VARS=(
	27	id status name lefthost type ctype x1 x2 x3 leftsubnets
	28	x4 righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
	29	x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
4cf4f8f6 MT	30	route x26 x27 x28 x29 x30 x31 x32 x33 x34 x35
4cf4f8f6 MT	31	interface_mode interface_address interface_mtu rest
6c920b19 MT	32	)
6c920b19 MT	33
80fbd899 MT	34	block_subnet() {
80fbd899 MT	35	local subnet="${1}"
cda384a2	36	local action="${2}"
80fbd899 MT	37
	38	# Don't block a wildcard subnet
	39	if [ "${subnet}" = "0.0.0.0/0" ] \|\| [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
	40	return 0
	41	fi
	42
cda384a2 MT	43	case "${action}" in
	44	reject)
	45	iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable
	46	;;
	47	drop)
	48	iptables -A IPSECBLOCK -d "${subnet}" -j DROP
	49	;;
	50	*)
	51	return 1
	52	;;
	53	esac
	54
	55	return 0
80fbd899 MT	56	}
80fbd899 MT	57
6c920b19	58	install_policy() {
6cf8bc91 MT	59	# Flush existing rules
	60	iptables -F IPSECINPUT
	61	iptables -F IPSECOUTPUT
80fbd899 MT	62	iptables -F IPSECBLOCK
80fbd899 MT	63
6cf8bc91 MT	64	# We are done when IPsec is not enabled
	65	[ "${ENABLED}" = "on" ] \|\| exit 0
	66
	67	# IKE
	68	iptables -A IPSECINPUT -p udp --dport 500 -j ACCEPT
	69	iptables -A IPSECOUTPUT -p udp --dport 500 -j ACCEPT
	70
	71	# IKE NAT
	72	iptables -A IPSECINPUT -p udp --dport 4500 -j ACCEPT
	73	iptables -A IPSECOUTPUT -p udp --dport 4500 -j ACCEPT
	74
cda384a2	75	# Register local variables
6c920b19 MT	76	local "${VARS[@]}"
6c920b19 MT	77	local action
cda384a2	78
6c920b19	79	while IFS="," read -r "${VARS[@]}"; do
80fbd899 MT	80	# Check if the connection is enabled
	81	[ "${status}" = "on" ] \|\| continue
	82
	83	# Check if this a net-to-net connection
	84	[ "${type}" = "net" ] \|\| continue
	85
	86	# Split multiple subnets
	87	rightsubnets="${rightsubnets//\\|/ }"
	88
cda384a2 MT	89	case "${route}" in
	90	route)
	91	action="drop"
	92	;;
	93	*)
	94	action="reject"
	95	;;
	96	esac
	97
80fbd899 MT	98	local rightsubnet
80fbd899 MT	99	for rightsubnet in ${rightsubnets}; do
cda384a2	100	block_subnet "${rightsubnet}" "${action}"
80fbd899 MT	101	done
	102	done < "${VPN_CONFIG}"
	103	}
	104
6c920b19	105	install_policy \|\| exit $?