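#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2015 IPFire Team                                              #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
#                                                                             #
###############################################################################

# Connection file read by install_policy: one connection per line with
# comma-separated columns (the column order is given by VARS below).
VPN_CONFIG="/var/ipfire/vpn/config"

# Import the global IPsec settings; presumably this is where ENABLED comes
# from. The command substitution is quoted so that readhash's output is
# evaluated verbatim instead of being word-split and glob-expanded first.
eval "$(/usr/local/bin/readhash /var/ipfire/vpn/settings)"
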
6c920b19 | 26 | VARS=( |
68263645 MT |
27 | id status name lefthost type ctype psk local local_id leftsubnets |
28 | remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 | |
c32fc72e MT |
29 | x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22 |
30 | route x23 mode interface_mode interface_address interface_mtu rest | |
6c920b19 MT |
31 | ) |
32 | ||
80fbd899 MT |
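# block_subnet SUBNET ACTION
#
# Appends a rule to the IPSECBLOCK chain for traffic destined to SUBNET.
# ACTION is one of:
#   none   - do nothing (used for routed connections)
#   reject - REJECT with icmp-net-unreachable
#   drop   - DROP silently
#
# Returns 0 when there is nothing to do, 1 for an unknown ACTION, and
# otherwise the exit status of iptables, so that a rule that could not be
# installed is visible to the caller instead of being reported as success.
block_subnet() {
	local subnet="${1}"
	local action="${2}"

	# The caller explicitly asked for no blocking of this subnet
	if [ "${action}" = "none" ]; then
		return 0
	fi

	# Never block a wildcard subnet: a 0.0.0.0/0 destination would match
	# every packet leaving the box
	if [ "${subnet}" = "0.0.0.0/0" ] || [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
		return 0
	fi

	case "${action}" in
		reject)
			iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable
			return $?
			;;
		drop)
			iptables -A IPSECBLOCK -d "${subnet}" -j DROP
			return $?
			;;
		*)
			# Unknown action: nothing was installed
			return 1
			;;
	esac
}
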
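# install_policy
#
# Rebuilds the IPSECINPUT, IPSECOUTPUT and IPSECBLOCK chains from the global
# IPsec settings (ENABLED) and the per-connection file ${VPN_CONFIG}.
# Reads VARS for the column layout and calls block_subnet for every remote
# subnet of a net-to-net connection that has no interface mode.
#
# Returns 0 on completion; the return status of iptables calls is not
# inspected here.
install_policy() {
	# Flush the chains first so that rules from a previous run never survive
	# a configuration change. Note that the chains are briefly empty while
	# the rules are rebuilt below.
	iptables -F IPSECINPUT
	iptables -F IPSECOUTPUT
	iptables -F IPSECBLOCK

	# With IPsec disabled the chains stay empty. Return instead of exit so
	# the function does not terminate whatever shell called it.
	[ "${ENABLED}" = "on" ] || return 0

	# IKE
	iptables -A IPSECINPUT -p udp --dport 500 -j ACCEPT
	iptables -A IPSECOUTPUT -p udp --dport 500 -j ACCEPT

	# IKE NAT traversal
	iptables -A IPSECINPUT -p udp --dport 4500 -j ACCEPT
	iptables -A IPSECOUTPUT -p udp --dport 4500 -j ACCEPT

	# One local variable per column of the connection file (this includes a
	# variable literally named "local", which is a column, not the builtin),
	# plus the block action derived from the routing mode.
	local "${VARS[@]}"
	local action
	local rightsubnet

	while IFS="," read -r "${VARS[@]}"; do
		# Skip disabled connections
		[ "${status}" = "on" ] || continue

		# Only net-to-net connections get rules
		[ "${type}" = "net" ] || continue

		# An unset or "off" local network means "any"
		if [ -z "${local}" ] || [ "${local}" = "off" ]; then
			local="0.0.0.0/0"
		fi

		# Connections using a GRE interface need the GRE protocol permitted
		# between both tunnel endpoints
		case "${interface_mode}" in
			gre)
				if [ -n "${remote}" ]; then
					iptables -A IPSECINPUT -p gre \
						-s "${remote}" -d "${local}" -j ACCEPT

					iptables -A IPSECOUTPUT -p gre \
						-s "${local}" -d "${remote}" -j ACCEPT
				fi
				;;
		esac

		# Block rules are installed only for connections without an
		# interface mode
		[ -n "${interface_mode}" ] && continue

		# The remote subnets are stored "|"-separated; turn them into a
		# whitespace-separated list for the loop below
		rightsubnets="${rightsubnets//\|/ }"

		# Routed connections get no block rules; everything else rejects
		# traffic to its remote subnets
		case "${route}" in
			route)
				action="none"
				;;
			*)
				action="reject"
				;;
		esac

		for rightsubnet in ${rightsubnets}; do
			block_subnet "${rightsubnet}" "${action}"
		done
	done < "${VPN_CONFIG}"
}
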
# Entry point: rebuild the policy and exit with its status
install_policy
exit $?