1 diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
2 index 3a40e21..d9f3ea0 100644
3 --- a/src/_updown/_updown.in
4 +++ b/src/_updown/_updown.in
5 @@ -193,6 +193,29 @@ custom:*) # custom parameters (see above CAUTION comment)
9 +function ip_encode() {
14 + int=$(( $(( $int << 8 )) | $field ))
20 +function ip_in_subnet() {
22 + netmask=$(_netmask $2)
23 + [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
26 +function _netmask() {
29 + [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
32 # utility functions for route manipulation
33 # Meddling with this stuff should not be necessary and requires great care.
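Review bot: The three helpers `ip_encode`, `ip_in_subnet` and `_netmask` at the top of the hunk carry no statement of their contract (dotted-quad in, `NET/LEN` in, exit status 0 = address inside the subnet), and `_netmask` is defined after its caller, so a reader has to reconstruct the intent from the arithmetic. Suggest a header comment above `function ip_encode()`: `# ip_encode A.B.C.D -> 32-bit integer; ip_in_subnet ADDR NET/LEN -> exit 0 if ADDR lies in NET; _netmask NET/LEN -> integer mask (-1 << k relies on the shell's sign-extended 64-bit arithmetic, which is why the /0 case is special-cased)`. The `function name()` form and the `<<`/`&` arithmetic are bash/ksh rather than POSIX sh, so this is worth confirming against the shell the generated script is run with on IPFire. Several lines of this hunk (the bodies of `ip_encode`, `ip_in_subnet` and `_netmask`) are not shown here, so any input validation they contain is invisible to this review.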
35 @@ -397,12 +420,12 @@ up-host:iptables)
36 # connection to me, with (left/right)firewall=yes, coming up
37 # This is used only by the default updown script, not by your custom
38 # ones, so do not mess with it; see CAUTION comment up at top.
39 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
40 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
41 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
42 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
43 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
44 + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
45 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
46 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
47 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
49 # log IPsec host connection setup
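Review bot: The outbound rule's new target `-j MARK --set-mark 50` is non-terminating, unlike the ACCEPT it replaces, so the packet keeps traversing IPSECOUTPUT and whatever chain jumped there; the accept decision now lives in a rule matching mark 50 that is not part of this diff, and the literal 50 is repeated in the down-host, up-client and down-client hunks below. Suggest a single definition near the top of the script, `IPSEC_MARK=50   # fwmark the IPFire firewall chains use to accept IPsec traffic`, with `--set-mark $IPSEC_MARK` in every rule, plus a one-line comment here naming the chain that ACCEPTs marked packets. The IPSECINPUT/IPSECOUTPUT/IPSECFORWARD/IPSECNAT chains are also created outside this diff; if one is missing the iptables call fails and, with no error handling visible here, the script continues as though the rule had been installed. The enclosing case branch starts outside the hunk.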
51 @@ -410,10 +433,10 @@ up-host:iptables)
52 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
54 logger -t $TAG -p $FAC_PRIO \
55 - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
56 + "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
58 logger -t $TAG -p $FAC_PRIO \
59 - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
60 + "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
64 @@ -421,12 +444,12 @@ down-host:iptables)
65 # connection to me, with (left/right)firewall=yes, going down
66 # This is used only by the default updown script, not by your custom
67 # ones, so do not mess with it; see CAUTION comment up at top.
68 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
69 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
70 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
71 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
72 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
73 + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
74 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
75 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
76 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
78 # log IPsec host connection teardown
80 @@ -434,10 +457,10 @@ down-host:iptables)
81 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
83 logger -t $TAG -p $FAC_PRIO -- \
84 - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
85 + "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
87 logger -t $TAG -p $FAC_PRIO -- \
88 - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
89 + "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
93 @@ -447,24 +470,24 @@ up-client:iptables)
94 # ones, so do not mess with it; see CAUTION comment up at top.
95 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
97 - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
98 + iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
99 -s $PLUTO_MY_CLIENT $S_MY_PORT \
100 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
101 - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
102 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
103 + iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
104 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
105 - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
106 + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
109 # a virtual IP requires an INPUT and OUTPUT rule on the host
110 # or sometimes host access via the internal IP is needed
111 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
113 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
114 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
115 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
116 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
117 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
118 + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
119 -s $PLUTO_MY_CLIENT $S_MY_PORT \
120 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
121 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
124 # log IPsec client connection setup
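Review bot: In the IPSECFORWARD pair the outbound rule becomes `-j MARK --set-mark 50` while the inbound one becomes `-j RETURN`; neither terminates with an accept, so inbound tunnel traffic is handed back to the calling chain and its fate depends on rules outside this file. The asymmetry looks deliberate (outbound marked for the IPFire policy chains, inbound left to the caller's policy match) but nothing says so; a comment above the two rules, `# outbound: mark for the IPFire ipsec chains; inbound: RETURN so the calling chain decides on the policy match`, would stop the next reader from treating RETURN as a typo for ACCEPT. The same pair recurs in the down-client hunk below. The enclosing case branch starts outside the hunk.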
125 @@ -473,12 +496,51 @@ up-client:iptables)
126 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
128 logger -t $TAG -p $FAC_PRIO \
129 - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
130 + "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
132 logger -t $TAG -p $FAC_PRIO \
133 - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
134 + "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
139 + # Open Firewall for IPinIP + AH + ESP Traffic
140 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
141 + -s $PLUTO_PEER $S_PEER_PORT \
142 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
143 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
144 + -s $PLUTO_PEER $S_PEER_PORT \
145 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
146 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
147 + -s $PLUTO_PEER $S_PEER_PORT \
148 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
149 + if [ $VPN_LOGGING ]
151 + logger -t $TAG -p $FAC_PRIO \
152 + "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
155 + # Add source nat so also the gateway can access the other nets
156 + eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
157 + for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
158 + ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
159 + if [ $? -eq 0 ]; then
165 + if [ -n "${src}" ]; then
166 + iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
167 + logger -t $TAG -p $FAC_PRIO \
168 + "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
170 + logger -t $TAG -p $FAC_PRIO \
171 + "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
174 + # Flush routing cache
175 + ip route flush cache
177 down-client:iptables)
178 # connection to client subnet, with (left/right)firewall=yes, going down
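Review bot: The rule commented "IPinIP" uses `-p IP`, which does not match IP-in-IP: iptables resolves protocol names through /etc/protocols, where `ip` is protocol 0, and iptables treats protocol 0 as `all`, so this ACCEPT admits every protocol from $PLUTO_PEER to $PLUTO_ME on the interface rather than only tunnel encapsulation. IP-in-IP is protocol 4 (`ipencap`); `-p 4` with the comment `# protocol 4 = IP-in-IP (ipencap); -p IP would be protocol 0, i.e. all protocols` is what the comment describes. The three tunnel rules also carry `$S_PEER_PORT`/`$D_MY_PORT`, which are `--sport`/`--dport` options derived from the traffic selector's TCP/UDP protocol; when those are non-empty, iptables rejects them on an AH/ESP/IP-in-IP rule, so they should be dropped from these rules. `eval $(/usr/local/bin/readhash ...)` imports every key of the settings file into this shell, which can shadow names the script relies on (PLUTO_*, `src`); confining the eval to a subshell or reading only the three `*_ADDRESS` keys avoids that. The same three rules and the same eval recur in the down-client hunk below.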
179 @@ -486,28 +548,28 @@ down-client:iptables)
180 # ones, so do not mess with it; see CAUTION comment up at top.
181 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
183 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
184 + iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
185 -s $PLUTO_MY_CLIENT $S_MY_PORT \
186 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
187 - $IPSEC_POLICY_OUT -j ACCEPT
188 - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
189 + $IPSEC_POLICY_OUT -j MARK --set-mark 50
190 + iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
191 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
192 -d $PLUTO_MY_CLIENT $D_MY_PORT \
193 - $IPSEC_POLICY_IN -j ACCEPT
194 + $IPSEC_POLICY_IN -j RETURN
197 # a virtual IP requires an INPUT and OUTPUT rule on the host
198 # or sometimes host access via the internal IP is needed
199 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
201 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
202 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
203 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
204 -d $PLUTO_MY_CLIENT $D_MY_PORT \
205 $IPSEC_POLICY_IN -j ACCEPT
206 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
207 + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
208 -s $PLUTO_MY_CLIENT $S_MY_PORT \
209 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
210 - $IPSEC_POLICY_OUT -j ACCEPT
211 + $IPSEC_POLICY_OUT -j MARK --set-mark 50
214 # log IPsec client connection teardown
215 @@ -516,12 +578,51 @@ down-client:iptables)
216 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
218 logger -t $TAG -p $FAC_PRIO -- \
219 - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
220 + "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
222 logger -t $TAG -p $FAC_PRIO -- \
223 - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
224 + "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
229 + # Close Firewall for IPinIP + AH + ESP Traffic
230 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
231 + -s $PLUTO_PEER $S_PEER_PORT \
232 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
233 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
234 + -s $PLUTO_PEER $S_PEER_PORT \
235 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
236 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
237 + -s $PLUTO_PEER $S_PEER_PORT \
238 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
239 + if [ $VPN_LOGGING ]
241 + logger -t $TAG -p $FAC_PRIO \
242 + "tunnel- $PLUTO_PEER -- $PLUTO_ME"
245 + # remove source nat
246 + eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
247 + for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
248 + ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
249 + if [ $? -eq 0 ]; then
255 + if [ -n "${src}" ]; then
256 + iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
257 + logger -t $TAG -p $FAC_PRIO \
258 + "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
260 + logger -t $TAG -p $FAC_PRIO \
261 + "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
264 + # Flush routing cache
265 + ip route flush cache
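Review bot: The failure log `"Cannot remove NAT rule because no IP of the IPFire does match the subnet."` omits the subnet that its up-client counterpart appends, so the teardown message cannot be correlated with a connection when several are active; suggest `"Cannot remove NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"`. `if [ $VPN_LOGGING ]` is also an unquoted test; `[ -n "$VPN_LOGGING" ]` states the intent and survives a value containing spaces. The enclosing case branch starts outside the hunk.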
269 @@ -556,10 +657,10 @@ up-host-v6:iptables)
270 # connection to me, with (left/right)firewall=yes, coming up
271 # This is used only by the default updown script, not by your custom
272 # ones, so do not mess with it; see CAUTION comment up at top.
273 - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
274 + ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
275 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
276 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
277 - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
278 + ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
279 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
280 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
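Review bot: The IPv6 rules are moved into the IPSEC* chains but keep `-j ACCEPT` on the OUTPUT side, whereas the IPv4 hunks above switch the corresponding OUTPUT and FORWARD rules to `-j MARK --set-mark 50` / `-j RETURN`. If the IPFire ip6tables chains accept marked packets like their IPv4 counterparts this leaves IPv6 without the mark; if they do not, the asymmetry deserves a comment such as `# v6: IPFire chains do not consume the fwmark yet, so accept directly`. This applies to the six ip6tables hunks from here to the end of the diff. The enclosing case branches start outside each hunk.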
282 @@ -580,10 +681,10 @@ down-host-v6:iptables)
283 # connection to me, with (left/right)firewall=yes, going down
284 # This is used only by the default updown script, not by your custom
285 # ones, so do not mess with it; see CAUTION comment up at top.
286 - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
287 + ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
288 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
289 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
290 - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
291 + ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
292 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
293 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
295 @@ -606,10 +707,10 @@ up-client-v6:iptables)
296 # ones, so do not mess with it; see CAUTION comment up at top.
297 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
299 - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
300 + ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
301 -s $PLUTO_MY_CLIENT $S_MY_PORT \
302 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
303 - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
304 + ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
305 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
306 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
308 @@ -618,10 +719,10 @@ up-client-v6:iptables)
309 # or sometimes host access via the internal IP is needed
310 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
312 - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
313 + ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
314 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
315 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
316 - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
317 + ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
318 -s $PLUTO_MY_CLIENT $S_MY_PORT \
319 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
321 @@ -645,11 +746,11 @@ down-client-v6:iptables)
322 # ones, so do not mess with it; see CAUTION comment up at top.
323 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
325 - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
326 + ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
327 -s $PLUTO_MY_CLIENT $S_MY_PORT \
328 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
329 $IPSEC_POLICY_OUT -j ACCEPT
330 - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
331 + ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
332 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
333 -d $PLUTO_MY_CLIENT $D_MY_PORT \
334 $IPSEC_POLICY_IN -j ACCEPT
335 @@ -659,11 +760,11 @@ down-client-v6:iptables)
336 # or sometimes host access via the internal IP is needed
337 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
339 - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
340 + ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
341 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
342 -d $PLUTO_MY_CLIENT $D_MY_PORT \
343 $IPSEC_POLICY_IN -j ACCEPT
344 - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
345 + ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
346 -s $PLUTO_MY_CLIENT $S_MY_PORT \
347 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
348 $IPSEC_POLICY_OUT -j ACCEPT