From a3452c90307aa6fd2b8543c17c15638c2ffda15e Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 24 Apr 2018 10:47:16 +0100 Subject: [PATCH] ipsec: Open ports in outgoing direction When the firewall policy is blocked, no outgoing IPsec connections can be established. That is slightly counter-intuitive since we open ports in the incoming direction automatically. Fixes: #11704 Reported-by: Oliver Fuhrer Signed-off-by: Michael Tremer --- src/misc-progs/ipsecctrl.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c index 204753640a..9afc409ca9 100644 --- a/src/misc-progs/ipsecctrl.c +++ b/src/misc-progs/ipsecctrl.c @@ -63,6 +63,10 @@ void open_physical (char *interface, int nat_traversal_port) { safe_system(str); sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface); safe_system(str); + sprintf(str, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface); + safe_system(str); + sprintf(str, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT", interface); + safe_system(str); if (! nat_traversal_port) return; @@ -71,6 +75,10 @@ void open_physical (char *interface, int nat_traversal_port) { safe_system(str); sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port); safe_system(str); + sprintf(str, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port); + safe_system(str); + sprintf(str, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT", interface, nat_traversal_port); + safe_system(str); } void ipsec_norules() { -- 2.39.5