[ipfire-2.x.git] / config / firewall / ipsec-policy

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2015 IPFire Team                                              #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

VPN_CONFIG="/var/ipfire/vpn/config"

eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)

VARS=(
	id status name lefthost type ctype psk local local_id leftsubnets
	remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
	x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
	route x23 mode interface_mode interface_address interface_mtu rest
)

block_subnet() {
	local subnet="${1}"
	local action="${2}"

	# Nothing to be done if no action is requested
	if [ "${action}" = "none" ]; then
		return 0
	fi

	# Don't block a wildcard subnet
	if [ "${subnet}" = "0.0.0.0/0" ] || [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
		return 0
	fi

	case "${action}" in
		reject)
			iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable
			;;
		drop)
			iptables -A IPSECBLOCK -d "${subnet}" -j DROP
			;;
		*)
			return 1
			;;
	esac

	return 0
}

install_policy() {
	# Flush existing rules
	iptables -F IPSECINPUT
	iptables -F IPSECOUTPUT
	iptables -F IPSECBLOCK

	# We are done when IPsec is not enabled
	[ "${ENABLED}" = "on" ] || exit 0

	# IKE
	iptables -A IPSECINPUT  -p udp --dport 500 -j ACCEPT
	iptables -A IPSECOUTPUT -p udp --dport 500 -j ACCEPT

	# IKE NAT
	iptables -A IPSECINPUT  -p udp --dport 4500 -j ACCEPT
	iptables -A IPSECOUTPUT -p udp --dport 4500 -j ACCEPT

	# Register local variables
	local "${VARS[@]}"
	local action

	while IFS="," read -r "${VARS[@]}"; do
		# Check if the connection is enabled
		[ "${status}" = "on" ] || continue

		# Check if this a net-to-net connection
		[ "${type}" = "net" ] || continue

		# Default local to 0.0.0.0/0
		if [ "${local}" = "" -o "${local}" = "off" ]; then
			local="0.0.0.0/0"
		fi

		# Install permissions for GRE traffic
		case "${interface_mode}" in
			gre)
				if [ -n "${remote}" ]; then
					iptables -A IPSECINPUT -p gre \
						-s "${remote}" -d "${local}" -j ACCEPT

					iptables -A IPSECOUTPUT -p gre \
						-s "${local}" -d "${remote}" -j ACCEPT
				fi
				;;
		esac

		# Install firewall rules only for interfaces without interface
		[ -n "${interface_mode}" ] && continue

		# Split multiple subnets
		rightsubnets="${rightsubnets//\|/ }"

		case "${route}" in
			route)
				action="none"
				;;
			*)
				action="reject"
				;;
		esac

		local rightsubnet
		for rightsubnet in ${rightsubnets}; do
			block_subnet "${rightsubnet}" "${action}"
		done
	done < "${VPN_CONFIG}"
}

install_policy || exit $?
Commit	Line	Data
80fbd899 MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2015 IPFire Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	VPN_CONFIG="/var/ipfire/vpn/config"
	23
6cf8bc91 MT	24	eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
6cf8bc91 MT	25
6c920b19	26	VARS=(
68263645 MT	27	id status name lefthost type ctype psk local local_id leftsubnets
68263645 MT	28	remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
c32fc72e MT	29	x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
c32fc72e MT	30	route x23 mode interface_mode interface_address interface_mtu rest
6c920b19 MT	31	)
6c920b19 MT	32
80fbd899 MT	33	block_subnet() {
80fbd899 MT	34	local subnet="${1}"
cda384a2	35	local action="${2}"
80fbd899	36
053a582d MT	37	# Nothing to be done if no action is requested
	38	if [ "${action}" = "none" ]; then
	39	return 0
	40	fi
	41
80fbd899 MT	42	# Don't block a wildcard subnet
	43	if [ "${subnet}" = "0.0.0.0/0" ] \|\| [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
	44	return 0
	45	fi
	46
cda384a2 MT	47	case "${action}" in
	48	reject)
	49	iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable
	50	;;
	51	drop)
	52	iptables -A IPSECBLOCK -d "${subnet}" -j DROP
	53	;;
	54	*)
	55	return 1
	56	;;
	57	esac
	58
	59	return 0
80fbd899 MT	60	}
80fbd899 MT	61
6c920b19	62	install_policy() {
6cf8bc91 MT	63	# Flush existing rules
	64	iptables -F IPSECINPUT
	65	iptables -F IPSECOUTPUT
80fbd899 MT	66	iptables -F IPSECBLOCK
80fbd899 MT	67
6cf8bc91 MT	68	# We are done when IPsec is not enabled
	69	[ "${ENABLED}" = "on" ] \|\| exit 0
	70
	71	# IKE
	72	iptables -A IPSECINPUT -p udp --dport 500 -j ACCEPT
	73	iptables -A IPSECOUTPUT -p udp --dport 500 -j ACCEPT
	74
	75	# IKE NAT
	76	iptables -A IPSECINPUT -p udp --dport 4500 -j ACCEPT
	77	iptables -A IPSECOUTPUT -p udp --dport 4500 -j ACCEPT
	78
cda384a2	79	# Register local variables
6c920b19 MT	80	local "${VARS[@]}"
6c920b19 MT	81	local action
cda384a2	82
6c920b19	83	while IFS="," read -r "${VARS[@]}"; do
80fbd899 MT	84	# Check if the connection is enabled
	85	[ "${status}" = "on" ] \|\| continue
	86
	87	# Check if this a net-to-net connection
	88	[ "${type}" = "net" ] \|\| continue
	89
c32fc72e MT	90	# Default local to 0.0.0.0/0
	91	if [ "${local}" = "" -o "${local}" = "off" ]; then
	92	local="0.0.0.0/0"
	93	fi
	94
b54cd874 MT	95	# Install permissions for GRE traffic
	96	case "${interface_mode}" in
	97	gre)
	98	if [ -n "${remote}" ]; then
	99	iptables -A IPSECINPUT -p gre \
c32fc72e	100	-s "${remote}" -d "${local}" -j ACCEPT
b54cd874 MT	101
b54cd874 MT	102	iptables -A IPSECOUTPUT -p gre \
c32fc72e	103	-s "${local}" -d "${remote}" -j ACCEPT
b54cd874 MT	104	fi
	105	;;
	106	esac
	107
5a9c9ff3 MT	108	# Install firewall rules only for interfaces without interface
	109	[ -n "${interface_mode}" ] && continue
	110
80fbd899 MT	111	# Split multiple subnets
	112	rightsubnets="${rightsubnets//\\|/ }"
	113
cda384a2 MT	114	case "${route}" in
cda384a2 MT	115	route)
053a582d	116	action="none"
cda384a2 MT	117	;;
	118	*)
	119	action="reject"
	120	;;
	121	esac
	122
80fbd899 MT	123	local rightsubnet
80fbd899 MT	124	for rightsubnet in ${rightsubnets}; do
cda384a2	125	block_subnet "${rightsubnet}" "${action}"
80fbd899 MT	126	done
	127	done < "${VPN_CONFIG}"
	128	}
	129
6c920b19	130	install_policy \|\| exit $?