ipsec-*: Name some more configuration variables
[ipfire-2.x.git] / config / firewall / ipsec-policy
CommitLineData
80fbd899
MT
1#!/bin/bash
2###############################################################################
3# #
4# IPFire.org - A linux based firewall #
5# Copyright (C) 2015 IPFire Team #
6# #
7# This program is free software: you can redistribute it and/or modify #
8# it under the terms of the GNU General Public License as published by #
9# the Free Software Foundation, either version 3 of the License, or #
10# (at your option) any later version. #
11# #
12# This program is distributed in the hope that it will be useful, #
13# but WITHOUT ANY WARRANTY; without even the implied warranty of #
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15# GNU General Public License for more details. #
16# #
17# You should have received a copy of the GNU General Public License #
18# along with this program. If not, see <http://www.gnu.org/licenses/>. #
19# #
20###############################################################################
21
22VPN_CONFIG="/var/ipfire/vpn/config"
23
6cf8bc91
MT
24eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
25
6c920b19 26VARS=(
68263645
MT
27 id status name lefthost type ctype psk local local_id leftsubnets
28 remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
c32fc72e
MT
29 x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
30 route x23 mode interface_mode interface_address interface_mtu rest
6c920b19
MT
31)
32
80fbd899
MT
33block_subnet() {
34 local subnet="${1}"
cda384a2 35 local action="${2}"
80fbd899
MT
36
37 # Don't block a wildcard subnet
38 if [ "${subnet}" = "0.0.0.0/0" ] || [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
39 return 0
40 fi
41
cda384a2
MT
42 case "${action}" in
43 reject)
44 iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable
45 ;;
46 drop)
47 iptables -A IPSECBLOCK -d "${subnet}" -j DROP
48 ;;
49 *)
50 return 1
51 ;;
52 esac
53
54 return 0
80fbd899
MT
55}
56
6c920b19 57install_policy() {
6cf8bc91
MT
58 # Flush existing rules
59 iptables -F IPSECINPUT
60 iptables -F IPSECOUTPUT
80fbd899
MT
61 iptables -F IPSECBLOCK
62
6cf8bc91
MT
63 # We are done when IPsec is not enabled
64 [ "${ENABLED}" = "on" ] || exit 0
65
66 # IKE
67 iptables -A IPSECINPUT -p udp --dport 500 -j ACCEPT
68 iptables -A IPSECOUTPUT -p udp --dport 500 -j ACCEPT
69
70 # IKE NAT
71 iptables -A IPSECINPUT -p udp --dport 4500 -j ACCEPT
72 iptables -A IPSECOUTPUT -p udp --dport 4500 -j ACCEPT
73
cda384a2 74 # Register local variables
6c920b19
MT
75 local "${VARS[@]}"
76 local action
cda384a2 77
6c920b19 78 while IFS="," read -r "${VARS[@]}"; do
80fbd899
MT
79 # Check if the connection is enabled
80 [ "${status}" = "on" ] || continue
81
82 # Check if this a net-to-net connection
83 [ "${type}" = "net" ] || continue
84
c32fc72e
MT
85 # Default local to 0.0.0.0/0
86 if [ "${local}" = "" -o "${local}" = "off" ]; then
87 local="0.0.0.0/0"
88 fi
89
b54cd874
MT
90 # Install permissions for GRE traffic
91 case "${interface_mode}" in
92 gre)
93 if [ -n "${remote}" ]; then
94 iptables -A IPSECINPUT -p gre \
c32fc72e 95 -s "${remote}" -d "${local}" -j ACCEPT
b54cd874
MT
96
97 iptables -A IPSECOUTPUT -p gre \
c32fc72e 98 -s "${local}" -d "${remote}" -j ACCEPT
b54cd874
MT
99 fi
100 ;;
101 esac
102
5a9c9ff3
MT
103 # Install firewall rules only for interfaces without interface
104 [ -n "${interface_mode}" ] && continue
105
80fbd899
MT
106 # Split multiple subnets
107 rightsubnets="${rightsubnets//\|/ }"
108
cda384a2
MT
109 case "${route}" in
110 route)
111 action="drop"
112 ;;
113 *)
114 action="reject"
115 ;;
116 esac
117
80fbd899
MT
118 local rightsubnet
119 for rightsubnet in ${rightsubnets}; do
cda384a2 120 block_subnet "${rightsubnet}" "${action}"
80fbd899
MT
121 done
122 done < "${VPN_CONFIG}"
123}
124
6c920b19 125install_policy || exit $?