###############################################################################
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2015 IPFire Team                                              #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
###############################################################################
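# Path of the IPsec connection table. install_policy reads it one
# comma-separated record per connection, into the field names held in VARS.
VPN_CONFIG="/var/ipfire/vpn/config"

# Import the global IPsec settings into this shell (ENABLED, which
# install_policy checks, is one of them).
#
# readhash turns the settings file into shell assignments and eval executes
# that output, so the file's content literally becomes shell code here: it
# must never be writable by anyone but root. NOTE(review): whether readhash
# quotes/sanitises values is not visible from this file — confirm before
# relying on it for anything less trusted than the local settings file.
#
# The substitution is quoted so readhash's output reaches eval as written,
# rather than being word-split and pathname-expanded first (ShellCheck SC2046).
eval "$(/usr/local/bin/readhash /var/ipfire/vpn/settings)"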
27 id status name lefthost
type ctype psk
local x1 leftsubnets
28 x2 remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
29 x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
30 route x23 mode interface_mode interface_address interface_mtu rest
# Don't block a wildcard subnet: a 0.0.0.0/0 entry would install a catch-all
# REJECT/DROP into IPSECBLOCK and cut off all traffic, not just one tunnel's.
38 if [ "${subnet}" = "0.0.0.0/0" ] ||
[ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
44 iptables
-A IPSECBLOCK
-d "${subnet}" -j REJECT
--reject-with icmp-net-unreachable
47 iptables
-A IPSECBLOCK
-d "${subnet}" -j DROP
# Flush existing rules so a re-run never leaves stale accept or block entries behind
59 iptables
-F IPSECINPUT
60 iptables
-F IPSECOUTPUT
61 iptables
-F IPSECBLOCK
# We are done when IPsec is not enabled: the chains were just flushed, so no
# IKE/NAT-T, GRE or block rules remain. Note this exits the whole script, not
# just the function.
64 [ "${ENABLED}" = "on" ] ||
exit 0
67 iptables
-A IPSECINPUT
-p udp
--dport 500 -j ACCEPT
68 iptables
-A IPSECOUTPUT
-p udp
--dport 500 -j ACCEPT
71 iptables
-A IPSECINPUT
-p udp
--dport 4500 -j ACCEPT
72 iptables
-A IPSECOUTPUT
-p udp
--dport 4500 -j ACCEPT
74 # Register local variables
78 while IFS
="," read -r "${VARS[@]}"; do
79 # Check if the connection is enabled
80 [ "${status}" = "on" ] ||
continue
# Check if this is a net-to-net connection; host connections get no rules here
83 [ "${type}" = "net" ] ||
continue
85 # Default local to 0.0.0.0/0
86 if [ "${local}" = "" -o "${local}" = "off" ]; then
# Allow GRE only between the configured endpoints (source and destination are
# both pinned) and only when a remote peer address is set; without a remote
# address no GRE rule is installed at all.
91 case "${interface_mode}" in
93 if [ -n "${remote}" ]; then
94 iptables
-A IPSECINPUT
-p gre \
95 -s "${remote}" -d "${local}" -j ACCEPT
97 iptables
-A IPSECOUTPUT
-p gre \
98 -s "${local}" -d "${remote}" -j ACCEPT
# IPSECBLOCK rules are only needed for policy-based connections; connections
# that have an interface mode (such as the GRE case handled above) are skipped.
104 [ -n "${interface_mode}" ] && continue
# Split multiple subnets: the config stores them '|'-separated, so turn that
# into a space-separated list for the word-splitting loop below. The unquoted
# expansion there also applies pathname expansion to each entry, so a
# stray glob character in the config would match files in the working
# directory; `set -f` around the loop would rule that out.
107 rightsubnets
="${rightsubnets//\|/ }"
119 for rightsubnet
in ${rightsubnets}; do
120 block_subnet
"${rightsubnet}" "${action}"
122 done < "${VPN_CONFIG}"
# Entry point: build the IPsec policy and hand its exit status back to the
# caller, so a failing iptables call inside install_policy is not hidden.
install_policy
rc=$?
[ "${rc}" -eq 0 ] || exit "${rc}"