--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2015 IPFire Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+VPN_CONFIG="/var/ipfire/vpn/config"
+
+block_subnet() {
+ local subnet="${1}"
+
+ # Don't block a wildcard subnet
+ if [ "${subnet}" = "0.0.0.0/0" ] || [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
+ return 0
+ fi
+
+ iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable
+}
+
+block_ipsec() {
+ # Flush all exists rules
+ iptables -F IPSECBLOCK
+
+ local id status name lefthost type ctype unknown1 unknown2 unknown3
+ local leftsubnets unknown4 righthost rightsubnets rest
+ while IFS="," read -r id status name lefthost type ctype unkown1 unknown2 unknown3 \
+ leftsubnets unknown4 righthost rightsubnets rest; do
+ # Check if the connection is enabled
+ [ "${status}" = "on" ] || continue
+
+ # Check if this a net-to-net connection
+ [ "${type}" = "net" ] || continue
+
+ # Split multiple subnets
+ rightsubnets="${rightsubnets//\|/ }"
+
+ local rightsubnet
+ for rightsubnet in ${rightsubnets}; do
+ block_subnet "${rightsubnet}"
+ done
+ done < "${VPN_CONFIG}"
+}
+
+block_ipsec || exit $?
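Review bot: The `read` in `block_ipsec` assigns the seventh field to the misspelled `unkown1`, so the `unknown1` declared `local` on the line above is never set and `unkown1` leaks into the caller's scope; rename it `unknown1`. Failures of the iptables calls are also not propagated: the function's status is that of the `while` loop, which reflects at most the last command of the last iteration, so a failed `iptables -F IPSECBLOCK` or a `-d` argument iptables rejects is silently skipped while `block_ipsec || exit $?` still succeeds — change the two calls to `iptables -F IPSECBLOCK || return $?` and `block_subnet "${rightsubnet}" || return $?`. The unquoted `${rightsubnets}` in the `for` is deliberate word-splitting, but it also globs, so a stray `*` in a config field would expand against the current directory; `set -f` near the top of the script keeps the split without the glob.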
iptables -A INPUT -j GUARDIAN
iptables -A FORWARD -j GUARDIAN
+ # Block non-established IPsec networks
+ iptables -N IPSECBLOCK
+ iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
+ iptables -A OUTPUT -m policy --dir out --pol none -j IPSECBLOCK
+
# Block OpenVPN transfer networks
iptables -N OVPNBLOCK
iptables -A INPUT -i tun+ -j OVPNBLOCK
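Review bot: The comment `# Block non-established IPsec networks` on the first added line leaves the reader to work out from `-m policy --dir out --pol none` that the chain only sees packets leaving without any IPsec policy, i.e. traffic toward a peer's subnets that would otherwise go out in the clear while the tunnel is down. Suggest `# Reject traffic to IPsec net-to-net peer subnets that matched no IPsec policy (would leave unencrypted); chain is populated by /usr/lib/firewall/ipsec-block`. The chain is hooked into FORWARD and OUTPUT here but only filled by the later ipsec-block call, which is harmless as an empty chain; it just means the call order must hold on every reload. The surrounding rules script continues outside the hunk.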
iptables -t nat -N REDNAT
iptables -t nat -A POSTROUTING -j REDNAT
+ # Populate IPsec block chain
+ /usr/lib/firewall/ipsec-block
+
# Apply OpenVPN firewall rules
/usr/local/bin/openvpnctrl --firewall-rules
"/usr/sbin/ipsec down %s >/dev/null", name);
safe_system(command);
+ // Reload the IPsec block chain
+ safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
+
// Reload the configuration into the daemon (#10339).
ipsec_reload();
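Review bot: The literal `"/usr/lib/firewall/ipsec-block >/dev/null"` is now repeated verbatim here and in the start path (the line added just before `ipsec restart` in the next hunk), and the same path also appears in the firewall rules script; a small `static void ipsec_reload_block(void)` wrapper placed next to `ipsec_reload()` would keep the call sites consistent and give one place to react if the script fails. Whatever `safe_system` returns is discarded at both sites, so a failure to repopulate the chain goes unnoticed; whether that is acceptable depends on safe_system's semantics, which are outside the hunk. The enclosing functions of both hunks start and end outside the visible lines.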
// start the system
if ((argc == 2) && strcmp(argv[1], "S") == 0) {
+ safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
safe_system("/usr/sbin/ipsec restart >/dev/null");
exit(0);
}