[people/pmueller/ipfire-2.x.git] / config / firewall / ipsec-policy

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2015 IPFire Team                                              #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

VPN_CONFIG="/var/ipfire/vpn/config"

VARS=(
	id status name lefthost type ctype x1 x2 x3 leftsubnets
	x4 righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
	x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
	route rest
)

block_subnet() {
	local subnet="${1}"
	local action="${2}"

	# Don't block a wildcard subnet
	if [ "${subnet}" = "0.0.0.0/0" ] || [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
		return 0
	fi

	case "${action}" in
		reject)
			iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable
			;;
		drop)
			iptables -A IPSECBLOCK -d "${subnet}" -j DROP
			;;
		*)
			return 1
			;;
	esac

	return 0
}

install_policy() {
	# Flush all exists rules
	iptables -F IPSECBLOCK

	# Register local variables
	local "${VARS[@]}"
	local action

	while IFS="," read -r "${VARS[@]}"; do
		# Check if the connection is enabled
		[ "${status}" = "on" ] || continue

		# Check if this a net-to-net connection
		[ "${type}" = "net" ] || continue

		# Split multiple subnets
		rightsubnets="${rightsubnets//\|/ }"

		case "${route}" in
			route)
				action="drop"
				;;
			*)
				action="reject"
				;;
		esac

		local rightsubnet
		for rightsubnet in ${rightsubnets}; do
			block_subnet "${rightsubnet}" "${action}"
		done
	done < "${VPN_CONFIG}"
}

install_policy || exit $?
Commit	Line	Data
80fbd899 MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2015 IPFire Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	VPN_CONFIG="/var/ipfire/vpn/config"
	23
6c920b19 MT	24	VARS=(
	25	id status name lefthost type ctype x1 x2 x3 leftsubnets
	26	x4 righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
	27	x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
	28	route rest
	29	)
	30
80fbd899 MT	31	block_subnet() {
80fbd899 MT	32	local subnet="${1}"
cda384a2	33	local action="${2}"
80fbd899 MT	34
	35	# Don't block a wildcard subnet
	36	if [ "${subnet}" = "0.0.0.0/0" ] \|\| [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
	37	return 0
	38	fi
	39
cda384a2 MT	40	case "${action}" in
	41	reject)
	42	iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable
	43	;;
	44	drop)
	45	iptables -A IPSECBLOCK -d "${subnet}" -j DROP
	46	;;
	47	*)
	48	return 1
	49	;;
	50	esac
	51
	52	return 0
80fbd899 MT	53	}
80fbd899 MT	54
6c920b19	55	install_policy() {
80fbd899 MT	56	# Flush all exists rules
	57	iptables -F IPSECBLOCK
	58
cda384a2	59	# Register local variables
6c920b19 MT	60	local "${VARS[@]}"
6c920b19 MT	61	local action
cda384a2	62
6c920b19	63	while IFS="," read -r "${VARS[@]}"; do
80fbd899 MT	64	# Check if the connection is enabled
	65	[ "${status}" = "on" ] \|\| continue
	66
	67	# Check if this a net-to-net connection
	68	[ "${type}" = "net" ] \|\| continue
	69
	70	# Split multiple subnets
	71	rightsubnets="${rightsubnets//\\|/ }"
	72
cda384a2 MT	73	case "${route}" in
	74	route)
	75	action="drop"
	76	;;
	77	*)
	78	action="reject"
	79	;;
	80	esac
	81
80fbd899 MT	82	local rightsubnet
80fbd899 MT	83	for rightsubnet in ${rightsubnets}; do
cda384a2	84	block_subnet "${rightsubnet}" "${action}"
80fbd899 MT	85	done
	86	done < "${VPN_CONFIG}"
	87	}
	88
6c920b19	89	install_policy \|\| exit $?