1 #!/bin/bash
2 ###############################################################################
3 #                                                                             #
4 # IPFire.org - A linux based firewall                                         #
5 # Copyright (C) 2015 IPFire Team                                              #
6 #                                                                             #
7 # This program is free software: you can redistribute it and/or modify        #
8 # it under the terms of the GNU General Public License as published by        #
9 # the Free Software Foundation, either version 3 of the License, or           #
10 # (at your option) any later version.                                         #
11 #                                                                             #
12 # This program is distributed in the hope that it will be useful,             #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of              #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
15 # GNU General Public License for more details.                                #
16 #                                                                             #
17 # You should have received a copy of the GNU General Public License           #
18 # along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
19 #                                                                             #
20 ###############################################################################
21
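# Connection table read by install_policy(): one connection per line,
# comma-separated, with the columns named in VARS below.
VPN_CONFIG="/var/ipfire/vpn/config"

# Import the global IPsec settings (install_policy() reads ENABLED).
# readhash prints shell assignments that are eval'ed here, so whatever is
# in the settings file is trusted and executed as shell code. The
# substitution is quoted so the output is evaluated verbatim instead of
# being word-split and glob-expanded first.
eval "$(/usr/local/bin/readhash /var/ipfire/vpn/settings)"

# Column names of VPN_CONFIG in file order. Columns this script does not
# use are named x<n>; "rest" comes last so any extra trailing fields are
# collected there instead of shifting the named columns.
VARS=(
        id status name lefthost type ctype x1 x2 x3 leftsubnets
        remote righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
        x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
        route x26 mode interface_mode interface_address interface_mtu rest
)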
32
#######################################
# Append a rule to the IPSECBLOCK chain that blocks traffic destined to
# the remote subnet of a net-to-net connection.
# Arguments: $1 - destination subnet (CIDR or dotted-netmask notation)
#            $2 - "reject" (REJECT with ICMP net-unreachable) or "drop"
# Outputs:   none (iptables is invoked for its side effect)
# Returns:   0 after installing the rule or when the subnet is the
#            wildcard (nothing is installed for 0.0.0.0/0),
#            1 when the action is unknown
#######################################
block_subnet() {
        local subnet="${1}"
        local action="${2}"

        # A wildcard destination would block everything; never install it
        case "${subnet}" in
                0.0.0.0/0|0.0.0.0/0.0.0.0)
                        return 0
                        ;;
        esac

        # Translate the action into the iptables target arguments
        local -a target
        if [[ "${action}" == "reject" ]]; then
                target=(-j REJECT --reject-with icmp-net-unreachable)
        elif [[ "${action}" == "drop" ]]; then
                target=(-j DROP)
        else
                return 1
        fi

        # The subnet is passed as its own argv word, never through a shell
        iptables -A IPSECBLOCK -d "${subnet}" "${target[@]}"

        return 0
}
56
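#######################################
# Rebuild the IPSECINPUT, IPSECOUTPUT and IPSECBLOCK chains from the
# global IPsec settings and the connection table.
# Globals:   ENABLED (read), VARS (read), VPN_CONFIG (read)
# Outputs:   none; iptables is invoked for its side effects
# Returns:   0 on success; exits the whole script with 0 when IPsec is
#            not enabled (the chains are left flushed in that case)
#######################################
install_policy() {
        # Flush existing rules
        iptables -F IPSECINPUT
        iptables -F IPSECOUTPUT
        iptables -F IPSECBLOCK

        # We are done when IPsec is not enabled
        [ "${ENABLED}" = "on" ] || exit 0

        # IKE
        iptables -A IPSECINPUT  -p udp --dport 500 -j ACCEPT
        iptables -A IPSECOUTPUT -p udp --dport 500 -j ACCEPT

        # IKE NAT traversal
        iptables -A IPSECINPUT  -p udp --dport 4500 -j ACCEPT
        iptables -A IPSECOUTPUT -p udp --dport 4500 -j ACCEPT

        # Register local variables (one per column of VPN_CONFIG)
        local "${VARS[@]}"
        local action rightsubnet

        # One connection per line. The "|| [ -n ... ]" also processes a
        # last line without a trailing newline: read returns non-zero for
        # it after filling the variables, and skipping it would leave that
        # connection without its block rules.
        while IFS="," read -r "${VARS[@]}" || [ -n "${id}" ]; do
                # Check if the connection is enabled
                [ "${status}" = "on" ] || continue

                # Check if this is a net-to-net connection
                [ "${type}" = "net" ] || continue

                # Install permissions for GRE traffic to/from the peer
                case "${interface_mode}" in
                        gre)
                                if [ -n "${remote}" ]; then
                                        iptables -A IPSECINPUT -p gre \
                                                -s "${remote}" -j ACCEPT

                                        iptables -A IPSECOUTPUT -p gre \
                                                -d "${remote}" -j ACCEPT
                                fi
                                ;;
                esac

                # Block rules are only installed for connections without
                # an interface; connections with an interface get none
                [ -n "${interface_mode}" ] && continue

                # Split multiple subnets ("|"-separated in the file)
                rightsubnets="${rightsubnets//\|/ }"

                # Routed connections drop silently, everything else rejects
                case "${route}" in
                        route)
                                action="drop"
                                ;;
                        *)
                                action="reject"
                                ;;
                esac

                # Intentionally unquoted: split on the spaces inserted above
                for rightsubnet in ${rightsubnets}; do
                        block_subnet "${rightsubnet}" "${action}"
                done
        done < "${VPN_CONFIG}"
}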
119
# Entry point: propagate install_policy's exit status as the script's own
install_policy || exit