#!/bin/bash
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2015 IPFire Team #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
# Connection table: one comma-separated line per IPsec connection.
VPN_CONFIG="/var/ipfire/vpn/config"

# Import the IPsec settings as shell variables (ENABLED is read by
# install_policy below). Whatever readhash prints is executed by eval, so
# the settings file has to be as trusted as this script itself - it must
# never be writable by anything other than the component that maintains it.
eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)

# Column names of one line of ${VPN_CONFIG}, in file order; read -r below
# assigns one column per name. Columns this script does not use are named
# x<n>, and 'rest' absorbs anything beyond the last named column.
VARS=(
  id status name lefthost type ctype x1 x2 x3 leftsubnets
  x4 righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
  x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
  route x26 x27 x28 x29 x30 x31 x32 x33 x34 x35
  interface_mode interface_address interface_mtu rest
)
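#######################################
# Appends a rule to the IPSECBLOCK chain that blocks traffic towards one
# remote IPsec subnet, so packets for a tunnel that is down do not leave
# the firewall unencrypted.
# Arguments: $1 - destination subnet ("0.0.0.0/0" and "0.0.0.0/0.0.0.0"
#                 are wildcards and are never blocked)
#            $2 - action: "reject" (ICMP net-unreachable) or "drop"
# Outputs:   diagnostics on stderr for an empty subnet or unknown action
# Returns:   0 for a wildcard subnet, 1 for an empty subnet or an unknown
#            action, otherwise the exit status of iptables
#######################################
block_subnet() {
  local subnet="${1}"
  local action="${2}"

  # An empty value would be handed to iptables as an empty destination;
  # treat it as a caller error instead of relying on iptables to notice.
  if [ -z "${subnet}" ]; then
    printf 'block_subnet: empty subnet\n' >&2
    return 1
  fi

  # Don't block a wildcard subnet - that would cut off all traffic
  case "${subnet}" in
    0.0.0.0/0|0.0.0.0/0.0.0.0)
      return 0
      ;;
  esac

  # The status of the case statement (= of iptables) becomes the return
  # value, so a rule that could not be installed - i.e. a subnet that is
  # NOT blocked - is no longer reported as success.
  case "${action}" in
    reject)
      iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable
      ;;
    drop)
      iptables -A IPSECBLOCK -d "${subnet}" -j DROP
      ;;
    *)
      printf 'block_subnet: unknown action "%s"\n' "${action}" >&2
      return 1
      ;;
  esac
}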
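#######################################
# Rebuilds the IPSECINPUT, IPSECOUTPUT and IPSECBLOCK chains from the IPsec
# configuration: allows IKE (UDP 500) and IKE NAT traversal (UDP 4500) and,
# for every enabled net-to-net connection, blocks its remote subnets via
# block_subnet so traffic never leaves unencrypted while the tunnel is
# down ("route" connections drop, all others reject).
# Globals:   ENABLED (read), VARS (read), VPN_CONFIG (read)
# Returns:   0, also when IPsec is disabled (the chains are then left
#            empty); the top-level caller turns this into the exit status
#######################################
install_policy() {
  # Start from empty chains so no stale rule survives a reload
  iptables -F IPSECINPUT
  iptables -F IPSECOUTPUT
  iptables -F IPSECBLOCK

  # Nothing to install when IPsec is not enabled
  [ "${ENABLED}" = "on" ] || return 0

  # IKE
  iptables -A IPSECINPUT -p udp --dport 500 -j ACCEPT
  iptables -A IPSECOUTPUT -p udp --dport 500 -j ACCEPT

  # IKE NAT traversal
  iptables -A IPSECINPUT -p udp --dport 4500 -j ACCEPT
  iptables -A IPSECOUTPUT -p udp --dport 4500 -j ACCEPT

  # One local per configuration column, plus the loop's scratch variables
  local "${VARS[@]}"
  local action rightsubnet
  local -a subnets

  while IFS="," read -r "${VARS[@]}"; do
    # Skip connections that are switched off
    [ "${status}" = "on" ] || continue

    # Only net-to-net connections have remote subnets to block
    [ "${type}" = "net" ] || continue

    # "route" connections silently drop traffic for the remote side,
    # everything else answers with ICMP net-unreachable
    case "${route}" in
      route)
        action="drop"
        ;;
      *)
        action="reject"
        ;;
    esac

    # Multiple remote subnets are '|'-separated. Split with read -a rather
    # than unquoted word-splitting so no pathname expansion is applied to
    # values coming from the configuration file; whitespace is accepted as
    # a separator as well, and empty fields are skipped.
    IFS=$'| \t' read -r -a subnets <<< "${rightsubnets}"
    for rightsubnet in "${subnets[@]}"; do
      [ -n "${rightsubnet}" ] || continue
      block_subnet "${rightsubnet}" "${action}"
    done
  done < "${VPN_CONFIG}"
}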
# Entry point: install the policy and make its status the script's exit code.
rv=0
install_policy || rv=$?
exit "${rv}"