2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2015 IPFire Team #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
# Path of the IPsec connection table; read line by line further down.
VPN_CONFIG='/var/ipfire/vpn/config'
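# Import the global IPsec settings as shell variables (ENABLED, which is
# checked further down, is expected to come from here).
# readhash prints the settings file as shell assignments — presumably
# KEY='value' lines; confirm against readhash.
# The substitution is quoted so the file content is not word-split or
# pathname-expanded before eval sees it (ShellCheck SC2046); with the
# quotes each assignment stays on its own line.
eval "$(/usr/local/bin/readhash /var/ipfire/vpn/settings)"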
27 id status name lefthost
type ctype x1 x2 x3 leftsubnets
28 x4 righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
29 x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
30 route x26 x27 x28 x29 x30 x31 x32 x33 x34 x35
31 interface_mode interface_address interface_mtu rest
38 # Don't block a wildcard subnet
39 if [ "${subnet}" = "0.0.0.0/0" ] ||
[ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
# REJECT sends an ICMP "net unreachable" back, so the sender gets an
# immediate error for the blocked subnet instead of waiting for a timeout.
iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable
# DROP discards packets to the blocked subnet silently; the sender only
# ever sees a timeout.
iptables -A IPSECBLOCK -d "${subnet}" -j DROP
# Flush existing rules so the policy is rebuilt from scratch rather than
# appended to whatever a previous run installed. All three chains must
# already exist (iptables -F fails on a missing chain) — presumably they
# are created by the main firewall setup; confirm.
iptables -F IPSECINPUT
iptables -F IPSECOUTPUT
iptables -F IPSECBLOCK
# We are done when IPsec is not enabled. Note this is 'exit', not
# 'return': the whole script stops here, and the chains stay empty after
# the flush above. ENABLED is expected to come from the settings imported
# via readhash at the top of the file.
[ "${ENABLED}" = "on" ] || exit 0
# Allow IKE (UDP 500) in both directions.
# These rules match on destination port only, with no source or interface
# restriction; presumably IPSECINPUT/IPSECOUTPUT are only jumped to from
# the appropriate places in the main ruleset — confirm.
iptables -A IPSECINPUT -p udp --dport 500 -j ACCEPT
iptables -A IPSECOUTPUT -p udp --dport 500 -j ACCEPT

# Allow NAT traversal (IKE/ESP encapsulated in UDP 4500) in both directions.
iptables -A IPSECINPUT -p udp --dport 4500 -j ACCEPT
iptables -A IPSECOUTPUT -p udp --dport 4500 -j ACCEPT
75 # Register local variables
79 while IFS
="," read -r "${VARS[@]}"; do
# Skip connections that are switched off in the config
# (status and type are filled by the read in the loop header).
[ "${status}" = "on" ] || continue

# Only net-to-net connections are handled here; every other type is skipped
[ "${type}" = "net" ] || continue
# The config stores multiple remote subnets separated by '|'; turn the
# separators into spaces so the deliberately unquoted for loop below can
# word-split the value into one subnet per iteration.
# NOTE(review): the unquoted expansion also performs pathname expansion;
# this relies on the value holding only plain subnet strings as written by
# the configuration frontend — presumably the case, confirm.
rightsubnets="${rightsubnets//\|/ }"
99 for rightsubnet
in ${rightsubnets}; do
100 block_subnet
"${rightsubnet}" "${action}"
102 done < "${VPN_CONFIG}"
# Entry point: install the policy and, if it fails, end the script with
# the same non-zero status instead of masking it.
install_policy || exit "$?"