VPN_CONFIG="/var/ipfire/vpn/config"
+eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
+
VARS=(
id status name lefthost type ctype x1 x2 x3 leftsubnets
- x4 righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
+ remote righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
- route rest
+ route x26 mode interface_mode interface_address interface_mtu rest
)
block_subnet() {
}
install_policy() {
- # Flush all exists rules
+ # Flush existing rules
+ iptables -F IPSECINPUT
+ iptables -F IPSECOUTPUT
iptables -F IPSECBLOCK
+ # We are done when IPsec is not enabled
+ [ "${ENABLED}" = "on" ] || exit 0
+
+ # IKE
+ iptables -A IPSECINPUT -p udp --dport 500 -j ACCEPT
+ iptables -A IPSECOUTPUT -p udp --dport 500 -j ACCEPT
+
+ # IKE NAT
+ iptables -A IPSECINPUT -p udp --dport 4500 -j ACCEPT
+ iptables -A IPSECOUTPUT -p udp --dport 4500 -j ACCEPT
+
# Register local variables
local "${VARS[@]}"
local action
# Check if this a net-to-net connection
[ "${type}" = "net" ] || continue
+ # Install permissions for GRE traffic
+ case "${interface_mode}" in
+ gre)
+ if [ -n "${remote}" ]; then
+ iptables -A IPSECINPUT -p gre \
+ -s "${remote}" -j ACCEPT
+
+ iptables -A IPSECOUTPUT -p gre \
+ -d "${remote}" -j ACCEPT
+ fi
+ ;;
+ esac
+
+ # Install firewall rules only for interfaces without interface
+ [ -n "${interface_mode}" ] && continue
+
# Split multiple subnets
rightsubnets="${rightsubnets//\|/ }"