From: Michael Tremer
Date: Tue, 24 Apr 2018 09:47:16 +0000 (+0100)
Subject: ipsec: Open ports in outgoing direction
X-Git-Tag: v2.21-core122~186
X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=commitdiff_plain;h=a3452c90307aa6fd2b8543c17c15638c2ffda15e

ipsec: Open ports in outgoing direction

When the firewall policy is blocked, no outgoing IPsec connections can be established. That is slightly counter-intuitive since we open ports in the incoming direction automatically.

Fixes: #11704
Reported-by: Oliver Fuhrer
Signed-off-by: Michael Tremer
---
diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
index 204753640a..9afc409ca9 100644
--- a/src/misc-progs/ipsecctrl.c
+++ b/src/misc-progs/ipsecctrl.c
@@ -63,6 +63,10 @@ void open_physical (char *interface, int nat_traversal_port) {
 	safe_system(str);
 	sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface);
 	safe_system(str);
+	sprintf(str, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
+	safe_system(str);
+	sprintf(str, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT", interface);
+	safe_system(str);
 
 	if (! nat_traversal_port)
 		return;
@@ -71,6 +75,10 @@ void open_physical (char *interface, int nat_traversal_port) {
 	safe_system(str);
 	sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
 	safe_system(str);
+	sprintf(str, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
+	safe_system(str);
+	sprintf(str, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT", interface, nat_traversal_port);
+	safe_system(str);
 }
 
 void ipsec_norules() {
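Review bot: The four added sprintf() calls write into `str` with no bound, and their format strings are the longest in open_physical (the `-D IPSECOUTPUT ... >/dev/null 2>&1` line in particular), so they are the first to overflow if `interface` is longer than the buffer was sized for; the four added lines of the second hunk have the same shape. The declaration of `str` and the opening of open_physical lie outside the hunk, so its size is not visible here, but if it is an array the calls should become `snprintf(str, sizeof str, "...", interface);` with the return value checked before `safe_system(str)`, because a silently truncated command would be executed as a different rule. The pre-existing IPSECINPUT lines carry the same pattern, so the bound is best applied to the whole function rather than only to the new lines.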
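Review bot: The `-D IPSECOUTPUT ... >/dev/null 2>&1` call placed before each `-A` removes at most one matching rule and discards every iptables diagnostic, so a missing IPSECOUTPUT chain or a malformed command would only surface on the following `-A` call, whose outcome handling inside safe_system is not visible from here. A short comment above the first `-D` line would make the intent of the delete/append pair explicit for the next reader, e.g. `/* remove a stale copy of the rule first; presumably keeps repeated calls from stacking duplicates, so an error here is expected */`. The interface name is interpolated into a shell command line, as the existing IPSECINPUT lines already do; this note assumes, and the reader should confirm, that callers validate `interface` before open_physical is reached. open_physical's opening line is outside this hunk.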