From 6cf8bc9161c21dd7c274d09473ab46e3094204ac Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Thu, 29 Nov 2018 15:43:39 +0000
Subject: [PATCH] IPsec: Move opening ports from ipsecctrl into ipsec-policy script
Signed-off-by: Michael Tremer
---
 config/firewall/ipsec-policy | 17 ++++-
 src/misc-progs/ipsecctrl.c | 118 ++---------------------------------
 2 files changed, 20 insertions(+), 115 deletions(-)
diff --git a/config/firewall/ipsec-policy b/config/firewall/ipsec-policy
index 4544a447d0..011e6e1f74 100644
--- a/config/firewall/ipsec-policy
+++ b/config/firewall/ipsec-policy
@@ -21,6 +21,8 @@ VPN_CONFIG="/var/ipfire/vpn/config"
+eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
+
 VARS=(
 id status name lefthost type ctype x1 x2 x3 leftsubnets x4 righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
@@ -53,9 +55,22 @@ block_subnet() {
 }
 install_policy() {
- # Flush all exists rules
+ # Flush existing rules
+ iptables -F IPSECINPUT
+ iptables -F IPSECOUTPUT
 iptables -F IPSECBLOCK
+ # We are done when IPsec is not enabled
+ [ "${ENABLED}" = "on" ] || exit 0
+
+ # IKE
+ iptables -A IPSECINPUT -p udp --dport 500 -j ACCEPT
+ iptables -A IPSECOUTPUT -p udp --dport 500 -j ACCEPT
+
+ # IKE NAT
+ iptables -A IPSECINPUT -p udp --dport 4500 -j ACCEPT
+ iptables -A IPSECOUTPUT -p udp --dport 4500 -j ACCEPT
+
 # Register local variables
 local "${VARS[@]}"
 local action
diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
index 53c87673af..278bacd0b7 100644
--- a/src/misc-progs/ipsecctrl.c
+++ b/src/misc-progs/ipsecctrl.c
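Review bot: `eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)` turns the contents of the settings file into executed shell, so the script now relies on readhash emitting nothing but sanitised KEY=value assignments, and that expectation is not stated anywhere in the hunk. If the file is absent or readhash prints nothing, `ENABLED` stays empty and install_policy returns right after its flushes, leaving no IKE ACCEPT rules behind. A one-line comment above the eval would make both facts visible: `# ENABLED comes from the VPN settings; readhash must only emit sanitised KEY=value pairs`.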
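Review bot: The new `iptables -A IPSECINPUT -p udp --dport 500 -j ACCEPT` and `--dport 4500` rules carry no `-i`/`-o` match, whereas the `open_physical` they replace (deleted in the ipsecctrl.c hunk at -52) bound each rule to a validated RED/GREEN/ORANGE/BLUE device, so IKE and NAT-T are now accepted on every interface whose traffic reaches IPSECINPUT/IPSECOUTPUT. If that widening is intended, say so in the `# IKE` comment; otherwise the per-interface scoping should come back. The flush block at the top of install_policy covers IPSECINPUT, IPSECOUTPUT and IPSECBLOCK but not IPSECFORWARD, which the removed `ipsec_norules()` did flush and which the `D` path (hunk at -219 of ipsecctrl.c) now delegates to this script; unless the script flushes that chain elsewhere, add `iptables -F IPSECFORWARD` next to the other flushes. The C code also passed `--wait` to iptables and the script does not, consistent with the surrounding `iptables -F IPSECBLOCK`, but it means xtables lock contention now surfaces as a failed rule insertion instead of a wait.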
@@ -52,42 +52,6 @@ static void ipsec_reload() {
 safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
 }
-/*
- ACCEPT the ipsec protocol ah, esp & udp (for nat traversal) on the specified interface
-*/
-void open_physical (char *interface, int nat_traversal_port) {
- char str[STRING_SIZE];
-
- // IKE
- sprintf(str, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT", interface);
- safe_system(str);
-
- if (! nat_traversal_port)
- return;
-
- sprintf(str, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT", interface, nat_traversal_port);
- safe_system(str);
-}
-
-void ipsec_norules() {
- /* clear input rules */
- safe_system("/sbin/iptables --wait -F IPSECINPUT");
- safe_system("/sbin/iptables --wait -F IPSECFORWARD");
- safe_system("/sbin/iptables --wait -F IPSECOUTPUT");
-}
-
 /* return values from the vpn config file or false if not 'on' */
@@ -187,8 +151,6 @@ void turn_connection_off (char *name) {
 }
 int main(int argc, char *argv[]) {
- char configtype[STRING_SIZE];
- char redtype[STRING_SIZE] = "";
 struct keyvalue *kv = NULL;
 if (argc < 2) {
@@ -197,9 +159,8 @@ int main(int argc, char *argv[]) {
 }
 if (!(initsetuid()))
 exit(1);
-
- FILE *file = NULL;
-
+
+ FILE *file = NULL;
 if (strcmp(argv[1], "I") == 0) {
 safe_system("/usr/sbin/ipsec status");
@@ -219,7 +180,7 @@ int main(int argc, char *argv[]) {
 if (argc == 2) {
 if (strcmp(argv[1], "D") == 0) {
 safe_system("/usr/sbin/ipsec stop >/dev/null 2>&1");
- ipsec_norules();
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
 exit(0);
 }
 }
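Review bot: `safe_system("/usr/lib/firewall/ipsec-policy >/dev/null")` after `ipsec stop` re-opens UDP 500/4500 whenever `ENABLED` in /var/ipfire/vpn/settings is still `on`, because install_policy only returns early when it is not, whereas the removed `ipsec_norules()` unconditionally left the chains empty. If every caller of `D` flips ENABLED off before invoking ipsecctrl this is harmless, but that coupling is invisible here, so a comment such as `/* ipsec-policy flushes the IPsec chains; it re-adds the IKE rules only while ENABLED=on */` would document it. As with the other safe_system calls in main, the script's exit status is discarded, so a failed flush on the stop path goes unnoticed; main continues outside the hunk.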
@@ -241,80 +202,9 @@ int main(int argc, char *argv[]) {
 exit(0);
 }
- /* read interface settings */
- kv=initkeyvalues();
- if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
- {
- fprintf(stderr, "Cannot read ethernet settings\n");
- exit(1);
- }
- if (!findkey(kv, "CONFIG_TYPE", configtype))
- {
- fprintf(stderr, "Cannot read CONFIG_TYPE\n");
- exit(1);
- }
- findkey(kv, "RED_TYPE", redtype);
-
-
- /* Loop through the config file to find physical interface that will accept IPSEC */
- int enable_red=0; // states 0: not used
- int enable_green=0; // 1: error condition
- int enable_orange=0; // 2: good
- int enable_blue=0;
- char if_red[STRING_SIZE] = "";
- char if_green[STRING_SIZE] = "";
- char if_orange[STRING_SIZE] = "";
- char if_blue[STRING_SIZE] = "";
 char s[STRING_SIZE];
- // when RED is up, find interface name in special file
- FILE *ifacefile = NULL;
- if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) {
- if (fgets(if_red, STRING_SIZE, ifacefile)) {
- if (if_red[strlen(if_red) - 1] == '\n')
- if_red[strlen(if_red) - 1] = '\0';
- }
- fclose (ifacefile);
-
- if (VALID_DEVICE(if_red))
- enable_red++;
- }
-
- // Check if GREEN is enabled.
- findkey(kv, "GREEN_DEV", if_green);
- if (VALID_DEVICE(if_green))
- enable_green++;
-
- // Check if ORANGE is enabled.
- findkey(kv, "ORANGE_DEV", if_orange);
- if (VALID_DEVICE(if_orange))
- enable_orange++;
-
- // Check if BLUE is enabled.
- findkey(kv, "BLUE_DEV", if_blue);
- if (VALID_DEVICE(if_blue))
- enable_blue++;
-
- freekeyvalues(kv);
-
- // exit if nothing to do
- if ((enable_red+enable_green+enable_orange+enable_blue) == 0)
- exit(0);
-
- // open needed ports
- if (enable_red > 0)
- open_physical(if_red, 4500);
-
- if (enable_green > 0)
- open_physical(if_green, 4500);
-
- if (enable_orange > 0)
- open_physical(if_orange, 4500);
-
- if (enable_blue > 0)
- open_physical(if_blue, 4500);
-
- // start the system
+ // start the system
 if ((argc == 2) && strcmp(argv[1], "S") == 0) {
 safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
 safe_system("/usr/sbin/ipsec restart >/dev/null");
--
2.39.2
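Review bot: `struct keyvalue *kv = NULL;` (context in the hunk at -187) loses every visible user in this hunk — `initkeyvalues`, `readkeyvalues`, the `findkey` calls and `freekeyvalues` are all deleted — so unless the part of main after the hunk still reads it, `kv` is now a dead declaration and should go the way of `configtype` and `redtype`. The retained `char s[STRING_SIZE];` is in the same position: nothing left in the visible hunk touches it. The `- // start the system` / `+ // start the system` pair changes only the comment's indentation and could be dropped to keep the patch to its functional change. main continues outside the hunk, so the first two points are inferred from what is visible rather than confirmed.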