]>
Commit | Line | Data |
---|---|---|
50a488f4 AF |
1 | diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_updown/_updown.in |
2 | --- strongswan-4.4.0.org/src/_updown/_updown.in 2010-03-15 21:52:51.000000000 +0100 | |
3 | +++ strongswan-4.4.0/src/_updown/_updown.in 2010-05-08 16:42:23.000000000 +0200 | |
db073a10 | 4 | @@ -374,12 +374,12 @@ |
6652626c AF |
5 | # connection to me, with (left/right)firewall=yes, coming up |
6 | # This is used only by the default updown script, not by your custom | |
7 | # ones, so do not mess with it; see CAUTION comment up at top. | |
8 | - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
9 | + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
10 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
11 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
12 | - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
13 | + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
14 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
db073a10 AF |
15 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT |
16 | + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 | |
6652626c | 17 | # |
db073a10 AF |
18 | # log IPsec host connection setup |
19 | if [ $VPN_LOGGING ] | |
6652626c AF |
20 | @@ -387,10 +387,10 @@ |
21 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] | |
22 | then | |
23 | logger -t $TAG -p $FAC_PRIO \ | |
24 | - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
25 | + "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
26 | else | |
27 | logger -t $TAG -p $FAC_PRIO \ | |
28 | - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
29 | + "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
30 | fi | |
31 | fi | |
32 | ;; | |
db073a10 | 33 | @@ -398,12 +398,12 @@ |
6652626c AF |
34 | # connection to me, with (left/right)firewall=yes, going down |
35 | # This is used only by the default updown script, not by your custom | |
36 | # ones, so do not mess with it; see CAUTION comment up at top. | |
37 | - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
38 | + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
39 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
40 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
41 | - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
42 | + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
43 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
db073a10 AF |
44 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT |
45 | + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 | |
6652626c | 46 | # |
db073a10 AF |
47 | # log IPsec host connection teardown |
48 | if [ $VPN_LOGGING ] | |
6652626c AF |
49 | @@ -411,10 +411,10 @@ |
50 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] | |
51 | then | |
52 | logger -t $TAG -p $FAC_PRIO -- \ | |
53 | - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
54 | + "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
55 | else | |
56 | logger -t $TAG -p $FAC_PRIO -- \ | |
57 | - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
58 | + "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
59 | fi | |
60 | fi | |
61 | ;; | |
62 | @@ -424,10 +424,10 @@ | |
63 | # ones, so do not mess with it; see CAUTION comment up at top. | |
64 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] | |
65 | then | |
66 | - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
67 | + iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
68 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
db073a10 | 69 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT |
6652626c | 70 | - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
db073a10 | 71 | + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 |
6652626c AF |
72 | + iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
73 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
74 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
75 | fi | |
db073a10 | 76 | @@ -436,12 +436,12 @@ |
6652626c AF |
77 | # or sometimes host access via the internal IP is needed |
78 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
79 | then | |
80 | - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
81 | + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
82 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
83 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
84 | - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
85 | + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
86 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
db073a10 AF |
87 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT |
88 | + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 | |
6652626c | 89 | fi |
db073a10 AF |
90 | # |
91 | # log IPsec client connection setup | |
50a488f4 | 92 | @@ -450,12 +450,30 @@ |
6652626c AF |
93 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
94 | then | |
95 | logger -t $TAG -p $FAC_PRIO \ | |
96 | - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
97 | + "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
98 | else | |
99 | logger -t $TAG -p $FAC_PRIO \ | |
100 | - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
101 | + "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
102 | fi | |
103 | fi | |
104 | + | |
105 | + # | |
50a488f4 AF |
106 | + # Open Firewall for IPinIP + AH + ESP Traffic |
107 | + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \ | |
108 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
109 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
db073a10 AF |
110 | + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \ |
111 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
112 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
6652626c AF |
113 | + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \ |
114 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
115 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
6652626c AF |
116 | + if [ $VPN_LOGGING ] |
117 | + then | |
118 | + logger -t $TAG -p $FAC_PRIO \ | |
119 | + "ESP+ $PLUTO_PEER -- $PLUTO_ME" | |
120 | + fi | |
121 | + | |
122 | ;; | |
123 | down-client:iptables) | |
124 | # connection to client subnet, with (left/right)firewall=yes, going down | |
50a488f4 | 125 | @@ -463,11 +481,11 @@ |
6652626c AF |
126 | # ones, so do not mess with it; see CAUTION comment up at top. |
127 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] | |
128 | then | |
129 | - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
130 | + iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
131 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
132 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
db073a10 | 133 | - $IPSEC_POLICY_OUT -j ACCEPT |
6652626c | 134 | - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
db073a10 | 135 | + $IPSEC_POLICY_OUT -j MARK --set-mark 50 |
6652626c AF |
136 | + iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
137 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
138 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
139 | $IPSEC_POLICY_IN -j ACCEPT | |
50a488f4 | 140 | @@ -477,14 +495,14 @@ |
6652626c AF |
141 | # or sometimes host access via the internal IP is needed |
142 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
143 | then | |
144 | - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
145 | + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
146 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
147 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
148 | $IPSEC_POLICY_IN -j ACCEPT | |
149 | - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
150 | + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
151 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
152 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
db073a10 AF |
153 | - $IPSEC_POLICY_OUT -j ACCEPT |
154 | + $IPSEC_POLICY_OUT -j MARK --set-mark 50 | |
155 | fi | |
156 | # | |
157 | # log IPsec client connection teardown | |
50a488f4 | 158 | @@ -493,12 +511,30 @@ |
6652626c AF |
159 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
160 | then | |
161 | logger -t $TAG -p $FAC_PRIO -- \ | |
162 | - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
163 | + "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
164 | else | |
165 | logger -t $TAG -p $FAC_PRIO -- \ | |
166 | - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
167 | + "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
168 | fi | |
169 | fi | |
170 | + | |
171 | + # | |
50a488f4 AF |
172 | + # Close Firewall for IPinIP + AH + ESP Traffic |
173 | + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \ | |
174 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
175 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
db073a10 AF |
176 | + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \ |
177 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
178 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
6652626c AF |
179 | + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \ |
180 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
181 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
6652626c AF |
182 | + if [ $VPN_LOGGING ] |
183 | + then | |
184 | + logger -t $TAG -p $FAC_PRIO \ | |
185 | + "ESP- $PLUTO_PEER -- $PLUTO_ME" | |
186 | + fi | |
187 | + | |
188 | ;; | |
189 | # | |
190 | # IPv6 | |
50a488f4 | 191 | @@ -533,10 +569,10 @@ |
6652626c AF |
192 | # connection to me, with (left/right)firewall=yes, coming up |
193 | # This is used only by the default updown script, not by your custom | |
194 | # ones, so do not mess with it; see CAUTION comment up at top. | |
195 | - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
196 | + ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
197 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
198 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
199 | - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
200 | + ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
201 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
202 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT | |
203 | # | |
50a488f4 | 204 | @@ -557,10 +593,10 @@ |
6652626c AF |
205 | # connection to me, with (left/right)firewall=yes, going down |
206 | # This is used only by the default updown script, not by your custom | |
207 | # ones, so do not mess with it; see CAUTION comment up at top. | |
208 | - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
209 | + ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
210 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
211 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
212 | - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
213 | + ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
214 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
215 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT | |
216 | # | |
50a488f4 | 217 | @@ -583,10 +619,10 @@ |
6652626c AF |
218 | # ones, so do not mess with it; see CAUTION comment up at top. |
219 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] | |
220 | then | |
221 | - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
222 | + ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
223 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
224 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
225 | - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
226 | + ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
227 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
228 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
229 | fi | |
50a488f4 | 230 | @@ -595,10 +631,10 @@ |
6652626c AF |
231 | # or sometimes host access via the internal IP is needed |
232 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
233 | then | |
234 | - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
235 | + ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
236 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
237 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
238 | - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
239 | + ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
240 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
241 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
242 | fi | |
50a488f4 | 243 | @@ -622,11 +658,11 @@ |
6652626c AF |
244 | # ones, so do not mess with it; see CAUTION comment up at top. |
245 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] | |
246 | then | |
247 | - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
248 | + ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
249 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
250 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
251 | $IPSEC_POLICY_OUT -j ACCEPT | |
252 | - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
253 | + ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
254 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
255 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
256 | $IPSEC_POLICY_IN -j ACCEPT | |
50a488f4 | 257 | @@ -636,11 +672,11 @@ |
6652626c AF |
258 | # or sometimes host access via the internal IP is needed |
259 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
260 | then | |
261 | - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
262 | + ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
263 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
264 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
265 | $IPSEC_POLICY_IN -j ACCEPT | |
266 | - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
267 | + ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
268 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
269 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
270 | $IPSEC_POLICY_OUT -j ACCEPT |