Forward Firewall: Updated strongswan patch provided my Michael. (Changes _updown...
1 diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
2 index 3a40e21..d9f3ea0 100644
3 --- a/src/_updown/_updown.in
4 +++ b/src/_updown/_updown.in
5 @@ -193,6 +193,29 @@ custom:*) # custom parameters (see above CAUTION comment)
6 ;;
7 esac
8
9 +function ip_encode() {
10 + local IFS=.
11 +
12 + local int=0
13 + for field in $1; do
14 + int=$(( $(( $int << 8 )) | $field ))
15 + done
16 +
17 + echo $int
18 +}
19 +
20 +function ip_in_subnet() {
21 + local netmask
22 + netmask=$(_netmask $2)
23 + [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
24 +}
25 +
26 +function _netmask() {
27 + local vlsm
28 + vlsm=${1#*/}
29 + [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
30 +}
31 +
32 # utility functions for route manipulation
33 # Meddling with this stuff should not be necessary and requires great care.
34 uproute() {
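Review bot: `_netmask` (and `ip_in_subnet` through it) assumes its argument carries a `/prefix`: without one `${1#*/}` yields the whole address, `[ $vlsm -eq 0 ]` and the shift arithmetic error out, `netmask` stays empty, and the `$(( ... & ))` in `ip_in_subnet` then fails too, so the caller's `$?` test reflects a shell error rather than a membership result. A guard such as `case "$1" in */*) vlsm=${1#*/} ;; *) vlsm=32 ;; esac` keeps the helpers total. `field` in `ip_encode` is not declared `local` and leaks into the caller, and octets with a leading zero (`010`) are read as base 8 by `$(( ))`. The `function name()` form and `local` are bash extensions; if this script's shebang is `/bin/sh` that should be checked against the interpreter IPFire installs there.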
35 @@ -397,12 +420,12 @@ up-host:iptables)
36 # connection to me, with (left/right)firewall=yes, coming up
37 # This is used only by the default updown script, not by your custom
38 # ones, so do not mess with it; see CAUTION comment up at top.
39 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
40 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
41 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
42 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
43 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
44 + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
45 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
46 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
47 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
48 #
49 # log IPsec host connection setup
50 if [ $VPN_LOGGING ]
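Review bot: The OUTPUT rule ending in `-j MARK --set-mark 50` no longer accepts anything by itself: MARK is a non-terminating target, so the packet keeps traversing IPSECOUTPUT and returns to the calling chain, and the accept decision has moved to whatever rule elsewhere matches mark 50, which is not part of this patch. A comment on the rule would make that contract visible, e.g. `# non-terminating: packets marked 50 are decided by the rules that run after IPSECOUTPUT returns`. The literal 50 recurs in the down-host, up-client and down-client hunks; defining it once (e.g. `IPSEC_MARK=50` next to the new helper functions) would keep the insert and delete rules from drifting apart. The same note applies to those three hunks.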
51 @@ -410,10 +433,10 @@ up-host:iptables)
52 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
53 then
54 logger -t $TAG -p $FAC_PRIO \
55 - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
56 + "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
57 else
58 logger -t $TAG -p $FAC_PRIO \
59 - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
60 + "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
61 fi
62 fi
63 ;;
64 @@ -421,12 +444,12 @@ down-host:iptables)
65 # connection to me, with (left/right)firewall=yes, going down
66 # This is used only by the default updown script, not by your custom
67 # ones, so do not mess with it; see CAUTION comment up at top.
68 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
69 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
70 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
71 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
72 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
73 + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
74 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
75 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
76 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
77 #
78 # log IPsec host connection teardown
79 if [ $VPN_LOGGING ]
80 @@ -434,10 +457,10 @@ down-host:iptables)
81 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
82 then
83 logger -t $TAG -p $FAC_PRIO -- \
84 - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
85 + "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
86 else
87 logger -t $TAG -p $FAC_PRIO -- \
88 - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
89 + "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
90 fi
91 fi
92 ;;
93 @@ -447,24 +470,24 @@ up-client:iptables)
94 # ones, so do not mess with it; see CAUTION comment up at top.
95 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
96 then
97 - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
98 + iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
99 -s $PLUTO_MY_CLIENT $S_MY_PORT \
100 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
101 - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
102 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
103 + iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
104 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
105 - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
106 + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
107 fi
108 #
109 # a virtual IP requires an INPUT and OUTPUT rule on the host
110 # or sometimes host access via the internal IP is needed
111 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
112 then
113 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
114 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
115 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
116 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
117 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
118 + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
119 -s $PLUTO_MY_CLIENT $S_MY_PORT \
120 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
121 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
122 fi
123 #
124 # log IPsec client connection setup
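Review bot: The two IPSECFORWARD rules are now asymmetric — outbound traffic gets `-j MARK --set-mark 50`, inbound traffic from the peer subnet gets `-j RETURN` — and neither line says why, so a reader cannot tell that the ACCEPT previously granted here has been delegated to the chain that called IPSECFORWARD. Suggested comments: `# outbound: only mark with 50, the caller's rules decide on the mark` and `# inbound: return to the calling chain so the regular forward rules apply`. `-j RETURN` at position 1 also means every later rule in IPSECFORWARD is skipped for matching inbound packets, which only holds while nothing else is inserted into that chain. The `-D` rules in the down-client hunk match these exactly, as they must.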
125 @@ -473,12 +496,51 @@ up-client:iptables)
126 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
127 then
128 logger -t $TAG -p $FAC_PRIO \
129 - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
130 + "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
131 else
132 logger -t $TAG -p $FAC_PRIO \
133 - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
134 + "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
135 fi
136 fi
137 +
138 + #
139 + # Open Firewall for IPinIP + AH + ESP Traffic
140 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
141 + -s $PLUTO_PEER $S_PEER_PORT \
142 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
143 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
144 + -s $PLUTO_PEER $S_PEER_PORT \
145 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
146 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
147 + -s $PLUTO_PEER $S_PEER_PORT \
148 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
149 + if [ $VPN_LOGGING ]
150 + then
151 + logger -t $TAG -p $FAC_PRIO \
152 + "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
153 + fi
154 +
155 + # Add source nat so also the gateway can access the other nets
156 + eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
157 + for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
158 + ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
159 + if [ $? -eq 0 ]; then
160 + src=${_src}
161 + break
162 + fi
163 + done
164 +
165 + if [ -n "${src}" ]; then
166 + iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
167 + logger -t $TAG -p $FAC_PRIO \
168 + "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
169 + else
170 + logger -t $TAG -p $FAC_PRIO \
171 + "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
172 + fi
173 +
174 + # Flush routing cache
175 + ip route flush cache
176 ;;
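Review bot: `-p IP` in the three new IPSECINPUT rules does not select IP-in-IP: on a standard /etc/protocols `ip` resolves to protocol number 0, which iptables treats like `-p all`, so the first rule accepts every protocol from `$PLUTO_PEER` to `$PLUTO_ME` on the interface, far wider than the `# Open Firewall for IPinIP + AH + ESP Traffic` comment intends. IP-in-IP is protocol 4 (`ipencap` in /etc/protocols); `-p 4` on the insert here and on the matching `-D` in the down-client hunk restricts the rule to what the comment describes. `src` is read after the loop but never initialised before it, so a value inherited from the environment would be used as the SNAT address; `src=` before `for _src in` makes the no-match branch reliable, and `if ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"; then` reads better than testing `$?` afterwards. `eval $(/usr/local/bin/readhash ...)` executes whatever the settings file contains; that is the existing IPFire idiom, but a comment noting that the file is root-owned configuration would document the trust assumption.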
177 down-client:iptables)
178 # connection to client subnet, with (left/right)firewall=yes, going down
179 @@ -486,28 +548,28 @@ down-client:iptables)
180 # ones, so do not mess with it; see CAUTION comment up at top.
181 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
182 then
183 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
184 + iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
185 -s $PLUTO_MY_CLIENT $S_MY_PORT \
186 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
187 - $IPSEC_POLICY_OUT -j ACCEPT
188 - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
189 + $IPSEC_POLICY_OUT -j MARK --set-mark 50
190 + iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
191 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
192 -d $PLUTO_MY_CLIENT $D_MY_PORT \
193 - $IPSEC_POLICY_IN -j ACCEPT
194 + $IPSEC_POLICY_IN -j RETURN
195 fi
196 #
197 # a virtual IP requires an INPUT and OUTPUT rule on the host
198 # or sometimes host access via the internal IP is needed
199 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
200 then
201 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
202 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
203 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
204 -d $PLUTO_MY_CLIENT $D_MY_PORT \
205 $IPSEC_POLICY_IN -j ACCEPT
206 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
207 + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
208 -s $PLUTO_MY_CLIENT $S_MY_PORT \
209 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
210 - $IPSEC_POLICY_OUT -j ACCEPT
211 + $IPSEC_POLICY_OUT -j MARK --set-mark 50
212 fi
213 #
214 # log IPsec client connection teardown
215 @@ -516,12 +578,51 @@ down-client:iptables)
216 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
217 then
218 logger -t $TAG -p $FAC_PRIO -- \
219 - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
220 + "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
221 else
222 logger -t $TAG -p $FAC_PRIO -- \
223 - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
224 + "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
225 fi
226 fi
227 +
228 + #
229 + # Close Firewall for IPinIP + AH + ESP Traffic
230 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
231 + -s $PLUTO_PEER $S_PEER_PORT \
232 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
233 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
234 + -s $PLUTO_PEER $S_PEER_PORT \
235 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
236 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
237 + -s $PLUTO_PEER $S_PEER_PORT \
238 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
239 + if [ $VPN_LOGGING ]
240 + then
241 + logger -t $TAG -p $FAC_PRIO \
242 + "tunnel- $PLUTO_PEER -- $PLUTO_ME"
243 + fi
244 +
245 + # remove source nat
246 + eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
247 + for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
248 + ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
249 + if [ $? -eq 0 ]; then
250 + src=${_src}
251 + break
252 + fi
253 + done
254 +
255 + if [ -n "${src}" ]; then
256 + iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
257 + logger -t $TAG -p $FAC_PRIO \
258 + "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
259 + else
260 + logger -t $TAG -p $FAC_PRIO \
261 + "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
262 + fi
263 +
264 + # Flush routing cache
265 + ip route flush cache
266 ;;
267 #
268 # IPv6
269 @@ -556,10 +657,10 @@ up-host-v6:iptables)
270 # connection to me, with (left/right)firewall=yes, coming up
271 # This is used only by the default updown script, not by your custom
272 # ones, so do not mess with it; see CAUTION comment up at top.
273 - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
274 + ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
275 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
276 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
277 - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
278 + ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
279 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
280 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
281 #
282 @@ -580,10 +681,10 @@ down-host-v6:iptables)
283 # connection to me, with (left/right)firewall=yes, going down
284 # This is used only by the default updown script, not by your custom
285 # ones, so do not mess with it; see CAUTION comment up at top.
286 - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
287 + ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
288 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
289 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
290 - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
291 + ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
292 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
293 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
294 #
295 @@ -606,10 +707,10 @@ up-client-v6:iptables)
296 # ones, so do not mess with it; see CAUTION comment up at top.
297 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
298 then
299 - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
300 + ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
301 -s $PLUTO_MY_CLIENT $S_MY_PORT \
302 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
303 - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
304 + ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
305 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
306 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
307 fi
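Review bot: The IPv6 forward rules keep `-j ACCEPT` in IPSECFORWARD while their IPv4 counterparts in the up-client hunk switched to `-j MARK --set-mark 50` and `-j RETURN`, so as far as this patch shows an IPv6 tunnel is still accepted outright instead of going through the forward firewall. If that asymmetry is intended it deserves a comment on the rule, e.g. `# IPv6 tunnels are accepted here directly; the mark/return scheme is IPv4-only for now`; otherwise the same MARK/RETURN change is needed here and in the down-client-v6 hunk. The IPSEC* chains also have to exist in the ip6tables ruleset, which this patch does not create.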
308 @@ -618,10 +719,10 @@ up-client-v6:iptables)
309 # or sometimes host access via the internal IP is needed
310 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
311 then
312 - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
313 + ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
314 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
315 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
316 - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
317 + ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
318 -s $PLUTO_MY_CLIENT $S_MY_PORT \
319 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
320 fi
321 @@ -645,11 +746,11 @@ down-client-v6:iptables)
322 # ones, so do not mess with it; see CAUTION comment up at top.
323 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
324 then
325 - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
326 + ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
327 -s $PLUTO_MY_CLIENT $S_MY_PORT \
328 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
329 $IPSEC_POLICY_OUT -j ACCEPT
330 - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
331 + ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
332 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
333 -d $PLUTO_MY_CLIENT $D_MY_PORT \
334 $IPSEC_POLICY_IN -j ACCEPT
335 @@ -659,11 +760,11 @@ down-client-v6:iptables)
336 # or sometimes host access via the internal IP is needed
337 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
338 then
339 - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
340 + ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
341 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
342 -d $PLUTO_MY_CLIENT $D_MY_PORT \
343 $IPSEC_POLICY_IN -j ACCEPT
344 - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
345 + ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
346 -s $PLUTO_MY_CLIENT $S_MY_PORT \
347 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
348 $IPSEC_POLICY_OUT -j ACCEPT