From ab4876ad4221acad2e62bbb7fe7f92ba45099806 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 8 Nov 2013 13:38:09 +0100 Subject: [PATCH] firewall: Don't require to enable the RW server for N2N networks. The firewall rules for OpenVPN have not been applied for N2N connections when the road warrior server was disabled. --- src/initscripts/init.d/firewall | 8 +- src/misc-progs/openvpnctrl.c | 144 ++++---------------------------- 2 files changed, 24 insertions(+), 128 deletions(-) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 36d7e449f..37ef351ed 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -159,6 +159,10 @@ iptables_init() { /sbin/iptables -N WIRELESSFORWARD /sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD + # OpenVPN + /sbin/iptables -N OVPNINPUT + /sbin/iptables -A INPUT -j OVPNINPUT + # TOR /sbin/iptables -N TOR_INPUT /sbin/iptables -A INPUT -j TOR_INPUT @@ -206,8 +210,8 @@ iptables_init() { /etc/sysconfig/firewall.local start fi - # run openvpn - /usr/local/bin/openvpnctrl --create-chains-and-rules + # Apply OpenVPN firewall rules + /usr/local/bin/openvpnctrl --firewall-rules # run wirelessctrl /usr/local/bin/wirelessctrl diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c index 257778892..2af537272 100644 --- a/src/misc-progs/openvpnctrl.c +++ b/src/misc-progs/openvpnctrl.c @@ -25,12 +25,10 @@ char enableblue[STRING_SIZE] = "off"; char enableorange[STRING_SIZE] = "off"; // consts -char OVPNRED[STRING_SIZE] = "OVPN"; -char OVPNBLUE[STRING_SIZE] = "OVPN_BLUE_"; -char OVPNORANGE[STRING_SIZE] = "OVPN_ORANGE_"; +char OVPNINPUT[STRING_SIZE] = "OVPNINPUT"; char OVPNBLOCK[STRING_SIZE] = "OVPNBLOCK"; char OVPNNAT[STRING_SIZE] = "OVPNNAT"; -char WRAPPERVERSION[STRING_SIZE] = "ipfire-2.2.3"; +char WRAPPERVERSION[STRING_SIZE] = "ipfire-2.2.4"; struct connection_struct { char name[STRING_SIZE]; @@ -40,7 +38,7 @@ struct connection_struct { char local_subnet[STRING_SIZE]; char transfer_subnet[STRING_SIZE]; char role[STRING_SIZE]; - int port; + char port[STRING_SIZE]; struct connection_struct *next; }; @@ -81,10 +79,6 @@ void usage(void) printf(" removes current OpenVPN chains and rules and resets them according to the config\n"); printf(" -sdo --start-daemon-only\n"); printf(" starts OpenVPN daemon only\n"); - printf(" -ccr --create-chains-and-rules\n"); - printf(" creates chains and rules for OpenVPN\n"); - printf(" -dcr --delete-chains-and-rules\n"); - printf(" removes all chains for OpenVPN\n"); exit(1); } @@ -149,7 +143,7 @@ connection *getConnections() { } else if (count == 29) { strcpy(conn_curr->proto, result); } else if (count == 30) { - conn_curr->port = atoi(result); + strcpy(conn_curr->port, result); } count++; @@ -242,111 +236,28 @@ void executeCommand(char *command) { safe_system(strncat(command, " >/dev/null 2>&1", 17)); } -void setChainRules(char *chain, char *interface, char *protocol, char *port) -{ - char str[STRING_SIZE]; +void addRule(const char *chain, const char *interface, const char *protocol, const char *port) { + char command[STRING_SIZE]; - sprintf(str, "/sbin/iptables -A %sINPUT -i %s -p %s --dport %s -j ACCEPT", chain, interface, protocol, port); - executeCommand(str); + snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A %s -i %s -p %s --dport %s -j ACCEPT", + chain, interface, protocol, port); + executeCommand(command); } void flushChain(char *chain) { char str[STRING_SIZE]; - sprintf(str, "/sbin/iptables -F %s", chain); + snprintf(str, STRING_SIZE - 1, "/sbin/iptables -F %s", chain); executeCommand(str); } void flushChainNAT(char *chain) { char str[STRING_SIZE]; - sprintf(str, "/sbin/iptables -t nat -F %s", chain); - executeCommand(str); -} - -void flushChainINPUT(char *chain) { - char str[STRING_SIZE]; - - snprintf(str, STRING_SIZE, "%sINPUT", chain); - flushChain(str); -} - -void deleteChainReference(char *chain) { - char str[STRING_SIZE]; - - sprintf(str, "/sbin/iptables -D INPUT -j %sINPUT", chain); - executeCommand(str); -} - -void deleteChain(char *chain) { - char str[STRING_SIZE]; - - sprintf(str, "/sbin/iptables -X %sINPUT", chain); - executeCommand(str); -} - -void deleteAllChains(void) { - // not an elegant solution, but to avoid timing problems with undeleted chain references - deleteChainReference(OVPNRED); - deleteChainReference(OVPNBLUE); - deleteChainReference(OVPNORANGE); - flushChainINPUT(OVPNRED); - flushChainINPUT(OVPNBLUE); - flushChainINPUT(OVPNORANGE); - deleteChain(OVPNRED); - deleteChain(OVPNBLUE); - deleteChain(OVPNORANGE); - - // Only flush chains that are created by the firewall - flushChain(OVPNBLOCK); - flushChainNAT(OVPNNAT); -} - -void createChainReference(char *chain) { - char str[STRING_SIZE]; - sprintf(str, "/sbin/iptables -I INPUT %s -j %sINPUT", "14", chain); - executeCommand(str); -} - -void createChain(char *chain) { - char str[STRING_SIZE]; - sprintf(str, "/sbin/iptables -N %sINPUT", chain); + snprintf(str, STRING_SIZE - 1, "/sbin/iptables -t nat -F %s", chain); executeCommand(str); } -void createAllChains(void) { - // create chain and chain references - if (!strcmp(enableorange, "on")) { - if (strlen(orangeif) > 0) { - createChain(OVPNORANGE); - createChainReference(OVPNORANGE); - } else { - fprintf(stderr, "OpenVPN enabled on orange but no orange interface found\n"); - //exit(1); - } - } - - if (!strcmp(enableblue, "on")) { - if (strlen(blueif) > 0) { - createChain(OVPNBLUE); - createChainReference(OVPNBLUE); - } else { - fprintf(stderr, "OpenVPN enabled on blue but no blue interface found\n"); - //exit(1); - } - } - - if (!strcmp(enablered, "on")) { - if (strlen(redif) > 0) { - createChain(OVPNRED); - createChainReference(OVPNRED); - } else { - fprintf(stderr, "OpenVPN enabled on red but no red interface found\n"); - //exit(1); - } - } -} - char* calcTransferNetAddress(const connection* conn) { char *subnetmask = strdup(conn->transfer_subnet); char *address = strsep(&subnetmask, "/"); @@ -459,19 +370,17 @@ void setFirewallRules(void) { freekeyvalues(kv); // Flush all chains. - flushChainINPUT(OVPNRED); - flushChainINPUT(OVPNBLUE); - flushChainINPUT(OVPNORANGE); + flushChain(OVPNINPUT); flushChain(OVPNBLOCK); flushChainNAT(OVPNNAT); // set firewall rules if (!strcmp(enablered, "on") && strlen(redif)) - setChainRules(OVPNRED, redif, protocol, dport); + addRule(OVPNINPUT, redif, protocol, dport); if (!strcmp(enableblue, "on") && strlen(blueif)) - setChainRules(OVPNBLUE, blueif, protocol, dport); + addRule(OVPNINPUT, blueif, protocol, dport); if (!strcmp(enableorange, "on") && strlen(orangeif)) - setChainRules(OVPNORANGE, orangeif, protocol, dport); + addRule(OVPNINPUT, orangeif, protocol, dport); // read connection configuration connection *conn = getConnections(); @@ -482,12 +391,10 @@ void setFirewallRules(void) { char *transfer_subnet_address = NULL; while (conn != NULL) { if (strcmp(conn->type, "net") == 0) { - sprintf(command, "/sbin/iptables -A %sINPUT -i %s -p %s --dport %d -j ACCEPT", - OVPNRED, redif, conn->proto, conn->port); - executeCommand(command); + addRule(OVPNINPUT, redif, conn->proto, conn->port); /* Block all communication from the transfer nets. */ - snprintf(command, STRING_SIZE, "/sbin/iptables -A %s -s %s -j DROP", + snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A %s -s %s -j DROP", OVPNBLOCK, conn->transfer_subnet); executeCommand(command); @@ -495,7 +402,7 @@ void setFirewallRules(void) { transfer_subnet_address = calcTransferNetAddress(conn); if ((local_subnet_address) && (transfer_subnet_address)) { - snprintf(command, STRING_SIZE, "/sbin/iptables -t nat -A %s -s %s -j SNAT --to-source %s", + snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A %s -s %s -j SNAT --to-source %s", OVPNNAT, transfer_subnet_address, local_subnet_address); executeCommand(command); } @@ -705,16 +612,10 @@ int main(int argc, char *argv[]) { displayopenvpn(); return 0; } - else if( (strcmp(argv[1], "-dcr") == 0) || (strcmp(argv[1], "--delete-chains-and-rules") == 0) ) { - deleteAllChains(); - return 0; - } else { ovpnInit(); if( (strcmp(argv[1], "-s") == 0) || (strcmp(argv[1], "--start") == 0) ) { - deleteAllChains(); - createAllChains(); setFirewallRules(); startDaemon(); return 0; @@ -733,20 +634,11 @@ int main(int argc, char *argv[]) { } else if( (strcmp(argv[1], "-r") == 0) || (strcmp(argv[1], "--restart") == 0) ) { stopDaemon(); - deleteAllChains(); - createAllChains(); setFirewallRules(); startDaemon(); return 0; } else if( (strcmp(argv[1], "-fwr") == 0) || (strcmp(argv[1], "--firewall-rules") == 0) ) { - deleteAllChains(); - createAllChains(); - setFirewallRules(); - return 0; - } - else if( (strcmp(argv[1], "-ccr") == 0) || (strcmp(argv[1], "--create-chains-and-rules") == 0) ) { - createAllChains(); setFirewallRules(); return 0; } -- 2.39.2