#!/bin/sh
# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
# Copyright (C) 2002-2004 Michael Richardson
# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.

# CAUTION: Installing a new version of strongSwan will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.

# PLUTO_VERSION
#	indicates what version of this interface is being
#	used.  This document describes version 1.1.  This
#	is upwardly compatible with version 1.0.
#
# PLUTO_VERB
#	specifies the name of the operation to be performed
#	(prepare-host, prepare-client, up-host, up-client,
#	down-host, or down-client).  If the address family
#	for security gateway to security gateway communications
#	is IPv6, then a suffix of -v6 is added to the verb.
#
# PLUTO_CONNECTION
#	is the name of the connection for which we are
#	routing.
#
# PLUTO_INTERFACE
#	is the name of the ipsec interface to be used.
#
# PLUTO_REQID
#	is the reqid of the AH|ESP policy
#
# PLUTO_PROTO
#	is the negotiated IPsec protocol, ah|esp
#
# PLUTO_IPCOMP
#	is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
#	is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
#	is the IP address of our host.
#
# PLUTO_MY_ID
#	is the ID of our host.
#
# PLUTO_MY_CLIENT
#	is the IP address / count of our client subnet.  If
#	the client is just the host, this will be the
#	host's own IP address / max (where max is 32 for
#	IPv4 and 128 for IPv6).
#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
#	contains the IPv4/IPv6 virtual IPs received from a responder,
#	$i enumerates from 1 to the number of IPs per address family.
#	PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
#	virtual IP, IPv4 or IPv6.
#
# PLUTO_MY_PROTOCOL
#	is the IP protocol that will be transported.
#
# PLUTO_MY_PORT
#	is the UDP/TCP port to which the IPsec SA is
#	restricted on our side.  For ICMP/ICMPv6 this contains the
#	message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
#	is the IP address of our peer.
#
# PLUTO_PEER_ID
#	is the ID of our peer.
#
# PLUTO_PEER_CLIENT
#	is the IP address / count of the peer's client subnet.
#	If the client is just the peer, this will be
#	the peer's own IP address / max (where max is 32
#	for IPv4 and 128 for IPv6).
#
# PLUTO_PEER_SOURCEIP
# PLUTO_PEER_SOURCEIP4_$i
# PLUTO_PEER_SOURCEIP6_$i
#	contains the IPv4/IPv6 virtual IPs sent to an initiator,
#	$i enumerates from 1 to the number of IPs per address family.
#	PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
#	virtual IP, IPv4 or IPv6.
#
# PLUTO_PEER_PROTOCOL
#	is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
#	is the UDP/TCP port to which the IPsec SA is
#	restricted on the peer side.  For ICMP/ICMPv6 this contains the
#	message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
#	is an optional user ID employed by the XAUTH protocol
#
# PLUTO_MARK_IN
#	is an optional XFRM mark set on the inbound IPsec SA
#
# PLUTO_MARK_OUT
#	is an optional XFRM mark set on the outbound IPsec SA
#
# PLUTO_IF_ID_IN
#	is an optional XFRM interface ID set on the inbound IPsec SA
#
# PLUTO_IF_ID_OUT
#	is an optional XFRM interface ID set on the outbound IPsec SA
#
# PLUTO_UDP_ENC
#	contains the remote UDP port in the case of ESP_IN_UDP
#	encapsulation
#
# PLUTO_DNS4_$i
# PLUTO_DNS6_$i
#	contains the IPv4/IPv6 DNS server attributes received from a
#	responder, $i enumerates from 1 to the number of servers per
#	address family.
#

# Pin PATH to a fixed, minimal set of system directories.  This is done
# unconditionally (not only "if unset"): the commands used below (iptables,
# ip6tables, logger) are resolved through it, so the inherited value of the
# process that invokes this script must not influence which binaries run.
# @sbindir@ is a build-time substitution placeholder (autoconf style).
export PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"

# Syslog logging of VPN connection set-up and tear-down.  Comment out the
# VPN_LOGGING line to disable it: the verb handling further down only checks
# whether the variable is non-empty, so VPN_LOGGING=0 would still log.
VPN_LOGGING=1
#
# tag put in front of each log entry, and the syslog facility.priority
# the entries are sent with
TAG=vpn
FAC_PRIO=local0.notice
#
# To collect these entries in a dedicated file, add the following line to
# the syslog configuration file /etc/syslog.conf:
#
#	local0.notice	-/var/log/vpn

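# Check the interface version.  The PLUTO_* variables documented above are
# the 1.x interface; anything else is refused with exit status 2 so that a
# mismatching daemon cannot silently run this script with missing values.
# Inside a bracket expression '|' is a literal character, not alternation,
# so the rejected minor versions are listed as [01].
case "$PLUTO_VERSION" in
1.[01])	# Older release?!? Play it safe, script may be using new features.
	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
	echo "$0: called by obsolete release?" >&2
	exit 2
	;;
1.*)	;;
*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
	exit 2
	;;
esac
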
# Check the parameter(s).  Three shapes are accepted: no parameters at all,
# exactly one parameter "iptables" (passed for (left/right)firewall=yes and
# meaningful for this default script only), or "custom" followed by anything
# (for customized copies, see the CAUTION comment above).  Everything else
# is rejected with exit status 2.  The patterns do not overlap, so the order
# of the arms is immaterial.
case "$1:$*" in
custom:*)		# custom parameters (see above CAUTION comment)
	;;
iptables:iptables)	# due to (left/right)firewall; for default script only
	;;
':')			# no parameters
	;;
*)	echo "$0: unknown parameters \`$*'" >&2
	exit 2
	;;
esac

# Policy match carried by every firewall rule below.  It restricts a rule to
# packets that are covered by the IPsec policy with this protocol and reqid
# (and, via --dir, the given direction), so the rules do not also admit
# plaintext packets that merely carry the same addresses and ports.
IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"

# ICMP (protocol 1) and ICMPv6 (protocol 58) selectors are expressed with the
# iptables icmp type option instead of --sport/--dport.  For every other
# protocol ICMP_TYPE_OPTION is left unset, which the port handling below
# relies on.
case "$PLUTO_MY_PROTOCOL" in
1)	ICMP_TYPE_OPTION="--icmp-type" ;;
58)	ICMP_TYPE_OPTION="--icmpv6-type" ;;
esac

# Build the per-side port options.  A port of 0 means "any", in which case
# the corresponding variable is left unset (and expands to nothing in the
# rules).  The variables deliberately hold option *and* value as one string
# and are expanded unquoted later, so the shell splits them into arguments.
if [ -n "$ICMP_TYPE_OPTION" ]
then
	# ICMP/ICMPv6: PLUTO_MY_PORT carries the message type and PLUTO_PEER_PORT
	# the message code (see the header); the option syntax is
	# --icmp[v6]-type type[/code], so both end up in the *_MY_PORT strings
	# and the *_PEER_PORT strings stay unset.
	# NOTE(review): if the type is 0 ("any") but the code is not, this
	# yields a bare "/code" option — whether strongSwan can hand out that
	# combination is not visible here; confirm before relying on it.
	if [ "$PLUTO_MY_PORT" != 0 ]
	then
		S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
		D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
	fi
	if [ "$PLUTO_PEER_PORT" != 0 ]
	then
		S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
		D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
	fi
else
	# TCP/UDP and everything else: plain source/destination port options
	if [ "$PLUTO_MY_PORT" != 0 ]
	then
		S_MY_PORT="--sport $PLUTO_MY_PORT"
		D_MY_PORT="--dport $PLUTO_MY_PORT"
	fi
	if [ "$PLUTO_PEER_PORT" != 0 ]
	then
		S_PEER_PORT="--sport $PLUTO_PEER_PORT"
		D_PEER_PORT="--dport $PLUTO_PEER_PORT"
	fi
fi

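# Dispatch on the operation (PLUTO_VERB) and the optional first parameter.
# The arms without ":iptables" are the hooks for customized copies; the
# ":iptables" arms install (up-*) and remove (down-*) the firewall rules used
# with (left/right)firewall=yes.  Things to keep in mind when editing:
#  - PLUTO_*, the *_PORT strings and IPSEC_POLICY_* are expanded unquoted on
#    purpose: several of them hold more than one iptables argument (or none
#    at all), and their values are supplied by strongSwan (see the header),
#    not by an interactive caller.
#  - Every rule carries the policy match built above, so it admits only
#    packets that belong to this IPsec SA, not plaintext with the same
#    addresses.
#  - PLUTO_HOST_ACCESS is read below but is not described in the header:
#    any non-empty value adds the host INPUT/OUTPUT rules for a client
#    subnet even without a virtual IP.
#  - The down-* arms delete with exactly the match the up-* arms inserted;
#    keep the two spellings identical or a rule is left behind.
#  - VPN_LOGGING is tested with -n, so an unexpected value cannot turn the
#    test into a shell syntax error; teardown messages start with "-", hence
#    the "--" before them in the logger calls.
case "$PLUTO_VERB:$1" in
up-host:)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-host:)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-client:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-host:iptables)
	# connection to me, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	#
	# allow IPIP traffic because of the implicit SA created by the kernel if
	# IPComp is used (for small inbound packets that are not compressed)
	if [ -n "$PLUTO_IPCOMP" ]
	then
		iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
			-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# log IPsec host connection setup
	if [ -n "$VPN_LOGGING" ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
		then
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
		else
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
		fi
	fi
	;;
down-host:iptables)
	# connection to me, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	#
	# IPIP exception teardown
	if [ -n "$PLUTO_IPCOMP" ]
	then
		iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
			-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# log IPsec host connection teardown
	if [ -n "$VPN_LOGGING" ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
		then
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
		else
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
		fi
	fi
	;;
up-client:iptables)
	# connection to client subnet, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	#
	# FORWARD rules are skipped when the peer's "subnet" is just our own
	# virtual IP; that case is covered by the host INPUT/OUTPUT rules below.
	# NOTE(review): the comparison uses the legacy PLUTO_MY_SOURCEIP, which
	# per the header is the first virtual IP of either family; on a
	# dual-stack client PLUTO_MY_SOURCEIP4_1 may be the intended value —
	# confirm before changing (the same applies to down-client below).
	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	then
		iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
			-s $PLUTO_MY_CLIENT $S_MY_PORT \
			-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
		iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
			-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
			-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# a virtual IP requires an INPUT and OUTPUT rule on the host
	# or sometimes host access via the internal IP is needed
	# (two separate tests joined with ||: the binary -o of test is obsolescent)
	if [ -n "$PLUTO_MY_SOURCEIP" ] || [ -n "$PLUTO_HOST_ACCESS" ]
	then
		iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
			-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
			-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
		iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
			-s $PLUTO_MY_CLIENT $S_MY_PORT \
			-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	fi
	#
	# allow IPIP traffic because of the implicit SA created by the kernel if
	# IPComp is used (for small inbound packets that are not compressed).
	# INPUT is correct here even for forwarded traffic.
	if [ -n "$PLUTO_IPCOMP" ]
	then
		iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
			-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# log IPsec client connection setup
	if [ -n "$VPN_LOGGING" ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
		then
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		else
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		fi
	fi
	;;
down-client:iptables)
	# connection to client subnet, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	then
		iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
			-s $PLUTO_MY_CLIENT $S_MY_PORT \
			-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
			$IPSEC_POLICY_OUT -j ACCEPT
		iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
			-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
			-d $PLUTO_MY_CLIENT $D_MY_PORT \
			$IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# a virtual IP requires an INPUT and OUTPUT rule on the host
	# or sometimes host access via the internal IP is needed
	if [ -n "$PLUTO_MY_SOURCEIP" ] || [ -n "$PLUTO_HOST_ACCESS" ]
	then
		iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
			-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
			-d $PLUTO_MY_CLIENT $D_MY_PORT \
			$IPSEC_POLICY_IN -j ACCEPT
		iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
			-s $PLUTO_MY_CLIENT $S_MY_PORT \
			-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
			$IPSEC_POLICY_OUT -j ACCEPT
	fi
	#
	# IPIP exception teardown
	if [ -n "$PLUTO_IPCOMP" ]
	then
		iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
			-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# log IPsec client connection teardown
	if [ -n "$VPN_LOGGING" ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
		then
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		else
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		fi
	fi
	;;
#
# IPv6: same structure as above with ip6tables, /128 host prefixes and
# protocol 41 (IPv6-in-IPv6) for the IPComp exception
#
up-host-v6:)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-host-v6:)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client-v6:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-client-v6:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-host-v6:iptables)
	# connection to me, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	#
	# allow IP6IP6 traffic because of the implicit SA created by the kernel if
	# IPComp is used (for small inbound packets that are not compressed)
	if [ -n "$PLUTO_IPCOMP" ]
	then
		ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
			-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# log IPsec host connection setup
	if [ -n "$VPN_LOGGING" ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
		then
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
		else
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
		fi
	fi
	;;
down-host-v6:iptables)
	# connection to me, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	#
	# IP6IP6 exception teardown
	if [ -n "$PLUTO_IPCOMP" ]
	then
		ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
			-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# log IPsec host connection teardown
	if [ -n "$VPN_LOGGING" ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
		then
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
		else
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
		fi
	fi
	;;
up-client-v6:iptables)
	# connection to client subnet, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	# NOTE(review): as in the IPv4 arm, the legacy PLUTO_MY_SOURCEIP is
	# compared here; PLUTO_MY_SOURCEIP6_1 may be the intended value — confirm.
	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	then
		ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
			-s $PLUTO_MY_CLIENT $S_MY_PORT \
			-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
		ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
			-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
			-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# a virtual IP requires an INPUT and OUTPUT rule on the host
	# or sometimes host access via the internal IP is needed
	if [ -n "$PLUTO_MY_SOURCEIP" ] || [ -n "$PLUTO_HOST_ACCESS" ]
	then
		ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
			-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
			-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
		ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
			-s $PLUTO_MY_CLIENT $S_MY_PORT \
			-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	fi
	#
	# allow IP6IP6 traffic because of the implicit SA created by the kernel if
	# IPComp is used (for small inbound packets that are not compressed).
	# INPUT is correct here even for forwarded traffic.
	if [ -n "$PLUTO_IPCOMP" ]
	then
		ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
			-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# log IPsec client connection setup
	if [ -n "$VPN_LOGGING" ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
		then
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		else
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		fi
	fi
	;;
down-client-v6:iptables)
	# connection to client subnet, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	then
		ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
			-s $PLUTO_MY_CLIENT $S_MY_PORT \
			-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
			$IPSEC_POLICY_OUT -j ACCEPT
		ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
			-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
			-d $PLUTO_MY_CLIENT $D_MY_PORT \
			$IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# a virtual IP requires an INPUT and OUTPUT rule on the host
	# or sometimes host access via the internal IP is needed
	if [ -n "$PLUTO_MY_SOURCEIP" ] || [ -n "$PLUTO_HOST_ACCESS" ]
	then
		ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
			-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
			-d $PLUTO_MY_CLIENT $D_MY_PORT \
			$IPSEC_POLICY_IN -j ACCEPT
		ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
			-s $PLUTO_MY_CLIENT $S_MY_PORT \
			-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
			$IPSEC_POLICY_OUT -j ACCEPT
	fi
	#
	# IP6IP6 exception teardown
	if [ -n "$PLUTO_IPCOMP" ]
	then
		ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
			-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# log IPsec client connection teardown
	if [ -n "$VPN_LOGGING" ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
		then
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		else
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		fi
	fi
	;;
*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
	exit 1
	;;
esac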