-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
COMMIT
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ldap crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
--- /dev/null
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow ldap crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ldap crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
--- /dev/null
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow ldap crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
moon::ipsec stop
carol::ipsec stop
winnetou::/etc/init.d/slapd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/crls/*
carol::rm /etc/ipsec.d/crls/*
winnetou::/etc/init.d/slapd start
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 2
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
--- /dev/null
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
moon::ipsec stop
carol::ipsec stop
alice::killall radiusd
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
alice::radiusd
moon::ipsec start
carol::ipsec start
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
--- /dev/null
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
carol::ipsec stop
dave::ipsec stop
alice::killall radiusd
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
alice::radiusd
moon::ipsec start
carol::ipsec start
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow ESP
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MOBIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow ESP
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MOBIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
sun::ipsec stop
alice::ipsec stop
venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
sun::ip route del 10.1.0.0/16 via PH_IP_MOON
sun::conntrack -F
sun::rm /etc/mark_updown
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
sun::ip route add 10.1.0.0/16 via PH_IP_MOON
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow RADIUS accounting protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1813 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1813 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
--- /dev/null
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+# allow RADIUS accounting protocol with alice
+-A INPUT -i eth1 -p udp --sport 1813 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1813 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
moon::ipsec stop
alice::killall radiusd
alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*
-carol::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-
+carol::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
alice::rm /var/log/freeradius/radacct/PH_IP_MOON1/*
alice::radiusd
moon::ipsec start
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # allow icmp in local net
- iptables -A INPUT -i eth1 -p icmp -j ACCEPT
- iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
--- /dev/null
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow icmp in local net
+-A INPUT -i eth1 -p icmp -j ACCEPT
+-A OUTPUT -o eth1 -p icmp -j ACCEPT
+
+COMMIT
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 1
projects / thirdparty / strongswan.git / commitdiff
