webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-26 10:52:57 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'amarx/firewall' into fifteen

Browse Source
This commit is contained in:
Michael Tremer
2013-08-28 11:33:20 +02:00
parent 30156b054e eb95ce89a8
commit 2ac39db92e
63 changed files with 10053 additions and 4049 deletions
Download Patch File Download Diff File Expand all files Collapse all files

380
src/initscripts/init.d/firewall
View File

@@ -68,11 +68,171 @@ iptables_init() {
# SYN/FIN (QueSO or nmap OS probe)
/sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
# NEW TCP without SYN
/sbin/iptables -A BADTCP -p tcp ! --syn -m state --state NEW -j NEWNOTSYN
/sbin/iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
/sbin/iptables -A INPUT -j BADTCP
/sbin/iptables -A FORWARD -j BADTCP
/sbin/iptables -A INPUT -p tcp -j BADTCP
/sbin/iptables -A FORWARD -p tcp -j BADTCP
# Connection tracking chain
/sbin/iptables -N CONNTRACK
/sbin/iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Fix for braindead ISP's
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# CUSTOM chains, can be used by the users themselves
/sbin/iptables -N CUSTOMINPUT
/sbin/iptables -A INPUT -j CUSTOMINPUT
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -N CUSTOMOUTPUT
/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
/sbin/iptables -t nat -N CUSTOMPREROUTING
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
/sbin/iptables -t nat -N CUSTOMPOSTROUTING
/sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
# Guardian (IPS) chains
/sbin/iptables -N GUARDIAN
/sbin/iptables -A INPUT -j GUARDIAN
/sbin/iptables -A FORWARD -j GUARDIAN
# Block OpenVPN transfer networks
/sbin/iptables -N OVPNBLOCK
for i in INPUT FORWARD OUTPUT; do
/sbin/iptables -A ${i} -j OVPNBLOCK
done
# OpenVPN transfer network translation
/sbin/iptables -t nat -N OVPNNAT
/sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
# IPTV chains for IGMPPROXY
/sbin/iptables -N IPTVINPUT
/sbin/iptables -A INPUT -j IPTVINPUT
/sbin/iptables -N IPTVFORWARD
/sbin/iptables -A FORWARD -j IPTVFORWARD
# filtering from GUI
/sbin/iptables -N GUIINPUT
/sbin/iptables -A INPUT -j GUIINPUT
/sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
# Accept everything on loopback
/sbin/iptables -N LOOPBACK
/sbin/iptables -A LOOPBACK -i lo -j ACCEPT
/sbin/iptables -A LOOPBACK -o lo -j ACCEPT
# Filter all packets with loopback addresses on non-loopback interfaces.
/sbin/iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
/sbin/iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
for i in INPUT FORWARD OUTPUT; do
/sbin/iptables -A ${i} -j LOOPBACK
done
# Accept everything connected
for i in INPUT FORWARD OUTPUT; do
/sbin/iptables -A ${i} -j CONNTRACK
done
# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
/sbin/iptables -N IPSECINPUT
/sbin/iptables -N IPSECFORWARD
/sbin/iptables -N IPSECOUTPUT
/sbin/iptables -A INPUT -j IPSECINPUT
/sbin/iptables -A FORWARD -j IPSECFORWARD
/sbin/iptables -A OUTPUT -j IPSECOUTPUT
/sbin/iptables -t nat -N IPSECNAT
/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
# localhost and ethernet.
/sbin/iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
# allow DHCP on BLUE to be turned on/off
/sbin/iptables -N DHCPBLUEINPUT
/sbin/iptables -A INPUT -j DHCPBLUEINPUT
# WIRELESS chains
/sbin/iptables -N WIRELESSINPUT
/sbin/iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
/sbin/iptables -N WIRELESSFORWARD
/sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
# TOR
/sbin/iptables -N TOR_INPUT
/sbin/iptables -A INPUT -j TOR_INPUT
# Jump into the actual firewall ruleset.
/sbin/iptables -N INPUTFW
/sbin/iptables -A INPUT -j INPUTFW
/sbin/iptables -N OUTGOINGFW
/sbin/iptables -A OUTPUT -j OUTGOINGFW
/sbin/iptables -N FORWARDFW
/sbin/iptables -A FORWARD -j FORWARDFW
# RED chain, used for the red interface
/sbin/iptables -N REDINPUT
/sbin/iptables -A INPUT -j REDINPUT
/sbin/iptables -N REDFORWARD
/sbin/iptables -A FORWARD -j REDFORWARD
/sbin/iptables -t nat -N REDNAT
/sbin/iptables -t nat -A POSTROUTING -j REDNAT
iptables_red
# Custom prerouting chains (for transparent proxy)
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
# DNAT rules
/sbin/iptables -t nat -N NAT_DESTINATION
/sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION
# SNAT rules
/sbin/iptables -t nat -N NAT_SOURCE
/sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE
# upnp chain for our upnp daemon
/sbin/iptables -t nat -N UPNPFW
/sbin/iptables -t nat -A PREROUTING -j UPNPFW
/sbin/iptables -N UPNPFW
/sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW
# run local firewall configuration, if present
if [ -x /etc/sysconfig/firewall.local ]; then
/etc/sysconfig/firewall.local start
fi
# run openvpn
/usr/local/bin/openvpnctrl --create-chains-and-rules
# run wirelessctrl
/usr/local/bin/wirelessctrl
#POLICY CHAIN
/sbin/iptables -N POLICYIN
/sbin/iptables -A INPUT -j POLICYIN
/sbin/iptables -N POLICYFWD
/sbin/iptables -A FORWARD -j POLICYFWD
/sbin/iptables -N POLICYOUT
/sbin/iptables -A OUTPUT -j POLICYOUT
/usr/sbin/firewall-policy
# read new firewall
/usr/local/bin/forwardfwctrl
if [ "$DROPINPUT" == "on" ]; then
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
fi
/sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
if [ "$DROPFORWARD" == "on" ]; then
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
fi
/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
}
iptables_red() {
@@ -130,223 +290,23 @@ iptables_red() {
case "$1" in
start)
iptables_init
# Limit Packets- helps reduce dos/syn attacks
# original do nothing line
#/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec
# the correct one, but the negative '!' do nothing...
#/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN ! -m limit --limit 10/sec -j DROP
# Fix for braindead ISP's
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# CUSTOM chains, can be used by the users themselves
/sbin/iptables -N CUSTOMINPUT
/sbin/iptables -A INPUT -j CUSTOMINPUT
/sbin/iptables -N GUARDIAN
/sbin/iptables -A INPUT -j GUARDIAN
/sbin/iptables -A FORWARD -j GUARDIAN
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -N CUSTOMOUTPUT
/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
/sbin/iptables -N OUTGOINGFW
/sbin/iptables -N OUTGOINGFWMAC
/sbin/iptables -A OUTPUT -j OUTGOINGFW
/sbin/iptables -t nat -N CUSTOMPREROUTING
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
/sbin/iptables -t nat -N CUSTOMPOSTROUTING
/sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
# IPTV chains for IGMPPROXY
/sbin/iptables -N IPTVINPUT
/sbin/iptables -A INPUT -j IPTVINPUT
/sbin/iptables -N IPTVFORWARD
/sbin/iptables -A FORWARD -j IPTVFORWARD
# filtering from GUI
/sbin/iptables -N GUIINPUT
/sbin/iptables -A INPUT -j GUIINPUT
/sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
# Accept everything connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
/sbin/iptables -N IPSECINPUT
/sbin/iptables -N IPSECFORWARD
/sbin/iptables -N IPSECOUTPUT
/sbin/iptables -N OPENSSLVIRTUAL
/sbin/iptables -A INPUT -j IPSECINPUT
/sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT"
/sbin/iptables -A FORWARD -j IPSECFORWARD
/sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
/sbin/iptables -A OUTPUT -j IPSECOUTPUT
/sbin/iptables -t nat -N OVPNNAT
/sbin/iptables -t nat -N IPSECNAT
/sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
# TOR
/sbin/iptables -N TOR_INPUT
/sbin/iptables -A INPUT -j TOR_INPUT
# Outgoing Firewall
/sbin/iptables -A FORWARD -j OUTGOINGFWMAC
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo
/sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP
/sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
/sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
/sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
/sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT
# If a host on orange tries to initiate a connection to IPFire's red IP and
# the connection gets DNATed back through a port forward to a server on orange
# we end up with orange -> orange traffic passing through IPFire
[ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT
# allow DHCP on BLUE to be turned on/off
/sbin/iptables -N DHCPBLUEINPUT
/sbin/iptables -A INPUT -j DHCPBLUEINPUT
# OPenSSL
/sbin/iptables -N OPENSSLPHYSICAL
/sbin/iptables -A INPUT -j OPENSSLPHYSICAL
# WIRELESS chains
/sbin/iptables -N WIRELESSINPUT
/sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT
/sbin/iptables -N WIRELESSFORWARD
/sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
# RED chain, used for the red interface
/sbin/iptables -N REDINPUT
/sbin/iptables -A INPUT -j REDINPUT
/sbin/iptables -N REDFORWARD
/sbin/iptables -A FORWARD -j REDFORWARD
/sbin/iptables -t nat -N REDNAT
/sbin/iptables -t nat -A POSTROUTING -j REDNAT
iptables_red
# DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow
# ORANGE to talk to GREEN / BLUE.
/sbin/iptables -N DMZHOLES
if [ "$ORANGE_DEV" != "" ]; then
/sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES
fi
# XTACCESS chain, used for external access
/sbin/iptables -N XTACCESS
/sbin/iptables -A INPUT -m state --state NEW -j XTACCESS
# PORTFWACCESS chain, used for portforwarding
/sbin/iptables -N PORTFWACCESS
/sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
# Custom prerouting chains (for transparent proxy and port forwarding)
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
/sbin/iptables -t nat -N PORTFW
/sbin/iptables -t nat -A PREROUTING -j PORTFW
# upnp chain for our upnp daemon
/sbin/iptables -t nat -N UPNPFW
/sbin/iptables -t nat -A PREROUTING -j UPNPFW
/sbin/iptables -N UPNPFW
/sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW
# Custom mangle chain (for port fowarding)
/sbin/iptables -t mangle -N PORTFWMANGLE
/sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE
# Postrouting rules (for port forwarding)
/sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \
--to-source $GREEN_ADDRESS
if [ "$BLUE_DEV" != "" ]; then
/sbin/iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $BLUE_ADDRESS
fi
if [ "$ORANGE_DEV" != "" ]; then
/sbin/iptables -t nat -A POSTROUTING -m mark --mark 3 -j SNAT --to-source $ORANGE_ADDRESS
fi
# run local firewall configuration, if present
if [ -x /etc/sysconfig/firewall.local ]; then
/etc/sysconfig/firewall.local start
fi
# last rule in input and forward chain is for logging.
if [ "$DROPINPUT" == "on" ]; then
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
fi
/sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
if [ "$DROPOUTPUT" == "on" ]; then
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
fi
/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
;;
startovpn)
# run openvpn
/usr/local/bin/openvpnctrl --create-chains-and-rules
;;
stop)
iptables_init
# Accept everyting connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT
if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then
/sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
if [ "$PROTOCOL" == "RFC1483" -a "$METHOD" == "DHCP" ]; then
/sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
# run local firewall configuration, if present
if [ -x /etc/sysconfig/firewall.local ]; then
/etc/sysconfig/firewall.local stop
fi
if [ "$DROPINPUT" == "on" ]; then
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
fi
/sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
if [ "$DROPOUTPUT" == "on" ]; then
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
fi
/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
;;
stopovpn)
# stop openvpn
/usr/local/bin/openvpnctrl --delete-chains-and-rules
;;
;;
reload)
iptables_red
# run local firewall configuration, if present
if [ -x /etc/sysconfig/firewall.local ]; then
if [ -x /etc/sysconfig/firewall.local ]; then
/etc/sysconfig/firewall.local reload
fi
;;
restart)
$0 stop
$0 stopovpn
# run local firewall configuration, if present
if [ -x /etc/sysconfig/firewall.local ]; then
/etc/sysconfig/firewall.local stop
fi
$0 start
$0 startovpn
;;
*)
echo "Usage: $0 {start|stop|reload|restart}"
echo "Usage: $0 {start|reload|restart}"
exit 1
;;
esac

4
src/initscripts/init.d/network
View File

@@ -47,9 +47,7 @@ init_networking() {
# (exit ${failed})
# evaluate_retval
boot_mesg "Setting up DMZ pinholes"
/usr/local/bin/setdmzholes; evaluate_retval
if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then
boot_mesg "Setting up wireless firewall rules"
/usr/local/bin/wirelessctrl; evaluate_retval

19
src/misc-progs/Makefile
View File

@@ -24,11 +24,10 @@ CFLAGS=-O2 -Wall
COMPILE=$(CC) $(CFLAGS)
PROGS = iowrap
SUID_PROGS = setdmzholes setportfw setxtaccess \
squidctrl sshctrl ipfirereboot \
SUID_PROGS = squidctrl sshctrl ipfirereboot \
ipsecctrl timectrl dhcpctrl snortctrl \
applejuicectrl rebuildhosts backupctrl \
logwatch openvpnctrl outgoingfwctrl \
logwatch openvpnctrl forwardfwctrl \
wirelessctrl getipstat qosctrl launch-ether-wake \
redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \
smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
@@ -86,22 +85,16 @@ smartctrl: smartctrl.c setuid.o ../install+setup/libsmooth/varval.o
clamavctrl: clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o
$(COMPILE) -I../install+setup/libsmooth/ clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
outgoingfwctrl: outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
$(COMPILE) -I../install+setup/libsmooth/ outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
forwardfwctrl: forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
$(COMPILE) -I../install+setup/libsmooth/ forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o
$(COMPILE) -I../install+setup/libsmooth/ timectrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
launch-ether-wake: launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o
$(COMPILE) -I../install+setup/libsmooth/ launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o -o $@
setdmzholes: setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o
$(COMPILE) -I../install+setup/libsmooth/ setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o -o $@
setportfw: setportfw.c setuid.o ../install+setup/libsmooth/varval.o
$(COMPILE) -I../install+setup/libsmooth/ setportfw.c setuid.o ../install+setup/libsmooth/varval.o -o $@
rebuildhosts: rebuildhosts.c setuid.o ../install+setup/libsmooth/varval.o
$(COMPILE) -I../install+setup/libsmooth/ rebuildhosts.c setuid.o ../install+setup/libsmooth/varval.o -o $@

10
src/misc-progs/outgoingfwctrl.c → src/misc-progs/forwardfwctrl.c
View File

@@ -5,20 +5,12 @@
*
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <fcntl.h>
#include "setuid.h"
int main(int argc, char *argv[]) {
if (!(initsetuid()))
exit(1);
safe_system("chmod 755 /var/ipfire/outgoing/bin/outgoingfw.pl");
safe_system("/var/ipfire/outgoing/bin/outgoingfw.pl");
safe_system("/var/ipfire/forward/bin/rules.pl");
return 0;
}

49
src/misc-progs/openvpnctrl.c
View File

@@ -27,6 +27,7 @@ char enableorange[STRING_SIZE] = "off";
char OVPNRED[STRING_SIZE] = "OVPN";
char OVPNBLUE[STRING_SIZE] = "OVPN_BLUE_";
char OVPNORANGE[STRING_SIZE] = "OVPN_ORANGE_";
char OVPNBLOCK[STRING_SIZE] = "OVPNBLOCK";
char OVPNNAT[STRING_SIZE] = "OVPNNAT";
char WRAPPERVERSION[STRING_SIZE] = "ipfire-2.2.3";
@@ -253,20 +254,13 @@ void setChainRules(char *chain, char *interface, char *protocol, char *port)
sprintf(str, "/sbin/iptables -A %sINPUT -i %s -p %s --dport %s -j ACCEPT", chain, interface, protocol, port);
executeCommand(str);
sprintf(str, "/sbin/iptables -A %sINPUT -i tun+ -j ACCEPT", chain);
executeCommand(str);
sprintf(str, "/sbin/iptables -A %sFORWARD -i tun+ -j ACCEPT", chain);
executeCommand(str);
}
void flushChain(char *chain) {
char str[STRING_SIZE];
sprintf(str, "/sbin/iptables -F %sINPUT", chain);
sprintf(str, "/sbin/iptables -F %s", chain);
executeCommand(str);
sprintf(str, "/sbin/iptables -F %sFORWARD", chain);
executeCommand(str);
safe_system(str);
}
void flushChainNAT(char *chain) {
@@ -276,15 +270,18 @@ void flushChainNAT(char *chain) {
executeCommand(str);
}
void flushChainINPUT(char *chain) {
char str[STRING_SIZE];
snprintf(str, STRING_SIZE, "%sINPUT", chain);
flushChain(str);
}
void deleteChainReference(char *chain) {
char str[STRING_SIZE];
sprintf(str, "/sbin/iptables -D INPUT -j %sINPUT", chain);
executeCommand(str);
safe_system(str);
sprintf(str, "/sbin/iptables -D FORWARD -j %sFORWARD", chain);
executeCommand(str);
safe_system(str);
}
void deleteChain(char *chain) {
@@ -292,8 +289,6 @@ void deleteChain(char *chain) {
sprintf(str, "/sbin/iptables -X %sINPUT", chain);
executeCommand(str);
sprintf(str, "/sbin/iptables -X %sFORWARD", chain);
executeCommand(str);
}
void deleteAllChains(void) {
@@ -301,28 +296,28 @@ void deleteAllChains(void) {
deleteChainReference(OVPNRED);
deleteChainReference(OVPNBLUE);
deleteChainReference(OVPNORANGE);
flushChain(OVPNRED);
flushChain(OVPNBLUE);
flushChain(OVPNORANGE);
flushChainINPUT(OVPNRED);
flushChainINPUT(OVPNBLUE);
flushChainINPUT(OVPNORANGE);
deleteChain(OVPNRED);
deleteChain(OVPNBLUE);
deleteChain(OVPNORANGE);
// Only flush chains that are created by the firewall
flushChain(OVPNBLOCK);
flushChainNAT(OVPNNAT);
}
void createChainReference(char *chain) {
char str[STRING_SIZE];
sprintf(str, "/sbin/iptables -I INPUT %s -j %sINPUT", "14", chain);
executeCommand(str);
sprintf(str, "/sbin/iptables -I FORWARD %s -j %sFORWARD", "12", chain);
executeCommand(str);
}
void createChain(char *chain) {
char str[STRING_SIZE];
sprintf(str, "/sbin/iptables -N %sINPUT", chain);
executeCommand(str);
sprintf(str, "/sbin/iptables -N %sFORWARD", chain);
executeCommand(str);
}
void createAllChains(void) {
@@ -471,9 +466,10 @@ void setFirewallRules(void) {
freekeyvalues(kv);
// Flush all chains.
flushChain(OVPNRED);
flushChain(OVPNBLUE);
flushChain(OVPNORANGE);
flushChainINPUT(OVPNRED);
flushChainINPUT(OVPNBLUE);
flushChainINPUT(OVPNORANGE);
flushChain(OVPNBLOCK);
flushChainNAT(OVPNNAT);
// set firewall rules
@@ -497,6 +493,11 @@ void setFirewallRules(void) {
OVPNRED, redif, conn->proto, conn->port);
executeCommand(command);
/* Block all communication from the transfer nets. */
snprintf(command, STRING_SIZE, "/sbin/iptables -A %s -s %s -j DROP",
OVPNBLOCK, conn->transfer_subnet);
executeCommand(command);
local_subnet_address = getLocalSubnetAddress(conn);
transfer_subnet_address = calcTransferNetAddress(conn);

162
src/misc-progs/setdmzholes.c
View File

@@ -1,162 +0,0 @@
/* SmoothWall helper program - setdmzhole
*
* This program is distributed under the terms of the GNU General Public
* Licence. See the file COPYING for details.
*
* (c) Daniel Goscomb, 2001
*
* Modifications and improvements by Lawrence Manning.
*
* 10/04/01 Aslak added protocol support
* This program reads the list of ports to forward and setups iptables
* and rules in ipmasqadm to enable them.
*
* $Id: setdmzholes.c,v 1.5.2.3 2005/10/18 17:05:27 franck78 Exp $
*
*/
#include "libsmooth.h"
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include "setuid.h"
FILE *fwdfile = NULL;
void exithandler(void)
{
if (fwdfile)
fclose(fwdfile);
}
int main(void)
{
int count;
char *protocol;
char *locip;
char *remip;
char *remport;
char *enabled;
char *src_net;
char *dst_net;
char s[STRING_SIZE];
char *result;
struct keyvalue *kv = NULL;
char orange_dev[STRING_SIZE] = "";
char blue_dev[STRING_SIZE] = "";
char green_dev[STRING_SIZE] = "";
char *idev;
char *odev;
char command[STRING_SIZE];
if (!(initsetuid()))
exit(1);
atexit(exithandler);
kv=initkeyvalues();
if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
{
fprintf(stderr, "Cannot read ethernet settings\n");
exit(1);
}
if (!findkey(kv, "GREEN_DEV", green_dev))
{
fprintf(stderr, "Cannot read GREEN_DEV\n");
exit(1);
}
findkey(kv, "BLUE_DEV", blue_dev);
findkey(kv, "ORANGE_DEV", orange_dev);
if (!(fwdfile = fopen(CONFIG_ROOT "/dmzholes/config", "r")))
{
fprintf(stderr, "Couldn't open dmzholes settings file\n");
exit(1);
}
safe_system("/sbin/iptables -F DMZHOLES");
while (fgets(s, STRING_SIZE, fwdfile) != NULL)
{
if (s[strlen(s) - 1] == '\n')
s[strlen(s) - 1] = '\0';
result = strtok(s, ",");
count = 0;
protocol = NULL;
locip = NULL; remip = NULL;
remport = NULL;
enabled = NULL;
src_net = NULL;
dst_net = NULL;
idev = NULL;
odev = NULL;
while (result)
{
if (count == 0)
protocol = result;
else if (count == 1)
locip = result;
else if (count == 2)
remip = result;
else if (count == 3)
remport = result;
else if (count == 4)
enabled = result;
else if (count == 5)
src_net = result;
else if (count == 6)
dst_net = result;
count++;
result = strtok(NULL, ",");
}
if (!(protocol && locip && remip && remport && enabled))
{
fprintf(stderr, "Bad line:\n");
break;
}
if (!VALID_PROTOCOL(protocol))
{
fprintf(stderr, "Bad protocol: %s\n", protocol);
exit(1);
}
if (!VALID_IP_AND_MASK(locip))
{
fprintf(stderr, "Bad local IP: %s\n", locip);
exit(1);
}
if (!VALID_IP_AND_MASK(remip))
{
fprintf(stderr, "Bad remote IP: %s\n", remip);
exit(1);
}
if (!VALID_PORT_RANGE(remport))
{
fprintf(stderr, "Bad remote port: %s\n", remport);
exit(1);
}
if (!src_net) { src_net = strdup ("orange");}
if (!dst_net) { dst_net = strdup ("green");}
if (!strcmp(src_net, "blue")) { idev = blue_dev; }
if (!strcmp(src_net, "orange")) { idev = orange_dev; }
if (!strcmp(dst_net, "blue")) { odev = blue_dev; }
if (!strcmp(dst_net, "green")) { odev = green_dev; }
if (!strcmp(enabled, "on") && strlen(idev) && strlen (odev))
{
char *ctr;
/* If remport contains a - we need to change it to a : */
if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';}
memset(command, 0, STRING_SIZE);
snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A DMZHOLES -p %s -i %s -o %s -s %s -d %s --dport %s -j ACCEPT", protocol, idev, odev, locip, remip, remport);
safe_system(command);
}
}
return 0;
}

369
src/misc-progs/setportfw.c
View File

@@ -1,369 +0,0 @@
/* SmoothWall helper program - setportfw
*
* This program is distributed under the terms of the GNU General Public
* Licence. See the file COPYING for details.
*
* (c) Daniel Goscomb, 2001
* Copyright (c) 2002/04/13 Steve Bootes - Added source ip support for aliases
*
* Modifications and improvements by Lawrence Manning.
*
* 10/04/01 Aslak added protocol support
* This program reads the list of ports to forward and setups iptables
* and rules in ipmasqadm to enable them.
*
* 02/11/03 Darren Critchley modifications to allow it to open multiple
* source ip addresses
* 02/25/03 Darren Critchley modifications to allow port ranges
* 04/01/03 Darren Critchley modifications to allow gre protocol
* 20/04/03 Robert Kerr Fixed root exploit, validated all variables properly,
* tidied up the iptables logic, killed duplicated code,
* removed srciptmp (unecessary)
*
* $Id: setportfw.c,v 1.3.2.6 2005/08/24 18:44:19 gespinasse Exp $
*
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include "libsmooth.h"
#include "setuid.h"
struct keyvalue *kv = NULL;
FILE *fwdfile = NULL;
void exithandler(void)
{
if(kv)
freekeyvalues(kv);
if (fwdfile)
fclose(fwdfile);
}
int main(void)
{
FILE *ipfile = NULL, *ifacefile = NULL;
int count;
char iface[STRING_SIZE] ="";
char locip[STRING_SIZE] ="";
char greenip[STRING_SIZE] ="", greenmask[STRING_SIZE] ="";
char bluedev[STRING_SIZE] ="", blueip[STRING_SIZE] ="", bluemask[STRING_SIZE] ="";
char orangedev[STRING_SIZE] ="", orangeip[STRING_SIZE] ="", orangemask[STRING_SIZE] ="";
char *protocol;
char *srcip;
char *locport;
char *remip;
char *remport;
char *origip;
char *enabled;
char s[STRING_SIZE];
char *result;
char *key1;
char *key2;
char command[STRING_SIZE];
if (!(initsetuid()))
exit(1);
atexit(exithandler);
/* Read in and verify config */
kv=initkeyvalues();
if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
{
fprintf(stderr, "Cannot read ethernet settings\n");
exit(1);
}
if (!findkey(kv, "GREEN_ADDRESS", greenip))
{
fprintf(stderr, "Cannot read GREEN_ADDRESS\n");
exit(1);
}
if (!VALID_IP(greenip))
{
fprintf(stderr, "Bad GREEN_ADDRESS: %s\n", greenip);
exit(1);
}
if (!findkey(kv, "GREEN_NETMASK", greenmask))
{
fprintf(stderr, "Cannot read GREEN_NETMASK\n");
exit(1);
}
if (!VALID_IP(greenmask))
{
fprintf(stderr, "Bad GREEN_NETMASK: %s\n", greenmask);
exit(1);
}
/* Get the BLUE interface details */
findkey(kv, "BLUE_DEV", bluedev);
if (strlen(bluedev))
{
if (!VALID_DEVICE(bluedev))
{
fprintf(stderr, "Bad BLUE_DEV: %s\n", bluedev);
exit(1);
}
if (!findkey(kv, "BLUE_ADDRESS", blueip))
{
fprintf(stderr, "Cannot read BLUE_ADDRESS\n");
exit(1);
}
if (!VALID_IP(blueip))
{
fprintf(stderr, "Bad BLUE_ADDRESS: %s\n", blueip);
exit(1);
}
if (!findkey(kv, "BLUE_NETMASK", bluemask))
{
fprintf(stderr, "Cannot read BLUE_NETMASK\n");
exit(1);
}
if (!VALID_IP(bluemask))
{
fprintf(stderr, "Bad BLUE_NETMASK: %s\n", bluemask);
exit(1);
}
}
/* Get the ORANGE interface details */
findkey(kv, "ORANGE_DEV", orangedev);
if (strlen(orangedev))
{
if (!VALID_DEVICE(orangedev))
{
fprintf(stderr, "Bad ORANGE_DEV: %s\n", orangedev);
exit(1);
}
if (!findkey(kv, "ORANGE_ADDRESS", orangeip))
{
fprintf(stderr, "Cannot read ORANGE_ADDRESS\n");
exit(1);
}
if (!VALID_IP(orangeip))
{
fprintf(stderr, "Bad ORANGE_ADDRESS: %s\n", orangeip);
exit(1);
}
if (!findkey(kv, "ORANGE_NETMASK", orangemask))
{
fprintf(stderr, "Cannot read ORANGE_NETMASK\n");
exit(1);
}
if (!VALID_IP(orangemask))
{
fprintf(stderr, "Bad ORANGE_NETMASK: %s\n", orangemask);
exit(1);
}
}
if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r")))
{
fprintf(stderr, "Couldn't open local ip file\n");
exit(1);
}
fgets(locip, STRING_SIZE, ipfile);
if (locip[strlen(locip) - 1] == '\n')
locip[strlen(locip) - 1] = '\0';
fclose (ipfile);
if (!VALID_IP(locip))
{
fprintf(stderr, "Bad local IP: %s\n", locip);
exit(1);
}
if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))
{
fprintf(stderr, "Couldn't open iface file\n");
exit(1);
}
fgets(iface, STRING_SIZE, ifacefile);
if (iface[strlen(iface) - 1] == '\n')
iface[strlen(iface) - 1] = '\0';
fclose (ifacefile);
if (!VALID_DEVICE(iface))
{
fprintf(stderr, "Bad iface: %s\n", iface);
exit(1);
}
if (!(fwdfile = fopen(CONFIG_ROOT "/portfw/config", "r")))
{
fprintf(stderr, "Couldn't open portfw settings file\n");
exit(1);
}
safe_system("/sbin/iptables -t nat -F PORTFW");
safe_system("/sbin/iptables -t mangle -F PORTFWMANGLE");
safe_system("/sbin/iptables -F PORTFWACCESS");
while (fgets(s, STRING_SIZE, fwdfile) != NULL)
{
if (s[strlen(s) - 1] == '\n')
s[strlen(s) - 1] = '\0';
result = strtok(s, ",");
count = 0;
key1 = NULL;
key2 = NULL;
protocol = NULL;
srcip = NULL;
locport = NULL;
remip = NULL;
origip = NULL;
remport = NULL;
enabled = NULL;
while (result)
{
if (count == 0)
key1 = result;
else if (count == 1)
key2 = result;
else if (count == 2)
protocol = result;
else if (count == 3)
locport = result;
else if (count == 4)
remip = result;
else if (count == 5)
remport = result;
else if (count == 6)
enabled = result;
else if (count == 7)
srcip = result;
else if (count == 8)
origip = result;
count++;
result = strtok(NULL, ",");
}
if (!(key1 && key2 && protocol && locport && remip && remport && enabled
&& srcip && origip))
break;
if (!VALID_PROTOCOL(protocol))
{
fprintf(stderr, "Bad protocol: %s\n", protocol);
exit(1);
}
if (strcmp(protocol, "gre") == 0)
{
locport = "0";
remport = "0";
}
if (strcmp(origip,"0") && !VALID_IP_AND_MASK(origip))
{
fprintf(stderr, "Bad IP: %s\n", origip);
exit(1);
}
if (!VALID_PORT_RANGE(locport))
{
fprintf(stderr, "Bad local port: %s\n", locport);
exit(1);
}
if (!VALID_IP(remip))
{
fprintf(stderr, "Bad remote IP: %s\n", remip);
exit(1);
}
if (!VALID_PORT_RANGE(remport))
{
fprintf(stderr, "Bad remote port: %s\n", remport);
exit(1);
}
/* check for source ip in config file. If it's there
* and it's not 0.0.0.0, use it; else use the
* local ip address. (This makes sure we can use old-style
* config files without the source ip) */
if (!srcip || !strcmp(srcip, "0.0.0.0"))
srcip = locip;
if (strcmp(srcip,"0") && !VALID_IP(srcip))
{
fprintf(stderr, "Bad source IP: %s\n", srcip);
exit(1);
}
/* This may seem complicated... refer to portfw.pl for an explanation of
* the keys and their meaning in certain circumstances */
if (strcmp(enabled, "on") == 0)
{
/* If key2 is a zero, then it is a portfw command, otherwise it is an
* external access command */
if (strcmp(key2, "0") == 0)
{
memset(command, 0, STRING_SIZE);
if (strcmp(protocol, "gre") == 0)
snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A PORTFW -p %s -d %s -j DNAT --to %s", protocol, srcip, remip);
else
{
char *ctr;
/* If locport contains a - we need to change it to a : */
if ((ctr = strchr(locport, '-')) != NULL) {*ctr = ':';}
/* If remport contains a : we need to change it to a - */
if ((ctr = strchr(remport,':')) != NULL){*ctr = '-';}
snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A PORTFW -p %s -d %s --dport %s -j DNAT --to %s:%s", protocol, srcip, locport, remip, remport);
safe_system(command);
/* Now if remport contains a - we need to change it to a : */
if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';}
snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 1", protocol, greenip, greenmask, srcip, locport);
if (strlen(bluedev))
{
safe_system(command);
snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 2", protocol, blueip, bluemask, srcip, locport);
}
if (strlen(orangedev))
{
safe_system(command);
snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 3", protocol, orangeip, orangemask, srcip, locport);
}
}
safe_system(command);
}
/* if key2 is not "0" then it's an external access rule, if key2 is "0"
* then the portfw rule may contain external access information if origip
* is not "0" (the only defined not 0 value seems to be 0.0.0.0 - open
* to all; again, check portfw.pl for more details) */
if(strcmp(key2, "0") || strcmp(origip,"0") )
{
memset(command, 0, STRING_SIZE);
if (strcmp(protocol, "gre") == 0)
snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A PORTFWACCESS -i %s -p %s -s %s -d %s -j ACCEPT", iface, protocol, origip, remip);
else
{
char *ctr;
/* If remport contains a - we need to change it to a : */
if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';}
snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A PORTFWACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT", iface, protocol, origip, remip, remport);
}
safe_system(command);
}
}
}
return 0;
}

168
src/misc-progs/setxtaccess.c
View File

@@ -1,168 +0,0 @@
/* SmoothWall helper program - setxtaccess
*
* This program is distributed under the terms of the GNU General Public
* Licence. See the file COPYING for details.
*
* (c) Daniel Goscomb, 2001
*
* Modifications and improvements by Lawrence Manning.
*
* 10/04/01 Aslak added protocol support
*
* (c) Steve Bootes 2002/04/14 - Added source IP support for aliases
*
* 19/04/03 Robert Kerr Fixed root exploit
*
* $Id: setxtaccess.c,v 1.3.2.1 2005/01/04 17:21:40 eoberlander Exp $
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "setuid.h"
FILE *ifacefile = NULL;
FILE *fwdfile = NULL;
FILE *ipfile = NULL;
void exithandler(void)
{
if (fwdfile)
fclose(fwdfile);
}
int main(void)
{
char iface[STRING_SIZE] = "";
char locip[STRING_SIZE] = "";
char s[STRING_SIZE] = "";
int count;
char *protocol;
char *destip;
char *remip;
char *locport;
char *enabled;
char *information;
char *result;
char command[STRING_SIZE];
if (!(initsetuid()))
exit(1);
atexit(exithandler);
if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r")))
{
fprintf(stderr, "Couldn't open local ip file\n");
exit(1);
}
if (fgets(locip, STRING_SIZE, ipfile))
{
if (locip[strlen(locip) - 1] == '\n')
locip[strlen(locip) - 1] = '\0';
}
fclose (ipfile);
if (!VALID_IP(locip))
{
fprintf(stderr, "Bad local IP: %s\n", locip);
exit(1);
}
if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))
{
fprintf(stderr, "Couldn't open iface file\n");
exit(1);
}
if (fgets(iface, STRING_SIZE, ifacefile))
{
if (iface[strlen(iface) - 1] == '\n')
iface[strlen(iface) - 1] = '\0';
}
fclose (ifacefile);
if (!VALID_DEVICE(iface))
{
fprintf(stderr, "Bad iface: %s\n", iface);
exit(1);
}
if (!(fwdfile = fopen(CONFIG_ROOT "/xtaccess/config", "r")))
{
fprintf(stderr, "Couldn't open xtaccess settings file\n");
exit(1);
}
safe_system("/sbin/iptables -F XTACCESS");
while (fgets(s, STRING_SIZE, fwdfile) != NULL)
{
if (s[strlen(s) - 1] == '\n')
s[strlen(s) - 1] = '\0';
count = 0;
protocol = NULL;
remip = NULL;
destip = NULL;
locport = NULL;
enabled = NULL;
information = NULL;
result = strtok(s, ",");
while (result)
{
if (count == 0)
protocol = result;
else if (count == 1)
remip = result;
else if (count == 2)
locport = result;
else if (count == 3)
enabled = result;
else if (count == 4)
destip = result;
else
information = result;
count++;
result = strtok(NULL, ",");
}
if (!(protocol && remip && locport && enabled))
break;
if (!VALID_PROTOCOL(protocol))
{
fprintf(stderr, "Bad protocol: %s\n", protocol);
exit(1);
}
if (!VALID_IP_AND_MASK(remip))
{
fprintf(stderr, "Bad remote IP: %s\n", remip);
exit(1);
}
if (!VALID_PORT_RANGE(locport))
{
fprintf(stderr, "Bad local port: %s\n", locport);
exit(1);
}
/* check for destination ip in config file. If it's there
* and it's not 0.0.0.0, use it; else use the current
* local ip address. (This makes sure we can use old-style
* config files without the destination ip) */
if (!destip || !strcmp(destip, "0.0.0.0"))
destip = locip;
if (!VALID_IP(destip))
{
fprintf(stderr, "Bad destination IP: %s\n", remip);
exit(1);
}
if (strcmp(enabled, "on") == 0)
{
memset(command, 0, STRING_SIZE);
snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A XTACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT",
iface, protocol, remip, destip, locport);
safe_system(command);
}
}
return 0;
}

12
src/misc-progs/wirelessctrl.c
View File

@@ -154,9 +154,7 @@ int main(void)
(VALID_IP_AND_MASK(ipaddress))) {
snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
safe_system(command);
snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j ACCEPT", macaddress, ipaddress, blue_dev, green_dev);
safe_system(command);
snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j DMZHOLES", macaddress, ipaddress, blue_dev);
snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
safe_system(command);
} else {
@@ -164,18 +162,14 @@ int main(void)
if (strlen(macaddress) == 17) {
snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
safe_system(command);
snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j ACCEPT", macaddress, blue_dev, green_dev);
safe_system(command);
snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j DMZHOLES", macaddress, blue_dev);
snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
safe_system(command);
}
if (VALID_IP_AND_MASK(ipaddress)) {
snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
safe_system(command);
snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j ACCEPT", ipaddress, blue_dev, green_dev);
safe_system(command);
snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j DMZHOLES", ipaddress, blue_dev);
snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
safe_system(command);
}
}

50
src/patches/strongswan-4.5.3_ipfire.patch → src/patches/strongswan-5.0.2_ipfire.patch
View File

@@ -1,7 +1,8 @@
diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_updown/_updown.in
--- strongswan-4.5.3.org/src/_updown/_updown.in 2010-10-22 16:33:30.000000000 +0200
+++ strongswan-4.5.3/src/_updown/_updown.in 2011-09-13 14:19:31.000000000 +0200
@@ -183,6 +183,29 @@
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 3a40e21..d9f3ea0 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -193,6 +193,29 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
@@ -31,7 +32,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
@@ -387,12 +410,12 @@
@@ -397,12 +420,12 @@ up-host:iptables)
# connection to me, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
@@ -47,7 +48,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd
#
# log IPsec host connection setup
if [ $VPN_LOGGING ]
@@ -400,10 +423,10 @@
@@ -410,10 +433,10 @@ up-host:iptables)
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
@@ -60,7 +61,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd
fi
fi
;;
@@ -411,12 +434,12 @@
@@ -421,12 +444,12 @@ down-host:iptables)
# connection to me, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
@@ -76,7 +77,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd
#
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
@@ -424,10 +447,10 @@
@@ -434,10 +457,10 @@ down-host:iptables)
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
@@ -89,7 +90,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd
fi
fi
;;
@@ -437,10 +460,10 @@
@@ -447,24 +470,24 @@ up-client:iptables)
# ones, so do not mess with it; see CAUTION comment up at top.
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
then
@@ -101,9 +102,11 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
fi
@@ -449,12 +472,12 @@
#
# a virtual IP requires an INPUT and OUTPUT rule on the host
# or sometimes host access via the internal IP is needed
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then
@@ -119,7 +122,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd
fi
#
# log IPsec client connection setup
@@ -463,12 +486,51 @@
@@ -473,12 +496,51 @@ up-client:iptables)
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
@@ -173,7 +176,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd
;;
down-client:iptables)
# connection to client subnet, with (left/right)firewall=yes, going down
@@ -476,11 +538,11 @@
@@ -486,28 +548,28 @@ down-client:iptables)
# ones, so do not mess with it; see CAUTION comment up at top.
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
then
@@ -187,8 +190,11 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd
+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT \
$IPSEC_POLICY_IN -j ACCEPT
@@ -490,14 +552,14 @@
- $IPSEC_POLICY_IN -j ACCEPT
+ $IPSEC_POLICY_IN -j RETURN
fi
#
# a virtual IP requires an INPUT and OUTPUT rule on the host
# or sometimes host access via the internal IP is needed
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then
@@ -206,7 +212,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd
fi
#
# log IPsec client connection teardown
@@ -506,12 +568,51 @@
@@ -516,12 +578,51 @@ down-client:iptables)
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
@@ -260,7 +266,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd
;;
#
# IPv6
@@ -546,10 +647,10 @@
@@ -556,10 +657,10 @@ up-host-v6:iptables)
# connection to me, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
@@ -273,7 +279,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
@@ -570,10 +671,10 @@
@@ -580,10 +681,10 @@ down-host-v6:iptables)
# connection to me, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
@@ -286,7 +292,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
@@ -596,10 +697,10 @@
@@ -606,10 +707,10 @@ up-client-v6:iptables)
# ones, so do not mess with it; see CAUTION comment up at top.
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
then
@@ -299,7 +305,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
fi
@@ -608,10 +709,10 @@
@@ -618,10 +719,10 @@ up-client-v6:iptables)
# or sometimes host access via the internal IP is needed
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then
@@ -312,7 +318,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd
-s $PLUTO_MY_CLIENT $S_MY_PORT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
@@ -635,11 +736,11 @@
@@ -645,11 +746,11 @@ down-client-v6:iptables)
# ones, so do not mess with it; see CAUTION comment up at top.
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
then
@@ -326,7 +332,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT \
$IPSEC_POLICY_IN -j ACCEPT
@@ -649,11 +750,11 @@
@@ -659,11 +760,11 @@ down-client-v6:iptables)
# or sometimes host access via the internal IP is needed
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then