webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-23 17:32:57 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
b89ae1a4e3596153a192da3f220dc54565078cac
bpfire/config/firewall/ipsec-policy
Michael Tremer 5a9c9ff312 ipsec-policy: Don't install any block rules for connections with an interface 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-02-04 18:20:36 +00:00

121 lines
3.6 KiB
Bash
Raw Blame History

#!/bin/bash
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2015 IPFire Team #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
VPN_CONFIG="/var/ipfire/vpn/config"
eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
VARS=(
id status name lefthost type ctype x1 x2 x3 leftsubnets
remote righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
route x26 mode interface_mode interface_address interface_mtu rest
)
block_subnet() {
local subnet="${1}"
local action="${2}"
# Don't block a wildcard subnet
if [ "${subnet}" = "0.0.0.0/0" ] || [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
return 0
fi
case "${action}" in
reject)
iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable
;;
drop)
iptables -A IPSECBLOCK -d "${subnet}" -j DROP
;;
*)
return 1
;;
esac
return 0
}
install_policy() {
# Flush existing rules
iptables -F IPSECINPUT
iptables -F IPSECOUTPUT
iptables -F IPSECBLOCK
# We are done when IPsec is not enabled
[ "${ENABLED}" = "on" ] || exit 0
# IKE
iptables -A IPSECINPUT -p udp --dport 500 -j ACCEPT
iptables -A IPSECOUTPUT -p udp --dport 500 -j ACCEPT
# IKE NAT
iptables -A IPSECINPUT -p udp --dport 4500 -j ACCEPT
iptables -A IPSECOUTPUT -p udp --dport 4500 -j ACCEPT
# Register local variables
local "${VARS[@]}"
local action
while IFS="," read -r "${VARS[@]}"; do
# Check if the connection is enabled
[ "${status}" = "on" ] || continue
# Check if this a net-to-net connection
[ "${type}" = "net" ] || continue
# Install permissions for GRE traffic
case "${interface_mode}" in
gre)
if [ -n "${remote}" ]; then
iptables -A IPSECINPUT -p gre \
-s "${remote}" -j ACCEPT
iptables -A IPSECOUTPUT -p gre \
-d "${remote}" -j ACCEPT
fi
;;
esac
# Install firewall rules only for interfaces without interface
[ -n "${interface_mode}" ] && continue
# Split multiple subnets
rightsubnets="${rightsubnets//\|/ }"
case "${route}" in
route)
action="drop"
;;
*)
action="reject"
;;
esac
local rightsubnet
for rightsubnet in ${rightsubnets}; do
block_subnet "${rightsubnet}" "${action}"
done
done < "${VPN_CONFIG}"
}
install_policy || exit $?
Reference in New Issue View Git Blame Copy Permalink