IPSEC 2.6 Fixes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1537 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
7d85e8d36c
commit
24e6d1191d
@ -36,3 +36,7 @@ Changes since 2.0.3
|
|||||||
16) Added DNAT ONLY column to /etc/shorewall/nat.
|
16) Added DNAT ONLY column to /etc/shorewall/nat.
|
||||||
|
|
||||||
17) Removed SNAT from ORIGINAL DESTINATION column.
|
17) Removed SNAT from ORIGINAL DESTINATION column.
|
||||||
|
|
||||||
|
18) Removed DNAT ONLY column.
|
||||||
|
|
||||||
|
19) Added IPSEC column to /etc/shorewall/masq.
|
||||||
|
@ -613,7 +613,11 @@ match_ipsec_in() # $1 = zone, $2 = host
|
|||||||
{
|
{
|
||||||
eval local hosts=\"\$${1}_ipsec_hosts\"
|
eval local hosts=\"\$${1}_ipsec_hosts\"
|
||||||
|
|
||||||
list_search $2 $hosts && echo "-m policy --pol ipsec --dir in"
|
if list_search $2 $hosts; then
|
||||||
|
echo "-m policy --pol ipsec --dir in"
|
||||||
|
elif [ -n "$POLICY_MATCH" ]; then
|
||||||
|
echo "-m policy --pol none --dir in"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -623,26 +627,10 @@ match_ipsec_out() # $1 = zone, $2 = host
|
|||||||
{
|
{
|
||||||
eval local hosts=\"\$${1}_ipsec_hosts\"
|
eval local hosts=\"\$${1}_ipsec_hosts\"
|
||||||
|
|
||||||
list_search $2 $hosts && echo "-m policy --pol ipsec --dir out"
|
if list_search $2 $hosts; then
|
||||||
}
|
echo "-m policy --pol ipsec --dir out"
|
||||||
|
elif [ -n "$POLICY_MATCH" ]; then
|
||||||
#
|
echo "-m policy --pol none --dir out"
|
||||||
# Generate a match for packets that have been decrypted and that will be encrypted
|
|
||||||
#
|
|
||||||
match_ipsec_inout() # $1 =input zone, $2 = input host, $3 = output zone, $4 = output host"
|
|
||||||
{
|
|
||||||
local result="-m policy --pol ipsec"
|
|
||||||
eval local input_hosts=\"\$${1}_ipsec_hosts\"
|
|
||||||
eval local output_hosts=\"\$${3}_ipsec_hosts\"
|
|
||||||
|
|
||||||
if list_search $2 $input_hosts; then
|
|
||||||
result="$result --dir in"
|
|
||||||
if list_search $4 $output_hosts; then
|
|
||||||
result="$result --dir out"
|
|
||||||
fi
|
|
||||||
echo $result
|
|
||||||
elif list_search $4 $output_hosts; then
|
|
||||||
echo "$result --dir out"
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -898,7 +886,10 @@ validate_hosts_file() {
|
|||||||
maclist|norfc1918|nobogons|blacklist|tcpflags|nosmurfs|newnotsyn|-)
|
maclist|norfc1918|nobogons|blacklist|tcpflags|nosmurfs|newnotsyn|-)
|
||||||
;;
|
;;
|
||||||
ipsec)
|
ipsec)
|
||||||
|
[ -n "$POLICY_MATCH" ] || \
|
||||||
|
startup_error "Your kernel and/or iptables does not not support policy match: ipsec"
|
||||||
eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\"
|
eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\"
|
||||||
|
eval ${z}_is_complex=Yes
|
||||||
;;
|
;;
|
||||||
routeback)
|
routeback)
|
||||||
[ -z "$ports" ] && \
|
[ -z "$ports" ] && \
|
||||||
@ -4464,7 +4455,27 @@ get_routed_networks() # $1 = interface name
|
|||||||
setup_masq()
|
setup_masq()
|
||||||
{
|
{
|
||||||
setup_one() {
|
setup_one() {
|
||||||
local add_snat_aliases=$ADD_SNAT_ALIASES, pre_nat=
|
local add_snat_aliases=$ADD_SNAT_ALIASES, pre_nat= policy=
|
||||||
|
|
||||||
|
[ "x$ipsec" = x- ] && ipsec=
|
||||||
|
|
||||||
|
case $ipsec in
|
||||||
|
Yes|yes)
|
||||||
|
[ -n "$POLICY_MATCH" ] || \
|
||||||
|
fatal_error "IPSEC=Yes requires policy match support in your kernel and iptables"
|
||||||
|
policy="-m policy --pol ipsec --dir out"
|
||||||
|
;;
|
||||||
|
No|no)
|
||||||
|
[ -n "$POLICY_MATCH" ] || \
|
||||||
|
fatal_error "IPSEC=No requires policy match support in your kernel and iptables"
|
||||||
|
policy="-m policy --pol none --dir out"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
[ -n "$ipsec" ] && \
|
||||||
|
fatal_error "Invalid value in IPSEC column: $ipsec"
|
||||||
|
[ -n "$POLICY_MATCH" ] && policy="-m policy --pol none --dir out"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
case $fullinterface in
|
case $fullinterface in
|
||||||
+*)
|
+*)
|
||||||
@ -4612,7 +4623,7 @@ setup_masq()
|
|||||||
|
|
||||||
if [ -n "$networks" ]; then
|
if [ -n "$networks" ]; then
|
||||||
for s in $networks; do
|
for s in $networks; do
|
||||||
addnatrule $chain -s $s $proto $ports -j $newchain
|
addnatrule $chain -s $s $proto $ports $policy -j $newchain
|
||||||
done
|
done
|
||||||
networks=
|
networks=
|
||||||
else
|
else
|
||||||
@ -4624,6 +4635,7 @@ setup_masq()
|
|||||||
destnets=0.0.0.0/0
|
destnets=0.0.0.0/0
|
||||||
proto=
|
proto=
|
||||||
ports=
|
ports=
|
||||||
|
policy=
|
||||||
|
|
||||||
if [ -n "$nomasq" ]; then
|
if [ -n "$nomasq" ]; then
|
||||||
for addr in $(separate_list $nomasq); do
|
for addr in $(separate_list $nomasq); do
|
||||||
@ -4645,7 +4657,7 @@ setup_masq()
|
|||||||
done
|
done
|
||||||
else
|
else
|
||||||
for destnet in $(separate_list $destnets); do
|
for destnet in $(separate_list $destnets); do
|
||||||
addnatrule $chain -d $destnet $proto $ports -j $newchain
|
addnatrule $chain -d $destnet $proto $ports $policy -j $newchain
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -4655,6 +4667,7 @@ setup_masq()
|
|||||||
destnets=0.0.0.0/0
|
destnets=0.0.0.0/0
|
||||||
proto=
|
proto=
|
||||||
ports=
|
ports=
|
||||||
|
policy=
|
||||||
|
|
||||||
for addr in $(separate_list $nomasq); do
|
for addr in $(separate_list $nomasq); do
|
||||||
addnatrule $chain -s $addr -j RETURN
|
addnatrule $chain -s $addr -j RETURN
|
||||||
@ -4677,24 +4690,24 @@ setup_masq()
|
|||||||
for s in $networks; do
|
for s in $networks; do
|
||||||
if [ -n "$addresses" ]; then
|
if [ -n "$addresses" ]; then
|
||||||
for destnet in $(separate_list $destnets); do
|
for destnet in $(separate_list $destnets); do
|
||||||
addnatrule $chain -s $s -d $destnet $proto $ports -j SNAT $addrlist
|
addnatrule $chain -s $s -d $destnet $proto $ports $policy -j SNAT $addrlist
|
||||||
done
|
done
|
||||||
progress_message " To $destination $displayproto from $s through ${interface} using $addresses"
|
progress_message " To $destination $displayproto from $s through ${interface} using $addresses"
|
||||||
else
|
else
|
||||||
for destnet in $(separate_list $destnets); do
|
for destnet in $(separate_list $destnets); do
|
||||||
addnatrule $chain -s $s -d $destnet $proto $ports -j MASQUERADE
|
addnatrule $chain -s $s -d $destnet $proto $ports $policy -j MASQUERADE
|
||||||
done
|
done
|
||||||
progress_message " To $destination $displayproto from $s through ${interface}"
|
progress_message " To $destination $displayproto from $s through ${interface}"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
elif [ -n "$addresses" ]; then
|
elif [ -n "$addresses" ]; then
|
||||||
for destnet in $(separate_list $destnets); do
|
for destnet in $(separate_list $destnets); do
|
||||||
addnatrule $chain -d $destnet $proto $ports -j SNAT $addrlist
|
addnatrule $chain -d $destnet $proto $ports $policy -j SNAT $addrlist
|
||||||
done
|
done
|
||||||
echo " To $destination $displayproto from $source through ${interface} using $addresses"
|
echo " To $destination $displayproto from $source through ${interface} using $addresses"
|
||||||
else
|
else
|
||||||
for destnet in $(separate_list $destnets); do
|
for destnet in $(separate_list $destnets); do
|
||||||
addnatrule $chain -d $destnet $proto $ports -j MASQUERADE
|
addnatrule $chain -d $destnet $proto $ports $policy -j MASQUERADE
|
||||||
done
|
done
|
||||||
progress_message " To $destination $displayproto from $source through ${interface}"
|
progress_message " To $destination $displayproto from $source through ${interface}"
|
||||||
fi
|
fi
|
||||||
@ -4705,8 +4718,8 @@ setup_masq()
|
|||||||
|
|
||||||
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_progress_message "Restoring Masquerading/SNAT..."
|
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_progress_message "Restoring Masquerading/SNAT..."
|
||||||
|
|
||||||
while read fullinterface networks addresses proto ports; do
|
while read fullinterface networks addresses proto ports ipsec; do
|
||||||
expandv fullinterface networks addresses proto ports
|
expandv fullinterface networks addresses proto ports ipsec
|
||||||
[ -n "$NAT_ENABLED" ] && setup_one || \
|
[ -n "$NAT_ENABLED" ] && setup_one || \
|
||||||
error_message "Warning: NAT disabled; masq rule ignored"
|
error_message "Warning: NAT disabled; masq rule ignored"
|
||||||
done < $TMP_DIR/masq
|
done < $TMP_DIR/masq
|
||||||
@ -5000,10 +5013,13 @@ determine_capabilities() {
|
|||||||
|
|
||||||
CONNTRACK_MATCH=
|
CONNTRACK_MATCH=
|
||||||
MULTIPORT=
|
MULTIPORT=
|
||||||
|
POLICY_MATCH=
|
||||||
|
|
||||||
if qt iptables -N fooX1234 ; then
|
if qt iptables -N fooX1234 ; then
|
||||||
qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||||
qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||||
|
qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||||
|
|
||||||
|
|
||||||
qt iptables -F fooX1234
|
qt iptables -F fooX1234
|
||||||
qt iptables -X fooX1234
|
qt iptables -X fooX1234
|
||||||
@ -5035,6 +5051,7 @@ report_capabilities() {
|
|||||||
report_capability $MULTIPORT "Multi-port Match"
|
report_capability $MULTIPORT "Multi-port Match"
|
||||||
report_capability $CONNTRACK_MATCH "Connection Tracking Match"
|
report_capability $CONNTRACK_MATCH "Connection Tracking Match"
|
||||||
report_capability $PKTTYPE "Packet Type Match"
|
report_capability $PKTTYPE "Packet Type Match"
|
||||||
|
report_capability $POLICY_MATCH "Policy Match"
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -5796,7 +5813,7 @@ activate_rules()
|
|||||||
networks1=${host1#*:}
|
networks1=${host1#*:}
|
||||||
|
|
||||||
if [ "$host" != "$host1" ] || list_search $host $routeback; then
|
if [ "$host" != "$host1" ] || list_search $host $routeback; then
|
||||||
run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_inout $zone $host $zone1 $host1) -j $chain
|
run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
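Review bot: The forward rule in the activate_rules hunk now carries only `$(match_ipsec_out $zone1 $host1)`, so the inbound policy of the source host (`$zone`/`$host`) is no longer matched on this rule; if nothing earlier in `$chain1` applies `match_ipsec_in` for that host, a cleartext packet from a host listed in `${zone}_ipsec_hosts` would be forwarded exactly like a decrypted one, which is inferred rather than visible because activate_rules starts and ends outside the hunk. If the inbound side is indeed enforced where `$chain1` is fed, say so next to the rule, e.g. `# inbound ipsec policy for $zone/$host is checked in the chain that feeds $chain1; only the outbound side is matched here`; otherwise the in-direction check needs to come back. In the setup_masq hunk, `Yes|yes` yields `--pol ipsec --dir out`, i.e. only packets that will be encrypted are SNATed, which agrees with the new masq comment but contradicts the release-notes sentence in this commit stating that for Yes the unencrypted packets have their source address changed. Separately, the startup_error string in the validate_hosts_file hunk reads `does not not support`; drop the duplicated `not`.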
@ -93,6 +93,22 @@
|
|||||||
# support and a maximum of 15 ports may be
|
# support and a maximum of 15 ports may be
|
||||||
# listed.
|
# listed.
|
||||||
#
|
#
|
||||||
|
# IPSEC -- (Optional) If you specify a value other than "-" in this
|
||||||
|
# column, you must be running kernel 2.6 and
|
||||||
|
# your kernel and iptables must include policy
|
||||||
|
# match support.
|
||||||
|
#
|
||||||
|
# Yes -- Only packets that will be encrypted using
|
||||||
|
# an ipsec policy will have their source
|
||||||
|
# address changed.
|
||||||
|
#
|
||||||
|
# No -- Only packets that will not be encrypted
|
||||||
|
# using an ipsec policy will have their
|
||||||
|
# source address changed.
|
||||||
|
#
|
||||||
|
# - or empty is the same as No providing that
|
||||||
|
# your kernel and iptables contain policy match
|
||||||
|
# support.
|
||||||
#
|
#
|
||||||
# Example 1:
|
# Example 1:
|
||||||
#
|
#
|
||||||
@ -147,5 +163,5 @@
|
|||||||
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
|
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
|
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||||
|
@ -256,3 +256,9 @@ New Features:
|
|||||||
/etc/shorewall/hosts:
|
/etc/shorewall/hosts:
|
||||||
|
|
||||||
vpn eth0:0.0.0.0/0 ipsec
|
vpn eth0:0.0.0.0/0 ipsec
|
||||||
|
|
||||||
|
The /etc/shorewall/masq file has a new IPSEC column added. If you
|
||||||
|
specify Yes or yes in that column then the unencrypted packets will
|
||||||
|
have their source address changed. Otherwise, the unencrypted
|
||||||
|
packets will not have their source addresses changed.
|
||||||
|
|
||||||
|