mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-30 19:43:45 +01:00
IPSEC 2.6 Fixes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1537 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
7d85e8d36c
commit
24e6d1191d
@ -36,3 +36,7 @@ Changes since 2.0.3
|
||||
16) Added DNAT ONLY column to /etc/shorewall/nat.
|
||||
|
||||
17) Removed SNAT from ORIGINAL DESTINATION column.
|
||||
|
||||
18) Removed DNAT ONLY column.
|
||||
|
||||
19) Added IPSEC column to /etc/shorewall/masq.
|
||||
|
@ -613,7 +613,11 @@ match_ipsec_in() # $1 = zone, $2 = host
|
||||
{
|
||||
eval local hosts=\"\$${1}_ipsec_hosts\"
|
||||
|
||||
list_search $2 $hosts && echo "-m policy --pol ipsec --dir in"
|
||||
if list_search $2 $hosts; then
|
||||
echo "-m policy --pol ipsec --dir in"
|
||||
elif [ -n "$POLICY_MATCH" ]; then
|
||||
echo "-m policy --pol none --dir in"
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
@ -623,26 +627,10 @@ match_ipsec_out() # $1 = zone, $2 = host
|
||||
{
|
||||
eval local hosts=\"\$${1}_ipsec_hosts\"
|
||||
|
||||
list_search $2 $hosts && echo "-m policy --pol ipsec --dir out"
|
||||
}
|
||||
|
||||
#
|
||||
# Generate a match for packets that have been decrypted and that will be encrypted
|
||||
#
|
||||
match_ipsec_inout() # $1 =input zone, $2 = input host, $3 = output zone, $4 = output host"
|
||||
{
|
||||
local result="-m policy --pol ipsec"
|
||||
eval local input_hosts=\"\$${1}_ipsec_hosts\"
|
||||
eval local output_hosts=\"\$${3}_ipsec_hosts\"
|
||||
|
||||
if list_search $2 $input_hosts; then
|
||||
result="$result --dir in"
|
||||
if list_search $4 $output_hosts; then
|
||||
result="$result --dir out"
|
||||
fi
|
||||
echo $result
|
||||
elif list_search $4 $output_hosts; then
|
||||
echo "$result --dir out"
|
||||
if list_search $2 $hosts; then
|
||||
echo "-m policy --pol ipsec --dir out"
|
||||
elif [ -n "$POLICY_MATCH" ]; then
|
||||
echo "-m policy --pol none --dir out"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -898,7 +886,10 @@ validate_hosts_file() {
|
||||
maclist|norfc1918|nobogons|blacklist|tcpflags|nosmurfs|newnotsyn|-)
|
||||
;;
|
||||
ipsec)
|
||||
[ -n "$POLICY_MATCH" ] || \
|
||||
startup_error "Your kernel and/or iptables does not not support policy match: ipsec"
|
||||
eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\"
|
||||
eval ${z}_is_complex=Yes
|
||||
;;
|
||||
routeback)
|
||||
[ -z "$ports" ] && \
|
||||
@ -4464,7 +4455,27 @@ get_routed_networks() # $1 = interface name
|
||||
setup_masq()
|
||||
{
|
||||
setup_one() {
|
||||
local add_snat_aliases=$ADD_SNAT_ALIASES, pre_nat=
|
||||
local add_snat_aliases=$ADD_SNAT_ALIASES, pre_nat= policy=
|
||||
|
||||
[ "x$ipsec" = x- ] && ipsec=
|
||||
|
||||
case $ipsec in
|
||||
Yes|yes)
|
||||
[ -n "$POLICY_MATCH" ] || \
|
||||
fatal_error "IPSEC=Yes requires policy match support in your kernel and iptables"
|
||||
policy="-m policy --pol ipsec --dir out"
|
||||
;;
|
||||
No|no)
|
||||
[ -n "$POLICY_MATCH" ] || \
|
||||
fatal_error "IPSEC=No requires policy match support in your kernel and iptables"
|
||||
policy="-m policy --pol none --dir out"
|
||||
;;
|
||||
*)
|
||||
[ -n "$ipsec" ] && \
|
||||
fatal_error "Invalid value in IPSEC column: $ipsec"
|
||||
[ -n "$POLICY_MATCH" ] && policy="-m policy --pol none --dir out"
|
||||
;;
|
||||
esac
|
||||
|
||||
case $fullinterface in
|
||||
+*)
|
||||
@ -4612,7 +4623,7 @@ setup_masq()
|
||||
|
||||
if [ -n "$networks" ]; then
|
||||
for s in $networks; do
|
||||
addnatrule $chain -s $s $proto $ports -j $newchain
|
||||
addnatrule $chain -s $s $proto $ports $policy -j $newchain
|
||||
done
|
||||
networks=
|
||||
else
|
||||
@ -4624,6 +4635,7 @@ setup_masq()
|
||||
destnets=0.0.0.0/0
|
||||
proto=
|
||||
ports=
|
||||
policy=
|
||||
|
||||
if [ -n "$nomasq" ]; then
|
||||
for addr in $(separate_list $nomasq); do
|
||||
@ -4645,7 +4657,7 @@ setup_masq()
|
||||
done
|
||||
else
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain -d $destnet $proto $ports -j $newchain
|
||||
addnatrule $chain -d $destnet $proto $ports $policy -j $newchain
|
||||
done
|
||||
fi
|
||||
|
||||
@ -4655,6 +4667,7 @@ setup_masq()
|
||||
destnets=0.0.0.0/0
|
||||
proto=
|
||||
ports=
|
||||
policy=
|
||||
|
||||
for addr in $(separate_list $nomasq); do
|
||||
addnatrule $chain -s $addr -j RETURN
|
||||
@ -4677,24 +4690,24 @@ setup_masq()
|
||||
for s in $networks; do
|
||||
if [ -n "$addresses" ]; then
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain -s $s -d $destnet $proto $ports -j SNAT $addrlist
|
||||
addnatrule $chain -s $s -d $destnet $proto $ports $policy -j SNAT $addrlist
|
||||
done
|
||||
progress_message " To $destination $displayproto from $s through ${interface} using $addresses"
|
||||
else
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain -s $s -d $destnet $proto $ports -j MASQUERADE
|
||||
addnatrule $chain -s $s -d $destnet $proto $ports $policy -j MASQUERADE
|
||||
done
|
||||
progress_message " To $destination $displayproto from $s through ${interface}"
|
||||
fi
|
||||
done
|
||||
elif [ -n "$addresses" ]; then
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain -d $destnet $proto $ports -j SNAT $addrlist
|
||||
addnatrule $chain -d $destnet $proto $ports $policy -j SNAT $addrlist
|
||||
done
|
||||
echo " To $destination $displayproto from $source through ${interface} using $addresses"
|
||||
else
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain -d $destnet $proto $ports -j MASQUERADE
|
||||
addnatrule $chain -d $destnet $proto $ports $policy -j MASQUERADE
|
||||
done
|
||||
progress_message " To $destination $displayproto from $source through ${interface}"
|
||||
fi
|
||||
@ -4705,8 +4718,8 @@ setup_masq()
|
||||
|
||||
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_progress_message "Restoring Masquerading/SNAT..."
|
||||
|
||||
while read fullinterface networks addresses proto ports; do
|
||||
expandv fullinterface networks addresses proto ports
|
||||
while read fullinterface networks addresses proto ports ipsec; do
|
||||
expandv fullinterface networks addresses proto ports ipsec
|
||||
[ -n "$NAT_ENABLED" ] && setup_one || \
|
||||
error_message "Warning: NAT disabled; masq rule ignored"
|
||||
done < $TMP_DIR/masq
|
||||
@ -5000,10 +5013,13 @@ determine_capabilities() {
|
||||
|
||||
CONNTRACK_MATCH=
|
||||
MULTIPORT=
|
||||
POLICY_MATCH=
|
||||
|
||||
if qt iptables -N fooX1234 ; then
|
||||
qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||
qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||
|
||||
|
||||
qt iptables -F fooX1234
|
||||
qt iptables -X fooX1234
|
||||
@ -5035,6 +5051,7 @@ report_capabilities() {
|
||||
report_capability $MULTIPORT "Multi-port Match"
|
||||
report_capability $CONNTRACK_MATCH "Connection Tracking Match"
|
||||
report_capability $PKTTYPE "Packet Type Match"
|
||||
report_capability $POLICY_MATCH "Policy Match"
|
||||
}
|
||||
|
||||
#
|
||||
@ -5796,7 +5813,7 @@ activate_rules()
|
||||
networks1=${host1#*:}
|
||||
|
||||
if [ "$host" != "$host1" ] || list_search $host $routeback; then
|
||||
run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_inout $zone $host $zone1 $host1) -j $chain
|
||||
run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
@ -93,6 +93,22 @@
|
||||
# support and a maximum of 15 ports may be
|
||||
# listed.
|
||||
#
|
||||
# IPSEC -- (Optional) If you specify a value other than "-" in this
|
||||
# column, you must be running kernel 2.6 and
|
||||
# your kernel and iptables must include policy
|
||||
# match support.
|
||||
#
|
||||
# Yes -- Only packets that will be encrypted using
|
||||
# an ipsec policy will have their source
|
||||
# address changed.
|
||||
#
|
||||
# No -- Only packets that will not be encrypted
|
||||
# using an ipsec policy will have their
|
||||
# source address changed.
|
||||
#
|
||||
# - or empty is the same as No providing that
|
||||
# your kernel and iptables contain policy match
|
||||
# support.
|
||||
#
|
||||
# Example 1:
|
||||
#
|
||||
@ -147,5 +163,5 @@
|
||||
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
|
||||
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -256,3 +256,9 @@ New Features:
|
||||
/etc/shorewall/hosts:
|
||||
|
||||
vpn eth0:0.0.0.0/0 ipsec
|
||||
|
||||
The /etc/shorewall/masq file has a new IPSEC column added. If you
|
||||
specify Yes or yes in that column then the unencrypted packets will
|
||||
have their source address changed. Otherwise, the unencrypted
|
||||
packets will not have their source addresses changed.
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user