shorewall_code/Shorewall/clib.tunnels

656 lines
16 KiB
Plaintext
Raw Normal View History

#!/bin/sh
#
# Shorewall 3.2 -- /usr/share/shorewall/clib.tunnels
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2002,2003,2004,2005,2006 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# Process the ipsec information in the zones file
#
setup_ipsec() {
local zone using_ipsec=
#
# Add a --set-mss rule to the passed chain
#
set_mss1() # $1 = chain, $2 = MSS
{
eval local policy=\$${1}_policy
if [ "$policy" != NONE ]; then
ensurechain $1
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
fi
}
#
# Set up rules to set MSS to and/or from zone "$zone"
#
set_mss() # $1 = MSS value, $2 = _in, _out or ""
{
for z in $ZONES $FW; do
case $2 in
_in)
set_mss1 ${zone}2${z} $1
;;
_out)
set_mss1 ${z}2${zone} $1
;;
*)
set_mss1 ${z}2${zone} $1
set_mss1 ${zone}2${z} $1
;;
esac
done
}
do_options() # $1 = _in, _out or "" - $2 = option list
{
local option newoptions= val
[ x${2} = x- ] && return
for option in $(separate_list $2); do
val=${option#*=}
case $option in
mss=[0-9]*) set_mss $val $1 ;;
strict) newoptions="$newoptions --strict" ;;
next) newoptions="$newoptions --next" ;;
reqid=*) newoptions="$newoptions --reqid $val" ;;
spi=*) newoptions="$newoptions --spi $val" ;;
proto=*) newoptions="$newoptions --proto $val" ;;
mode=*) newoptions="$newoptions --mode $val" ;;
tunnel-src=*) newoptions="$newoptions --tunnel-src $val" ;;
tunnel-dst=*) newoptions="$newoptions --tunnel-dst $val" ;;
reqid!=*) newoptions="$newoptions ! --reqid $val" ;;
spi!=*) newoptions="$newoptions ! --spi $val" ;;
proto!=*) newoptions="$newoptions ! --proto $val" ;;
mode!=*) newoptions="$newoptions ! --mode $val" ;;
tunnel-src!=*) newoptions="$newoptions ! --tunnel-src $val" ;;
tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst $val" ;;
*) fatal_error "Invalid option \"$option\" for zone $zone" ;;
esac
done
if [ -n "$newoptions" ]; then
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
eval ${zone}_is_complex=Yes
eval ${zone}_ipsec${1}_options=\"${newoptions# }\"
fi
}
case $IPSECFILE in
zones)
f=zones
progress_message2 "$DOING IPSEC..."
;;
*)
f=$IPSECFILE
strip_file $f
progress_message2 "$DOING $f..."
using_ipsec=Yes
;;
esac
while read zone type options in_options out_options mss; do
expandv zone type options in_options out_options mss
if [ -n "$using_ipsec" ]; then
validate_zone1 $zone || fatal_error "Unknown zone: $zone"
fi
if [ -n "$type" ]; then
if [ -n "$using_ipsec" ]; then
case $type in
No|no)
;;
Yes|yes)
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
eval ${zone}_is_ipsec=Yes
eval ${zone}_is_complex=Yes
eval ${zone}_type=ipsec4
;;
*)
fatal_error "Invalid IPSEC column contents"
;;
esac
fi
do_options "" $options
do_options "_in" $in_options
do_options "_out" $out_options
fi
done < $TMP_DIR/$f
}
#
# Set up tunnels
#
setup_tunnels() # $1 = name of tunnels file
{
local inchain
local outchain
local source
local dest
setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
{
local kind=$1 noah=
case $kind in
*:*)
noah=${kind#*:}
[ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
kind=${kind%:*}
;;
esac
[ $kind = IPSEC ] && kind=ipsec
options="-m state --state NEW -j ACCEPT"
addrule2 $inchain -p 50 $source -j ACCEPT
addrule2 $outchain -p 50 $dest -j ACCEPT
if [ -z "$noah" ]; then
run_iptables -A $inchain -p 51 $source -j ACCEPT
run_iptables -A $outchain -p 51 $dest -j ACCEPT
fi
run_iptables -A $outchain -p udp $dest --dport 500 $options
if [ $kind = ipsec ]; then
run_iptables -A $inchain -p udp $source --dport 500 $options
else
run_iptables -A $inchain -p udp $source --dport 500 $options
run_iptables -A $inchain -p udp $source --dport 4500 $options
fi
for z in $(separate_list $2); do
if validate_zone $z; then
if [ -z "$POLICY_MATCH" ]; then
addrule ${z}2${FW} -p 50 $source -j ACCEPT
addrule ${FW}2${z} -p 50 $dest -j ACCEPT
if [ -z "$noah" ]; then
addrule ${z}2${FW} -p 51 $source -j ACCEPT
addrule ${FW}2${z} -p 51 $dest -j ACCEPT
fi
fi
if [ $kind = ipsec ]; then
addrule ${z}2${FW} -p udp $source --dport 500 $options
addrule ${FW}2${z} -p udp $dest --dport 500 $options
else
addrule ${z}2${FW} -p udp $source --dport 500 $options
addrule ${FW}2${z} -p udp $dest --dport 500 $options
addrule ${z}2${FW} -p udp $source --dport 4500 $options
addrule ${FW}2${z} -p udp $dest --dport 4500 $options
fi
else
fatal_error "Invalid gateway zone ($z) -- Tunnel \"$tunnel\""
fi
done
progress_message_and_save " IPSEC tunnel to $gateway defined."
}
setup_one_other() # $1 = TYPE, $2 = protocol
{
addrule2 $inchain -p $2 $source -j ACCEPT
addrule2 $outchain -p $2 $dest -j ACCEPT
progress_message_and_save " $1 tunnel to $gateway compiled."
}
setup_pptp_client()
{
addrule2 $outchain -p 47 $dest -j ACCEPT
addrule2 $inchain -p 47 $source -j ACCEPT
addrule2 $outchain -p tcp --dport 1723 $dest -j ACCEPT
progress_message_and_save " PPTP tunnel to $gateway defined."
}
setup_pptp_server()
{
addrule2 $inchain -p 47 $source -j ACCEPT
addrule2 $outchain -p 47 $dest -j ACCEPT
addrule2 $inchain -p tcp --dport 1723 $source -j ACCEPT
progress_message_and_save " PPTP server defined."
}
setup_one_openvpn() # $1 = kind[:port]
{
local protocol=udp
local p=1194
case $1 in
*:*:*)
protocol=${1%:*}
protocol=${protocol#*:}
p=${1##*:}
;;
*:tcp|*:udp|*:TCP|*:UDP)
protocol=${1#*:}
;;
*:*)
p=${1#*:}
;;
esac
addrule2 $inchain -p $protocol $source --dport $p -j ACCEPT
addrule2 $outchain -p $protocol $dest --dport $p -j ACCEPT
progress_message_and_save " OPENVPN tunnel to $gateway:$protocol:$p defined."
}
setup_one_openvpn_server() # $1 = kind[:port]
{
local protocol=udp
local p=1194
case $1 in
*:*:*)
protocol=${1%:*}
protocol=${protocol#*:}
p=${1##*:}
;;
*:tcp|*:udp|*:TCP|*:UDP)
protocol=${1#*:}
;;
*:*)
p=${1#*:}
;;
esac
#
# Set up ipsec tunnels
#
setup_tunnels() # $1 = name of tunnels file
{
local inchain
local outchain
local source
local dest
setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
{
local kind=$1 noah=
case $kind in
*:*)
noah=${kind#*:}
[ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
kind=${kind%:*}
;;
esac
[ $kind = IPSEC ] && kind=ipsec
options="-m state --state NEW -j ACCEPT"
addrule2 $inchain -p 50 $source -j ACCEPT
addrule2 $outchain -p 50 $dest -j ACCEPT
if [ -z "$noah" ]; then
run_iptables -A $inchain -p 51 $source -j ACCEPT
run_iptables -A $outchain -p 51 $dest -j ACCEPT
fi
run_iptables -A $outchain -p udp $dest --dport 500 $options
if [ $kind = ipsec ]; then
run_iptables -A $inchain -p udp $source --dport 500 $options
else
run_iptables -A $inchain -p udp $source --dport 500 $options
run_iptables -A $inchain -p udp $source --dport 4500 $options
fi
for z in $(separate_list $2); do
if validate_zone $z; then
if [ -z "$POLICY_MATCH" ]; then
addrule ${z}2${FW} -p 50 $source -j ACCEPT
addrule ${FW}2${z} -p 50 $dest -j ACCEPT
if [ -z "$noah" ]; then
addrule ${z}2${FW} -p 51 $source -j ACCEPT
addrule ${FW}2${z} -p 51 $dest -j ACCEPT
fi
fi
if [ $kind = ipsec ]; then
addrule ${z}2${FW} -p udp $source --dport 500 $options
addrule ${FW}2${z} -p udp $dest --dport 500 $options
else
addrule ${z}2${FW} -p udp $source --dport 500 $options
addrule ${FW}2${z} -p udp $dest --dport 500 $options
addrule ${z}2${FW} -p udp $source --dport 4500 $options
addrule ${FW}2${z} -p udp $dest --dport 4500 $options
fi
else
fatal_error "Invalid gateway zone ($z) -- Tunnel \"$tunnel\""
fi
done
progress_message_and_save " IPSEC tunnel to $gateway defined."
}
setup_one_other() # $1 = TYPE, $2 = protocol
{
addrule2 $inchain -p $2 $source -j ACCEPT
addrule2 $outchain -p $2 $dest -j ACCEPT
progress_message_and_save " $1 tunnel to $gateway compiled."
}
setup_pptp_client()
{
addrule2 $outchain -p 47 $dest -j ACCEPT
addrule2 $inchain -p 47 $source -j ACCEPT
addrule2 $outchain -p tcp --dport 1723 $dest -j ACCEPT
progress_message_and_save " PPTP tunnel to $gateway defined."
}
setup_pptp_server()
{
addrule2 $inchain -p 47 $source -j ACCEPT
addrule2 $outchain -p 47 $dest -j ACCEPT
addrule2 $inchain -p tcp --dport 1723 $source -j ACCEPT
progress_message_and_save " PPTP server defined."
}
setup_one_openvpn() # $1 = kind[:port]
{
local protocol=udp
local p=1194
case $1 in
*:*:*)
protocol=${1%:*}
protocol=${protocol#*:}
p=${1##*:}
;;
*:tcp|*:udp|*:TCP|*:UDP)
protocol=${1#*:}
;;
*:*)
p=${1#*:}
;;
esac
addrule2 $inchain -p $protocol $source --dport $p -j ACCEPT
addrule2 $outchain -p $protocol $dest --dport $p -j ACCEPT
progress_message_and_save " OPENVPN tunnel to $gateway:$protocol:$p defined."
}
setup_one_openvpn_server() # $1 = kind[:port]
{
local protocol=udp
local p=1194
case $1 in
*:*:*)
protocol=${1%:*}
protocol=${protocol#*:}
p=${1##*:}
;;
*:tcp|*:udp|*:TCP|*:UDP)
protocol=${1#*:}
;;
*:*)
p=${1#*:}
;;
esac
addrule2 $inchain -p $protocol $source --dport $p -j ACCEPT
addrule2 $outchain -p $protocol $dest --sport $p -j ACCEPT
progress_message_and_save " OPENVPN server tunnel from $gateway:$protocol:$p defined."
}
setup_one_openvpn_client() # $1 = kind[:port]
{
local protocol=udp
local p=1194
case $1 in
*:*:*)
protocol=${1%:*}
protocol=${protocol#*:}
p=${1##*:}
;;
*:tcp|*:udp|*:TCP|*:UDP)
protocol=${1#*:}
;;
*:*)
p=${1#*:}
;;
esac
addrule2 $inchain -p $protocol $source --sport $p -j ACCEPT
addrule2 $outchain -p $protocol $dest --dport $p -j ACCEPT
progress_message_and_save " OPENVPN client tunnel to $gateway:$protocol:$p defined."
}
setup_one_generic() # $1 = kind:protocol[:port]
{
local protocol
local p=
case $1 in
*:*:*)
p=${1##*:}
protocol=${1%:*}
protocol=${protocol#*:}
;;
*:*)
protocol=${1#*:}
;;
*)
protocol=udp
p=5000
;;
esac
p=${p:+--dport $p}
addrule2 $inchain -p $protocol $source $p -j ACCEPT
addrule2 $outchain -p $protocol $dest $p -j ACCEPT
progress_message_and_save " GENERIC tunnel to $1:$p defined."
}
strip_file tunnels $1
while read kind z gateway z1; do
expandv kind z gateway z1
tunnel="$(echo $kind $z $gateway $z1)"
if validate_zone $z; then
inchain=${z}2${FW}
outchain=${FW}2${z}
gateway=${gateway:-0.0.0.0/0}
source=$(source_ip_range $gateway)
dest=$(dest_ip_range $gateway)
case $kind in
ipsec|IPSEC|ipsec:*|IPSEC:*)
setup_one_ipsec $kind $z1
;;
ipsecnat|IPSECNAT|ipsecnat:*|IPSECNAT:*)
setup_one_ipsec $kind $z1
;;
ipip|IPIP)
setup_one_other IPIP 4
;;
gre|GRE)
setup_one_other GRE 47
;;
6to4|6TO4)
setup_one_other 6to4 41
;;
pptpclient|PPTPCLIENT)
setup_pptp_client
;;
pptpserver|PPTPSERVER)
setup_pptp_server
;;
openvpn|OPENVPN|openvpn:*|OPENVPN:*)
setup_one_openvpn $kind
;;
openvpnclient|OPENVPNCLIENT|openvpnclient:*|OPENVPNCLIENT:*)
setup_one_openvpn_client $kind
;;
openvpnserver|OPENVPNSERVER|openvpnserver:*|OPENVPNSERVER:*)
setup_one_openvpn_server $kind
;;
generic:*|GENERIC:*)
setup_one_generic $kind
;;
*)
error_message "WARNING: Tunnels of type $kind are not supported:" \
"Tunnel \"$tunnel\" Ignored"
;;
esac
else
error_message "ERROR: Invalid gateway zone ($z)" \
" -- Tunnel \"$tunnel\" Ignored"
fi
done < $TMP_DIR/tunnels
}
addrule2 $inchain -p $protocol $source --dport $p -j ACCEPT
addrule2 $outchain -p $protocol $dest --sport $p -j ACCEPT
progress_message_and_save " OPENVPN server tunnel from $gateway:$protocol:$p defined."
}
setup_one_openvpn_client() # $1 = kind[:port]
{
local protocol=udp
local p=1194
case $1 in
*:*:*)
protocol=${1%:*}
protocol=${protocol#*:}
p=${1##*:}
;;
*:tcp|*:udp|*:TCP|*:UDP)
protocol=${1#*:}
;;
*:*)
p=${1#*:}
;;
esac
addrule2 $inchain -p $protocol $source --sport $p -j ACCEPT
addrule2 $outchain -p $protocol $dest --dport $p -j ACCEPT
progress_message_and_save " OPENVPN client tunnel to $gateway:$protocol:$p defined."
}
setup_one_generic() # $1 = kind:protocol[:port]
{
local protocol
local p=
case $1 in
*:*:*)
p=${1##*:}
protocol=${1%:*}
protocol=${protocol#*:}
;;
*:*)
protocol=${1#*:}
;;
*)
protocol=udp
p=5000
;;
esac
p=${p:+--dport $p}
addrule2 $inchain -p $protocol $source $p -j ACCEPT
addrule2 $outchain -p $protocol $dest $p -j ACCEPT
progress_message_and_save " GENERIC tunnel to $1:$p defined."
}
strip_file tunnels $1
while read kind z gateway z1; do
expandv kind z gateway z1
tunnel="$(echo $kind $z $gateway $z1)"
if validate_zone $z; then
inchain=${z}2${FW}
outchain=${FW}2${z}
gateway=${gateway:-0.0.0.0/0}
source=$(source_ip_range $gateway)
dest=$(dest_ip_range $gateway)
case $kind in
ipsec|IPSEC|ipsec:*|IPSEC:*)
setup_one_ipsec $kind $z1
;;
ipsecnat|IPSECNAT|ipsecnat:*|IPSECNAT:*)
setup_one_ipsec $kind $z1
;;
ipip|IPIP)
setup_one_other IPIP 4
;;
gre|GRE)
setup_one_other GRE 47
;;
6to4|6TO4)
setup_one_other 6to4 41
;;
pptpclient|PPTPCLIENT)
setup_pptp_client
;;
pptpserver|PPTPSERVER)
setup_pptp_server
;;
openvpn|OPENVPN|openvpn:*|OPENVPN:*)
setup_one_openvpn $kind
;;
openvpnclient|OPENVPNCLIENT|openvpnclient:*|OPENVPNCLIENT:*)
setup_one_openvpn_client $kind
;;
openvpnserver|OPENVPNSERVER|openvpnserver:*|OPENVPNSERVER:*)
setup_one_openvpn_server $kind
;;
generic:*|GENERIC:*)
setup_one_generic $kind
;;
*)
error_message "WARNING: Tunnels of type $kind are not supported:" \
"Tunnel \"$tunnel\" Ignored"
;;
esac
else
error_message "ERROR: Invalid gateway zone ($z)" \
" -- Tunnel \"$tunnel\" Ignored"
fi
done < $TMP_DIR/tunnels
}
CLIB_TUNNELS_LOADED=Yes