Horrible Hack to make the Tunnels file still work with the sectioned Rules file
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2568 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
bf8fcea9a6
commit
2a55b70b32
@ -2192,7 +2192,7 @@ setup_tunnels() # $1 = name of tunnels file
|
|||||||
{
|
{
|
||||||
local inchain
|
local inchain
|
||||||
local outchain
|
local outchain
|
||||||
|
local options="-m state --state NEW,INVALID -j ACCEPT"
|
||||||
|
|
||||||
setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones
|
setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones
|
||||||
{
|
{
|
||||||
@ -2208,16 +2208,16 @@ setup_tunnels() # $1 = name of tunnels file
|
|||||||
|
|
||||||
[ $kind = IPSEC ] && kind=ipsec
|
[ $kind = IPSEC ] && kind=ipsec
|
||||||
|
|
||||||
options="-m state --state NEW -j ACCEPT"
|
|
||||||
addrule2 $inchain -p 50 $(source_ip_range $1) -j ACCEPT
|
addrule2 $inchain -p 50 $(source_ip_range $1) $options
|
||||||
addrule2 $outchain -p 50 $(dest_ip_range $1) -j ACCEPT
|
addrule2 $outchain -p 50 $(dest_ip_range $1) $options
|
||||||
|
|
||||||
if [ -z "$noah" ]; then
|
if [ -z "$noah" ]; then
|
||||||
run_iptables -A $inchain -p 51 $(source_ip_range $1) -j ACCEPT
|
run_iptables -A $inchain -p 51 $(source_ip_range $1) $options
|
||||||
run_iptables -A $outchain -p 51 $(dest_ip_range $1) -j ACCEPT
|
run_iptables -A $outchain -p 51 $(dest_ip_range $1) $options
|
||||||
fi
|
fi
|
||||||
|
|
||||||
run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options
|
run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options
|
||||||
|
|
||||||
if [ $kind = ipsec ]; then
|
if [ $kind = ipsec ]; then
|
||||||
run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
|
run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
|
||||||
@ -2245,26 +2245,26 @@ setup_tunnels() # $1 = name of tunnels file
|
|||||||
|
|
||||||
setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol
|
setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol
|
||||||
{
|
{
|
||||||
addrule2 $inchain -p $3 $(source_ip_range $2) -j ACCEPT
|
addrule2 $inchain -p $3 $(source_ip_range $2) $options
|
||||||
addrule2 $outchain -p $3 $(dest_ip_range $2) -j ACCEPT
|
addrule2 $outchain -p $3 $(dest_ip_range $2) $options
|
||||||
|
|
||||||
progress_message " $1 tunnel to $2 defined."
|
progress_message " $1 tunnel to $2 defined."
|
||||||
}
|
}
|
||||||
|
|
||||||
setup_pptp_client() # $1 = gateway
|
setup_pptp_client() # $1 = gateway
|
||||||
{
|
{
|
||||||
addrule2 $outchain -p 47 $(dest_ip_range $1) -j ACCEPT
|
addrule2 $outchain -p 47 $(dest_ip_range $1) $options
|
||||||
addrule2 $inchain -p 47 $(source_ip_range $1) -j ACCEPT
|
addrule2 $inchain -p 47 $(source_ip_range $1) $options
|
||||||
addrule2 $outchain -p tcp --dport 1723 $(dest_ip_range $1) -j ACCEPT
|
addrule2 $outchain -p tcp --dport 1723 $(dest_ip_range $1) $options
|
||||||
|
|
||||||
progress_message " PPTP tunnel to $1 defined."
|
progress_message " PPTP tunnel to $1 defined."
|
||||||
}
|
}
|
||||||
|
|
||||||
setup_pptp_server() # $1 = gateway
|
setup_pptp_server() # $1 = gateway
|
||||||
{
|
{
|
||||||
addrule2 $inchain -p 47 $(source_ip_range $1) -j ACCEPT
|
addrule2 $inchain -p 47 $(source_ip_range $1) $options
|
||||||
addrule2 $outchain -p 47 $(dest_ip_range $1) -j ACCEPT
|
addrule2 $outchain -p 47 $(dest_ip_range $1) $options
|
||||||
addrule2 $inchain -p tcp --dport 1723 $(source_ip_range $1) -j ACCEPT
|
addrule2 $inchain -p tcp --dport 1723 $(source_ip_range $1) $options
|
||||||
|
|
||||||
progress_message " PPTP server defined."
|
progress_message " PPTP server defined."
|
||||||
}
|
}
|
||||||
@ -2285,8 +2285,8 @@ setup_tunnels() # $1 = name of tunnels file
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
addrule2 $inchain -p $protocol $(source_ip_range $1) --dport $p -j ACCEPT
|
addrule2 $inchain -p $protocol $(source_ip_range $1) --dport $p $options
|
||||||
addrule2 $outchain -p $protocol $(dest_ip_range $1) --dport $p -j ACCEPT
|
addrule2 $outchain -p $protocol $(dest_ip_range $1) --dport $p $options
|
||||||
|
|
||||||
progress_message " OPENVPN tunnel to $1:$protocol:$p defined."
|
progress_message " OPENVPN tunnel to $1:$protocol:$p defined."
|
||||||
}
|
}
|
||||||
@ -2307,8 +2307,8 @@ setup_tunnels() # $1 = name of tunnels file
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
addrule2 $inchain -p $protocol $(source_ip_range $1) --dport $p -j ACCEPT
|
addrule2 $inchain -p $protocol $(source_ip_range $1) --dport $p $options
|
||||||
addrule2 $outchain -p $protocol $(dest_ip_range $1) --sport $p -j ACCEPT
|
addrule2 $outchain -p $protocol $(dest_ip_range $1) --sport $p $options
|
||||||
|
|
||||||
progress_message " OPENVPN server tunnel from $1:$protocol:$p defined."
|
progress_message " OPENVPN server tunnel from $1:$protocol:$p defined."
|
||||||
}
|
}
|
||||||
@ -2329,8 +2329,8 @@ setup_tunnels() # $1 = name of tunnels file
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
addrule2 $inchain -p $protocol $(source_ip_range $1) --dsport $p -j ACCEPT
|
addrule2 $inchain -p $protocol $(source_ip_range $1) --dsport $p $options
|
||||||
addrule2 $outchain -p $protocol $(dest_ip_range $1) --dport $p -j ACCEPT
|
addrule2 $outchain -p $protocol $(dest_ip_range $1) --dport $p $options
|
||||||
|
|
||||||
progress_message " OPENVPN client tunnel to $1:$protocol:$p defined."
|
progress_message " OPENVPN client tunnel to $1:$protocol:$p defined."
|
||||||
}
|
}
|
||||||
@ -2357,13 +2357,13 @@ setup_tunnels() # $1 = name of tunnels file
|
|||||||
|
|
||||||
p=${p:+--dport $p}
|
p=${p:+--dport $p}
|
||||||
|
|
||||||
addrule2 $inchain -p $protocol $(source_ip_range $1) $p -j ACCEPT
|
addrule2 $inchain -p $protocol $(source_ip_range $1) $p $options
|
||||||
addrule2 $outchain -p $protocol $(dest_ip_range $1) $p -j ACCEPT
|
addrule2 $outchain -p $protocol $(dest_ip_range $1) $p $options
|
||||||
|
|
||||||
for z in $(separate_list $3); do
|
for z in $(separate_list $3); do
|
||||||
if validate_zone $z; then
|
if validate_zone $z; then
|
||||||
addrule ${FW}2${z} -p $protocol $p -j ACCEPT
|
addrule ${FW}2${z} -p $protocol $p $options
|
||||||
addrule ${z}2${FW} -p $protocol $p -j ACCEPT
|
addrule ${z}2${FW} -p $protocol $p $options
|
||||||
else
|
else
|
||||||
error_message "WARNING: Invalid gateway zone ($z)" \
|
error_message "WARNING: Invalid gateway zone ($z)" \
|
||||||
" -- Tunnel \"$tunnel\" may encounter problems"
|
" -- Tunnel \"$tunnel\" may encounter problems"
|
||||||
@ -5873,7 +5873,11 @@ process_rules() # $1 = "Yes" if the target is a macro.
|
|||||||
{
|
{
|
||||||
expandv xprotocol xports xcports xaddress xratelimit xuserspec intrazone=
|
expandv xprotocol xports xcports xaddress xratelimit xuserspec intrazone=
|
||||||
|
|
||||||
[ -z "$SECTIONS" ] && SECTIONS="ESTABLISHED RELATED NEW"
|
if [ -z "$SECTIONS" ]; then
|
||||||
|
finish_section ESTABLISHED,RELATED
|
||||||
|
SECTIONS="ESTABLISHED RELATED NEW"
|
||||||
|
SECTION=NEW
|
||||||
|
fi
|
||||||
|
|
||||||
case $xclients in
|
case $xclients in
|
||||||
all+)
|
all+)
|
||||||
@ -8846,7 +8850,7 @@ do_initialize() {
|
|||||||
STOPPING=
|
STOPPING=
|
||||||
HAVE_MUTEX=
|
HAVE_MUTEX=
|
||||||
ALIASES_TO_ADD=
|
ALIASES_TO_ADD=
|
||||||
SECTION=NEW
|
SECTION=ESTABLISHED
|
||||||
SECTIONS=
|
SECTIONS=
|
||||||
|
|
||||||
FUNCTIONS=$SHARED_DIR/functions
|
FUNCTIONS=$SHARED_DIR/functions
|
||||||
|
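Review bot: The new `local options="-m state --state NEW,INVALID -j ACCEPT"` in the hunk at 2192 is shared by every helper inside setup_tunnels, so conntrack's INVALID state is now accepted not only for the ESP/AH/GRE rules but also for the TCP 1723 PPTP rules, the OpenVPN tcp/udp port rules and the `${FW}2${z}` / `${z}2${FW}` zone rules in the hunk at 2357, where a firewall normally relies on INVALID packets being dropped. The removal of `options="-m state --state NEW -j ACCEPT"` from setup_one_ipsec in the hunk at 2208 also silently widens the existing UDP 500 IKE rules from NEW to NEW,INVALID, which the commit message does not mention. If INVALID is only needed for the protocols conntrack does not track well (presumably 50, 51 and 47 — worth confirming), a second variable such as `local newoptions="-m state --state NEW -j ACCEPT"` used for the tcp/udp rules would keep the widening confined to those protocols, and in any case the assignment deserves a comment such as `# NEW,INVALID: tunnel rules must still match when the Rules file is sectioned (see commit 2a55b70b32); TODO document which protocols actually need INVALID`. setup_tunnels and the helper after 2357 continue outside these hunks.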