From ae15ea262c2cc0ffe65cea992b8edd7bfafbcfd5 Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Sun, 27 Aug 2006 20:26:29 +0000
Subject: [PATCH] Also forgot lib.tunnels

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4458 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/lib.tunnels | 278 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 278 insertions(+)
 create mode 100644 Shorewall/lib.tunnels

diff --git a/Shorewall/lib.tunnels b/Shorewall/lib.tunnels
new file mode 100644
index 000000000..dad020dfb
--- /dev/null
+++ b/Shorewall/lib.tunnels
@@ -0,0 +1,278 @@
+#!/bin/sh
+#
+# Shorewall 3.2 -- /usr/share/shorewall/lib.tunnels
+#
+#     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006 - Tom Eastep (teastep@shorewall.net)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+
+#
+# Set up ipsec tunnels
+#
+setup_tunnels() # $1 = name of tunnels file
+{
+    local inchain
+    local outchain
+    local source
+    local dest
+
+    setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
+    {
+    	local kind=$1 noah=
+
+	case $kind in
+	    *:*)
+	    	noah=${kind#*:}
+		[ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
+		kind=${kind%:*}
+		;;
+	esac
+
+	[ $kind = IPSEC ] && kind=ipsec
+
+	options="-m state --state NEW -j ACCEPT"
+	addrule2 $inchain	  -p 50	 $source -j ACCEPT
+	addrule2 $outchain	  -p 50	 $dest   -j ACCEPT
+
+	if [ -z "$noah" ]; then
+	    run_iptables -A $inchain  -p 51 $source -j ACCEPT
+	    run_iptables -A $outchain -p 51 $dest   -j ACCEPT
+	fi
+
+	run_iptables -A $outchain -p udp $dest --dport 500 $options
+
+	if [ $kind = ipsec ]; then
+	    run_iptables -A $inchain  -p udp $source --dport 500 $options
+	else
+	    run_iptables -A $inchain  -p udp $source --dport 500 $options
+	    run_iptables -A $inchain  -p udp $source --dport 4500 $options
+	fi
+
+	for z in $(separate_list $2); do
+	    if validate_zone $z; then
+		if [ -z "$POLICY_MATCH" ]; then
+		    addrule ${z}2${FW} -p 50 $source -j ACCEPT
+		    addrule ${FW}2${z} -p 50 $dest   -j ACCEPT
+		    if [ -z "$noah" ]; then
+			addrule ${z}2${FW} -p 51 $source -j ACCEPT
+			addrule ${FW}2${z} -p 51 $dest   -j ACCEPT
+		    fi
+		fi
+		if [ $kind = ipsec ]; then
+		    addrule ${z}2${FW} -p udp $source --dport 500 $options
+		    addrule ${FW}2${z} -p udp $dest   --dport 500 $options
+		else
+		    addrule ${z}2${FW} -p udp $source --dport 500 $options
+		    addrule ${FW}2${z} -p udp $dest   --dport 500 $options
+		    addrule ${z}2${FW} -p udp $source --dport 4500 $options
+		    addrule ${FW}2${z} -p udp $dest   --dport 4500 $options
+		fi
+	    else
+		fatal_error "Invalid gateway zone ($z) -- Tunnel \"$tunnel\""
+	    fi
+	done
+
+	progress_message_and_save "   IPSEC tunnel to $gateway defined."
+    }
+
+    setup_one_other() # $1 = TYPE, $2 = protocol
+    {
+	addrule2 $inchain  -p $2 $source -j ACCEPT
+	addrule2 $outchain -p $2 $dest   -j ACCEPT
+
+	progress_message_and_save "   $1 tunnel to $gateway compiled."
+    }
+
+    setup_pptp_client()
+    {
+	addrule2 $outchain -p 47               $dest   -j ACCEPT
+	addrule2 $inchain  -p 47               $source -j ACCEPT
+	addrule2 $outchain -p tcp --dport 1723 $dest   -j ACCEPT
+
+	progress_message_and_save "   PPTP tunnel to $gateway defined."
+    }
+
+    setup_pptp_server()
+    {
+	addrule2 $inchain  -p 47               $source -j ACCEPT
+	addrule2 $outchain -p 47               $dest   -j ACCEPT
+	addrule2 $inchain  -p tcp --dport 1723 $source -j ACCEPT
+
+	progress_message_and_save "   PPTP server defined."
+    }
+
+    setup_one_openvpn() # $1 = kind[:port]
+    {
+	local protocol=udp
+	local p=1194
+
+	case $1 in
+	    *:*:*)
+		protocol=${1%:*}
+		protocol=${protocol#*:}
+		p=${1##*:}
+		;;
+	    *:tcp|*:udp|*:TCP|*:UDP)
+		protocol=${1#*:}
+		;;
+	    *:*)
+		p=${1#*:}
+		;;
+	esac
+
+	addrule2 $inchain  -p $protocol $source --dport $p -j ACCEPT
+	addrule2 $outchain -p $protocol $dest   --dport $p -j ACCEPT
+
+	progress_message_and_save "   OPENVPN tunnel to $gateway:$protocol:$p defined."
+    }
+
+    setup_one_openvpn_server() # $1 = kind[:port]
+    {
+	local protocol=udp
+	local p=1194
+
+	case $1 in
+	    *:*:*)
+		protocol=${1%:*}
+		protocol=${protocol#*:}
+		p=${1##*:}
+		;;
+	    *:tcp|*:udp|*:TCP|*:UDP)
+		protocol=${1#*:}
+		;;
+	    *:*)
+		p=${1#*:}
+		;;
+	esac
+
+	addrule2 $inchain  -p $protocol $source --dport $p -j ACCEPT
+	addrule2 $outchain -p $protocol $dest   --sport $p -j ACCEPT
+
+	progress_message_and_save "   OPENVPN server tunnel from $gateway:$protocol:$p defined."
+    }
+
+    setup_one_openvpn_client() # $1 = kind[:port]
+    {
+	local protocol=udp
+	local p=1194
+
+	case $1 in
+	    *:*:*)
+		protocol=${1%:*}
+		protocol=${protocol#*:}
+		p=${1##*:}
+		;;
+	    *:tcp|*:udp|*:TCP|*:UDP)
+		protocol=${1#*:}
+		;;
+	    *:*)
+		p=${1#*:}
+		;;
+	esac
+
+	addrule2 $inchain  -p $protocol $source --sport $p -j ACCEPT
+	addrule2 $outchain -p $protocol $dest   --dport $p -j ACCEPT
+
+	progress_message_and_save "   OPENVPN client tunnel to $gateway:$protocol:$p defined."
+    }
+
+    setup_one_generic() # $1 = kind:protocol[:port]
+    {
+	local protocol
+	local p=
+
+	case $1 in
+	    *:*:*)
+		p=${1##*:}
+		protocol=${1%:*}
+		protocol=${protocol#*:}
+		;;
+	    *:*)
+		protocol=${1#*:}
+		;;
+	    *)
+		protocol=udp
+		p=5000
+		;;
+	esac
+
+	p=${p:+--dport $p}
+
+	addrule2 $inchain  -p $protocol $source $p -j ACCEPT
+	addrule2 $outchain -p $protocol $dest   $p -j ACCEPT
+
+	progress_message_and_save "   GENERIC tunnel to $1:$p defined."
+    }
+
+    strip_file tunnels $1
+
+    while read kind z gateway z1; do
+	expandv kind z gateway z1
+	tunnel="$(echo $kind $z $gateway $z1)"
+	if validate_zone $z; then
+	    inchain=${z}2${FW}
+	    outchain=${FW}2${z}
+	    gateway=${gateway:-0.0.0.0/0}
+	    source=$(source_ip_range $gateway)
+	    dest=$(dest_ip_range $gateway)
+
+	    case $kind in
+		ipsec|IPSEC|ipsec:*|IPSEC:*)
+		    setup_one_ipsec $kind $z1
+		    ;;
+		ipsecnat|IPSECNAT|ipsecnat:*|IPSECNAT:*)
+		    setup_one_ipsec $kind $z1
+		    ;;
+		ipip|IPIP)
+		    setup_one_other IPIP 4
+		    ;;
+		gre|GRE)
+		    setup_one_other GRE 47
+		    ;;
+		6to4|6TO4)
+		    setup_one_other 6to4 41
+		    ;;
+		pptpclient|PPTPCLIENT)
+		    setup_pptp_client
+		    ;;
+		pptpserver|PPTPSERVER)
+		    setup_pptp_server
+		    ;;
+		openvpn|OPENVPN|openvpn:*|OPENVPN:*)
+		    setup_one_openvpn $kind
+		    ;;
+		openvpnclient|OPENVPNCLIENT|openvpnclient:*|OPENVPNCLIENT:*)
+		    setup_one_openvpn_client $kind
+		    ;;
+		openvpnserver|OPENVPNSERVER|openvpnserver:*|OPENVPNSERVER:*)
+		    setup_one_openvpn_server $kind
+		    ;;
+		generic:*|GENERIC:*)
+		    setup_one_generic $kind
+		    ;;
+		*)
+		    error_message "WARNING: Tunnels of type $kind are not supported:" \
+			"Tunnel \"$tunnel\" Ignored"
+		    ;;
+	    esac
+	else
+	    error_message "ERROR: Invalid gateway zone ($z)" \
+		" -- Tunnel \"$tunnel\" Ignored"
+	fi
+    done < $TMP_DIR/tunnels
+}