Add the 'noah' option to IPSEC tunnels

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1137 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-02-12 17:45:24 +00:00
parent 485a4d06ae
commit c3b2e30934
4 changed files with 36 additions and 10 deletions

View File

@ -34,3 +34,5 @@ Changes since 1.4.10
builtin actions dropBcast and dropNonSyn. builtin actions dropBcast and dropNonSyn.
17) Make "trace" a synonym for "debug" 17) Make "trace" a synonym for "debug"
18) Add the ":noah" option to IPSEC tunnels.

View File

@ -1115,15 +1115,29 @@ setup_tunnels() # $1 = name of tunnels file
setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones
{ {
local kind=$2 noah=
case $kind in
*:*)
noah=${kind#*:}
[ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
kind=${kind%:*}
;;
esac
[ $kind = IPSEC ] && kind=ipsec
options="-m state --state NEW -j ACCEPT" options="-m state --state NEW -j ACCEPT"
addrule $inchain -p 50 -s $1 -j ACCEPT addrule $inchain -p 50 -s $1 -j ACCEPT
addrule $outchain -p 50 -d $1 -j ACCEPT addrule $outchain -p 50 -d $1 -j ACCEPT
if [ -z "$noah" ]; then
run_iptables -A $inchain -p 51 -s $1 -j ACCEPT run_iptables -A $inchain -p 51 -s $1 -j ACCEPT
run_iptables -A $outchain -p 51 -d $1 -j ACCEPT run_iptables -A $outchain -p 51 -d $1 -j ACCEPT
fi
run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options
if [ $2 = ipsec ]; then if [ $kind = ipsec ]; then
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
else else
run_iptables -A $inchain -p udp -s $1 --dport 500 $options run_iptables -A $inchain -p udp -s $1 --dport 500 $options
@ -1133,7 +1147,7 @@ setup_tunnels() # $1 = name of tunnels file
for z in $(separate_list $3); do for z in $(separate_list $3); do
if validate_zone $z; then if validate_zone $z; then
addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options
if [ $2 = ipsec ]; then if [ $kind = ipsec ]; then
addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options
else else
addrule ${z}2${FW} -p udp --dport 500 $options addrule ${z}2${FW} -p udp --dport 500 $options
@ -1238,11 +1252,11 @@ setup_tunnels() # $1 = name of tunnels file
inchain=${z}2${FW} inchain=${z}2${FW}
outchain=${FW}2${z} outchain=${FW}2${z}
case $kind in case $kind in
ipsec|IPSEC) ipsec|IPSEC|ipsec:*|IPSEC:*)
setup_one_ipsec $gateway ipsec $z1 setup_one_ipsec $gateway $kind $z1
;; ;;
ipsecnat|IPSECNAT) ipsecnat|IPSECNAT|ipsecnat:*|IPSECNAT:*)
setup_one_ipsec $gateway ipsecnat $z1 setup_one_ipsec $gateway $kind $z1
;; ;;
ipip|IPIP) ipip|IPIP)
setup_one_other IPIP $gateway 4 setup_one_other IPIP $gateway 4

View File

@ -161,5 +161,10 @@ New Features:
The trace information would be written to the file /tmp/trace. The trace information would be written to the file /tmp/trace.
6) When defining an ipsec tunnel in /etc/shorewall/tunnels, if you
follow the tunnel type ("ipsec" or "ipsecnet") with ":noah"
(e.g., "ipsec:noah"), then Shorewall will only create rules for
ESP (protocol 50) and will not create rules for AH (protocol 51).

View File

@ -13,6 +13,10 @@
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or # "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
# "generic" # "generic"
# #
# If the type is "ipsec" or "ipsecnat", it may be followed
# by ":noah" to indicate that the Authentication Header
# protocol (51) is not used by the tunnel.
#
# If type is "openvpn", it may optionally be followed # If type is "openvpn", it may optionally be followed
# by ":" and the port number used by the tunnel. if no # by ":" and the port number used by the tunnel. if no
# ":" and port number are included, then the default port # ":" and port number are included, then the default port
@ -42,9 +46,10 @@
# Example 1: # Example 1:
# #
# IPSec tunnel. The remote gateway is 4.33.99.124 and # IPSec tunnel. The remote gateway is 4.33.99.124 and
# the remote subnet is 192.168.9.0/24 # the remote subnet is 192.168.9.0/24. The tunnel does
# not use the AH protocol
# #
# ipsec net 4.33.99.124 # ipsec:noah net 4.33.99.124
# #
# Example 2: # Example 2:
# #