Add the 'noah' option to IPSEC tunnels
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1137 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
485a4d06ae
commit
c3b2e30934
@ -34,3 +34,5 @@ Changes since 1.4.10
|
|||||||
builtin actions dropBcast and dropNonSyn.
|
builtin actions dropBcast and dropNonSyn.
|
||||||
|
|
||||||
17) Make "trace" a synonym for "debug"
|
17) Make "trace" a synonym for "debug"
|
||||||
|
|
||||||
|
18) Add the ":noah" option to IPSEC tunnels.
|
||||||
|
@ -1115,15 +1115,29 @@ setup_tunnels() # $1 = name of tunnels file
|
|||||||
|
|
||||||
setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones
|
setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones
|
||||||
{
|
{
|
||||||
|
local kind=$2 noah=
|
||||||
|
|
||||||
|
case $kind in
|
||||||
|
*:*)
|
||||||
|
noah=${kind#*:}
|
||||||
|
[ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
|
||||||
|
kind=${kind%:*}
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
[ $kind = IPSEC ] && kind=ipsec
|
||||||
|
|
||||||
options="-m state --state NEW -j ACCEPT"
|
options="-m state --state NEW -j ACCEPT"
|
||||||
addrule $inchain -p 50 -s $1 -j ACCEPT
|
addrule $inchain -p 50 -s $1 -j ACCEPT
|
||||||
addrule $outchain -p 50 -d $1 -j ACCEPT
|
addrule $outchain -p 50 -d $1 -j ACCEPT
|
||||||
run_iptables -A $inchain -p 51 -s $1 -j ACCEPT
|
if [ -z "$noah" ]; then
|
||||||
run_iptables -A $outchain -p 51 -d $1 -j ACCEPT
|
run_iptables -A $inchain -p 51 -s $1 -j ACCEPT
|
||||||
|
run_iptables -A $outchain -p 51 -d $1 -j ACCEPT
|
||||||
|
fi
|
||||||
|
|
||||||
run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options
|
run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options
|
||||||
|
|
||||||
if [ $2 = ipsec ]; then
|
if [ $kind = ipsec ]; then
|
||||||
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
|
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
|
||||||
else
|
else
|
||||||
run_iptables -A $inchain -p udp -s $1 --dport 500 $options
|
run_iptables -A $inchain -p udp -s $1 --dport 500 $options
|
||||||
@ -1133,7 +1147,7 @@ setup_tunnels() # $1 = name of tunnels file
|
|||||||
for z in $(separate_list $3); do
|
for z in $(separate_list $3); do
|
||||||
if validate_zone $z; then
|
if validate_zone $z; then
|
||||||
addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options
|
addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options
|
||||||
if [ $2 = ipsec ]; then
|
if [ $kind = ipsec ]; then
|
||||||
addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options
|
addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options
|
||||||
else
|
else
|
||||||
addrule ${z}2${FW} -p udp --dport 500 $options
|
addrule ${z}2${FW} -p udp --dport 500 $options
|
||||||
@ -1238,11 +1252,11 @@ setup_tunnels() # $1 = name of tunnels file
|
|||||||
inchain=${z}2${FW}
|
inchain=${z}2${FW}
|
||||||
outchain=${FW}2${z}
|
outchain=${FW}2${z}
|
||||||
case $kind in
|
case $kind in
|
||||||
ipsec|IPSEC)
|
ipsec|IPSEC|ipsec:*|IPSEC:*)
|
||||||
setup_one_ipsec $gateway ipsec $z1
|
setup_one_ipsec $gateway $kind $z1
|
||||||
;;
|
;;
|
||||||
ipsecnat|IPSECNAT)
|
ipsecnat|IPSECNAT|ipsecnat:*|IPSECNAT:*)
|
||||||
setup_one_ipsec $gateway ipsecnat $z1
|
setup_one_ipsec $gateway $kind $z1
|
||||||
;;
|
;;
|
||||||
ipip|IPIP)
|
ipip|IPIP)
|
||||||
setup_one_other IPIP $gateway 4
|
setup_one_other IPIP $gateway 4
|
||||||
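Review bot: The modifier check `[ $noah = noah -o $noah = NOAH ]` in setup_one_ipsec expands `$noah` unquoted, so an entry such as `ipsec:` (an empty suffix, which the new `ipsec:*`/`ipsecnat:*` case patterns accept) hands `[` a malformed expression; it still reaches fatal_error through the `||`, but with a spurious `[` error on stderr first, and the deprecated `-o` form is fragile. A `case` on the suffix avoids both: `case $noah in noah|NOAH) ;; *) fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\"" ;; esac`. Security-wise the option only suppresses the two protocol-51 (AH) rules and adds nothing, so it is a strict tightening of the generated policy and the ESP and IKE rules are unaffected. Only `IPSEC` is folded to `ipsec` while `IPSECNAT` is passed through unchanged; this works because the later `if [ $kind = ipsec ]` only separates ipsec from everything else, but folding both spellings would make that less easy to break. setup_tunnels, which encloses these hunks, begins and ends outside them; separately, the release-notes hunk further down names the second type `ipsecnet`, whereas the tunnels file and the case patterns use `ipsecnat`.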
|
@ -161,5 +161,10 @@ New Features:
|
|||||||
|
|
||||||
The trace information would be written to the file /tmp/trace.
|
The trace information would be written to the file /tmp/trace.
|
||||||
|
|
||||||
|
6) When defining an ipsec tunnel in /etc/shorewall/tunnels, if you
|
||||||
|
follow the tunnel type ("ipsec" or "ipsecnet") with ":noah"
|
||||||
|
(e.g., "ipsec:noah"), then Shorewall will only create rules for
|
||||||
|
ESP (protocol 50) and will not create rules for AH (protocol 51).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -13,6 +13,10 @@
|
|||||||
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
|
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
|
||||||
# "generic"
|
# "generic"
|
||||||
#
|
#
|
||||||
|
# If the type is "ipsec" or "ipsecnat", it may be followed
|
||||||
|
# by ":noah" to indicate that the Authentication Header
|
||||||
|
# protocol (51) is not used by the tunnel.
|
||||||
|
#
|
||||||
# If type is "openvpn", it may optionally be followed
|
# If type is "openvpn", it may optionally be followed
|
||||||
# by ":" and the port number used by the tunnel. if no
|
# by ":" and the port number used by the tunnel. if no
|
||||||
# ":" and port number are included, then the default port
|
# ":" and port number are included, then the default port
|
||||||
@ -42,9 +46,10 @@
|
|||||||
# Example 1:
|
# Example 1:
|
||||||
#
|
#
|
||||||
# IPSec tunnel. The remote gateway is 4.33.99.124 and
|
# IPSec tunnel. The remote gateway is 4.33.99.124 and
|
||||||
# the remote subnet is 192.168.9.0/24
|
# the remote subnet is 192.168.9.0/24. The tunnel does
|
||||||
|
# not use the AH protocol
|
||||||
#
|
#
|
||||||
# ipsec net 4.33.99.124
|
# ipsec:noah net 4.33.99.124
|
||||||
#
|
#
|
||||||
# Example 2:
|
# Example 2:
|
||||||
#
|
#
|
||||||
|