Add the 'noah' option to IPSEC tunnels
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1137 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
485a4d06ae
commit
c3b2e30934
@ -34,3 +34,5 @@ Changes since 1.4.10
|
||||
builtin actions dropBcast and dropNonSyn.
|
||||
|
||||
17) Make "trace" a synonym for "debug"
|
||||
|
||||
18) Add the ":noah" option to IPSEC tunnels.
|
||||
|
@ -1115,15 +1115,29 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
|
||||
setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones
|
||||
{
|
||||
local kind=$2 noah=
|
||||
|
||||
case $kind in
|
||||
*:*)
|
||||
noah=${kind#*:}
|
||||
[ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
|
||||
kind=${kind%:*}
|
||||
;;
|
||||
esac
|
||||
|
||||
[ $kind = IPSEC ] && kind=ipsec
|
||||
|
||||
options="-m state --state NEW -j ACCEPT"
|
||||
addrule $inchain -p 50 -s $1 -j ACCEPT
|
||||
addrule $outchain -p 50 -d $1 -j ACCEPT
|
||||
if [ -z "$noah" ]; then
|
||||
run_iptables -A $inchain -p 51 -s $1 -j ACCEPT
|
||||
run_iptables -A $outchain -p 51 -d $1 -j ACCEPT
|
||||
fi
|
||||
|
||||
run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options
|
||||
|
||||
if [ $2 = ipsec ]; then
|
||||
if [ $kind = ipsec ]; then
|
||||
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
|
||||
else
|
||||
run_iptables -A $inchain -p udp -s $1 --dport 500 $options
|
||||
@ -1133,7 +1147,7 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
for z in $(separate_list $3); do
|
||||
if validate_zone $z; then
|
||||
addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options
|
||||
if [ $2 = ipsec ]; then
|
||||
if [ $kind = ipsec ]; then
|
||||
addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options
|
||||
else
|
||||
addrule ${z}2${FW} -p udp --dport 500 $options
|
||||
@ -1238,11 +1252,11 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
inchain=${z}2${FW}
|
||||
outchain=${FW}2${z}
|
||||
case $kind in
|
||||
ipsec|IPSEC)
|
||||
setup_one_ipsec $gateway ipsec $z1
|
||||
ipsec|IPSEC|ipsec:*|IPSEC:*)
|
||||
setup_one_ipsec $gateway $kind $z1
|
||||
;;
|
||||
ipsecnat|IPSECNAT)
|
||||
setup_one_ipsec $gateway ipsecnat $z1
|
||||
ipsecnat|IPSECNAT|ipsecnat:*|IPSECNAT:*)
|
||||
setup_one_ipsec $gateway $kind $z1
|
||||
;;
|
||||
ipip|IPIP)
|
||||
setup_one_other IPIP $gateway 4
|
||||
|
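Review bot: The modifier check `[ $noah = noah -o $noah = NOAH ]` in setup_one_ipsec expands `$noah` unquoted, so a tunnels entry such as `ipsec:` (empty modifier) or a modifier containing glob characters turns into a malformed test expression; `test` then exits 2 and prints its own syntax error before fatal_error runs, and the deprecated `-o` form adds to the ambiguity. Quoting both operands keeps the intended message as the only diagnostic: `[ "$noah" = noah -o "$noah" = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""` (a `case $noah in noah|NOAH) ;; *) fatal_error …;; esac` would read more clearly). The message references `$tunnel`, which is not assigned in this hunk — presumably the caller's loop variable; worth confirming it is set when the function is invoked from the `ipsec:*`/`ipsecnat:*` case arms. The release-notes text in this commit spells the second kind `ipsecnet`, whereas the case arms `ipsecnat|IPSECNAT|ipsecnat:*|IPSECNAT:*` are the accepted spelling, so the notes should say `ipsecnat`. setup_one_ipsec's body continues past the end of the first hunk, and setup_tunnels starts before it.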
@ -161,5 +161,10 @@ New Features:
|
||||
|
||||
The trace information would be written to the file /tmp/trace.
|
||||
|
||||
6) When defining an ipsec tunnel in /etc/shorewall/tunnels, if you
|
||||
follow the tunnel type ("ipsec" or "ipsecnet") with ":noah"
|
||||
(e.g., "ipsec:noah"), then Shorewall will only create rules for
|
||||
ESP (protocol 50) and will not create rules for AH (protocol 51).
|
||||
|
||||
|
||||
|
||||
|
@ -13,6 +13,10 @@
|
||||
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
|
||||
# "generic"
|
||||
#
|
||||
# If the type is "ipsec" or "ipsecnat", it may be followed
|
||||
# by ":noah" to indicate that the Authentication Header
|
||||
# protocol (51) is not used by the tunnel.
|
||||
#
|
||||
# If type is "openvpn", it may optionally be followed
|
||||
# by ":" and the port number used by the tunnel. if no
|
||||
# ":" and port number are included, then the default port
|
||||
@ -42,9 +46,10 @@
|
||||
# Example 1:
|
||||
#
|
||||
# IPSec tunnel. The remote gateway is 4.33.99.124 and
|
||||
# the remote subnet is 192.168.9.0/24
|
||||
# the remote subnet is 192.168.9.0/24. The tunnel does
|
||||
# not use the AH protocol
|
||||
#
|
||||
# ipsec net 4.33.99.124
|
||||
# ipsec:noah net 4.33.99.124
|
||||
#
|
||||
# Example 2:
|
||||
#
|
||||
|