forked from extern/shorewall_code
ac3bb774b4
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5249 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
283 lines
6.8 KiB
Bash
283 lines
6.8 KiB
Bash
#!/bin/sh
|
|
#
|
|
# Shorewall 3.4 -- /usr/share/shorewall/lib.tunnels
|
|
#
|
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
|
#
|
|
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
|
|
#
|
|
# Complete documentation is available at http://shorewall.net
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of Version 2 of the GNU General Public License
|
|
# as published by the Free Software Foundation.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
|
#
|
|
# This library is loaded by /usr/share/shorewall/compiler when the tunnels file is
|
|
# non-empty.
|
|
#
|
|
|
|
#
|
|
# Set up ipsec tunnels
|
|
#
|
|
setup_tunnels() # $1 = name of tunnels file
|
|
{
|
|
local inchain
|
|
local outchain
|
|
local source
|
|
local dest
|
|
|
|
setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
|
|
{
|
|
local kind=$1 noah=
|
|
|
|
case $kind in
|
|
*:*)
|
|
noah=${kind#*:}
|
|
[ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
|
|
kind=${kind%:*}
|
|
;;
|
|
esac
|
|
|
|
[ $kind = IPSEC ] && kind=ipsec
|
|
|
|
[ $kind = ipsec ] || noah=noah
|
|
|
|
options="-m state --state NEW -j ACCEPT"
|
|
addrule2 $inchain -p 50 $source -j ACCEPT
|
|
addrule2 $outchain -p 50 $dest -j ACCEPT
|
|
|
|
if [ -z "$noah" ]; then
|
|
run_iptables -A $inchain -p 51 $source -j ACCEPT
|
|
run_iptables -A $outchain -p 51 $dest -j ACCEPT
|
|
fi
|
|
|
|
run_iptables -A $outchain -p udp $dest --dport 500 $options
|
|
|
|
if [ $kind = ipsec ]; then
|
|
run_iptables -A $inchain -p udp $source --dport 500 $options
|
|
else
|
|
run_iptables -A $inchain -p udp $source --dport 500 $options
|
|
run_iptables -A $inchain -p udp $source --dport 4500 $options
|
|
fi
|
|
|
|
for z in $(separate_list $2); do
|
|
if validate_zone $z; then
|
|
if [ -z "$POLICY_MATCH" ]; then
|
|
addrule ${z}2${FW} -p 50 $source -j ACCEPT
|
|
addrule ${FW}2${z} -p 50 $dest -j ACCEPT
|
|
if [ -z "$noah" ]; then
|
|
addrule ${z}2${FW} -p 51 $source -j ACCEPT
|
|
addrule ${FW}2${z} -p 51 $dest -j ACCEPT
|
|
fi
|
|
fi
|
|
if [ $kind = ipsec ]; then
|
|
addrule ${z}2${FW} -p udp $source --dport 500 $options
|
|
addrule ${FW}2${z} -p udp $dest --dport 500 $options
|
|
else
|
|
addrule ${z}2${FW} -p udp $source --dport 500 $options
|
|
addrule ${FW}2${z} -p udp $dest --dport 500 $options
|
|
addrule ${z}2${FW} -p udp $source --dport 4500 $options
|
|
addrule ${FW}2${z} -p udp $dest --dport 4500 $options
|
|
fi
|
|
else
|
|
fatal_error "Invalid gateway zone ($z) -- Tunnel \"$tunnel\""
|
|
fi
|
|
done
|
|
|
|
progress_message_and_save " IPSEC tunnel to $gateway defined."
|
|
}
|
|
|
|
setup_one_other() # $1 = TYPE, $2 = protocol
|
|
{
|
|
addrule2 $inchain -p $2 $source -j ACCEPT
|
|
addrule2 $outchain -p $2 $dest -j ACCEPT
|
|
|
|
progress_message_and_save " $1 tunnel to $gateway compiled."
|
|
}
|
|
|
|
setup_pptp_client()
|
|
{
|
|
addrule2 $outchain -p 47 $dest -j ACCEPT
|
|
addrule2 $inchain -p 47 $source -j ACCEPT
|
|
addrule2 $outchain -p tcp --dport 1723 $dest -j ACCEPT
|
|
|
|
progress_message_and_save " PPTP tunnel to $gateway defined."
|
|
}
|
|
|
|
setup_pptp_server()
|
|
{
|
|
addrule2 $inchain -p 47 $source -j ACCEPT
|
|
addrule2 $outchain -p 47 $dest -j ACCEPT
|
|
addrule2 $inchain -p tcp --dport 1723 $source -j ACCEPT
|
|
|
|
progress_message_and_save " PPTP server defined."
|
|
}
|
|
|
|
setup_one_openvpn() # $1 = kind[:port]
|
|
{
|
|
local protocol=udp
|
|
local p=1194
|
|
|
|
case $1 in
|
|
*:*:*)
|
|
protocol=${1%:*}
|
|
protocol=${protocol#*:}
|
|
p=${1##*:}
|
|
;;
|
|
*:tcp|*:udp|*:TCP|*:UDP)
|
|
protocol=${1#*:}
|
|
;;
|
|
*:*)
|
|
p=${1#*:}
|
|
;;
|
|
esac
|
|
|
|
addrule2 $inchain -p $protocol $source --dport $p -j ACCEPT
|
|
addrule2 $outchain -p $protocol $dest --dport $p -j ACCEPT
|
|
|
|
progress_message_and_save " OPENVPN tunnel to $gateway:$protocol:$p defined."
|
|
}
|
|
|
|
setup_one_openvpn_server() # $1 = kind[:port]
|
|
{
|
|
local protocol=udp
|
|
local p=1194
|
|
|
|
case $1 in
|
|
*:*:*)
|
|
protocol=${1%:*}
|
|
protocol=${protocol#*:}
|
|
p=${1##*:}
|
|
;;
|
|
*:tcp|*:udp|*:TCP|*:UDP)
|
|
protocol=${1#*:}
|
|
;;
|
|
*:*)
|
|
p=${1#*:}
|
|
;;
|
|
esac
|
|
|
|
addrule2 $inchain -p $protocol $source --dport $p -j ACCEPT
|
|
addrule2 $outchain -p $protocol $dest --sport $p -j ACCEPT
|
|
|
|
progress_message_and_save " OPENVPN server tunnel from $gateway:$protocol:$p defined."
|
|
}
|
|
|
|
setup_one_openvpn_client() # $1 = kind[:port]
|
|
{
|
|
local protocol=udp
|
|
local p=1194
|
|
|
|
case $1 in
|
|
*:*:*)
|
|
protocol=${1%:*}
|
|
protocol=${protocol#*:}
|
|
p=${1##*:}
|
|
;;
|
|
*:tcp|*:udp|*:TCP|*:UDP)
|
|
protocol=${1#*:}
|
|
;;
|
|
*:*)
|
|
p=${1#*:}
|
|
;;
|
|
esac
|
|
|
|
addrule2 $inchain -p $protocol $source --sport $p -j ACCEPT
|
|
addrule2 $outchain -p $protocol $dest --dport $p -j ACCEPT
|
|
|
|
progress_message_and_save " OPENVPN client tunnel to $gateway:$protocol:$p defined."
|
|
}
|
|
|
|
setup_one_generic() # $1 = kind:protocol[:port]
|
|
{
|
|
local protocol
|
|
local p=
|
|
|
|
case $1 in
|
|
*:*:*)
|
|
p=${1##*:}
|
|
protocol=${1%:*}
|
|
protocol=${protocol#*:}
|
|
;;
|
|
*:*)
|
|
protocol=${1#*:}
|
|
;;
|
|
*)
|
|
protocol=udp
|
|
p=5000
|
|
;;
|
|
esac
|
|
|
|
p=${p:+--dport $p}
|
|
|
|
addrule2 $inchain -p $protocol $source $p -j ACCEPT
|
|
addrule2 $outchain -p $protocol $dest $p -j ACCEPT
|
|
|
|
progress_message_and_save " GENERIC tunnel to $1:$p defined."
|
|
}
|
|
|
|
while read kind z gateway z1; do
|
|
tunnel="$(echo $kind $z $gateway $z1)"
|
|
if validate_zone $z; then
|
|
inchain=${z}2${FW}
|
|
outchain=${FW}2${z}
|
|
gateway=${gateway:-0.0.0.0/0}
|
|
source=$(source_ip_range $gateway)
|
|
dest=$(dest_ip_range $gateway)
|
|
|
|
case $kind in
|
|
ipsec|IPSEC|ipsec:*|IPSEC:*)
|
|
setup_one_ipsec $kind $z1
|
|
;;
|
|
ipsecnat|IPSECNAT|ipsecnat:*|IPSECNAT:*)
|
|
setup_one_ipsec $kind $z1
|
|
;;
|
|
ipip|IPIP)
|
|
setup_one_other IPIP 4
|
|
;;
|
|
gre|GRE)
|
|
setup_one_other GRE 47
|
|
;;
|
|
6to4|6TO4)
|
|
setup_one_other 6to4 41
|
|
;;
|
|
pptpclient|PPTPCLIENT)
|
|
setup_pptp_client
|
|
;;
|
|
pptpserver|PPTPSERVER)
|
|
setup_pptp_server
|
|
;;
|
|
openvpn|OPENVPN|openvpn:*|OPENVPN:*)
|
|
setup_one_openvpn $kind
|
|
;;
|
|
openvpnclient|OPENVPNCLIENT|openvpnclient:*|OPENVPNCLIENT:*)
|
|
setup_one_openvpn_client $kind
|
|
;;
|
|
openvpnserver|OPENVPNSERVER|openvpnserver:*|OPENVPNSERVER:*)
|
|
setup_one_openvpn_server $kind
|
|
;;
|
|
generic:*|GENERIC:*)
|
|
setup_one_generic $kind
|
|
;;
|
|
*)
|
|
error_message "WARNING: Tunnels of type $kind are not supported:" \
|
|
"Tunnel \"$tunnel\" Ignored"
|
|
;;
|
|
esac
|
|
save_command
|
|
else
|
|
error_message "ERROR: Invalid gateway zone ($z)" \
|
|
" -- Tunnel \"$tunnel\" Ignored"
|
|
fi
|
|
done < $TMP_DIR/tunnels
|
|
}
|