"Fossies" - the Fresh Open Source Software Archive

Member "aif-2.1.1/share/arno-iptables-firewall/plugins/50ipsec-vpn.plugin" (16 Sep 2020, 6206 Bytes) of package /linux/privat/aif-2.1.1.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "50ipsec-vpn.plugin": 2.1.0_vs_2.1.1.

    1 # ------------------------------------------------------------------------------
    2 #             -= Arno's Iptables Firewall(AIF) - IPsec VPN plugin =-
    3 #
    4 PLUGIN_NAME="IPsec VPN plugin"
    5 PLUGIN_VERSION="0.85"
    6 PLUGIN_CONF_FILE="ipsec-vpn.conf"
    7 #
    8 # Last changed          : July 12, 2016
    9 # Requirements          : AIF 2.0.0+ and kernel 2.6 + ipt_policy + iptable_nat
   10 # Comments              : This plugin adds all required rules for using Racoon IPSEC.
   11 #
   12 # Author                : (C) Copyright 2006-2016 by Philip Prindeville & Arno van Amersfoort
   13 # Homepage              : https://rocky.eld.leidenuniv.nl/
   14 # Email                 : philipp AT redfish-solutions DOT com
   15 #                         (note: you must remove all spaces and substitute the @ and the .
   16 #                         at the proper locations!)
   17 # ------------------------------------------------------------------------------
   18 # This program is free software; you can redistribute it and/or
   19 # modify it under the terms of the GNU General Public License
   20 # version 2 as published by the Free Software Foundation.
   21 #
   22 # This program is distributed in the hope that it will be useful,
   23 # but WITHOUT ANY WARRANTY; without even the implied warranty of
   24 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   25 # GNU General Public License for more details.
   26 #
   27 # You should have received a copy of the GNU General Public License
   28 # along with this program; if not, write to the Free Software
   29 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
   30 # ------------------------------------------------------------------------------
   31 
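# Plugin start function
#
# Installs every rule this plugin needs:
#   1. VPN_INPUT / VPN_FORWARD chains that receive decapsulated IPsec traffic
#      (filtered by IPSEC_VPN_NETS when set, otherwise ACCEPT-all);
#   2. EXT_INPUT_CHAIN accepts for IKE (udp/500), ESP, AH and, when
#      IPSEC_NAT_TRAVERSAL=1, NAT-T (udp/4500) from IPSEC_ALLOWED_HOSTS;
#   3. SPOOF_CHK exemptions for IPsec-protected packets with an INTERNAL_NET
#      source address arriving on EXT_IF;
#   4. nat-table bypasses so IPsec traffic is neither DNAT'ed on the way in
#      nor masqueraded on the way out;
#   5. jumps from INPUT / FORWARD into the VPN_* chains.
#
# Globals read : IPSEC_VPN_NETS IPSEC_ALLOWED_HOSTS IPSEC_NAT_TRAVERSAL
#                IPV6_SUPPORT EXT_IF NAT_IF INTERNAL_NET INDENT
# Helpers      : modprobe_multi, iptables/ip4tables/ip6tables wrappers,
#                ip_range, get_numeric_ip_version (all provided by AIF)
# Returns      : 0
#
# NOTE: "iptables" is AIF's wrapper, used elsewhere in this file for rules
# that apply to both address families; ip4tables/ip6tables are used only
# where the ESP/AH match syntax differs per family.
plugin_start()
{
  local eif net vnet host ipver cnt IFS

  modprobe_multi xt_policy ipt_policy  # Allows use of policy match
  modprobe iptable_nat                 # We need the NAT table

  # (Re)create our own chains; -N fails harmlessly when they already exist.
  iptables -N VPN_INPUT 2>/dev/null
  iptables -F VPN_INPUT

  iptables -N VPN_FORWARD 2>/dev/null
  iptables -F VPN_FORWARD

  # If the user has specified a subset of remote networks, only allow those.
  # This matches the *inner* (decapsulated) source address, so binding a
  # given inner network to a given peer is up to the IPsec policy (SPD
  # selectors), not to these rules.
  if [ -n "$IPSEC_VPN_NETS" ]; then
    echo "${INDENT}Applying rules for VPN nets $IPSEC_VPN_NETS"
    IFS=' ,'
    for vnet in $IPSEC_VPN_NETS; do
      iptables -A VPN_INPUT -s "$vnet" -j ACCEPT
      iptables -A VPN_FORWARD -s "$vnet" -j ACCEPT
    done
    iptables -A VPN_INPUT -j DROP
    iptables -A VPN_FORWARD -j DROP
  else
    # Otherwise, we allow everything: any peer that completes IKE with this
    # host gets unfiltered access to the host itself and to anything it
    # forwards.  Set IPSEC_VPN_NETS unless that level of trust is intended.
    iptables -A VPN_INPUT -j ACCEPT
    iptables -A VPN_FORWARD -j ACCEPT
  fi

  # Don't apply the usual filters for the external interface on
  # traffic that's just been decapsulated.  We treat it mostly like
  # internal traffic.
  # iptables -A EXT_INPUT_CHAIN -m policy --pol ipsec --dir in -j VPN_INPUT
  # (unnecessary since the -A INPUT...-j VPN_INPUT rule below supersedes this rule)

  # Let the allowed peers reach the IPsec service itself.  ip_range is an
  # AIF helper; it presumably expands ranges/hostnames in the list.
  echo "${INDENT}Allowing internet hosts $IPSEC_ALLOWED_HOSTS to access the VPN service"
  IFS=' ,'
  for host in $(ip_range "$IPSEC_ALLOWED_HOSTS"); do
    iptables -A EXT_INPUT_CHAIN -p udp --dport 500 -s "$host" -j ACCEPT
    # 4 = IPv4, 6 = IPv6; any other value (0) is treated as "could be
    # either" and gets rules for both families.
    get_numeric_ip_version "$host"
    ipver=$?
    if [ "$ipver" -eq 4 ] || [ "$ipver" -eq 0 ]; then
      ip4tables -A EXT_INPUT_CHAIN -p esp -s "$host" -j ACCEPT
      ip4tables -A EXT_INPUT_CHAIN -p ah -s "$host" -j ACCEPT
    fi
    if [ "$IPV6_SUPPORT" = "1" ]; then
      if [ "$ipver" -eq 6 ] || [ "$ipver" -eq 0 ]; then
        # IPv6 ESP needs both the protocol and the match module; AH is an
        # extension header and is selected by the ah match alone.
        ip6tables -A EXT_INPUT_CHAIN -m esp -p esp -s "$host" -j ACCEPT
        ip6tables -A EXT_INPUT_CHAIN -m ah -s "$host" -j ACCEPT
      fi
    fi

    # NAT-T (UDP-encapsulated ESP) only when explicitly enabled.
    if [ "$IPSEC_NAT_TRAVERSAL" = "1" ]; then
      iptables -A EXT_INPUT_CHAIN -p udp --dport 4500 -s "$host" -j ACCEPT
    fi
  done

  # Decapsulated packets with an internal source address show up on the
  # external interface; exempt them from SPOOF_CHK, but only when the kernel
  # confirms they arrived under an IPsec policy.  Inserting at increasing
  # positions keeps the configured order at the top of the chain.
  cnt=0
  IFS=' ,'
  for eif in $EXT_IF; do
    for net in $INTERNAL_NET; do
      cnt=$((cnt + 1))
      iptables -I SPOOF_CHK "$cnt" -i "$eif" -s "$net" -m policy --pol ipsec --dir in -j RETURN
    done
  done

  IFS=' ,'
  for eif in ${NAT_IF:-$EXT_IF}; do
    # Allow IPSEC packets in after decapsulation (skip DNAT rules)
    ip4tables -t nat -A PREROUTING -i "$eif" -m policy --pol ipsec --dir in -j ACCEPT

    # Do not apply masquerading to outbound traffic that will be encrypted
    ip4tables -t nat -A POSTROUTING -o "$eif" -m policy --pol ipsec --dir out -j ACCEPT
  done

  # Finally hand decapsulated traffic on the external interface(s) to our
  # chains.  These are appended, so they sit after AIF's own INPUT/FORWARD
  # rules.
  IFS=' ,'
  for eif in $EXT_IF; do
    iptables -A FORWARD -i "$eif" -m policy --pol ipsec --dir in -j VPN_FORWARD
    iptables -A INPUT -i "$eif" -m policy --pol ipsec --dir in -j VPN_INPUT
  done

  return 0
}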
  116 
  117 
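# Plugin stop function
#
# Undoes what plugin_start() added to the shared chains (INPUT, FORWARD,
# EXT_INPUT_CHAIN, SPOOF_CHK and the nat table) and then removes the
# plugin's own VPN_INPUT / VPN_FORWARD chains.  The jumps from INPUT and
# FORWARD are removed first, because iptables refuses to delete (-X) a
# chain that is still referenced.
#
# Deletions from the shared chains are best-effort (stderr suppressed):
# the firewall may already have flushed those chains by the time a plugin
# is stopped — TODO confirm against the main script's stop sequence.
#
# Globals read : IPSEC_ALLOWED_HOSTS IPSEC_NAT_TRAVERSAL IPV6_SUPPORT
#                EXT_IF NAT_IF INTERNAL_NET
# Returns      : 0
plugin_stop()
{
  local eif net host ipver IFS

  # 1. Drop the jumps into our chains so they can be deleted below.
  IFS=' ,'
  for eif in $EXT_IF; do
    iptables -D FORWARD -i "$eif" -m policy --pol ipsec --dir in -j VPN_FORWARD 2>/dev/null
    iptables -D INPUT -i "$eif" -m policy --pol ipsec --dir in -j VPN_INPUT 2>/dev/null
  done

  # 2. Remove our own chains.
  iptables -F VPN_INPUT
  iptables -X VPN_INPUT 2>/dev/null
  iptables -F VPN_FORWARD
  iptables -X VPN_FORWARD 2>/dev/null

  # 3. nat-table bypasses (mirror of plugin_start).
  IFS=' ,'
  for eif in ${NAT_IF:-$EXT_IF}; do
    ip4tables -t nat -D PREROUTING -i "$eif" -m policy --pol ipsec --dir in -j ACCEPT 2>/dev/null
    ip4tables -t nat -D POSTROUTING -o "$eif" -m policy --pol ipsec --dir out -j ACCEPT 2>/dev/null
  done

  # 4. IKE/ESP/AH/NAT-T accepts for the allowed peers (mirror of plugin_start).
  IFS=' ,'
  for host in $(ip_range "$IPSEC_ALLOWED_HOSTS"); do
    iptables -D EXT_INPUT_CHAIN -p udp --dport 500 -s "$host" -j ACCEPT 2>/dev/null
    get_numeric_ip_version "$host"
    ipver=$?
    if [ "$ipver" -eq 4 ] || [ "$ipver" -eq 0 ]; then
      ip4tables -D EXT_INPUT_CHAIN -p esp -s "$host" -j ACCEPT 2>/dev/null
      ip4tables -D EXT_INPUT_CHAIN -p ah -s "$host" -j ACCEPT 2>/dev/null
    fi
    if [ "$IPV6_SUPPORT" = "1" ]; then
      if [ "$ipver" -eq 6 ] || [ "$ipver" -eq 0 ]; then
        ip6tables -D EXT_INPUT_CHAIN -m esp -p esp -s "$host" -j ACCEPT 2>/dev/null
        ip6tables -D EXT_INPUT_CHAIN -m ah -s "$host" -j ACCEPT 2>/dev/null
      fi
    fi
    if [ "$IPSEC_NAT_TRAVERSAL" = "1" ]; then
      iptables -D EXT_INPUT_CHAIN -p udp --dport 4500 -s "$host" -j ACCEPT 2>/dev/null
    fi
  done

  # 5. Anti-spoof exemptions.
  IFS=' ,'
  for eif in $EXT_IF; do
    for net in $INTERNAL_NET; do
      iptables -D SPOOF_CHK -i "$eif" -s "$net" -m policy --pol ipsec --dir in -j RETURN 2>/dev/null
    done
  done

  return 0
}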
  137 
  138 
# Plugin status function
#
# This plugin has no status of its own to report; the hook exists only so
# the plugin interface is complete.  Always succeeds (exit status 0).
plugin_status()
{
  :
}
  144 
  145 
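# Check sanity of eg. environment
#
# Refuses to run when IPSEC_ALLOWED_HOSTS is empty: plugin_start() derives
# every IKE/ESP/AH accept rule from that list, so an empty value almost
# always means the plugin config file was enabled but never edited.
#
# Globals read : IPSEC_ALLOWED_HOSTS INDENT
# Outputs      : error message on stderr when the check fails
# Returns      : 0 when the environment looks usable, 1 otherwise
plugin_sanity_check()
{
  # Sanity check
  if [ -z "$IPSEC_ALLOWED_HOSTS" ]; then
    # INDENT is passed as an argument rather than spliced into the format
    # string, so the format cannot be altered by its contents.
    printf "\033[40m\033[1;31m%sERROR: The plugin config file is not properly set!\033[0m\n" "$INDENT" >&2
    return 1
  fi

  return 0
}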
  157 
  158 
  159 ############
  160 # Mainline #
  161 ############
  162 
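# Check where to find the config file.  PLUGIN_CONF_PATH is supplied by the
# AIF plugin loader; without it there is nothing to load.
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  # Path and plugin name go through %s so a '%' or '\' in them cannot be
  # interpreted as a printf directive.
  printf "NOTE: Config file \"%s\" not found!\n        Plugin \"%s v%s\" ignored!\n" "$CONF_FILE" "$PLUGIN_NAME" "$PLUGIN_VERSION" >&2
else
  # Source the plugin config file.  It is executed as shell code with the
  # firewall's privileges, so it must only be writable by the administrator.
  . "$CONF_FILE"

  # Run when enabled; "stop" and "status" also run for a plugin that was
  # loaded earlier (PLUGIN_LOAD_FILE set) but has since been disabled, so
  # its rules can still be torn down / inspected.
  if [ "$ENABLED" = "1" ] ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "stop" ]; } ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "status" ]; }; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case "$PLUGIN_CMD" in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop    ) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$? ;;
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m  ERROR: Invalid plugin option \"%s\"!\033[0m\n" "$PLUGIN_CMD" >&2 ;;
      esac
    fi
  fi
fi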