"Fossies" - the Fresh Open Source Software Archive

Member "aif-2.1.1/share/arno-iptables-firewall/plugins/50pptp-vpn.plugin" (16 Sep 2020, 6959 Bytes) of package /linux/privat/aif-2.1.1.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "50pptp-vpn.plugin": 2.1.0_vs_2.1.1.

    1 # ------------------------------------------------------------------------------
    2 #             -= Arno's Iptables Firewall(AIF) - PPTP VPN plugin =-
    3 #
    4 PLUGIN_NAME="PPTP VPN plugin"
    5 PLUGIN_VERSION="1.00 BETA"
    6 PLUGIN_CONF_FILE="pptp-vpn.conf"
    7 #
    8 # Last changed          : February 21, 2011
    9 # Requirements          : AIF 2.0.0+
   10 # Comments              : This plugin adds all required rules for using a PPTP Server.
   11 #
   12 # Author                : (C) Copyright 2011 by Lonnie Abelbeck & Arno van Amersfoort
   13 # Homepage              : https://rocky.eld.leidenuniv.nl/
   14 # Email                 : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
   15 #                         (note: you must remove all spaces and substitute the @ and the .
   16 #                         at the proper locations!)
   17 # ------------------------------------------------------------------------------
   18 # This program is free software; you can redistribute it and/or
   19 # modify it under the terms of the GNU General Public License
   20 # version 2 as published by the Free Software Foundation.
   21 #
   22 # This program is distributed in the hope that it will be useful,
   23 # but WITHOUT ANY WARRANTY; without even the implied warranty of
   24 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   25 # GNU General Public License for more details.
   26 #
   27 # You should have received a copy of the GNU General Public License
   28 # along with this program; if not, write to the Free Software
   29 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
   30 # ------------------------------------------------------------------------------
   31 
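# Plugin start function
#
# Installs the PPTP VPN rule set:
#   * three private chains (PPTP_VPN_INPUT, PPTP_VPN_FORWARD_IN,
#     PPTP_VPN_FORWARD_OUT) holding the allow/deny host policy, each ending
#     in an unconditional ACCEPT;
#   * jumps from INPUT/FORWARD into those chains for ppp+ traffic whose
#     address lies in PPTP_VPN_NETS, plus a SPOOF_CHK exemption for it;
#   * EXT_INPUT_CHAIN rules admitting GRE and TCP/1723 (the PPTP control
#     connection) from PPTP_VPN_TUNNEL_HOSTS.
#
# Globals read : EXT_IF, PPTP_VPN_ALLOW_HOSTS, PPTP_VPN_DENY_HOSTS,
#                PPTP_VPN_DENY_LOG, PPTP_VPN_NETS, PPTP_VPN_TUNNEL_HOSTS,
#                LOGLEVEL, INDENT, PLUGIN_NAME
# Calls        : ip_range (AIF core helper) to expand PPTP_VPN_TUNNEL_HOSTS
# Returns      : 0 always.  When EXT_IF contains the wildcard 'ppp+' the
#                plugin prints an error and disables itself instead of
#                treating the uplink as a VPN interface.
#
# Security notes for the maintainer:
#   * The private chains default to ACCEPT, so PPTP_VPN_DENY_HOSTS is the
#     only restriction applied to VPN traffic.  PPTP_VPN_ALLOW_HOSTS merely
#     exempts hosts from the deny list; allow rules are appended before the
#     deny rules, so on overlap the allow wins.
#   * The SPOOF_CHK exemption matches '-i ppp+', not only the VPN links.
#     If an external interface is itself a pppN link, packets arriving on
#     it with a source in PPTP_VPN_NETS skip the spoof check as well; the
#     private chains RETURN for those interfaces, but by then SPOOF_CHK has
#     already been bypassed.  NOTE(review): confirm this is acceptable for
#     setups with a PPP uplink (e.g. PPPoE) before relying on it.
#   * PPTP_VPN_TUNNEL_HOSTS is not validated beyond "non-empty"; a value
#     such as 0/0 exposes TCP/1723 and GRE to the whole internet.
plugin_start()
{
  local host net eif ppp_ifs="" IFS

  # (Re)create the private chains empty.  -N fails harmlessly when the chain
  # survived a previous run; the -F then clears whatever it still holds.
  iptables -N PPTP_VPN_INPUT 2>/dev/null
  iptables -F PPTP_VPN_INPUT

  iptables -N PPTP_VPN_FORWARD_IN 2>/dev/null
  iptables -F PPTP_VPN_FORWARD_IN

  iptables -N PPTP_VPN_FORWARD_OUT 2>/dev/null
  iptables -F PPTP_VPN_FORWARD_OUT

  # Collect external interfaces that are themselves ppp links so they can be
  # excluded from the VPN chains.  A wildcard 'ppp+' uplink cannot be told
  # apart from the VPN links, so the plugin bails out in that case.
  IFS=' ,'
  for eif in $EXT_IF; do
    case $eif in
      ppp+)
        echo "${INDENT}ERROR: Cannot distinguish between external and PPTP-VPN 'ppp+' interfaces."
        echo "${INDENT}       ${PLUGIN_NAME} functionality is disabled."
        return 0
        ;;
      ppp[0-9]*)
        ppp_ifs="$ppp_ifs${ppp_ifs:+ }$eif"
        ;;
    esac
  done

  # Setup PPTP VPN rules.  Order inside the chains is the policy: external
  # ppp exclusions, then allow, then deny, then the catch-all ACCEPT.
  # Loop variables are quoted at the point of use so a stray glob character
  # in the config cannot expand against the current directory.
  if [ -n "$ppp_ifs" ]; then
    echo "${INDENT}Excluding external interfaces '$ppp_ifs' from PPTP VPN"
    IFS=' ,'
    for eif in $ppp_ifs; do
      iptables -A PPTP_VPN_INPUT -i "$eif" -j RETURN
      iptables -A PPTP_VPN_FORWARD_IN -i "$eif" -j RETURN
      iptables -A PPTP_VPN_FORWARD_OUT -o "$eif" -j RETURN
    done
  fi
  if [ -n "$PPTP_VPN_ALLOW_HOSTS" ]; then
    echo "${INDENT}Allowing PPTP VPN packets to hosts: $PPTP_VPN_ALLOW_HOSTS"
    IFS=' ,'
    for host in $PPTP_VPN_ALLOW_HOSTS; do
      iptables -A PPTP_VPN_INPUT -d "$host" -j ACCEPT
      iptables -A PPTP_VPN_FORWARD_IN -d "$host" -j ACCEPT
      iptables -A PPTP_VPN_FORWARD_OUT -s "$host" -j ACCEPT
    done
  fi
  if [ -n "$PPTP_VPN_DENY_HOSTS" ]; then
    echo "${INDENT}Denying PPTP VPN packets to hosts: $PPTP_VPN_DENY_HOSTS"
    IFS=' ,'
    for host in $PPTP_VPN_DENY_HOSTS; do
      # Optional rate-limited (3/min per rule) log line ahead of the DROP.
      if [ "$PPTP_VPN_DENY_LOG" = "1" ]; then
        iptables -A PPTP_VPN_INPUT -d "$host" -m limit --limit 3/m -j LOG \
                 --log-level "$LOGLEVEL" --log-prefix "AIF:PPTP-VPN denied: "
        iptables -A PPTP_VPN_FORWARD_IN -d "$host" -m limit --limit 3/m -j LOG \
                 --log-level "$LOGLEVEL" --log-prefix "AIF:PPTP-VPN denied: "
        iptables -A PPTP_VPN_FORWARD_OUT -s "$host" -m limit --limit 3/m -j LOG \
                 --log-level "$LOGLEVEL" --log-prefix "AIF:PPTP-VPN denied: "
      fi
      iptables -A PPTP_VPN_INPUT -d "$host" -j DROP
      iptables -A PPTP_VPN_FORWARD_IN -d "$host" -j DROP
      iptables -A PPTP_VPN_FORWARD_OUT -s "$host" -j DROP
    done
  fi
  # Default policy, allow all the rest
  iptables -A PPTP_VPN_INPUT -j ACCEPT
  iptables -A PPTP_VPN_FORWARD_IN -j ACCEPT
  iptables -A PPTP_VPN_FORWARD_OUT -j ACCEPT

  # Filter ppp+ traffic related to the PPTP VPN
  if [ -n "$PPTP_VPN_NETS" ]; then
    echo "${INDENT}Applying rules for PPTP VPN nets $PPTP_VPN_NETS"
    IFS=' ,'
    for net in $PPTP_VPN_NETS; do
      # Adjust spoof check: exempt VPN-net sources on any ppp+ interface from
      # SPOOF_CHK (inserted at the top so it runs before the core checks).
      # See the header note: this also covers pppN uplinks listed in EXT_IF.
      iptables -I SPOOF_CHK -i ppp+ -s "$net" -j RETURN

      # Insert rule in the INPUT chain
      iptables -A INPUT -i ppp+ -s "$net" -j PPTP_VPN_INPUT

      # Insert rules in the FORWARD chain
      iptables -A FORWARD -i ppp+ -s "$net" -j PPTP_VPN_FORWARD_IN
      iptables -A FORWARD -o ppp+ -d "$net" -j PPTP_VPN_FORWARD_OUT
    done
  fi

  # Open the PPTP service itself on the external side: GRE carries the tunnel
  # payload, TCP/1723 is the control connection.  Only the listed sources
  # get in; nothing here restricts what they may do once connected.
  echo "${INDENT}Allowing internet hosts $PPTP_VPN_TUNNEL_HOSTS to access the PPTP VPN service"
  IFS=' ,'
  for host in $(ip_range "$PPTP_VPN_TUNNEL_HOSTS"); do
    iptables -A EXT_INPUT_CHAIN -p gre -s "$host" -j ACCEPT
    iptables -A EXT_INPUT_CHAIN -p tcp --dport 1723 -s "$host" -j ACCEPT
  done

  return 0
}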
  127 
  128 
# Plugin restart function
#
# A restart is simply a fresh start: plugin_stop is intentionally not called
# first, and the exit status of plugin_start is discarded, so a restart
# always reports success to the caller.
plugin_restart()
{
  plugin_start
  return 0
}
  138 
  139 
# Plugin stop function
#
# Tears down the three private chains created by plugin_start: each one is
# flushed and then deleted.  The delete is silenced because -X fails while
# another chain still jumps to the one being removed, or when the chain is
# already gone.  The jump rules plugin_start added to SPOOF_CHK, INPUT,
# FORWARD and EXT_INPUT_CHAIN are not removed here; presumably the AIF core
# flushes those built-in chains itself on stop -- verify against the core
# script before relying on plugin_stop alone.
#
# Returns: 0 always.
plugin_stop()
{
  local chain

  for chain in PPTP_VPN_INPUT PPTP_VPN_FORWARD_IN PPTP_VPN_FORWARD_OUT; do
    iptables -F "$chain"
    iptables -X "$chain" 2>/dev/null
  done

  return 0
}
  155 
  156 
# Plugin status function
#
# This plugin keeps no live state worth reporting, so the status command is
# a no-op that prints nothing and always succeeds.
plugin_status()
{
  :
  return 0
}
  162 
  163 
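# Check sanity of eg. environment
#
# Verifies the minimum configuration plugin_start needs: PPTP_VPN_TUNNEL_HOSTS
# must be non-empty, since it is the source filter for the GRE and TCP/1723
# accept rules.  Nothing beyond "non-empty" is checked, so a value like 0/0
# is accepted and opens the PPTP service to every internet host.
#
# Globals read : PPTP_VPN_TUNNEL_HOSTS, INDENT
# Outputs      : coloured error line on stderr when the check fails
# Returns      : 0 when sane, 1 otherwise (the mainline then skips the command)
plugin_sanity_check()
{
  # Sanity check
  if [ -z "$PPTP_VPN_TUNNEL_HOSTS" ]; then
    # INDENT is passed as a %s argument rather than spliced into the format
    # string, so it can never be misread as a printf directive.
    printf '\033[40m\033[1;31m%sERROR: The plugin config file is not properly set!\033[0m\n' "$INDENT" >&2
    return 1
  fi

  return 0
}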
  175 
  176 
  177 ############
  178 # Mainline #
  179 ############
  180 
  181 # Check where to find the config file
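CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  # The path and plugin identity go through %s so a '%' or backslash in them
  # cannot be interpreted as part of the printf format.
  printf 'NOTE: Config file "%s" not found!\n        Plugin "%s v%s" ignored!\n' \
         "$CONF_FILE" "$PLUGIN_NAME" "$PLUGIN_VERSION" >&2
else
  # Source the plugin config file.  This executes the file as shell code with
  # the firewall's privileges: anyone who can write it can run commands here,
  # so it must be owned by root and not writable by anyone else.
  . "$CONF_FILE"

  # Run when: enabled and not a stop-restart; disabled and a stop-restart
  # (so a freshly disabled plugin still gets torn down); or the core is
  # driving a 'stop'/'status' through PLUGIN_LOAD_FILE.  Separate tests
  # instead of the deprecated '-a' keep the grouping unambiguous.
  if { [ "$ENABLED" = "1" ] && [ "$PLUGIN_CMD" != "stop-restart" ]; } ||
     { [ "$ENABLED" = "0" ] && [ "$PLUGIN_CMD" = "stop-restart" ]; } ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "stop" ]; } ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "status" ]; }; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        restart ) plugin_restart; PLUGIN_RET_VAL=$? ;;
        stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$? ;;
        *       ) PLUGIN_RET_VAL=1; printf '\033[40m\033[1;31m%sERROR: Invalid plugin option "%s"!\033[0m\n' "$INDENT" "$PLUGIN_CMD" >&2 ;;
      esac
    fi
  fi
fi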