custom leftupdown IPSec script
#!/bin/sh
# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
# Copyright (C) 2002-2004 Michael Richardson
# Copyright (C) 2005-2007 Andreas Steffen <[email protected]>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# CAUTION: Installing a new version of strongSwan will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
# is upwardly compatible with version 1.0.
#
# PLUTO_VERB
# specifies the name of the operation to be performed
# (prepare-host, prepare-client, up-host, up-client,
# down-host, or down-client). If the address family
# for security gateway to security gateway communica-
# tions is IPv6, then a suffix of -v6 is added to the
# verb.
#
# PLUTO_CONNECTION
# is the name of the connection for which we are
# routing.
#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
# is the reqid of the AH|ESP policy
#
# PLUTO_PROTO
# is the negotiated IPsec protocol, ah|esp
#
# PLUTO_IPCOMP
# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
# is the IP address of our host.
#
# PLUTO_MY_ID
# is the ID of our host.
#
# PLUTO_MY_CLIENT
# is the IP address / count of our client subnet. If
# the client is just the host, this will be the
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
# contains IPv4/IPv6 virtual IP received from a responder,
# $i enumerates from 1 to the number of IP per address family.
# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
# virtual IP, IPv4 or IPv6.
#
# PLUTO_MY_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
# restricted on our side. For ICMP/ICMPv6 this contains the
# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
#
# PLUTO_PEER_ID
# is the ID of our peer.
#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
# PLUTO_PEER_SOURCEIP
# PLUTO_PEER_SOURCEIP4_$i
# PLUTO_PEER_SOURCEIP6_$i
# contains IPv4/IPv6 virtual IP sent to an initiator,
# $i enumerates from 1 to the number of IP per address family.
# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
# virtual IP, IPv4 or IPv6.
#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
# restricted on the peer side. For ICMP/ICMPv6 this contains the
# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
#
# PLUTO_MARK_IN
# is an optional XFRM mark set on the inbound IPsec SA
#
# PLUTO_MARK_OUT
# is an optional XFRM mark set on the outbound IPsec SA
#
# PLUTO_IF_ID_IN
# is an optional XFRM interface ID set on the inbound IPsec SA
#
# PLUTO_IF_ID_OUT
# is an optional XFRM interface ID set on the outbound IPsec SA
#
# PLUTO_UDP_ENC
# contains the remote UDP port in the case of ESP_IN_UDP
# encapsulation
#
# PLUTO_DNS4_$i
# PLUTO_DNS6_$i
# contains IPv4/IPv6 DNS server attribute received from a
# responder, $i enumerates from 1 to the number of servers per
# address family.
#
# define a minimum PATH environment in case it is not set
# NOTE(review): "@sbindir@" looks like an unsubstituted build-time
# placeholder; the installed copy of the default script would carry the
# real sbin directory here. It is harmless (a directory that does not
# exist is simply skipped), but worth replacing in this custom copy.
export PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
# Syslog settings for the connection setup/teardown log lines emitted by
# the ":iptables" arms below.
#
# VPN_LOGGING: comment this line out to disable logging VPN connections
# to syslog (the arms test it with "[ $VPN_LOGGING ]", so an unset or empty
# value turns logging off).
VPN_LOGGING=1
#
# TAG: put in front of each log entry (logger -t)
TAG=vpn
#
# FAC_PRIO: syslog facility and priority used (logger -p)
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice -/var/log/vpn
# check interface version
# Exits with status 2 unless PLUTO_VERSION is an accepted 1.x value.
# NOTE(review): "1.[0|1]" is a bracket expression matching one of the
# characters '0', '|' or '1', so "1.0" and "1.1" both land in the
# "obsolete" arm and only later 1.x values pass -- confirm this against
# the PLUTO_VERSION the daemon actually exports before relying on this copy.
case "$PLUTO_VERSION" in
  1.[0|1])
    # Older release?!? Play it safe, script may be using new features.
    printf "%s: obsolete interface version \`%s',\n" "$0" "$PLUTO_VERSION" >&2
    printf "%s: called by obsolete release?\n" "$0" >&2
    exit 2
    ;;
  1.*)
    ;;
  *)
    printf "%s: unknown interface version \`%s'\n" "$0" "$PLUTO_VERSION" >&2
    exit 2
    ;;
esac
# check parameter(s)
# Accept exactly the invocations the default script understands: no
# parameters at all, the single word "iptables" (passed because of
# (left/right)firewall=yes; meaningful for the default script only), or
# "custom" followed by anything (see the CAUTION comment above).
# Anything else is rejected with exit status 2.
case "$1:$*" in
  ':'|iptables:iptables|custom:*)
    ;;
  *)
    printf "%s: unknown parameters \`%s'\n" "$0" "$*" >&2
    exit 2
    ;;
esac
# iptables policy match shared by every firewall rule below: only traffic
# protected by this SA's AH/ESP policy, identified by its reqid, matches.
IPSEC_POLICY="-m policy --pol ipsec --proto ${PLUTO_PROTO} --reqid ${PLUTO_REQID}"
# inbound and outbound variants of the same match
IPSEC_POLICY_IN="${IPSEC_POLICY} --dir in"
IPSEC_POLICY_OUT="${IPSEC_POLICY} --dir out"
# use protocol specific options to set ports
# For ICMP (1) and ICMPv6 (58) the "port" variables carry a message type,
# so the matching iptables option is selected here; for every other
# protocol ICMP_TYPE_OPTION is left untouched (unset) and --sport/--dport
# are used instead.
if [ "$PLUTO_MY_PROTOCOL" = 1 ]
then
  ICMP_TYPE_OPTION="--icmp-type"
elif [ "$PLUTO_MY_PROTOCOL" = 58 ]
then
  ICMP_TYPE_OPTION="--icmpv6-type"
fi
# are there port numbers?
# Builds the per-side port/type options used by the iptables rules below.
# The values are multi-word strings ("--sport 500") and are deliberately
# expanded unquoted later so that iptables receives them as two arguments.
# A port of 0 means "not restricted" and leaves the variable unset.
if [ -n "$ICMP_TYPE_OPTION" ]
then
  # ICMP/ICMPv6: PLUTO_MY_PORT is the message type, PLUTO_PEER_PORT the
  # message code; the syntax is --icmp[v6]-type type[/code], so the code is
  # appended to the existing option rather than given as a peer port.
  # NOTE(review): if PLUTO_MY_PORT is 0 but PLUTO_PEER_PORT is not, this
  # yields "/code" with no option in front of it, as in the original.
  if [ "$PLUTO_MY_PORT" != 0 ]
  then
    S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
    D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
  fi
  if [ "$PLUTO_PEER_PORT" != 0 ]
  then
    S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
    D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
  fi
else
  # TCP/UDP and everything else: plain source/destination port matches
  if [ "$PLUTO_MY_PORT" != 0 ]
  then
    S_MY_PORT="--sport $PLUTO_MY_PORT"
    D_MY_PORT="--dport $PLUTO_MY_PORT"
  fi
  if [ "$PLUTO_PEER_PORT" != 0 ]
  then
    S_PEER_PORT="--sport $PLUTO_PEER_PORT"
    D_PEER_PORT="--dport $PLUTO_PEER_PORT"
  fi
fi
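# Per-verb actions. The parameter-less arms ("$PLUTO_VERB:") are where a
# custom updown script adds its own commands; the ":iptables" arms are the
# stock (left/right)firewall=yes handling of the default script and are
# kept verbatim.
#
# Expansions such as $S_MY_PORT, $D_PEER_PORT and $IPSEC_POLICY_IN are
# multi-word option strings built above and are intentionally left
# unquoted so that iptables receives each word as a separate argument.
#
# Custom behaviour in this copy (IPv4 client-subnet arms only; the -v6 arms
# are empty): while the connection is up, a policy rule at a fixed
# priority sends traffic destined for the local LAN through the main
# routing table. Priority 219 presumably sorts it ahead of the rule the
# daemon installs for its own routing table -- confirm with "ip rule show".
# Both values are site-specific; change them for your own LAN.
LAN_NET="192.168.178.0/24"
LAN_RULE_PRIO=219

case "$PLUTO_VERB:$1" in
up-host:)
  # connection to me coming up
  # If you are doing a custom version, firewall commands go here.
  ;;
down-host:)
  # connection to me going down
  # If you are doing a custom version, firewall commands go here.
  ;;
up-client:)
  # connection to my client subnet coming up
  # Keep the local LAN reachable via the main table while the tunnel is up.
  # The script does not run under "set -e", so a failed add would otherwise
  # go unnoticed; report it on stderr instead of ignoring it.
  # NOTE(review): this arm presumably runs once per CHILD_SA; with several
  # children on one connection the first down-client removes the rule while
  # the others are still up -- confirm against your configuration.
  if ! ip rule add priority "$LAN_RULE_PRIO" to "$LAN_NET" lookup main
  then
    echo "$0: failed to add ip rule priority $LAN_RULE_PRIO to $LAN_NET" >&2
  fi
  ;;
down-client:)
  # connection to my client subnet going down
  # Delete by the full selector rather than by priority alone, so an
  # unrelated rule that happens to sit at the same priority is left alone.
  if ! ip rule delete priority "$LAN_RULE_PRIO" to "$LAN_NET" lookup main
  then
    echo "$0: failed to delete ip rule priority $LAN_RULE_PRIO to $LAN_NET" >&2
  fi
  ;;
up-host:iptables)
  # connection to me, with (left/right)firewall=yes, coming up
  # This is used only by the default updown script, not by your custom
  # ones, so do not mess with it; see CAUTION comment up at top.
  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
  #
  # allow IPIP traffic because of the implicit SA created by the kernel if
  # IPComp is used (for small inbound packets that are not compressed)
  if [ -n "$PLUTO_IPCOMP" ]
  then
    iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
  fi
  #
  # log IPsec host connection setup
  if [ $VPN_LOGGING ]
  then
    if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
    then
      logger -t $TAG -p $FAC_PRIO \
        "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
    else
      logger -t $TAG -p $FAC_PRIO \
        "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
    fi
  fi
  ;;
down-host:iptables)
  # connection to me, with (left/right)firewall=yes, going down
  # This is used only by the default updown script, not by your custom
  # ones, so do not mess with it; see CAUTION comment up at top.
  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
  #
  # IPIP exception teardown
  if [ -n "$PLUTO_IPCOMP" ]
  then
    iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
  fi
  #
  # log IPsec host connection teardown
  # ("--" keeps logger from reading the leading "-" of the message as an option)
  if [ $VPN_LOGGING ]
  then
    if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
    then
      logger -t $TAG -p $FAC_PRIO -- \
        "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
    else
      logger -t $TAG -p $FAC_PRIO -- \
        "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
    fi
  fi
  ;;
up-client:iptables)
  # connection to client subnet, with (left/right)firewall=yes, coming up
  # This is used only by the default updown script, not by your custom
  # ones, so do not mess with it; see CAUTION comment up at top.
  if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
  then
    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
      -s $PLUTO_MY_CLIENT $S_MY_PORT \
      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
  fi
  #
  # a virtual IP requires an INPUT and OUTPUT rule on the host
  # or sometimes host access via the internal IP is needed
  if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
  then
    iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
    iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
      -s $PLUTO_MY_CLIENT $S_MY_PORT \
      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
  fi
  #
  # allow IPIP traffic because of the implicit SA created by the kernel if
  # IPComp is used (for small inbound packets that are not compressed).
  # INPUT is correct here even for forwarded traffic.
  if [ -n "$PLUTO_IPCOMP" ]
  then
    iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
  fi
  #
  # log IPsec client connection setup
  if [ $VPN_LOGGING ]
  then
    if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
    then
      logger -t $TAG -p $FAC_PRIO \
        "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
    else
      logger -t $TAG -p $FAC_PRIO \
        "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
    fi
  fi
  ;;
down-client:iptables)
  # connection to client subnet, with (left/right)firewall=yes, going down
  # This is used only by the default updown script, not by your custom
  # ones, so do not mess with it; see CAUTION comment up at top.
  if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
  then
    iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
      -s $PLUTO_MY_CLIENT $S_MY_PORT \
      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
      $IPSEC_POLICY_OUT -j ACCEPT
    iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
      -d $PLUTO_MY_CLIENT $D_MY_PORT \
      $IPSEC_POLICY_IN -j ACCEPT
  fi
  #
  # a virtual IP requires an INPUT and OUTPUT rule on the host
  # or sometimes host access via the internal IP is needed
  if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
  then
    iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
      -d $PLUTO_MY_CLIENT $D_MY_PORT \
      $IPSEC_POLICY_IN -j ACCEPT
    iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
      -s $PLUTO_MY_CLIENT $S_MY_PORT \
      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
      $IPSEC_POLICY_OUT -j ACCEPT
  fi
  #
  # IPIP exception teardown
  if [ -n "$PLUTO_IPCOMP" ]
  then
    iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
  fi
  #
  # log IPsec client connection teardown
  if [ $VPN_LOGGING ]
  then
    if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
    then
      logger -t $TAG -p $FAC_PRIO -- \
        "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
    else
      logger -t $TAG -p $FAC_PRIO -- \
        "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
    fi
  fi
  ;;
#
# IPv6
#
up-host-v6:)
  # connection to me coming up
  # If you are doing a custom version, firewall commands go here.
  ;;
down-host-v6:)
  # connection to me going down
  # If you are doing a custom version, firewall commands go here.
  ;;
up-client-v6:)
  # connection to my client subnet coming up
  # If you are doing a custom version, firewall commands go here.
  # (No IPv6 counterpart of the LAN rule is installed in this copy.)
  ;;
down-client-v6:)
  # connection to my client subnet going down
  # If you are doing a custom version, firewall commands go here.
  ;;
up-host-v6:iptables)
  # connection to me, with (left/right)firewall=yes, coming up
  # This is used only by the default updown script, not by your custom
  # ones, so do not mess with it; see CAUTION comment up at top.
  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
  #
  # allow IP6IP6 traffic because of the implicit SA created by the kernel if
  # IPComp is used (for small inbound packets that are not compressed)
  if [ -n "$PLUTO_IPCOMP" ]
  then
    ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
  fi
  #
  # log IPsec host connection setup
  if [ $VPN_LOGGING ]
  then
    if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
    then
      logger -t $TAG -p $FAC_PRIO \
        "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
    else
      logger -t $TAG -p $FAC_PRIO \
        "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
    fi
  fi
  ;;
down-host-v6:iptables)
  # connection to me, with (left/right)firewall=yes, going down
  # This is used only by the default updown script, not by your custom
  # ones, so do not mess with it; see CAUTION comment up at top.
  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
  #
  # IP6IP6 exception teardown
  if [ -n "$PLUTO_IPCOMP" ]
  then
    ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
  fi
  #
  # log IPsec host connection teardown
  if [ $VPN_LOGGING ]
  then
    if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
    then
      logger -t $TAG -p $FAC_PRIO -- \
        "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
    else
      logger -t $TAG -p $FAC_PRIO -- \
        "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
    fi
  fi
  ;;
up-client-v6:iptables)
  # connection to client subnet, with (left/right)firewall=yes, coming up
  # This is used only by the default updown script, not by your custom
  # ones, so do not mess with it; see CAUTION comment up at top.
  if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
  then
    ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
      -s $PLUTO_MY_CLIENT $S_MY_PORT \
      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
    ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
  fi
  #
  # a virtual IP requires an INPUT and OUTPUT rule on the host
  # or sometimes host access via the internal IP is needed
  if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
  then
    ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
    ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
      -s $PLUTO_MY_CLIENT $S_MY_PORT \
      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
  fi
  #
  # allow IP6IP6 traffic because of the implicit SA created by the kernel if
  # IPComp is used (for small inbound packets that are not compressed).
  # INPUT is correct here even for forwarded traffic.
  if [ -n "$PLUTO_IPCOMP" ]
  then
    ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
  fi
  #
  # log IPsec client connection setup
  if [ $VPN_LOGGING ]
  then
    if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
    then
      logger -t $TAG -p $FAC_PRIO \
        "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
    else
      logger -t $TAG -p $FAC_PRIO \
        "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
    fi
  fi
  ;;
down-client-v6:iptables)
  # connection to client subnet, with (left/right)firewall=yes, going down
  # This is used only by the default updown script, not by your custom
  # ones, so do not mess with it; see CAUTION comment up at top.
  if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
  then
    ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
      -s $PLUTO_MY_CLIENT $S_MY_PORT \
      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
      $IPSEC_POLICY_OUT -j ACCEPT
    ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
      -d $PLUTO_MY_CLIENT $D_MY_PORT \
      $IPSEC_POLICY_IN -j ACCEPT
  fi
  #
  # a virtual IP requires an INPUT and OUTPUT rule on the host
  # or sometimes host access via the internal IP is needed
  if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
  then
    ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
      -d $PLUTO_MY_CLIENT $D_MY_PORT \
      $IPSEC_POLICY_IN -j ACCEPT
    ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
      -s $PLUTO_MY_CLIENT $S_MY_PORT \
      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
      $IPSEC_POLICY_OUT -j ACCEPT
  fi
  #
  # IP6IP6 exception teardown
  if [ -n "$PLUTO_IPCOMP" ]
  then
    ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
  fi
  #
  # log IPsec client connection teardown
  if [ $VPN_LOGGING ]
  then
    if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
    then
      logger -t $TAG -p $FAC_PRIO -- \
        "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
    else
      logger -t $TAG -p $FAC_PRIO -- \
        "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
    fi
  fi
  ;;
*)
  echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
  exit 1
  ;;
esac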