You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
662 lines
19 KiB
662 lines
19 KiB
Index: strongswan-2.8.2/programs/_updown/_updown.8
|
|
===================================================================
|
|
--- strongswan-2.8.2.orig/programs/_updown/_updown.8 2007-06-04 13:23:04.632029720 +0200
|
|
+++ strongswan-2.8.2/programs/_updown/_updown.8 2007-06-04 13:23:06.656721920 +0200
|
|
@@ -8,8 +8,23 @@
|
|
.I _updown
|
|
is invoked by pluto when it has brought up a new connection. This script
|
|
is used to insert the appropriate routing entries for IPsec operation.
|
|
-It can also be used to insert and delete dynamic iptables firewall rules.
|
|
-The interface to the script is documented in the pluto man page.
|
|
+It also inserts and deletes dynamic iptables firewall rules. IMPORTANT!
|
|
+By default, it will ACCEPT as appropriate on the INPUT, OUTPUT, FORWARD
|
|
+tables. Most distributions will want to change that to provide more
|
|
+flexibility in their firewall configuration.
|
|
+The script looks for the environment variables
|
|
+.B IPSEC_UPDOWN_RULE_IN
|
|
+for the iptables table it should insert into,
|
|
+.B IPSEC_UPDOWN_DEST_IN
|
|
+for where the rule should -j jump to,
|
|
+.B IPSEC_UPDOWN_RULE_OUT
|
|
+.B IPSEC_UPDOWN_DEST_OUT
|
|
+for the same on outgoing packets, and
|
|
+.B IPSEC_UPDOWN_FWD_RULE_IN
|
|
+.B IPSEC_UPDOWN_FWD_DEST_IN
|
|
+.B IPSEC_UPDOWN_FWD_RULE_OUT
|
|
+.B IPSEC_UPDOWN_FWD_DEST_OUT
|
|
+respectively for packets being forwarded to/from the local networks.
|
|
.SH "SEE ALSO"
|
|
ipsec(8), ipsec_pluto(8).
|
|
.SH HISTORY
|
|
Index: strongswan-2.8.2/programs/_updown/_updown.in
|
|
===================================================================
|
|
--- strongswan-2.8.2.orig/programs/_updown/_updown.in 2007-06-04 13:23:04.642028200 +0200
|
|
+++ strongswan-2.8.2/programs/_updown/_updown.in 2007-06-04 13:23:06.657721768 +0200
|
|
@@ -5,6 +5,7 @@
|
|
# Copyright (C) 2003-2004 Tuomo Soini
|
|
# Copyright (C) 2002-2004 Michael Richardson
|
|
# Copyright (C) 2005-2006 Andreas Steffen <andreas.steffen@strongswan.org>
|
|
+# Copyright (C) 2007 Kevin Cody Jr <kcody@vegaresearch.com>
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU General Public License as published by the
|
|
@@ -118,20 +119,61 @@
|
|
# restricted on the peer side.
|
|
#
|
|
|
|
-# uncomment to log VPN connections
|
|
-VPN_LOGGING=1
|
|
-#
|
|
+# set to /bin/true to silence log messages
|
|
+LOGGER=logger
|
|
+
|
|
# tag put in front of each log entry:
|
|
TAG=vpn
|
|
-#
|
|
+
|
|
# syslog facility and priority used:
|
|
-FAC_PRIO=local0.notice
|
|
-#
|
|
-# to create a special vpn logging file, put the following line into
|
|
-# the syslog configuration file /etc/syslog.conf:
|
|
-#
|
|
-# local0.notice -/var/log/vpn
|
|
-#
|
|
+FAC_PRIO=authpriv.info
|
|
+
|
|
+
|
|
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
|
|
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] ; then
|
|
+ IPSEC_POLICY_IN=""
|
|
+ IPSEC_POLICY_OUT=""
|
|
+else
|
|
+ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
|
|
+ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
|
|
+ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
|
|
+fi
|
|
+
|
|
+# are there port numbers?
|
|
+if [ "$PLUTO_MY_PORT" != 0 ] ; then
|
|
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
|
|
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
|
|
+fi
|
|
+
|
|
+if [ "$PLUTO_PEER_PORT" != 0 ] ; then
|
|
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
|
|
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
|
|
+fi
|
|
+
|
|
+# import firewall behavior
|
|
+IPT_RULE_IN=$IPSEC_UPDOWN_RULE_IN
|
|
+IPT_DEST_IN=$IPSEC_UPDOWN_DEST_IN
|
|
+IPT_RULE_OUT=$IPSEC_UPDOWN_RULE_OUT
|
|
+IPT_DEST_OUT=$IPSEC_UPDOWN_DEST_OUT
|
|
+
|
|
+# import forwarding behavior
|
|
+FWD_RULE_IN=$IPSEC_UPDOWN_FWD_RULE_IN
|
|
+FWD_DEST_IN=$IPSEC_UPDOWN_FWD_DEST_IN
|
|
+FWD_RULE_OUT=$IPSEC_UPDOWN_FWD_RULE_OUT
|
|
+FWD_DEST_OUT=$IPSEC_UPDOWN_FWD_DEST_OUT
|
|
+
|
|
+# default firewall behavior
|
|
+[ -z "$IPT_RULE_IN" ] && IPT_RULE_IN=INPUT
|
|
+[ -z "$IPT_DEST_IN" ] && IPT_DEST_IN=ACCEPT
|
|
+[ -z "$IPT_RULE_OUT" ] && IPT_RULE_OUT=OUTPUT
|
|
+[ -z "$IPT_DEST_OUT" ] && IPT_DEST_OUT=ACCEPT
|
|
+
|
|
+# default forwarding behavior
|
|
+[ -z "$FWD_RULE_IN" ] && FWD_RULE_IN=FORWARD
|
|
+[ -z "$FWD_DEST_IN" ] && FWD_DEST_IN=ACCEPT
|
|
+[ -z "$FWD_RULE_OUT" ] && FWD_RULE_OUT=FORWARD
|
|
+[ -z "$FWD_DEST_OUT" ] && FWD_DEST_OUT=ACCEPT
|
|
+
|
|
|
|
# check interface version
|
|
case "$PLUTO_VERSION" in
|
|
@@ -150,8 +192,6 @@
|
|
case "$1:$*" in
|
|
':') # no parameters
|
|
;;
|
|
-iptables:iptables) # due to (left/right)firewall; for default script only
|
|
- ;;
|
|
custom:*) # custom parameters (see above CAUTION comment)
|
|
;;
|
|
*) echo "$0: unknown parameters \`$*'" >&2
|
|
@@ -159,345 +199,307 @@
|
|
;;
|
|
esac
|
|
|
|
+
|
|
# utility functions for route manipulation
|
|
# Meddling with this stuff should not be necessary and requires great care.
|
|
+
|
|
uproute() {
|
|
doroute add
|
|
ip route flush cache
|
|
}
|
|
+
|
|
downroute() {
|
|
doroute delete
|
|
ip route flush cache
|
|
}
|
|
|
|
+upfirewall() {
|
|
+ in_rule=$1
|
|
+ in_dest=$2
|
|
+ out_rule=$3
|
|
+ out_dest=$4
|
|
+
|
|
+ [ -n "$in_rule" -a -n "$in_dest" ] && \
|
|
+ iptables -I $in_rule 1 \
|
|
+ -i $PLUTO_INTERFACE \
|
|
+ -p $PLUTO_MY_PROTOCOL \
|
|
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
|
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
|
|
+ $IPSEC_POLICY_IN \
|
|
+ -j $in_dest
|
|
+
|
|
+ [ -n "$out_rule" -a -n "$out_dest" ] && \
|
|
+ iptables -I $out_rule 1 \
|
|
+ -o $PLUTO_INTERFACE \
|
|
+ -p $PLUTO_PEER_PROTOCOL \
|
|
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
|
|
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
|
|
+ $IPSEC_POLICY_OUT \
|
|
+ -j $out_dest
|
|
+
|
|
+}
|
|
+
|
|
+downfirewall() {
|
|
+ in_rule=$1
|
|
+ in_dest=$2
|
|
+ out_rule=$3
|
|
+ out_dest=$4
|
|
+
|
|
+ [ -n "$in_rule" -a -n "$in_dest" ] && \
|
|
+ iptables -D $in_rule \
|
|
+ -i $PLUTO_INTERFACE \
|
|
+ -p $PLUTO_MY_PROTOCOL \
|
|
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
|
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
|
|
+ $IPSEC_POLICY_IN \
|
|
+ -j $in_dest
|
|
+
|
|
+ [ -n "$out_rule" -a -n "$out_dest" ] && \
|
|
+ iptables -D $out_rule \
|
|
+ -o $PLUTO_INTERFACE \
|
|
+ -p $PLUTO_PEER_PROTOCOL \
|
|
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
|
|
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
|
|
+ $IPSEC_POLICY_OUT \
|
|
+ -j $out_dest
|
|
+
|
|
+}
|
|
+
|
|
addsource() {
|
|
st=0
|
|
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
|
|
- then
|
|
+
|
|
+ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local ; then
|
|
+
|
|
it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
|
|
oops="`eval $it 2>&1`"
|
|
st=$?
|
|
- if test " $oops" = " " -a " $st" != " 0"
|
|
- then
|
|
+
|
|
+ if [ " $oops" = " " -a " $st" != " 0" ] ; then
|
|
oops="silent error, exit status $st"
|
|
fi
|
|
- if test " $oops" != " " -o " $st" != " 0"
|
|
- then
|
|
+
|
|
+ if [ " $oops" != " " -o " $st" != " 0" ] ; then
|
|
echo "$0: addsource \`$it' failed ($oops)" >&2
|
|
fi
|
|
fi
|
|
+
|
|
return $st
|
|
}
|
|
|
|
doroute() {
|
|
st=0
|
|
parms="$PLUTO_PEER_CLIENT"
|
|
+ parms2="dev $PLUTO_INTERFACE"
|
|
|
|
- parms2=
|
|
- if [ -n "$PLUTO_NEXT_HOP" ]
|
|
- then
|
|
- parms2="via $PLUTO_NEXT_HOP"
|
|
- fi
|
|
- parms2="$parms2 dev $PLUTO_INTERFACE"
|
|
-
|
|
- if [ -z "$PLUTO_MY_SOURCEIP" ]
|
|
- then
|
|
- if [ -f /etc/sysconfig/defaultsource ]
|
|
- then
|
|
- . /etc/sysconfig/defaultsource
|
|
- fi
|
|
+ if [ -z "$PLUTO_MY_SOURCEIP" ] ; then
|
|
|
|
- if [ -f /etc/conf.d/defaultsource ]
|
|
- then
|
|
- . /etc/conf.d/defaultsource
|
|
- fi
|
|
+ [ -f /etc/sysconfig/defaultsource ] && \
|
|
+ . /etc/sysconfig/defaultsource
|
|
+
|
|
+ [ -f /etc/conf.d/defaultsource ] && \
|
|
+ . /etc/conf.d/defaultsource
|
|
+
|
|
+ [ -n "$DEFAULTSOURCE" ] && \
|
|
+ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
|
|
|
|
- if [ -n "$DEFAULTSOURCE" ]
|
|
- then
|
|
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
|
|
- fi
|
|
fi
|
|
|
|
parms3=
|
|
- if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
|
|
- then
|
|
+ if [ "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" ] ; then
|
|
addsource
|
|
parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
|
|
fi
|
|
|
|
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
|
|
- "0.0.0.0/0.0.0.0")
|
|
+ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
|
|
+ "0.0.0.0/0.0.0.0" ] ; then
|
|
# opportunistic encryption work around
|
|
# need to provide route that eclipses default, without
|
|
# replacing it.
|
|
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
|
|
- ip route $1 128.0.0.0/1 $parms2 $parms3"
|
|
- ;;
|
|
- *) it="ip route $1 $parms $parms2 $parms3"
|
|
- ;;
|
|
- esac
|
|
+ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
|
|
+ ip route $1 128.0.0.0/1 $parms2 $parms3"
|
|
+ else
|
|
+ it="ip route $1 $parms $parms2 $parms3"
|
|
+ fi
|
|
+
|
|
oops="`eval $it 2>&1`"
|
|
st=$?
|
|
- if test " $oops" = " " -a " $st" != " 0"
|
|
- then
|
|
- oops="silent error, exit status $st"
|
|
- fi
|
|
- if test " $oops" != " " -o " $st" != " 0"
|
|
- then
|
|
- echo "$0: doroute \`$it' failed ($oops)" >&2
|
|
+
|
|
+ if [ " $oops" = " " -a " $st" != " 0" ] ; then
|
|
+ oops="silent error, exit status $st"
|
|
fi
|
|
+
|
|
+ if [ " $oops" != " " -o " $st" != " 0" ] ; then
|
|
+ echo "$0: doroute \`$it' failed ($oops)" >&2
|
|
+ fi
|
|
+
|
|
return $st
|
|
}
|
|
-
|
|
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
|
|
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
|
|
-then
|
|
- IPSEC_POLICY_IN=""
|
|
- IPSEC_POLICY_OUT=""
|
|
-else
|
|
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
|
|
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
|
|
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
|
|
-fi
|
|
|
|
-# are there port numbers?
|
|
-if [ "$PLUTO_MY_PORT" != 0 ]
|
|
-then
|
|
- S_MY_PORT="--sport $PLUTO_MY_PORT"
|
|
- D_MY_PORT="--dport $PLUTO_MY_PORT"
|
|
-fi
|
|
-if [ "$PLUTO_PEER_PORT" != 0 ]
|
|
-then
|
|
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
|
|
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
|
|
-fi
|
|
+dologentry() {
|
|
+ action=$1
|
|
+
|
|
+ if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] ; then
|
|
+ rem="$PLUTO_PEER"
|
|
+ else
|
|
+ rem="$PLUTO_PEER_CLIENT == $PLUTO_PEER"
|
|
+ fi
|
|
+
|
|
+ if [ "$PLUTO_MY_CLIENT" == "$PLUTO_ME/32" ] ; then
|
|
+ loc="$PLUTO_ME"
|
|
+ else
|
|
+ loc="$PLUTO_ME == $PLUTO_MY_CLIENT"
|
|
+ fi
|
|
+
|
|
+ $LOGGER -t $TAG -p $FAC_PRIO "$action $rem -- $loc ($PLUTO_PEER_ID)"
|
|
+}
|
|
+
|
|
|
|
# the big choice
|
|
+
|
|
case "$PLUTO_VERB:$1" in
|
|
prepare-host:*|prepare-client:*)
|
|
# delete possibly-existing route (preliminary to adding a route)
|
|
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
|
|
- "0.0.0.0/0.0.0.0")
|
|
- # need to provide route that eclipses default, without
|
|
+
|
|
+ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
|
|
+ "0.0.0.0/0.0.0.0" ] ; then
|
|
+ # need to remove the route that eclipses default, without
|
|
# replacing it.
|
|
- parms1="0.0.0.0/1"
|
|
- parms2="128.0.0.0/1"
|
|
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
|
|
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
|
|
- ;;
|
|
- *)
|
|
- parms="$PLUTO_PEER_CLIENT"
|
|
- it="ip route delete $parms 2>&1"
|
|
- oops="`ip route delete $parms 2>&1`"
|
|
- ;;
|
|
- esac
|
|
- status="$?"
|
|
- if test " $oops" = " " -a " $status" != " 0"
|
|
- then
|
|
- oops="silent error, exit status $status"
|
|
+ it="( ip route delete 0.0.0.0/1 ;
|
|
+ ip route delete 128.0.0.0/1 )"
|
|
+ else
|
|
+ it="ip route delete $PLUTO_PEER_CLIENT"
|
|
+ fi
|
|
+
|
|
+ oops="`$it 2>&1`"
|
|
+ st="$?"
|
|
+
|
|
+ if [ " $oops" = " " -a " $st" != " 0" ] ; then
|
|
+ oops="silent error, exit status $st"
|
|
fi
|
|
+
|
|
case "$oops" in
|
|
*'RTNETLINK answers: No such process'*)
|
|
# This is what route (currently -- not documented!) gives
|
|
# for "could not find such a route".
|
|
oops=
|
|
- status=0
|
|
+ st=0
|
|
;;
|
|
esac
|
|
- if test " $oops" != " " -o " $status" != " 0"
|
|
- then
|
|
+
|
|
+ if [ " $oops" != " " -o " $st" != " 0" ] ; then
|
|
echo "$0: \`$it' failed ($oops)" >&2
|
|
fi
|
|
- exit $status
|
|
+
|
|
+ exit $st
|
|
+
|
|
;;
|
|
route-host:*|route-client:*)
|
|
# connection to me or my client subnet being routed
|
|
+
|
|
+ ipsec _showstatus valid
|
|
uproute
|
|
+
|
|
;;
|
|
unroute-host:*|unroute-client:*)
|
|
# connection to me or my client subnet being unrouted
|
|
+
|
|
+ ipsec _showstatus invalid
|
|
downroute
|
|
+
|
|
;;
|
|
-up-host:)
|
|
+up-host:*)
|
|
# connection to me coming up
|
|
- # If you are doing a custom version, firewall commands go here.
|
|
+
|
|
+ ipsec _showstatus up
|
|
+ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
|
|
+ dologentry "VPN-UP"
|
|
+
|
|
;;
|
|
-down-host:)
|
|
+down-host:*)
|
|
# connection to me going down
|
|
- # If you are doing a custom version, firewall commands go here.
|
|
- ;;
|
|
-up-client:)
|
|
- # connection to my client subnet coming up
|
|
- # If you are doing a custom version, firewall commands go here.
|
|
- ;;
|
|
-down-client:)
|
|
- # connection to my client subnet going down
|
|
- # If you are doing a custom version, firewall commands go here.
|
|
+
|
|
+ ipsec _showstatus down
|
|
+ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
|
|
+ dologentry "VPN-DN"
|
|
+
|
|
;;
|
|
-up-host:iptables)
|
|
- # connection to me, with (left/right)firewall=yes, coming up
|
|
- # This is used only by the default updown script, not by your custom
|
|
- # ones, so do not mess with it; see CAUTION comment up at top.
|
|
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
|
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
|
|
- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
|
|
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
|
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
|
|
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
|
|
- #
|
|
- # log IPsec host connection setup
|
|
- if [ $VPN_LOGGING ]
|
|
- then
|
|
- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
|
|
- then
|
|
- logger -t $TAG -p $FAC_PRIO \
|
|
- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
|
|
- else
|
|
- logger -t $TAG -p $FAC_PRIO \
|
|
- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
|
|
- fi
|
|
- fi
|
|
- ;;
|
|
-down-host:iptables)
|
|
- # connection to me, with (left/right)firewall=yes, going down
|
|
- # This is used only by the default updown script, not by your custom
|
|
- # ones, so do not mess with it; see CAUTION comment up at top.
|
|
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
|
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
|
|
- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
|
|
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
|
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
|
|
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
|
|
- #
|
|
- # log IPsec host connection teardown
|
|
- if [ $VPN_LOGGING ]
|
|
- then
|
|
- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
|
|
- then
|
|
- logger -t $TAG -p $FAC_PRIO -- \
|
|
- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
|
|
- else
|
|
- logger -t $TAG -p $FAC_PRIO -- \
|
|
- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
|
|
- fi
|
|
- fi
|
|
- ;;
|
|
-up-client:iptables)
|
|
- # connection to client subnet, with (left/right)firewall=yes, coming up
|
|
- # This is used only by the default updown script, not by your custom
|
|
- # ones, so do not mess with it; see CAUTION comment up at top.
|
|
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
|
|
- then
|
|
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
|
- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
|
|
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
|
|
- $IPSEC_POLICY_OUT -j ACCEPT
|
|
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
|
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
|
|
- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
|
|
- $IPSEC_POLICY_IN -j ACCEPT
|
|
+up-client:*)
|
|
+ # connection to client subnet coming up
|
|
+
|
|
+ ipsec _showstatus up
|
|
+
|
|
+ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
|
|
+ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
|
|
+ upfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
|
|
fi
|
|
- #
|
|
+
|
|
# a virtual IP requires an INPUT and OUTPUT rule on the host
|
|
# or sometimes host access via the internal IP is needed
|
|
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
|
|
- then
|
|
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
|
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
|
|
- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
|
|
- $IPSEC_POLICY_IN -j ACCEPT
|
|
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
|
- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
|
|
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
|
|
- $IPSEC_POLICY_OUT -j ACCEPT
|
|
- fi
|
|
- #
|
|
- # log IPsec client connection setup
|
|
- if [ $VPN_LOGGING ]
|
|
- then
|
|
- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
|
|
- then
|
|
- logger -t $TAG -p $FAC_PRIO \
|
|
- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
|
|
- else
|
|
- logger -t $TAG -p $FAC_PRIO \
|
|
- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
|
|
- fi
|
|
- fi
|
|
- ;;
|
|
-down-client:iptables)
|
|
- # connection to client subnet, with (left/right)firewall=yes, going down
|
|
- # This is used only by the default updown script, not by your custom
|
|
- # ones, so do not mess with it; see CAUTION comment up at top.
|
|
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
|
|
- then
|
|
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
|
- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
|
|
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
|
|
- $IPSEC_POLICY_OUT -j ACCEPT
|
|
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
|
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
|
|
- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
|
|
- $IPSEC_POLICY_IN -j ACCEPT
|
|
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
|
|
+ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
|
|
+ fi
|
|
+
|
|
+ dologentry "VPN-UP"
|
|
+
|
|
+ ;;
|
|
+down-client:*)
|
|
+ # connection to client subnet going down
|
|
+
|
|
+ ipsec _showstatus down
|
|
+
|
|
+ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
|
|
+ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
|
|
+ downfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
|
|
fi
|
|
- #
|
|
+
|
|
# a virtual IP requires an INPUT and OUTPUT rule on the host
|
|
# or sometimes host access via the internal IP is needed
|
|
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
|
|
- then
|
|
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
|
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
|
|
- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
|
|
- $IPSEC_POLICY_IN -j ACCEPT
|
|
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
|
- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
|
|
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
|
|
- $IPSEC_POLICY_OUT -j ACCEPT
|
|
- fi
|
|
- #
|
|
- # log IPsec client connection teardown
|
|
- if [ $VPN_LOGGING ]
|
|
- then
|
|
- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
|
|
- then
|
|
- logger -t $TAG -p $FAC_PRIO -- \
|
|
- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
|
|
- else
|
|
- logger -t $TAG -p $FAC_PRIO -- \
|
|
- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
|
|
- fi
|
|
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
|
|
+ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
|
|
fi
|
|
+
|
|
+ dologentry "VPN-DN"
|
|
+
|
|
;;
|
|
-#
|
|
-# IPv6
|
|
-#
|
|
prepare-host-v6:*|prepare-client-v6:*)
|
|
+
|
|
;;
|
|
route-host-v6:*|route-client-v6:*)
|
|
# connection to me or my client subnet being routed
|
|
+
|
|
#uproute_v6
|
|
+
|
|
;;
|
|
unroute-host-v6:*|unroute-client-v6:*)
|
|
# connection to me or my client subnet being unrouted
|
|
+
|
|
#downroute_v6
|
|
+
|
|
;;
|
|
up-host-v6:*)
|
|
# connection to me coming up
|
|
# If you are doing a custom version, firewall commands go here.
|
|
+
|
|
;;
|
|
down-host-v6:*)
|
|
# connection to me going down
|
|
# If you are doing a custom version, firewall commands go here.
|
|
+
|
|
;;
|
|
up-client-v6:)
|
|
# connection to my client subnet coming up
|
|
# If you are doing a custom version, firewall commands go here.
|
|
+
|
|
;;
|
|
down-client-v6:)
|
|
# connection to my client subnet going down
|
|
# If you are doing a custom version, firewall commands go here.
|
|
+
|
|
;;
|
|
-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
|
|
+*)
|
|
+ echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
|
|
exit 1
|
|
+
|
|
;;
|
|
esac
|
|
+
|
|
|