Revision: 2737
http://ipcop.svn.sourceforge.net/ipcop/?rev=2737&view=rev
Author: owes
Date: 2009-04-20 15:19:41 +0000 (Mon, 20 Apr 2009)
Log Message:
-----------
Handle access to OpenVPN (default udp/1194) in puzzleFwRules.pl and friends.
OpenVPN can be accessed:
on BLUE if Blue Access is active
on BLUE if policy is open/half-open
on ORANGE if policy is open (there is no half-open policy for Orange)
on RED
If policy is closed you need to add a firewall rule (as for all other IPCop
services that you want to use).
Modified Paths:
--------------
ipcop/trunk/src/libs/DataAccess.pl
ipcop/trunk/src/misc-progs/openvpnctrl.c
ipcop/trunk/src/rc.d/rc.firewall
ipcop/trunk/src/scripts/puzzleFwRules.pl
Modified: ipcop/trunk/src/libs/DataAccess.pl
===================================================================
--- ipcop/trunk/src/libs/DataAccess.pl 2009-04-20 13:20:15 UTC (rev 2736)
+++ ipcop/trunk/src/libs/DataAccess.pl 2009-04-20 15:19:41 UTC (rev 2737)
@@ -156,6 +156,25 @@
$dServices->{'IPCop ssh'}{'PORT_IPT'} = "--dport $ssh";
$dServices->{'IPCop ssh'}{'PORT_NR'} = $ssh;
$dServices->{'IPCop ssh'}{'PROTOCOL'} = 'tcp';
+
+ if (-e "/var/ipcop/ovpn/settings") {
+ my %ovpnSettings = ();
+ &General::readhash("/var/ipcop/ovpn/settings", \%ovpnSettings);
+
+ my $ovpnport = '1194';
+ my $ovpnproto = 'udp';
+ if ($ovpnSettings{'DDEST_PORT'} =~ /^(\d+)$/) {
+ $ovpnport = $1;
+ }
+ if ($ovpnSettings{'DPROTOCOL'} =~ /^(tcp|udp)$/) {
+ $ovpnproto = $1;
+ }
+ $dServices->{'IPCop OpenVPN'}{'PORT_IPT'} = "--dport $ovpnport ";
+ $dServices->{'IPCop OpenVPN'}{'PORT_NR'} = $ovpnport;
+ $dServices->{'IPCop OpenVPN'}{'PROTOCOL'} = $ovpnproto;
+ }
+
+ # TODO: add IPCop services for IPsec
}
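Review bot: The port check on the `DDEST_PORT` line accepts any digit string, so a stray value such as `0` or `70000` is interpolated straight into `--dport` and only fails later when iptables loads the rule, and `$` also tolerates a trailing newline. A tighter test is `if (defined $ovpnSettings{'DDEST_PORT'} && $ovpnSettings{'DDEST_PORT'} =~ /\A(\d{1,5})\z/ && $1 >= 1 && $1 <= 65535) {`, with the same `defined` guard on the `DPROTOCOL` match so a missing key does not raise an uninitialized-value warning. `"--dport $ovpnport "` carries a trailing space that the `IPCop ssh` entry three lines above does not; presumably harmless, but worth dropping for consistency. The removed openvpnctrl.c code read the port under the key `DPORT` while this reads `DDEST_PORT`; confirm which key the OpenVPN CGI actually writes. The enclosing sub starts outside the hunk.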
#######################################################
Modified: ipcop/trunk/src/misc-progs/openvpnctrl.c
===================================================================
--- ipcop/trunk/src/misc-progs/openvpnctrl.c 2009-04-20 13:20:15 UTC (rev
2736)
+++ ipcop/trunk/src/misc-progs/openvpnctrl.c 2009-04-20 15:19:41 UTC (rev
2737)
@@ -34,38 +34,8 @@
static int flag_restart = 0;
static int enabled[CFG_COLOURS_COUNT][MAX_NETWORK_COLOUR + 1];
static int enabled_count;
-static char protocol[STRING_SIZE] = "udp";
-static char port[STRING_SIZE] = "1194";
-static void close_firewall(void)
-{
- verbose_printf(2, "Flushing OpenVPN iptables chain ... \n");
- safe_system("/sbin/iptables -F OPENVPNPHYSICAL");
-}
-
-
-static void open_firewall(void)
-{
- int i, j;
- char command[STRING_SIZE];
-
- verbose_printf(1, "Filling OpenVPN iptables chain ... \n");
-
- for (i = 0; i < CFG_COLOURS_COUNT; i++) {
- for (j = 1; j <= MAX_NETWORK_COLOUR; j++) {
- if (enabled[i][j]) {
- verbose_printf(2, " -A %s %d\n", ipcop_colours_text[i], j);
- snprintf(command, STRING_SIZE,
- "/sbin/iptables -A OPENVPNPHYSICAL -i %s -p %s --dport %s
-j ACCEPT > /dev/null 2>&1",
- ipcop_ethernet.device[i][j], protocol, port);
- safe_system(command);
- }
- }
- }
-}
-
-
void usage(char *prg, int exit_code)
{
printf("Usage: %s [OPTION]\n\n", prg);
@@ -133,9 +103,6 @@
}
}
- /* flush iptables chain */
- close_firewall();
-
/* Fetch ethernet/settings, exit on error */
read_ethernet_settings(1);
@@ -173,20 +140,18 @@
verbose_printf(2, " %d enabled interface(s)\n", enabled_count);
if (enabled_count == 0) {
- verbose_printf(1, "OpenVPN not enabled ... exit ... \n");
- return 0;
+ verbose_printf(1, "OpenVPN not enabled ... \n");
}
- find_kv_default(ovpn_kv, "DPROTOCOL", protocol);
- find_kv_default(ovpn_kv, "DPORT", port);
-
- if (flag_start || flag_restart) {
- /* fill iptables chain */
- open_firewall();
+ if (enabled_count && (flag_start || flag_restart)) {
safe_system("/sbin/modprobe tun");
verbose_printf(1, "Starting OpenVPN server ... \n");
safe_system("/usr/sbin/openvpn --config /var/ipcop/ovpn/server.conf");
}
+ /* rebuild rules, maybe server is now disabled, or some other change */
+ verbose_printf(1, "Rebuild firewall rules ... \n");
+ safe_system("/usr/local/bin/setfwrules --ipcop");
+
return(0);
}
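Review bot: The exit status of `setfwrules --ipcop` is discarded on the new `safe_system` line and the function still returns 0, so a caller cannot tell that the server was started but the firewall rules were not rebuilt. If `safe_system` returns the command's status (its definition is not visible here), `if (safe_system("/usr/local/bin/setfwrules --ipcop")) fprintf(stderr, "setfwrules --ipcop failed\n");` leaves at least a visible trace, and propagating that status through the final `return` would be better still. Since the `enabled_count == 0` branch no longer returns, the rebuild also runs when OpenVPN is disabled, which the new comment explains; the same fall-through should be kept in mind for any stop path handled outside this hunk. The enclosing function starts outside the hunk.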
Modified: ipcop/trunk/src/rc.d/rc.firewall
===================================================================
--- ipcop/trunk/src/rc.d/rc.firewall 2009-04-20 13:20:15 UTC (rev 2736)
+++ ipcop/trunk/src/rc.d/rc.firewall 2009-04-20 15:19:41 UTC (rev 2737)
@@ -169,13 +169,10 @@
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
- # traffic from ipsecX/tun/tap interfaces, before "-i GREEN_DEV" accept
everything
+ # TODO: handle ipsecX traffic through puzzleFwRules.pl and friends
/sbin/iptables -N IPSECVIRTUAL
- /sbin/iptables -N OPENVPNVIRTUAL
/sbin/iptables -A INPUT -j IPSECVIRTUAL
- /sbin/iptables -A INPUT -j OPENVPNVIRTUAL
/sbin/iptables -A FORWARD -j IPSECVIRTUAL
- /sbin/iptables -A FORWARD -j OPENVPNVIRTUAL
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
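Review bot: The replacement comment above the `IPSECVIRTUAL` lines drops the explanation the old one carried, namely that these jumps must precede the `-i GREEN_DEV` accept so ipsecX traffic is not accepted wholesale; keep that alongside the TODO, e.g. `# traffic from ipsecX interfaces, must come before the "-i GREEN_DEV" accept-everything rule`. The same applies to the `IPSECPHYSICAL` comment in the second hunk of this file. Dropping the `OPENVPNVIRTUAL` and `OPENVPNPHYSICAL` chains will break any other script that still flushes or appends to them (the removed openvpnctrl.c code did `-F OPENVPNPHYSICAL`), and iptables exits non-zero on an unknown chain; a search for both chain names across the tree before merging is advisable.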
@@ -196,14 +193,10 @@
#~ /sbin/iptables -N DHCPBLUEINPUT
#~ /sbin/iptables -A INPUT -j DHCPBLUEINPUT
- # IPsec
+ # TODO: handle IPsec through puzzleFwRules.pl and friends
/sbin/iptables -N IPSECPHYSICAL
/sbin/iptables -A INPUT -j IPSECPHYSICAL
- # OpenVPN
- /sbin/iptables -N OPENVPNPHYSICAL
- /sbin/iptables -A INPUT -j OPENVPNPHYSICAL
-
# WIRELESS chains
/sbin/iptables -N WIRELESSINPUT
/sbin/iptables -N WIRELESSFORWARD
Modified: ipcop/trunk/src/scripts/puzzleFwRules.pl
===================================================================
--- ipcop/trunk/src/scripts/puzzleFwRules.pl 2009-04-20 13:20:15 UTC (rev
2736)
+++ ipcop/trunk/src/scripts/puzzleFwRules.pl 2009-04-20 15:19:41 UTC (rev
2737)
@@ -749,6 +749,14 @@
&prepareRule("-F FW_IPCOP_FORWARD");
&prepareRule("-F FW_LOG");
+ # Retrieve OpenVPN settings
+ my %ovpnSettings = ();
+ if (-e "/var/ipcop/ovpn/settings") {
+ &General::readhash("/var/ipcop/ovpn/settings", \%ovpnSettings);
+ }
+
+ # TODO: IPsec settings and rules
+
# Deny only those traffic which is open in vanila IPCop.
# Other traffic blocked by IPCop rules. So it is possible by using
related, established connections
foreach my $inIface (keys %FW::interfaces) {
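Review bot: `%ovpnSettings` stays empty when `/var/ipcop/ovpn/settings` is absent, and the later hunks compare `$ovpnSettings{'ENABLED_BLUE_1'}`, `ENABLED_ORANGE_1` and `ENABLED_RED_1` with `eq 'on'`, which under `use warnings` (not visible from the hunk) emits an uninitialized-value warning on every rule rebuild. Defaulting the flags right after the `readhash` call avoids that: `$ovpnSettings{$_} ||= 'off' for qw(ENABLED_BLUE_1 ENABLED_ORANGE_1 ENABLED_RED_1);`. The enclosing sub starts outside the hunk.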
@@ -767,6 +775,15 @@
if ($FW::interfaces{$inIface}{'COLOR'} eq 'BLUE_COLOR' &&
$ifacePolicies{$inIface}{'BLUE_ACCESS'} eq 'on') {
$doUpdateWirelessRules = 1;
+
+ # allow OpenVPN if enabled on blue, OpenVPN access does not need
Blue Access entry
+ if ($ovpnSettings{'ENABLED_BLUE_1'} eq 'on') {
+ my @serviceXYZ = &buildServiceParamsDefault('IPCop OpenVPN',
"");
+ foreach my $protoPort (@serviceXYZ) {
+ &prepareRule("-A FW_IPCOP -i
$FW::interfaces{$inIface}{'IFACE'} $protoPort -j ACCEPT");
+ }
+ }
+
&prepareRule("-A FW_IPCOP -i $FW::interfaces{$inIface}{'IFACE'} -j
WIRELESSINPUT");
&prepareRule("-A FW_IPCOP_FORWARD -i
$FW::interfaces{$inIface}{'IFACE'} -j WIRELESSFORWARD");
}
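Review bot: The five-line block that resolves `'IPCop OpenVPN'` through `buildServiceParamsDefault` and appends one `FW_IPCOP` ACCEPT per proto/port is repeated verbatim in the RED hunk later in this file section; a small helper keeps the two in step when the rule shape changes. For a BLUE interface with Blue Access on and policy open or half-open, the interface additionally receives `'IPCop OpenVPN'` via `@ipcopServices` in the next hunk, so the same ACCEPT rule is appended twice; harmless to iptables, but worth a comment on the `ENABLED_BLUE_1` line if it is intended. The enclosing foreach starts outside the hunk.
```perl
# Accept OpenVPN (proto/port from the 'IPCop OpenVPN' service entry) on one interface.
sub allowOpenVPNOnInterface {
    my ($iface) = @_;
    foreach my $protoPort (&buildServiceParamsDefault('IPCop OpenVPN', "")) {
        &prepareRule("-A FW_IPCOP -i $iface $protoPort -j ACCEPT");
    }
    return;
}
# … call site in the Blue Access branch (same form in the RED branch) …
&allowOpenVPNOnInterface($FW::interfaces{$inIface}{'IFACE'}) if ($ovpnSettings{'ENABLED_BLUE_1'} eq 'on');
```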
@@ -775,11 +792,24 @@
# open some default ipcop services for policy 'half-open' and
'open'
if ($ifacePolicies{$inIface}{'POLICY'} =~ /^half-open|open$/) {
- # Some IPCop services for Green and Blue
my @ipcopServices = ();
- if ($FW::interfaces{$inIface}{'COLOR'} =~
/^GREEN_COLOR|BLUE_COLOR$/) {
+ # Some IPCop services for Green
+ if ($FW::interfaces{$inIface}{'COLOR'} =~ /^GREEN_COLOR$/) {
@ipcopServices = ('IPCop dhcp', 'IPCop dns', 'IPCop ntp',
'IPCop proxy', 'Ping');
}
+ # Some IPCop services for Blue
+ if ($FW::interfaces{$inIface}{'COLOR'} =~ /^BLUE_COLOR$/) {
+ @ipcopServices = ('IPCop dhcp', 'IPCop dns', 'IPCop ntp',
'IPCop proxy', 'Ping');
+ if ($ovpnSettings{'ENABLED_BLUE_1'} eq 'on') {
+ push(@ipcopServices, 'IPCop OpenVPN');
+ }
+ }
+ # Some IPCop services for Orange
+ if ($FW::interfaces{$inIface}{'COLOR'} =~ /^ORANGE_COLOR$/) {
+ if ($ovpnSettings{'ENABLED_ORANGE_1'} eq 'on') {
+ push(@ipcopServices, 'IPCop OpenVPN');
+ }
+ }
# Some IPCop services for IPsec and OpenVPN (no DHCP needed
for VPN)
if ($FW::interfaces{$inIface}{'COLOR'} =~
/^IPSEC_COLOR|OVPN_COLOR$/) {
@ipcopServices = ('IPCop dns', 'IPCop ntp', 'IPCop proxy',
'Ping');
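Review bot: The three new colour tests use anchored regexes where a plain string comparison says the same thing more directly, e.g. `if ($FW::interfaces{$inIface}{'COLOR'} eq 'GREEN_COLOR') {`, and since an interface has exactly one colour an `if`/`elsif` chain would make the mutual exclusion visible. The GREEN and BLUE branches also repeat the same five-service list; assigning it once for both and pushing `'IPCop OpenVPN'` only in the BLUE branch is the shorter form. The ORANGE branch only ever pushes OpenVPN, so on ORANGE with an open policy OpenVPN is the only IPCop service opened; that matches the commit message but deserves a note on the `# Some IPCop services for Orange` line saying nothing else is intended there. The enclosing foreach starts outside the hunk.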
@@ -818,6 +848,16 @@
foreach my $protoPort (@serviceXYZ) {
&prepareRule("-A FW_IPCOP -i
$FW::interfaces{$inIface}{'IFACE'} $protoPort -j ACCEPT");
}
+
+ # allow OpenVPN if enabled on red
+ if ($ovpnSettings{'ENABLED_RED_1'} eq 'on') {
+ my @serviceXYZ = &buildServiceParamsDefault('IPCop
OpenVPN', "");
+ foreach my $protoPort (@serviceXYZ) {
+ &prepareRule("-A FW_IPCOP -i
$FW::interfaces{$inIface}{'IFACE'} $protoPort -j ACCEPT");
+ }
+ }
+
+ # TODO: open firewall for IPsec
}
}
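Review bot: The new `my @serviceXYZ` inside the `ENABLED_RED_1` block shadows the `@serviceXYZ` still in scope from the loop just above it, which reads as if the earlier list were being reused; a distinct name such as `my @ovpnProtoPorts = &buildServiceParamsDefault('IPCop OpenVPN', "");` avoids the double take. The block is otherwise a copy of the Blue Access one earlier in this file section. The enclosing foreach starts outside the hunk.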
@@ -889,7 +929,7 @@
# open some default ipcop services for policy 'half-open' and 'open'
if ($ifacePolicies{$inIface}{'POLICY'} =~ /^half-open|open$/) {
- # Some IPCop services
+ # Some IPCop services, no need for OpenVPN here as that is opened
for everybody
my @ipcopServices = ('IPCop dhcp', 'IPCop dns', 'IPCop ntp',
'IPCop proxy', 'Ping');
foreach my $key (keys %blueAdresses) {
next if ($blueAdresses{$key}{'SOURCE_ADR_IPT'} eq '');