Revision: 2748
http://ipcop.svn.sourceforge.net/ipcop/?rev=2748&view=rev
Author: owes
Date: 2009-04-27 20:29:24 +0000 (Mon, 27 Apr 2009)
Log Message:
-----------
Add IPsec to firewall rules handling, similar to OpenVPN.
This may or may not work, but I want to push this out for others to test.
Modified Paths:
--------------
ipcop/trunk/src/libs/DataAccess.pl
ipcop/trunk/src/misc-progs/ipsecctrl.c
ipcop/trunk/src/rc.d/rc.firewall
ipcop/trunk/src/scripts/puzzleFwRules.pl
Modified: ipcop/trunk/src/libs/DataAccess.pl
===================================================================
--- ipcop/trunk/src/libs/DataAccess.pl 2009-04-27 20:20:52 UTC (rev 2747)
+++ ipcop/trunk/src/libs/DataAccess.pl 2009-04-27 20:29:24 UTC (rev 2748)
@@ -157,6 +157,20 @@
$dServices->{'IPCop ssh'}{'PORT_NR'} = $ssh;
$dServices->{'IPCop ssh'}{'PROTOCOL'} = 'tcp';
+ # TODO: limit IKE source port to 500. Add udp/4500 for NAT-Traversal. Do
we need GRE ?
+ # IPsec IKE (udp/500)
+ $dServices->{'IPCop isakmp'}{'PORT_IPT'} = "--dport 500";
+ $dServices->{'IPCop isakmp'}{'PORT_NR'} = '500';
+ $dServices->{'IPCop isakmp'}{'PROTOCOL'} = 'udp';
+ # IPsec ESP
+ $dServices->{'IPCop ESP'}{'PORT_IPT'} = "";
+ $dServices->{'IPCop ESP'}{'PORT_NR'} = '-';
+ $dServices->{'IPCop ESP'}{'PROTOCOL'} = 'esp';
+ # IPsec AH
+ $dServices->{'IPCop AH'}{'PORT_IPT'} = "";
+ $dServices->{'IPCop AH'}{'PORT_NR'} = '-';
+ $dServices->{'IPCop AH'}{'PROTOCOL'} = 'ah';
+
if (-e "/var/ipcop/ovpn/settings") {
my %ovpnSettings = ();
&General::readhash("/var/ipcop/ovpn/settings", \%ovpnSettings);
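Review bot: NAT-Traversal (udp/4500) is left as a TODO in this hunk, but the removed open_physical() in ipsecctrl.c did accept it (the `--dport %i` rule called with 4500), so after this commit peers behind NAT lose UDP-encapsulated IPsec until that service exists; a fourth entry next to isakmp would close the gap, `$dServices->{'IPCop isakmp-nat'}{'PORT_IPT'} = "--dport 4500";` with `PORT_NR` `'4500'` and `PROTOCOL` `'udp'`, plus listing it wherever puzzleFwRules.pl enumerates the IPsec services. The removed IKE rule also constrained the source with `--sport 500`, which the new `--dport 500` entry drops; if `PORT_IPT` is passed to iptables verbatim, `"--sport 500 --dport 500"` would keep the old restriction (the TODO already mentions it). The ESP and AH entries carry `PORT_NR` `'-'`, so whatever reads PORT_NR elsewhere must treat that as "no port" rather than a number — not visible in this diff. The enclosing subroutine starts before this hunk.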
@@ -169,12 +183,11 @@
if ($ovpnSettings{'DPROTOCOL'} =~ /^(tcp|udp)$/) {
$ovpnproto = $1;
}
- $dServices->{'IPCop OpenVPN'}{'PORT_IPT'} = "--dport $ovpnport ";
+ $dServices->{'IPCop OpenVPN'}{'PORT_IPT'} = "--dport $ovpnport";
$dServices->{'IPCop OpenVPN'}{'PORT_NR'} = $ovpnport;
$dServices->{'IPCop OpenVPN'}{'PROTOCOL'} = $ovpnproto;
}
- # TODO: add IPCop services for IPsec
}
#######################################################
Modified: ipcop/trunk/src/misc-progs/ipsecctrl.c
===================================================================
--- ipcop/trunk/src/misc-progs/ipsecctrl.c 2009-04-27 20:20:52 UTC (rev
2747)
+++ ipcop/trunk/src/misc-progs/ipsecctrl.c 2009-04-27 20:29:24 UTC (rev
2748)
@@ -50,8 +50,6 @@
*/
-#define phystable "IPSECPHYSICAL"
-#define virtualtable "IPSECVIRTUAL"
void usage()
{
@@ -64,56 +62,7 @@
fprintf(stderr, "\t\tR : Reload Certificates and Secrets\n");
}
-/*
- ACCEPT the ipsec protocol ah, esp & udp (for nat traversal) on the
specified interface
-*/
-void open_physical(char *interface, int nat_traversal_port)
-{
- char str[STRING_SIZE];
- // GRE ???
- sprintf(str, "/sbin/iptables -A " phystable " -p 47 -i %s -j ACCEPT",
interface);
- safe_system(str);
- // ESP
- sprintf(str, "/sbin/iptables -A " phystable " -p 50 -i %s -j ACCEPT",
interface);
- safe_system(str);
- // AH
- sprintf(str, "/sbin/iptables -A " phystable " -p 51 -i %s -j ACCEPT",
interface);
- safe_system(str);
- // IKE
- sprintf(str, "/sbin/iptables -A " phystable " -p udp -i %s --sport 500
--dport 500 -j ACCEPT", interface);
- safe_system(str);
-
- if (!nat_traversal_port)
- return;
-
- sprintf(str, "/sbin/iptables -A " phystable " -p udp -i %s --dport %i -j
ACCEPT", interface, nat_traversal_port);
- safe_system(str);
-}
-
-/*
- Basic control for what can flow from/to ipsecX interfaces.
-
- rc.firewall call this chain just before ACCEPTing everything
- from green (-i DEV_GREEN -j ACCEPT).
-*/
-void open_virtual(void)
-{
- // allow anything from any ipsec to go on all interface, including other
ipsec
- safe_system("/sbin/iptables -A " virtualtable " -i ipsec+ -j ACCEPT");
- //todo: BOT extension?; allowing ipsec0<<==port-list-filter==>>GREEN ?
-}
-
-void ipsec_norules()
-{
- /* clear input rules */
- safe_system("/sbin/iptables -F " phystable);
- safe_system("/sbin/iptables -F " virtualtable);
-
- // unmap red alias ????
-}
-
-
void add_alias_interfaces(char *configtype, char *redtype, char *redif, int
offset) //reserve room for ipsec0=red, ipsec1=green,
ipsec2=orange,ipsec3=blue
{
FILE *file = NULL;
@@ -286,7 +235,6 @@
if (argc == 2) {
if (strcmp(argv[1], "D") == 0) {
safe_system("/usr/local/bin/vpn-watch --stop");
- ipsec_norules();
/* Only shutdown pluto if it really is running */
int fd;
/* Get pluto pid */
@@ -311,9 +259,6 @@
/* stop the watch script as soon as possible */
safe_system("/usr/local/bin/vpn-watch --stop");
- /* clear iptables vpn rules */
- ipsec_norules();
-
/* read vpn config */
if (read_kv_from_file(&ipsec_kv, "/var/ipcop/vpn/settings") != SUCCESS) {
fprintf(stderr, "Cannot read vpn settings\n");
@@ -422,27 +367,13 @@
if ((enable_red == 1) || (enable_green == 1) || (enable_orange == 1) ||
(enable_blue == 1))
exit(1);
+ // reset firewall rules
+ safe_system("/usr/local/bin/setfwrules --ipcop");
+
// exit if nothing to do
if ((enable_red + enable_green + enable_orange + enable_blue) == 0)
exit(0);
- // open needed ports
- // todo: read a nat_t indicator to allow or not openning UDP/4500
- if (enable_red == 2)
- open_physical(if_red, 4500);
-
- if (enable_green == 2)
- open_physical(if_green, 4500);
-
- if (enable_orange == 2)
- open_physical(if_orange, 4500);
-
- if (enable_blue == 2)
- open_physical(if_blue, 4500);
-
- // then open the ipsecX
- open_virtual();
-
// start the system
if ((argc == 2) && strcmp(argv[1], "S") == 0) {
safe_system("/sbin/modprobe ipsec");
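Review bot: The result of `safe_system("/usr/local/bin/setfwrules --ipcop")` is discarded, so if the rule rebuild fails the code still loads the module and starts pluto with whatever rules happen to be in place; if safe_system reports the command status, `if (safe_system("/usr/local/bin/setfwrules --ipcop")) { fprintf(stderr, "Cannot reset firewall rules\n"); exit(1); }` would stop early. The stop path at `@@ -286` and the error paths later in this file lose their ipsec_norules() call without a replacement, so the isakmp/ESP/AH accepts built by puzzleFwRules.pl stay in place until something else reruns setfwrules; if the web UI does that after writing ENABLED=off, a comment saying so here would document it, otherwise the reset should also run on the D path. This hunk sits inside main(), which starts and ends outside it.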
@@ -457,7 +388,6 @@
// it is a selective start or stop
// second param is only a number 'key'
if ((argc == 2) || strspn(argv[2], NUMBERS) != strlen(argv[2])) {
- ipsec_norules();
fprintf(stderr, "Bad arg\n");
usage();
exit(1);
@@ -465,7 +395,6 @@
// search the vpn pointed by 'key'
if (!(file = fopen("/var/ipcop/vpn/config", "r"))) {
- ipsec_norules();
fprintf(stderr, "Couldn't open vpn settings file");
exit(1);
}
@@ -494,7 +423,6 @@
else if (strcmp(argv[1], "D") == 0)
turn_connection_off(name);
else {
- ipsec_norules();
fprintf(stderr, "Bad command\n");
exit(1);
}
Modified: ipcop/trunk/src/rc.d/rc.firewall
===================================================================
--- ipcop/trunk/src/rc.d/rc.firewall 2009-04-27 20:20:52 UTC (rev 2747)
+++ ipcop/trunk/src/rc.d/rc.firewall 2009-04-27 20:29:24 UTC (rev 2748)
@@ -169,11 +169,6 @@
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
- # TODO: handle ipsecX traffic through puzzleFwRules.pl and friends
- /sbin/iptables -N IPSECVIRTUAL
- /sbin/iptables -A INPUT -j IPSECVIRTUAL
- /sbin/iptables -A FORWARD -j IPSECVIRTUAL
-
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP #
Loopback not on lo
@@ -193,10 +188,6 @@
#~ /sbin/iptables -N DHCPBLUEINPUT
#~ /sbin/iptables -A INPUT -j DHCPBLUEINPUT
- # TODO: handle IPsec through puzzleFwRules.pl and friends
- /sbin/iptables -N IPSECPHYSICAL
- /sbin/iptables -A INPUT -j IPSECPHYSICAL
-
# WIRELESS chains
/sbin/iptables -N WIRELESSINPUT
/sbin/iptables -N WIRELESSFORWARD
Modified: ipcop/trunk/src/scripts/puzzleFwRules.pl
===================================================================
--- ipcop/trunk/src/scripts/puzzleFwRules.pl 2009-04-27 20:20:52 UTC (rev
2747)
+++ ipcop/trunk/src/scripts/puzzleFwRules.pl 2009-04-27 20:29:24 UTC (rev
2748)
@@ -749,14 +749,18 @@
&prepareRule("-F FW_IPCOP_FORWARD");
&prepareRule("-F FW_LOG");
+ # Retrieve IPsec settings
+ my %ipsecSettings = ();
+ if (-e "/var/ipcop/vpn/settings") {
+ &General::readhash("/var/ipcop/vpn/settings", \%ipsecSettings);
+ }
+
# Retrieve OpenVPN settings
my %ovpnSettings = ();
if (-e "/var/ipcop/ovpn/settings") {
&General::readhash("/var/ipcop/ovpn/settings", \%ovpnSettings);
}
- # TODO: IPsec settings and rules
-
# Deny only those traffic which is open in vanila IPCop.
# Other traffic blocked by IPCop rules. So it is possible by using
related, established connections
foreach my $inIface (keys %FW::interfaces) {
@@ -775,6 +779,18 @@
# Special treatment for Blue / Blue Access first
if ($FW::interfaces{$inIface}{'COLOR'} eq 'BLUE_COLOR') {
+ # Allow IPsec if enabled, IPsec access does not need Blue Access
entry so it much come first
+ # but only if we have policy half-open/open
+ if (($ipsecSettings{'ENABLED'} eq 'on') &&
($ifacePolicies{$inIface}{'POLICY'} =~ /^half-open|open$/)) {
+ my @ipcopServices = ('IPCop isakmp', 'IPCop ESP', 'IPCop AH');
+ foreach my $service (@ipcopServices) {
+ my @serviceXYZ = &buildServiceParamsDefault($service, "");
+ foreach my $protoPort (@serviceXYZ) {
+ &prepareRule("-A FW_IPCOP -i
$FW::interfaces{$inIface}{'IFACE'} $protoPort -j ACCEPT");
+ }
+ }
+ }
+
# Allow OpenVPN if enabled on blue, OpenVPN access does not need
Blue Access entry so it much come first
# but only if we have policy half-open/open
if (($ovpnSettings{'ENABLED_BLUE_1'} eq 'on') &&
($ifacePolicies{$inIface}{'POLICY'} =~ /^half-open|open$/)) {
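Review bot: The IPsec accept on BLUE is gated only on the global `ENABLED` flag, whereas the OpenVPN branch just below checks a per-interface key (`ENABLED_BLUE_1`) and the removed open_physical() calls in ipsecctrl.c only opened an interface whose enable_* flag was 2; as written, IKE/ESP/AH are accepted on every BLUE interface as soon as IPsec is enabled at all, and the same applies to the RED block in the next hunk and the ORANGE push in the last hunk. If the vpn settings carry a per-interface key, gate on it too, e.g. `if (($ipsecSettings{'ENABLED'} eq 'on') && ($ipsecSettings{'<PER_INTERFACE_KEY>'} eq 'on') && ($ifacePolicies{$inIface}{'POLICY'} =~ /^(?:half-open|open)$/)) {`; otherwise a comment stating that IPsec is deliberately opened on all interfaces of that colour would record the decision. The policy regex `/^half-open|open$/` is copied from the OpenVPN branch but alternates `^half-open` with `open$`, so any policy value ending in `open` passes — `/^(?:half-open|open)$/` is what the comment describes. The three nested loops are repeated verbatim for RED in the next hunk; a small helper taking the interface name would remove the duplication. The enclosing foreach over %FW::interfaces starts before this hunk.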
@@ -806,6 +822,17 @@
&prepareRule("-A FW_IPCOP -i
$FW::interfaces{$inIface}{'IFACE'} $protoPort -j ACCEPT");
}
+ # allow IPsec if enabled
+ if ($ipsecSettings{'ENABLED'} eq 'on') {
+ my @ipcopServices = ('IPCop isakmp', 'IPCop ESP', 'IPCop AH');
+ foreach my $service (@ipcopServices) {
+ my @serviceXYZ = &buildServiceParamsDefault($service, "");
+ foreach my $protoPort (@serviceXYZ) {
+ &prepareRule("-A FW_IPCOP -i
$FW::interfaces{$inIface}{'IFACE'} $protoPort -j ACCEPT");
+ }
+ }
+ }
+
# allow OpenVPN if enabled on red
if ($ovpnSettings{'ENABLED_RED_1'} eq 'on') {
my @serviceXYZ = &buildServiceParamsDefault('IPCop OpenVPN',
"");
@@ -813,8 +840,6 @@
&prepareRule("-A FW_IPCOP -i
$FW::interfaces{$inIface}{'IFACE'} $protoPort -j ACCEPT");
}
}
-
- # TODO: open firewall for IPsec
}
@@ -826,12 +851,15 @@
if ($FW::interfaces{$inIface}{'COLOR'} =~ /^GREEN_COLOR$/) {
@ipcopServices = ('IPCop dhcp', 'IPCop dns', 'IPCop ntp',
'IPCop proxy', 'Ping');
}
- # Some IPCop services for Blue (OpenVPN is already opened above)
+ # Some IPCop services for Blue (IPsec and/or OpenVPN are already
opened above)
if ($FW::interfaces{$inIface}{'COLOR'} =~ /^BLUE_COLOR$/) {
@ipcopServices = ('IPCop dhcp', 'IPCop dns', 'IPCop ntp',
'IPCop proxy', 'Ping');
}
# Some IPCop services for Orange
if ($FW::interfaces{$inIface}{'COLOR'} =~ /^ORANGE_COLOR$/) {
+ if ($ipsecSettings{'ENABLED'} eq 'on') {
+ push(@ipcopServices, 'IPCop isakmp', 'IPCop ESP', 'IPCop
AH');
+ }
if ($ovpnSettings{'ENABLED_ORANGE_1'} eq 'on') {
push(@ipcopServices, 'IPCop OpenVPN');
}