-rw-r--r-- | ipmasq/rules/A01interfaces.rul | 15 | ||||
-rw-r--r-- | ipmasq/rules/A01precompute.rul | 56 | ||||
-rw-r--r-- | ipmasq/rules/F50ipsec.rul | 26 | ||||
-rw-r--r-- | ipmasq/rules/I50ipsec.rul | 22 | ||||
-rw-r--r-- | ipmasq/rules/O50ipsec.rul | 22 |
5 files changed, 141 insertions, 0 deletions
diff --git a/ipmasq/rules/A01interfaces.rul b/ipmasq/rules/A01interfaces.rul
new file mode 100644
index 0000000..3ce53da
--- /dev/null
+++ b/ipmasq/rules/A01interfaces.rul
@@ -0,0 +1,15 @@
+# You should not edit this file. Instead, create a file with the same
+# name as this one, but with a .rul extension instead of .def. The
+# .rul file will override this one.
+#
+# However, any changes you make to this file will be preserved.
+
+# find interface names
+EXTERNAL=$(default-if | sort -u)
+INTERNAL=$(enumerate-if | sort -u | grep -v lo | grep -v irda | grep -v ipsec)
+if [ -n "$EXTERNAL" ]; then
+ for i in $EXTERNAL; do
+ INTERNAL=$(echo $INTERNAL | sed -e s/$i//)
+ done
+fi
+IPSEC=$(enumerate-if | sort -u | grep ipsec)
diff --git a/ipmasq/rules/A01precompute.rul b/ipmasq/rules/A01precompute.rul
new file mode 100644
index 0000000..45786e6
--- /dev/null
+++ b/ipmasq/rules/A01precompute.rul
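Review bot: `sed -e s/$i//` strips the external interface name from `$INTERNAL` as a substring rather than as a whole word, so with `EXTERNAL=eth0` an alias `eth0:1` (which enumerate-if appears to list, given the `:`-to-`_` rewrite in A01precompute) is left as `:1`, and `eth1` turns `eth10` into `0`, so a real interface ends up with no rules in the later files. Matching whole names fixes this: `INTERNAL=$(printf '%s\n' $INTERNAL | grep -vxF -- "$i")`. The same substring matching applies to `grep -v lo`, which also drops any interface whose name merely contains `lo`; `grep -v '^lo$'` is the stricter form. The header comment tells the reader to create a `.rul` instead of editing this `.def`, yet the file being added is the `.rul` itself, so the header seems copied from a `.def` and should be corrected.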
@@ -0,0 +1,56 @@
+if [ "$SHOWRULES" = "yes" ]; then
+ echo "Interfaces found:"
+fi
+
+# precompute ips and netmasks
+if [ -n "$EXTERNAL" -o -n "$INTERNAL" -o -n "$IPSEC" ]; then
+ for i in $EXTERNAL $INTERNAL $IPSEC; do
+ ii=$(echo $i | sed -e 's/\:/_/g')
+ ip=$(ipofif $i)
+ nm=$(nmofif $i)
+ peer=$(peerofif $i)
+ bc=$(bcofif $i)
+ eval "IPOFIF_$ii=$ip"
+ eval "NMOFIF_$ii=$nm"
+ eval "PEEROFIF_$ii=$peer"
+ eval "BCOFIF_$ii=$bc"
+ if [ "$SHOWRULES" = "yes" ]; then
+ echo -e " $i\t$ip/$nm"
+ fi
+ done
+fi
+
+# precompute ipsec connections
+if [ -n "$IPSEC" ]; then
+ if [ "$SHOWRULES" = "yes" ]; then
+ echo "IPSec connections found:"
+ fi
+ IPSECCONN=""
+ for i in $IPSEC; do
+ ii=$(echo $i | sed -e 's/\:/_/g')
+ eval "ip=\$IPOFIF_$ii"
+ eval "nm=\$IPOFIF_$ii"
+ igw=$(ipsec look | grep IPIP:.*src=$ip | sed 's/^\([^[:blank:]]*\).*/\1/')
+ conncollect=""
+ for ipsecgw in $igw; do
+ conn=$(ipsec look | grep "=> $ipsecgw" | sed 's/^.*=>[[:blank:]]*\([^@[:blank:]]*\).*/\1/')
+ conncollect="$conncollect $conn"
+ eval "IPSEC_IF_$conn=$i"
+ cidrleft=$(ipsec look | grep "=> $ipsecgw" | sed 's/^\([^[:blank:]]*\)[[:blank:]]*->[[:blank:]]*[^[:blank:]]*.*/\1/')
+ eval "IPSEC_HERE_$conn=$cidrleft"
+ cidrright=$(ipsec look | grep "=> $ipsecgw" | sed 's/^[^[:blank:]]*[[:blank:]]*->[[:blank:]]*\([^[:blank:]]*\).*/\1/')
+ eval "IPSEC_THERE_$conn=$cidrright"
+ eval "IPSEC_THERE_$conn=$cidrright"
+ done
+ IPSECCONN="$IPSECCONN $conncollect"
+ eval "IPSECCONN_${ii}=\"$conncollect\""
+ if [ "$SHOWRULES" = "yes" ]; then
+ echo -e " $i\t$ip/$nm"
+ for conn in $conncollect; do
+ eval "IPSEC_HERE=\$IPSEC_HERE_$conn"
+ eval "IPSEC_THERE=\$IPSEC_THERE_$conn"
+ echo -e " $IPSEC_HERE -> $IPSEC_THERE"
+ done
+ fi
+ done
+fi
diff --git a/ipmasq/rules/F50ipsec.rul b/ipmasq/rules/F50ipsec.rul
new file mode 100644
index 0000000..817325a
--- /dev/null
+++ b/ipmasq/rules/F50ipsec.rul
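Review bot: `eval "nm=\$IPOFIF_$ii"` reads the address variable instead of the netmask, so the `IPSec connections found:` listing prints the interface IP twice; it should be `eval "nm=\$NMOFIF_$ii"`. The connection name parsed from `ipsec look` is spliced into `eval` as part of a variable name (`IPSEC_IF_$conn=$i` and the `IPSEC_HERE_`/`IPSEC_THERE_` lines, and again in the lookups in F50ipsec, I50ipsec and O50ipsec) without the `:`-to-`_` rewrite that `$ii` gets, so a connection named with `-` or `.` turns the assignment into a command invocation; rewriting non-identifier characters first, `cc=$(echo $conn | sed -e 's/[^A-Za-z0-9_]/_/g')`, and using `$cc` in the variable names and in `$conncollect` avoids that. The `grep IPIP:.*src=$ip` pattern is unquoted, so the shell may glob it against the current directory, and the unanchored address also matches longer addresses such as `src=10.0.0.10` for `ip=10.0.0.1`; `grep "IPIP:.*src=$ip "` (assuming the field is blank-terminated, which I cannot confirm from here) is safer. The second `eval "IPSEC_THERE_$conn=$cidrright"` is a duplicate, and `ipsec look` is run four times per gateway; capturing it once into a variable before the loop would be faster and keep the parsed fields consistent with each other.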
@@ -0,0 +1,26 @@
+#: forward packets between internal and ipsec networks
+if [ -n "$IPSECCONN" ]; then
+ for j in $IPSECCONN; do
+ eval "IPSEC_IF=\$IPSEC_IF_$j"
+ eval "IPSEC_HERE=\$IPSEC_HERE_$j"
+ eval "IPSEC_THERE=\$IPSEC_THERE_$j"
+ for i in $INTERNAL; do
+ ipnm_cache $i
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -F -a accept -b -S $IPOFIF/$NMOFIF -D $IPSEC_THERE
+ ;;
+ ipchains)
+ $IPCHAINS -A forward -b -j ACCEPT -s $IPSEC_HERE -d $IPSEC_THERE
+ ;;
+ netfilter)
+ $IPTABLES -t nat -A POSTROUTING -s $IPSEC_HERE -d $IPSEC_THERE -j ACCEPT
+ $IPTABLES -A FORWARD -j ACCEPT -s $IPSEC_HERE -d $IPSEC_THERE
+ $IPTABLES -A FORWARD -j ACCEPT -d $IPSEC_HERE -s $IPSEC_THERE
+# $IPTABLES -A FORWARD -j ACCEPT -s $IPOFIF/$NMOFIF -d $IPSEC_THERE
+# $IPTABLES -A FORWARD -j ACCEPT -d $IPOFIF/$NMOFIF -s $IPSEC_THERE
+ ;;
+ esac
+ done
+ done
+fi
diff --git a/ipmasq/rules/I50ipsec.rul b/ipmasq/rules/I50ipsec.rul
new file mode 100644
index 0000000..8d6e859
--- /dev/null
+++ b/ipmasq/rules/I50ipsec.rul
@@ -0,0 +1,22 @@
+#: Accept packets from remote ipsec networks on ipsec interfaces
+if [ -n "$IPSECCONN" ]; then
+ for i in $IPSECCONN; do
+ eval "IPSEC_IF=\$IPSEC_IF_$i"
+ eval "IPSEC_HERE=\$IPSEC_HERE_$i"
+ eval "IPSEC_THERE=\$IPSEC_THERE_$i"
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -I -a accept -W ${IPSEC_IF%%:*} -S $IPSEC_HERE
+ $IPFWADM -I -a accept -W ${IPSEC_IF%%:*} -S $IPSEC_THERE
+ ;;
+ ipchains)
+ $IPCHAINS -A input -j ACCEPT -i ${IPSEC_IF%%:*} -s $IPSEC_HERE
+ $IPCHAINS -A input -j ACCEPT -i ${IPSEC_IF%%:*} -s $IPSEC_THERE
+ ;;
+ netfilter)
+ $IPTABLES -A INPUT -j ACCEPT -i ${IPSEC_IF%%:*} -s $IPSEC_HERE
+ $IPTABLES -A INPUT -j ACCEPT -i ${IPSEC_IF%%:*} -s $IPSEC_THERE
+ ;;
+ esac
+ done
+fi
diff --git a/ipmasq/rules/O50ipsec.rul b/ipmasq/rules/O50ipsec.rul
new file mode 100644
index 0000000..c0b5b5c
--- /dev/null
+++ b/ipmasq/rules/O50ipsec.rul
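Review bot: The netfilter `FORWARD` rules (and the ipchains `-b` rule) accept solely on the `$IPSEC_HERE`/`$IPSEC_THERE` address pair with no interface match, so a packet arriving on the external interface with a forged source inside `$IPSEC_THERE` and a destination in `$IPSEC_HERE` is forwarded into the local network by this rule unless an earlier rule file or rp_filter already drops it; `$IPSEC_IF` is looked up at the top of the loop but never used here, whereas I50ipsec and O50ipsec do bind their rules to `${IPSEC_IF%%:*}`. Binding the forward rules the same way closes that gap: `$IPTABLES -A FORWARD -j ACCEPT -o ${IPSEC_IF%%:*} -s $IPSEC_HERE -d $IPSEC_THERE` and `$IPTABLES -A FORWARD -j ACCEPT -i ${IPSEC_IF%%:*} -d $IPSEC_HERE -s $IPSEC_THERE`, with `-i ${IPSEC_IF%%:*}` added to the ipchains rule likewise. The inner `for i in $INTERNAL` loop variable is only consumed by `ipnm_cache $i` for the ipfwadm branch, so the ipchains and netfilter rules are appended once per internal interface, producing duplicate rules; either move those two branches out of the inner loop or use `$IPOFIF/$NMOFIF` as the commented-out lines suggest.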
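Review bot: The second rule in every branch accepts packets on the ipsec interface whose source is `$IPSEC_HERE`, the local side of the connection, although the `#:` header says the file accepts packets from remote ipsec networks; a packet decrypted from the tunnel claiming a local-subnet source is not what the tunnel policy describes, so unless KLIPS itself enforces the inbound policy (which I cannot confirm from here) that rule admits a spoofed local source through the tunnel. If the rule is needed for some traffic pattern, a comment stating which one would let the next reader judge it; otherwise only the `-s $IPSEC_THERE` line per branch seems required. Note also that the rules are emitted once per connection rather than once per interface, so several connections on one `ipsecN` interface produce duplicate rules, which is harmless but noisy in `SHOWRULES` output.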
@@ -0,0 +1,22 @@
+#: Allow packets for ipsec hosts to be delivered using ipsec interfaces
+if [ -n "$IPSECCONN" ]; then
+ for i in $IPSECCONN; do
+ eval "IPSEC_IF=\$IPSEC_IF_$i"
+ eval "IPSEC_HERE=\$IPSEC_HERE_$i"
+ eval "IPSEC_THERE=\$IPSEC_THERE_$i"
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -O -a accept -W ${i%%:*} -D $IPSEC_HERE
+ $IPFWADM -O -a accept -W ${i%%:*} -D $IPSEC_THERE
+ ;;
+ ipchains)
+ $IPCHAINS -A output -j ACCEPT -i ${IPSEC_IF%%:*} -d $IPSEC_HERE
+ $IPCHAINS -A output -j ACCEPT -i ${IPSEC_IF%%:*} -d $IPSEC_THERE
+ ;;
+ netfilter)
+ $IPTABLES -A OUTPUT -j ACCEPT -o ${IPSEC_IF%%:*} -d $IPSEC_HERE
+ $IPTABLES -A OUTPUT -j ACCEPT -o ${IPSEC_IF%%:*} -d $IPSEC_THERE
+ ;;
+ esac
+ done
+fi |
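Review bot: The ipfwadm branch passes `${i%%:*}` to `-W`, but `$i` here is the connection name taken from `$IPSECCONN`, not an interface, so ipfwadm is given a bogus interface name; the ipchains and netfilter branches in this file and all three branches in I50ipsec use `${IPSEC_IF%%:*}`. Change both lines to `$IPFWADM -O -a accept -W ${IPSEC_IF%%:*} -D $IPSEC_HERE` and `$IPFWADM -O -a accept -W ${IPSEC_IF%%:*} -D $IPSEC_THERE`. As in I50ipsec, the `-d $IPSEC_HERE` rule on the ipsec interface goes beyond what the `#:` header describes (delivering to ipsec hosts); if output through the ipsec interface toward the local subnet is intended, a comment saying why would help the next reader decide whether to keep it.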