Dear all,
I have changed the default updown script so that it works with my configuration. I wanted to do firewall configuration for IPv6. Iptables 1.2.5, kernel 2.4.16 and FreeS/WAN 1.96 are already installed and working fine. I wanted to block every service such as telnet, ping, ftp, icmpv6 etc., except ssh, across the IPsec tunnel using ip6tables.
I am attaching my "_updown" file; if need arises, kindly let me know the changes I have to make in order to make it compatible with my configuration.
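#!/bin/sh
# _updown: invoked by pluto (FreeS/WAN) with the PLUTO_* variables in the
# environment; $1 is the optional firewall flavour (ipfwadm or ip6tables).
pktest="IP filter = "
# Debugging traces: pluto logs whatever this script writes to stdout.
echo "$PLUTO_VERSION"
echo "$pktest $1"
# check the interface version pluto speaks
case "$PLUTO_VERSION" in
1.[0])
  # Must come before the generic "1.*" arm; after it, this arm could
  # never match and the warning was dead code.
  echo "$0 : older pluto version " >&2
  ;;
1.*)
  ;;
*)
  echo "$0 : unknown interface version \`$PLUTO_VERSION'" >&2
  exit 2
  ;;
esac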
# check parameter(s): the only optional argument is the firewall flavour
# that pluto passes on for (left/right)firewall=yes or a custom updown.
case "$*" in
'')
  ;;                      # no firewall integration requested
ipfwadm)
  ;;                      # caused by (left/right)firewall=yes
ip6tables)
  ;;                      # IPv6 filtering handled in the verb arms below
*)
  echo "$0: unknown parameter \`$1'" >&2
  exit 2
  ;;
esac
# utility functions for route manipulation
# Meddling with this stuff should never be necessary and is most unwise.
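#######################################
# Add the IPv4 route to the peer's client subnet via the next hop.
# The posted copy had the command broken across lines by the mailer,
# which made "netmask" and the mask separate commands; rejoined here.
# Globals (read, all set by pluto): PLUTO_PEER_CLIENT_NET,
#   PLUTO_PEER_CLIENT_MASK, PLUTO_INTERFACE, PLUTO_NEXT_HOP
# Returns: exit status of route(8)
#######################################
uproutev4() {
  route add -net "$PLUTO_PEER_CLIENT_NET" netmask "$PLUTO_PEER_CLIENT_MASK" \
    dev "$PLUTO_INTERFACE" gw "$PLUTO_NEXT_HOP"
}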
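#######################################
# Remove the IPv4 route to the peer's client subnet (mirror of uproutev4).
# Rejoined after the mailer split the command across lines.
# Globals (read, all set by pluto): PLUTO_PEER_CLIENT_NET,
#   PLUTO_PEER_CLIENT_MASK, PLUTO_INTERFACE, PLUTO_NEXT_HOP
# Returns: exit status of route(8)
#######################################
downroutev4() {
  route del -net "$PLUTO_PEER_CLIENT_NET" netmask "$PLUTO_PEER_CLIENT_MASK" \
    dev "$PLUTO_INTERFACE" gw "$PLUTO_NEXT_HOP"
}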
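#######################################
# Add the IPv6 route to the peer's client subnet via the next hop.
# The echo is the author's debugging trace (pluto logs the output).
# NOTE(review): in the posted copy both lines were cut off after
# "dev $PLUTO..."; the final argument is restored as $PLUTO_INTERFACE
# to match uproutev4 -- confirm against the real file.
# Globals (read, all set by pluto): PLUTO_PEER_CLIENT_NET,
#   PLUTO_PEER_CLIENT_MASK, PLUTO_NEXT_HOP, PLUTO_INTERFACE
# Returns: exit status of route(8)
#######################################
uproutev6() {
  echo "route -A inet6 add $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK gw $PLUTO_NEXT_HOP dev $PLUTO_INTERFACE"
  route -A inet6 add "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" \
    gw "$PLUTO_NEXT_HOP" dev "$PLUTO_INTERFACE"
}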
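#######################################
# Remove the IPv6 route to the peer's client subnet (mirror of uproutev6).
# NOTE(review): the posted copy was cut off after "dev $PLUTO_INTER";
# restored as $PLUTO_INTERFACE to match the v4 helpers -- confirm.
# Globals (read, all set by pluto): PLUTO_PEER_CLIENT_NET,
#   PLUTO_PEER_CLIENT_MASK, PLUTO_NEXT_HOP, PLUTO_INTERFACE
# Returns: exit status of route(8)
#######################################
downroutev6() {
  route -A inet6 del "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" \
    gw "$PLUTO_NEXT_HOP" dev "$PLUTO_INTERFACE"
}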
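# the big choice
#
# PLUTO_VERB is the operation pluto is performing; $1 is the optional
# firewall flavour (ipfwadm or ip6tables).  The prepare-* arms exit the
# script themselves; every other arm falls through to the end.
# The posted copy was line-wrapped by the mailer; commands and their
# error strings are rejoined here.
case "$PLUTO_VERB:$1" in
prepare-host-v4:*|prepare-client-v4:*|prepare-host:*|prepare-client:*)
  # delete possibly-existing route (preliminary to adding a route)
  oops=$(route del -net "$PLUTO_PEER_CLIENT_NET" \
    netmask "$PLUTO_PEER_CLIENT_MASK" 2>&1)
  status=$?
  # route(8) sometimes fails without printing anything; say so.
  if test -z "$oops" && test "$status" != 0
  then
    oops="silent error in route command, exit status $status"
  fi
  case "$oops" in
  'SIOCDELRT: No such process')
    # This is what route (currently -- not documented!) gives
    # for "could not find such a route".
    status=0
    ;;
  esac
  exit "$status"
  ;;
route-host-v4:*|route-client-v4:*|route-host:*|route-client:*)
  # connection to this host or client being routed
  uproutev4
  ;;
unroute-host-v4:*|unroute-client-v4:*|unroute-host:*|unroute-client:*)
  # connection to this host or client being unrouted
  downroutev4
  ;;
prepare-host-v6:*|prepare-client-v6:*)
  # delete possibly-existing route (preliminary to adding a route)
  # The two echos are the author's debugging traces (pluto logs stdout).
  echo "prepare-host-v6 and prepare-client-v6 working upto here ................"
  echo "route -A inet6 del $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK 2>&1"
  oops=$(route -A inet6 del "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" 2>&1)
  status=$?
  if test -z "$oops" && test "$status" != 0
  then
    oops="silent error in route command, exit status $status"
  fi
  case "$oops" in
  'SIOCDELRT: No such process')
    # This is what route (currently -- not documented!) gives
    # for "could not find such a route".
    status=0
    ;;
  esac
  exit "$status"
  # Unreachable after the exit above; kept as the author left it.
  #ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
  ;;
route-host-v6:*|route-client-v6:*)
  # connection to this host or client being routed
  uproutev6
  # IPv4 filtering, installed at route time -- i.e. before IPsec is up.
  # NOTE(review): "--ahspi 500"/"--espspi 500" match only the single
  # SPI value 500; 500 is IKE's UDP port, not an SPI, so these rules
  # most likely match nothing.  Dropping all ESP/AH would break IPsec.
  iptables -A INPUT -p 51 -m ah --ahspi 500 -j DROP
  iptables -A INPUT -p 50 -m esp --espspi 500 -j DROP
  # The posted rule had "--icmp-type" with no argument, which iptables
  # rejects, so it never loaded.  Without the option all ICMP is dropped,
  # which is what the matching OUTPUT rule and the stated goal want.
  iptables -A INPUT -p icmp -j DROP
  # "--ports" is the multiport match's option and needs "-m multiport";
  # as posted the command was rejected.  Note 20:23 includes port 22,
  # so this also drops SSH over IPv4.
  # TODO(review): confirm this iptables accepts a range inside a
  # multiport list; otherwise enumerate the ports (20,21,22,23,80).
  iptables -A INPUT -p tcp -m multiport --ports 20:23,80 -j DROP
  iptables -A OUTPUT -p 51 -m ah --ahspi 500 -j DROP
  iptables -A OUTPUT -p 50 -m esp --espspi 500 -j DROP
  iptables -A OUTPUT -p icmp -j DROP
  iptables -A OUTPUT -p tcp -m multiport --ports 20:23,80 -j DROP
  # IPv6: refuse new TCP connections (SYN without ACK/RST) everywhere,
  # and on the sit+ tunnels in both directions ("--syn" is the same
  # flag test as the first rule).
  ip6tables -I INPUT -p tcp --tcp-flags SYN,RST,ACK SYN -j DROP
  # Drops outbound SSH client connections from 3ffe:0:0:2::1 through
  # the tunnel -- at odds with the intent of leaving SSH usable.
  ip6tables -A OUTPUT -o sit+ -p tcp -s 3ffe:0:0:2::1/128 --sport 512:65535 --dport 22 -j DROP
  ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP
  ip6tables -I OUTPUT -o sit+ -p tcp --syn -j DROP
  ;;
unroute-host-v6:*|unroute-client-v6:*)
  # connection to this host or client being unrouted
  downroutev6
  # -F empties the whole chain, including rules this script did not add.
  iptables -F INPUT
  iptables -F OUTPUT
  ip6tables -F INPUT
  ip6tables -F OUTPUT
  ;;
up-host-v4:*|up-host-v6:*|up-host:*)
  # connection to this host coming up
  echo "up-host-v6 working upto here ................"
  # Let ESP (50) and AH (51) from the peer in at the head of INPUT.
  ip6tables -I INPUT 1 -j ACCEPT -p 50 -s "$PLUTO_PEER" -d "$PLUTO_ME"
  ip6tables -I INPUT 2 -j ACCEPT -p 51 -s "$PLUTO_PEER" -d "$PLUTO_ME"
  ip6tables -A INPUT -i sit+ -p icmpv6 -j DROP
  ip6tables -A OUTPUT -o sit+ -p icmpv6 -j DROP
  ip6tables -A OUTPUT -o sit+ -p tcp --syn -j DROP -s 3ffe:0:0:2::1
  # Catch-all rules.  NOTE(review): nothing above accepts TCP port 22,
  # so the unconditional TCP DROPs below also discard SSH -- including
  # the decrypted packets that re-enter INPUT/FORWARD from the tunnel.
  # The stated goal of keeping SSH open is not met by this rule set.
  # NOTE(review): "-s 0/0 -d 0/0" is IPv4 notation; confirm this
  # ip6tables accepts it (IPv6 "any" is ::/0, and omitting -s/-d means
  # the same thing).
  ip6tables -A INPUT -s 0/0 -d 0/0 -i lo -j ACCEPT
  ip6tables -A INPUT -s 0/0 -d 0/0 -p tcp -j DROP
  ip6tables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
  ip6tables -A FORWARD -s 0/0 -d 0/0 -i lo -j ACCEPT
  ip6tables -A FORWARD -s 0/0 -d 0/0 -p tcp -j DROP
  ip6tables -A FORWARD -s 0/0 -d 0/0 -p udp -j DROP
  ip6tables -A OUTPUT -s 0/0 -d 0/0 -o lo -j ACCEPT
  ip6tables -A OUTPUT -s 0/0 -d 0/0 -p tcp -j DROP
  ip6tables -A OUTPUT -s 0/0 -d 0/0 -p udp -j DROP
  ;;
down-host-v4:*|down-host-v6:*|down-host:*)
  # connection to this host going down
  echo "down-host-v6 working upto here ................"
  # Flushes every rule in these chains, not only the ones added above.
  ip6tables -F INPUT
  ip6tables -F FORWARD
  ip6tables -F OUTPUT
  #ip6tables -D FORWARD 1
  #ip6tables -D FORWARD 2
  ;;
up-client-v4:|up-client-v6:|up-client:)
  # connection to client subnet coming up
  ;;
down-client-v4:|down-client-v6:|down-client:)
  # connection to client subnet going down
  ;;
up-client-v4:ipfwadm|up-client:ipfwadm)
  # connection to client subnet, through forwarding firewall, coming up
  # NOTE(review): the last argument was cut off ("$PLUT") in the posted
  # copy; restored as $PLUTO_PEER_CLIENT_MASK, the pairing used elsewhere
  # in this script -- confirm against the real file.
  ipfwadm -F -i accept -b -S "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" \
    -D "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK"
  ;;
down-client-v4:ipfwadm|down-client:ipfwadm)
  # connection to client subnet, through forwarding firewall, going down
  # NOTE(review): last argument restored from a truncated line, as above.
  ipfwadm -F -d accept -b -S "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" \
    -D "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK"
  ;;
up-client-v6:ipfwadm)
  # connection to client subnet, through forwarding firewall, coming up
  ;;
down-client-v6:ipfwadm)
  # connection to client subnet, through forwarding firewall, going down
  ;;
up-client-v6:ip6tables)
  # connection to my client subnet coming up
  # If you are doing a custom version, firewall commands go here.
  # 50 for ESP, 51 for AH
  ;;
down-client-v6:ip6tables)
  # connection to my client subnet going down
  # If you are doing a custom version, firewall commands go here.
  ;;
*)
  echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
  exit 1
  ;;
esac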
thanx in advance,
pawan kumar