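#!/bin/sh
# updown-style helper run by pluto: one invocation per verb ($PLUTO_VERB),
# with the connection details supplied in the PLUTO_* environment
# (PLUTO_VERSION, PLUTO_INTERFACE, PLUTO_NEXT_HOP, PLUTO_ME, PLUTO_PEER,
# PLUTO_MY_CLIENT_NET/MASK, PLUTO_PEER_CLIENT_NET/MASK).
#
# Usage: $0 [ip6tables|ipfwadm]
#   $1, when given, selects the firewall flavour for the *-client-* verbs.
#
# Exit status: 0 on success; 1 for an unknown verb/parameter combination;
# 2 for an unknown interface version or unknown parameter; for the
# prepare-* verbs, the status of the route(8) deletion.
#
# NOTE(review): this copy carries test-harness firewall rules and debug
# echoes (the "working upto here" lines); they are kept as-is below.

pktest="IP filter = "
echo "$PLUTO_VERSION"
echo "$pktest $1"

# Interface version check. The 1.[0] arm has to come before 1.*: case
# takes the first matching pattern, so in the other order it is unreachable.
case "$PLUTO_VERSION" in
1.[0])
  echo "$0 : older pluto version " >&2
  ;;
1.*)
  ;;
*)
  echo "$0 : unknown interface version \`$PLUTO_VERSION'" >&2
  exit 2
  ;;
esac

# check parameter(s): the whole argument list must be empty or one of the
# firewall names the *-client-* verbs understand (the message reports $1).
case "$*" in
'')
  ;;
ip6tables)
  ;;
ipfwadm)  # caused by (left/right)firewall=yes
  ;;
*)
  echo "$0: unknown parameter \`$1'" >&2
  exit 2
  ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should never be necessary and is most unwise.
# Every PLUTO_* value is quoted so that a value containing whitespace or
# glob characters reaches route(8) as exactly one argument.

# Add the IPv4 route to the peer's client subnet via PLUTO_NEXT_HOP.
uproutev4() {
  route add -net "$PLUTO_PEER_CLIENT_NET" netmask "$PLUTO_PEER_CLIENT_MASK" \
    dev "$PLUTO_INTERFACE" gw "$PLUTO_NEXT_HOP"
}

# Remove the IPv4 route added by uproutev4.
downroutev4() {
  route del -net "$PLUTO_PEER_CLIENT_NET" netmask "$PLUTO_PEER_CLIENT_MASK" \
    dev "$PLUTO_INTERFACE" gw "$PLUTO_NEXT_HOP"
}

# Add the IPv6 route to the peer's client subnet. The command line is
# echoed to stdout first (debug output kept from the original).
uproutev6() {
  echo "route -A inet6 add $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK gw $PLUTO_NEXT_HOP dev $PLUTO_INTERFACE"
  route -A inet6 add "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" \
    gw "$PLUTO_NEXT_HOP" dev "$PLUTO_INTERFACE"
}

# Remove the IPv6 route added by uproutev6.
downroutev6() {
  route -A inet6 del "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" \
    gw "$PLUTO_NEXT_HOP" dev "$PLUTO_INTERFACE"
}

# Delete a possibly-existing route (preliminary to adding a route).
# Shared by the v4 and v6 prepare-* verbs, which previously duplicated it.
# Arguments: the complete route(8) argument list, e.g.
#            "del -net N netmask M" or "-A inet6 del N/M".
# Outputs:   route's own output is captured, so on failure it is reported
#            on stderr here (the original captured it and then dropped it).
# Returns:   0 if the route was deleted or did not exist; otherwise the
#            exit status of route.
delete_route_if_present() {
  oops=$(route "$@" 2>&1)
  status=$?
  if test " $oops" = " " -a " $status" != " 0"
  then
    oops="silent error in route command, exit status $status"
  fi
  case "$oops" in
  'SIOCDELRT: No such process')
    # This is what route (currently -- not documented!) gives
    # for "could not find such a route".
    status=0
    ;;
  esac
  if test " $status" != " 0"
  then
    echo "$0: \`route $*' failed ($oops)" >&2
  fi
  return "$status"
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host-v4:*|prepare-client-v4:*|prepare-host:*|prepare-client:*)
  # delete possibly-existing route (preliminary to adding a route)
  delete_route_if_present del -net "$PLUTO_PEER_CLIENT_NET" \
    netmask "$PLUTO_PEER_CLIENT_MASK"
  exit "$?"
  ;;
route-host-v4:*|route-client-v4:*|route-host:*|route-client:*)
  # connection to this host or client being routed
  uproutev4
  ;;
unroute-host-v4:*|unroute-client-v4:*|unroute-host:*|unroute-client:*)
  # connection to this host or client being unrouted
  downroutev4
  ;;
prepare-host-v6:*|prepare-client-v6:*)
  # delete possibly-existing route (preliminary to adding a route)
  echo "prepare-host-v6 and prepare-client-v6 working upto here ................"
  echo "route -A inet6 del $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK 2>&1"
  delete_route_if_present -A inet6 del \
    "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK"
  #ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
  exit "$?"
  ;;
route-host-v6:*|route-client-v6:*)
  # connection to this host or client being routed
  uproutev6
  # Test-harness filter rules, installed before IPsec traffic starts.
  # They use fixed SPIs, ports and a fixed source address rather than the
  # PLUTO_* values of this connection; no rule is checked for failure,
  # and unroute-*-v6 removes them by flushing whole chains.
  iptables -A INPUT -p 51 -m ah --ahspi 500 -j DROP
  iptables -A INPUT -p 50 -m esp --espspi 500 -j DROP
  # NOTE(review): --icmp-type is missing its argument here and in the
  # OUTPUT rule below, so iptables cannot install these two rules as
  # written; the intended ICMP type is not recoverable from this file --
  # confirm and fill it in.
  iptables -A INPUT -p icmp --icmp-type -j DROP
  # --ports is an option of the multiport match; without "-m multiport"
  # iptables reports an unknown option and the rule is not installed.
  iptables -A INPUT -p tcp -m multiport --ports 20:23,80 -j DROP
  iptables -A OUTPUT -p 51 -m ah --ahspi 500 -j DROP
  iptables -A OUTPUT -p 50 -m esp --espspi 500 -j DROP
  iptables -A OUTPUT -p icmp --icmp-type -j DROP
  iptables -A OUTPUT -p tcp -m multiport --ports 20:23,80 -j DROP
  ip6tables -I INPUT -p tcp --tcp-flags SYN,RST,ACK SYN -j DROP
  ip6tables -A OUTPUT -o sit+ -p tcp -s 3ffe:0:0:2::1/128 --sport 512:65535 --dport 22 -j DROP
  ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP
  ip6tables -I OUTPUT -o sit+ -p tcp --syn -j DROP
  ;;
unroute-host-v6:*|unroute-client-v6:*)
  # connection to this host or client being unrouted
  downroutev6
  # -F discards every rule in the chain, not only the ones added in
  # route-*-v6 above: anything another tool installed is lost and only the
  # chain policy remains. Deleting the specific rules (-D with the same
  # rule spec) would be the contained form.
  iptables -F INPUT
  iptables -F OUTPUT
  ip6tables -F INPUT
  ip6tables -F OUTPUT
  ;;
up-host-v4:*|up-host-v6:*|up-host:*)
  # connection to this host coming up
  echo "up-host-v6 working upto here ................"
  # Accept ESP (50) and AH (51) from the peer at the top of INPUT, then
  # restrict the sit+ tunnel interfaces and drop all other TCP/UDP except
  # on loopback. These are ip6tables rules even for the up-host-v4 verb;
  # presumably the two ACCEPT rules fail there with IPv4 peer addresses --
  # confirm.
  ip6tables -I INPUT 1 -j ACCEPT -p 50 -s "$PLUTO_PEER" -d "$PLUTO_ME"
  ip6tables -I INPUT 2 -j ACCEPT -p 51 -s "$PLUTO_PEER" -d "$PLUTO_ME"
  ip6tables -A INPUT -i sit+ -p icmpv6 -j DROP
  ip6tables -A OUTPUT -o sit+ -p icmpv6 -j DROP
  ip6tables -A OUTPUT -o sit+ -p tcp --syn -j DROP -s 3ffe:0:0:2::1
  # NOTE(review): 0/0 is the IPv4 spelling of "any"; ::/0 is the
  # unambiguous IPv6 form -- confirm this ip6tables build accepts 0/0.
  ip6tables -A INPUT -s 0/0 -d 0/0 -i lo -j ACCEPT
  ip6tables -A INPUT -s 0/0 -d 0/0 -p tcp -j DROP
  ip6tables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
  ip6tables -A FORWARD -s 0/0 -d 0/0 -i lo -j ACCEPT
  ip6tables -A FORWARD -s 0/0 -d 0/0 -p tcp -j DROP
  ip6tables -A FORWARD -s 0/0 -d 0/0 -p udp -j DROP
  ip6tables -A OUTPUT -s 0/0 -d 0/0 -o lo -j ACCEPT
  ip6tables -A OUTPUT -s 0/0 -d 0/0 -p tcp -j DROP
  ip6tables -A OUTPUT -s 0/0 -d 0/0 -p udp -j DROP
  ;;
down-host-v4:*|down-host-v6:*|down-host:*)
  # connection to this host going down
  echo "down-host-v6 working upto here ................"
  # Same caveat as unroute-*-v6: whole-chain flushes, not targeted deletes.
  ip6tables -F INPUT
  ip6tables -F FORWARD
  ip6tables -F OUTPUT
  #ip6tables -D FORWARD 1
  #ip6tables -D FORWARD 2
  ;;
up-client-v4:|up-client-v6:|up-client:)
  # connection to client subnet coming up
  ;;
down-client-v4:|down-client-v6:|down-client:)
  # connection to client subnet going down
  ;;
up-client-v4:ipfwadm|up-client:ipfwadm)
  # connection to client subnet, through forwarding firewall, coming up
  ipfwadm -F -i accept -b \
    -S "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" \
    -D "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK"
  ;;
down-client-v4:ipfwadm|down-client:ipfwadm)
  # connection to client subnet, through forwarding firewall, going down
  ipfwadm -F -d accept -b \
    -S "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" \
    -D "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK"
  ;;
up-client-v6:ipfwadm)
  # connection to client subnet, through forwarding firewall, coming up
  ;;
down-client-v6:ipfwadm)
  # connection to client subnet, through forwarding firewall, going down
  ;;
up-client-v6:ip6tables)
  # connection to my client subnet coming up
  # If you are doing a custom version, firewall commands go here.
  # 50 for ESP, 51 for AH
  ;;
down-client-v6:ip6tables)
  # connection to my client subnet going down
  # If you are doing a custom version, firewall commands go here.
  ;;
*)
  echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
  exit 1
  ;;
esac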