
#!/bin/sh
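PATH=/sbin:/usr/sbin:$PATH
# Every rule this script installs is tagged with this comment; the cleanup
# paths below select rules by it, so it must never match a rule added by
# anything else.
COMMENT="ocserv-fw"

# Print, one per line, the commands that delete every rule tagged with
# ${COMMENT} in the ruleset of "$1" (iptables or ip6tables).  When "$2" is
# given, only rules bound to that interface (-i/-o) are selected.  The
# interface name is matched as a fixed string followed by a space, so that
# "vpns1" does not also select the rules of "vpns10".  Only the leading
# "-A CHAIN" is rewritten to "-D CHAIN"; a "-A" anywhere else on the line is
# left alone.  The output is meant to be eval'd by the caller: every field in
# it comes from "$1 -S", i.e. from rules this script itself installed.
rules_to_delete() {
  if test -n "$2"; then
    "$1" -S | grep "comment ${COMMENT}" | grep -F -e "-i $2 " -e "-o $2 " \
      | sed -e "s/^-A /$1 -D /"
  else
    "$1" -S | grep "comment ${COMMENT}" | sed -e "s/^-A /$1 -D /"
  fi
}

# "--removeall": delete every tagged rule, for both address families.
if test "$1" = "--removeall"; then
  eval "$(rules_to_delete iptables)"
  eval "$(rules_to_delete ip6tables)"
  exit 0
fi

# Any other invocation is an ocserv connect/disconnect hook; REASON selects
# whether rules are appended or deleted.
case "${REASON}" in
  connect)
    MOD="-A"
    ;;
  disconnect)
    MOD="-D"
    ;;
  *)
    logger -t ocserv-fw "unknown reason ${REASON}"
    exit 1
    ;;
esac

# Without the session interface the device-scoped cleanup below would match
# every tagged rule (including those of other sessions) and every rule
# command further down would be malformed; refuse to continue.
if test -z "${DEVICE}"; then
  logger -t ocserv-fw "no DEVICE set for reason ${REASON}"
  exit 1
fi

if test "${MOD}" = "-A"; then
  # clear any leftover rules for this device; best effort, a missing
  # ip6tables or an already absent rule must not abort the connect
  eval "$(rules_to_delete iptables "${DEVICE}")" 2>/dev/null
  eval "$(rules_to_delete ip6tables "${DEVICE}")" 2>/dev/null
fi

# From here on a failing rule command aborts the script with its status.
set -e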
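# Add or delete (per ${MOD}) the rules that let the client on ${DEVICE}
# reach the DNS server "$2" on port 53 over UDP and TCP, using the tool "$1"
# (iptables or ip6tables).  Each rule carries ${COMMENT} so the cleanup
# paths can find it again.  Exit status is that of the last tool call; under
# "set -e" any failing call terminates the script.
allow_dns() {
  "$1" "${MOD}" INPUT -i "${DEVICE}" -p udp -d "$2" --dport 53 -j ACCEPT --match comment --comment "${COMMENT}"
  "$1" "${MOD}" OUTPUT -o "${DEVICE}" -p udp -s "$2" --sport 53 -j ACCEPT --match comment --comment "${COMMENT}"
  # TCP: inbound may open a connection, outbound only answers an existing one
  "$1" "${MOD}" INPUT -i "${DEVICE}" -p tcp -d "$2" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --match comment --comment "${COMMENT}"
  "$1" "${MOD}" OUTPUT -o "${DEVICE}" -p tcp -s "$2" --sport 53 -m state --state ESTABLISHED -j ACCEPT --match comment --comment "${COMMENT}"
}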
# IPv4 front-end for allow_dns: "$1" is the DNS server address.
allow_dns4() {
  set -- iptables "$1"
  allow_dns "$@"
}
# IPv6 front-end for allow_dns: "$1" is the DNS server address.
allow_dns6() {
  set -- ip6tables "$1"
  allow_dns "$@"
}
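# Add or delete (per ${MOD}) ACCEPT rules for the network "$2" on ${DEVICE}
# using the tool "$1" (iptables or ip6tables): packets entering via the
# device with source "$2", and packets leaving via the device with
# destination "$2".  "$2" is whatever the tool accepts for -s/-d (presumably
# an address or CIDR network as exported by ocserv).  Rules are tagged with
# ${COMMENT} for later cleanup.
allow_route() {
  "$1" "${MOD}" INPUT -i "${DEVICE}" -s "$2" -j ACCEPT --match comment --comment "${COMMENT}"
  "$1" "${MOD}" OUTPUT -o "${DEVICE}" -d "$2" -j ACCEPT --match comment --comment "${COMMENT}"
}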
# IPv4 front-end for allow_route: "$1" is the network to accept.
allow_route4() {
  set -- iptables "$1"
  allow_route "$@"
}
# IPv6 front-end for allow_route: "$1" is the network to accept.
allow_route6() {
  set -- ip6tables "$1"
  allow_route "$@"
}
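# Add or delete (per ${MOD}) DROP rules for the network "$2" on ${DEVICE}
# using the tool "$1" (iptables or ip6tables): packets entering via the
# device with source "$2", and packets leaving via the device with
# destination "$2".  Mirror of allow_route with a DROP target; rules are
# tagged with ${COMMENT} for later cleanup.
disallow_route() {
  "$1" "${MOD}" INPUT -i "${DEVICE}" -s "$2" -j DROP --match comment --comment "${COMMENT}"
  "$1" "${MOD}" OUTPUT -o "${DEVICE}" -d "$2" -j DROP --match comment --comment "${COMMENT}"
}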
# IPv4 front-end for disallow_route: "$1" is the network to drop.
disallow_route4() {
  set -- iptables "$1"
  disallow_route "$@"
}
# IPv6 front-end for disallow_route: "$1" is the network to drop.
disallow_route6() {
  set -- ip6tables "$1"
  disallow_route "$@"
}
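# Add or delete (per ${MOD}) catch-all DROP rules for ${DEVICE} in INPUT and
# OUTPUT, for both IPv4 and IPv6.  On connect these are appended after the
# per-route ACCEPT rules, so they only catch what no earlier rule accepted.
# Rules are tagged with ${COMMENT} for later cleanup.
disallow_all() {
  iptables "${MOD}" INPUT -i "${DEVICE}" -j DROP --match comment --comment "${COMMENT}"
  iptables "${MOD}" OUTPUT -o "${DEVICE}" -j DROP --match comment --comment "${COMMENT}"
  ip6tables "${MOD}" INPUT -i "${DEVICE}" -j DROP --match comment --comment "${COMMENT}"
  ip6tables "${MOD}" OUTPUT -o "${DEVICE}" -j DROP --match comment --comment "${COMMENT}"
}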
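# Add or delete (per ${MOD}) catch-all ACCEPT rules for ${DEVICE} in INPUT
# and OUTPUT, for both IPv4 and IPv6.  Used when the client was given a
# default route, i.e. no per-route restrictions apply.  Rules are tagged with
# ${COMMENT} for later cleanup.
allow_all() {
  iptables "${MOD}" INPUT -i "${DEVICE}" -j ACCEPT --match comment --comment "${COMMENT}"
  iptables "${MOD}" OUTPUT -o "${DEVICE}" -j ACCEPT --match comment --comment "${COMMENT}"
  ip6tables "${MOD}" INPUT -i "${DEVICE}" -j ACCEPT --match comment --comment "${COMMENT}"
  ip6tables "${MOD}" OUTPUT -o "${DEVICE}" -j ACCEPT --match comment --comment "${COMMENT}"
}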
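# The OCSERV_* lists are space-separated, so the unquoted expansions in the
# "for" lists are intentional word splitting.  On connect (MOD=-A) rules are
# appended in this order, so the DNS and per-route ACCEPT rules end up in
# front of the catch-all DROP from disallow_all.

# Allow DNS lookups
for i in $OCSERV_DNS4; do
  allow_dns4 "$i"
done
for i in $OCSERV_DNS6; do
  allow_dns6 "$i"
done

# Networks explicitly excluded from the tunnel
for i in $OCSERV_NO_ROUTES4; do
  disallow_route4 "$i"
done
for i in $OCSERV_NO_ROUTES6; do
  disallow_route6 "$i"
done

# OCSERV_ROUTES is assumed to be the combined route list exported alongside
# the per-family OCSERV_ROUTES4/6; when it is empty the client was given a
# default route and nothing is restricted.
if test -n "$OCSERV_ROUTES"; then
  for i in $OCSERV_ROUTES4; do
    allow_route4 "$i"
  done
  for i in $OCSERV_ROUTES6; do
    allow_route6 "$i"
  done
  # no default route, don't allow anything except the configured routes
  disallow_all
else
  allow_all
fi

# Chain to the next connect/disconnect script, if ocserv configured one.
# The variable is cleared before the call so the child cannot re-enter this
# script.  "set -e" is still in effect: a failing next script ends this one
# with the child's status before the final "exit 0" is reached.
if test -n "${OCSERV_NEXT_SCRIPT}"; then
  TMP_SCRIPT="${OCSERV_NEXT_SCRIPT}"
  unset OCSERV_NEXT_SCRIPT
  /bin/sh "${TMP_SCRIPT}"
fi
exit 0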