public inbox for development@lists.ipfire.org
From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] strongswan: Create firewall rules for outgoing IPsec traffic as well
Date: Sun, 16 Jun 2024 15:36:00 +0000
Message-ID: <ecba3f2f-fe82-4085-916e-7efa57fa3ed4@ipfire.org>


This will avoid outgoing IPsec traffic being dropped by IPFire itself,
if the default firewall behavior for outgoing traffic is set to
"blocked", and no appropriate rules have been manually configured in the
web interface.

To ensure configured IPsec tunnels will always work flawlessly,
regardless of the firewall default policy and any manually created
firewall rules, create and delete outgoing iptables rules accordingly
when bringing an IPsec connection up or down.

Tested-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 src/patches/strongswan-ipfire.patch | 49 +++++++++++++++++------------
 1 file changed, 29 insertions(+), 20 deletions(-)

diff --git a/src/patches/strongswan-ipfire.patch b/src/patches/strongswan-ipfire.patch
index d8e35cd52..a1f80d361 100644
--- a/src/patches/strongswan-ipfire.patch
+++ b/src/patches/strongswan-ipfire.patch
@@ -1,13 +1,5 @@
-commit b439f74361d393bcb85109b6c41a905cf613a296
-Author: Peter Müller <peter.mueller(a)ipfire.org>
-Date:   Wed May 18 17:46:57 2022 +0000
-
-    IPFire modifications to _updown script
-    
-    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
-
 diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
-index 34eaf68c7..9ed387a0a 100644
+index 34eaf68c7..38aa63354 100644
 --- a/src/_updown/_updown.in
 +++ b/src/_updown/_updown.in
 @@ -242,10 +242,10 @@ up-host:iptables)
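Review bot: removing the `commit`/`Author`/`Date` header and the "IPFire modifications to _updown script" line (the first eight removed lines of this hunk) leaves src/patches/strongswan-ipfire.patch without any statement of what it changes or who maintains it. If the header is being dropped because the commit hash no longer corresponds to anything, consider keeping a one-line description above the `diff --git` line so the patch file stays self-describing.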
@@ -98,7 +90,7 @@ index 34eaf68c7..9ed387a0a 100644
  	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
  	fi
  	#
-@@ -342,47 +324,37 @@ up-client:iptables)
+@@ -342,47 +324,46 @@ up-client:iptables)
  	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
  	  then
  	    logger -t $TAG -p $FAC_PRIO \
@@ -111,7 +103,7 @@ index 34eaf68c7..9ed387a0a 100644
  	  fi
  	fi
 +
-+	# Open Firewall for IPinIP + AH + ESP Traffic
++	# Open firewall for incoming and outgoing IPinIP + AH + ESP traffic to the peers' IP
 +	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IPIP \
 +		-s $PLUTO_PEER $S_PEER_PORT \
 +		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
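Review bot: in the new comment, "peers' IP" is a plural possessive, but `$PLUTO_PEER` is one address per connection, so "peer's IP" is meant; the same wording appears in the down-client comment further down. Since the incoming rules match traffic from the peer and the outgoing rules match traffic to the peer, "with the peer's IP" would describe both directions accurately.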
@@ -121,6 +113,15 @@ index 34eaf68c7..9ed387a0a 100644
 +	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
 +		-s $PLUTO_PEER $S_PEER_PORT \
 +		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
++	iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p IPIP \
++		-s $PLUTO_ME $D_MY_PORT \
++		-d $PLUTO_PEER $S_PEER_PORT -j ACCEPT
++	iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p AH \
++		-s $PLUTO_ME $D_MY_PORT \
++		-d $PLUTO_PEER $S_PEER_PORT -j ACCEPT
++	iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p ESP \
++		-s $PLUTO_ME $D_MY_PORT \
++		-d $PLUTO_PEER $S_PEER_PORT -j ACCEPT
 +
  	;;
  down-client:iptables)
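Review bot: the port variables in the three new IPSECOUTPUT rules appear swapped relative to the script's existing outgoing-direction rules: `-s $PLUTO_ME $D_MY_PORT -d $PLUTO_PEER $S_PEER_PORT` pairs my address with a destination-port match and the peer's address with a source-port match, whereas the existing outgoing rule visible later in this file reads `-s $PLUTO_ME $S_MY_PORT ... -d $PLUTO_PEER_CLIENT $D_PEER_PORT`. Unless both variables are empty the resulting rule matches nothing; suggest `-s $PLUTO_ME $S_MY_PORT -d $PLUTO_PEER $D_PEER_PORT`, and whatever form is chosen must be mirrored exactly in the down-client deletes, since `iptables -D` only removes a rule whose specification matches byte for byte.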
@@ -161,7 +162,7 @@ index 34eaf68c7..9ed387a0a 100644
  	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
  	fi
  	#
-@@ -392,12 +364,24 @@ down-client:iptables)
+@@ -392,12 +373,32 @@ down-client:iptables)
  	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
  	  then
  	    logger -t $TAG -p $FAC_PRIO -- \
@@ -174,7 +175,7 @@ index 34eaf68c7..9ed387a0a 100644
  	  fi
  	fi
 +
-+	# Close Firewall for IPinIP + AH + ESP Traffic
++	# Close firewall for incoming and outgoing IPinIP + AH + ESP traffic to the peers' IP
 +	iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IPIP \
 +		-s $PLUTO_PEER $S_PEER_PORT \
 +		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
@@ -184,11 +185,19 @@ index 34eaf68c7..9ed387a0a 100644
 +	iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
 +		-s $PLUTO_PEER $S_PEER_PORT \
 +		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
-+
++	iptables --wait -D IPSECINPUT -o $PLUTO_INTERFACE -p IPIP \
++		-s $PLUTO_ME $D_MY_PORT \
++		-d $PLUTO_PEER $S_PEER_PORT -j ACCEPT
++	iptables --wait -D IPSECINPUT -o $PLUTO_INTERFACE -p AH \
++		-s $PLUTO_ME $D_MY_PORT \
++		-d $PLUTO_PEER $S_PEER_PORT -j ACCEPT
++	iptables --wait -D IPSECINPUT -o $PLUTO_INTERFACE -p ESP \
++		-s $PLUTO_ME $D_MY_PORT \
++		-d $PLUTO_PEER $S_PEER_PORT -j ACCEPT
  	;;
  #
  # IPv6
-@@ -422,10 +406,10 @@ up-host-v6:iptables)
+@@ -422,10 +423,10 @@ up-host-v6:iptables)
  	# connection to me, with (left/right)firewall=yes, coming up
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
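Review bot: the nine new `-D` lines delete from IPSECINPUT, but the corresponding rules were inserted into IPSECOUTPUT on the up-client side, so these deletes can never match (`iptables -D` will report a bad rule), the outgoing ACCEPT rules are never removed, and every reconnect inserts another copy at position 1 of IPSECOUTPUT. Change `iptables --wait -D IPSECINPUT -o $PLUTO_INTERFACE ...` to `iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE ...` for all three protocols, keeping the address and port arguments identical to the insert so the deletion actually finds the rule.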
@@ -201,7 +210,7 @@ index 34eaf68c7..9ed387a0a 100644
  	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
  	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
  	#
-@@ -454,10 +438,10 @@ down-host-v6:iptables)
+@@ -454,10 +455,10 @@ down-host-v6:iptables)
  	# connection to me, with (left/right)firewall=yes, going down
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
@@ -214,7 +223,7 @@ index 34eaf68c7..9ed387a0a 100644
  	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
  	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
  	#
-@@ -487,10 +471,10 @@ up-client-v6:iptables)
+@@ -487,10 +488,10 @@ up-client-v6:iptables)
  	# ones, so do not mess with it; see CAUTION comment up at top.
  	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
  	then
@@ -227,7 +236,7 @@ index 34eaf68c7..9ed387a0a 100644
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
  	fi
-@@ -499,10 +483,10 @@ up-client-v6:iptables)
+@@ -499,10 +500,10 @@ up-client-v6:iptables)
  	# or sometimes host access via the internal IP is needed
  	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
  	then
@@ -240,7 +249,7 @@ index 34eaf68c7..9ed387a0a 100644
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
  	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
  	fi
-@@ -535,11 +519,11 @@ down-client-v6:iptables)
+@@ -535,11 +536,11 @@ down-client-v6:iptables)
  	# ones, so do not mess with it; see CAUTION comment up at top.
  	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
  	then
@@ -254,7 +263,7 @@ index 34eaf68c7..9ed387a0a 100644
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
  	         $IPSEC_POLICY_IN -j ACCEPT
-@@ -549,11 +533,11 @@ down-client-v6:iptables)
+@@ -549,11 +550,11 @@ down-client-v6:iptables)
  	# or sometimes host access via the internal IP is needed
  	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
  	then
-- 
2.35.3
