author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2018-09-05 16:43:10 +0300 |
---|---|---|
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2018-09-05 17:33:42 +0300 |
commit | 866b4ac69bca08d8b1fd0f1970933ce6e240d29b (patch) | |
tree | d340d2f10cfd4e228ba9a91b90a0010c469cefc0 | |
parent | 265aaf936458d4732e0fc10ba558a36129239a9a (diff) | |
setup-dmvpn: configure spoke firewall if active
-rw-r--r-- | dmvpn-hub.awall | 25 | ||||
-rw-r--r-- | dmvpn.awall | 24 | ||||
-rwxr-xr-x | setup-dmvpn | 53 |
3 files changed, 57 insertions, 45 deletions
diff --git a/dmvpn-hub.awall b/dmvpn-hub.awall
index 067230e..7d9f8ef 100644
--- a/dmvpn-hub.awall
+++ b/dmvpn-hub.awall
@@ -1,12 +1,6 @@
 {
- "zone": {
- "dmvpn-ipsec": { "addr": "0.0.0.0/0" },
- "dmvpn-gre": { "addr": "0.0.0.0/0", "ipsec": true },
- "dmvpn-bgp": {
- "iface": "$dmvpn_gre_iface", "addr": "0.0.0.0/0"
- },
- "dmvpn": { "iface": "$dmvpn_gre_iface", "route-back": true }
- },
+ "description": "DMVPN hub",
+ "import": "dmvpn",
 "log": {
 "dmvpn": {
 "mode": "nflog",
@@ -19,18 +13,5 @@
 }
 }
 },
- "packet-log": [ { "in": "dmvpn", "out": "dmvpn", "log": "dmvpn" } ],
- "filter": [
- {
- "in": "_fw",
- "service": [ "dns", "http", "https", "ldap", "ldaps" ]
- },
- { "in": "dmvpn-ipsec", "out": "_fw", "service": "ipsec" },
- { "in": "_fw", "out": "dmvpn-ipsec", "service": "ipsec" },
- { "in": "dmvpn-gre", "out": "_fw", "service": "gre" },
- { "in": "_fw", "out": "dmvpn-gre", "service": "gre" },
- { "in": "dmvpn-bgp", "out": "_fw", "service": "bgp" },
- { "in": "_fw", "out": "dmvpn-bgp", "service": "bgp" },
- { "in": "dmvpn", "out": "dmvpn" }
- ]
+ "packet-log": [ { "in": "dmvpn", "out": "dmvpn", "log": "dmvpn" } ]
 }
diff --git a/dmvpn.awall b/dmvpn.awall
new file mode 100644
index 0000000..339e571
--- /dev/null
+++ b/dmvpn.awall
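Review bot: `"import": "dmvpn"` makes the hub policy depend on the base policy being installed under the name awall resolves imports against, and nothing in this diff shows where `dmvpn.awall` is installed or whether it is renamed to `dmvpn.json`; if the import cannot be resolved, `awall enable dmvpn-hub` in setup-dmvpn fails, so the packaging step is worth confirming. With the zones and filter gone, this file now only contributes the NFLOG target and the packet-log of traffic forwarded between DMVPN peers, and JSON leaves no room for a comment, so the description string is the only place to record that: `"description": "DMVPN hub: base dmvpn policy plus NFLOG logging of traffic forwarded between DMVPN peers"`.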
@@ -0,0 +1,24 @@
+{
+ "description": "DMVPN router",
+ "zone": {
+ "dmvpn-ipsec": { "addr": "0.0.0.0/0" },
+ "dmvpn-gre": { "addr": "0.0.0.0/0", "ipsec": true },
+ "dmvpn-bgp": {
+ "iface": "$dmvpn_gre_iface", "addr": "0.0.0.0/0"
+ },
+ "dmvpn": { "iface": "$dmvpn_gre_iface", "route-back": true }
+ },
+ "filter": [
+ {
+ "in": "_fw",
+ "service": [ "dns", "http", "https", "ldap", "ldaps" ]
+ },
+ { "in": "dmvpn-ipsec", "out": "_fw", "service": "ipsec" },
+ { "in": "_fw", "out": "dmvpn-ipsec", "service": "ipsec" },
+ { "in": "dmvpn-gre", "out": "_fw", "service": "gre" },
+ { "in": "_fw", "out": "dmvpn-gre", "service": "gre" },
+ { "in": "dmvpn-bgp", "out": "_fw", "service": "bgp" },
+ { "in": "_fw", "out": "dmvpn-bgp", "service": "bgp" },
+ { "in": "dmvpn", "out": "dmvpn" }
+ ]
+}
diff --git a/setup-dmvpn b/setup-dmvpn
index bcc5021..022c703 100755
--- a/setup-dmvpn
+++ b/setup-dmvpn
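Review bot: The forward rule `{ "in": "dmvpn", "out": "dmvpn" }` moved from the hub-only policy into this shared base, so a spoke that runs `awall enable dmvpn` now also permits transit forwarding between two DMVPN peers through itself (the `dmvpn` zone carries `route-back`). A hub needs that rule for spoke-to-hub-to-spoke relaying, and it is exactly the traffic the hub's packet-log matches; whether a leaf spoke should ever forward between tunnel peers depends on the topology and is presumably not intended by default, so consider keeping that one rule in dmvpn-hub.awall rather than here, or record the decision in `description`. Separately, all three zones list only `0.0.0.0/0`, which presumably restricts them to IPv4, while setup-dmvpn in this commit can now enable ip6tables as well; if the IPsec/GRE transport can be IPv6, those zones would need `"addr": [ "0.0.0.0/0", "::/0" ]` for such peers to be admitted.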
@@ -245,35 +245,42 @@ enable_service nhrpd
 vtysh -c "$(get_quagga_config)"
-if [ "$NFLOG_GROUP" ]; then
+if [ -f /etc/iptables/awall-save -o "$NFLOG_GROUP" ]; then
 apk add awall
- cat > /etc/awall/dmvpn.json <<EOF
-{
- "variable": {
- "dmvpn_gre_iface": "$GRE_IFACE",
- "dmvpn_nflog_group": $NFLOG_GROUP,
- "dmvpn_site_mask": { "inet": $SITE_PREFIX_LEN_IPV4 }
- }
-}
-EOF
- [ "$SITE_PREFIX_LEN_IPV6" ] && augtool -s <<EOF
-set /files/etc/awall/dmvpn.json/dict/entry/dict/entry['dmvpn_site_mask']/dict/entry[2] inet6
-set /files/etc/awall/dmvpn.json/dict/entry/dict/entry['dmvpn_site_mask']/dict/entry[2]/number $SITE_PREFIX_LEN_IPV6
-EOF
-
- awall enable dmvpn-hub
- awall translate
- enable_firewall iptables
+ echo "{ \"variable\": { \"dmvpn_gre_iface\": \"$GRE_IFACE\" } }" > \
+ /etc/awall/dmvpn-config.json
- cat > /etc/nhrp-events.conf <<EOF
+ if [ "$NFLOG_GROUP" ]; then
+ cat > /etc/nhrp-events.conf <<EOF
 max-prefix-length:
 ip: $SITE_PREFIX_LEN_IPV4
 EOF
-
- if [ "$SITE_PREFIX_LEN_IPV6" ]; then
- enable_firewall ip6tables
- cat >> /etc/nhrp-events.conf <<EOF
+ [ "$SITE_PREFIX_LEN_IPV6" ] && \
+ cat >> /etc/nhrp-events.conf <<EOF
 ipv6: $SITE_PREFIX_LEN_IPV6
 EOF
+
+ (
+ PREFIX="set /files/etc/awall/dmvpn-config.json/dict/entry/dict/entry"
+ cat <<EOF
+$PREFIX[2] dmvpn_nflog_group
+$PREFIX[2]/number $NFLOG_GROUP
+$PREFIX[3] dmvpn_site_mask
+$PREFIX[3]/dict/entry inet
+$PREFIX[3]/dict/entry/number $SITE_PREFIX_LEN_IPV4
+EOF
+ [ "$SITE_PREFIX_LEN_IPV6" ] && cat <<EOF
+$PREFIX[3]/dict/entry[2] inet6
+$PREFIX[3]/dict/entry[2]/number $SITE_PREFIX_LEN_IPV6
+EOF
+ ) | augtool -s
+ awall enable dmvpn-hub
+ else
+ awall enable dmvpn
 fi
+
+ awall translate
+ enable_firewall iptables
+ [ -f /etc/iptables/rules6-save -o "$SITE_PREFIX_LEN_IPV6" ] && \
+ enable_firewall ip6tables
 fi
|
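Review bot: The exit status of `( ... ) | augtool -s` is never checked, so if the Augeas edit of /etc/awall/dmvpn-config.json fails (JSON lens missing, parse error), the hub branch still runs `awall enable dmvpn-hub`, `awall translate` and `enable_firewall iptables` with `$dmvpn_nflog_group` and `$dmvpn_site_mask` undefined; whether the script runs under `set -e` is outside this hunk, but a failed translate followed by starting iptables can leave the hub without the intended ruleset. Guard it, e.g. `) | augtool -s || { echo 'failed to update /etc/awall/dmvpn-config.json' >&2; exit 1; }`, and give `awall translate` the same treatment. The new config is built by interpolating `$GRE_IFACE` into a quoted JSON string; that is fine for a plain interface name, but it is worth restricting GRE_IFACE to `[A-Za-z0-9_.-]` where it is parsed (not in this hunk) so a quote or backslash cannot yield invalid JSON. Minor: `[ a -o b ]` is marked obsolescent in POSIX; `[ -f /etc/iptables/awall-save ] || [ "$NFLOG_GROUP" ]` is the portable form, and the same applies to the rules6-save test.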