diff options
Diffstat (limited to 'testing/tests/sql/shunt-policies/hosts')
6 files changed, 34 insertions, 92 deletions
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables b/testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 2b90a14c7..000000000 --- a/testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,84 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - # allow icmp in local net - iptables -A INPUT -i eth1 -p icmp -j ACCEPT - iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf index 3bc29625f..a7fa09213 100644 --- a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf +++ b/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no # configuration is read from SQLite database diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..af0f25209 --- /dev/null +++ b/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow icmp in local net +-A INPUT -i eth1 -p icmp -j ACCEPT +-A OUTPUT -o eth1 -p icmp -j ACCEPT + +COMMIT diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf b/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf index 90be03f69..b3a7bc0de 100644 --- a/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf @@ -6,6 +6,6 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql install_routes = no } diff --git a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf b/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf index 3bc29625f..a7fa09213 100755..100644 --- a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf +++ b/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no # configuration is read from SQLite database diff --git a/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf b/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf index ee9fbbc66..930b72578 100644 --- a/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf +++ b/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql } |