1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
|
#!/bin/sh
# NAT updown script
#
# Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
# is upwardly compatible with version 1.0.
#
# PLUTO_VERB
# specifies the name of the operation to be performed
# (prepare-host, prepare-client, up-host, up-client,
# down-host, or down-client). If the address family
# for security gateway to security gateway communica-
# tions is IPv6, then a suffix of -v6 is added to the
# verb.
#
# PLUTO_CONNECTION
# is the name of the connection for which we are
# routing.
#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
# is the requid of the AH|ESP policy
#
# PLUTO_PROTO
# is the negotiated IPsec protocol, ah|esp
#
# PLUTO_IPCOMP
# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
# is the IP address of our host.
#
# PLUTO_MY_ID
# is the ID of our host.
#
# PLUTO_MY_CLIENT
# is the IP address / count of our client subnet. If
# the client is just the host, this will be the
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
# contains IPv4/IPv6 virtual IP received from a responder,
# $i enumerates from 1 to the number of IP per address family.
# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
# virtual IP, IPv4 or IPv6.
#
# PLUTO_MY_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
# restricted on our side. For ICMP/ICMPv6 this contains the
# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
#
# PLUTO_PEER_ID
# is the ID of our peer.
#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
# PLUTO_PEER_SOURCEIP
# PLUTO_PEER_SOURCEIP4_$i
# PLUTO_PEER_SOURCEIP6_$i
# contains IPv4/IPv6 virtual IP sent to an initiator,
# $i enumerates from 1 to the number of IP per address family.
# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
# virtual IP, IPv4 or IPv6.
#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
# restricted on the peer side. For ICMP/ICMPv6 this contains the
# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
#
# PLUTO_MARK_IN
# is an optional XFRM mark set on the inbound IPsec SA
#
# PLUTO_MARK_OUT
# is an optional XFRM mark set on the outbound IPsec SA
#
# PLUTO_UDP_ENC
# contains the remote UDP port in the case of ESP_IN_UDP
# encapsulation
#
# PLUTO_DNS4_$i
# PLUTO_DNS6_$i
# contains IPv4/IPv6 DNS server attribute received from a
# responder, $i enumerates from 1 to the number of servers per
# address family.
#
# define a minimum PATH environment in case it is not set
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"
export PATH
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
case "$PLUTO_VERB:$1" in
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host:)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-d $PLUTO_PEER_CLIENT -j ACCEPT
iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
-s $PLUTO_PEER_CLIENT -j ACCEPT
iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-d $PLUTO_PEER_CLIENT -j ACCEPT
iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
-s $PLUTO_PEER_CLIENT -j ACCEPT
iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
|
