diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2013-11-03 05:54:11 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:50:35 +0200 |
commit | 2bcaaf01a5fcc2d2ce618da6af30a43a70d03d80 (patch) | |
tree | 020bd450fbc622e49c7284f70785749c31aa4429 /roles/common/files/etc/network/if-post-down.d/iptables | |
parent | 6c30a3f5a131b6e628b588c0723d5e5374e115e1 (diff) |
Use a dedicated, non-routable, IPv4 for IPSec.
At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd
from our dedicated IP after ESP decapsulation. Also, some IP tables
ensure that alien (not coming from / going to the tunnel end-point) is
dropped.
Diffstat (limited to 'roles/common/files/etc/network/if-post-down.d/iptables')
-rwxr-xr-x | roles/common/files/etc/network/if-post-down.d/iptables | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/roles/common/files/etc/network/if-post-down.d/iptables b/roles/common/files/etc/network/if-post-down.d/iptables new file mode 100755 index 0000000..944ff3a --- /dev/null +++ b/roles/common/files/etc/network/if-post-down.d/iptables @@ -0,0 +1,27 @@ +#!/bin/sh +# +# A post-down hook to flush ip tables and delete custom chains in the +# loaded v4 and v6 rulesets. +# +# Copyright 2013 Guilhem Moulin <guilhem@fripost.org> +# +# Licensed under the GNU GPL version 3 or higher. +# + +set -ue +PATH=/usr/sbin:/usr/bin:/sbin:/bin + +# Ignore the loopback interface; run the script for ifdown only. +[ "$IFACE" != lo -a "$MODE" = stop ] || exit 0 + +case "$ADDRFAM" in + inet) ipts=/sbin/iptables-save; ipt=/sbin/iptables;; + inet6) ipts=/sbin/ip6tables-save; ipt=/sbin/ip6tables;; + *) exit 0 +esac + +$ipts | sed -nr 's/^\*//p' | \ +while read table; do + $ipt -t "$table" -F + $ipt -t "$table" -X +done |