authorGuilhem Moulin <guilhem@fripost.org>2013-11-03 05:54:11 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:50:35 +0200
commit2bcaaf01a5fcc2d2ce618da6af30a43a70d03d80 (patch)
tree020bd450fbc622e49c7284f70785749c31aa4429 /roles/common/files/etc/network/if-post-down.d/iptables
parent6c30a3f5a131b6e628b588c0723d5e5374e115e1 (diff)
Use a dedicated, non-routable, IPv4 for IPSec.
At each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd from our dedicated IP after ESP decapsulation. Also, some iptables rules ensure that alien traffic (not coming from / going to the tunnel end-point) is dropped.
Diffstat (limited to 'roles/common/files/etc/network/if-post-down.d/iptables')
-rwxr-xr-xroles/common/files/etc/network/if-post-down.d/iptables27
1 files changed, 27 insertions, 0 deletions
diff --git a/roles/common/files/etc/network/if-post-down.d/iptables b/roles/common/files/etc/network/if-post-down.d/iptables
new file mode 100755
index 0000000..944ff3a
--- /dev/null
+++ b/roles/common/files/etc/network/if-post-down.d/iptables
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# A post-down hook to flush ip tables and delete custom chains in the
+# loaded v4 and v6 rulesets.
+#
+# Copyright 2013 Guilhem Moulin <guilhem@fripost.org>
+#
+# Licensed under the GNU GPL version 3 or higher.
+#
+
+set -ue
+PATH=/usr/sbin:/usr/bin:/sbin:/bin
+
+# Ignore the loopback interface; run the script for ifdown only.
+[ "$IFACE" != lo -a "$MODE" = stop ] || exit 0
+
+case "$ADDRFAM" in
+ inet) ipts=/sbin/iptables-save; ipt=/sbin/iptables;;
+ inet6) ipts=/sbin/ip6tables-save; ipt=/sbin/ip6tables;;
+ *) exit 0
+esac
+
+$ipts | sed -nr 's/^\*//p' | \
+while read table; do
+ $ipt -t "$table" -F
+ $ipt -t "$table" -X
+done
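Review bot: The guard `[ "$IFACE" != lo -a "$MODE" = stop ] || exit 0` lets this hook fire for every non-loopback interface, so on a multi-homed host `ifdown` of any one interface flushes the entire v4 or v6 ruleset, including rules protecting interfaces that stay up; `-F`/`-X` also leave the built-in chains at whatever policy was last set, so the host is either wide open or unreachable until the matching if-up hook reloads. If this is meant for single-interface hosts only, the header comment should state that; otherwise the hook should be gated on the interface the rules were loaded for rather than on "anything but lo". Separately, `#!/bin/sh` has no `pipefail`, so a failing `$ipts` (e.g. netfilter modules not loaded) feeds an empty stream to `sed` and the script exits 0 despite `set -e`, silently skipping the cleanup; consider capturing the output first, `tables=$($ipts | sed -nr 's/^\*//p')`, so the failure is caught. The loop should also use `read -r table` (ShellCheck SC2162) to match defensive shell practice even though table names contain no backslashes.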