add ipsec stuff

diff --git a/firewall.sh b/firewall.sh
index 145ee596f86c66d0d35b20feb5c2f1454f03e59e..8bf61607de02fcbf03af62915316e24eda5226b0 100755 (executable)
--- a/firewall.sh
+++ b/firewall.sh
@@ -43,12 +43,10 @@ $IP6TABLES -P OUTPUT ACCEPT
 
 # accept local traffic
 $IPTABLES -A INPUT -i lo -j ACCEPT
-
 $IP6TABLES -A INPUT -i lo -j ACCEPT
 
 # accept ICMP
 $IPTABLES -A INPUT -p icmp -j ACCEPT
-
 $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
 
 # drop source-route rh0 headery things
@@ -56,7 +54,6 @@ $IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP || echo "MISSING RT MATCH" 1>&2
 
 # accept things we set up
 $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
 $IP6TABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 # accept ipv6 link-local traffic
@@ -71,7 +68,15 @@ do
        $IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
 done
 
-./services ${EXT_IF}
+# accept ESP for IPSec
+$IPTABLES -A INPUT -p esp -j ACCEPT
+$IP6TABLES -A INPUT -p esp -j ACCEPT
+
+# accept all IPSec traffic
+$IPTABLES -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
+$IP6TABLES -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
+
+./services.sh ${EXT_IF}
 
 create_drop_chain xenophobe
 

diff --git a/services.caw b/services.caw
index 57b76c01f8c14d1964547ae5357a977423dd61f1..9a9138346d4ea14cf946609a7b8ccbb27da4d014 100644 (file)
--- a/services.caw
+++ b/services.caw
@@ -1,2 +1,4 @@
 12112/udp # openvpn
 60000-61000/udp # mosh
+isakmp
+ipsec-nat-t