From: Justin Wind <justin.wind+git@gmail.com>
Date: Sat, 30 Dec 2017 22:10:58 +0000 (-0800)
Subject: add ipsec stuff
X-Git-Url: https://git.squeep.com/?a=commitdiff_plain;h=ea597cfe15ea9d324c5aa56aa51637bbb9a3bd7c;p=firewall-squeep

add IPsec support: accept ESP and policy-matched IPsec traffic in firewall.sh, and open the IKE (isakmp) and NAT-T service ports
---

diff --git a/firewall.sh b/firewall.sh
index 145ee59..8bf6160 100755
--- a/firewall.sh
+++ b/firewall.sh
@@ -43,12 +43,10 @@ $IP6TABLES -P OUTPUT ACCEPT
 
 # accept local traffic
 $IPTABLES -A INPUT -i lo -j ACCEPT
-
 $IP6TABLES -A INPUT -i lo -j ACCEPT
 
 # accept ICMP
 $IPTABLES -A INPUT -p icmp -j ACCEPT
-
 $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
 
 # drop source-route rh0 headery things
@@ -56,7 +54,6 @@ $IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP || echo "MISSING RT MATCH" 1>&2
 
 # accept things we set up
 $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
 $IP6TABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 # accept ipv6 link-local traffic
@@ -71,7 +68,15 @@ do
 	$IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
 done
 
-./services ${EXT_IF}
+# accept ESP for IPSec
+$IPTABLES -A INPUT -p esp -j ACCEPT
+$IP6TABLES -A INPUT -p esp -j ACCEPT
+
+# accept all IPSec traffic
+$IPTABLES -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
+$IP6TABLES -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
+
+./services.sh ${EXT_IF}
 
 create_drop_chain xenophobe
 
diff --git a/services.caw b/services.caw
index 57b76c0..9a91383 100644
--- a/services.caw
+++ b/services.caw
@@ -1,2 +1,4 @@
 12112/udp # openvpn
 60000-61000/udp # mosh
+isakmp
+ipsec-nat-t
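Review bot: The two added entries `isakmp` and `ipsec-nat-t` carry neither the `/udp` protocol suffix nor the trailing comment that the existing `12112/udp # openvpn` and `60000-61000/udp # mosh` lines use. If services.sh resolves bare names via /etc/services it may open both the tcp and udp entries (isakmp is registered for both), whereas IKE only needs udp/500 and NAT-T udp/4500; the parser is not visible here, so confirm how a bare name is handled. Suggest `isakmp/udp # IKE (udp/500)` and `ipsec-nat-t/udp # IKE NAT traversal (udp/4500)` to match the file's existing format and document the purpose.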