403 |
406 |
#Autoriser le FW a acceder au RVP
|
404 |
407 |
/sbin/iptables -I OUTPUT -m state --state NEW -m policy --pol ipsec --proto esp --dir out -o %%interface_gw -d $PLUTO_PEER_CLIENT -j ACCEPT
|
405 |
408 |
/sbin/iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -m policy --pol ipsec --proto esp --dir out -o %%interface_gw -d $PLUTO_PEER_CLIENT -j ACCEPT
|
|
409 |
# xfrm policies
|
|
410 |
%set %%reseau = []
|
|
411 |
%for %%int_num in %%range(%%int(%%nombre_interfaces))
|
|
412 |
%%reseau.append(%%getVar('adresse_network_eth' + %%str(%%int_num)) + "/" + %%calc_classe(%%getVar('adresse_netmask_eth' + %%str(%%int_num))))%slurp
|
|
413 |
%if %%getVar('alias_eth' + %%str(%%int_num)) == 'oui'
|
|
414 |
%for %%alias in %%getVar('alias_ip_eth' + %%str(%%int_num))
|
|
415 |
%set %%network_key = "alias_network_eth" + %%str(%%int_num)
|
|
416 |
%set %%netmask_key = "alias_netmask_eth" + %%str(%%int_num)
|
|
417 |
%set %%calc_net = %%getattr(alias, %%network_key)+ "/" + %%calc_classe(%%getattr(alias, %%netmask_key))
|
|
418 |
%%reseau.append(%%calc_net)%slurp
|
|
419 |
%end for
|
|
420 |
%end if
|
|
421 |
%if %%getVar('vlan_eth' + %%str(%%int_num)) == 'oui'
|
|
422 |
%for %%vlan_id in %%getVar('vlan_id_eth' + %%str(%%int_num))
|
|
423 |
%set %%network_key = "vlan_network_eth" + str(%%int_num)
|
|
424 |
%set %%netmask_key = "vlan_netmask_eth" + str(%%int_num)
|
|
425 |
%set %%calc_net = %%getattr(%%vlan_id, %%network_key)+ "/" + %%calc_classe(%%getattr(vlan_id, %%netmask_key))
|
|
426 |
%%reseau.append(%%calc_net)%slurp
|
|
427 |
%end for
|
|
428 |
%end if
|
|
429 |
%end for
|
|
430 |
%if %%activer_route == 'oui'
|
|
431 |
%for %%route in %%route_adresse
|
|
432 |
%if %%route.route_int != '0'
|
|
433 |
%set %%net_route = %%str(%%route) + "/" + %%str(%%calc_classe(%%route.route_netmask))
|
|
434 |
%%reseau.append(%%net_route)%slurp
|
|
435 |
%end if
|
|
436 |
%end for
|
|
437 |
%end if
|
|
438 |
%for %%res1 in %%reseau
|
|
439 |
%for %%res2 in %%reseau
|
|
440 |
ip xfrm policy add src %%res1 dst %%res2 dir in
|
|
441 |
ip xfrm policy add src %%res1 dst %%res2 dir out
|
|
442 |
ip xfrm policy add src %%res1 dst %%res2 dir fwd
|
|
443 |
%end for
|
|
444 |
%end for
|
406 |
445 |
%if %%mode_conteneur_actif == "oui"
|
407 |
446 |
# Si mode conteneur, on translate le réseau des conteneurs dans les tunnels du réseau de l'interface 1
|
408 |
447 |
for ip in $(hostname -I)
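Review bot: The three `ip xfrm policy add` lines at new lines 440–442 are not idempotent: the nested loops over %%reseau emit one policy per ordered pair, including res1 == res2, and if this up-client block runs once per connection (as the per-peer `$PLUTO_PEER_CLIENT` iptables rules above suggest) the second tunnel's `add` will be rejected by the kernel for every pair already installed. Using `ip xfrm policy update src %%res1 dst %%res2 dir in` (and likewise for `out` and `fwd`) makes the install repeatable, and guarding the inner loop with `%if %%res1 != %%res2` drops the self-pairs. These are bypass policies (no `tmpl`, default priority), so they appear to take precedence over the tunnel policies for any local-to-local traffic; that is presumably intended, but it is worth saying so in the `# xfrm policies` comment, e.g. `# bypass policies (no tmpl) so traffic between local networks is never forced into a tunnel`. The mirrored `del` block in the second hunk (new lines 512–518) has the same per-connection issue in reverse: bringing down one tunnel removes bypass policies that other still-active tunnels rely on. Also, new lines 423–424 use bare `str(` where the alias branch at 415–416 uses `%%str(`; the two spellings should be made consistent.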
|
... | ... | |
441 |
480 |
##
|
442 |
481 |
/sbin/iptables -D OUTPUT -m state --state NEW -m policy --pol ipsec --proto esp --dir out -o %%interface_gw -d $PLUTO_PEER_CLIENT -j ACCEPT
|
443 |
482 |
/sbin/iptables -D OUTPUT -m state --state ESTABLISHED,RELATED -m policy --pol ipsec --proto esp --dir out -o %%interface_gw -d $PLUTO_PEER_CLIENT -j ACCEPT
|
|
483 |
# xfrm policies
|
|
484 |
%set %%reseau = []
|
|
485 |
%for %%int_num in %%range(%%int(%%nombre_interfaces))
|
|
486 |
%%reseau.append(%%getVar('adresse_network_eth' + %%str(%%int_num)) + "/" + %%calc_classe(%%getVar('adresse_netmask_eth' + %%str(%%int_num))))%slurp
|
|
487 |
%if %%getVar('alias_eth' + %%str(%%int_num)) == 'oui'
|
|
488 |
%for %%alias in %%getVar('alias_ip_eth' + %%str(%%int_num))
|
|
489 |
%set %%network_key = "alias_network_eth" + %%str(%%int_num)
|
|
490 |
%set %%netmask_key = "alias_netmask_eth" + %%str(%%int_num)
|
|
491 |
%set %%calc_net = %%getattr(alias, %%network_key)+ "/" + %%calc_classe(%%getattr(alias, %%netmask_key))
|
|
492 |
%%reseau.append(%%calc_net)%slurp
|
|
493 |
%end for
|
|
494 |
%end if
|
|
495 |
%if %%getVar('vlan_eth' + %%str(%%int_num)) == 'oui'
|
|
496 |
%for %%vlan_id in %%getVar('vlan_id_eth' + %%str(%%int_num))
|
|
497 |
%set %%network_key = "vlan_network_eth" + str(%%int_num)
|
|
498 |
%set %%netmask_key = "vlan_netmask_eth" + str(%%int_num)
|
|
499 |
%set %%calc_net = %%getattr(%%vlan_id, %%network_key)+ "/" + %%calc_classe(%%getattr(vlan_id, %%netmask_key))
|
|
500 |
%%reseau.append(%%calc_net)%slurp
|
|
501 |
%end for
|
|
502 |
%end if
|
|
503 |
%end for
|
|
504 |
%if %%activer_route == 'oui'
|
|
505 |
%for %%route in %%route_adresse
|
|
506 |
%if %%route.route_int != '0'
|
|
507 |
%set %%net_route = %%str(%%route) + "/" + %%str(%%calc_classe(%%route.route_netmask))
|
|
508 |
%%reseau.append(%%net_route)%slurp
|
|
509 |
%end if
|
|
510 |
%end for
|
|
511 |
%end if
|
|
512 |
%for %%res1 in %%reseau
|
|
513 |
%for %%res2 in %%reseau
|
|
514 |
ip xfrm policy del src %%res1 dst %%res2 dir in
|
|
515 |
ip xfrm policy del src %%res1 dst %%res2 dir out
|
|
516 |
ip xfrm policy del src %%res1 dst %%res2 dir fwd
|
|
517 |
%end for
|
|
518 |
%end for
|
444 |
519 |
%if %%mode_conteneur_actif == "oui"
|
445 |
520 |
# Si mode conteneur, on supprime la tranlation du réseau des conteneurs dans les tunnels du réseau ide l'interface 1
|
446 |
521 |
for ip in $(hostname -I)
|