[strongSwan] local_ts based on user/group
Christian Salway
christian.salway at naimuri.com
Fri Nov 1 00:31:30 CET 2019
... for completeness, this is the down-client script
down-client)
iptables -S FORWARD | grep "reqid \${PLUTO_REQID}" | cut -d' ' -f2- | while read RULE
do
iptables -D \$RULE
logger -t \$TAG -p \$FAC_PRIO -- \\
"- \$PLUTO_XAUTH_ID (\$PLUTO_REQID) \$RULE"
done
;;
> On 31 Oct 2019, at 22:56, Christian Salway <christian.salway at naimuri.com> wrote:
>
> Thanks, Tobias,
>
> I went down the route of writing a custom updown script as I didn’t know how to write hooks so this seemed easiest.
>
> cat <<EOF > /opt/strongswan/_updown
> #!/bin/bash
>
> LDAPURL='${LDAPURL}'
> BASEOU='${BASEOU}'
> BINDUN='${BINDUN}'
> BINDPW='${BINDPW}'
>
> TAG=charon-route
> FAC_PRIO=local0.notice
>
> IPSEC_POLICY="-m policy --pol ipsec --proto \$PLUTO_PROTO --reqid \$PLUTO_REQID"
> IPSEC_POLICY_IN="\$IPSEC_POLICY --dir in"
> IPSEC_POLICY_OUT="\$IPSEC_POLICY --dir out"
>
> case "\$PLUTO_VERB" in
> up-client)
> # expects a group name in the format cidr-xx.xx.xx.xx-nn, eg: cidr-172.31.0.0-16
> ldapsearch -H "\${LDAPURL}" -x -D "\${BINDUN}" -w "\${BINDPW}" -b "\${BASEOU}" -LLL "(sAMAccountName=\${PLUTO_XAUTH_ID})" memberOf | \\
> grep -oP '(?<=memberOf: CN=cidr-).+?(?=,OU.+)' | \\
> sed 's|-|/|' | while read CIDR
> do
> iptables -I FORWARD 1 -o \$PLUTO_INTERFACE -p \$PLUTO_PEER_PROTOCOL \\
> -s \$CIDR -d \$PLUTO_PEER_CLIENT \$IPSEC_POLICY_OUT -j ACCEPT
>
> iptables -I FORWARD 1 -i \$PLUTO_INTERFACE -p \$PLUTO_MY_PROTOCOL \\
> -s \$PLUTO_PEER_CLIENT -d \$CIDR \$IPSEC_POLICY_IN -j ACCEPT
>
> logger -t \$TAG -p \$FAC_PRIO \\
> "+ \$PLUTO_XAUTH_ID (\$PLUTO_REQID) \$PLUTO_PEER_CLIENT == \$PLUTO_PEER -- \$PLUTO_ME == \$CIDR"
> done
> ;;
> down-client)
> # remove rules - yet to be written. Needs to assume the user might have been removed from the Group before disconnection
> iptables -F FORWARD # TESTING ONLY
> ;;
> *) echo "\$0: unknown verb '\$PLUTO_VERB'" >&2
> ;;
> esac
> EOF
> chmod +x /opt/strongswan/_updown
>
>
>
> children {
> child {
> local_ts = ${CLIENT_ROUTES}
> updown = /opt/strongswan/_updown
> }
> }
>
>
>> On 31 Oct 2019, at 09:22, Tobias Brunner <tobias at strongswan.org <mailto:tobias at strongswan.org>> wrote:
>>
>> Hi Christian,
>>
>>> How would that work? Because a user can be a member of one or more groups and thus how does strongswan select the connection with all the groups.
>>
>> Since a single group match is currently enough to satisfy the group
>> constraint (there is also no "best"-match based on groups), you'll have
>> to assign unique groups to the users that have access to specific
>> networks. That is, groups for individual networks won't work (unless
>> members of such groups only have access to one network), you need groups
>> that allow access to combinations of networks. If you can't change the
>> original group assignment, you'll need to map them somehow, for
>> instance, write a plugin that implements the authorize hook and assign a
>> new group based on the ones already assigned. Alternatively, write a
>> plugin that implements the narrow hook and assigns traffic selectors
>> based on whatever strategy you like.
>>
>> Regards,
>> Tobias
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20191031/8f3104c9/attachment.html>
More information about the Users
mailing list