X-Git-Url: http://git.harvie.cz/?p=svn%2FPrometheus-QoS%2F.git;a=blobdiff_plain;f=optional-tools%2Fmake-iptables-restore;fp=optional-tools%2Fmake-iptables-restore;h=666d15b24a19619782476a75a92eaa174005387a;hp=0000000000000000000000000000000000000000;hb=86d37066beb7298ec660b09f5efa0f2622352663;hpb=7cf6da16e9b30099942458c113ccce7d0f29ee67
diff --git a/optional-tools/make-iptables-restore b/optional-tools/make-iptables-restore
new file mode 100755
index 0000000..666d15b
--- /dev/null
+++ b/optional-tools/make-iptables-restore
@@ -0,0 +1,142 @@
+#!/bin/bash
+iptables="/sbin/iptables"
+iptablesrestore="/sbin/iptables-restore"
+ifconfig="/sbin/ifconfig"
+
+#pimp files must be generated by optional-tools/make-pimp utility
+pimp_2way_nat="/mnt/mtdblock0/pimp-2way-nat.tmp"
+pimp_snat="/mnt/mtdblock0/pimp-snat.tmp"
+etchosts="/mnt/mtdblock0/hosts"
+restoredata="/mnt/mtdblock0/iptables-restore.in"
+wan1="vlan770"
+wan2="vlan771"
+wan3="vlan772"
+
+echo "*nat" > $restoredata
+echo ":PREROUTING ACCEPT [0:0]" >> $restoredata
+echo ":POSTROUTING ACCEPT [0:0]" >> $restoredata
+echo ":OUTPUT ACCEPT [0:0]" >> $restoredata
+
+# ===============================================================
+# Symetrical SNAT-DNAT using indexed iptables
+# ===============================================================
+
+echo -n "Generating new iptables-restore data - two way SNAT/DNAT "
+
+for czfip in `grep -v ^# $pimp_2way_nat|cut -f 1 -d " "`
+do
+ pubip=`grep "$czfip " $pimp_2way_nat|cut -f 2 -d " "`
+ czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
+ pubfirstindex=pub_`ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ |tr [./] _`
+ pubsecondindex=pub_`ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ |tr [./] _`
+
+ if ! grep $czffirstindex $restoredata > /dev/null
+ then
+ echo :$czffirstindex "- [0:0]" >> $restoredata
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czffirstindex >> $restoredata
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czffirstindex >> $restoredata
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czffirstindex >> $restoredata
+ fi
+
+ if ! grep $czfsecondindex $restoredata > /dev/null
+ then
+ echo :$czfsecondindex "- [0:0]" >> $restoredata
+ echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfsecondindex >> $restoredata
+ echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfsecondindex >> $restoredata
+ echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfsecondindex >> $restoredata
+ fi
+
+ if ! grep $czfthirdindex $restoredata > /dev/null
+ then
+ echo :$czfthirdindex "- [0:0]" >> $restoredata
+ echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfthirdindex >> $restoredata
+ echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfthirdindex >> $restoredata
+ echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfthirdindex >> $restoredata
+ fi
+
+ if ! grep $pubfirstindex $restoredata > /dev/null
+ then
+ echo :$pubfirstindex "- [0:0]" >> $restoredata
+ echo -A PREROUTING -i $wan1 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $restoredata
+ echo -A PREROUTING -i $wan2 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $restoredata
+ echo -A PREROUTING -i $wan3 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $restoredata
+ fi
+
+ if ! grep $pubsecondindex $restoredata > /dev/null
+ then
+ echo :$pubsecondindex "- [0:0]" >> $restoredata
+ echo -A $pubfirstindex -i $wan1 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $restoredata
+ echo -A $pubfirstindex -i $wan2 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $restoredata
+ echo -A $pubfirstindex -i $wan3 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $restoredata
+ fi
+
+ echo -A $pubsecondindex -i $wan1 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoredata
+ echo -A $pubsecondindex -i $wan2 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoredata
+ echo -A $pubsecondindex -i $wan3 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoredata
+ echo -A $pubsecondindex -i $wan1 -d $pubip/32 -j ACCEPT >> $restoredata
+ echo -A $pubsecondindex -i $wan2 -d $pubip/32 -j ACCEPT >> $restoredata
+ echo -A $pubsecondindex -i $wan3 -d $pubip/32 -j ACCEPT >> $restoredata
+
+
+ echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j ACCEPT >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j ACCEPT >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j ACCEPT >> $restoredata
+
+ echo -n .
+done
+echo " done."
+
+echo -n "Generating new iptables-restore data - one way SNAT "
+
+# ===============================================================
+# SNAT only using indexed iptables (should be rather function, hmm)
+# ===============================================================
+
+for czfip in `grep -v ^# $pimp_snat|cut -f 1 -d " "`
+do
+ pubip=`grep "$czfip " $pimp_snat|cut -f 2 -d " "`
+ czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
+
+ if ! grep $czffirstindex $restoredata > /dev/null
+ then
+ echo :$czffirstindex "- [0:0]" >> $restoredata
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czffirstindex >> $restoredata
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czffirstindex >> $restoredata
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czffirstindex >> $restoredata
+ fi
+
+ if ! grep $czfsecondindex $restoredata > /dev/null
+ then
+ echo :$czfsecondindex "- [0:0]" >> $restoredata
+ echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfsecondindex >> $restoredata
+ echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfsecondindex >> $restoredata
+ echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfsecondindex >> $restoredata
+ fi
+
+ if ! grep $czfthirdindex $restoredata > /dev/null
+ then
+ echo :$czfthirdindex "- [0:0]" >> $restoredata
+ echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfthirdindex >> $restoredata
+ echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfthirdindex >> $restoredata
+ echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfthirdindex >> $restoredata
+ fi
+
+ echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j ACCEPT >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j ACCEPT >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j ACCEPT >> $restoredata
+
+ echo -n .
+done
+echo " done."
+
+echo COMMIT >> $restoredata
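Review bot: The public-address lookup `pubip=\`grep "$czfip " $pimp_2way_nat|cut -f 2 -d " "\`` (and its twin in the SNAT-only loop) is an unanchored regex match in which the dots of the address are wildcards, and unlike the loop list it is not filtered by `grep -v ^#`, so `10.1.2.3` also picks up lines such as `110.1.2.3 ...` or a commented-out `#10.1.2.3 ...`. When more than one line matches, `$pubip` becomes a newline-separated list and the echoed `--to-destination`/`--to-source` rules are either malformed or map the private host to the wrong public address, which for DNAT means inbound traffic is steered to the wrong internal machine. Use an exact first-field match that skips comments and stops at the first hit, e.g. `pubip=$(awk -v ip="$czfip" '$1 !~ /^#/ && $1 == ip { print $2; exit }' "$pimp_2way_nat")`, and consider rejecting `$czfip`/`$pubip` values that are not dotted quads before they are echoed, since the generated file is consumed by iptables-restore verbatim. Whether `$restoredata` is actually loaded afterwards is not visible in this hunk; `$iptablesrestore` is assigned but never used here.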