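#!/bin/bash
# $Id$
#
# Rebuilds the nat table for iptables-restore from the "pimp" address-mapping
# files: two-way SNAT/DNAT pairs and one-way SNAT pairs are dispatched through
# nested per-subnet "index" chains, so no single chain grows with the number
# of mapped hosts.

# Fail closed: an error, an unset variable or a failing pipeline stage must
# abort the run rather than let a half-built table reach $restoredata.
set -eu
set -o pipefail

# Absolute tool paths; the script does not rely on PATH for these.
iptables="/sbin/iptables"
iptablesrestore="/sbin/iptables-restore"
ifconfig="/sbin/ifconfig"
grep="/bin/grep"
cut="/usr/bin/cut"
ipcalc="/usr/bin/ipcalc"
readonly iptables iptablesrestore ifconfig grep cut ipcalc

# pimp files must be generated by the optional-tools/make-pimp utility.
# One mapping per line, "<private-ip> <public-ip>"; a line starting with '#'
# is a comment.
pimp_2way_nat="/dev/shm/pimp-2way-nat.tmp"
pimp_snat="/dev/shm/pimp-snat.tmp"
etchosts="/mnt/mtdblock0/hosts"
# The table is assembled in $restoretmp and only moved over the live restore
# input ($restoredata) once it is complete.
restoretmp="/dev/shm/iptables-restore.tmp"
restoredata="/mnt/mtdblock0/iptables-restore.in"
readonly pimp_2way_nat pimp_snat etchosts restoretmp restoredata

# WAN interfaces; every NAT rule is emitted once per interface.
wan1="vlan770"
wan2="vlan771"
wan3="vlan772"
wan4="vlan774"
readonly wan1 wan2 wan3 wan4

# Prefix lengths of the nested index chains, widest first. The private (czf)
# side is dispatched on the source address, the public side on the
# destination address.
czffirstbitmask="19"
czfsecondbitmask="22"
czfthirdbitmask="25"
czffourthbitmask="28"
pubfirstbitmask="26"
pubsecondbitmask="29"
readonly czffirstbitmask czfsecondbitmask czfthirdbitmask czffourthbitmask
readonly pubfirstbitmask pubsecondbitmask

# Names of the index chains already declared in $restoretmp, each padded
# with spaces; the "_" sentinel keeps the variable non-empty.
chaintrack="_"

# nat table header; user chains are declared below as they are first needed.
{
  printf '%s\n' '*nat'
  printf '%s\n' ':PREROUTING ACCEPT [0:0]'
  printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
} > "$restoretmp"
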
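# ===============================================================
# Symmetrical SNAT-DNAT using indexed iptables
# ===============================================================
# Both NAT sections share the helpers below: the per-host work is the same
# four-level source-indexed chain walk; the two-way variant adds a two-level
# destination-indexed walk and the DNAT rules.

#######################################
# Print an error and abort. Aborting (instead of emitting whatever came
# out) is what keeps a broken table from reaching the live restore input.
# Arguments: the message
#######################################
die() {
  printf '\nerror: %s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless the pimp file exists and is readable. Without this check a
# missing mapping file produced an empty nat table that was then installed
# over the live one, silently dropping every host's NAT.
# Arguments: $1 - path to the pimp file
#######################################
require_pimp() {
  if [[ ! -r "$1" ]]; then
    die "pimp file $1 is missing or unreadable"
  fi
}

#######################################
# Accept only dotted-quad IPv4 addresses. The pimp files are produced by
# make-pimp, but whatever else ends up in them would otherwise be pasted
# verbatim into the iptables-restore input.
# Arguments: $1 - candidate address
# Returns:   0 if $1 is four dot-separated 1-3 digit groups, 1 otherwise
#######################################
is_ipv4() {
  local re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  [[ "$1" =~ $re ]]
}

#######################################
# Network of address $1 with prefix length $2 in CIDR form, taken from the
# "Network:" line of ipcalc output (e.g. 10.0.32.0/19).
# Arguments: $1 - IPv4 address; $2 - prefix length
# Outputs:   the network on stdout; empty if ipcalc printed no Network line
#######################################
net_of() {
  "$ipcalc" -n "$1/$2" | "$grep" Network | "$cut" -f 4 -d ' '
}

#######################################
# Chain name for a network: "<prefix>_<network>" with '.' and '/' turned
# into '_' (priv + 10.0.32.0/19 -> priv_10_0_32_0_19).
# Arguments: $1 - "priv" or "pub"; $2 - network in CIDR form
# Outputs:   the chain name on stdout
#######################################
chain_name() {
  local cidr=$2
  cidr=${cidr//./_}
  cidr=${cidr//\//_}
  printf '%s_%s' "$1" "$cidr"
}

#######################################
# Append one line of iptables-restore input to $restoretmp.
# Arguments: the words of the line, joined with single spaces
# Globals:   restoretmp (read)
#######################################
emit() {
  local IFS=' '
  printf '%s\n' "$*" >> "$restoretmp"
}

#######################################
# Declare user chain $1 in the nat table unless it already was.
# Globals:   chaintrack (read/written) - " name " entries, "_" sentinel
# Arguments: $1 - chain name
# Returns:   0 if the chain was declared now (caller must fill it),
#            1 if it already existed
#######################################
declare_chain() {
  local chain=$1
  # Match the space-padded entry rather than a bare substring, so a chain
  # is never mistaken for another one whose name merely contains it.
  if [[ "$chaintrack" == *" $chain "* ]]; then
    return 1
  fi
  emit ":$chain - [0:0]"
  chaintrack=" $chain $chaintrack"
  return 0
}

#######################################
# Create the source-indexed chain $2 for network $1 and jump to it from $3
# on every WAN interface; a no-op if the chain already exists.
# Arguments: $1 - network (CIDR); $2 - chain name; $3 - parent chain;
#            $4 - extra match words placed before "-s" (optional)
# Globals:   wan1..wan4 (read)
#######################################
link_src_chain() {
  local net=$1 chain=$2 parent=$3 extra=${4-} wan
  declare_chain "$chain" || return 0
  for wan in "$wan1" "$wan2" "$wan3" "$wan4"; do
    emit "-A $parent${extra:+ $extra} -s $net -o $wan -j $chain"
  done
}

#######################################
# Same for the destination-indexed chains of the public side: create chain
# $2 for network $1, reached from $3 on every WAN interface.
# Arguments: $1 - network (CIDR); $2 - chain name; $3 - parent chain
# Globals:   wan1..wan4 (read)
#######################################
link_dst_chain() {
  local net=$1 chain=$2 parent=$3 wan
  declare_chain "$chain" || return 0
  for wan in "$wan1" "$wan2" "$wan3" "$wan4"; do
    emit "-A $parent -i $wan -d $net -j $chain"
  done
}

#######################################
# Walk the four nested source-indexed chains for private address $1,
# creating the missing ones, and leave the innermost chain's name in
# src_leaf for the per-host SNAT rule. Only the outermost level carries
# "-d ! 10.0.0.0/8" (traffic staying inside 10/8 is not NATed); "-d ! addr"
# is the old negation spelling and is kept unchanged for the iptables on
# this box.
# Arguments: $1 - private IPv4 address
# Globals:   czf*bitmask (read), src_leaf (written)
#######################################
build_src_chains() {
  local ip=$1 parent=POSTROUTING extra="-d ! 10.0.0.0/8" mask net chain
  for mask in "$czffirstbitmask" "$czfsecondbitmask" "$czfthirdbitmask" "$czffourthbitmask"; do
    net=$(net_of "$ip" "$mask") || net=''
    # An empty network would yield a chain named "priv_" and "-s  -o" rules.
    [[ -n "$net" ]] || die "$ipcalc gave no network for $ip/$mask"
    chain=$(chain_name priv "$net")
    link_src_chain "$net" "$chain" "$parent" "$extra"
    extra=''
    parent=$chain
  done
  src_leaf=$chain
}

#######################################
# Walk the two nested destination-indexed chains for public address $1 and
# leave the innermost chain's name in dst_leaf for the per-host DNAT rule.
# Arguments: $1 - public IPv4 address
# Globals:   pub*bitmask (read), dst_leaf (written)
#######################################
build_dst_chains() {
  local ip=$1 parent=PREROUTING mask net chain
  for mask in "$pubfirstbitmask" "$pubsecondbitmask"; do
    net=$(net_of "$ip" "$mask") || net=''
    [[ -n "$net" ]] || die "$ipcalc gave no network for $ip/$mask"
    chain=$(chain_name pub "$net")
    link_dst_chain "$net" "$chain" "$parent"
    parent=$chain
  done
  dst_leaf=$chain
}

#######################################
# Per-host SNAT rules: traffic from private $2 leaving on any WAN interface
# is rewritten to public $3.
# Arguments: $1 - leaf chain; $2 - private IP; $3 - public IP
#######################################
emit_snat() {
  local wan
  for wan in "$wan1" "$wan2" "$wan3" "$wan4"; do
    emit "-A $1 -s $2/32 -o $wan -j SNAT --to-source $3"
  done
}

#######################################
# Per-host DNAT rules: traffic for public $3 arriving on any WAN interface
# is rewritten to private $2.
# Arguments: $1 - leaf chain; $2 - private IP; $3 - public IP
#######################################
emit_dnat() {
  local wan
  for wan in "$wan1" "$wan2" "$wan3" "$wan4"; do
    emit "-A $1 -i $wan -d $3/32 -j DNAT --to-destination $2"
  done
}

#######################################
# Two-way mapping: source chains, destination chains, then DNAT and SNAT.
# Arguments: $1 - private IP; $2 - public IP
#######################################
two_way_nat() {
  local czfip=$1 pubip=$2
  build_src_chains "$czfip"
  build_dst_chains "$pubip"
  emit_dnat "$dst_leaf" "$czfip" "$pubip"
  emit_snat "$src_leaf" "$czfip" "$pubip"
}

#######################################
# One-way mapping: source chains and SNAT only.
# Arguments: $1 - private IP; $2 - public IP
#######################################
snat_only() {
  local czfip=$1 pubip=$2
  build_src_chains "$czfip"
  emit_snat "$src_leaf" "$czfip" "$pubip"
}

#######################################
# Call $2 with (private, public) for every mapping line of pimp file $1.
# Lines starting with '#' and blank lines are skipped; the public address
# is taken from the same line as the private one (previously the first
# line containing the private address was used, so a duplicated private
# address mapped every occurrence to the first public address). A line
# that does not hold two IPv4 addresses aborts the run.
# Arguments: $1 - pimp file; $2 - handler function name
# Outputs:   one '.' per processed mapping on stdout
#######################################
for_each_mapping() {
  local file=$1 handler=$2 czfip pubip rest
  while IFS=' ' read -r czfip pubip rest || [[ -n "$czfip" ]]; do
    if [[ -z "$czfip" || "$czfip" == \#* ]]; then
      continue
    fi
    if ! is_ipv4 "$czfip" || ! is_ipv4 "$pubip"; then
      die "$file: malformed mapping line \"$czfip $pubip $rest\""
    fi
    "$handler" "$czfip" "$pubip"
    printf '.'
  done < "$file"
}

printf '%s' "Generating new iptables-restore data - two way SNAT/DNAT "
require_pimp "$pimp_2way_nat"
for_each_mapping "$pimp_2way_nat" two_way_nat
printf '%s\n' " done."

# ===============================================================
# SNAT only using indexed iptables
# ===============================================================
printf '%s' "Generating new iptables-restore data - one way SNAT "
require_pimp "$pimp_snat"
for_each_mapping "$pimp_snat" snat_only
printf '%s\n' " done."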
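
# Close the nat table; iptables-restore rejects input without a COMMIT.
if ! printf '%s\n' COMMIT >> "$restoretmp"; then
  printf '\nerror: cannot finish %s\n' "$restoretmp" >&2
  exit 1
fi
printf '%s' "Writing $restoredata"
# $restoretmp and $restoredata are almost certainly on different
# filesystems (tmpfs vs. the mtd flash mount), so a plain mv is a copy
# followed by an unlink and an interrupted run could leave a truncated
# restore input behind. Stage a copy next to the target and rename it into
# place; the rename is atomic within one filesystem.
staged="$restoredata.tmp"
if ! cp -- "$restoretmp" "$staged" || ! mv -- "$staged" "$restoredata"; then
  printf '\nerror: cannot install %s\n' "$restoredata" >&2
  rm -f -- "$staged"
  exit 1
fi
rm -f -- "$restoretmp"
printf '%s\n' " done."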