X-Git-Url: https://git.harvie.cz/?a=blobdiff_plain;f=optional-tools%2Fmake-iptables-restore;h=449534f53e1deb68c448a48ef6bb6374c26e1012;hb=f1bba845e16fd073d1b5e05aacb85c4e82ca717f;hp=666d15b24a19619782476a75a92eaa174005387a;hpb=86d37066beb7298ec660b09f5efa0f2622352663;p=svn%2FPrometheus-QoS%2F.git
diff --git a/optional-tools/make-iptables-restore b/optional-tools/make-iptables-restore
index 666d15b..449534f 100755
--- a/optional-tools/make-iptables-restore
+++ b/optional-tools/make-iptables-restore
@@ -1,142 +1,219 @@ #!/bin/bash +# $Id$ iptables="/sbin/iptables" iptablesrestore="/sbin/iptables-restore" -ifconfig="/sbin/ifconfig" #pimp files must be generated by optional-tools/make-pimp utility -pimp_2way_nat="/mnt/mtdblock0/pimp-2way-nat.tmp" -pimp_snat="/mnt/mtdblock0/pimp-snat.tmp" +pimp_2way_nat="/dev/shm/pimp-2way-nat.tmp" +pimp_snat="/dev/shm/pimp-snat.tmp" etchosts="/mnt/mtdblock0/hosts" +restoretmp="/dev/shm/iptables-restore.tmp" restoredata="/mnt/mtdblock0/iptables-restore.in" wan1="vlan770" wan2="vlan771" wan3="vlan772" +wan4="vlan774" +czffirstbitmask="19" +czfsecondbitmask="22" +czfthirdbitmask="25" +czffourthbitmask="28" +pubfirstbitmask="26" +pubsecondbitmask="29" +chaintrack="_" -echo "*nat" > $restoredata -echo ":PREROUTING ACCEPT [0:0]" >> $restoredata -echo ":POSTROUTING ACCEPT [0:0]" >> $restoredata -echo ":OUTPUT ACCEPT [0:0]" >> $restoredata +# =============================================================== +# ipcalc rewrite +# =============================================================== + +gen_ipt_string() { +eval `echo $1 | awk -F\/ '{printf "IP=%s; CIDRMASK=%s; \n", $1, $2}'` + +MASK_FULL_OCTETS=$(($CIDRMASK/8)) +MASK_PART_OCTETS=$(($CIDRMASK%8)) +for i in `seq 0 3`; do + if [ "$i" -lt "$MASK_FULL_OCTETS" ]; then + MASK+="255" + elif [ "$i" -eq "$MASK_FULL_OCTETS" ]; then + MASK+=$((256 - 2**(8-$MASK_PART_OCTETS))) + else + MASK+="0" + fi + [ "$i" -lt "3" ] && MASK+="." +done + +eval `echo $IP | awk -F\. '{printf "IPBYTE1=%s; IPBYTE2=%s; IPBYTE3=%s; IPBYTE4=%s; \n", $1, $2, $3, $4}'` +eval `echo $MASK | awk -F\. 
'{printf "MASKBYTE1=%s; MASKBYTE2=%s; MASKBYTE3=%s; MASKBYTE4=%s; \n", $1, $2, $3, $4}'` + +IPT_STRING="$(($IPBYTE1 & $MASKBYTE1))_$(($IPBYTE2 & $MASKBYTE2))_$(($IPBYTE3 & $MASKBYTE3))_$(($IPBYTE4 & $MASKBYTE4))_$CIDRMASK" +echo $IPT_STRING +} + +echo "*nat" > $restoretmp +echo ":PREROUTING ACCEPT [0:0]" >> $restoretmp +echo ":POSTROUTING ACCEPT [0:0]" >> $restoretmp +echo ":OUTPUT ACCEPT [0:0]" >> $restoretmp # =============================================================== # Symetrical SNAT-DNAT using indexed iptables # =============================================================== - echo -n "Generating new iptables-restore data - two way SNAT/DNAT " -for czfip in `grep -v ^# $pimp_2way_nat|cut -f 1 -d " "` -do - pubip=`grep "$czfip " $pimp_2way_nat|cut -f 2 -d " "` - czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _` - czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _` - czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _` - pubfirstindex=pub_`ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ |tr [./] _` - pubsecondindex=pub_`ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ |tr [./] _` - if ! grep $czffirstindex $restoredata > /dev/null +while read LINE; do + eval `echo -e $LINE | awk '{printf "czfip=%s; pubip=%s\n", $1, $2}'` + czffirstindex=priv_`gen_ipt_string $czfip/$czffirstbitmask` + czfsecondindex=priv_`gen_ipt_string $czfip/$czfsecondbitmask` + czfthirdindex=priv_`gen_ipt_string $czfip/$czfthirdbitmask` + czffourthindex=priv_`gen_ipt_string $czfip/$czffourthbitmask` + pubfirstindex=pub_`gen_ipt_string $pubip/$pubfirstbitmask` + pubsecondindex=pub_`gen_ipt_string $pubip/$pubsecondbitmask` + + if ! [[ "$chaintrack" == *"$czffirstindex"* ]] then - echo :$czffirstindex "- [0:0]" >> $restoredata - echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czffirstindex >> $restoredata - echo -A POSTROUTING -d ! 
10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czffirstindex >> $restoredata - echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czffirstindex >> $restoredata + echo :$czffirstindex "- [0:0]" >> $restoretmp + s=`gen_ipt_string $czfip/$czffirstbitmask| sed 's/_[0-9]*//4; s/_/./g'` + echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan1 -j $czffirstindex >> $restoretmp + echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan2 -j $czffirstindex >> $restoretmp + echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan3 -j $czffirstindex >> $restoretmp + echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan4 -j $czffirstindex >> $restoretmp + chaintrack=\ ${czffirstindex}\ ${chaintrack} fi - if ! grep $czfsecondindex $restoredata > /dev/null + if ! [[ "$chaintrack" == *"$czfsecondindex"* ]] then - echo :$czfsecondindex "- [0:0]" >> $restoredata - echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfsecondindex >> $restoredata - echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfsecondindex >> $restoredata - echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfsecondindex >> $restoredata + echo :$czfsecondindex "- [0:0]" >> $restoretmp + s=`gen_ipt_string $czfip/$czfsecondbitmask| sed 's/_[0-9]*//4; s/_/./g'` + echo -A $czffirstindex -s $s -o $wan1 -j $czfsecondindex >> $restoretmp + echo -A $czffirstindex -s $s -o $wan2 -j $czfsecondindex >> $restoretmp + echo -A $czffirstindex -s $s -o $wan3 -j $czfsecondindex >> $restoretmp + echo -A $czffirstindex -s $s -o $wan4 -j $czfsecondindex >> $restoretmp + chaintrack=\ ${czfsecondindex}\ ${chaintrack} fi - if ! grep $czfthirdindex $restoredata > /dev/null + if ! 
[[ "$chaintrack" == *"$czfthirdindex"* ]] then - echo :$czfthirdindex "- [0:0]" >> $restoredata - echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfthirdindex >> $restoredata - echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfthirdindex >> $restoredata - echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfthirdindex >> $restoredata + echo :$czfthirdindex "- [0:0]" >> $restoretmp + s=`gen_ipt_string $czfip/$czfthirdbitmask| sed 's/_[0-9]*//4; s/_/./g'` + echo -A $czfsecondindex -s $s -o $wan1 -j $czfthirdindex >> $restoretmp + echo -A $czfsecondindex -s $s -o $wan2 -j $czfthirdindex >> $restoretmp + echo -A $czfsecondindex -s $s -o $wan3 -j $czfthirdindex >> $restoretmp + echo -A $czfsecondindex -s $s -o $wan4 -j $czfthirdindex >> $restoretmp + chaintrack=\ ${czfthirdindex}\ ${chaintrack} fi - if ! grep $pubfirstindex $restoredata > /dev/null + if ! [[ "$chaintrack" == *"$czffourthindex"* ]] then - echo :$pubfirstindex "- [0:0]" >> $restoredata - echo -A PREROUTING -i $wan1 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $restoredata - echo -A PREROUTING -i $wan2 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $restoredata - echo -A PREROUTING -i $wan3 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $restoredata + echo :$czffourthindex "- [0:0]" >> $restoretmp + s=`gen_ipt_string $czfip/$czffourthbitmask| sed 's/_[0-9]*//4; s/_/./g'` + echo -A $czfthirdindex -s $s -o $wan1 -j $czffourthindex >> $restoretmp + echo -A $czfthirdindex -s $s -o $wan2 -j $czffourthindex >> $restoretmp + echo -A $czfthirdindex -s $s -o $wan3 -j $czffourthindex >> $restoretmp + echo -A $czfthirdindex -s $s -o $wan4 -j $czffourthindex >> $restoretmp + chaintrack=\ ${czffourthindex}\ ${chaintrack} fi - if ! grep $pubsecondindex $restoredata > /dev/null + if ! 
[[ "$chaintrack" == *"$pubfirstindex"* ]] then - echo :$pubsecondindex "- [0:0]" >> $restoredata - echo -A $pubfirstindex -i $wan1 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $restoredata - echo -A $pubfirstindex -i $wan2 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $restoredata - echo -A $pubfirstindex -i $wan3 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $restoredata + echo :$pubfirstindex "- [0:0]" >> $restoretmp + s=`gen_ipt_string $pubip/$pubfirstbitmask| sed 's/_[0-9]*//4; s/_/./g'` + echo -A PREROUTING -i $wan1 -d $s -j $pubfirstindex >> $restoretmp + echo -A PREROUTING -i $wan2 -d $s -j $pubfirstindex >> $restoretmp + echo -A PREROUTING -i $wan3 -d $s -j $pubfirstindex >> $restoretmp + echo -A PREROUTING -i $wan4 -d $s -j $pubfirstindex >> $restoretmp + chaintrack=\ ${pubfirstindex}\ ${chaintrack} fi - echo -A $pubsecondindex -i $wan1 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoredata - echo -A $pubsecondindex -i $wan2 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoredata - echo -A $pubsecondindex -i $wan3 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoredata - echo -A $pubsecondindex -i $wan1 -d $pubip/32 -j ACCEPT >> $restoredata - echo -A $pubsecondindex -i $wan2 -d $pubip/32 -j ACCEPT >> $restoredata - echo -A $pubsecondindex -i $wan3 -d $pubip/32 -j ACCEPT >> $restoredata + if ! 
[[ "$chaintrack" == *"$pubsecondindex"* ]] + then + echo :$pubsecondindex "- [0:0]" >> $restoretmp + s=`gen_ipt_string $pubip/$pubsecondbitmask| sed 's/_[0-9]*//4; s/_/./g'` + echo -A $pubfirstindex -i $wan1 -d $s -j $pubsecondindex >> $restoretmp + echo -A $pubfirstindex -i $wan2 -d $s -j $pubsecondindex >> $restoretmp + echo -A $pubfirstindex -i $wan3 -d $s -j $pubsecondindex >> $restoretmp + echo -A $pubfirstindex -i $wan4 -d $s -j $pubsecondindex >> $restoretmp + chaintrack=\ ${pubsecondindex}\ ${chaintrack} + fi + echo -A $pubsecondindex -i $wan1 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoretmp + echo -A $pubsecondindex -i $wan2 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoretmp + echo -A $pubsecondindex -i $wan3 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoretmp + echo -A $pubsecondindex -i $wan4 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoretmp - echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j SNAT --to-source $pubip >> $restoredata - echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j SNAT --to-source $pubip >> $restoredata - echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j SNAT --to-source $pubip >> $restoredata - echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j ACCEPT >> $restoredata - echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j ACCEPT >> $restoredata - echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j ACCEPT >> $restoredata + echo -A $czffourthindex -s $czfip/32 -o $wan1 -j SNAT --to-source $pubip >> $restoretmp + echo -A $czffourthindex -s $czfip/32 -o $wan2 -j SNAT --to-source $pubip >> $restoretmp + echo -A $czffourthindex -s $czfip/32 -o $wan3 -j SNAT --to-source $pubip >> $restoretmp + echo -A $czffourthindex -s $czfip/32 -o $wan4 -j SNAT --to-source $pubip >> $restoretmp echo -n . -done -echo " done." -echo -n "Generating new iptables-restore data - one way SNAT " +done < $pimp_2way_nat +echo " done." 
# =============================================================== # SNAT only using indexed iptables (should be rather function, hmm) # =============================================================== +echo -n "Generating new iptables-restore data - one way SNAT " -for czfip in `grep -v ^# $pimp_snat|cut -f 1 -d " "` -do - pubip=`grep "$czfip " $pimp_snat|cut -f 2 -d " "` - czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _` - czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _` - czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _` +while read LINE; do + eval `echo -e $LINE | awk '{printf "czfip=%s; pubip=%s\n", $1, $2}'` + czffirstindex=priv_`gen_ipt_string $czfip/$czffirstbitmask` + czfsecondindex=priv_`gen_ipt_string $czfip/$czfsecondbitmask` + czfthirdindex=priv_`gen_ipt_string $czfip/$czfthirdbitmask` + czffourthindex=priv_`gen_ipt_string $czfip/$czffourthbitmask` - if ! grep $czffirstindex $restoredata > /dev/null + if ! [[ "$chaintrack" == *"$czffirstindex"* ]] then - echo :$czffirstindex "- [0:0]" >> $restoredata - echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czffirstindex >> $restoredata - echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czffirstindex >> $restoredata - echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czffirstindex >> $restoredata + echo :$czffirstindex "- [0:0]" >> $restoretmp + s=`gen_ipt_string $czfip/$czffirstbitmask| sed 's/_[0-9]*//4; s/_/./g'` + echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan1 -j $czffirstindex >> $restoretmp + echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan2 -j $czffirstindex >> $restoretmp + echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan3 -j $czffirstindex >> $restoretmp + echo -A POSTROUTING -d ! 
10.0.0.0/8 -s $s -o $wan4 -j $czffirstindex >> $restoretmp + chaintrack=\ ${czffirstindex}\ ${chaintrack} fi - if ! grep $czfsecondindex $restoredata > /dev/null + if ! [[ "$chaintrack" == *"$czfsecondindex"* ]] then - echo :$czfsecondindex "- [0:0]" >> $restoredata - echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfsecondindex >> $restoredata - echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfsecondindex >> $restoredata - echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfsecondindex >> $restoredata + echo :$czfsecondindex "- [0:0]" >> $restoretmp + s=`gen_ipt_string $czfip/$czfsecondbitmask| sed 's/_[0-9]*//4; s/_/./g'` + echo -A $czffirstindex -s $s -o $wan1 -j $czfsecondindex >> $restoretmp + echo -A $czffirstindex -s $s -o $wan2 -j $czfsecondindex >> $restoretmp + echo -A $czffirstindex -s $s -o $wan3 -j $czfsecondindex >> $restoretmp + echo -A $czffirstindex -s $s -o $wan4 -j $czfsecondindex >> $restoretmp + chaintrack=\ ${czfsecondindex}\ ${chaintrack} fi - if ! grep $czfthirdindex $restoredata > /dev/null + if ! 
[[ "$chaintrack" == *"$czfthirdindex"* ]] then - echo :$czfthirdindex "- [0:0]" >> $restoredata - echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfthirdindex >> $restoredata - echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfthirdindex >> $restoredata - echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfthirdindex >> $restoredata + echo :$czfthirdindex "- [0:0]" >> $restoretmp + s=`gen_ipt_string $czfip/$czfthirdbitmask| sed 's/_[0-9]*//4; s/_/./g'` + echo -A $czfsecondindex -s $s -o $wan1 -j $czfthirdindex >> $restoretmp + echo -A $czfsecondindex -s $s -o $wan2 -j $czfthirdindex >> $restoretmp + echo -A $czfsecondindex -s $s -o $wan3 -j $czfthirdindex >> $restoretmp + echo -A $czfsecondindex -s $s -o $wan4 -j $czfthirdindex >> $restoretmp + chaintrack=\ ${czfthirdindex}\ ${chaintrack} fi - echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j SNAT --to-source $pubip >> $restoredata - echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j SNAT --to-source $pubip >> $restoredata - echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j SNAT --to-source $pubip >> $restoredata - echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j ACCEPT >> $restoredata - echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j ACCEPT >> $restoredata - echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j ACCEPT >> $restoredata + if ! 
[[ "$chaintrack" == *"$czffourthindex"* ]] + then + echo :$czffourthindex "- [0:0]" >> $restoretmp + s=`gen_ipt_string $czfip/$czffourthbitmask| sed 's/_[0-9]*//4; s/_/./g'` + echo -A $czfthirdindex -s $s -o $wan1 -j $czffourthindex >> $restoretmp + echo -A $czfthirdindex -s $s -o $wan2 -j $czffourthindex >> $restoretmp + echo -A $czfthirdindex -s $s -o $wan3 -j $czffourthindex >> $restoretmp + echo -A $czfthirdindex -s $s -o $wan4 -j $czffourthindex >> $restoretmp + chaintrack=\ ${czffourthindex}\ ${chaintrack} + fi + + echo -A $czffourthindex -s $czfip/32 -o $wan1 -j SNAT --to-source $pubip >> $restoretmp + echo -A $czffourthindex -s $czfip/32 -o $wan2 -j SNAT --to-source $pubip >> $restoretmp + echo -A $czffourthindex -s $czfip/32 -o $wan3 -j SNAT --to-source $pubip >> $restoretmp + echo -A $czffourthindex -s $czfip/32 -o $wan4 -j SNAT --to-source $pubip >> $restoretmp echo -n . -done +done < $pimp_snat echo " done." -echo COMMIT >> $restoredata +echo COMMIT >> $restoretmp +echo -n "Writing $restoredata" +mv $restoretmp $restoredata