#!/bin/bash
-#
-# requires:
-#
-# /rw/etc/hosts ... configuration file for dashboard and snat/dnat
-# parses Prometheus compatible nodelist and generates some firewall
-# rules
-#
-./make-pimp
-./make-snat-dnat
-#
-# /rw/etc/network/snat-dnat is generated by make-snat-dnat
-#
-/rw/etc/network/snat-dnat
+cd /root/bin/
+/root/bin/updatehosts
+/root/bin/make-pimp
+/root/bin/make-iptables-restore
+/etc/network/setnet
+#echo -n "Running iptables restore ... "
+#/sbin/iptables-restore < /mnt/mtdblock0/iptables-restore.in
+#echo "done."
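Review bot: The new runner chains four scripts (L15-L19) with no error handling, so if `make-iptables-restore` aborts part way — it writes its output in place, so the file on flash would be left without `COMMIT` — `/etc/network/setnet` still runs against whatever is there, and the unchecked `cd /root/bin/` is dead weight since every path after it is absolute. Add `set -e` (or `set -euo pipefail`) after the shebang and either drop the `cd` or make it fail loudly, `cd /root/bin/ || exit 1`. The `iptables-restore` invocation is now commented out (L20-L22); if `setnet` is not what loads `/mnt/mtdblock0/iptables-restore.in`, the freshly generated NAT table is never applied, so a comment stating which script does load it, e.g. `# the generated ruleset is loaded by /etc/network/setnet`, would save the next maintainer from guessing.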
--- /dev/null
+#!/bin/bash
+iptables="/sbin/iptables"
+iptablesrestore="/sbin/iptables-restore"
+ifconfig="/sbin/ifconfig"
+
+#pimp files must be generated by optional-tools/make-pimp utility
+pimp_2way_nat="/mnt/mtdblock0/pimp-2way-nat.tmp"
+pimp_snat="/mnt/mtdblock0/pimp-snat.tmp"
+etchosts="/mnt/mtdblock0/hosts"
+restoredata="/mnt/mtdblock0/iptables-restore.in"
+wan1="vlan770"
+wan2="vlan771"
+wan3="vlan772"
+
+echo "*nat" > $restoredata
+echo ":PREROUTING ACCEPT [0:0]" >> $restoredata
+echo ":POSTROUTING ACCEPT [0:0]" >> $restoredata
+echo ":OUTPUT ACCEPT [0:0]" >> $restoredata
+
+# ===============================================================
+# Symetrical SNAT-DNAT using indexed iptables
+# ===============================================================
+
+echo -n "Generating new iptables-restore data - two way SNAT/DNAT "
+
+for czfip in `grep -v ^# $pimp_2way_nat|cut -f 1 -d " "`
+do
+ pubip=`grep "$czfip " $pimp_2way_nat|cut -f 2 -d " "`
+ czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
+ pubfirstindex=pub_`ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ |tr [./] _`
+ pubsecondindex=pub_`ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ |tr [./] _`
+
+ if ! grep $czffirstindex $restoredata > /dev/null
+ then
+ echo :$czffirstindex "- [0:0]" >> $restoredata
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czffirstindex >> $restoredata
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czffirstindex >> $restoredata
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czffirstindex >> $restoredata
+ fi
+
+ if ! grep $czfsecondindex $restoredata > /dev/null
+ then
+ echo :$czfsecondindex "- [0:0]" >> $restoredata
+ echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfsecondindex >> $restoredata
+ echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfsecondindex >> $restoredata
+ echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfsecondindex >> $restoredata
+ fi
+
+ if ! grep $czfthirdindex $restoredata > /dev/null
+ then
+ echo :$czfthirdindex "- [0:0]" >> $restoredata
+ echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfthirdindex >> $restoredata
+ echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfthirdindex >> $restoredata
+ echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfthirdindex >> $restoredata
+ fi
+
+ if ! grep $pubfirstindex $restoredata > /dev/null
+ then
+ echo :$pubfirstindex "- [0:0]" >> $restoredata
+ echo -A PREROUTING -i $wan1 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $restoredata
+ echo -A PREROUTING -i $wan2 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $restoredata
+ echo -A PREROUTING -i $wan3 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $restoredata
+ fi
+
+ if ! grep $pubsecondindex $restoredata > /dev/null
+ then
+ echo :$pubsecondindex "- [0:0]" >> $restoredata
+ echo -A $pubfirstindex -i $wan1 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $restoredata
+ echo -A $pubfirstindex -i $wan2 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $restoredata
+ echo -A $pubfirstindex -i $wan3 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $restoredata
+ fi
+
+ echo -A $pubsecondindex -i $wan1 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoredata
+ echo -A $pubsecondindex -i $wan2 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoredata
+ echo -A $pubsecondindex -i $wan3 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoredata
+ echo -A $pubsecondindex -i $wan1 -d $pubip/32 -j ACCEPT >> $restoredata
+ echo -A $pubsecondindex -i $wan2 -d $pubip/32 -j ACCEPT >> $restoredata
+ echo -A $pubsecondindex -i $wan3 -d $pubip/32 -j ACCEPT >> $restoredata
+
+
+ echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j ACCEPT >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j ACCEPT >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j ACCEPT >> $restoredata
+
+ echo -n .
+done
+echo " done."
+
+echo -n "Generating new iptables-restore data - one way SNAT "
+
+# ===============================================================
+# SNAT only using indexed iptables (should be rather function, hmm)
+# ===============================================================
+
+for czfip in `grep -v ^# $pimp_snat|cut -f 1 -d " "`
+do
+ pubip=`grep "$czfip " $pimp_snat|cut -f 2 -d " "`
+ czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
+
+ if ! grep $czffirstindex $restoredata > /dev/null
+ then
+ echo :$czffirstindex "- [0:0]" >> $restoredata
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czffirstindex >> $restoredata
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czffirstindex >> $restoredata
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czffirstindex >> $restoredata
+ fi
+
+ if ! grep $czfsecondindex $restoredata > /dev/null
+ then
+ echo :$czfsecondindex "- [0:0]" >> $restoredata
+ echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfsecondindex >> $restoredata
+ echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfsecondindex >> $restoredata
+ echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfsecondindex >> $restoredata
+ fi
+
+ if ! grep $czfthirdindex $restoredata > /dev/null
+ then
+ echo :$czfthirdindex "- [0:0]" >> $restoredata
+ echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfthirdindex >> $restoredata
+ echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfthirdindex >> $restoredata
+ echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfthirdindex >> $restoredata
+ fi
+
+ echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j ACCEPT >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j ACCEPT >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j ACCEPT >> $restoredata
+
+ echo -n .
+done
+echo " done."
+
+echo COMMIT >> $restoredata
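Review bot: The restore data is appended line by line straight into `/mnt/mtdblock0/iptables-restore.in` (L38 onward, `COMMIT` only at L165), so any failure in the middle — a missing `ipcalc` leaving chain names as bare `priv_`, a malformed hosts entry, or the unanchored `grep "$czfip "` at L51/L125 matching two lines and producing a multi-word `$pubip` — leaves a truncated or syntactically broken file in place; `iptables-restore` then rejects the whole file and the kernel keeps whatever NAT table it had (stale mappings, or none at all after a reboot) instead of just skipping the bad entry. Build the file under a temporary name and rename it only after `COMMIT` is written: `restorefinal="/mnt/mtdblock0/iptables-restore.in"`, `restoredata="$restorefinal.tmp"`, and at the end `echo COMMIT >> "$restoredata" && mv -f "$restoredata" "$restorefinal"`; with `set -e` at the top the previous good ruleset then survives a generation failure. The `grep "$czfip "` lookups should be anchored (`grep "^$czfip "`) as make-pimp already does, otherwise `10.0.0.1 ` also matches `110.0.0.1 ` and the unescaped dots match any character. The intrapositioned negation `-d ! 10.0.0.0/8` (L61-L63, L133-L135) is the deprecated form that newer iptables warn about and the nft-backed iptables may reject; `! -d 10.0.0.0/8` is the safe spelling. The `-j ACCEPT` rules following each SNAT/DNAT (L101-L103, L109-L111, L157-L159) are unreachable, since those targets terminate nat-table traversal for the packet, and can be dropped.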
#!/bin/bash
-pimp_2way_nat="/rw/var/run/pimp-2way-nat.tmp"
-pimp_snat="/rw/var/run/pimp-snat.tmp"
-etchosts="/rw/etc/hosts"
+pimp_2way_nat="/mnt/mtdblock0/pimp-2way-nat.tmp"
+pimp_snat="/mnt/mtdblock0/pimp-snat.tmp"
+etchosts="/mnt/mtdblock0/hosts"
echo -n "Writing $pimp_2way_nat"
echo "#This file was generated by Prometheus-tools/make-pimp" > $pimp_2way_nat
for czfip in `grep -v ^# $etchosts|grep "("|cut -f 1`
do
pubip=`grep "^$czfip " $etchosts|cut -f 2 -d "("|cut -f 1 -d ")"`
- if ! [ -z $pubip ]
+ if ! [ -z "$pubip" ]
then
echo "$czfip $pubip" >> $pimp_snat
echo -n .
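Review bot: Quoting `"$pubip"` at L179 fixes the empty-value case but not the multi-match one: `grep "^$czfip "` at L177 treats the dots in `$czfip` as regex wildcards and can match more than one hosts line, and a two-line `$pubip` passes the `-z` test and is written to the pimp file as a broken entry that make-iptables-restore then turns into invalid rules for the whole table. Take the first match only and accept nothing that is not a dotted quad before writing it: `pubip=$(grep -m1 "^$czfip[[:space:]]" "$etchosts" | cut -f 2 -d "(" | cut -f 1 -d ")")` followed by `if [[ "$pubip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]`. L175 splits the hosts file on tabs (`cut -f 1`) while L177 expects a space after the address; if the file is tab-separated the lookup silently finds nothing, so it is worth confirming which separator the file actually uses. The `for` loop body continues past the end of the hunk.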
+++ /dev/null
-#!/bin/bash
-
-iptables="/sbin/iptables"
-ifconfig="/sbin/ifconfig"
-
-#pimp files must be generated by optional-tools/make-pimp utility
-pimp_2way_nat="/rw/var/run/pimp-2way-nat.tmp"
-pimp_snat="/rw/var/run/pimp-snat.tmp"
-etchosts="/rw/etc/hosts"
-script="/rw/etc/network/snat-dnat"
-
-echo "#!/bin/bash" > $script
-echo $iptables -t nat -F >> $script
-echo $iptables -t nat -X >> $script
-echo "echo -n \"Setting firewall rules \"" >> $script
-
-# ===============================================================
-# Symetrical SNAT-DNAT using indexed iptables
-# ===============================================================
-
-echo -n "Generating new iptables rules "
-
-for czfip in `grep -v ^# $pimp_2way_nat|cut -f 1 -d " "`
-do
- pubip=`grep "$czfip " $pimp_2way_nat|cut -f 2 -d " "`
- czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
- czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
- czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
- pubfirstindex=pub_`ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ |tr [./] _`
- pubsecondindex=pub_`ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ |tr [./] _`
-
- if ! grep $czffirstindex $script > /dev/null
- then
- echo $iptables -t nat -N $czffirstindex >> $script
- echo $iptables -t nat -F $czffirstindex >> $script
- echo $iptables -t nat -A POSTROUTING -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o eth1 -j $czffirstindex >> $script
- fi
-
- if ! grep $czfsecondindex $script > /dev/null
- then
- echo $iptables -t nat -N $czfsecondindex >> $script
- echo $iptables -t nat -F $czfsecondindex >> $script
- echo $iptables -t nat -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfsecondindex >> $script
- fi
-
- if ! grep $czfthirdindex $script > /dev/null
- then
- echo $iptables -t nat -N $czfthirdindex >> $script
- echo $iptables -t nat -F $czfthirdindex >> $script
- echo $iptables -t nat -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfthirdindex >> $script
- fi
-
- if ! grep $pubfirstindex $script > /dev/null
- then
- echo $iptables -t nat -N $pubfirstindex >> $script
- echo $iptables -t nat -F $pubfirstindex >> $script
- echo $iptables -t nat -A PREROUTING -i eth1 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $script
- fi
-
- if ! grep $pubsecondindex $script > /dev/null
- then
- echo $iptables -t nat -N $pubsecondindex >> $script
- echo $iptables -t nat -F $pubsecondindex >> $script
- echo $iptables -t nat -A $pubfirstindex -i eth1 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $script
- fi
-
- echo $iptables -t nat -A $pubsecondindex -i eth1 -d $pubip/32 -j DNAT --to-destination $czfip >> $script
- echo $iptables -t nat -A $pubsecondindex -i eth1 -d $pubip/32 -j ACCEPT >> $script
-
- echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j SNAT --to-source $pubip >> $script
- echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j ACCEPT >> $script
-
- echo -n .
- echo "echo -n ." >>$script
-done
-echo " done."
-
-# ===============================================================
-# SNAT only using indexed iptables (should be rather function, hmm)
-# ===============================================================
-
-for czfip in `grep -v ^# $pimp_snat|cut -f 1 -d " "`
-do
- pubip=`grep "$czfip " $pimp_snat|cut -f 2 -d " "`
- czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
- czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
- czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
-
- if ! grep $czffirstindex $script > /dev/null
- then
- echo $iptables -t nat -N $czffirstindex >> $script
- echo $iptables -t nat -F $czffirstindex >> $script
- echo $iptables -t nat -A POSTROUTING -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o eth1 -j $czffirstindex >> $script
- fi
-
- if ! grep $czfsecondindex $script > /dev/null
- then
- echo $iptables -t nat -N $czfsecondindex >> $script
- echo $iptables -t nat -F $czfsecondindex >> $script
- echo $iptables -t nat -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfsecondindex >> $script
- fi
-
- if ! grep $czfthirdindex $script > /dev/null
- then
- echo $iptables -t nat -N $czfthirdindex >> $script
- echo $iptables -t nat -F $czfthirdindex >> $script
- echo $iptables -t nat -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfthirdindex >> $script
- fi
-
- echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j SNAT --to-source $pubip >> $script
- echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j ACCEPT >> $script
-
- echo -n .
- echo "echo -n ." >>$script
-done
-echo " done."
-
-# ===============================================================
-# Dashboard rules
-# ===============================================================
-
-echo -n "Generating dashboard index rules "
-
-for czfip in `grep ^10[.] $etchosts|grep dashboard-|cut -f 1`
-do
- czffirstindex=dash_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
- czfsecondindex=dash_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
- czfthirdindex=dash_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
-
- if ! grep $czffirstindex $script > /dev/null
- then
- echo $iptables -t nat -N $czffirstindex >> $script
- echo $iptables -t nat -F $czffirstindex >> $script
- echo $iptables -t nat -A PREROUTING -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -i eth0 -j $czffirstindex >> $script
- fi
-
- if ! grep $czfsecondindex $script > /dev/null
- then
- echo $iptables -t nat -N $czfsecondindex >> $script
- echo $iptables -t nat -F $czfsecondindex >> $script
- echo $iptables -t nat -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -i eth0 -j $czfsecondindex >> $script
- fi
-
- if ! grep $czfthirdindex $script > /dev/null
- then
- echo $iptables -t nat -N $czfthirdindex >> $script
- echo $iptables -t nat -F $czfthirdindex >> $script
- echo $iptables -t nat -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -i eth0 -j $czfthirdindex >> $script
- fi
-
- echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -p tcp --dport 80 -j REDIRECT --to 8080 >> $script
- echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -p tcp --dport 3128 -j REDIRECT --to 8080 >> $script
- echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -p tcp --dport 8080 -j ACCEPT >> $script
- echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -j DROP >> $script
-
- echo -n .
- echo "echo -n ." >>$script
-
-done
-echo " done."
-
-chmod a+x $script