#!/bin/bash
-pimp=/rw/etc/pimp.conf
-etchosts=/rw/etc/hosts
+pimp_2way_nat="/rw/var/run/pimp-2way-nat.tmp"
+pimp_snat="/rw/var/run/pimp-snat.tmp"
+etchosts="/rw/etc/hosts"
-echo -n "Writing $pimp "
-echo "#This is $pimp generated by Prometheus-tools/make-pimp" > $pimp
+echo -n "Writing $pimp_2way_nat"
+echo "#This file was generated by Prometheus-tools/make-pimp" > $pimp_2way_nat
for czfip in `grep [[] $etchosts|cut -f 1`
do
pubip=`grep "^$czfip " $etchosts|cut -f 2 -d "["|cut -f 1 -d "]"`
if ! [ -z $pubip ]
then
- echo "$czfip $pubip" >> $pimp
+ echo "$czfip $pubip" >> $pimp_2way_nat
+ echo -n .
+ fi
+done
+echo " done."
+
+echo -n "Writing $pimp_snat"
+echo "#This file was generated by Prometheus-tools/make-pimp" > $pimp_snat
+for czfip in `grep "(" $etchosts|cut -f 1`
+do
+ pubip=`grep "^$czfip " $etchosts|cut -f 2 -d "("|cut -f 1 -d ")"`
+ if ! [ -z $pubip ]
+ then
+ echo "$czfip $pubip" >> $pimp_snat
echo -n .
fi
done
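Review bot: The new SNAT extraction loop at L25-L30 accepts whatever sits between `(` and `)` on a hosts line without checking that it is an address, and the guard `if ! [ -z $pubip ]` at L28 leaves `$pubip` unquoted, so as far as I can tell a value containing whitespace (two parenthesised tokens, a stray space) makes `[` fail with status 2, which `!` turns into true, and the malformed pair is written to the .tmp file; the pre-existing bracket loop at L13-L14 has the same shape. Because the firewall generator later splices these values into iptables command lines that run as root, I would tighten the guard in both loops to `if [[ "$pubip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]` (or at minimum `if [ -n "$pubip" ]`). It is also worth confirming that `/rw/var/run` is not writable by unprivileged users, since whoever can replace `pimp-2way-nat.tmp` or `pimp-snat.tmp` between this script and the generator controls the resulting NAT rules; a short comment above L4 stating that expectation would help the next maintainer.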
iptables="/sbin/iptables"
ifconfig="/sbin/ifconfig"
-#pimp.conf should be regularly updated!
-pimp="/rw/etc/pimp.conf"
+#pimp files must be generated by optional-tools/make-pimp utility
+pimp_2way_nat="/rw/var/run/pimp-2way-nat.tmp"
+pimp_snat="/rw/var/run/pimp-snat.tmp"
+etchosts="/rw/etc/hosts"
script="/rw/etc/network/snat-dnat"
echo "#!/bin/bash" > $script
echo "echo -n \"Setting firewall rules \"" >> $script
# ===============================================================
-# Symetricky SNAT-DNAT, zarazeny do indexovanych iptables
+# Symetrical SNAT-DNAT using indexed iptables
# ===============================================================
-echo -n "Generating new pimp index rules "
+echo -n "Generating new iptables rules "
-for czfip in `grep -v ^# $pimp|cut -f 1 -d " "`
+for czfip in `grep -v ^# $pimp_2way_nat|cut -f 1 -d " "`
do
- pubip=`grep "$czfip " $pimp|cut -f 2 -d " "`
+ pubip=`grep "$czfip " $pimp_2way_nat|cut -f 2 -d " "`
czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
pubfirstindex=pub_`ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ |tr [./] _`
pubsecondindex=pub_`ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ |tr [./] _`
-
if ! grep $czffirstindex $script > /dev/null
then
echo $iptables -t nat -N $czffirstindex >> $script
echo " done."
# ===============================================================
-# Pravidla pro dashboard
+# SNAT only using indexed iptables (should be rather function, hmm)
+# ===============================================================
+
+for czfip in `grep -v ^# $pimp_snat|cut -f 1 -d " "`
+do
+ pubip=`grep "$czfip " $pimp_snat|cut -f 2 -d " "`
+ czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
+
+ if ! grep $czffirstindex $script > /dev/null
+ then
+ echo $iptables -t nat -N $czffirstindex >> $script
+ echo $iptables -t nat -F $czffirstindex >> $script
+ echo $iptables -t nat -A POSTROUTING -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o eth1 -j $czffirstindex >> $script
+ fi
+
+ if ! grep $czfsecondindex $script > /dev/null
+ then
+ echo $iptables -t nat -N $czfsecondindex >> $script
+ echo $iptables -t nat -F $czfsecondindex >> $script
+ echo $iptables -t nat -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfsecondindex >> $script
+ fi
+
+ if ! grep $czfthirdindex $script > /dev/null
+ then
+ echo $iptables -t nat -N $czfthirdindex >> $script
+ echo $iptables -t nat -F $czfthirdindex >> $script
+ echo $iptables -t nat -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfthirdindex >> $script
+ fi
+
+ echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j SNAT --to-source $pubip >> $script
+ echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j ACCEPT >> $script
+
+ echo -n .
+ echo "echo -n ." >>$script
+done
+echo " done."
+
+# ===============================================================
+# Dashboard rules
# ===============================================================
echo -n "Generating dashboard index rules "
-for czfip in `grep ^10[.] /etc/hosts|grep dashboard-|cut -f 1`
+for czfip in `grep ^10[.] $etchosts|grep dashboard-|cut -f 1`
do
czffirstindex=dash_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
czfsecondindex=dash_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
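Review bot: In the new SNAT-only block the `-j ACCEPT` rule appended at L100 has exactly the same match (`-s $czfip/32 -o eth1` in `$czfthirdindex`) as the SNAT rule at L99 just before it; as far as I know SNAT is a terminating target in the nat table, so that ACCEPT never sees a packet and only adds noise to rule listings — drop it, or if it is meant as a guard against later rules re-matching, say so in a comment on the line. The three chain-creation stanzas at L78-L97 are a copy of the ones in the two-way loop above (the author's own comment at L68 admits it), so a small `ensure_chain parent subnet chain` helper would keep the grep-based dedup in one place; a sketch is below. The comment at L38 says the pimp files come from `optional-tools/make-pimp` while the generator's own header writes `Prometheus-tools/make-pimp`; one of the two paths is wrong. The dashboard loop starting at L112 continues past the end of the hunk.
```shell
# Create nat chain $3 once (deduplicated via the generated script) and jump
# to it from chain $1 for packets sourced from $2.
ensure_chain() {
  local parent=$1 subnet=$2 chain=$3
  if ! grep -q "$chain" "$script"; then
    echo "$iptables -t nat -N $chain" >> "$script"
    echo "$iptables -t nat -F $chain" >> "$script"
    echo "$iptables -t nat -A $parent -s $subnet -o eth1 -j $chain" >> "$script"
  fi
}
# … unchanged: pubip lookup and czf*index computation …
ensure_chain POSTROUTING "$(ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ )" "$czffirstindex"
ensure_chain "$czffirstindex" "$(ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ )" "$czfsecondindex"
ensure_chain "$czfsecondindex" "$(ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ )" "$czfthirdindex"
# … unchanged: per-host SNAT rule and progress dots …
```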