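#!/bin/bash
#
# Build an iptables-restore "*nat" table from the pimp mapping files and
# install it as $restoredata.  The table is regenerated from scratch on every
# run; nothing is loaded into the kernel here.
#
# Input: the pimp files, which must be generated by the optional-tools/make-pimp
# utility.  Every non-comment line is "<czf-ip> <public-ip>" (private address
# first, the public address it is mapped to second).
#
# Output layout: instead of one flat rule per host, the rules form a prefix
# tree of user chains indexed by network, so a packet is tested against a few
# chains instead of the whole host list:
#   POSTROUTING -> priv_<net>_19 -> priv_<net>_22 -> priv_<net>_25
#               -> priv_<net>_28 -> SNAT --to-source <public-ip>
#   PREROUTING  -> pub_<net>_26  -> pub_<net>_29 -> DNAT --to-destination <czf-ip>
# Two-way entries get both branches, SNAT-only entries get only the first.
#
# Any malformed entry or tool failure aborts the run before $restoredata is
# replaced, so a previously installed table is never overwritten with a
# partial or garbled one.

set -eu -o pipefail

# shellcheck disable=SC2034  # iptables/iptablesrestore/ifconfig/etchosts are
# not used by this script; kept unchanged from the original configuration block.
iptables="/sbin/iptables"
iptablesrestore="/sbin/iptables-restore"
ifconfig="/sbin/ifconfig"
grep="/bin/grep"
cut="/usr/bin/cut"

# pimp files must be generated by optional-tools/make-pimp utility.
# NOTE(review): /dev/shm is a world-writable tmpfs.  Whatever is in these
# files ends up as NAT rules, so make-pimp should write them somewhere only
# root can write, or this script should verify their owner/mode before use.
pimp_2way_nat="/dev/shm/pimp-2way-nat.tmp"
pimp_snat="/dev/shm/pimp-snat.tmp"
etchosts="/mnt/mtdblock0/hosts"
# Template for the scratch file; the real name is created with mktemp in main
# so that a pre-placed file or symlink under the old fixed name cannot be
# followed.
restoretmp_template="/dev/shm/iptables-restore.XXXXXX"
restoretmp=""
restoredata="/mnt/mtdblock0/iptables-restore.in"

wan1="vlan770"
wan2="vlan771"
wan3="vlan772"
wan4="vlan774"
wans=("$wan1" "$wan2" "$wan3" "$wan4")

# Prefix lengths of the chain levels, outermost first.
czffirstbitmask="19"
czfsecondbitmask="22"
czfthirdbitmask="25"
czffourthbitmask="28"
pubfirstbitmask="26"
pubsecondbitmask="29"
czfbitmasks=("$czffirstbitmask" "$czfsecondbitmask" "$czfthirdbitmask" "$czffourthbitmask")
pubbitmasks=("$pubfirstbitmask" "$pubsecondbitmask")

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Check that $1 is a dotted-quad IPv4 address with every octet in 0..255.
# Only validated addresses are interpolated into rule text, so a stray token
# in a pimp file cannot become part of a rule.
# Returns: 0 when valid, 1 otherwise.
#######################################
is_ipv4() {
  local octet
  [[ $1 =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal: "08" would otherwise be rejected as a bad octal literal.
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Print the network "a.b.c.d/len" that ipcalc reports for $1/$2.
# Takes field 4 of the "Network" line, exactly as the original pipelines did;
# this expects the ipcalc variant that prints "Network:   a.b.c.d/len ..."
# and where -n disables colour output — TODO confirm on the target image.
# Arguments: $1 - address, $2 - prefix length
# Returns: non-zero (and no output) when ipcalc prints no such line.
#######################################
network_of() {
  ipcalc -n "$1/$2" | "$grep" Network | "$cut" -f 4 -d ' '
}

#######################################
# Print the chain name for a network: "<prefix>_a_b_c_d_len".
# Arguments: $1 - prefix ("priv" or "pub"), $2 - network "a.b.c.d/len"
#######################################
chain_name() {
  local name=${2//./_}
  printf '%s_%s\n' "$1" "${name//\//_}"
}

#######################################
# Append one line (all arguments joined by single spaces) to the restore file.
# Globals: restoretmp (read)
#######################################
emit() {
  printf '%s\n' "$*" >> "$restoretmp"
}

#######################################
# Return 0 when chain $1 is already declared in the restore file.
# Matches the ":chain " declaration line rather than any substring, so
# a chain name that is a prefix of another can no longer cause a false hit.
# Chain names contain only [A-Za-z0-9_] (built from validated addresses),
# hence no regex metacharacters.
# Globals: restoretmp (read)
#######################################
chain_declared() {
  "$grep" -q -- "^:$1 " "$restoretmp"
}

#######################################
# Declare chain $2 (unless it exists) and make $1 jump to it for source
# network $3 on every WAN interface: the SNAT side of the tree.
# Arguments:
#   $1 - parent chain (POSTROUTING or a priv_* chain)
#   $2 - chain to create
#   $3 - network matched with -s
#   $4 - optional extra match text placed before -s
#######################################
ensure_src_chain() {
  local parent=$1 chain=$2 net=$3 wan
  if chain_declared "$chain"; then
    return 0
  fi
  emit ":$chain - [0:0]"
  for wan in "${wans[@]}"; do
    emit "-A $parent ${4:+$4 }-s $net -o $wan -j $chain"
  done
}

#######################################
# Declare chain $2 (unless it exists) and make $1 jump to it for destination
# network $3 arriving on every WAN interface: the DNAT side of the tree.
# Arguments:
#   $1 - parent chain (PREROUTING or a pub_* chain)
#   $2 - chain to create
#   $3 - network matched with -d
#######################################
ensure_dst_chain() {
  local parent=$1 chain=$2 net=$3 wan
  if chain_declared "$chain"; then
    return 0
  fi
  emit ":$chain - [0:0]"
  for wan in "${wans[@]}"; do
    emit "-A $parent -i $wan -d $net -j $chain"
  done
}

#######################################
# Build the priv_* chain tree for $1 (one level per czfbitmasks entry) and
# print the name of the innermost chain, the one leaf SNAT rules go into.
# The outermost level keeps the original "-d ! 10.0.0.0/8" match so traffic
# inside 10/8 is never source-NATed.  (That is the legacy intrapositioned
# negation; newer iptables spell it "! -d 10.0.0.0/8".  Kept as-is because
# the iptables version on the device is not known here.)
# Arguments: $1 - czf (private) ip
#######################################
priv_tree() {
  local czfip=$1
  local parent=POSTROUTING extra="-d ! 10.0.0.0/8" bits net chain
  for bits in "${czfbitmasks[@]}"; do
    net=$(network_of "$czfip" "$bits") || die "ipcalc gave no network for $czfip/$bits"
    chain=$(chain_name priv "$net")
    ensure_src_chain "$parent" "$chain" "$net" "$extra"
    parent=$chain
    extra=""
  done
  printf '%s\n' "$parent"
}

#######################################
# Build the pub_* chain tree for $1 (one level per pubbitmasks entry) and
# print the name of the innermost chain, the one leaf DNAT rules go into.
# Arguments: $1 - public ip
#######################################
pub_tree() {
  local pubip=$1
  local parent=PREROUTING bits net chain
  for bits in "${pubbitmasks[@]}"; do
    net=$(network_of "$pubip" "$bits") || die "ipcalc gave no network for $pubip/$bits"
    chain=$(chain_name pub "$net")
    ensure_dst_chain "$parent" "$chain" "$net"
    parent=$chain
  done
  printf '%s\n' "$parent"
}

#######################################
# Emit all rules for one mapping, in the same order the original produced
# them: priv tree, then (two-way only) pub tree and DNAT leaves, then SNAT
# leaves.
# Arguments: $1 - czf ip, $2 - public ip, $3 - "2way" or "snat"
#######################################
emit_entry() {
  local czfip=$1 pubip=$2 mode=$3
  local srcchain dstchain wan
  # die inside the substitution only leaves the subshell; the || exit makes
  # the failure fatal for the main shell as well.
  srcchain=$(priv_tree "$czfip") || exit 1
  if [[ $mode == 2way ]]; then
    dstchain=$(pub_tree "$pubip") || exit 1
    for wan in "${wans[@]}"; do
      emit "-A $dstchain -i $wan -d $pubip/32 -j DNAT --to-destination $czfip"
    done
  fi
  for wan in "${wans[@]}"; do
    emit "-A $srcchain -s $czfip/32 -o $wan -j SNAT --to-source $pubip"
  done
}

#######################################
# Process one pimp file: skip blank and "#" lines, validate each pair and
# emit its rules, printing one "." per entry as progress.
# A missing file is an error rather than "no entries", because an empty
# table would silently drop every mapping on install.
# Arguments: $1 - pimp file, $2 - "2way" or "snat"
#######################################
process_pimp() {
  local file=$1 mode=$2
  local czfip pubip rest lineno=0
  [[ -r $file ]] || die "cannot read $file (run optional-tools/make-pimp first)"
  while IFS=$' \t' read -r czfip pubip rest || [[ -n $czfip ]]; do
    lineno=$((lineno + 1))
    if [[ -z $czfip || $czfip == \#* ]]; then
      continue
    fi
    if ! is_ipv4 "$czfip" || ! is_ipv4 "$pubip"; then
      die "$file:$lineno: expected '<czf-ip> <public-ip>', got '$czfip $pubip'"
    fi
    emit_entry "$czfip" "$pubip" "$mode"
    printf '.'
  done < "$file"
}

#######################################
# Entry point: create the scratch file, write the table, install it.
# Globals: restoretmp (written), restoredata, pimp_2way_nat, pimp_snat (read)
#######################################
main() {
  restoretmp=$(mktemp "$restoretmp_template") || die "mktemp failed"
  # Removes the scratch file on any early exit; after a successful mv the
  # name no longer exists and rm -f is a no-op.
  trap 'rm -f -- "$restoretmp"' EXIT

  emit "*nat"
  emit ":PREROUTING ACCEPT [0:0]"
  emit ":POSTROUTING ACCEPT [0:0]"
  emit ":OUTPUT ACCEPT [0:0]"

  # ===============================================================
  # Symmetrical SNAT-DNAT using indexed iptables
  # ===============================================================
  printf '%s' "Generating new iptables-restore data - two way SNAT/DNAT "
  process_pimp "$pimp_2way_nat" 2way
  printf '%s\n' " done."

  # ===============================================================
  # SNAT only using indexed iptables
  # ===============================================================
  printf '%s' "Generating new iptables-restore data - one way SNAT "
  process_pimp "$pimp_snat" snat
  printf '%s\n' " done."

  emit COMMIT
  # mktemp creates the file 0600 and mv keeps that mode; the table is read by
  # root's iptables-restore, so the tighter mode is kept — TODO confirm
  # nothing unprivileged reads $restoredata.
  mv -- "$restoretmp" "$restoredata" || die "cannot install $restoredata"
}

main "$@"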