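#!/bin/bash
#
# make-iptables-restore - build the "*nat" table for iptables-restore(8) from
# the address-mapping files written by optional-tools/make-pimp.
#
# Inputs (one "<private ip> <public ip>" pair per line; a line starting with
# "#" is a comment):
#   $pimp_2way_nat  symmetric pairs: SNAT on the way out, DNAT on the way in
#   $pimp_snat      SNAT-only pairs
# Output:
#   $restoredata    a complete "*nat" table, meant to be loaded with
#                   "$iptablesrestore < $restoredata"
#
# Instead of one flat rule list the rules hang off a tree of user chains
# indexed by the network prefix of the private (czf) or public (pub) address
# (/19 -> /22 -> /25 -> /28 for private, /26 -> /29 for public), so a packet
# traverses a handful of rules rather than the whole table.  Chain names are
# derived from the network, e.g. "priv_10_0_0_0_19".
#
# Safety notes:
#   * The mapping files live on a world-readable tmpfs (/dev/shm).  Every
#     token taken from them is validated as a dotted-quad IPv4 address before
#     it is written into a rule; a malformed or missing input aborts the run
#     and leaves the previous $restoredata untouched (the old version of this
#     script would have overwritten it with an empty or broken table).
#   * The work file is created with mktemp under umask 077, so another local
#     user cannot pre-create or tamper with it before it is moved into place.
#
# Requires: bash, $grep, $cut, mktemp, and ipcalc (its "Network:" output line
# is parsed).

set -eu
set -o pipefail
umask 077   # nothing generated here must be readable or writable by others

iptables="/sbin/iptables"                 # not used here; kept for callers that source this file
iptablesrestore="/sbin/iptables-restore"  # not used here; documents the consumer of $restoredata
ifconfig="/sbin/ifconfig"                 # not used here
grep="/bin/grep"
cut="/usr/bin/cut"

#pimp files must be generated by optional-tools/make-pimp utility
pimp_2way_nat="/dev/shm/pimp-2way-nat.tmp"
pimp_snat="/dev/shm/pimp-snat.tmp"
etchosts="/mnt/mtdblock0/hosts"           # not used here
restoretmp=""                             # set by main() via mktemp
restoredata="/mnt/mtdblock0/iptables-restore.in"
wan1="vlan770"
wan2="vlan771"
wan3="vlan772"
wan4="vlan774"
czffirstbitmask="19"
czfsecondbitmask="22"
czfthirdbitmask="25"
czffourthbitmask="28"
pubfirstbitmask="26"
pubsecondbitmask="29"

wans=("$wan1" "$wan2" "$wan3" "$wan4")
czfbitmasks=("$czffirstbitmask" "$czfsecondbitmask" "$czfthirdbitmask" "$czffourthbitmask")
pubbitmasks=("$pubfirstbitmask" "$pubsecondbitmask")

# Chains already declared in the output, as " name1 name2 ... " (leading and
# trailing blanks let a membership test be a simple glob match).  This
# replaces grepping the growing output file once per chain per entry.
seen_chains=" "
# Name of the deepest chain created by the last priv_chain_for/pub_chain_for
# call (functions cannot return it via $(...) without losing $seen_chains).
leaf=""

# die <message...> - print the message to stderr and exit 1.
die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

# is_ipv4 <string> - succeed iff <string> is a dotted-quad IPv4 address with
# every octet in 0..255.  Anything else must never reach an iptables rule.
is_ipv4() {
  local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$' octet
  [[ "$1" =~ $re ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal so "08"/"09" are not read as bad octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

# network_of <ip> <prefixlen> - print the network in CIDR form, e.g.
# "10.0.0.0/19", as found on ipcalc's "Network:" line.  Dies instead of
# printing an empty string, which would otherwise produce "-s  -o ..." rules.
network_of() {
  local net
  if ! net=$(ipcalc -n "$1/$2" | "$grep" Network | "$cut" -f 4 -d ' ') \
     || [[ -z "$net" ]]; then
    die "ipcalc could not compute the network of $1/$2"
  fi
  printf '%s\n' "$net"
}

# out <line> - append one line of iptables-restore data to fd 3 (the work file).
out() {
  printf '%s\n' "$*" >&3
}

# add_chain <chain> <parent> <pre> [post] - declare <chain> once and, for
# every WAN interface, append to <parent> the rule
#   -A <parent> <pre> <wan> [<post>] -j <chain>
# A chain that was already declared (by either mapping file) is left alone.
add_chain() {
  local chain=$1 parent=$2 pre=$3 post=${4-} wan
  if [[ "$seen_chains" == *" $chain "* ]]; then
    return 0
  fi
  seen_chains="$seen_chains$chain "
  out ":$chain - [0:0]"
  for wan in "${wans[@]}"; do
    out "-A $parent $pre $wan${post:+ $post} -j $chain"
  done
}

# priv_chain_for <private ip> - make sure the POSTROUTING -> /19 -> /22 ->
# /25 -> /28 chain path for <private ip> exists; sets $leaf to the /28 chain.
# Only the rules hung off POSTROUTING carry "-d ! 10.0.0.0/8", which keeps
# traffic towards other private networks out of the NAT tree.  (That is the
# old negation syntax, kept as in previous versions of this script; newer
# iptables spell it "! -d" - adjust if iptables-restore rejects it.)
priv_chain_for() {
  local ip=$1 parent="POSTROUTING" match="-d ! 10.0.0.0/8 -s" mask net
  for mask in "${czfbitmasks[@]}"; do
    net=$(network_of "$ip" "$mask")
    leaf="priv_${net//[./]/_}"
    add_chain "$leaf" "$parent" "$match $net -o"
    parent=$leaf
    match="-s"
  done
}

# pub_chain_for <public ip> - make sure the PREROUTING -> /26 -> /29 chain
# path for <public ip> exists; sets $leaf to the /29 chain.
pub_chain_for() {
  local ip=$1 parent="PREROUTING" mask net
  for mask in "${pubbitmasks[@]}"; do
    net=$(network_of "$ip" "$mask")
    leaf="pub_${net//[./]/_}"
    add_chain "$leaf" "$parent" "-i" "-d $net"
    parent=$leaf
  done
}

# emit_mappings <file> <mode> - read "<private ip> <public ip>" pairs from
# <file> and emit their chains and NAT rules.  <mode> is "2way" (DNAT on the
# way in plus SNAT on the way out) or "snat" (SNAT only).  Prints one "." per
# entry as progress; dies on an unreadable file or a malformed line.
emit_mappings() {
  local file=$1 mode=$2 czfip pubip extra lineno=0 priv_leaf pub_leaf wan
  [[ -r "$file" ]] || die "cannot read $file (run optional-tools/make-pimp first)"
  while read -r czfip pubip extra || [[ -n "$czfip" ]]; do
    lineno=$((lineno + 1))
    case "$czfip" in
      ''|\#*) continue ;;   # blank line or comment
    esac
    if ! is_ipv4 "$czfip" || ! is_ipv4 "$pubip"; then
      die "$file:$lineno: expected '<private ip> <public ip>', got '$czfip ${pubip:-}'"
    fi

    priv_chain_for "$czfip"
    priv_leaf=$leaf

    if [[ "$mode" == "2way" ]]; then
      pub_chain_for "$pubip"
      pub_leaf=$leaf
      for wan in "${wans[@]}"; do
        out "-A $pub_leaf -i $wan -d $pubip/32 -j DNAT --to-destination $czfip"
      done
    fi

    for wan in "${wans[@]}"; do
      out "-A $priv_leaf -s $czfip/32 -o $wan -j SNAT --to-source $pubip"
    done

    printf '.'
  done < "$file"
}

# main - generate the table into a private temporary file and then install it
# as $restoredata.
main() {
  command -v ipcalc >/dev/null 2>&1 || die "ipcalc not found in PATH"

  # mktemp creates the file 0600 with an unpredictable name, so a local user
  # cannot plant a file or symlink at a known path in /dev/shm beforehand.
  restoretmp=$(mktemp /dev/shm/iptables-restore.XXXXXX) \
    || die "cannot create a temporary file in /dev/shm"
  trap 'rm -f -- "$restoretmp" "$restoredata.new"' EXIT
  exec 3>"$restoretmp"

  out "*nat"
  out ":PREROUTING ACCEPT [0:0]"
  out ":POSTROUTING ACCEPT [0:0]"
  out ":OUTPUT ACCEPT [0:0]"

  # ===============================================================
  # Symetrical SNAT-DNAT using indexed iptables
  # ===============================================================
  printf '%s' "Generating new iptables-restore data - two way SNAT/DNAT "
  emit_mappings "$pimp_2way_nat" 2way
  printf '%s\n' " done."

  # ===============================================================
  # SNAT only using indexed iptables
  # ===============================================================
  printf '%s' "Generating new iptables-restore data - one way SNAT "
  emit_mappings "$pimp_snat" snat
  printf '%s\n' " done."

  out "COMMIT"
  exec 3>&-

  # $restoretmp (tmpfs) and $restoredata (flash) are on different file
  # systems, so a plain mv is a copy and a concurrent reader could see a
  # half-written table.  Copy next to the target and rename atomically.
  cp "$restoretmp" "$restoredata.new"
  mv -f "$restoredata.new" "$restoredata"
}

main "$@"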