Revert make-iptables-restore to previous version - this one doesn't work yet
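#!/bin/bash
# $Id$
#
# make-iptables-restore -- build an iptables-restore(8) "*nat" table from the
# pimp mapping files and publish it as $restoredata.
#
# Input: the two pimp files (generated by optional-tools/make-pimp), one
# "<private-ip> <public-ip>" pair per line; lines starting with "#" and blank
# lines are ignored.  Each $pimp_2way_nat pair gets a DNAT rule (public ->
# private, PREROUTING) plus an SNAT rule (private -> public, POSTROUTING);
# each $pimp_snat pair gets the SNAT rule only.
#
# Rules are not appended flat to PREROUTING/POSTROUTING: they are dispatched
# through a tree of user chains keyed by the supernets of each address
# (private side /19 -> /22 -> /25 -> /28, public side /26 -> /29), so a packet
# traverses a handful of rules instead of one per mapping.
#
# Changes against the original version of this script:
#   * network addresses are computed in shell arithmetic instead of parsing
#     the 4th space-separated field of ipcalc's "Network:" line;
#   * the mapping files are read line by line instead of re-grepping them per
#     entry (an unanchored "<ip> " grep, with "." unescaped, could pick the
#     wrong line, and duplicate entries produced a multi-line $pubip);
#   * malformed lines are reported and skipped -- every field ends up
#     verbatim in an iptables-restore rule, so it is validated as an IPv4
#     address before it is used;
#   * a missing mapping file aborts the run instead of silently publishing a
#     nat table with no rules;
#   * the scratch file is created with mktemp instead of a fixed name in the
#     world-writable /dev/shm.
#
# Needs bash >= 3 (regex match) and mktemp; ipcalc is no longer required.

set -eu

# External tools.  Not used by this script itself (something else applies the
# generated file); kept for parity with the sibling optional-tools.
# shellcheck disable=SC2034
iptables="/sbin/iptables"
# shellcheck disable=SC2034
iptablesrestore="/sbin/iptables-restore"
# shellcheck disable=SC2034
ifconfig="/sbin/ifconfig"

# pimp files must be generated by optional-tools/make-pimp utility
pimp_2way_nat="/dev/shm/pimp-2way-nat.tmp"
pimp_snat="/dev/shm/pimp-snat.tmp"
# shellcheck disable=SC2034
etchosts="/mnt/mtdblock0/hosts"
# Base name of the scratch file; main() replaces it with a mktemp-generated
# name so a file or symlink planted under this name in /dev/shm cannot
# redirect the (root) writes.
restoretmp="/dev/shm/iptables-restore.tmp"
restoredata="/mnt/mtdblock0/iptables-restore.in"

# WAN uplinks.  Every dispatch/NAT rule is emitted once per uplink, in this
# order, with -o (egress) on the SNAT side and -i (ingress) on the DNAT side.
wan1="vlan770"
wan2="vlan771"
wan3="vlan772"
wan4="vlan774"
wans=("$wan1" "$wan2" "$wan3" "$wan4")

# Prefix lengths of the chain ladders, top level first.
czffirstbitmask="19"
czfsecondbitmask="22"
czfthirdbitmask="25"
czffourthbitmask="28"
pubfirstbitmask="26"
pubsecondbitmask="29"
priv_masks=("$czffirstbitmask" "$czfsecondbitmask" "$czfthirdbitmask" "$czffourthbitmask")
pub_masks=("$pubfirstbitmask" "$pubsecondbitmask")

# Extra match on the top-level POSTROUTING dispatch only: traffic towards
# 10/8 stays un-NATed.  This is the old intrapositioned negation the original
# rules used; newer iptables prefer "! -d 10.0.0.0/8" but still accept it.
nat_exempt="-d ! 10.0.0.0/8"

# Space-delimited list of chains already declared in the output, so each
# chain (and the rules jumping into it) is emitted exactly once.  Bash 3 has
# no associative arrays, hence the string.
declared=" "

# Name of the leaf chain set by the last priv_ladder/pub_ladder call.  It is
# returned through a variable rather than stdout because a $(...) capture
# would run the ladder in a subshell and lose the $declared bookkeeping.
leaf_chain=""

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'make-iptables-restore: %s\n' "$*" >&2
  exit 1
}

#######################################
# Append one line to the restore file being built.
# Globals:   restoretmp (read)
# Arguments: the words of the line
#######################################
out() {
  printf '%s\n' "$*" >>"$restoretmp"
}

#######################################
# Succeed iff $1 is a dotted-quad IPv4 address with every octet in 0..255.
# The only syntax check applied to the mapping files; anything accepted here
# is later placed verbatim into iptables-restore rules.
# Arguments: $1 - candidate string
# Returns:   0 if valid, 1 otherwise
#######################################
is_ipv4() {
  local octet
  [[ $1 =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal so "010" is not read as octal
    (( 10#$octet <= 255 )) || return 1
  done
}

#######################################
# Print the network address of $1 with prefix length $2 as "a.b.c.d/len",
# the same text the ipcalc "Network:" field used to provide.
# Arguments: $1 - IPv4 address (validated by the caller)
#            $2 - prefix length 0..32
# Outputs:   "a.b.c.d/len" on stdout
#######################################
network_of() {
  local ip=$1 bits=$2 addr mask net
  local IFS=.
  # shellcheck disable=SC2086  # split on dots on purpose
  set -- $ip
  addr=$(( (10#$1 << 24) | (10#$2 << 16) | (10#$3 << 8) | 10#$4 ))
  # Keep only the 32 low bits so the mask is correct on 64-bit arithmetic;
  # every octet is re-masked to 8 bits below, so 32-bit arithmetic works too.
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  net=$(( addr & mask ))
  printf '%d.%d.%d.%d/%d\n' \
    $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
    $(( (net >> 8) & 255 )) $(( net & 255 )) "$bits"
}

#######################################
# Print the user-chain name for network $2 under prefix $1: dots and the
# slash become underscores, e.g. "priv" + "10.1.0.0/19" -> priv_10_1_0_0_19.
# Arguments: $1 - "priv" or "pub"
#            $2 - network as "a.b.c.d/len"
# Outputs:   chain name on stdout
#######################################
chain_name() {
  local net=$2
  net=${net//./_}
  net=${net//\//_}
  printf '%s_%s\n' "$1" "$net"
}

#######################################
# Declare chain $1 once and emit, per uplink, the rule that jumps into it from
# parent chain $2 for network $3.  Nothing is emitted if the chain was already
# declared earlier in this run.
# Globals:   declared (read/written), wans (read)
# Arguments: $1 - chain to declare
#            $2 - parent chain the jump rules are appended to
#            $3 - network "a.b.c.d/len" the jump rules match
#            $4 - "priv": match -s NET and -o WAN (POSTROUTING side)
#                 "pub":  match -i WAN and -d NET (PREROUTING side)
#            $5 - optional extra match inserted right after the parent name
#######################################
declare_chain() {
  local chain=$1 parent=$2 net=$3 side=$4 extra=${5-} wan
  case $declared in *" $chain "*) return 0 ;; esac
  declared="$declared$chain "
  out ":$chain - [0:0]"
  for wan in "${wans[@]}"; do
    if [[ $side == priv ]]; then
      out "-A $parent${extra:+ $extra} -s $net -o $wan -j $chain"
    else
      out "-A $parent -i $wan -d $net -j $chain"
    fi
  done
}

#######################################
# Walk the private-side ladder (/19 -> /22 -> /25 -> /28) for address $1,
# declaring each level's chain under the previous one, starting from
# POSTROUTING.  Only the top-level dispatch carries the 10/8 exemption.
# Globals:   priv_masks, nat_exempt (read); leaf_chain (written)
# Arguments: $1 - private IPv4 address
#######################################
priv_ladder() {
  local ip=$1 parent=POSTROUTING extra=$nat_exempt bits net chain
  for bits in "${priv_masks[@]}"; do
    net=$(network_of "$ip" "$bits")
    chain=$(chain_name priv "$net")
    declare_chain "$chain" "$parent" "$net" priv "$extra"
    extra=""
    parent=$chain
  done
  leaf_chain=$chain
}

#######################################
# Walk the public-side ladder (/26 -> /29) for address $1 starting from
# PREROUTING.
# Globals:   pub_masks (read); leaf_chain (written)
# Arguments: $1 - public IPv4 address
#######################################
pub_ladder() {
  local ip=$1 parent=PREROUTING bits net chain
  for bits in "${pub_masks[@]}"; do
    net=$(network_of "$ip" "$bits")
    chain=$(chain_name pub "$net")
    declare_chain "$chain" "$parent" "$net" pub
    parent=$chain
  done
  leaf_chain=$chain
}

#######################################
# Emit the chain ladders and the leaf NAT rules for one mapping.
# Globals:   wans (read), leaf_chain (via the ladders)
# Arguments: $1 - private address
#            $2 - public address
#            $3 - "2way" (DNAT + SNAT) or "snat" (SNAT only)
#######################################
emit_mapping() {
  local czfip=$1 pubip=$2 mode=$3 snat_leaf dnat_leaf wan
  priv_ladder "$czfip"
  snat_leaf=$leaf_chain
  if [[ $mode == 2way ]]; then
    pub_ladder "$pubip"
    dnat_leaf=$leaf_chain
    for wan in "${wans[@]}"; do
      out "-A $dnat_leaf -i $wan -d $pubip/32 -j DNAT --to-destination $czfip"
    done
  fi
  for wan in "${wans[@]}"; do
    out "-A $snat_leaf -s $czfip/32 -o $wan -j SNAT --to-source $pubip"
  done
}

#######################################
# Read mapping file $1 and emit rules for every valid "<private> <public>"
# pair; comment and blank lines are skipped, malformed lines are reported on
# stderr and skipped (the original turned them into broken rules).
# Arguments: $1 - mapping file
#            $2 - mode passed to emit_mapping
# Outputs:   one "." per processed pair on stdout (progress)
#######################################
process_file() {
  local file=$1 mode=$2 czfip pubip lineno=0
  while read -r czfip pubip _ || [[ -n $czfip ]]; do
    lineno=$((lineno + 1))
    [[ -z $czfip || $czfip == \#* ]] && continue
    if ! is_ipv4 "$czfip" || ! is_ipv4 "$pubip"; then
      printf 'make-iptables-restore: %s:%d: skipping malformed line\n' \
        "$file" "$lineno" >&2
      continue
    fi
    emit_mapping "$czfip" "$pubip" "$mode"
    printf '.'
  done <"$file"
}

#######################################
# Entry point: build the nat table in a scratch file, then move it into place.
# Globals:   restoretmp (rewritten to the mktemp name), restoredata,
#            pimp_2way_nat, pimp_snat
#######################################
main() {
  local file scratch
  for file in "$pimp_2way_nat" "$pimp_snat"; do
    [[ -r $file ]] || die "cannot read $file (run optional-tools/make-pimp first)"
  done

  scratch=$(mktemp "$restoretmp.XXXXXX") \
    || die "cannot create scratch file under ${restoretmp%/*}"
  restoretmp=$scratch
  # Remove the scratch file on any exit; a no-op after the final mv.
  trap 'rm -f -- "$restoretmp"' EXIT

  out "*nat"
  out ":PREROUTING ACCEPT [0:0]"
  out ":POSTROUTING ACCEPT [0:0]"
  out ":OUTPUT ACCEPT [0:0]"

  # ===============================================================
  # Symmetrical SNAT-DNAT using indexed iptables
  # ===============================================================
  printf '%s' "Generating new iptables-restore data - two way SNAT/DNAT "
  process_file "$pimp_2way_nat" 2way
  echo " done."

  # ===============================================================
  # SNAT only using indexed iptables
  # ===============================================================
  printf '%s' "Generating new iptables-restore data - one way SNAT "
  process_file "$pimp_snat" snat
  echo " done."

  out COMMIT
  # /dev/shm and /mnt/mtdblock0 are normally different filesystems, so this
  # is a copy+unlink rather than an atomic rename -- same as before.  mktemp
  # creates the file 0600, so the published file is root-readable only.
  mv -- "$restoretmp" "$restoredata" || die "cannot publish $restoredata"
}

main "$@"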