From 86d37066beb7298ec660b09f5efa0f2622352663 Mon Sep 17 00:00:00 2001
From: xchaos
Date: Thu, 24 Feb 2011 21:52:37 +0000
Subject: [PATCH] optional hosts-based snat-dnat tools modified to generate iptables restore config
git-svn-id: https://dev.arachne.cz/repos/prometheus/trunk@140 251d49ef-1d17-4917-a970-b30cf55b089b
---
 optional-tools/make-firewall | 21 ++--
 optional-tools/make-iptables-restore | 142 +++++++++++++++++++++++
 optional-tools/make-pimp | 8 +-
 optional-tools/make-snat-dnat | 162 ---------------------------
 4 files changed, 154 insertions(+), 179 deletions(-)
 create mode 100755 optional-tools/make-iptables-restore
 delete mode 100755 optional-tools/make-snat-dnat
diff --git a/optional-tools/make-firewall b/optional-tools/make-firewall
index 239f478..ca1fc6a 100755
--- a/optional-tools/make-firewall
+++ b/optional-tools/make-firewall
@@ -1,14 +1,9 @@
 #!/bin/bash
-#
-# requires:
-#
-# /rw/etc/hosts ... configuration file for dashboard and snat/dnat
-# parses Prometheus compatible nodelist and generates some firewall
-# rules
-#
-./make-pimp
-./make-snat-dnat
-#
-# /rw/etc/network/snat-dnat is generated by make-snat-dnat
-#
-/rw/etc/network/snat-dnat
+cd /root/bin/
+/root/bin/updatehosts
+/root/bin/make-pimp
+/root/bin/make-iptables-restore
+/etc/network/setnet
+#echo -n "Running iptables restore ... "
+#/sbin/iptables-restore < /mnt/mtdblock0/iptables-restore.in
+#echo "done."
diff --git a/optional-tools/make-iptables-restore b/optional-tools/make-iptables-restore
new file mode 100755
index 0000000..666d15b
--- /dev/null
+++ b/optional-tools/make-iptables-restore
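Review bot: The new command sequence in make-firewall runs each step unconditionally, so if `/root/bin/make-pimp` or `/root/bin/make-iptables-restore` fails part-way, `/etc/network/setnet` still runs with whatever was written to `/mnt/mtdblock0/iptables-restore.in` up to that point (the `iptables-restore` call itself is left commented out here, so where that file is actually consumed is not visible in this hunk). Adding `set -e` directly after the shebang makes a failed generation step stop the chain instead of silently continuing. The `cd /root/bin/` line is also redundant, since every path that follows it is absolute.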
@@ -0,0 +1,142 @@
+#!/bin/bash
+iptables="/sbin/iptables"
+iptablesrestore="/sbin/iptables-restore"
+ifconfig="/sbin/ifconfig"
+
+#pimp files must be generated by optional-tools/make-pimp utility
+pimp_2way_nat="/mnt/mtdblock0/pimp-2way-nat.tmp"
+pimp_snat="/mnt/mtdblock0/pimp-snat.tmp"
+etchosts="/mnt/mtdblock0/hosts"
+restoredata="/mnt/mtdblock0/iptables-restore.in"
+wan1="vlan770"
+wan2="vlan771"
+wan3="vlan772"
+
+echo "*nat" > $restoredata
+echo ":PREROUTING ACCEPT [0:0]" >> $restoredata
+echo ":POSTROUTING ACCEPT [0:0]" >> $restoredata
+echo ":OUTPUT ACCEPT [0:0]" >> $restoredata
+
+# ===============================================================
+# Symetrical SNAT-DNAT using indexed iptables
+# ===============================================================
+
+echo -n "Generating new iptables-restore data - two way SNAT/DNAT "
+
+for czfip in `grep -v ^# $pimp_2way_nat|cut -f 1 -d " "`
+do
+ pubip=`grep "$czfip " $pimp_2way_nat|cut -f 2 -d " "`
+ czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
+ pubfirstindex=pub_`ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ |tr [./] _`
+ pubsecondindex=pub_`ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ |tr [./] _`
+
+ if ! grep $czffirstindex $restoredata > /dev/null
+ then
+ echo :$czffirstindex "- [0:0]" >> $restoredata
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czffirstindex >> $restoredata
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czffirstindex >> $restoredata
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czffirstindex >> $restoredata
+ fi
+
+ if ! grep $czfsecondindex $restoredata > /dev/null
+ then
+ echo :$czfsecondindex "- [0:0]" >> $restoredata
+ echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfsecondindex >> $restoredata
+ echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfsecondindex >> $restoredata
+ echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfsecondindex >> $restoredata
+ fi
+
+ if ! grep $czfthirdindex $restoredata > /dev/null
+ then
+ echo :$czfthirdindex "- [0:0]" >> $restoredata
+ echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfthirdindex >> $restoredata
+ echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfthirdindex >> $restoredata
+ echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfthirdindex >> $restoredata
+ fi
+
+ if ! grep $pubfirstindex $restoredata > /dev/null
+ then
+ echo :$pubfirstindex "- [0:0]" >> $restoredata
+ echo -A PREROUTING -i $wan1 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $restoredata
+ echo -A PREROUTING -i $wan2 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $restoredata
+ echo -A PREROUTING -i $wan3 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $restoredata
+ fi
+
+ if ! grep $pubsecondindex $restoredata > /dev/null
+ then
+ echo :$pubsecondindex "- [0:0]" >> $restoredata
+ echo -A $pubfirstindex -i $wan1 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $restoredata
+ echo -A $pubfirstindex -i $wan2 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $restoredata
+ echo -A $pubfirstindex -i $wan3 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $restoredata
+ fi
+
+ echo -A $pubsecondindex -i $wan1 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoredata
+ echo -A $pubsecondindex -i $wan2 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoredata
+ echo -A $pubsecondindex -i $wan3 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoredata
+ echo -A $pubsecondindex -i $wan1 -d $pubip/32 -j ACCEPT >> $restoredata
+ echo -A $pubsecondindex -i $wan2 -d $pubip/32 -j ACCEPT >> $restoredata
+ echo -A $pubsecondindex -i $wan3 -d $pubip/32 -j ACCEPT >> $restoredata
+
+
+ echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j ACCEPT >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j ACCEPT >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j ACCEPT >> $restoredata
+
+ echo -n .
+done
+echo " done."
+
+echo -n "Generating new iptables-restore data - one way SNAT "
+
+# ===============================================================
+# SNAT only using indexed iptables (should be rather function, hmm)
+# ===============================================================
+
+for czfip in `grep -v ^# $pimp_snat|cut -f 1 -d " "`
+do
+ pubip=`grep "$czfip " $pimp_snat|cut -f 2 -d " "`
+ czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
+
+ if ! grep $czffirstindex $restoredata > /dev/null
+ then
+ echo :$czffirstindex "- [0:0]" >> $restoredata
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czffirstindex >> $restoredata
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czffirstindex >> $restoredata
+ echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czffirstindex >> $restoredata
+ fi
+
+ if ! grep $czfsecondindex $restoredata > /dev/null
+ then
+ echo :$czfsecondindex "- [0:0]" >> $restoredata
+ echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfsecondindex >> $restoredata
+ echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfsecondindex >> $restoredata
+ echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfsecondindex >> $restoredata
+ fi
+
+ if ! grep $czfthirdindex $restoredata > /dev/null
+ then
+ echo :$czfthirdindex "- [0:0]" >> $restoredata
+ echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfthirdindex >> $restoredata
+ echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfthirdindex >> $restoredata
+ echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfthirdindex >> $restoredata
+ fi
+
+ echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j ACCEPT >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j ACCEPT >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j ACCEPT >> $restoredata
+
+ echo -n .
+done
+echo " done."
+
+echo COMMIT >> $restoredata
diff --git a/optional-tools/make-pimp b/optional-tools/make-pimp
index 2c0f59d..cdd6264 100755
--- a/optional-tools/make-pimp
+++ b/optional-tools/make-pimp
@@ -1,7 +1,7 @@
 #!/bin/bash
-pimp_2way_nat="/rw/var/run/pimp-2way-nat.tmp"
-pimp_snat="/rw/var/run/pimp-snat.tmp"
-etchosts="/rw/etc/hosts"
+pimp_2way_nat="/mnt/mtdblock0/pimp-2way-nat.tmp"
+pimp_snat="/mnt/mtdblock0/pimp-snat.tmp"
+etchosts="/mnt/mtdblock0/hosts"
 
 echo -n "Writing $pimp_2way_nat"
 echo "#This file was generated by Prometheus-tools/make-pimp" > $pimp_2way_nat
@@ -21,7 +21,7 @@ echo "#This file was generated by Prometheus-tools/make-pimp" > $pimp_snat
 for czfip in `grep -v ^# $etchosts|grep "("|cut -f 1`
 do
 pubip=`grep "^$czfip " $etchosts|cut -f 2 -d "("|cut -f 1 -d ")"`
- if ! [ -z $pubip ]
+ if ! [ -z "$pubip" ]
 then
 echo "$czfip $pubip" >> $pimp_snat
 echo -n .
diff --git a/optional-tools/make-snat-dnat b/optional-tools/make-snat-dnat
deleted file mode 100755
index 3785557..0000000
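Review bot: The per-host lookup `pubip=$(grep "$czfip " $pimp_2way_nat|cut -f 2 -d " ")` in make-iptables-restore (and its twin in the one-way SNAT loop, `grep "$czfip " $pimp_snat`) is unanchored, unlike the `grep "^$czfip "` that make-pimp uses, so an address that is a suffix of another entry (10.1.2.3 versus 110.1.2.3) yields two matches and a multi-line `$pubip`, which then flows unquoted into the `ipcalc` calls and the DNAT/SNAT lines as a corrupt rule. Because iptables-restore applies the `*nat` block as a unit, one corrupt line rejects every NAT rule in the file rather than just that host's. Anchor both lookups: `pubip=$(grep "^$czfip " $pimp_2way_nat|cut -f 2 -d " ")` and `pubip=$(grep "^$czfip " $pimp_snat|cut -f 2 -d " ")`. The restore file is also built in place with `>`/`>>`, so an interrupted run leaves a truncated `$restoredata` for whatever consumes it; writing to a `mktemp` file and moving it over `$restoredata` after the final `echo COMMIT` avoids that. The intrapositioned negation `-d ! 10.0.0.0/8` in the POSTROUTING lines is the legacy form; newer iptables releases accept only `! -d 10.0.0.0/8`, so this is worth confirming against the target's iptables version.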
--- a/optional-tools/make-snat-dnat
+++ /dev/null
@@ -1,162 +0,0 @@
-#!/bin/bash
-
-iptables="/sbin/iptables"
-ifconfig="/sbin/ifconfig"
-
-#pimp files must be generated by optional-tools/make-pimp utility
-pimp_2way_nat="/rw/var/run/pimp-2way-nat.tmp"
-pimp_snat="/rw/var/run/pimp-snat.tmp"
-etchosts="/rw/etc/hosts"
-script="/rw/etc/network/snat-dnat"
-
-echo "#!/bin/bash" > $script
-echo $iptables -t nat -F >> $script
-echo $iptables -t nat -X >> $script
-echo "echo -n \"Setting firewall rules \"" >> $script
-
-# ===============================================================
-# Symetrical SNAT-DNAT using indexed iptables
-# ===============================================================
-
-echo -n "Generating new iptables rules "
-
-for czfip in `grep -v ^# $pimp_2way_nat|cut -f 1 -d " "`
-do
- pubip=`grep "$czfip " $pimp_2way_nat|cut -f 2 -d " "`
- czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
- czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
- czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
- pubfirstindex=pub_`ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ |tr [./] _`
- pubsecondindex=pub_`ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ |tr [./] _`
-
- if ! grep $czffirstindex $script > /dev/null
- then
- echo $iptables -t nat -N $czffirstindex >> $script
- echo $iptables -t nat -F $czffirstindex >> $script
- echo $iptables -t nat -A POSTROUTING -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o eth1 -j $czffirstindex >> $script
- fi
-
- if ! grep $czfsecondindex $script > /dev/null
- then
- echo $iptables -t nat -N $czfsecondindex >> $script
- echo $iptables -t nat -F $czfsecondindex >> $script
- echo $iptables -t nat -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfsecondindex >> $script
- fi
-
- if ! grep $czfthirdindex $script > /dev/null
- then
- echo $iptables -t nat -N $czfthirdindex >> $script
- echo $iptables -t nat -F $czfthirdindex >> $script
- echo $iptables -t nat -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfthirdindex >> $script
- fi
-
- if ! grep $pubfirstindex $script > /dev/null
- then
- echo $iptables -t nat -N $pubfirstindex >> $script
- echo $iptables -t nat -F $pubfirstindex >> $script
- echo $iptables -t nat -A PREROUTING -i eth1 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $script
- fi
-
- if ! grep $pubsecondindex $script > /dev/null
- then
- echo $iptables -t nat -N $pubsecondindex >> $script
- echo $iptables -t nat -F $pubsecondindex >> $script
- echo $iptables -t nat -A $pubfirstindex -i eth1 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $script
- fi
-
- echo $iptables -t nat -A $pubsecondindex -i eth1 -d $pubip/32 -j DNAT --to-destination $czfip >> $script
- echo $iptables -t nat -A $pubsecondindex -i eth1 -d $pubip/32 -j ACCEPT >> $script
-
- echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j SNAT --to-source $pubip >> $script
- echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j ACCEPT >> $script
-
- echo -n .
- echo "echo -n ." >>$script
-done
-echo " done."
-
-# ===============================================================
-# SNAT only using indexed iptables (should be rather function, hmm)
-# ===============================================================
-
-for czfip in `grep -v ^# $pimp_snat|cut -f 1 -d " "`
-do
- pubip=`grep "$czfip " $pimp_snat|cut -f 2 -d " "`
- czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
- czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
- czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
-
- if ! grep $czffirstindex $script > /dev/null
- then
- echo $iptables -t nat -N $czffirstindex >> $script
- echo $iptables -t nat -F $czffirstindex >> $script
- echo $iptables -t nat -A POSTROUTING -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o eth1 -j $czffirstindex >> $script
- fi
-
- if ! grep $czfsecondindex $script > /dev/null
- then
- echo $iptables -t nat -N $czfsecondindex >> $script
- echo $iptables -t nat -F $czfsecondindex >> $script
- echo $iptables -t nat -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfsecondindex >> $script
- fi
-
- if ! grep $czfthirdindex $script > /dev/null
- then
- echo $iptables -t nat -N $czfthirdindex >> $script
- echo $iptables -t nat -F $czfthirdindex >> $script
- echo $iptables -t nat -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfthirdindex >> $script
- fi
-
- echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j SNAT --to-source $pubip >> $script
- echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j ACCEPT >> $script
-
- echo -n .
- echo "echo -n ." >>$script
-done
-echo " done."
-
-# ===============================================================
-# Dashboard rules
-# ===============================================================
-
-echo -n "Generating dashboard index rules "
-
-for czfip in `grep ^10[.] $etchosts|grep dashboard-|cut -f 1`
-do
- czffirstindex=dash_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
- czfsecondindex=dash_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
- czfthirdindex=dash_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
-
- if ! grep $czffirstindex $script > /dev/null
- then
- echo $iptables -t nat -N $czffirstindex >> $script
- echo $iptables -t nat -F $czffirstindex >> $script
- echo $iptables -t nat -A PREROUTING -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -i eth0 -j $czffirstindex >> $script
- fi
-
- if ! grep $czfsecondindex $script > /dev/null
- then
- echo $iptables -t nat -N $czfsecondindex >> $script
- echo $iptables -t nat -F $czfsecondindex >> $script
- echo $iptables -t nat -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -i eth0 -j $czfsecondindex >> $script
- fi
-
- if ! grep $czfthirdindex $script > /dev/null
- then
- echo $iptables -t nat -N $czfthirdindex >> $script
- echo $iptables -t nat -F $czfthirdindex >> $script
- echo $iptables -t nat -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -i eth0 -j $czfthirdindex >> $script
- fi
-
- echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -p tcp --dport 80 -j REDIRECT --to 8080 >> $script
- echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -p tcp --dport 3128 -j REDIRECT --to 8080 >> $script
- echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -p tcp --dport 8080 -j ACCEPT >> $script
- echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -j DROP >> $script
-
- echo -n .
- echo "echo -n ." >>$script
-
-done
-echo " done."
-
-chmod a+x $script
-- 
2.30.2