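#!/bin/bash
# $Id$
#
# Builds an iptables-restore(8) "nat" table from the pimp mapping files
# (one "<private-ip> <public-ip>" pair per line) and writes it to
# $restoredata.  This script only produces the file; loading it is done
# elsewhere (no iptables-restore call is made here).

# Stop on the first use of an unset variable.  A typo in one of the path
# variables below would otherwise silently redirect output elsewhere.
set -u

iptables="/sbin/iptables"
iptablesrestore="/sbin/iptables-restore"

# pimp files must be generated by optional-tools/make-pimp utility.
# They sit on /dev/shm, which every local user can write to, so their
# content has to be treated as untrusted input by whatever parses it.
pimp_2way_nat="/dev/shm/pimp-2way-nat.tmp"
pimp_snat="/dev/shm/pimp-snat.tmp"

# Not referenced below ($iptables, $etchosts); presumably used by scripts
# that source this one -- confirm before removing.
etchosts="/mnt/mtdblock0/hosts"

# Staging file for the generated ruleset.  A fixed, predictable name on
# the world-writable /dev/shm lets any local user pre-plant a symlink
# that this (presumably root-run) script would then truncate.  Use an
# unpredictable name when mktemp is available; the historical fixed name
# is only a fallback and still races between rm and the first write.
if command -v mktemp >/dev/null 2>&1; then
  restoretmp=$(mktemp "/dev/shm/iptables-restore.XXXXXX") || {
    echo "error: cannot create staging file in /dev/shm" >&2
    exit 1
  }
else
  restoretmp="/dev/shm/iptables-restore.tmp"
  rm -f -- "$restoretmp"
fi
# Never leave a half-written table behind, whichever way we exit.
trap 'rm -f -- "$restoretmp"' EXIT

restoredata="/mnt/mtdblock0/iptables-restore.in"

# WAN uplinks; every NAT rule is emitted once per interface.
wan1="vlan770"
wan2="vlan771"
wan3="vlan772"
wan4="vlan774"

# Prefix lengths of the index-chain levels: private side /19 -> /22 ->
# /25 -> /28, public side /26 -> /29.
czffirstbitmask="19"
czfsecondbitmask="22"
czfthirdbitmask="25"
czffourthbitmask="28"
pubfirstbitmask="26"
pubsecondbitmask="29"

# Space-separated list of user chains already declared in $restoretmp.
chaintrack="_"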
23 | |
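# ===============================================================
# ipcalc rewrite
# ===============================================================

# gen_ipt_string IP/PREFIX
#   Prints the network address of IP/PREFIX in a form that is legal inside
#   an iptables chain name: octets and prefix length joined by "_", e.g.
#   "10.1.2.3/19" -> "10_1_0_0_19".
#   The argument ultimately comes from the pimp files on /dev/shm, so it
#   is validated instead of being handed to eval: IP must be a dotted quad
#   with every octet 0-255 (no leading zeros -- the shell would read those
#   as octal) and PREFIX must be 0-32.  Anything else prints a message on
#   stderr, prints nothing on stdout and returns 1.  The rejected value is
#   deliberately not echoed back.
gen_ipt_string() {
  local spec="$1"
  local ip="${spec%%/*}"
  local prefix="${spec#*/}"
  local rest o1 o2 o3 o4 octet
  local full part idx=0 maskoct out=""

  case "$spec" in
    */*) ;;
    *) echo "gen_ipt_string: missing prefix length" >&2; return 1 ;;
  esac
  case "$prefix" in
    [0-9]|[12][0-9]|3[0-2]) ;;
    *) echo "gen_ipt_string: prefix length must be 0-32" >&2; return 1 ;;
  esac
  case "$ip" in
    *.*.*.*) ;;
    *) echo "gen_ipt_string: address is not a dotted quad" >&2; return 1 ;;
  esac

  # Split on the first three dots; anything after the fourth octet stays
  # glued to it and fails the range check below.
  o1=${ip%%.*}; rest=${ip#*.}
  o2=${rest%%.*}; rest=${rest#*.}
  o3=${rest%%.*}; o4=${rest#*.}
  for octet in "$o1" "$o2" "$o3" "$o4"; do
    case "$octet" in
      [0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]) ;;
      *) echo "gen_ipt_string: octet out of range" >&2; return 1 ;;
    esac
  done

  # Per-octet mask: full octets are 255, the partial one has its top
  # (prefix % 8) bits set, the remaining ones are 0.
  full=$(( prefix / 8 ))
  part=$(( prefix % 8 ))
  for octet in "$o1" "$o2" "$o3" "$o4"; do
    if [ "$idx" -lt "$full" ]; then
      maskoct=255
    elif [ "$idx" -eq "$full" ]; then
      maskoct=$(( 256 - (1 << (8 - part)) ))
    else
      maskoct=0
    fi
    out="${out}$(( octet & maskoct ))_"
    idx=$(( idx + 1 ))
  done
  echo "${out}${prefix}"
}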
50 | |
# Start the nat table: the three built-in chains keep their ACCEPT
# policy, "[0:0]" being their packet/byte counters.  The ">" truncates
# whatever was in the staging file.
{
  echo "*nat"
  echo ":PREROUTING ACCEPT [0:0]"
  echo ":POSTROUTING ACCEPT [0:0]"
  echo ":OUTPUT ACCEPT [0:0]"
} > "$restoretmp"
55 | |
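# ===============================================================
# Symetrical SNAT-DNAT using indexed iptables
# ===============================================================
#
# Rules are not appended straight to POSTROUTING/PREROUTING.  They are
# indexed by successively longer prefixes of the address (czf*bitmask on
# the private side, pub*bitmask on the public side) so a packet only
# walks the rules of its own address block.  Each prefix level gets a
# user chain named after its network address, "." replaced by "_" and
# the prefix length appended ("priv_10_1_0_0_19"), created the first
# time an address inside it is seen.  $chaintrack lists the chains
# declared so far, each surrounded by spaces.
#
# The pimp files live on /dev/shm, which any local user can write to,
# so every field read from them is validated before it is used to build
# a chain name or a rule, and nothing from them is ever eval'ed.

# Dotted quad, each octet 0-255 without leading zeros.
ipv4_re='^(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}$'

# pair_ok PRIVIP PUBIP
#   Succeeds only if both arguments match $ipv4_re.
pair_ok() {
  [[ "$1" =~ $ipv4_re && "$2" =~ $ipv4_re ]]
}

# require_pimp FILE
#   Aborts unless FILE is a readable regular file.  Symlinks are refused
#   because on a world-writable tmpfs one could point anywhere.  Without
#   this check a missing file would silently yield a near-empty table
#   that then replaces the live one.
require_pimp() {
  if [ -L "$1" ] || [ ! -f "$1" ] || [ ! -r "$1" ]; then
    echo "error: pimp file $1 is missing, unreadable or a symlink" >&2
    exit 1
  fi
  [ -O "$1" ] || echo "warning: $1 is not owned by the current user" >&2
}

# chain_known NAME
#   Succeeds if NAME was already declared.  Whole-name match, so one chain
#   name being a prefix of another cannot cause a false hit.
chain_known() {
  case " $chaintrack " in
    *" $1 "*) return 0 ;;
    *)        return 1 ;;
  esac
}

# declare_chain NAME
#   Writes the chain declaration and records NAME in $chaintrack.
declare_chain() {
  printf '%s\n' ":$1 - [0:0]" >> "$restoretmp"
  chaintrack=" $1 $chaintrack"
}

# emit_per_wan HEAD IFFLAG TAIL
#   Writes "-A HEAD IFFLAG <wan> TAIL" once per WAN interface, IFFLAG
#   being -o (POSTROUTING side) or -i (PREROUTING side).
emit_per_wan() {
  local wan
  for wan in "$wan1" "$wan2" "$wan3" "$wan4"; do
    printf '%s\n' "-A $1 $2 $wan $3" >> "$restoretmp"
  done
}

# net_cidr NETSTRING PREFIX
#   Turns gen_ipt_string output ("10_1_0_0_19") into "10.1.0.0/19" for
#   use in -s/-d matches.
net_cidr() {
  local net="${1%_*}"
  echo "${net//_/.}/$2"
}

# ensure_priv_chains PRIVIP
#   Walks the POSTROUTING index ladder for PRIVIP (/19 -> /22 -> /25 ->
#   /28), declaring each missing chain together with the jump rules from
#   its parent, and leaves the innermost chain's name in $priv_leaf_chain.
#   Returns 1 (before writing anything) if gen_ipt_string rejects PRIVIP.
#   Must run in the current shell: it updates $chaintrack.
ensure_priv_chains() {
  local ip="$1" parent="POSTROUTING" prefix net chain cidr
  # Only the first hop carries the "not towards 10/8" condition; deeper
  # levels are only reached through it.  This is the old intrapositioned
  # negation ("-d ! ..."); newer iptables prefer "! -d" -- check what the
  # target's iptables-restore accepts before changing it.
  local dstmatch="-d ! 10.0.0.0/8 "
  for prefix in "$czffirstbitmask" "$czfsecondbitmask" "$czfthirdbitmask" "$czffourthbitmask"; do
    net=$(gen_ipt_string "$ip/$prefix") || return 1
    chain="priv_$net"
    if ! chain_known "$chain"; then
      declare_chain "$chain"
      # Match the whole block (network/prefix).  An earlier version
      # emitted the bare network address, which iptables reads as a /32
      # and which therefore only matched the block's first address.
      cidr=$(net_cidr "$net" "$prefix")
      emit_per_wan "$parent ${dstmatch}-s $cidr" -o "-j $chain"
    fi
    dstmatch=""
    parent="$chain"
  done
  priv_leaf_chain="$parent"
}

# ensure_pub_chains PUBIP
#   Same for the PREROUTING side (/26 -> /29); the innermost chain's name
#   is left in $pub_leaf_chain.
ensure_pub_chains() {
  local ip="$1" parent="PREROUTING" prefix net chain cidr
  for prefix in "$pubfirstbitmask" "$pubsecondbitmask"; do
    net=$(gen_ipt_string "$ip/$prefix") || return 1
    chain="pub_$net"
    if ! chain_known "$chain"; then
      declare_chain "$chain"
      cidr=$(net_cidr "$net" "$prefix")
      emit_per_wan "$parent" -i "-d $cidr -j $chain"
    fi
    parent="$chain"
  done
  pub_leaf_chain="$parent"
}

echo -n "Generating new iptables-restore data - two way SNAT/DNAT "
require_pimp "$pimp_2way_nat"
lineno=0
# Fields beyond the second are ignored, as the old awk parser did; the
# "|| [ -n ... ]" also takes a last line without a trailing newline.
while read -r czfip pubip rest || [ -n "$czfip" ]; do
  lineno=$((lineno + 1))
  if [ -z "$czfip" ]; then
    continue
  fi
  if ! pair_ok "$czfip" "$pubip"; then
    # The offending text is deliberately not echoed back.
    echo "warning: $pimp_2way_nat line $lineno is not an IP pair, skipped" >&2
    continue
  fi
  if ! ensure_priv_chains "$czfip" || ! ensure_pub_chains "$pubip"; then
    echo "warning: $pimp_2way_nat line $lineno rejected by gen_ipt_string, skipped" >&2
    continue
  fi
  # Leaf rules: traffic to the public address is DNATed to the private
  # one, traffic from the private address is SNATed to the public one.
  emit_per_wan "$pub_leaf_chain" -i "-d $pubip/32 -j DNAT --to-destination $czfip"
  emit_per_wan "$priv_leaf_chain -s $czfip/32" -o "-j SNAT --to-source $pubip"
  echo -n .
done < "$pimp_2way_nat"
echo " done."

# ===============================================================
# SNAT only using indexed iptables
# ===============================================================
# Same private-side ladder as above; only the SNAT leaf rule is added.
echo -n "Generating new iptables-restore data - one way SNAT "
require_pimp "$pimp_snat"
lineno=0
while read -r czfip pubip rest || [ -n "$czfip" ]; do
  lineno=$((lineno + 1))
  if [ -z "$czfip" ]; then
    continue
  fi
  if ! pair_ok "$czfip" "$pubip"; then
    echo "warning: $pimp_snat line $lineno is not an IP pair, skipped" >&2
    continue
  fi
  if ! ensure_priv_chains "$czfip"; then
    echo "warning: $pimp_snat line $lineno rejected by gen_ipt_string, skipped" >&2
    continue
  fi
  emit_per_wan "$priv_leaf_chain -s $czfip/32" -o "-j SNAT --to-source $pubip"
  echo -n .
done < "$pimp_snat"
echo " done."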
216 | |
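# Close the table and publish it.  By the look of the paths $restoretmp
# (tmpfs) and $restoredata (the mtd partition) are on different
# filesystems, so a plain mv would copy straight onto the live name and a
# failure halfway could leave it truncated.  Copy next to the target
# first, then rename, which is atomic within one filesystem; on any
# failure the previous file is left as it was.
# NOTE(review): $iptablesrestore is defined but unused here; running
# "$iptablesrestore --test" on $restoretmp before publishing would catch a
# broken table early, if the target's iptables-restore supports --test.
echo COMMIT >> "$restoretmp"
echo -n "Writing $restoredata"
if cp -- "$restoretmp" "$restoredata.new" && mv -f -- "$restoredata.new" "$restoredata"; then
  rm -f -- "$restoretmp"
  echo " done."
else
  echo " FAILED, previous $restoredata left untouched" >&2
  rm -f -- "$restoredata.new"
  exit 1
fi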