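#!/bin/bash
#
# Generate an iptables-restore input file for the "nat" table that implements
#   * symmetric SNAT/DNAT ("two way") mappings  private IP <-> public IP, and
#   * SNAT-only ("one way") mappings            private IP  -> public IP,
# using a hierarchy of per-prefix user chains ("indexed" chains) so a packet
# walks a few short chains instead of one long rule list.
#
# Inputs : the pimp files below, one "<private-ip> <public-ip>" pair per line,
#          lines starting with "#" and blank lines ignored. They must be
#          generated by the optional-tools/make-pimp utility.
# Output : $restoredata, a complete "*nat ... COMMIT" block for iptables-restore.
#
# The generated file is written to a temporary file first and only moved into
# place when every entry was processed, so a missing or malformed input never
# replaces the previous ruleset with an empty or partial one.
#
set -uo pipefail

# shellcheck disable=SC2034  # not used by this script; kept as before
iptables="/sbin/iptables"
iptablesrestore="/sbin/iptables-restore"
ifconfig="/sbin/ifconfig"
etchosts="/mnt/mtdblock0/hosts"

# pimp files must be generated by optional-tools/make-pimp utility
# NOTE(review): /dev/shm is a world-writable tmpfs; whoever can write these
# files controls the NAT rules this script generates as root.
pimp_2way_nat="/dev/shm/pimp-2way-nat.tmp"
pimp_snat="/dev/shm/pimp-snat.tmp"
# directory/prefix for the temporary output (mktemp appends a random suffix)
restoretmp="/dev/shm/iptables-restore.tmp"
restoredata="/mnt/mtdblock0/iptables-restore.in"

# WAN interfaces, in the order rules are emitted for each entry
wans=("vlan770" "vlan771" "vlan772" "vlan774")
# prefix lengths of the chain hierarchy, widest first
czfbitmasks=(19 22 25 28)   # private (source) side, hung off POSTROUTING
pubbitmasks=(26 29)         # public (destination) side, hung off PREROUTING

# space-delimited list of user chains already declared in this run
# (shared by both passes so a chain is declared exactly once per file)
chaintrack="_"
# temporary output file being built (set by main)
out=""
# innermost chain produced by the last build_hierarchy call
last_chain=""

#######################################
# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
#######################################
valid_ipv4() {
  local octet
  [[ "$1" =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal so "010" is not read as octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Print "network/prefix" for address $1 masked to prefix length $2.
# Pure bash replacement for "ipcalc -n | grep Network | cut", which depended
# on the exact whitespace of ipcalc's output.
# Returns 1 (prints nothing) for a malformed address or prefix.
#######################################
network_of() {
  local ip=$1 prefix=$2
  local o1 o2 o3 o4 addr mask net
  valid_ipv4 "$ip" || return 1
  [[ "$prefix" =~ ^[0-9]+$ ]] && (( 10#$prefix <= 32 )) || return 1
  prefix=$(( 10#$prefix ))
  IFS=. read -r o1 o2 o3 o4 <<< "$ip"
  addr=$(( (10#$o1 << 24) | (10#$o2 << 16) | (10#$o3 << 8) | 10#$o4 ))
  # bash arithmetic is 64-bit, so mask back to 32 bits after the shift
  mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  net=$(( addr & mask ))
  printf '%d.%d.%d.%d/%d\n' \
    $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
    $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

#######################################
# Print the user-chain name for side $1 ("priv"/"pub") and network $2
# ("a.b.c.d/len"): dots and the slash become underscores, e.g. priv_10_1_0_0_19.
#######################################
chain_name() {
  local net=$2
  net=${net//./_}
  net=${net//\//_}
  printf '%s_%s\n' "$1" "$net"
}

#######################################
# Append one line ($1) to the restore file being built.
# Globals: out (read)
#######################################
emit() {
  printf '%s\n' "$1" >> "$out"
}

#######################################
# Return 0 if chain $1 was already declared in this run.
# Globals: chaintrack (read)
# The match is delimited by spaces so one chain name can never be mistaken
# for a substring of another.
#######################################
chain_known() {
  [[ " $chaintrack " == *" $1 "* ]]
}

#######################################
# Declare user chain $1 unless it already exists.
# Globals: chaintrack (written)
# Returns: 0 when the chain was newly declared, 1 when it already existed.
#######################################
declare_chain() {
  local chain=$1
  chain_known "$chain" && return 1
  emit ":$chain - [0:0]"
  chaintrack=" $chain $chaintrack"
  return 0
}

#######################################
# Emit the chain hierarchy for one address and remember its innermost chain.
# Arguments: $1 - "priv" (POSTROUTING, -s/-o, prefixes czfbitmasks)
#                 or "pub" (PREROUTING, -d/-i, prefixes pubbitmasks)
#            $2 - the address to index
# Globals:   last_chain (written), wans/czfbitmasks/pubbitmasks (read)
# Each level is declared once; its jump rules (one per WAN interface, in
# array order) are only emitted when the chain is new.
# Returns:   1 if the address cannot be parsed (nothing emitted).
#######################################
build_hierarchy() {
  local side=$1 ip=$2
  local parent prefix net chain wan
  local -a prefixes
  if [[ "$side" == priv ]]; then
    parent="POSTROUTING"
    prefixes=("${czfbitmasks[@]}")
  else
    parent="PREROUTING"
    prefixes=("${pubbitmasks[@]}")
  fi
  for prefix in "${prefixes[@]}"; do
    net=$(network_of "$ip" "$prefix") || return 1
    chain=$(chain_name "$side" "$net")
    if declare_chain "$chain"; then
      for wan in "${wans[@]}"; do
        if [[ "$side" == pub ]]; then
          emit "-A $parent -i $wan -d $net -j $chain"
        elif [[ "$parent" == POSTROUTING ]]; then
          # only the top level excludes 10/8 destinations from NAT; the
          # legacy "-d !" inversion syntax is kept as the original emitted it
          emit "-A POSTROUTING -d ! 10.0.0.0/8 -s $net -o $wan -j $chain"
        else
          emit "-A $parent -s $net -o $wan -j $chain"
        fi
      done
    fi
    parent=$chain
  done
  last_chain=$parent
}

#######################################
# Two-way entry: DNAT public -> private on ingress, SNAT private -> public
# on egress, both hung off the innermost chain of their hierarchy.
# Arguments: $1 - private address, $2 - public address
#######################################
two_way_entry() {
  local czfip=$1 pubip=$2
  local priv_chain pub_chain wan
  build_hierarchy priv "$czfip" || return 1
  priv_chain=$last_chain
  build_hierarchy pub "$pubip" || return 1
  pub_chain=$last_chain
  for wan in "${wans[@]}"; do
    emit "-A $pub_chain -i $wan -d $pubip/32 -j DNAT --to-destination $czfip"
  done
  for wan in "${wans[@]}"; do
    emit "-A $priv_chain -s $czfip/32 -o $wan -j SNAT --to-source $pubip"
  done
  printf .
}

#######################################
# One-way entry: SNAT private -> public on egress only.
# Arguments: $1 - private address, $2 - public address
#######################################
snat_entry() {
  local czfip=$1 pubip=$2
  local wan
  build_hierarchy priv "$czfip" || return 1
  for wan in "${wans[@]}"; do
    emit "-A $last_chain -s $czfip/32 -o $wan -j SNAT --to-source $pubip"
  done
  printf .
}

#######################################
# Feed every "<private-ip> <public-ip>" pair of pimp file $1 to function $2.
# Comment ("#...") and blank lines are skipped. A line without two valid
# IPv4 addresses aborts the run: the old grep/cut pipeline would have
# produced a rule with an empty field that iptables-restore then rejected
# as a whole, so failing here loses nothing and reports the line instead.
# Returns: 1 if the file is unreadable or an entry is malformed.
#######################################
each_pair() {
  local file=$1 handler=$2
  local czfip pubip lineno=0
  if [[ ! -r "$file" ]]; then
    printf 'error: cannot read %s\n' "$file" >&2
    return 1
  fi
  # "|| [[ -n $czfip ]]" still processes a last line lacking a newline
  while read -r czfip pubip _ || [[ -n "$czfip" ]]; do
    lineno=$(( lineno + 1 ))
    [[ -z "$czfip" || "$czfip" == \#* ]] && continue
    if [[ -z "$pubip" ]] || ! valid_ipv4 "$czfip" || ! valid_ipv4 "$pubip"; then
      printf 'error: %s:%d: malformed entry "%s %s"\n' \
        "$file" "$lineno" "$czfip" "$pubip" >&2
      return 1
    fi
    "$handler" "$czfip" "$pubip" || return 1
  done < "$file"
  return 0
}

#######################################
# Build the nat table into a private temp file and move it into place.
# Globals: out (written), chaintrack (reset)
# Returns: non-zero without touching $restoredata on any error.
#######################################
main() {
  local file
  for file in "$pimp_2way_nat" "$pimp_snat"; do
    if [[ ! -r "$file" ]]; then
      printf 'error: cannot read %s (run optional-tools/make-pimp first)\n' "$file" >&2
      return 1
    fi
  done
  # random suffix: a fixed name in world-writable /dev/shm could be
  # pre-created or symlinked by another local process
  out=$(mktemp "${restoretmp}.XXXXXX") || {
    printf 'error: cannot create temporary file under %s\n' "${restoretmp%/*}" >&2
    return 1
  }
  trap 'rm -f -- "$out"' EXIT
  chaintrack="_"

  emit "*nat"
  emit ":PREROUTING ACCEPT [0:0]"
  emit ":POSTROUTING ACCEPT [0:0]"
  emit ":OUTPUT ACCEPT [0:0]"

  # ===============================================================
  # Symmetrical SNAT-DNAT using indexed iptables
  # ===============================================================
  printf '%s' "Generating new iptables-restore data - two way SNAT/DNAT "
  each_pair "$pimp_2way_nat" two_way_entry || return 1
  printf ' done.\n'

  # ===============================================================
  # SNAT only using indexed iptables
  # ===============================================================
  printf '%s' "Generating new iptables-restore data - one way SNAT "
  each_pair "$pimp_snat" snat_entry || return 1
  printf ' done.\n'

  emit COMMIT
  printf 'Writing %s\n' "$restoredata"
  # NOTE: /dev/shm and the flash partition are different filesystems, so this
  # mv is a copy, not an atomic rename, exactly as before.
  mv -- "$out" "$restoredata" || return 1
  trap - EXIT
  return 0
}

main "$@"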