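#!/bin/bash
# $Id$
#
# Build the iptables-restore(8) input for the "nat" table from the two
# "pimp" mapping files (one "<private-ip> <public-ip>" pair per line,
# lines starting with '#' ignored):
#   $pimp_2way_nat - hosts that get SNAT on the way out and DNAT on the way in
#   $pimp_snat     - hosts that only get SNAT on the way out
#
# Instead of one flat rule list the rules sit in a tree of per-subnet
# chains, so a packet only traverses the rules of its own /19, /22, /25
# and /28 (outbound) or of the public /26 and /29 (inbound):
#   POSTROUTING -> priv_<net>_19 -> priv_<net>_22 -> priv_<net>_25 -> priv_<net>_28 -> SNAT
#   PREROUTING  -> pub_<net>_26  -> pub_<net>_29 -> DNAT
#
# The data is assembled in RAM (/dev/shm) and only copied over
# $restoredata once it is complete, so a failure half-way (bad mapping
# line, missing file or tool) leaves the previous, working ruleset alone.
#
# Requirements: bash (regex match), mktemp, and an ipcalc that prints a
# "Network:   a.b.c.d/len" line for "ipcalc -n ADDR/LEN" (Jodies' ipcalc;
# Red Hat's ipcalc prints "NETWORK=..." for -n and will not work).
#
# NOTE(review): the mapping files are read from /dev/shm, which is usually
# world-writable, so anyone with a local shell can replace them and thereby
# rewrite the NAT rules.  The address check below stops rule injection
# through crafted lines, but where make-pimp puts the files is not decided
# here.

set -u

iptables="/sbin/iptables"                 # not used below; kept for scripts
iptablesrestore="/sbin/iptables-restore"  # that source this file for the paths
ifconfig="/sbin/ifconfig"
grep="/bin/grep"
cut="/usr/bin/cut"

#pimp files must be generated by optional-tools/make-pimp utility
pimp_2way_nat="/dev/shm/pimp-2way-nat.tmp"
pimp_snat="/dev/shm/pimp-snat.tmp"
etchosts="/mnt/mtdblock0/hosts"           # not used below
restoredata="/mnt/mtdblock0/iptables-restore.in"
wan1="vlan770"
wan2="vlan771"
wan3="vlan772"
wan4="vlan774"
# prefix lengths of the chain tree, top level first
czffirstbitmask="19"
czfsecondbitmask="22"
czfthirdbitmask="25"
czffourthbitmask="28"
pubfirstbitmask="26"
pubsecondbitmask="29"

# Dotted-quad check for every address read from the mapping files.  Anything
# else (garbage, a trailing "-j ACCEPT", ...) aborts the run before it can
# become part of the ruleset.  Kept in a variable so bash's regex quoting
# rules do not get in the way.
ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

command -v ipcalc > /dev/null || die "ipcalc not found"

# Unpredictable temporary name: /dev/shm is shared with every local user and
# a fixed name would let someone pre-create a symlink there, or swap the
# file between our writes and the final copy.  Removed on any exit.
restoretmp=$(mktemp /dev/shm/iptables-restore.XXXXXX) \
  || die "cannot create temporary file in /dev/shm"
trap 'rm -f -- "$restoretmp"' EXIT

#######################################
# Print the network of ADDR/LEN as ipcalc reports it ("a.b.c.d/len").
# Arguments: $1 - address, $2 - prefix length
# Returns: exits non-zero (message on stderr) if ipcalc gave no answer,
#          so a failed lookup never turns into an empty chain name
#######################################
netof() {
  local net
  net=$(ipcalc -n "$1/$2" | $grep Network | $cut -f 4 -d ' ')
  [[ -n "$net" ]] || die "ipcalc gave no network for $1/$2"
  printf '%s\n' "$net"
}

#######################################
# Chain name for a network: PREFIX_ followed by the network with '.' and
# '/' turned into '_' (e.g. priv_10_1_0_0_19).
# Arguments: $1 - prefix (priv or pub), $2 - network as printed by netof
#######################################
chainof() {
  printf '%s_%s\n' "$1" "$(printf '%s' "$2" | tr '[./]' '_')"
}

#######################################
# Declare CHAIN (once) and add the rules in PARENT that hand traffic to it,
# one per WAN interface.  Nothing is written if CHAIN is already declared
# in $restoretmp, so hosts in the same subnet share one chain.
# Arguments:
#   $1 - chain to create
#   $2 - parent chain
#   $3 - "out" (match "-s NET -o WAN") or "in" (match "-i WAN -d NET")
#   $4 - network (a.b.c.d/len)
#   $5 - optional extra match text placed before -s (top-level POSTROUTING)
# Globals: appends to $restoretmp; reads $wan1..$wan4
#######################################
declare_chain() {
  local chain=$1 parent=$2 direction=$3 net=$4 extra=${5:-} wan
  # anchored on the ":name" declaration line, so a name is never taken for
  # a longer one that merely contains it
  $grep -q -- "^:$chain " "$restoretmp" && return 0
  echo ":$chain - [0:0]" >> "$restoretmp"
  for wan in "$wan1" "$wan2" "$wan3" "$wan4"; do
    if [[ "$direction" == out ]]; then
      echo "-A $parent${extra:+ $extra} -s $net -o $wan -j $chain" >> "$restoretmp"
    else
      echo "-A $parent -i $wan -d $net -j $chain" >> "$restoretmp"
    fi
  done
}

#######################################
# Emit the chain tree and the final SNAT (and, for two-way entries, DNAT)
# rules for one private/public address pair.
# Arguments: $1 - private address, $2 - public address,
#            $3 - "2way" (SNAT + DNAT) or "snat" (SNAT only)
# Globals: appends to $restoretmp
#######################################
process_mapping() {
  local czfip=$1 pubip=$2 mode=$3 wan
  local n19 n22 n25 n28 c19 c22 c25 c28 n26 n29 p26 p29

  # each network is computed once; the original ran ipcalc again for every
  # rule line
  n19=$(netof "$czfip" "$czffirstbitmask")  || exit 1
  n22=$(netof "$czfip" "$czfsecondbitmask") || exit 1
  n25=$(netof "$czfip" "$czfthirdbitmask")  || exit 1
  n28=$(netof "$czfip" "$czffourthbitmask") || exit 1
  c19=$(chainof priv "$n19")
  c22=$(chainof priv "$n22")
  c25=$(chainof priv "$n25")
  c28=$(chainof priv "$n28")

  # Outbound tree.  The top-level rule leaves private-to-private (10/8)
  # traffic alone so it is never SNATed.  "-d ! net" is the old
  # intrapositioned negation; newer iptables prefer "! -d net" but still
  # accept this form (with a warning), so it is kept for the device's
  # iptables-restore.
  declare_chain "$c19" POSTROUTING out "$n19" "-d ! 10.0.0.0/8"
  declare_chain "$c22" "$c19" out "$n22"
  declare_chain "$c25" "$c22" out "$n25"
  declare_chain "$c28" "$c25" out "$n28"

  if [[ "$mode" == 2way ]]; then
    n26=$(netof "$pubip" "$pubfirstbitmask")  || exit 1
    n29=$(netof "$pubip" "$pubsecondbitmask") || exit 1
    p26=$(chainof pub "$n26")
    p29=$(chainof pub "$n29")
    declare_chain "$p26" PREROUTING in "$n26"
    declare_chain "$p29" "$p26" in "$n29"
    for wan in "$wan1" "$wan2" "$wan3" "$wan4"; do
      echo "-A $p29 -i $wan -d $pubip/32 -j DNAT --to-destination $czfip" >> "$restoretmp"
    done
  fi

  for wan in "$wan1" "$wan2" "$wan3" "$wan4"; do
    echo "-A $c28 -s $czfip/32 -o $wan -j SNAT --to-source $pubip" >> "$restoretmp"
  done
}

#######################################
# Feed every "private public" line of FILE to process_mapping.
# Lines starting with '#' and empty lines are skipped.  Any other line that
# is not two dotted quads aborts the run, keeping the old ruleset.  Reading
# the pair from one line replaces the old "grep <ip> " lookup, which also
# matched commented-out lines and longer addresses ending in the same
# digits and could hand a host the wrong public address.
# Arguments: $1 - mapping file, $2 - mode passed on to process_mapping
#######################################
read_mappings() {
  local file=$1 mode=$2 czfip pubip rest
  [[ -f "$file" ]] || die "$file is missing - generate it with optional-tools/make-pimp"
  # the "|| [[ -n ... ]]" also takes a last line without a trailing newline
  while read -r czfip pubip rest || [[ -n "$czfip" ]]; do
    [[ -z "$czfip" || "$czfip" == \#* ]] && continue
    [[ "$czfip" =~ $ipv4_re && "$pubip" =~ $ipv4_re ]] \
      || die "$file: bad mapping line '$czfip $pubip $rest'"
    process_mapping "$czfip" "$pubip" "$mode"
    printf '.'
  done < "$file"
}

{
  echo "*nat"
  echo ":PREROUTING ACCEPT [0:0]"
  echo ":POSTROUTING ACCEPT [0:0]"
  echo ":OUTPUT ACCEPT [0:0]"
} > "$restoretmp"

# ===============================================================
# Symmetrical SNAT-DNAT using indexed iptables
# ===============================================================
printf '%s' "Generating new iptables-restore data - two way SNAT/DNAT "
read_mappings "$pimp_2way_nat" 2way
echo " done."

# ===============================================================
# SNAT only using indexed iptables
# ===============================================================
printf '%s' "Generating new iptables-restore data - one way SNAT "
read_mappings "$pimp_snat" snat
echo " done."

echo COMMIT >> "$restoretmp"

# $restoredata lives on flash, on another filesystem than /dev/shm, so a
# plain mv would be a copy followed by an unlink and an interrupted run
# could leave a truncated ruleset in place.  Copy next to the target and
# rename, which is atomic within one filesystem; the temporary in /dev/shm
# is removed by the EXIT trap.
cp -- "$restoretmp" "$restoredata.new" || die "cannot write $restoredata.new"
mv -f -- "$restoredata.new" "$restoredata" || die "cannot replace $restoredata"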