[svn/Prometheus-QoS/.git] / optional-tools / make-snat-dnat

#!/bin/bash

iptables="/sbin/iptables"
ifconfig="/sbin/ifconfig"

#pimp files must be generated by optional-tools/make-pimp utility
pimp_2way_nat="/rw/var/run/pimp-2way-nat.tmp"
pimp_snat="/rw/var/run/pimp-snat.tmp"
etchosts="/rw/etc/hosts"
script="/rw/etc/network/snat-dnat"

echo "#!/bin/bash" > $script
echo $iptables -t nat -F >> $script
echo $iptables -t nat -X >> $script
echo "echo -n \"Setting firewall rules \"" >> $script

# ===============================================================
#  Symetrical SNAT-DNAT using indexed iptables
# ===============================================================

echo -n "Generating new iptables rules "

for czfip in `grep -v ^# $pimp_2way_nat|cut -f 1 -d " "`
do
 pubip=`grep "$czfip " $pimp_2way_nat|cut -f 2 -d " "`
 czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
 czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
 czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
 pubfirstindex=pub_`ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ |tr [./] _`
 pubsecondindex=pub_`ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ |tr [./] _`

 if ! grep $czffirstindex $script > /dev/null
 then
  echo $iptables -t nat -N $czffirstindex >> $script
  echo $iptables -t nat -F $czffirstindex >> $script
  echo $iptables -t nat -A POSTROUTING -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o eth1 -j $czffirstindex >> $script
 fi

 if ! grep $czfsecondindex $script > /dev/null
 then
  echo $iptables -t nat -N $czfsecondindex >> $script
  echo $iptables -t nat -F $czfsecondindex >> $script
  echo $iptables -t nat -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfsecondindex >> $script
 fi

 if ! grep $czfthirdindex $script > /dev/null
 then
  echo $iptables -t nat -N $czfthirdindex >> $script
  echo $iptables -t nat -F $czfthirdindex >> $script
  echo $iptables -t nat -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfthirdindex >> $script
 fi

 if ! grep $pubfirstindex $script > /dev/null
 then
  echo $iptables -t nat -N $pubfirstindex >> $script
  echo $iptables -t nat -F $pubfirstindex >> $script
  echo $iptables -t nat -A PREROUTING -i eth1 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $script
 fi

 if ! grep $pubsecondindex $script > /dev/null
 then
  echo $iptables -t nat -N $pubsecondindex >> $script
  echo $iptables -t nat -F $pubsecondindex >> $script
  echo $iptables -t nat -A $pubfirstindex -i eth1 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $script
 fi

 echo $iptables -t nat -A $pubsecondindex -i eth1 -d $pubip/32 -j DNAT --to-destination $czfip >> $script
 echo $iptables -t nat -A $pubsecondindex -i eth1 -d $pubip/32 -j ACCEPT >> $script

 echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j SNAT --to-source $pubip >> $script
 echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j ACCEPT >> $script

 echo -n .
 echo "echo -n ." >>$script
done
echo " done."

# ===============================================================
#  SNAT only using indexed iptables (should be rather function, hmm)
# ===============================================================

for czfip in `grep -v ^# $pimp_snat|cut -f 1 -d " "`
do
 pubip=`grep "$czfip " $pimp_snat|cut -f 2 -d " "`
 czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
 czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
 czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`

 if ! grep $czffirstindex $script > /dev/null
 then
  echo $iptables -t nat -N $czffirstindex >> $script
  echo $iptables -t nat -F $czffirstindex >> $script
  echo $iptables -t nat -A POSTROUTING -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o eth1 -j $czffirstindex >> $script
 fi

 if ! grep $czfsecondindex $script > /dev/null
 then
  echo $iptables -t nat -N $czfsecondindex >> $script
  echo $iptables -t nat -F $czfsecondindex >> $script
  echo $iptables -t nat -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfsecondindex >> $script
 fi

 if ! grep $czfthirdindex $script > /dev/null
 then
  echo $iptables -t nat -N $czfthirdindex >> $script
  echo $iptables -t nat -F $czfthirdindex >> $script
  echo $iptables -t nat -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfthirdindex >> $script
 fi

 echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j SNAT --to-source $pubip >> $script
 echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j ACCEPT >> $script

 echo -n .
 echo "echo -n ." >>$script
done
echo " done."

# ===============================================================
#  Dashboard rules
# ===============================================================

echo -n "Generating dashboard index rules "

for czfip in `grep ^10[.] $etchosts|grep dashboard-|cut -f 1`
do
 czffirstindex=dash_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
 czfsecondindex=dash_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
 czfthirdindex=dash_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`

 if ! grep $czffirstindex $script > /dev/null
 then
  echo $iptables -t nat -N $czffirstindex >> $script
  echo $iptables -t nat -F $czffirstindex >> $script
  echo $iptables -t nat -A PREROUTING -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -i eth0 -j $czffirstindex >> $script
 fi

 if ! grep $czfsecondindex $script > /dev/null
 then
  echo $iptables -t nat -N $czfsecondindex >> $script
  echo $iptables -t nat -F $czfsecondindex >> $script
  echo $iptables -t nat -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -i eth0 -j $czfsecondindex >> $script
 fi

 if ! grep $czfthirdindex $script > /dev/null
 then
  echo $iptables -t nat -N $czfthirdindex >> $script
  echo $iptables -t nat -F $czfthirdindex >> $script
  echo $iptables -t nat -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -i eth0 -j $czfthirdindex >> $script
 fi

 echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -p tcp --dport 80 -j REDIRECT --to 8080 >> $script
 echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -p tcp --dport 3128 -j REDIRECT --to 8080  >> $script
 echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -p tcp --dport 8080 -j ACCEPT >> $script
 echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -j DROP  >> $script

 echo -n .
 echo "echo -n ." >>$script

done
echo " done."

chmod a+x $script
Commit	Line	Data
a4f661fc	1	#!/bin/bash
	2
	3	iptables="/sbin/iptables"
	4	ifconfig="/sbin/ifconfig"
	5
f035230d	6	#pimp files must be generated by optional-tools/make-pimp utility
	7	pimp_2way_nat="/rw/var/run/pimp-2way-nat.tmp"
	8	pimp_snat="/rw/var/run/pimp-snat.tmp"
	9	etchosts="/rw/etc/hosts"
a4f661fc	10	script="/rw/etc/network/snat-dnat"
	11
	12	echo "#!/bin/bash" > $script
	13	echo $iptables -t nat -F >> $script
	14	echo $iptables -t nat -X >> $script
	15	echo "echo -n \"Setting firewall rules \"" >> $script
	16
	17	# ===============================================================
f035230d	18	# Symetrical SNAT-DNAT using indexed iptables
a4f661fc	19	# ===============================================================
a4f661fc	20
f035230d	21	echo -n "Generating new iptables rules "
a4f661fc	22
f035230d	23	for czfip in `grep -v ^# $pimp_2way_nat\|cut -f 1 -d " "`
a4f661fc	24	do
f035230d	25	pubip=`grep "$czfip " $pimp_2way_nat\|cut -f 2 -d " "`
a4f661fc	26	czffirstindex=priv_`ipcalc -n $czfip/20\|grep Network\|cut -f 4 -d \ \|tr [./] _`
	27	czfsecondindex=priv_`ipcalc -n $czfip/23\|grep Network\|cut -f 4 -d \ \|tr [./] _`
	28	czfthirdindex=priv_`ipcalc -n $czfip/26\|grep Network\|cut -f 4 -d \ \|tr [./] _`
	29	pubfirstindex=pub_`ipcalc -n $pubip/27\|grep Network\|cut -f 4 -d \ \|tr [./] _`
	30	pubsecondindex=pub_`ipcalc -n $pubip/29\|grep Network\|cut -f 4 -d \ \|tr [./] _`
	31
a4f661fc	32	if ! grep $czffirstindex $script > /dev/null
	33	then
	34	echo $iptables -t nat -N $czffirstindex >> $script
	35	echo $iptables -t nat -F $czffirstindex >> $script
	36	echo $iptables -t nat -A POSTROUTING -s `ipcalc -n $czfip/20\|grep Network\|cut -f 4 -d \ ` -o eth1 -j $czffirstindex >> $script
	37	fi
	38
	39	if ! grep $czfsecondindex $script > /dev/null
	40	then
	41	echo $iptables -t nat -N $czfsecondindex >> $script
	42	echo $iptables -t nat -F $czfsecondindex >> $script
	43	echo $iptables -t nat -A $czffirstindex -s `ipcalc -n $czfip/23\|grep Network\|cut -f 4 -d \ ` -o eth1 -j $czfsecondindex >> $script
	44	fi
	45
	46	if ! grep $czfthirdindex $script > /dev/null
	47	then
	48	echo $iptables -t nat -N $czfthirdindex >> $script
	49	echo $iptables -t nat -F $czfthirdindex >> $script
	50	echo $iptables -t nat -A $czfsecondindex -s `ipcalc -n $czfip/26\|grep Network\|cut -f 4 -d \ ` -o eth1 -j $czfthirdindex >> $script
	51	fi
	52
	53	if ! grep $pubfirstindex $script > /dev/null
	54	then
	55	echo $iptables -t nat -N $pubfirstindex >> $script
	56	echo $iptables -t nat -F $pubfirstindex >> $script
	57	echo $iptables -t nat -A PREROUTING -i eth1 -d `ipcalc -n $pubip/27\|grep Network\|cut -f 4 -d \ ` -j $pubfirstindex >> $script
	58	fi
	59
	60	if ! grep $pubsecondindex $script > /dev/null
	61	then
	62	echo $iptables -t nat -N $pubsecondindex >> $script
	63	echo $iptables -t nat -F $pubsecondindex >> $script
	64	echo $iptables -t nat -A $pubfirstindex -i eth1 -d `ipcalc -n $pubip/29\|grep Network\|cut -f 4 -d \ ` -j $pubsecondindex >> $script
	65	fi
	66
	67	echo $iptables -t nat -A $pubsecondindex -i eth1 -d $pubip/32 -j DNAT --to-destination $czfip >> $script
	68	echo $iptables -t nat -A $pubsecondindex -i eth1 -d $pubip/32 -j ACCEPT >> $script
	69
	70	echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j SNAT --to-source $pubip >> $script
	71	echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j ACCEPT >> $script
	72
	73	echo -n .
	74	echo "echo -n ." >>$script
	75	done
	76	echo " done."
	77
	78	# ===============================================================
f035230d	79	# SNAT only using indexed iptables (should be rather function, hmm)
	80	# ===============================================================
	81
	82	for czfip in `grep -v ^# $pimp_snat\|cut -f 1 -d " "`
	83	do
	84	pubip=`grep "$czfip " $pimp_snat\|cut -f 2 -d " "`
	85	czffirstindex=priv_`ipcalc -n $czfip/20\|grep Network\|cut -f 4 -d \ \|tr [./] _`
	86	czfsecondindex=priv_`ipcalc -n $czfip/23\|grep Network\|cut -f 4 -d \ \|tr [./] _`
	87	czfthirdindex=priv_`ipcalc -n $czfip/26\|grep Network\|cut -f 4 -d \ \|tr [./] _`
	88
	89	if ! grep $czffirstindex $script > /dev/null
	90	then
	91	echo $iptables -t nat -N $czffirstindex >> $script
	92	echo $iptables -t nat -F $czffirstindex >> $script
	93	echo $iptables -t nat -A POSTROUTING -s `ipcalc -n $czfip/20\|grep Network\|cut -f 4 -d \ ` -o eth1 -j $czffirstindex >> $script
	94	fi
	95
	96	if ! grep $czfsecondindex $script > /dev/null
	97	then
	98	echo $iptables -t nat -N $czfsecondindex >> $script
	99	echo $iptables -t nat -F $czfsecondindex >> $script
	100	echo $iptables -t nat -A $czffirstindex -s `ipcalc -n $czfip/23\|grep Network\|cut -f 4 -d \ ` -o eth1 -j $czfsecondindex >> $script
	101	fi
	102
	103	if ! grep $czfthirdindex $script > /dev/null
	104	then
	105	echo $iptables -t nat -N $czfthirdindex >> $script
	106	echo $iptables -t nat -F $czfthirdindex >> $script
	107	echo $iptables -t nat -A $czfsecondindex -s `ipcalc -n $czfip/26\|grep Network\|cut -f 4 -d \ ` -o eth1 -j $czfthirdindex >> $script
	108	fi
	109
	110	echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j SNAT --to-source $pubip >> $script
	111	echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j ACCEPT >> $script
	112
	113	echo -n .
	114	echo "echo -n ." >>$script
	115	done
	116	echo " done."
	117
	118	# ===============================================================
	119	# Dashboard rules
a4f661fc	120	# ===============================================================
	121
	122	echo -n "Generating dashboard index rules "
	123
f035230d	124	for czfip in `grep ^10[.] $etchosts\|grep dashboard-\|cut -f 1`
a4f661fc	125	do
	126	czffirstindex=dash_`ipcalc -n $czfip/20\|grep Network\|cut -f 4 -d \ \|tr [./] _`
	127	czfsecondindex=dash_`ipcalc -n $czfip/23\|grep Network\|cut -f 4 -d \ \|tr [./] _`
	128	czfthirdindex=dash_`ipcalc -n $czfip/26\|grep Network\|cut -f 4 -d \ \|tr [./] _`
	129
	130	if ! grep $czffirstindex $script > /dev/null
	131	then
	132	echo $iptables -t nat -N $czffirstindex >> $script
	133	echo $iptables -t nat -F $czffirstindex >> $script
	134	echo $iptables -t nat -A PREROUTING -s `ipcalc -n $czfip/20\|grep Network\|cut -f 4 -d \ ` -i eth0 -j $czffirstindex >> $script
	135	fi
	136
	137	if ! grep $czfsecondindex $script > /dev/null
	138	then
	139	echo $iptables -t nat -N $czfsecondindex >> $script
	140	echo $iptables -t nat -F $czfsecondindex >> $script
	141	echo $iptables -t nat -A $czffirstindex -s `ipcalc -n $czfip/23\|grep Network\|cut -f 4 -d \ ` -i eth0 -j $czfsecondindex >> $script
	142	fi
	143
	144	if ! grep $czfthirdindex $script > /dev/null
	145	then
	146	echo $iptables -t nat -N $czfthirdindex >> $script
	147	echo $iptables -t nat -F $czfthirdindex >> $script
	148	echo $iptables -t nat -A $czfsecondindex -s `ipcalc -n $czfip/26\|grep Network\|cut -f 4 -d \ ` -i eth0 -j $czfthirdindex >> $script
	149	fi
	150
	151	echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -p tcp --dport 80 -j REDIRECT --to 8080 >> $script
	152	echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -p tcp --dport 3128 -j REDIRECT --to 8080 >> $script
	153	echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -p tcp --dport 8080 -j ACCEPT >> $script
	154	echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -j DROP >> $script
	155
	156	echo -n .
	157	echo "echo -n ." >>$script
	158
	159	done
	160	echo " done."
	161
	162	chmod a+x $script