[svn/Prometheus-QoS/.git] / optional-tools / make-iptables-restore

#!/bin/bash
# $Id$
iptables="/sbin/iptables"
iptablesrestore="/sbin/iptables-restore"

#pimp files must be generated by optional-tools/make-pimp utility
pimp_2way_nat="/dev/shm/pimp-2way-nat.tmp"
pimp_snat="/dev/shm/pimp-snat.tmp"
etchosts="/mnt/mtdblock0/hosts"
restoretmp="/dev/shm/iptables-restore.tmp"
restoredata="/mnt/mtdblock0/iptables-restore.in"
wan1="vlan770"
wan2="vlan771"
wan3="vlan772"
wan4="vlan774"
czffirstbitmask="19"
czfsecondbitmask="22"
czfthirdbitmask="25"
czffourthbitmask="28"
pubfirstbitmask="26"
pubsecondbitmask="29"
chaintrack="_"

# ===============================================================
#  ipcalc rewrite
# ===============================================================

gen_ipt_string() {
eval `echo $1 | awk -F\/ '{printf "IP=%s; CIDRMASK=%s; \n", $1, $2}'`

MASK_FULL_OCTETS=$(($CIDRMASK/8))
MASK_PART_OCTETS=$(($CIDRMASK%8))
for i in `seq 0 3`; do 
        if [ "$i" -lt "$MASK_FULL_OCTETS" ]; then
                MASK+="255"
        elif [ "$i" -eq "$MASK_FULL_OCTETS" ]; then
                MASK+=$((256 - 2**(8-$MASK_PART_OCTETS)))
        else
                MASK+="0"
        fi
        [ "$i" -lt "3" ] && MASK+="."
done

eval `echo $IP | awk -F\. '{printf "IPBYTE1=%s; IPBYTE2=%s; IPBYTE3=%s; IPBYTE4=%s; \n", $1, $2, $3, $4}'`
eval `echo $MASK | awk -F\. '{printf "MASKBYTE1=%s; MASKBYTE2=%s; MASKBYTE3=%s; MASKBYTE4=%s; \n", $1, $2, $3, $4}'`

IPT_STRING="$(($IPBYTE1 & $MASKBYTE1))_$(($IPBYTE2 & $MASKBYTE2))_$(($IPBYTE3 & $MASKBYTE3))_$(($IPBYTE4 & $MASKBYTE4))_$CIDRMASK"
echo $IPT_STRING
}

echo "*nat" > $restoretmp
echo ":PREROUTING ACCEPT [0:0]" >> $restoretmp
echo ":POSTROUTING ACCEPT [0:0]" >> $restoretmp
echo ":OUTPUT ACCEPT [0:0]" >> $restoretmp

# ===============================================================
#  Symetrical SNAT-DNAT using indexed iptables
# ===============================================================
echo -n "Generating new iptables-restore data - two way SNAT/DNAT "


while read LINE; do
 eval `echo -e $LINE | awk '{printf "czfip=%s; pubip=%s\n", $1, $2}'`
 czffirstindex=priv_`gen_ipt_string $czfip/$czffirstbitmask`
 czfsecondindex=priv_`gen_ipt_string $czfip/$czfsecondbitmask`
 czfthirdindex=priv_`gen_ipt_string $czfip/$czfthirdbitmask`
 czffourthindex=priv_`gen_ipt_string $czfip/$czffourthbitmask`
 pubfirstindex=pub_`gen_ipt_string $pubip/$pubfirstbitmask`
 pubsecondindex=pub_`gen_ipt_string $pubip/$pubsecondbitmask`

 if ! [[ "$chaintrack" == *"$czffirstindex"* ]]
 then
  echo :$czffirstindex "- [0:0]" >> $restoretmp
  s=`gen_ipt_string $czfip/$czffirstbitmask| sed 's/_[0-9]*//4; s/_/./g'`
  echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan1 -j $czffirstindex >> $restoretmp
  echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan2 -j $czffirstindex >> $restoretmp
  echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan3 -j $czffirstindex >> $restoretmp
  echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan4 -j $czffirstindex >> $restoretmp
  chaintrack=\ ${czffirstindex}\ ${chaintrack}
 fi

 if ! [[ "$chaintrack" == *"$czfsecondindex"* ]]
 then
  echo :$czfsecondindex "- [0:0]" >> $restoretmp
  s=`gen_ipt_string $czfip/$czfsecondbitmask| sed 's/_[0-9]*//4; s/_/./g'`
  echo -A $czffirstindex -s $s -o $wan1 -j $czfsecondindex >> $restoretmp
  echo -A $czffirstindex -s $s -o $wan2 -j $czfsecondindex >> $restoretmp
  echo -A $czffirstindex -s $s -o $wan3 -j $czfsecondindex >> $restoretmp
  echo -A $czffirstindex -s $s -o $wan4 -j $czfsecondindex >> $restoretmp
  chaintrack=\ ${czfsecondindex}\ ${chaintrack}
 fi

 if ! [[ "$chaintrack" == *"$czfthirdindex"* ]]
 then
  echo :$czfthirdindex "- [0:0]" >> $restoretmp
  s=`gen_ipt_string $czfip/$czfthirdbitmask| sed 's/_[0-9]*//4; s/_/./g'`
  echo -A $czfsecondindex -s $s -o $wan1 -j $czfthirdindex >> $restoretmp
  echo -A $czfsecondindex -s $s -o $wan2 -j $czfthirdindex >> $restoretmp
  echo -A $czfsecondindex -s $s -o $wan3 -j $czfthirdindex >> $restoretmp
  echo -A $czfsecondindex -s $s -o $wan4 -j $czfthirdindex >> $restoretmp
  chaintrack=\ ${czfthirdindex}\ ${chaintrack}
 fi

 if ! [[ "$chaintrack" == *"$czffourthindex"* ]]
 then
  echo :$czffourthindex "- [0:0]" >> $restoretmp
  s=`gen_ipt_string $czfip/$czffourthbitmask| sed 's/_[0-9]*//4; s/_/./g'`
  echo -A $czfthirdindex -s $s -o $wan1 -j $czffourthindex >> $restoretmp
  echo -A $czfthirdindex -s $s -o $wan2 -j $czffourthindex >> $restoretmp
  echo -A $czfthirdindex -s $s -o $wan3 -j $czffourthindex >> $restoretmp
  echo -A $czfthirdindex -s $s -o $wan4 -j $czffourthindex >> $restoretmp
  chaintrack=\ ${czffourthindex}\ ${chaintrack}
 fi

 if ! [[ "$chaintrack" == *"$pubfirstindex"* ]]
 then
  echo :$pubfirstindex "- [0:0]" >> $restoretmp
  s=`gen_ipt_string $pubip/$pubfirstbitmask| sed 's/_[0-9]*//4; s/_/./g'`
  echo -A PREROUTING -i $wan1 -d $s -j $pubfirstindex >> $restoretmp
  echo -A PREROUTING -i $wan2 -d $s -j $pubfirstindex >> $restoretmp
  echo -A PREROUTING -i $wan3 -d $s -j $pubfirstindex >> $restoretmp
  echo -A PREROUTING -i $wan4 -d $s -j $pubfirstindex >> $restoretmp
  chaintrack=\ ${pubfirstindex}\ ${chaintrack}
 fi

 if ! [[ "$chaintrack" == *"$pubsecondindex"* ]]
 then
  echo :$pubsecondindex "- [0:0]" >> $restoretmp
  s=`gen_ipt_string $pubip/$pubsecondbitmask| sed 's/_[0-9]*//4; s/_/./g'`
  echo -A $pubfirstindex -i $wan1 -d $s -j $pubsecondindex >> $restoretmp
  echo -A $pubfirstindex -i $wan2 -d $s -j $pubsecondindex >> $restoretmp
  echo -A $pubfirstindex -i $wan3 -d $s -j $pubsecondindex >> $restoretmp
  echo -A $pubfirstindex -i $wan4 -d $s -j $pubsecondindex >> $restoretmp
  chaintrack=\ ${pubsecondindex}\ ${chaintrack}
 fi

 echo -A $pubsecondindex -i $wan1 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoretmp
 echo -A $pubsecondindex -i $wan2 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoretmp
 echo -A $pubsecondindex -i $wan3 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoretmp
 echo -A $pubsecondindex -i $wan4 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoretmp

 echo -A $czffourthindex -s $czfip/32 -o $wan1 -j SNAT --to-source $pubip >> $restoretmp
 echo -A $czffourthindex -s $czfip/32 -o $wan2 -j SNAT --to-source $pubip >> $restoretmp
 echo -A $czffourthindex -s $czfip/32 -o $wan3 -j SNAT --to-source $pubip >> $restoretmp
 echo -A $czffourthindex -s $czfip/32 -o $wan4 -j SNAT --to-source $pubip >> $restoretmp

 echo -n .

done < $pimp_2way_nat
echo " done."

# ===============================================================
#  SNAT only using indexed iptables (should be rather function, hmm)
# ===============================================================
echo -n "Generating new iptables-restore data - one way SNAT "

while read LINE; do
 eval `echo -e $LINE | awk '{printf "czfip=%s; pubip=%s\n", $1, $2}'`
 czffirstindex=priv_`gen_ipt_string $czfip/$czffirstbitmask`
 czfsecondindex=priv_`gen_ipt_string $czfip/$czfsecondbitmask`
 czfthirdindex=priv_`gen_ipt_string $czfip/$czfthirdbitmask`
 czffourthindex=priv_`gen_ipt_string $czfip/$czffourthbitmask`

 if ! [[ "$chaintrack" == *"$czffirstindex"* ]]
 then
  echo :$czffirstindex "- [0:0]" >> $restoretmp
  s=`gen_ipt_string $czfip/$czffirstbitmask| sed 's/_[0-9]*//4; s/_/./g'`
  echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan1 -j $czffirstindex >> $restoretmp
  echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan2 -j $czffirstindex >> $restoretmp
  echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan3 -j $czffirstindex >> $restoretmp
  echo -A POSTROUTING -d ! 10.0.0.0/8 -s $s -o $wan4 -j $czffirstindex >> $restoretmp
  chaintrack=\ ${czffirstindex}\ ${chaintrack}
 fi

 if ! [[ "$chaintrack" == *"$czfsecondindex"* ]]
 then
  echo :$czfsecondindex "- [0:0]" >> $restoretmp
  s=`gen_ipt_string $czfip/$czfsecondbitmask| sed 's/_[0-9]*//4; s/_/./g'`
  echo -A $czffirstindex -s $s -o $wan1 -j $czfsecondindex >> $restoretmp
  echo -A $czffirstindex -s $s -o $wan2 -j $czfsecondindex >> $restoretmp
  echo -A $czffirstindex -s $s -o $wan3 -j $czfsecondindex >> $restoretmp
  echo -A $czffirstindex -s $s -o $wan4 -j $czfsecondindex >> $restoretmp
  chaintrack=\ ${czfsecondindex}\ ${chaintrack}
 fi

 if ! [[ "$chaintrack" == *"$czfthirdindex"* ]]
 then
  echo :$czfthirdindex "- [0:0]" >> $restoretmp
  s=`gen_ipt_string $czfip/$czfthirdbitmask| sed 's/_[0-9]*//4; s/_/./g'`
  echo -A $czfsecondindex -s $s -o $wan1 -j $czfthirdindex >> $restoretmp
  echo -A $czfsecondindex -s $s -o $wan2 -j $czfthirdindex >> $restoretmp
  echo -A $czfsecondindex -s $s -o $wan3 -j $czfthirdindex >> $restoretmp
  echo -A $czfsecondindex -s $s -o $wan4 -j $czfthirdindex >> $restoretmp
  chaintrack=\ ${czfthirdindex}\ ${chaintrack}
 fi

 if ! [[ "$chaintrack" == *"$czffourthindex"* ]]
 then
  echo :$czffourthindex "- [0:0]" >> $restoretmp
  s=`gen_ipt_string $czfip/$czffourthbitmask| sed 's/_[0-9]*//4; s/_/./g'`
  echo -A $czfthirdindex -s $s -o $wan1 -j $czffourthindex >> $restoretmp
  echo -A $czfthirdindex -s $s -o $wan2 -j $czffourthindex >> $restoretmp
  echo -A $czfthirdindex -s $s -o $wan3 -j $czffourthindex >> $restoretmp
  echo -A $czfthirdindex -s $s -o $wan4 -j $czffourthindex >> $restoretmp
  chaintrack=\ ${czffourthindex}\ ${chaintrack}
 fi

 echo -A $czffourthindex -s $czfip/32 -o $wan1 -j SNAT --to-source $pubip >> $restoretmp
 echo -A $czffourthindex -s $czfip/32 -o $wan2 -j SNAT --to-source $pubip >> $restoretmp
 echo -A $czffourthindex -s $czfip/32 -o $wan3 -j SNAT --to-source $pubip >> $restoretmp
 echo -A $czffourthindex -s $czfip/32 -o $wan4 -j SNAT --to-source $pubip >> $restoretmp

 echo -n .
done < $pimp_snat
echo " done."

echo COMMIT >> $restoretmp
echo -n "Writing $restoredata"
mv $restoretmp $restoredata