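#!/bin/bash
# $Id$
#
# Generate an iptables-restore input file for the "nat" table from two host
# lists produced by optional-tools/make-pimp:
#
#   $pimp_2way_nat : "<private ip> <public ip>" per line -> 1:1 SNAT out / DNAT in
#   $pimp_snat     : "<private ip> <public ip>" per line -> SNAT out only
#
# Instead of one flat list of per-host rules, the rules are arranged as a tree
# of user chains keyed on successively longer prefixes of the address, so a
# packet only traverses a handful of chains before reaching its host rule:
#
#   POSTROUTING -(src in net/19, dst not 10/8, out wanN)-> priv_<net19>
#   priv_<net19> -(src in net/22)-> priv_<net22> -> priv_<net25> -> priv_<net28>
#   priv_<net28> -(src host/32, out wanN)-> SNAT --to-source <public ip>
#
#   PREROUTING -(in wanN, dst in net/26)-> pub_<net26> -> pub_<net29>
#   pub_<net29> -(in wanN, dst host/32)-> DNAT --to-destination <private ip>
#
# The result is written atomically (mv) to $restoredata; it is NOT loaded here.
#
# Security notes (review):
#  * The input lists live under fixed names in /dev/shm, a world-writable
#    tmpfs. Their contents are therefore treated as untrusted: lines are parsed
#    with `read -r` (the previous version ran `eval` on every line, which lets
#    anyone able to write those files execute commands as the user running
#    this script), and both fields must be dotted-quad IPv4 addresses before
#    they are written into the ruleset, so no extra iptables options can be
#    smuggled in.
#  * The scratch file is created with mktemp (mode 0600) instead of a fixed
#    name, so a pre-planted symlink in /dev/shm cannot redirect the writes.
#  * The previous sed-based conversion of a chain index to a match string
#    dropped the prefix length, leaving a bare network address which iptables
#    reads as /32; the dispatch rules now carry "<network>/<prefix>".

set -eu

# shellcheck disable=SC2034  # kept for callers/ops that source or grep this config
iptables="/sbin/iptables"
# shellcheck disable=SC2034
iptablesrestore="/sbin/iptables-restore"

# pimp files must be generated by optional-tools/make-pimp utility
pimp_2way_nat="/dev/shm/pimp-2way-nat.tmp"
pimp_snat="/dev/shm/pimp-snat.tmp"
# shellcheck disable=SC2034
etchosts="/mnt/mtdblock0/hosts"
restoredata="/mnt/mtdblock0/iptables-restore.in"
restoretmp=""   # filled in by mktemp in main()

wan1="vlan770"
wan2="vlan771"
wan3="vlan772"
wan4="vlan774"
wan_ifaces=("$wan1" "$wan2" "$wan3" "$wan4")

# Prefix lengths of the private-side chain tree, root to leaf.
czffirstbitmask="19"
czfsecondbitmask="22"
czfthirdbitmask="25"
czffourthbitmask="28"
priv_prefixes=("$czffirstbitmask" "$czfsecondbitmask" "$czfthirdbitmask" "$czffourthbitmask")

# Prefix lengths of the public-side chain tree, root to leaf.
pubfirstbitmask="26"
pubsecondbitmask="29"
pub_prefixes=("$pubfirstbitmask" "$pubsecondbitmask")

# Space-separated list of user chains already declared in the output.
chaintrack="_"

# Name of the leaf chain produced by the last ensure_*_tree call.
last_chain=""

# Print an error to stderr and abort; the EXIT trap removes the scratch file.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Append one line to the ruleset being generated (fd 3, opened in main()).
emit() {
  printf '%s\n' "$*" >&3
}

#######################################
# Return 0 iff $1 is a dotted-quad IPv4 address (each octet 0..255).
#######################################
is_ipv4() {
  local ip=$1 octet
  local re='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
  [[ "$ip" =~ $re ]] || return 1
  local IFS=.
  for octet in $ip; do
    # 10# forces decimal so leading zeros are not read as octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

# ===============================================================
# ipcalc rewrite
# ===============================================================
#######################################
# Compute the network address of "IP/CIDR" and print it as a chain-name
# safe string: "<a>_<b>_<c>_<d>_<cidr>" (e.g. 10.1.2.3/19 -> 10_1_0_0_19).
# Arguments: $1 - "ip/prefixlen"
# Outputs:   the index string on stdout
# Aborts via die() on a malformed address or prefix length.
#######################################
gen_ipt_string() {
  local ip cidr i mask full part octet out=""
  local -a bytes
  local cidr_re='^[0-9]+$'

  IFS=/ read -r ip cidr <<<"$1"
  is_ipv4 "$ip" || die "gen_ipt_string: bad address in '$1'"
  [[ "$cidr" =~ $cidr_re ]] && (( 10#$cidr <= 32 )) \
    || die "gen_ipt_string: bad prefix length in '$1'"
  cidr=$((10#$cidr))

  IFS=. read -r -a bytes <<<"$ip"
  full=$((cidr / 8))   # octets that are fully part of the network
  part=$((cidr % 8))   # network bits in the first partial octet

  # Build the mask octet by octet (avoids relying on 32-bit shift width)
  # and AND it with the address. Locals are reset on every call; the
  # previous version accumulated into an uninitialised global MASK and only
  # worked because it was always invoked inside a command substitution.
  for i in 0 1 2 3; do
    if (( i < full )); then
      mask=255
    elif (( i == full )); then
      mask=$(( 256 - (1 << (8 - part)) ))
    else
      mask=0
    fi
    octet=$(( 10#${bytes[i]} & mask ))
    out+="${octet}_"
  done
  printf '%s%s\n' "$out" "$cidr"
}

#######################################
# Convert a gen_ipt_string index back into an iptables match operand.
# Arguments: $1 - "<a>_<b>_<c>_<d>_<cidr>"
# Outputs:   "<a>.<b>.<c>.<d>/<cidr>"
#######################################
index_to_net() {
  local idx=$1 net=${1%_*}
  printf '%s/%s\n' "${net//_/.}" "${idx##*_}"
}

# Return 0 iff chain $1 has already been declared in this run.
# Delimited match, so one chain name cannot shadow a longer one.
have_chain() {
  [[ " $chaintrack " == *" $1 "* ]]
}

# Declare user chain $1 in the output and remember it.
declare_chain() {
  emit ":$1 - [0:0]"
  chaintrack="$1 $chaintrack"
}

#######################################
# Emit (once) the private-side chain tree for address $1 and set
# $last_chain to the leaf chain that receives the per-host SNAT rules.
# Globals: priv_prefixes, wan_ifaces, chaintrack, last_chain
#######################################
ensure_priv_tree() {
  local ip=$1 parent="POSTROUTING" prefix idx chain net wan
  for prefix in "${priv_prefixes[@]}"; do
    idx=$(gen_ipt_string "$ip/$prefix")
    chain="priv_$idx"
    if ! have_chain "$chain"; then
      declare_chain "$chain"
      net=$(index_to_net "$idx")
      for wan in "${wan_ifaces[@]}"; do
        if [[ "$parent" == "POSTROUTING" ]]; then
          # Root rule: only traffic leaving for non-10/8 destinations is
          # NATed. "-d ! x" is the legacy negation spelling; kept as the
          # original wrote it for the iptables-restore on this device.
          emit "-A POSTROUTING -d ! 10.0.0.0/8 -s $net -o $wan -j $chain"
        else
          emit "-A $parent -s $net -o $wan -j $chain"
        fi
      done
    fi
    parent=$chain
  done
  last_chain=$parent
}

#######################################
# Emit (once) the public-side chain tree for address $1 and set
# $last_chain to the leaf chain that receives the per-host DNAT rules.
# Globals: pub_prefixes, wan_ifaces, chaintrack, last_chain
#######################################
ensure_pub_tree() {
  local ip=$1 parent="PREROUTING" prefix idx chain net wan
  for prefix in "${pub_prefixes[@]}"; do
    idx=$(gen_ipt_string "$ip/$prefix")
    chain="pub_$idx"
    if ! have_chain "$chain"; then
      declare_chain "$chain"
      net=$(index_to_net "$idx")
      for wan in "${wan_ifaces[@]}"; do
        emit "-A $parent -i $wan -d $net -j $chain"
      done
    fi
    parent=$chain
  done
  last_chain=$parent
}

#######################################
# Process one host list.
# Arguments: $1 - path of the list ("<private ip> <public ip>" per line)
#            $2 - "2way" (SNAT + DNAT) or "snat" (SNAT only)
# Outputs:   one "." per host on stdout (progress), rules on fd 3
# Aborts on an unreadable file or a line that is not two IPv4 addresses.
#######################################
process_list() {
  local file=$1 mode=$2 czfip pubip rest wan snat_chain dnat_chain
  [[ -r "$file" ]] || die "cannot read $file"

  # `|| [[ -n ... ]]` still handles a last line without a newline.
  while read -r czfip pubip rest || [[ -n "$czfip" ]]; do
    [[ -z "$czfip" ]] && continue   # blank line
    # Untrusted input: anything that is not exactly two addresses is rejected
    # rather than written into the ruleset. Extra trailing columns ($rest)
    # are ignored, as the old awk-based parser did.
    is_ipv4 "$czfip" && is_ipv4 "$pubip" \
      || die "$file: malformed line: '$czfip $pubip $rest'"

    ensure_priv_tree "$czfip"
    snat_chain=$last_chain

    if [[ "$mode" == "2way" ]]; then
      ensure_pub_tree "$pubip"
      dnat_chain=$last_chain
      for wan in "${wan_ifaces[@]}"; do
        emit "-A $dnat_chain -i $wan -d $pubip/32 -j DNAT --to-destination $czfip"
      done
    fi

    for wan in "${wan_ifaces[@]}"; do
      emit "-A $snat_chain -s $czfip/32 -o $wan -j SNAT --to-source $pubip"
    done
    printf '.'
  done <"$file"
}

main() {
  # Private scratch file; removed on any exit path, and a no-op after the mv.
  restoretmp=$(mktemp /dev/shm/iptables-restore.XXXXXX) \
    || die "cannot create scratch file in /dev/shm"
  trap 'rm -f -- "$restoretmp"' EXIT
  exec 3>"$restoretmp"

  emit "*nat"
  emit ":PREROUTING ACCEPT [0:0]"
  emit ":POSTROUTING ACCEPT [0:0]"
  emit ":OUTPUT ACCEPT [0:0]"

  # ===============================================================
  # Symmetrical SNAT-DNAT using indexed iptables
  # ===============================================================
  printf 'Generating new iptables-restore data - two way SNAT/DNAT '
  process_list "$pimp_2way_nat" 2way
  printf ' done.\n'

  # ===============================================================
  # SNAT only using indexed iptables
  # ===============================================================
  printf 'Generating new iptables-restore data - one way SNAT '
  process_list "$pimp_snat" snat
  printf ' done.\n'

  emit "COMMIT"
  exec 3>&-

  printf 'Writing %s' "$restoredata"
  # Only a completely generated file ever replaces the previous one.
  mv -f -- "$restoretmp" "$restoredata" || die "cannot write $restoredata"
  printf '\n'
}

main "$@"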