X-Git-Url: https://git.harvie.cz/?p=svn%2FPrometheus-QoS%2F.git;a=blobdiff_plain;f=optional-tools%2Fmake-snat-dnat;h=3785557d47e96894e9fa3639cee2bb2af0c5bde2;hp=165dc6e0fb75be5fa348378d64cfa10b28dad47d;hb=f035230d28accdddb1e3043400246369bdff590d;hpb=b17a255ff81c823eb399f66001df8d4a8f9f23d3
diff --git a/optional-tools/make-snat-dnat b/optional-tools/make-snat-dnat
index 165dc6e..3785557 100755
--- a/optional-tools/make-snat-dnat
+++ b/optional-tools/make-snat-dnat
@@ -3,8 +3,10 @@
 iptables="/sbin/iptables"
 ifconfig="/sbin/ifconfig"
-#pimp.conf should be regularly updated!
-pimp="/rw/etc/pimp.conf"
+#pimp files must be generated by optional-tools/make-pimp utility
+pimp_2way_nat="/rw/var/run/pimp-2way-nat.tmp"
+pimp_snat="/rw/var/run/pimp-snat.tmp"
+etchosts="/rw/etc/hosts"
 script="/rw/etc/network/snat-dnat"
 echo "#!/bin/bash" > $script
@@ -13,21 +15,20 @@ echo $iptables -t nat -X >> $script
 echo "echo -n \"Setting firewall rules \"" >> $script
 # ===============================================================
-# Symetricky SNAT-DNAT, zarazeny do indexovanych iptables
+# Symetrical SNAT-DNAT using indexed iptables
 # ===============================================================
-echo -n "Generating new pimp index rules "
+echo -n "Generating new iptables rules "
-for czfip in `grep -v ^# $pimp|cut -f 1 -d " "`
+for czfip in `grep -v ^# $pimp_2way_nat|cut -f 1 -d " "`
 do
- pubip=`grep "$czfip " $pimp|cut -f 2 -d " "`
+ pubip=`grep "$czfip " $pimp_2way_nat|cut -f 2 -d " "`
 czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
 czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
 czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
 pubfirstindex=pub_`ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ |tr [./] _`
 pubsecondindex=pub_`ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ |tr [./] _`
-
 if ! grep $czffirstindex $script > /dev/null
 then
 echo $iptables -t nat -N $czffirstindex >> $script
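Review bot: The new input paths `$pimp_2way_nat` and `$pimp_snat` are generated temp files, but nothing checks that they exist before the generator truncates `$script` with `>` and (per the second hunk's context) emits the `-t nat -F` / `-t nat -X` flush lines; if make-pimp has not run yet, `grep -v ^# $pimp_2way_nat` only prints an error, every loop body is skipped, and the resulting snat-dnat script will flush the nat table and install no NAT rules at all. I would fail early right after the assignments: `for f in "$pimp_2way_nat" "$pimp_snat"; do [ -s "$f" ] || { echo "make-snat-dnat: missing or empty $f, run make-pimp first" >&2; exit 1; }; done`. Whether /rw/var/run is writable only by the user running make-pimp is not visible here; since these files end up as arguments of a root-run iptables script, that is worth confirming in the comment, e.g. `#pimp files must be generated by optional-tools/make-pimp utility (keep /rw/var/run root-only: they feed a root-run iptables script)`.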
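Review bot: The renamed lookup `pubip=`grep "$czfip " $pimp_2way_nat|cut -f 2 -d " "`` is still an unanchored regex in which the dots of the address match any character, so `10.1.1.1 ` also matches lines such as `110.1.1.1 ` or `10x1.1.1 `; with more than one hit, `$pubip` becomes several words that are then fed unquoted into the generated rules (the `--to-source $pubip` line is below this hunk) and into the `ipcalc -n $pubip/27` calls visible here. An exact first-field match avoids both problems: `pubip=$(awk -v ip="$czfip" '$1 == ip { print $2; exit }' "$pimp_2way_nat")`. Note also that `grep -v ^#` does not skip blank lines, so an empty line in the generated file presumably yields an empty `$czfip` and an `ipcalc -n /20` call — worth confirming against make-pimp's output format. The `for czfip` loop body continues past the end of this hunk.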
@@ -75,12 +76,52 @@ done
 echo " done."
 # ===============================================================
-# Pravidla pro dashboard
+# SNAT only using indexed iptables (should be rather function, hmm)
+# ===============================================================
+
+for czfip in `grep -v ^# $pimp_snat|cut -f 1 -d " "`
+do
+ pubip=`grep "$czfip " $pimp_snat|cut -f 2 -d " "`
+ czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
+
+ if ! grep $czffirstindex $script > /dev/null
+ then
+ echo $iptables -t nat -N $czffirstindex >> $script
+ echo $iptables -t nat -F $czffirstindex >> $script
+ echo $iptables -t nat -A POSTROUTING -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o eth1 -j $czffirstindex >> $script
+ fi
+
+ if ! grep $czfsecondindex $script > /dev/null
+ then
+ echo $iptables -t nat -N $czfsecondindex >> $script
+ echo $iptables -t nat -F $czfsecondindex >> $script
+ echo $iptables -t nat -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfsecondindex >> $script
+ fi
+
+ if ! grep $czfthirdindex $script > /dev/null
+ then
+ echo $iptables -t nat -N $czfthirdindex >> $script
+ echo $iptables -t nat -F $czfthirdindex >> $script
+ echo $iptables -t nat -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfthirdindex >> $script
+ fi
+
+ echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j SNAT --to-source $pubip >> $script
+ echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j ACCEPT >> $script
+
+ echo -n .
+ echo "echo -n ." >>$script
+done
+echo " done."
+
+# ===============================================================
+# Dashboard rules
 # ===============================================================
 echo -n "Generating dashboard index rules "
-for czfip in `grep ^10[.] /etc/hosts|grep dashboard-|cut -f 1`
+for czfip in `grep ^10[.] $etchosts|grep dashboard-|cut -f 1`
 do
 czffirstindex=dash_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
 czfsecondindex=dash_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`