optional hosts-based snat-dnat tools modified to generate iptables restore config

git-svn-id: https://dev.arachne.cz/repos/prometheus/trunk@140 251d49ef-1d17-4917-a970-b30cf55b089b

diff --git a/optional-tools/make-firewall b/optional-tools/make-firewall
index 239f478047a41ca8872c12e361df70011416a765..ca1fc6a6bd04d7bc3db9af1467193f4034399594 100755 (executable)
--- a/optional-tools/make-firewall
+++ b/optional-tools/make-firewall
@@ -1,14 +1,9 @@
 #!/bin/bash
-#
-# requires:
-#
-# /rw/etc/hosts ... configuration file for dashboard and snat/dnat
-# parses Prometheus compatible nodelist and generates some firewall
-# rules
-#
-./make-pimp
-./make-snat-dnat
-#
-# /rw/etc/network/snat-dnat is generated by make-snat-dnat
-#
-/rw/etc/network/snat-dnat
+cd /root/bin/
+/root/bin/updatehosts
+/root/bin/make-pimp
+/root/bin/make-iptables-restore
+/etc/network/setnet
+#echo -n "Running iptables restore ... "
+#/sbin/iptables-restore < /mnt/mtdblock0/iptables-restore.in
+#echo "done."

diff --git a/optional-tools/make-iptables-restore b/optional-tools/make-iptables-restore
new file mode 100755 (executable)
index 0000000..666d15b
--- /dev/null
+++ b/optional-tools/make-iptables-restore
@@ -0,0 +1,142 @@
+#!/bin/bash
+iptables="/sbin/iptables"
+iptablesrestore="/sbin/iptables-restore"
+ifconfig="/sbin/ifconfig"
+
+#pimp files must be generated by optional-tools/make-pimp utility
+pimp_2way_nat="/mnt/mtdblock0/pimp-2way-nat.tmp"
+pimp_snat="/mnt/mtdblock0/pimp-snat.tmp"
+etchosts="/mnt/mtdblock0/hosts"
+restoredata="/mnt/mtdblock0/iptables-restore.in"
+wan1="vlan770"
+wan2="vlan771"
+wan3="vlan772"
+
+echo "*nat" > $restoredata
+echo ":PREROUTING ACCEPT [0:0]" >> $restoredata
+echo ":POSTROUTING ACCEPT [0:0]" >> $restoredata
+echo ":OUTPUT ACCEPT [0:0]" >> $restoredata
+
+# ===============================================================
+#  Symetrical SNAT-DNAT using indexed iptables
+# ===============================================================
+
+echo -n "Generating new iptables-restore data - two way SNAT/DNAT "
+
+for czfip in `grep -v ^# $pimp_2way_nat|cut -f 1 -d " "`
+do
+ pubip=`grep "$czfip " $pimp_2way_nat|cut -f 2 -d " "`
+ czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
+ pubfirstindex=pub_`ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ |tr [./] _`
+ pubsecondindex=pub_`ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ |tr [./] _`
+
+ if ! grep $czffirstindex $restoredata > /dev/null
+ then
+  echo :$czffirstindex "- [0:0]" >> $restoredata
+  echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czffirstindex >> $restoredata
+  echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czffirstindex >> $restoredata
+  echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czffirstindex >> $restoredata
+ fi
+
+ if ! grep $czfsecondindex $restoredata > /dev/null
+ then
+  echo :$czfsecondindex "- [0:0]" >> $restoredata
+  echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfsecondindex >> $restoredata
+  echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfsecondindex >> $restoredata
+  echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfsecondindex >> $restoredata
+ fi
+
+ if ! grep $czfthirdindex $restoredata > /dev/null
+ then
+  echo :$czfthirdindex "- [0:0]" >> $restoredata
+  echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfthirdindex >> $restoredata
+  echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfthirdindex >> $restoredata
+  echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfthirdindex >> $restoredata
+ fi
+
+ if ! grep $pubfirstindex $restoredata > /dev/null
+ then
+  echo :$pubfirstindex "- [0:0]" >> $restoredata
+  echo -A PREROUTING -i $wan1 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $restoredata
+  echo -A PREROUTING -i $wan2 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $restoredata
+  echo -A PREROUTING -i $wan3 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $restoredata
+ fi
+
+ if ! grep $pubsecondindex $restoredata > /dev/null
+ then
+  echo :$pubsecondindex "- [0:0]" >> $restoredata
+  echo -A $pubfirstindex -i $wan1 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $restoredata
+  echo -A $pubfirstindex -i $wan2 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $restoredata
+  echo -A $pubfirstindex -i $wan3 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $restoredata
+ fi
+
+ echo -A $pubsecondindex -i $wan1 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoredata
+ echo -A $pubsecondindex -i $wan2 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoredata
+ echo -A $pubsecondindex -i $wan3 -d $pubip/32 -j DNAT --to-destination $czfip >> $restoredata
+ echo -A $pubsecondindex -i $wan1 -d $pubip/32 -j ACCEPT >> $restoredata
+ echo -A $pubsecondindex -i $wan2 -d $pubip/32 -j ACCEPT >> $restoredata
+ echo -A $pubsecondindex -i $wan3 -d $pubip/32 -j ACCEPT >> $restoredata
+
+
+ echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j ACCEPT >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j ACCEPT >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j ACCEPT >> $restoredata
+
+ echo -n .
+done
+echo " done."
+
+echo -n "Generating new iptables-restore data - one way SNAT "
+
+# ===============================================================
+#  SNAT only using indexed iptables (should be rather function, hmm)
+# ===============================================================
+
+for czfip in `grep -v ^# $pimp_snat|cut -f 1 -d " "`
+do
+ pubip=`grep "$czfip " $pimp_snat|cut -f 2 -d " "`
+ czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
+ czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
+
+ if ! grep $czffirstindex $restoredata > /dev/null
+ then
+  echo :$czffirstindex "- [0:0]" >> $restoredata
+  echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czffirstindex >> $restoredata
+  echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czffirstindex >> $restoredata
+  echo -A POSTROUTING -d ! 10.0.0.0/8 -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czffirstindex >> $restoredata
+ fi
+
+ if ! grep $czfsecondindex $restoredata > /dev/null
+ then
+  echo :$czfsecondindex "- [0:0]" >> $restoredata
+  echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfsecondindex >> $restoredata
+  echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfsecondindex >> $restoredata
+  echo -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfsecondindex >> $restoredata
+ fi
+
+ if ! grep $czfthirdindex $restoredata > /dev/null
+ then
+  echo :$czfthirdindex "- [0:0]" >> $restoredata
+  echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan1 -j $czfthirdindex >> $restoredata
+  echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan2 -j $czfthirdindex >> $restoredata
+  echo -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o $wan3 -j $czfthirdindex >> $restoredata
+ fi
+
+ echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j SNAT --to-source $pubip >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan1 -j ACCEPT >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan2 -j ACCEPT >> $restoredata
+ echo -A $czfthirdindex -s $czfip/32 -o $wan3 -j ACCEPT >> $restoredata
+
+ echo -n .
+done
+echo " done."
+
+echo COMMIT >> $restoredata

diff --git a/optional-tools/make-pimp b/optional-tools/make-pimp
index 2c0f59d21528dedb54fee1bceff2f63279fcd4cc..cdd62641f125922898268b0575b36bfcf6b08e27 100755 (executable)
--- a/optional-tools/make-pimp
+++ b/optional-tools/make-pimp
@@ -1,7 +1,7 @@
 #!/bin/bash
-pimp_2way_nat="/rw/var/run/pimp-2way-nat.tmp"
-pimp_snat="/rw/var/run/pimp-snat.tmp"
-etchosts="/rw/etc/hosts"
+pimp_2way_nat="/mnt/mtdblock0/pimp-2way-nat.tmp"
+pimp_snat="/mnt/mtdblock0/pimp-snat.tmp"
+etchosts="/mnt/mtdblock0/hosts"
 
 echo -n "Writing $pimp_2way_nat"
 echo "#This file was generated by Prometheus-tools/make-pimp" > $pimp_2way_nat
@@ -21,7 +21,7 @@ echo "#This file was generated by Prometheus-tools/make-pimp" > $pimp_snat
 for czfip in `grep -v ^# $etchosts|grep "("|cut -f 1`
 do
  pubip=`grep "^$czfip  " $etchosts|cut -f 2 -d "("|cut -f 1 -d ")"`
- if ! [ -z $pubip ] 
+ if ! [ -z "$pubip" ] 
  then
   echo "$czfip $pubip" >> $pimp_snat
   echo -n .  

diff --git a/optional-tools/make-snat-dnat b/optional-tools/make-snat-dnat
deleted file mode 100755 (executable)
index 3785557..0000000
--- a/optional-tools/make-snat-dnat
+++ /dev/null
@@ -1,162 +0,0 @@
-#!/bin/bash
-
-iptables="/sbin/iptables"
-ifconfig="/sbin/ifconfig"
-
-#pimp files must be generated by optional-tools/make-pimp utility
-pimp_2way_nat="/rw/var/run/pimp-2way-nat.tmp"
-pimp_snat="/rw/var/run/pimp-snat.tmp"
-etchosts="/rw/etc/hosts"
-script="/rw/etc/network/snat-dnat"
-
-echo "#!/bin/bash" > $script
-echo $iptables -t nat -F >> $script
-echo $iptables -t nat -X >> $script
-echo "echo -n \"Setting firewall rules \"" >> $script
-
-# ===============================================================
-#  Symetrical SNAT-DNAT using indexed iptables
-# ===============================================================
-
-echo -n "Generating new iptables rules "
-
-for czfip in `grep -v ^# $pimp_2way_nat|cut -f 1 -d " "`
-do
- pubip=`grep "$czfip " $pimp_2way_nat|cut -f 2 -d " "`
- czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
- czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
- czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
- pubfirstindex=pub_`ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ |tr [./] _`
- pubsecondindex=pub_`ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ |tr [./] _`
-
- if ! grep $czffirstindex $script > /dev/null
- then
-  echo $iptables -t nat -N $czffirstindex >> $script
-  echo $iptables -t nat -F $czffirstindex >> $script
-  echo $iptables -t nat -A POSTROUTING -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o eth1 -j $czffirstindex >> $script
- fi
-
- if ! grep $czfsecondindex $script > /dev/null
- then
-  echo $iptables -t nat -N $czfsecondindex >> $script
-  echo $iptables -t nat -F $czfsecondindex >> $script
-  echo $iptables -t nat -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfsecondindex >> $script
- fi
-
- if ! grep $czfthirdindex $script > /dev/null
- then
-  echo $iptables -t nat -N $czfthirdindex >> $script
-  echo $iptables -t nat -F $czfthirdindex >> $script
-  echo $iptables -t nat -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfthirdindex >> $script
- fi
-
- if ! grep $pubfirstindex $script > /dev/null
- then
-  echo $iptables -t nat -N $pubfirstindex >> $script
-  echo $iptables -t nat -F $pubfirstindex >> $script
-  echo $iptables -t nat -A PREROUTING -i eth1 -d `ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ ` -j $pubfirstindex >> $script
- fi
-
- if ! grep $pubsecondindex $script > /dev/null
- then
-  echo $iptables -t nat -N $pubsecondindex >> $script
-  echo $iptables -t nat -F $pubsecondindex >> $script
-  echo $iptables -t nat -A $pubfirstindex -i eth1 -d `ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ ` -j $pubsecondindex >> $script
- fi
-
- echo $iptables -t nat -A $pubsecondindex -i eth1 -d $pubip/32 -j DNAT --to-destination $czfip >> $script
- echo $iptables -t nat -A $pubsecondindex -i eth1 -d $pubip/32 -j ACCEPT >> $script
-
- echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j SNAT --to-source $pubip >> $script
- echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j ACCEPT >> $script
-
- echo -n .
- echo "echo -n ." >>$script
-done
-echo " done."
-
-# ===============================================================
-#  SNAT only using indexed iptables (should be rather function, hmm)
-# ===============================================================
-
-for czfip in `grep -v ^# $pimp_snat|cut -f 1 -d " "`
-do
- pubip=`grep "$czfip " $pimp_snat|cut -f 2 -d " "`
- czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
- czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
- czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
-
- if ! grep $czffirstindex $script > /dev/null
- then
-  echo $iptables -t nat -N $czffirstindex >> $script
-  echo $iptables -t nat -F $czffirstindex >> $script
-  echo $iptables -t nat -A POSTROUTING -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o eth1 -j $czffirstindex >> $script
- fi
-
- if ! grep $czfsecondindex $script > /dev/null
- then
-  echo $iptables -t nat -N $czfsecondindex >> $script
-  echo $iptables -t nat -F $czfsecondindex >> $script
-  echo $iptables -t nat -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfsecondindex >> $script
- fi
-
- if ! grep $czfthirdindex $script > /dev/null
- then
-  echo $iptables -t nat -N $czfthirdindex >> $script
-  echo $iptables -t nat -F $czfthirdindex >> $script
-  echo $iptables -t nat -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfthirdindex >> $script
- fi
-
- echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j SNAT --to-source $pubip >> $script
- echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j ACCEPT >> $script
-
- echo -n .
- echo "echo -n ." >>$script
-done
-echo " done."
-
-# ===============================================================
-#  Dashboard rules
-# ===============================================================
-
-echo -n "Generating dashboard index rules "
-
-for czfip in `grep ^10[.] $etchosts|grep dashboard-|cut -f 1`
-do
- czffirstindex=dash_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _`
- czfsecondindex=dash_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`
- czfthirdindex=dash_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _`
-
- if ! grep $czffirstindex $script > /dev/null
- then
-  echo $iptables -t nat -N $czffirstindex >> $script
-  echo $iptables -t nat -F $czffirstindex >> $script
-  echo $iptables -t nat -A PREROUTING -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -i eth0 -j $czffirstindex >> $script
- fi
-
- if ! grep $czfsecondindex $script > /dev/null
- then
-  echo $iptables -t nat -N $czfsecondindex >> $script
-  echo $iptables -t nat -F $czfsecondindex >> $script
-  echo $iptables -t nat -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -i eth0 -j $czfsecondindex >> $script
- fi
-
- if ! grep $czfthirdindex $script > /dev/null
- then
-  echo $iptables -t nat -N $czfthirdindex >> $script
-  echo $iptables -t nat -F $czfthirdindex >> $script
-  echo $iptables -t nat -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -i eth0 -j $czfthirdindex >> $script
- fi
-
- echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -p tcp --dport 80 -j REDIRECT --to 8080 >> $script
- echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -p tcp --dport 3128 -j REDIRECT --to 8080  >> $script
- echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -p tcp --dport 8080 -j ACCEPT >> $script
- echo $iptables -t nat -A $czfthirdindex -s $czfip -d ! 10.0.0.0/8 -j DROP  >> $script
-
- echo -n .
- echo "echo -n ." >>$script
-
-done
-echo " done."
-
-chmod a+x $script