From: xchaos
Date: Fri, 5 Sep 2008 16:13:11 +0000 (+0000)
Subject: SNAT-only (firwalled) version of public-ip mapping (/optional-tools/make-snat-dnat...
X-Git-Url: https://git.harvie.cz/?p=svn%2FPrometheus-QoS%2F.git;a=commitdiff_plain;h=f035230d28accdddb1e3043400246369bdff590d;hp=b17a255ff81c823eb399f66001df8d4a8f9f23d3

SNAT-only (firwalled) version of public-ip mapping (/optional-tools/make-snat-dnat and optional-tools/make-pimp)

git-svn-id: https://dev.arachne.cz/repos/prometheus/trunk@95 251d49ef-1d17-4917-a970-b30cf55b089b
---
diff --git a/examples/hosts b/examples/hosts
index fcfa610..1780cc7 100644
--- a/examples/hosts
+++ b/examples/hosts
@@ -557,7 +557,7 @@
 10.XX.4.21 nadkajetankou11.xchaos #wifi-plus-256-640
 10.XX.4.65 bridge-xchaos.dave263 dave263
 10.XX.4.66 pc.dave263 #[XX.YY.90.18] wifi-normal-128-896
-10.XX.4.67 nb.dave263 #sharing-pc.dave263
+10.XX.4.67 nb.dave263 #(XX.YY.90.18) sharing-pc.dave263
 10.XX.4.68 soused.dave263 #wifi-normal-128-512
 10.XX.4.90 bridge-xchaos.cisticz-hq cisticz-hq cisticz
 10.XX.4.91 91-4.cisticz-hq #wifi-plus-256-256
diff --git a/optional-tools/make-pimp b/optional-tools/make-pimp
index 563725d..6a1d69a 100755
--- a/optional-tools/make-pimp
+++ b/optional-tools/make-pimp
@@ -1,15 +1,29 @@ #!/bin/bash -pimp=/rw/etc/pimp.conf -etchosts=/rw/etc/hosts +pimp_2way_nat="/rw/var/run/pimp-2way-nat.tmp" +pimp_snat="/rw/var/run/pimp-snat.tmp" +etchosts="/rw/etc/hosts" -echo -n "Writing $pimp " -echo "#This is $pimp generated by Prometheus-tools/make-pimp" > $pimp +echo -n "Writing $pimp_2way_nat" +echo "#This file was generated by Prometheus-tools/make-pimp" > $pimp_2way_nat for czfip in `grep [[] $etchosts|cut -f 1` do pubip=`grep "^$czfip " $etchosts|cut -f 2 -d "["|cut -f 1 -d "]"` if ! [ -z $pubip ] then - echo "$czfip $pubip" >> $pimp + echo "$czfip $pubip" >> $pimp_2way_nat + echo -n . + fi +done +echo " done." + +echo -n "Writing $pimp_snat" +echo "#This file was generated by Prometheus-tools/make-pimp" > $pimp_snat +for czfip in `grep "(" $etchosts|cut -f 1` +do + pubip=`grep "^$czfip " $etchosts|cut -f 2 -d "("|cut -f 1 -d ")"` + if ! [ -z $pubip ] + then + echo "$czfip $pubip" >> $pimp_snat echo -n . fi done diff --git a/optional-tools/make-snat-dnat b/optional-tools/make-snat-dnat index 165dc6e..3785557 100755 --- a/optional-tools/make-snat-dnat +++ b/optional-tools/make-snat-dnat @@ -3,8 +3,10 @@ iptables="/sbin/iptables" ifconfig="/sbin/ifconfig" -#pimp.conf should be regularly updated! -pimp="/rw/etc/pimp.conf" +#pimp files must be generated by optional-tools/make-pimp utility +pimp_2way_nat="/rw/var/run/pimp-2way-nat.tmp" +pimp_snat="/rw/var/run/pimp-snat.tmp" +etchosts="/rw/etc/hosts" script="/rw/etc/network/snat-dnat" echo "#!/bin/bash" > $script 
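Review bot: The new `(`-loop writes `pubip` — whatever text sits between the first `(` and the next `)` on a matching hosts line — into `$pimp_snat` with no check that it is an IPv4 address, and make-snat-dnat later splices that value unquoted into the generated `/rw/etc/network/snat-dnat` shell script (as the `--to-source` argument in the later hunk), which has to run with the privileges iptables needs, so a malformed or stray parenthesised comment in `/rw/etc/hosts` ends up as text in that script. The `grep "("` selector also matches a `(` anywhere on the line, not only in the trailing comment, and the unquoted `[ -z $pubip ]` errors out rather than rejecting a value that contains whitespace. Replace the emptiness test with a shape check before appending, `if [[ "$pubip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]` (the file is `#!/bin/bash`, so `[[ =~ ]]` is available), and apply the same check in the `[`-loop above it. Since this hunk duplicates that loop almost verbatim, a small function taking the two delimiter characters and the output file would keep the validation in one place.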
@@ -13,21 +15,20 @@ echo $iptables -t nat -X >> $script echo "echo -n \"Setting firewall rules \"" >> $script # =============================================================== -# Symetricky SNAT-DNAT, zarazeny do indexovanych iptables +# Symetrical SNAT-DNAT using indexed iptables # =============================================================== -echo -n "Generating new pimp index rules " +echo -n "Generating new iptables rules " -for czfip in `grep -v ^# $pimp|cut -f 1 -d " "` +for czfip in `grep -v ^# $pimp_2way_nat|cut -f 1 -d " "` do - pubip=`grep "$czfip " $pimp|cut -f 2 -d " "` + pubip=`grep "$czfip " $pimp_2way_nat|cut -f 2 -d " "` czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _` czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _` czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _` pubfirstindex=pub_`ipcalc -n $pubip/27|grep Network|cut -f 4 -d \ |tr [./] _` pubsecondindex=pub_`ipcalc -n $pubip/29|grep Network|cut -f 4 -d \ |tr [./] _` - if ! grep $czffirstindex $script > /dev/null then echo $iptables -t nat -N $czffirstindex >> $script 
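Review bot: The new `pubip=` lookup, `grep "$czfip " $pimp_2way_nat|cut -f 2 -d " "`, is unanchored and treats `$czfip` as a regex, so the dots match any character and the pattern also matches lines whose first field merely ends with the same characters (constructed example: a `110.1.2.3` entry when `$czfip` is `10.1.2.3`); a second match turns `$pubip` into a two-line value that is echoed into the generated script as a broken iptables rule. make-pimp already anchors its lookup with `^`, so the minimal fix is `pubip=$(grep "^$czfip " "$pimp_2way_nat" | cut -f 2 -d " ")`, or `pubip=$(awk -v ip="$czfip" '$1==ip{print $2; exit}' "$pimp_2way_nat")` to avoid regex semantics altogether; the copy of this lookup against `$pimp_snat` in the following hunk has the same problem. Separately, when `$pimp_2way_nat` does not exist yet (make-pimp not run), grep fails, the loop runs zero times and the script still starts with the `iptables -t nat -X` line shown above, so every public-ip mapping silently disappears; a guard before the loop such as `[ -r "$pimp_2way_nat" ] || { echo "missing $pimp_2way_nat, run make-pimp" >&2; exit 1; }` would fail loudly instead. The for-loop body continues past the end of this hunk.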
@@ -75,12 +76,52 @@ done echo " done." # =============================================================== -# Pravidla pro dashboard +# SNAT only using indexed iptables (should be rather function, hmm) +# =============================================================== + +for czfip in `grep -v ^# $pimp_snat|cut -f 1 -d " "` +do + pubip=`grep "$czfip " $pimp_snat|cut -f 2 -d " "` + czffirstindex=priv_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _` + czfsecondindex=priv_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _` + czfthirdindex=priv_`ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ |tr [./] _` + + if ! grep $czffirstindex $script > /dev/null + then + echo $iptables -t nat -N $czffirstindex >> $script + echo $iptables -t nat -F $czffirstindex >> $script + echo $iptables -t nat -A POSTROUTING -s `ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ ` -o eth1 -j $czffirstindex >> $script + fi + + if ! grep $czfsecondindex $script > /dev/null + then + echo $iptables -t nat -N $czfsecondindex >> $script + echo $iptables -t nat -F $czfsecondindex >> $script + echo $iptables -t nat -A $czffirstindex -s `ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfsecondindex >> $script + fi + + if ! grep $czfthirdindex $script > /dev/null + then + echo $iptables -t nat -N $czfthirdindex >> $script + echo $iptables -t nat -F $czfthirdindex >> $script + echo $iptables -t nat -A $czfsecondindex -s `ipcalc -n $czfip/26|grep Network|cut -f 4 -d \ ` -o eth1 -j $czfthirdindex >> $script + fi + + echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j SNAT --to-source $pubip >> $script + echo $iptables -t nat -A $czfthirdindex -s $czfip/32 -o eth1 -j ACCEPT >> $script + + echo -n . + echo "echo -n ." >>$script +done +echo " done." + +# =============================================================== +# Dashboard rules # =============================================================== echo -n "Generating dashboard index rules " -for czfip in `grep ^10[.] 
/etc/hosts|grep dashboard-|cut -f 1` +for czfip in `grep ^10[.] $etchosts|grep dashboard-|cut -f 1` do czffirstindex=dash_`ipcalc -n $czfip/20|grep Network|cut -f 4 -d \ |tr [./] _` czfsecondindex=dash_`ipcalc -n $czfip/23|grep Network|cut -f 4 -d \ |tr [./] _`