#!/bin/bash

#############################################################
#Setting the EXTERNAL and INTERNAL interfaces for the network
#############################################################
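# Interfaces used by the rest of this script.  The defaults match the original
# testbed wiring (eth1 towards the outside, eth2 towards the VLAN trunk); both
# can be overridden from the environment, e.g. `EXTIF=wan0 ./start_router.bash`,
# without editing the file.
declare EXTIF="${EXTIF:-eth1}"   # upstream ("external") interface, masqueraded at the end
declare INTIF="${INTIF:-eth2}"   # downstream trunk; the VLAN sub-interfaces $INTIF.5..15 hang off it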

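IPTABLES=/sbin/iptables   # NOTE(review): not referenced in this file; the rules below call a bare "iptables" through bash_exec
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

###########################################################
# Locate this script's directory (following symlinks) and pull in the helper
# library that provides bash_exec, assert and test_command_install_package.
# Paths are quoted so a directory containing spaces does not word-split.
#
# Fail closed if the library is missing: without it every bash_exec/assert
# call below would die with "command not found" while the script keeps
# printing its progress banners, i.e. it would finish with NO rules installed.
THIS_SCRIPT_PATH=$(dirname "$(readlink -f "$0")")
if [ ! -r "$THIS_SCRIPT_PATH/utils.bash" ]; then
    echo "start_router: cannot read $THIS_SCRIPT_PATH/utils.bash" >&2
    exit 1
fi
source "$THIS_SCRIPT_PATH/utils.bash"
for helper in bash_exec assert test_command_install_package; do
    if ! declare -F "$helper" > /dev/null; then
        echo "start_router: $THIS_SCRIPT_PATH/utils.bash does not define $helper" >&2
        exit 1
    fi
done
###########################################################
# Make sure the commands used below exist; the second argument is the
# distribution package that provides each one.
# NOTE(review): the third argument looks like it is forwarded to the package
# manager.  On apt, "--force-yes" bypasses package authentication, so check
# how test_command_install_package uses it before running this outside a
# throw-away testbed.
test_command_install_package "vconfig"  "vlan" "--force-yes"
test_command_install_package "iptables" "iptables"
test_command_install_package "iperf"    "iperf"  "--force-yes"
test_command_install_package "ip"       "iproute"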




echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"

echo -en "   loading modules: "

# Rebuild the module dependency map first so that modprobe can resolve the
# dependencies of everything loaded below.
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

echo "----------------------------------------------------------------------"

# Netfilter modules loaded explicitly instead of relying on kernel
# auto-loading (the original author hit auto-load timing issues).  Core
# modules come first, the helpers that depend on them afterwards:
#
#   ip_tables         core of iptables (normally auto-loaded by the iptables command)
#   ip_conntrack      connection tracking framework; does nothing on its own
#   ip_conntrack_ftp  FTP helper, so the data connection is tracked as RELATED
#   ip_conntrack_irc  IRC helper
#   iptable_nat       NAT table, needed for the MASQUERADE rule at the end
#   ip_nat_ftp        NAT fix-ups for non-PASV FTP
#
# To disable a helper, remove it from the list.  Each helper widens what the
# "--state RELATED" FORWARD rules below let through, so keep only the ones the
# testbed needs.  NOTE(review): modprobe failures are not checked here, so an
# unavailable module name (these are the legacy ip_* names) passes silently.
netfilter_modules=(
    ip_tables
    ip_conntrack
    ip_conntrack_ftp
    ip_conntrack_irc
    iptable_nat
    ip_nat_ftp
)
for mod in "${netfilter_modules[@]}"; do
    echo -en "$mod, "
    $MODPROBE "$mod"
done

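# Clearing any previous configuration
#
#   INPUT and OUTPUT default to ACCEPT.  FORWARD defaults to ACCEPT as well
#   (REJECT is not a valid policy); set FORWARD_POLICY=DROP in the environment
#   to get the "only existing and related connections IN" behaviour that the
#   FORWARD rules further down describe.  With an ACCEPT policy those rules
#   never block anything, because whatever they do not match is accepted by
#   the policy anyway.
#
#   Isn't ACCEPT insecure?  To some degree, YES, but this is our testing
#   phase.  Once we know that IPMASQ is working well, run with
#   FORWARD_POLICY=DROP (or the rc.firewall-*-stronger rulesets), which also
#   needs the additional rules that still let you connect to the IPMASQ
#   server, etc.
#
FORWARD_POLICY="${FORWARD_POLICY:-ACCEPT}"
# The value is spliced into an iptables command line, so accept only the two
# policies that make sense here.
case "$FORWARD_POLICY" in
    ACCEPT|DROP) ;;
    *)
        echo "start_router: FORWARD_POLICY must be ACCEPT or DROP, got '$FORWARD_POLICY'" >&2
        exit 1
        ;;
esac
echo "   Clearing any existing rules and setting default policy.."
bash_exec "iptables -P INPUT ACCEPT"
bash_exec "iptables -F INPUT"
bash_exec "iptables -P OUTPUT ACCEPT"
bash_exec "iptables -F OUTPUT"
bash_exec "iptables -P FORWARD $FORWARD_POLICY"
bash_exec "iptables -F FORWARD"
bash_exec "iptables -t nat -F"
bash_exec "iptables -t mangle -F"
bash_exec "iptables -t filter -F"
bash_exec "iptables -t raw -F"

bash_exec "ip route flush cache"


# Every sysctl write is followed by an assert that reads the value back, so a
# write that did not take effect stops the script instead of leaving the
# router half configured.
echo "   Enabling forwarding"
bash_exec "sysctl -w net.ipv4.ip_forward=1"
assert "  $(sysctl -n net.ipv4.ip_forward) -eq 1" $LINENO

# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP,
#   enable this following option.  This enables dynamic-address hacking
#   which makes the life with Diald and similar programs much easier.
#
echo "   Enabling DynamicAddr.."
bash_exec "sysctl -w net.ipv4.ip_dynaddr=1"
assert "  $(sysctl -n net.ipv4.ip_dynaddr) -eq 1" $LINENO

# Log packets with impossible source addresses ("martians").  With reverse
# path filtering switched off below, this is what keeps spoofed or misrouted
# traffic visible in the kernel log.
bash_exec "sysctl -w net.ipv4.conf.all.log_martians=1"
assert "  $(sysctl -n net.ipv4.conf.all.log_martians) -eq 1" $LINENO


# NOTE(review): rp_filter=0 disables the kernel's source-address sanity check
# on both interfaces; presumably required by the per-VLAN policy routing set
# up later (return path differs from the forward path) -- confirm before
# reusing this on anything but a testbed.
echo "   Disabling reverse path filtering"
bash_exec "sysctl -w net.ipv4.conf.all.rp_filter=0"
assert "  $(sysctl -n net.ipv4.conf.all.rp_filter) -eq 0" $LINENO
bash_exec "sysctl -w net.ipv4.conf.$EXTIF.rp_filter=0"
assert "  $(sysctl -n "net.ipv4.conf.$EXTIF.rp_filter") -eq 0" $LINENO
bash_exec "sysctl -w net.ipv4.conf.$INTIF.rp_filter=0"
assert "  $(sysctl -n "net.ipv4.conf.$INTIF.rp_filter") -eq 0" $LINENO


# Proxy ARP: off globally, on for the two physical interfaces (the VLAN
# sub-interfaces get it in the loop below).  Written through /proc and read
# back the same way, mirroring the sysctl/assert pairs above.
echo "0" > /proc/sys/net/ipv4/conf/all/proxy_arp
assert "  $(cat /proc/sys/net/ipv4/conf/all/proxy_arp) -eq 0" $LINENO
echo "1" > "/proc/sys/net/ipv4/conf/$EXTIF/proxy_arp"
assert "  $(cat "/proc/sys/net/ipv4/conf/$EXTIF/proxy_arp") -eq 1" $LINENO
echo "1" > "/proc/sys/net/ipv4/conf/$INTIF/proxy_arp"
assert "  $(cat "/proc/sys/net/ipv4/conf/$INTIF/proxy_arp") -eq 1" $LINENO

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
# Inbound (EXTIF -> INTIF): only replies to, or related to, tracked connections.
bash_exec "iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT"
# Outbound (INTIF -> EXTIF): everything.  NOTE(review): INVALID is listed as
# well, so the state match excludes almost nothing; if the intent is "new and
# tracked connections only", drop INVALID from the list.
bash_exec "iptables -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED,INVALID -j ACCEPT"

# 802.1Q VLAN support, needed for the $INTIF.<id> sub-interfaces created next.
bash_exec "modprobe 8021q"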

# Tear down any VLAN sub-interfaces left over from a previous run so the
# creation loop below starts from a clean slate.  Both commands may fail when
# the interface does not exist (first run), hence the discarded output.
for vid in {5..15}; do
    ifconfig "$INTIF.$vid" down > /dev/null 2>&1
    sync
    vconfig rem "$INTIF.$vid" > /dev/null 2>&1
    sync
done

# Create one VLAN sub-interface per id, bring it up, give it an address and
# let the FORWARD chain treat it like the physical internal interface.
# Address scheme: VLAN id N gets 10.0.(200+N).1/8, i.e. 10.0.205.1 .. 10.0.215.1.
# NOTE(review): with a /8 on every sub-interface they all sit in the same
# connected 10.0.0.0/8 route; steering traffic to a particular VLAN presumably
# relies on the per-VLAN routing tables set up in the next loop.
vlan_net_offset=200
for vid in {5..15}; do
    bash_exec "vconfig add $INTIF $vid"
    bash_exec "ifconfig $INTIF.$vid up"
    sync
    net=$(( vid + vlan_net_offset ))
    cidr="10.0.${net}.1/8"
    bash_exec "ip -4 addr add $cidr dev $INTIF.$vid"
    # Same forwarding rules as for the physical interfaces: replies/related
    # in, everything (INVALID included) out.
    bash_exec "iptables -A FORWARD -i $EXTIF -o $INTIF.$vid -m state --state ESTABLISHED,RELATED -j ACCEPT"
    bash_exec "iptables -A FORWARD -i $INTIF.$vid -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED,INVALID -j ACCEPT"
    # Per-sub-interface settings: proxy ARP on, reverse path filtering off.
    # Written via /proc (the dot in the interface name would be read as a key
    # separator by sysctl); the redirect only works if bash_exec evaluates
    # its argument as a shell command line -- it does for the existing calls.
    bash_exec "echo 1 > /proc/sys/net/ipv4/conf/$INTIF.$vid/proxy_arp"
    bash_exec "echo 0 > /proc/sys/net/ipv4/conf/$INTIF.$vid/rp_filter"
done
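# Per-VLAN policy routing.  Packets entering on $INTIF.<id> get their
# connection mark restored, are marked <id> if still unmarked (new
# connection), and the mark is saved back on the connection.  A routing table
# "vlan<id>" holding a default route out of that sub-interface is then
# selected for packets that arrive on $EXTIF carrying fwmark <id>.
# NOTE(review): nothing in this file restores the connection mark onto
# packets arriving on $EXTIF (only "-i $INTIF.<id>" rules are added), so the
# "iif $EXTIF fwmark" rules only match if that is done elsewhere -- confirm;
# otherwise a "-t mangle -A PREROUTING -i $EXTIF -j CONNMARK --restore-mark"
# rule is missing.
rt_tables_file=/etc/iproute2/rt_tables
rt_table_id_base=200   # table vlan<id> gets id 200+<id>, i.e. 205..215
for vid in {5..15}; do
    bash_exec "iptables  -t mangle -A PREROUTING -i $INTIF.$vid -j CONNMARK --restore-mark"
    bash_exec "iptables  -t mangle -A PREROUTING -i $INTIF.$vid -m mark --mark 0 -j MARK --set-mark $vid"
    bash_exec "iptables  -t mangle -A PREROUTING -i $INTIF.$vid -j CONNMARK --save-mark"

    # Register the table name once.  The match is anchored to a real
    # "<id> vlan<N>" entry: a plain substring search (the old fgrep) would
    # also accept commented-out lines and any longer name containing vlan<N>.
    # -q keeps the matched line off stdout.
    if ! grep -Eq "^[[:space:]]*[0-9]+[[:space:]]+vlan${vid}([[:space:]]|\$)" "$rt_tables_file"; then
        num=$(( vid + rt_table_id_base ))
        # NOTE(review): no check that id $num is not already used by another
        # name in the file.
        echo "$num vlan$vid" >> "$rt_tables_file"
        echo "Updating /etc/iproute2/rt_tables with table vlan$vid id $num"
    fi
    # Drop a stale rule from a previous run.  This is best effort (the rule
    # usually does not exist on a fresh boot), so it bypasses bash_exec and,
    # like the interface teardown above, discards both stdout and stderr.
    ip rule del from all iif "$EXTIF" fwmark "$vid" table "vlan$vid" > /dev/null 2>&1
    bash_exec "ip rule add iif $EXTIF fwmark $vid table vlan$vid"
    bash_exec "ip route add default dev $INTIF.$vid table vlan$vid"
done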
#bash_exec "iptables  -t mangle -A OUTPUT -m mark ! --mark 0 -j CONNMARK --save-mark"
#iptables -I INPUT      -i $INTIF.5 -j LOG --log-ip-options --log-prefix "INPUT CHAIN:"
#iptables -I FORWARD  -t mangle  -i $INTIF.5 -j LOG --log-ip-options --log-prefix "FORWARD CHAIN(mangle):"
#iptables -I FORWARD  -t filter  -i $INTIF.5 -j LOG --log-ip-options --log-prefix "FORWARD CHAIN(filter):"
#iptables -I PREROUTING -t raw -i $INTIF.5 -j LOG --log-ip-options --log-prefix "PREROUTING (raw):"
#iptables -I PREROUTING -t mangle -i $INTIF.5 -j LOG --log-ip-options --log-prefix "PREROUTING (mangle):"
#iptables -I PREROUTING -t nat -i $INTIF.5 -j LOG --log-ip-options --log-prefix "PREROUTING (nat):"


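echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
# Masquerade everything leaving through $EXTIF behind its address.
# NOTE(review): no "-s" restriction, so any forwarded source -- not only the
# 10.0.0.0/8 addresses assigned above -- is masqueraded; tighten with -s if
# the testbed allows.
bash_exec "iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE"

# FWVER is not set anywhere in this file; fall back to a placeholder so the
# banner does not read "v done" when the sourced helpers do not define it.
echo -e "\nrc.firewall-iptables v${FWVER:-unknown} done.\n"
# Dump the resulting rule sets for inspection.
iptables  -t mangle -nvL
iptables  -t filter -nvL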