-
Notifications
You must be signed in to change notification settings - Fork 0
/
rc.poststart
executable file
·139 lines (130 loc) · 6.31 KB
/
rc.poststart
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
#!/bin/ash
#version redama 0.1
#delete exact iptables rule:
# iptables -t nat --line-numbers -L
# iptables -t nat -D PREROUTING LINE
#
#
#
#----Vlan Database----
ADM_VLAN=100
NETFLIX_VLAN=111
DATA_VLAN=131
VOZ_VLAN=213
#----------------------
#----Layer 3 config----
IP_ADDR_ADM=$(/sbin/ifconfig "ath0.$ADM_VLAN" | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}')
NETWORK_LAN=$(/usr/bin/ip route | grep eth0 | grep -v default | cut -d ' ' -f1)
NETWORK_GW=$(/sbin/ifconfig eth0 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}')
LAST_OCTET=$(echo $IP_ADDR_ADM | cut -d . -f4)
if [[ $(/usr/bin/ip link | grep -c $NETFLIX_VLAN) -eq 1 ]]; then
ctrl_netflix=1
IP_ADDR_NETFLIX="172.16.23.$LAST_OCTET/24"
NETFLIX_GW="172.16.23.1"
NETFLIX_HOST="10.1.10.124"
fi
if [[ $(/usr/bin/ip link | grep -c $VOZ_VLAN) -eq 1 ]]; then
ctrl_voz=1
IP_ADDR_VOZ="172.16.113.$LAST_OCTET/24"
VOZ_GW="172.16.113.1"
VOZ_HOST="10.1.10.13"
SIP_SERVER="185.8.244.80"
ADM_HOST="172.16.18.1"
fi
#----------------------
/usr/bin/ip link set mtu 1496 dev "ath0.$ADM_VLAN"
/usr/bin/ip link set mtu 1496 dev "ath0.$DATA_VLAN"
#others VLANs
[[ $ctrl_netflix ]] && \
/usr/bin/ip addr add $IP_ADDR_NETFLIX brd + dev "ath0.$NETFLIX_VLAN" && \
/usr/bin/ip link set mtu 1496 dev "ath0.$NETFLIX_VLAN"
[[ $ctrl_voz ]] && \
/usr/bin/ip addr add $IP_ADDR_VOZ dev brd + dev "ath0.$VOZ_VLAN" && \
/usr/bin/ip link set mtu 1496 dev "ath0.$VOZ_VLAN"
#CoS bit
/usr/bin/vconfig set_egress_map "ath0.$ADM_VLAN" 0 1
/usr/bin/vconfig set_egress_map "ath0.$ADM_VLAN" 1 1
/usr/bin/vconfig set_egress_map "ath0.$ADM_VLAN" 2 1
/usr/bin/vconfig set_egress_map "ath0.$ADM_VLAN" 3 1
/usr/bin/vconfig set_egress_map "ath0.$ADM_VLAN" 4 1
/usr/bin/vconfig set_egress_map "ath0.$ADM_VLAN" 5 1
/usr/bin/vconfig set_egress_map "ath0.$ADM_VLAN" 6 1
/usr/bin/vconfig set_egress_map "ath0.$ADM_VLAN" 7 1
[[ $ctrl_netflix ]] && \
/usr/bin/vconfig set_egress_map "ath0.$NETFLIX_VLAN" 0 6 && \
/usr/bin/vconfig set_egress_map "ath0.$NETFLIX_VLAN" 1 6 && \
/usr/bin/vconfig set_egress_map "ath0.$NETFLIX_VLAN" 2 6 && \
/usr/bin/vconfig set_egress_map "ath0.$NETFLIX_VLAN" 3 6 && \
/usr/bin/vconfig set_egress_map "ath0.$NETFLIX_VLAN" 4 6 && \
/usr/bin/vconfig set_egress_map "ath0.$NETFLIX_VLAN" 5 6 && \
/usr/bin/vconfig set_egress_map "ath0.$NETFLIX_VLAN" 6 6 && \
/usr/bin/vconfig set_egress_map "ath0.$NETFLIX_VLAN" 7 6
[[ $ctrl_voz ]] && \
/usr/bin/vconfig set_egress_map "ath0.$VOZ_VLAN" 0 6 && \
/usr/bin/vconfig set_egress_map "ath0.$VOZ_VLAN" 1 6 && \
/usr/bin/vconfig set_egress_map "ath0.$VOZ_VLAN" 2 6 && \
/usr/bin/vconfig set_egress_map "ath0.$VOZ_VLAN" 3 6 && \
/usr/bin/vconfig set_egress_map "ath0.$VOZ_VLAN" 4 6 && \
/usr/bin/vconfig set_egress_map "ath0.$VOZ_VLAN" 5 6 && \
/usr/bin/vconfig set_egress_map "ath0.$VOZ_VLAN" 6 6 && \
/usr/bin/vconfig set_egress_map "ath0.$VOZ_VLAN" 7 6
/usr/bin/vconfig set_egress_map "ath0.$DATA_VLAN" 0 3
/usr/bin/vconfig set_egress_map "ath0.$DATA_VLAN" 1 3
/usr/bin/vconfig set_egress_map "ath0.$DATA_VLAN" 2 3
/usr/bin/vconfig set_egress_map "ath0.$DATA_VLAN" 3 3
/usr/bin/vconfig set_egress_map "ath0.$DATA_VLAN" 4 3
/usr/bin/vconfig set_egress_map "ath0.$DATA_VLAN" 5 3
/usr/bin/vconfig set_egress_map "ath0.$DATA_VLAN" 6 3
/usr/bin/vconfig set_egress_map "ath0.$DATA_VLAN" 7 3
#/usr/bin/iptables
/usr/bin/iptables -t nat -F
/usr/bin/iptables -t mangle -F
/usr/bin/iptables -F
/usr/bin/iptables -X
#FILTER
/usr/bin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#WAN si necesario
/usr/bin/iptables -A INPUT -i ppp0 -p icmp --icmp-type echo-request -j ACCEPT
/usr/bin/iptables -A INPUT -i ppp0 -j DROP
#LAN
#/usr/bin/iptables -A INPUT -s $NETWORK_LAN -p tcp --dport 80 -j DROP
#/usr/bin/iptables -A INPUT -s $NETWORK_LAN -p tcp --dport 22 -j DROP
/usr/bin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/bin/iptables -A FORWARD -s $NETWORK_LAN -d 192.168.0.0/16 -j DROP
/usr/bin/iptables -A FORWARD -s $NETWORK_LAN -d 172.16.0.0/12 -j DROP
/usr/bin/iptables -A FORWARD -s $NETWORK_LAN -d 10.0.0.0/8 -j DROP
/usr/bin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#DSTNAT
[[ $ctrl_voz ]] && /usr/bin/iptables -A PREROUTING -t nat -i ppp0 -p udp --src $SIP_SERVER --dport 5060 -j DNAT --to-destination 10.1.10.3:5060 && \
/usr/bin/iptables -A PREROUTING -t nat -i "ath0.$ADM_VLAN" -p tcp --src $ADM_HOST --dport 50080 -j DNAT --to-destination 10.1.10.3:80
#DMZ
#/usr/bin/iptables -t nat -A PREROUTING -i ppp0 -p tcp -j DNAT --to $DMZ
#/usr/bin/iptables -t nat -A PREROUTING -i ppp0 -p udp -j DNAT --to $DMZ
#SRCNAT
#configuracion VOZIP si necesaria
#/usr/bin/iptables -t nat -A POSTROUTING -s $NETWORK_LAN -d 176.32.51.47 -o ath0.$VOZ_VLAN -j SNAT --to-source $IP_ADDR_VOZ
[[ $ctrl_voz ]] && -t nat -A POSTROUTING -s 10.1.10.3 -d 172.16.18.1 -o "ath0.$ADM_VLAN" -j SNAT --to-source $IP_ADDR_ADM
/usr/bin/iptables -t nat -A POSTROUTING -s $NETWORK_LAN -o ppp0 -j MASQUERADE
[[ $ctrl_voz ]] && /usr/bin/iptables -t nat -A POSTROUTING -s $VOZ_HOST -o "ath0.$VOZ_VLAN" -j MASQUERADE
#MANGLE NETFLIX
[[ $ctrl_voz ]] && \
/usr/bin/iptables -t mangle -A PREROUTING -s $VOZ_HOST -j MARK --set-mark "$VOZ_VLAN" && \
/usr/bin/ip rule add fwmark $VOZ_VLAN table $VOZ_VLAN && \
/usr/bin/ip route add default via $VOZ_GW dev "ath0.$VOZ_VLAN" table $VOZ_VLAN
[[ $ctrl_netflix ]] && /usr/bin/iptables -t nat -A POSTROUTING -s $NETFLIX_HOST -o "ath0.$NETFLIX_VLAN" -j MASQUERADE
#MANGLE NETFLIX
[[ $ctrl_netflix ]] && \
/usr/bin/iptables -t mangle -A PREROUTING -s $NETFLIX_HOST -j MARK --set-mark "$NETFLIX_VLAN" && \
/usr/bin/ip rule add fwmark $NETFLIX_VLAN table $NETFLIX_VLAN && \
/usr/bin/ip route add default via $NETFLIX_GW dev "ath0.$NETFLIX_VLAN" table $NETFLIX_VLAN
#DSCP CONSOLLE
#/usr/bin/iptables -t mangle -A POSTROUTING -s $DMZ -o ppp0 -j DSCP --set-dscp 45
#QoS DSCP [read by Airmax]
[[ $ctrl_netflix ]] && /usr/bin/iptables -t mangle -A POSTROUTING -o "ath0.$NETFLIX_VLAN" -j DSCP --set-dscp 48
[[ $ctrl_voz ]] && /usr/bin/iptables -t mangle -A POSTROUTING -o "ath0.$VOZ_VLAN" -j DSCP --set-dscp 48 && \
/usr/bin/iptables -t mangle -A POSTROUTING -o ppp0 -d $SIP_SERVER -j DSCP --set-dscp 48
/usr/bin/iptables -t mangle -A POSTROUTING -o "ath0.$ADM_VLAN" -j DSCP --set-dscp 8
/usr/bin/iptables -t mangle -A POSTROUTING -o ppp0 ! $SIP_SERVER -d -j DSCP --set-dscp 24
#iperf
#iperf -s -D -B $IP_ADDR_ADM -f m
#crond -b -c /etc/persistent/crontab