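#!/bin/bash
#
# Init file for Rx3 network setup
#
# chkconfig: 2345 55 25
# description: Rx3 network setup
#
### BEGIN INIT INFO
# Provides: rx3-net
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 2 3 4 5
# Short-Description: Rx3 network setup
# Description: Rx3 network setup
### END INIT INFO

# source function library
. /etc/rc.d/init.d/functions

# Site configuration. IP_SRC_SN, IP_SRC_PTP, IP_PREFIX, IP_ROUTE, TABLE_LIST and
# VPN_EXT_LIST are never assigned in this script, so they are presumably set by
# these files. Both are executed as shell code, so they must only be writable by
# root.
[ -e /etc/sysconfig/rx3-net ] && . /etc/sysconfig/rx3-net
[ -e /etc/sysconfig/rx3-vpn ] && . /etc/sysconfig/rx3-vpn

RETVAL=0
prog="rx3-net"

#--------------------------------------------------------------------------------------------------------------------------
# Lookup Source IP ()
#--------------------------------------------------------------------------------------------------------------------------
# Print one record per line for every source address this host handles:
#   <ip>:<table>:<owner>:<vpn_type>:<forward>:<net_type>:<id>
#
# Globals read:
#   IP_SRC_SN  - whitespace separated "<ip>:<table>:<owner>:<type>" entries
#                (one per sub-net). Emitted with net_type "sn" and a sequential
#                id; <type> is repeated as both vpn_type and forward, so sn
#                records always pass the "vpn_type == forward" test in
#                rx3-start/rx3-stop (NOTE(review): confirm that is intended).
#   IP_SRC_PTP - whitespace separated "<id>:<table>:<owner>:<forward>" entries
#                (one per point-to-point client). Emitted three times, once per
#                vpn_type 1..3, with ip "${IP_PREFIX}.<vpn_type>.<id>".
#   IP_PREFIX  - leading octets shared by all ptp client addresses.
# Outputs: the records on stdout, one per line.
Lookup_Src_IP () {
  local lo_id lo_blk lo_ip lo_table lo_owner lo_type lo_forward
  local OIFS=${IFS}

  lo_id=0
  for lo_blk in ${IP_SRC_SN}; do
    # "--" keeps an entry that starts with "-" from being read as shell options
    IFS=:
    set -- ${lo_blk}
    IFS=${OIFS}
    lo_ip=$1 lo_table=$2 lo_owner=$3 lo_type=$4
    printf '%s\n' "${lo_ip}:${lo_table}:${lo_owner}:${lo_type}:${lo_type}:sn:${lo_id}"
    lo_id=$((lo_id + 1))
  done

  for lo_blk in ${IP_SRC_PTP}; do
    IFS=:
    set -- ${lo_blk}
    IFS=${OIFS}
    lo_id=$1 lo_table=$2 lo_owner=$3 lo_forward=$4
    for lo_type in 1 2 3; do
      printf '%s\n' "${IP_PREFIX}.${lo_type}.${lo_id}:${lo_table}:${lo_owner}:${lo_type}:${lo_forward}:ptp:${lo_id}"
    done
  done
}

#--------------------------------------------------------------------------------------------------------------------------
# Port_Start_Get ()
#--------------------------------------------------------------------------------------------------------------------------
# Print the first port of the 100-port forwarding window of one client.
# Arguments:
#   $1 - net type: "sn" uses base port 3000, anything else uses 33000
#   $2 - vpn id (non-negative integer); the window starts at base + id*100
# Outputs: the start port on stdout
# Returns: 1, printing nothing, when $2 is not a non-negative integer. Without
#          this check a non-numeric id would be evaluated as an arithmetic
#          expression (a bare name reads as 0, and bracketed forms can run
#          commands), so the value is rejected before the $(( )) below.
port_start_get() {
  local ps_net_type=$1
  local ps_vpn_id=$2
  local ps_port_base

  [[ "${ps_vpn_id}" =~ ^[0-9]+$ ]] || return 1

  if [[ "${ps_net_type}" == "sn" ]]; then
    ps_port_base=3000
  else
    ps_port_base=33000
  fi
  echo $((ps_port_base + ps_vpn_id * 100))
}

#--------------------------------------------------------------------------------------------------------------------------
# Port_End_Get ()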
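#--------------------------------------------------------------------------------------------------------------------------
# Print the last port of the forwarding window that starts at $1 (100 ports).
# Arguments: $1 - start port as printed by port_start_get (non-negative integer)
# Outputs:   start + 99 on stdout
# Returns:   1, printing nothing, when $1 is not a non-negative integer (an
#            empty start port used to silently become 99).
port_end_get() {
  local pe_port_start=$1

  [[ "${pe_port_start}" =~ ^[0-9]+$ ]] || return 1
  echo $((pe_port_start + 99))
}

#--------------------------------------------------------------------------------------------------------------------------
# Forward_Rule () - shared by Forward_Add () and Forward_Remove ()
#--------------------------------------------------------------------------------------------------------------------------
# Append (-A) or delete (-D) the pair of DNAT rules in the nat PREROUTING-VPN
# chain that send one client's port window (tcp and udp) to its address.
# Arguments:
#   $1 - iptables chain action: "-A" or "-D"
#   $2 - client ip (DNAT target)
#   $3 - net type handed to port_start_get ("sn" or "ptp")
#   $4 - vpn id handed to port_start_get
# Returns: 1 without touching iptables when port_start_get/port_end_get fail,
#          so iptables never sees an empty or partial "--dport" range;
#          otherwise the status of the udp rule.
# Earlier revisions matched the VPN interfaces directly ("-i tun+" / "-i ppp+"
# in PREROUTING); rx3-start now adds a jump into PREROUTING-VPN for each
# non-eth0 device of VPN_EXT_LIST instead, so only the chain rules are kept.
forward_rule() {
  local fw_action=$1
  local fw_ip=$2
  local fw_net_type=$3
  local fw_vpn_id=$4
  local fw_port_start fw_port_end

  fw_port_start=$(port_start_get "${fw_net_type}" "${fw_vpn_id}") || return 1
  fw_port_end=$(port_end_get "${fw_port_start}") || return 1

  iptables -t nat "${fw_action}" PREROUTING-VPN -p tcp -m tcp \
    --dport "${fw_port_start}:${fw_port_end}" -j DNAT --to "${fw_ip}"
  iptables -t nat "${fw_action}" PREROUTING-VPN -p udp -m udp \
    --dport "${fw_port_start}:${fw_port_end}" -j DNAT --to "${fw_ip}"
}

#--------------------------------------------------------------------------------------------------------------------------
# Forward_Add ()
#--------------------------------------------------------------------------------------------------------------------------
# Add the tcp+udp DNAT rules for one client's port window (see forward_rule).
# Arguments: $1 - client ip, $2 - net type ("sn"/"ptp"), $3 - vpn id
# Returns:   as forward_rule
forward_add() {
  forward_rule -A "$1" "$2" "$3"
}

#--------------------------------------------------------------------------------------------------------------------------
# Forward_Remove ()
#--------------------------------------------------------------------------------------------------------------------------
# Delete the tcp+udp DNAT rules for one client's port window (see forward_rule).
# Arguments: $1 - client ip, $2 - net type ("sn"/"ptp"), $3 - vpn id
# Returns:   as forward_rule
forward_remove() {
  forward_rule -D "$1" "$2" "$3"
}

# Some functions to make the below more readable
#--------------------------------------------------------------------------------------------------------------------------
# Rx3-Start ()
#--------------------------------------------------------------------------------------------------------------------------
# Bring up the Rx3 policy routing and VPN port forwarding:
#   1. add every IP_ROUTE entry ("<dest>:<dev>") to every table in TABLE_LIST
#   2. copy main's 0.0.0.0 route (the default route) into table 3
#   3. create the nat chain PREROUTING-VPN and jump to it from PREROUTING for
#      every VPN_EXT_LIST device ("<dev>:<conf>:<table>:<name>") except eth0
#   4. for every Lookup_Src_IP record add a source-based "ip rule" and, when
#      the record's vpn_type equals its forward field, the DNAT port window
# Globals read: IP_ROUTE, TABLE_LIST, VPN_EXT_LIST (plus those of Lookup_Src_IP)
# Returns: the status of the last command run (the last "ip rule add" or
#          forward_add); earlier failures are not tracked.
rx3-start() {
  local table route blk main_default dev
  local ip vpn_type forward net_type vpn_id
  local OIFS=${IFS}

  # Add Rx3 routes in vpn tables. An earlier variant used "via <gw>" in place
  # of "dev <dev>" for the second field.
  for table in ${TABLE_LIST}; do
    for route in ${IP_ROUTE}; do
      ip route add "${route%%:*}" table "${table}" dev "${route##*:}"
    done
  done

  # copy main default rule into table 3 (vpn local routing table)
  # NOTE(review): should main hold more than one 0.0.0.0 route, the lines are
  # joined into a single "ip route add" (as before) - confirm that a single
  # default route is the expected case. The list is read once, not twice.
  main_default=$(ip route list match 0.0.0.0 table main)
  if [[ -n "${main_default}" ]]; then
    # shellcheck disable=SC2086 # the route spec must be word-split into arguments
    ip route add ${main_default} table 3
  fi

  # Create VPN Forward Chain
  iptables -t nat -N PREROUTING-VPN

  # Add Jump rule for VPN (fields: dev:conf:table:name - only dev is used here;
  # eth0 is excluded by name)
  for blk in ${VPN_EXT_LIST}; do
    IFS=:
    set -- ${blk}
    IFS=${OIFS}
    dev=$1
    if [[ "${dev}" != "eth0" ]]; then
      iptables -t nat -A PREROUTING -i "${dev}" -j PREROUTING-VPN
    fi
  done

  # Add sub-net + point-to-point vpn client address rules
  # record layout: ip:table:owner:vpn_type:forward:net_type:id (owner unused)
  for blk in $(Lookup_Src_IP); do
    IFS=:
    set -- ${blk}
    IFS=${OIFS}
    ip=$1 table=$2 vpn_type=$4 forward=$5 net_type=$6 vpn_id=$7
    ip rule add from "${ip}" table "${table}"
    if [[ "${vpn_type}" == "${forward}" ]]; then
      forward_add "${ip}" "${net_type}" "${vpn_id}"
    fi
  done
}

#--------------------------------------------------------------------------------------------------------------------------
# Rx3-Stop ()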
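#--------------------------------------------------------------------------------------------------------------------------
# Undo what rx3-start set up, in reverse order:
#   1. delete the "ip rule" (and, where vpn_type == forward, the DNAT port
#      window) of every Lookup_Src_IP record
#   2. remove the PREROUTING -> PREROUTING-VPN jump of every VPN_EXT_LIST
#      device except eth0, then delete the chain
#   3. delete the default route from table 3
#   4. delete every IP_ROUTE entry ("<dest>:<dev>") from every TABLE_LIST table
# "ip" errors are silenced (2>/dev/null) on the rule and route deletions only.
# Globals read: TABLE_LIST, IP_ROUTE, VPN_EXT_LIST (plus those of Lookup_Src_IP)
# Returns: always 0
rx3-stop() {
  local blk table route dev
  local ip vpn_type forward net_type vpn_id
  local OIFS=${IFS}

  # Remove subnet + point-to-point vpn client address rules
  # record layout: ip:table:owner:vpn_type:forward:net_type:id
  for blk in $(Lookup_Src_IP); do
    IFS=:
    set -- ${blk}
    IFS=${OIFS}
    ip=$1 vpn_type=$4 forward=$5 net_type=$6 vpn_id=$7
    ip rule del from "${ip}" 2>/dev/null
    if [[ "${vpn_type}" == "${forward}" ]]; then
      forward_remove "${ip}" "${net_type}" "${vpn_id}"
    fi
  done

  # Remove Jump rule for VPN (fields: dev:conf:table:name - only dev is used)
  for blk in ${VPN_EXT_LIST}; do
    IFS=:
    set -- ${blk}
    IFS=${OIFS}
    dev=$1
    if [[ "${dev}" != "eth0" ]]; then
      iptables -t nat -D PREROUTING -i "${dev}" -j PREROUTING-VPN
    fi
  done

  # Delete VPN Forward Chain
  iptables -t nat -X PREROUTING-VPN

  # Remove default route in table 3
  ip route del default table 3

  # Remove Rx3 routes in vpn tables (an earlier variant used "via <gw>")
  for table in ${TABLE_LIST}; do
    for route in ${IP_ROUTE}; do
      ip route del "${route%%:*}" table "${table}" dev "${route##*:}" 2>/dev/null
    done
  done

  return 0
}

#--------------------------------------------------------------------------------------------------------------------------
# Rx3-Table_Set ()
#--------------------------------------------------------------------------------------------------------------------------
# Move one source address to another routing table, both in the running
# "ip rule" set and in /etc/sysconfig/rx3-net. An address inside IP_PREFIX is a
# ptp client, and all three of its "${IP_PREFIX}.<1|2|3>.<id>" addresses move.
# Arguments:
#   $1 - ip address (dotted quad)
#   $2 - routing table number, 3..11
# Returns: 1 on a bad ip or table, before anything is changed; otherwise the
#          status of the last "ip rule add".
# NOTE(review): the two "sed /etc/sysconfig/rx3-net.new" lines are kept as
# found in this copy of the file. They carry no sed script and no input file,
# so as written sed takes that path as its script and reads stdin. The
# expression that rewrites the table field of the matching entry is missing
# here - TODO restore it from the original source before relying on this.
rx3-table_set() {
  local ip=$1
  local table=$2
  local vpn_id vpn_type

  # reject a non-numeric or out-of-range table before it reaches "ip rule"
  [[ "${table}" =~ ^[0-9]+$ ]] || return 1
  if (( table < 3 || table > 11 )); then
    return 1
  fi
  # only dotted quads are handled; the value is passed straight to "ip rule"
  [[ "${ip}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] || return 1

  # "${ip%.*.*}" drops the last two octets, i.e. the prefix of a ptp address
  if [[ "${ip%.*.*}" != "${IP_PREFIX}" ]]; then
    # a sub-net / external address: a single rule for this ip
    sed /etc/sysconfig/rx3-net.new
    mv /etc/sysconfig/rx3-net.new /etc/sysconfig/rx3-net
    ip rule del from "${ip}"
    ip rule add from "${ip}" table "${table}"
  else
    # a ptp client: the same table for each of its three vpn_type addresses
    vpn_id=${ip##*.}
    sed /etc/sysconfig/rx3-net.new
    mv /etc/sysconfig/rx3-net.new /etc/sysconfig/rx3-net
    for vpn_type in 1 2 3; do
      ip=${IP_PREFIX}.${vpn_type}.${vpn_id}
      ip rule del from "${ip}"
      ip rule add from "${ip}" table "${table}"
    done
  fi
}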
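#--------------------------------------------------------------------------------------------------------------------------
# Rx3-Forward_Set ()
#--------------------------------------------------------------------------------------------------------------------------
# Make $1 the forwarded address of its ptp client: the DNAT port window that
# currently points at "${IP_PREFIX}.<old forward type>.<id>" is removed and
# re-added for $1, and /etc/sysconfig/rx3-net is updated. Addresses outside
# IP_PREFIX are ignored.
# Arguments: $1 - ip "<IP_PREFIX>.<vpn_type>.<id>" (dotted quad)
# Reads:     /etc/sysconfig/rx3-net - the line starting "<id>:" gives the
#            current forward type in its last colon-separated field
#            (assumes exactly one such line - TODO confirm)
# Returns:   1 when the id is not numeric; 0 when the address is ignored;
#            otherwise the status of the final forward_add.
# IFS is saved and restored around the split instead of being left as " ",
# which is what the other functions in this file do as well.
# NOTE(review): "sed /etc/sysconfig/rx3-net.new" is kept as found in this copy
# of the file. It has no sed script and no input file, so as written sed takes
# that path as its script and reads stdin. The expression that rewrites the
# forward field of the "<id>:" entry is missing here - TODO restore it from the
# original source before relying on this.
rx3-forward_set() {
  local ip=$1
  local network vpn_type vpn_id vpn_type_old
  local OIFS=${IFS}

  IFS=.
  set -- ${ip}
  IFS=${OIFS}
  network="$1.$2"
  vpn_type="$3"
  vpn_id="$4"

  if [[ "${network}" == "${IP_PREFIX}" ]]; then
    # the id is interpolated into a grep pattern below, so it must be a number
    [[ "${vpn_id}" =~ ^[0-9]+$ ]] || return 1
    vpn_type_old=$(grep -- "^${vpn_id}:" /etc/sysconfig/rx3-net | sed -e "s/.*://" -e "s/ .*//")
    forward_remove "${IP_PREFIX}.${vpn_type_old}.${vpn_id}" "ptp" "${vpn_id}"
    sed /etc/sysconfig/rx3-net.new
    mv /etc/sysconfig/rx3-net.new /etc/sysconfig/rx3-net
    forward_add "${ip}" "ptp" "${vpn_id}"
  fi
}

#--------------------------------------------------------------------------------------------------------------------------
# Start ()
#--------------------------------------------------------------------------------------------------------------------------
# "start" action: run rx3-start unless the lock file already exists, report
# through success/failure (from /etc/rc.d/init.d/functions) and create the
# lock file on success.
# Globals: prog (read), RETVAL (written)
start() {
  gprintf "Starting %s:" "$prog"
  if [[ -r /var/lock/subsys/rx3-net ]]; then
    success "already started"
    RETVAL=0
  else
    rx3-start
    RETVAL=$?
    if [[ "$RETVAL" = 0 ]]; then
      success "startup"
      touch /var/lock/subsys/rx3-net
    else
      failure "startup"
    fi
  fi
  echo
}

#--------------------------------------------------------------------------------------------------------------------------
# Stop ()
#--------------------------------------------------------------------------------------------------------------------------
# "stop" action: run rx3-stop when the lock file exists, report the result and
# remove the lock file when RETVAL is 0.
# Globals: prog (read), RETVAL (written)
stop() {
  gprintf "Stopping %s:" "$prog"
  if [[ -r /var/lock/subsys/rx3-net ]]; then
    rx3-stop
    RETVAL=$?
    if [[ "$RETVAL" = 0 ]]; then
      success "stop"
    else
      failure "stop"
    fi
  else
    success "already stopped"
    RETVAL=0
  fi
  [[ "$RETVAL" = 0 ]] && rm -f /var/lock/subsys/rx3-net
  echo
}

#--------------------------------------------------------------------------------------------------------------------------
# Table-Set ()
#--------------------------------------------------------------------------------------------------------------------------
# "table_set" action: rx3-table_set "$1" "$2", refused when not running.
# Arguments: $1 - ip, $2 - table number (see rx3-table_set)
# Globals:   prog (read), RETVAL (written)
table-set() {
  gprintf "Setting %s: ip:%s table:%s" "$prog" "$1" "$2"
  if [[ -r /var/lock/subsys/rx3-net ]]; then
    rx3-table_set "$1" "$2"
    RETVAL=$?
    if [[ "$RETVAL" = 0 ]]; then
      success "table set"
    else
      failure "table set"
    fi
  else
    failure "not running so table not set"
    RETVAL=1
  fi
  echo
}

#--------------------------------------------------------------------------------------------------------------------------
# Forward-Set ()
#--------------------------------------------------------------------------------------------------------------------------
# "forward_set" action: rx3-forward_set "$1", refused when not running.
# (rx3-forward_set takes a single ip; the extra argument formerly passed was
# unused.) The "not running" message now says "not set", as table-set does.
# Arguments: $1 - ip (see rx3-forward_set)
# Globals:   prog (read), RETVAL (written)
forward-set() {
  gprintf "Setting %s: ip:%s" "$prog" "$1"
  if [[ -r /var/lock/subsys/rx3-net ]]; then
    rx3-forward_set "$1"
    RETVAL=$?
    if [[ "$RETVAL" = 0 ]]; then
      success "forward set"
    else
      failure "forward set"
    fi
  else
    failure "not running so forward not set"
    RETVAL=1
  fi
  echo
}

#--------------------------------------------------------------------------------------------------------------------------
# Main
#--------------------------------------------------------------------------------------------------------------------------
# Dispatch on the service action; RETVAL becomes the exit status.
#   start|stop|restart      - as usual for an init script
#   status                  - print the rules, the routes of every TABLE_LIST
#                             table and the nat chain counters; exits 1 as
#                             before (NOTE(review): an LSB-style 0 when running
#                             / 3 when stopped may be what callers expect)
#   table_set <ip> <table>  - see rx3-table_set
#   forward_set <ip>        - see rx3-forward_set
main() {
  local table

  case "$1" in
    start)
      start
      ;;
    stop)
      stop
      ;;
    restart)
      stop
      sleep 1
      start
      ;;
    status)
      gprintf "Rules:\n"
      ip rule show
      echo
      for table in ${TABLE_LIST}; do
        # the table name is passed as an argument, not as part of the format
        gprintf "Table %s:\n" "${table}"
        ip route list table "${table}"
        echo
      done
      gprintf "Forward:\n"
      iptables -t nat -L PREROUTING -v -n
      iptables -t nat -L PREROUTING-VPN -v -n
      RETVAL=1
      ;;
    table_set)
      table-set "$2" "$3"
      ;;
    forward_set)
      forward-set "$2"
      ;;
    *)
      gprintf "Usage: %s {start|stop|restart|status|table_set|forward_set}\n" "$0"
      RETVAL=1
      ;;
  esac
  exit "$RETVAL"
}

main "$@"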