author | Evgeny Zinoviev <me@ch1p.io> | 2023-06-03 01:00:49 +0300 |
---|---|---|
committer | Evgeny Zinoviev <me@ch1p.io> | 2023-06-03 01:00:49 +0300 |
commit | 3e3753d726f8a02d98368f20f77dd9fa739e3d80 (patch) | |
tree | 09622bb713c8065952cf9cb37111285a5389bf09 /misc/openwrt/etc | |
parent | a1c7aff91f38473481590489f41b86d41df9a29d (diff) |
add various scripts to not lose them
Diffstat (limited to 'misc/openwrt/etc')
-rw-r--r-- | misc/openwrt/etc/hotplug.d/iface/99-ifup | 21 | ||||
-rw-r--r-- | misc/openwrt/etc/rc.local | 70 |
2 files changed, 91 insertions, 0 deletions
diff --git a/misc/openwrt/etc/hotplug.d/iface/99-ifup b/misc/openwrt/etc/hotplug.d/iface/99-ifup
new file mode 100644
index 0000000..e3562cd
--- /dev/null
+++ b/misc/openwrt/etc/hotplug.d/iface/99-ifup
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+tables="mts-azov rt-azov mts-il"
+net=
+
+case "$ACTION" in
+ ifup)
+ case "$INTERFACE" in
+ eth2)
+ net=192.168.7
+ ;;
+ eth3)
+ net=192.168.8
+ ;;
+ esac
+ if [ -z "$net" ]; then exit; fi
+ for t in $tables; do
+ ip r add ${net}.0/24 via ${net}.1 table $t
+ done
+ ;;
+esac
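Review bot: The inner `case` compares `$INTERFACE` with the device names `eth2`/`eth3`, but in OpenWrt iface hotplug events `INTERFACE` carries the logical UCI interface name while the physical device is passed in `DEVICE`, so unless the interfaces in /etc/config/network are literally named eth2 and eth3 this script never adds a route — worth confirming against the network config, or matching `case "$DEVICE" in` instead. `ip r add` is also not idempotent: if the route is still present (a repeated ifup, or rc.local in this same commit having already added the 192.168.7.0/24 and 192.168.8.0/24 routes to these tables) it fails with "File exists", so `ip route replace ${net}.0/24 via ${net}.1 table $t` is the safer form. Quoting `"$net"` and `"$t"` would keep shellcheck quiet as well, though the values here are script constants.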
\ No newline at end of file
diff --git a/misc/openwrt/etc/rc.local b/misc/openwrt/etc/rc.local
new file mode 100644
index 0000000..407d1eb
--- /dev/null
+++ b/misc/openwrt/etc/rc.local
@@ -0,0 +1,70 @@
+# Put your custom commands here that should be executed once
+# the system init finished. By default this file does nothing.
+
+TABLES="mts-azov rt-azov mts-il"
+
+# create ip sets
+for _table in $TABLES; do
+ ipset create $_table hash:net
+done
+
+# add untrusted cameras set
+ipset create ipcam hash:net
+for addr in $(seq 21 69); do
+ ipset add ipcam 192.168.5.${addr}
+done
+
+sleep 0.1
+
+# block internet access for untrusted cameras
+iptables -I FORWARD 1 -m set --match-set ipcam src ! -d 192.168.5.0 -j REJECT
+
+# add some default routing rules
+ipset add mts-azov 192.168.5.0/24 # everybody
+ipset add mts-azov 192.168.5.163 # cs1
+ipset add mts-azov 192.168.5.212 # cs2
+ipset add mts-azov 192.168.5.161 # cs3
+
+ipset add rt-azov 192.168.5.133 # roof2
+ipset add rt-azov 192.168.5.115 # room
+ipset add rt-azov 192.168.5.170 # room
+
+ipset add mts-il 192.168.5.120 # inv
+ipset add mts-il 192.168.5.223 # inv
+ipset add mts-il 192.168.5.143 # roof1
+
+# create rules
+ip rule add fwmark 100 table mts-azov
+ip rule add fwmark 101 table rt-azov
+ip rule add fwmark 102 table mts-il
+
+# set default route for each custom routing table
+ip route add default via 192.168.7.1 table mts-azov
+ip route add default via 192.168.8.1 table rt-azov
+ip route add default via 192.168.88.1 table mts-il # via mikrotik
+
+# fix local routes
+for _table in $TABLES; do
+ ip route add 192.168.5.0/24 via 192.168.5.1 table $_table
+ ip route add 192.168.6.0/24 via 192.168.88.1 table $_table
+ ip route add 192.168.7.0/24 via 192.168.7.1 table $_table
+ ip route add 192.168.8.0/24 via 192.168.8.1 table $_table
+ ip route add 192.168.88.0/24 via 192.168.88.1 table $_table
+done
+
+# iptables rules (see also /etc/firewall.user)
+sleep 0.5
+
+# pass already-marked packets
+iptables -t mangle -A PREROUTING -m mark ! --mark 0x0 -j ACCEPT
+
+iptables -t mangle -A PREROUTING -m set --match-set mts-azov src -j MARK --set-mark 0x64
+iptables -t mangle -A OUTPUT -m set --match-set mts-azov src -j MARK --set-mark 0x64
+
+iptables -t mangle -A PREROUTING -m set --match-set mts-il src -j MARK --set-mark 0x66
+iptables -t mangle -A OUTPUT -m set --match-set mts-il src -j MARK --set-mark 0x66
+
+iptables -t mangle -A PREROUTING -m set --match-set rt-azov src -j MARK --set-mark 0x65
+iptables -t mangle -A OUTPUT -m set --match-set rt-azov src -j MARK --set-mark 0x65
+
+exit 0
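Review bot: In the camera REJECT rule, `! -d 192.168.5.0` carries no prefix length, so iptables matches the single host 192.168.5.0/32 rather than the LAN — every forwarded packet from the ipcam set is rejected, including traffic to the 192.168.6/7/8/88.0/24 networks routed a few lines below; if the intent is "anything except the local network", the line should read `iptables -I FORWARD 1 -m set --match-set ipcam src ! -d 192.168.5.0/24 -j REJECT` (and if blocking those other subnets is deliberate, the comment should say so). The isolation also keys only on the IPv4 source address: a camera that changes its address leaves the ipcam set, this rule does not touch the router's own INPUT chain, and no ip6tables counterpart exists, so if the LAN carries IPv6 the cameras are not blocked there at all — a per-device control (MAC match or a separate VLAN/interface) is the more robust way to fence untrusted devices. Separately, `ipset create`, `ip rule add` and `ip route add` are not idempotent, so re-running rc.local after boot errors on the sets and duplicates the rules; `ipset create -exist` and `ip route replace` would make it safe to re-run.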