summaryrefslogtreecommitdiff
path: root/misc/openwrt/etc
diff options
context:
space:
mode:
authorEvgeny Zinoviev <me@ch1p.io>2023-06-03 01:00:49 +0300
committerEvgeny Zinoviev <me@ch1p.io>2023-06-03 01:00:49 +0300
commit3e3753d726f8a02d98368f20f77dd9fa739e3d80 (patch)
tree09622bb713c8065952cf9cb37111285a5389bf09 /misc/openwrt/etc
parenta1c7aff91f38473481590489f41b86d41df9a29d (diff)
add various scripts to not lose them
Diffstat (limited to 'misc/openwrt/etc')
-rw-r--r--misc/openwrt/etc/hotplug.d/iface/99-ifup21
-rw-r--r--misc/openwrt/etc/rc.local70
2 files changed, 91 insertions, 0 deletions
diff --git a/misc/openwrt/etc/hotplug.d/iface/99-ifup b/misc/openwrt/etc/hotplug.d/iface/99-ifup
new file mode 100644
index 0000000..e3562cd
--- /dev/null
+++ b/misc/openwrt/etc/hotplug.d/iface/99-ifup
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+tables="mts-azov rt-azov mts-il"
+net=
+
+case "$ACTION" in
+ ifup)
+ case "$INTERFACE" in
+ eth2)
+ net=192.168.7
+ ;;
+ eth3)
+ net=192.168.8
+ ;;
+ esac
+ if [ -z "$net" ]; then exit; fi
+ for t in $tables; do
+ ip r add ${net}.0/24 via ${net}.1 table $t
+ done
+ ;;
+esac \ No newline at end of file
diff --git a/misc/openwrt/etc/rc.local b/misc/openwrt/etc/rc.local
new file mode 100644
index 0000000..407d1eb
--- /dev/null
+++ b/misc/openwrt/etc/rc.local
@@ -0,0 +1,70 @@
+# Put your custom commands here that should be executed once
+# the system init finished. By default this file does nothing.
+
+TABLES="mts-azov rt-azov mts-il"
+
+# create ip sets
+for _table in $TABLES; do
+ ipset create $_table hash:net
+done
+
+# add untrusted cameras set
+ipset create ipcam hash:net
+for addr in $(seq 21 69); do
+ ipset add ipcam 192.168.5.${addr}
+done
+
+sleep 0.1
+
+# block internet access for untrusted cameras
+iptables -I FORWARD 1 -m set --match-set ipcam src ! -d 192.168.5.0 -j REJECT
+
+# add some default routing rules
+ipset add mts-azov 192.168.5.0/24 # everybody
+ipset add mts-azov 192.168.5.163 # cs1
+ipset add mts-azov 192.168.5.212 # cs2
+ipset add mts-azov 192.168.5.161 # cs3
+
+ipset add rt-azov 192.168.5.133 # roof2
+ipset add rt-azov 192.168.5.115 # room
+ipset add rt-azov 192.168.5.170 # room
+
+ipset add mts-il 192.168.5.120 # inv
+ipset add mts-il 192.168.5.223 # inv
+ipset add mts-il 192.168.5.143 # roof1
+
+# create rules
+ip rule add fwmark 100 table mts-azov
+ip rule add fwmark 101 table rt-azov
+ip rule add fwmark 102 table mts-il
+
+# set default route for each custom routing table
+ip route add default via 192.168.7.1 table mts-azov
+ip route add default via 192.168.8.1 table rt-azov
+ip route add default via 192.168.88.1 table mts-il # via mikrotik
+
+# fix local routes
+for _table in $TABLES; do
+ ip route add 192.168.5.0/24 via 192.168.5.1 table $_table
+ ip route add 192.168.6.0/24 via 192.168.88.1 table $_table
+ ip route add 192.168.7.0/24 via 192.168.7.1 table $_table
+ ip route add 192.168.8.0/24 via 192.168.8.1 table $_table
+ ip route add 192.168.88.0/24 via 192.168.88.1 table $_table
+done
+
+# iptables rules (see also /etc/firewall.user)
+sleep 0.5
+
+# pass already-marked packets
+iptables -t mangle -A PREROUTING -m mark ! --mark 0x0 -j ACCEPT
+
+iptables -t mangle -A PREROUTING -m set --match-set mts-azov src -j MARK --set-mark 0x64
+iptables -t mangle -A OUTPUT -m set --match-set mts-azov src -j MARK --set-mark 0x64
+
+iptables -t mangle -A PREROUTING -m set --match-set mts-il src -j MARK --set-mark 0x66
+iptables -t mangle -A OUTPUT -m set --match-set mts-il src -j MARK --set-mark 0x66
+
+iptables -t mangle -A PREROUTING -m set --match-set rt-azov src -j MARK --set-mark 0x65
+iptables -t mangle -A OUTPUT -m set --match-set rt-azov src -j MARK --set-mark 0x65
+
+exit 0