Diffstat (limited to 'misc/openwrt/etc/rc.local')
-rw-r--r--misc/openwrt/etc/rc.local70
1 files changed, 70 insertions, 0 deletions
diff --git a/misc/openwrt/etc/rc.local b/misc/openwrt/etc/rc.local
new file mode 100644
index 0000000..407d1eb
--- /dev/null
+++ b/misc/openwrt/etc/rc.local
@@ -0,0 +1,70 @@
+# Put your custom commands here that should be executed once
+# the system init finished. By default this file does nothing.
+
+TABLES="mts-azov rt-azov mts-il"
+
+# create ip sets
+for _table in $TABLES; do
+ ipset create $_table hash:net
+done
+
+# add untrusted cameras set
+ipset create ipcam hash:net
+for addr in $(seq 21 69); do
+ ipset add ipcam 192.168.5.${addr}
+done
+
+sleep 0.1
+
+# block internet access for untrusted cameras
+iptables -I FORWARD 1 -m set --match-set ipcam src ! -d 192.168.5.0 -j REJECT
+
+# add some default routing rules
+ipset add mts-azov 192.168.5.0/24 # everybody
+ipset add mts-azov 192.168.5.163 # cs1
+ipset add mts-azov 192.168.5.212 # cs2
+ipset add mts-azov 192.168.5.161 # cs3
+
+ipset add rt-azov 192.168.5.133 # roof2
+ipset add rt-azov 192.168.5.115 # room
+ipset add rt-azov 192.168.5.170 # room
+
+ipset add mts-il 192.168.5.120 # inv
+ipset add mts-il 192.168.5.223 # inv
+ipset add mts-il 192.168.5.143 # roof1
+
+# create rules
+ip rule add fwmark 100 table mts-azov
+ip rule add fwmark 101 table rt-azov
+ip rule add fwmark 102 table mts-il
+
+# set default route for each custom routing table
+ip route add default via 192.168.7.1 table mts-azov
+ip route add default via 192.168.8.1 table rt-azov
+ip route add default via 192.168.88.1 table mts-il # via mikrotik
+
+# fix local routes
+for _table in $TABLES; do
+ ip route add 192.168.5.0/24 via 192.168.5.1 table $_table
+ ip route add 192.168.6.0/24 via 192.168.88.1 table $_table
+ ip route add 192.168.7.0/24 via 192.168.7.1 table $_table
+ ip route add 192.168.8.0/24 via 192.168.8.1 table $_table
+ ip route add 192.168.88.0/24 via 192.168.88.1 table $_table
+done
+
+# iptables rules (see also /etc/firewall.user)
+sleep 0.5
+
+# pass already-marked packets
+iptables -t mangle -A PREROUTING -m mark ! --mark 0x0 -j ACCEPT
+
+iptables -t mangle -A PREROUTING -m set --match-set mts-azov src -j MARK --set-mark 0x64
+iptables -t mangle -A OUTPUT -m set --match-set mts-azov src -j MARK --set-mark 0x64
+
+iptables -t mangle -A PREROUTING -m set --match-set mts-il src -j MARK --set-mark 0x66
+iptables -t mangle -A OUTPUT -m set --match-set mts-il src -j MARK --set-mark 0x66
+
+iptables -t mangle -A PREROUTING -m set --match-set rt-azov src -j MARK --set-mark 0x65
+iptables -t mangle -A OUTPUT -m set --match-set rt-azov src -j MARK --set-mark 0x65
+
+exit 0
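Review bot: The camera block rule `iptables -I FORWARD 1 -m set --match-set ipcam src ! -d 192.168.5.0 -j REJECT` gives `-d` a bare address, which iptables treats as the single host 192.168.5.0/32, not the LAN; if the intent is to let the cameras reach the local network while blocking everything else, the destination should be `! -d 192.168.5.0/24`. As written the effect is stricter than the comment says rather than weaker, so internet access is still blocked. Separately, every `ipset create` in this file fails on a second run because the set already exists, and since the script does not `set -e` it just continues with stale sets; `ipset create -exist ipcam hash:net` (and the same in the `$TABLES` loop) keeps it re-runnable. The bare `sleep 0.1` / `sleep 0.5` appear to paper over an ordering dependency on firewall init that I cannot see from here; if the rules need to survive a firewall reload they likely belong in the `/etc/firewall.user` the comment already mentions.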