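# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
#
# Policy routing for the 192.168.5.0/24 LAN: hosts are grouped into ipsets,
# each set is mapped to a firewall mark, and each mark selects a routing
# table with its own default gateway.  Untrusted cameras (set "ipcam") are
# refused any *forwarded* traffic that leaves the LAN.
#
# Every step is written to be idempotent so the script can be re-run
# without "set already exists" failures or stacked duplicate rules.
#
# NOTE(review): "table <name>" needs the names below to be defined in
# /etc/iproute2/rt_tables; that is not checked here.
# NOTE(review): the netfilter rules are installed once at boot; a firewall
# reload presumably rebuilds the tables and drops them, which is likely why
# the original pointed at /etc/firewall.user.  Confirm where they should
# permanently live.
# NOTE(review): the ipcam REJECT is on FORWARD only; packets addressed to
# the router itself (INPUT) are not covered by this rule.

TABLES="mts-azov rt-azov mts-il"
LAN=192.168.5.0/24

# One fwmark per table.  The same value feeds both "ip rule" and
# "iptables --set-mark", so it is defined exactly once
# (100 = 0x64, 101 = 0x65, 102 = 0x66 as in the original rules).
MARK_MTS_AZOV=100
MARK_RT_AZOV=101
MARK_MTS_IL=102

# Append an iptables rule unless an identical rule is already present.
# $1 = netfilter table; remaining args = chain followed by the rule spec.
ipt_ensure() {
  _t=$1; shift
  iptables -t "$_t" -C "$@" 2>/dev/null || iptables -t "$_t" -A "$@"
}

# Mark packets whose source is in set $1 with mark $2, for forwarded
# (PREROUTING) and locally generated (OUTPUT) traffic alike.  MARK does not
# stop chain traversal, so a later, more specific set overrides the mark
# set by an earlier, broader one (the "everybody" /24 goes first below).
mark_set() {
  ipt_ensure mangle PREROUTING -m set --match-set "$1" src -j MARK --set-mark "$2"
  ipt_ensure mangle OUTPUT -m set --match-set "$1" src -j MARK --set-mark "$2"
}

# Install exactly one "fwmark $1 -> table $2" policy rule: remove any
# pre-existing copies first so repeated runs do not accumulate duplicates.
rule_ensure() {
  while ip rule del fwmark "$1" table "$2" 2>/dev/null; do :; done
  ip rule add fwmark "$1" table "$2"
}

# create ip sets (-exist: succeed if the set is already there)
for _table in $TABLES; do
  ipset -exist create "$_table" hash:net
done

# add untrusted cameras set: 192.168.5.21 .. 192.168.5.69
ipset -exist create ipcam hash:net
_addr=21
while [ "$_addr" -le 69 ]; do
  ipset -exist add ipcam "192.168.5.${_addr}"
  _addr=$((_addr + 1))
done
sleep 0.1   # kept from the original; its purpose is not stated

# block internet access for untrusted cameras: refuse any forwarded packet
# from the ipcam set whose destination is outside the LAN.  Inserted at the
# top of FORWARD so it takes precedence over whatever follows.
iptables -C FORWARD -m set --match-set ipcam src ! -d "$LAN" -j REJECT 2>/dev/null \
  || iptables -I FORWARD 1 -m set --match-set ipcam src ! -d "$LAN" -j REJECT

# set membership.  The whole LAN is in mts-azov; the individual hosts listed
# under it are already covered by the /24 and are kept from the original,
# presumably as documentation of which devices are meant to go that way.
ipset -exist add mts-azov "$LAN"          # everybody
ipset -exist add mts-azov 192.168.5.163   # cs1
ipset -exist add mts-azov 192.168.5.212   # cs2
ipset -exist add mts-azov 192.168.5.161   # cs3
ipset -exist add rt-azov 192.168.5.133    # roof2
ipset -exist add rt-azov 192.168.5.115    # room
ipset -exist add rt-azov 192.168.5.170    # room
ipset -exist add mts-il 192.168.5.120     # inv
ipset -exist add mts-il 192.168.5.223     # inv
ipset -exist add mts-il 192.168.5.143     # roof1

# map marks to routing tables
rule_ensure "$MARK_MTS_AZOV" mts-azov
rule_ensure "$MARK_RT_AZOV" rt-azov
rule_ensure "$MARK_MTS_IL" mts-il

# default route for each custom routing table ("replace" is idempotent)
ip route replace default via 192.168.7.1 table mts-azov
ip route replace default via 192.168.8.1 table rt-azov
ip route replace default via 192.168.88.1 table mts-il   # via mikrotik

# local networks must stay reachable from every custom table, otherwise the
# table's default route would send LAN-to-LAN traffic out of the uplink
for _table in $TABLES; do
  ip route replace 192.168.5.0/24 via 192.168.5.1 table "$_table"
  ip route replace 192.168.6.0/24 via 192.168.88.1 table "$_table"
  ip route replace 192.168.7.0/24 via 192.168.7.1 table "$_table"
  ip route replace 192.168.8.0/24 via 192.168.8.1 table "$_table"
  ip route replace 192.168.88.0/24 via 192.168.88.1 table "$_table"
done

# iptables rules (see also /etc/firewall.user)
sleep 0.5   # kept from the original; its purpose is not stated

# pass already-marked packets untouched
ipt_ensure mangle PREROUTING -m mark ! --mark 0x0 -j ACCEPT

# order matters: the broad "everybody" set first, specific sets after it
mark_set mts-azov "$MARK_MTS_AZOV"
mark_set mts-il "$MARK_MTS_IL"
mark_set rt-azov "$MARK_RT_AZOV"

exit 0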