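# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
#
# Policy routing and camera isolation for the 192.168.5.0/24 LAN:
#   - one ipset + routing table per uplink (TABLES), chosen by fwmark
#   - an "ipcam" ipset of untrusted hosts that may only reach the local /24
#
# Runs under busybox /bin/sh, so it stays POSIX (no bashisms). Every step is
# written to be safe to re-run (e.g. `sh /etc/rc.local` after editing it):
# sets and entries use -exist, routes use `replace`, iptables rules are
# only added when an identical one is absent.
#
# NOTE(review): an OpenWrt firewall reload (fw3) flushes the iptables tables
# it manages, which removes the REJECT and MARK rules installed below until
# the next boot. Rules that must survive a reload belong in
# /etc/firewall.user, which the firewall re-runs on every reload.

TABLES="mts-azov rt-azov mts-il"

# One fwmark per table. The same variable feeds both `ip rule` and
# `--set-mark`, so the two cannot drift apart (100=0x64, 101=0x65, 102=0x66).
MARK_MTS_AZOV=100
MARK_RT_AZOV=101
MARK_MTS_IL=102

# Append an iptables rule unless an identical one is already present.
# $1 = table, $2 = chain, remaining args = rule specification.
ipt_append() {
	_tbl=$1
	_chain=$2
	shift 2
	# -C fails (and is silenced) when the rule is absent, which is the
	# normal first-boot case
	iptables -t "$_tbl" -C "$_chain" "$@" 2>/dev/null ||
		iptables -t "$_tbl" -A "$_chain" "$@"
}

# Install a fwmark -> table policy rule.
# $1 = fwmark, $2 = routing table name.
add_fwmark_rule() {
	# `ip rule add` happily stacks duplicates; remove a matching rule first
	# so re-runs stay clean. The delete fails silently on first boot.
	ip rule del fwmark "$1" table "$2" 2>/dev/null
	ip rule add fwmark "$1" table "$2"
}

# create ip sets (-exist: ignore "set already exists" on re-run)
for _table in $TABLES; do
	ipset -exist create "$_table" hash:net
done

# add untrusted cameras set: 192.168.5.21 .. 192.168.5.69 inclusive
ipset -exist create ipcam hash:net
_addr=21
while [ "$_addr" -le 69 ]; do
	ipset -exist add ipcam "192.168.5.$_addr"
	_addr=$((_addr + 1))
done

# presumably gives the kernel a moment before the new sets are referenced
# by iptables — TODO confirm this delay is still needed
sleep 0.1

# block internet access for untrusted cameras: any forwarded packet from an
# ipcam host that is not destined to the local /24 is rejected. The rule
# is inserted at position 1 so no earlier FORWARD rule can accept it.
iptables -C FORWARD -m set --match-set ipcam src ! -d 192.168.5.0/24 -j REJECT 2>/dev/null ||
	iptables -I FORWARD 1 -m set --match-set ipcam src ! -d 192.168.5.0/24 -j REJECT

# add some default routing rules
# NOTE: the /24 catch-all already covers cs1..cs3; the explicit entries are
# kept so the host list stays visible here.
ipset -exist add mts-azov 192.168.5.0/24 # everybody
ipset -exist add mts-azov 192.168.5.163  # cs1
ipset -exist add mts-azov 192.168.5.212  # cs2
ipset -exist add mts-azov 192.168.5.161  # cs3

ipset -exist add rt-azov  192.168.5.133  # roof2
ipset -exist add rt-azov  192.168.5.115  # room
ipset -exist add rt-azov  192.168.5.170  # room

ipset -exist add mts-il   192.168.5.120  # inv
ipset -exist add mts-il   192.168.5.223  # inv
ipset -exist add mts-il   192.168.5.143  # roof1

# create rules (fwmark -> routing table)
add_fwmark_rule "$MARK_MTS_AZOV" mts-azov
add_fwmark_rule "$MARK_RT_AZOV"  rt-azov
add_fwmark_rule "$MARK_MTS_IL"   mts-il

# set default route for each custom routing table
# (named tables are assumed to be declared in /etc/iproute2/rt_tables —
# not visible from this file)
ip route replace default via 192.168.7.1 table mts-azov
ip route replace default via 192.168.8.1 table rt-azov
ip route replace default via 192.168.88.1 table mts-il # via mikrotik

# fix local routes: each custom table must still reach the other LANs
# directly instead of sending them out the table's default uplink
for _table in $TABLES; do
	ip route replace 192.168.5.0/24 via 192.168.5.1 table "$_table"
	ip route replace 192.168.6.0/24 via 192.168.88.1 table "$_table"
	ip route replace 192.168.7.0/24 via 192.168.7.1 table "$_table"
	ip route replace 192.168.8.0/24 via 192.168.8.1 table "$_table"
	ip route replace 192.168.88.0/24 via 192.168.88.1 table "$_table"
done

# iptables rules (see also /etc/firewall.user)
sleep 0.5

# pass already-marked packets: ACCEPT in mangle ends traversal of this
# chain, so a packet that arrives with a mark keeps it
ipt_append mangle PREROUTING -m mark ! --mark 0x0 -j ACCEPT

# MARK does not stop chain traversal, so when a host is in several sets the
# last matching rule wins: the per-host sets (mts-il, rt-azov) must come
# after the /24 catch-all in mts-azov. Order inside each chain is what
# matters; PREROUTING and OUTPUT get the same sequence.
for _chain in PREROUTING OUTPUT; do
	ipt_append mangle "$_chain" -m set --match-set mts-azov src -j MARK --set-mark "$MARK_MTS_AZOV"
	ipt_append mangle "$_chain" -m set --match-set mts-il src -j MARK --set-mark "$MARK_MTS_IL"
	ipt_append mangle "$_chain" -m set --match-set rt-azov src -j MARK --set-mark "$MARK_RT_AZOV"
done

exit 0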