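#!/bin/bash
#
# 40_customfirewall - Custom firewall
#
# Reads /etc/default/customfirewall and sets up three things:
#   * extra addresses on interfaces      ($ADDRESSES, entries "interface,ip")
#   * DNAT forwards in the nat table     ($FORWARDS,  entries "ip,destination[,proto[,port]]")
#   * policy-routing rules at prio 1900 sending traffic for every forward
#     destination through the "bonding-pwan" routing table
# Both lists are whitespace-separated; fields within an entry are comma-separated.
#
# NOTE(security): the defaults file is *sourced*, i.e. executed as shell code
# with this script's (root) privileges. It must be root-owned and not writable
# by anyone else; nothing below validates its contents beyond the field split,
# and the values end up as iptables / ip arguments.
#
PATH="/bin:/sbin:/usr/bin:/usr/sbin"
NAME="40_customfirewall"
CHAIN="customfirewall_prerouting"
RULE_PRIO="1900"
RULE_TABLE="bonding-pwan"   # presumably declared in /etc/iproute2/rt_tables — confirm on target hosts

test -f /etc/default/customfirewall || { exit 0; }
# shellcheck source=/dev/null
source /etc/default/customfirewall

# Diagnostics go to stderr so they do not mix with status output.
warn() { printf '%s: %s\n' "$NAME" "$*" >&2; }

#######################################
# Print each distinct forward destination once, one per line.
# The field order MUST match the one used in start():
#   ip,destination[,proto[,port]]
# (the previous version read "ip,proto,port,destination" here and therefore
# created routing rules for the port field instead of the destination).
# Globals:  FORWARDS (read)
# Outputs:  destinations on stdout
#######################################
get_destination_ips() {
  local rule_def match_ip destination proto port
  # $FORWARDS is a whitespace-separated list of entries; splitting is intended.
  # shellcheck disable=SC2086
  for rule_def in $FORWARDS ; do
    IFS=, read -r match_ip destination proto port <<< "$rule_def"
    [ -n "$destination" ] && printf '%s\n' "$destination"
  done | sort -u
}

#######################################
# Create the nat chain, add addresses, DNAT rules and routing rules.
# Globals:  ADDRESSES, FORWARDS (read); CHAIN, RULE_PRIO, RULE_TABLE, NAME
# Returns:  status of the last command run
#######################################
start() {
  local address_def iface addr
  local rule_def match_ip destination proto port dest
  local -a proto_opts

  log_progress_msg "$NAME"

  iptables -t nat -N "$CHAIN"
  iptables -t nat -I PREROUTING -j "$CHAIN"

  # shellcheck disable=SC2086
  for address_def in $ADDRESSES ; do
    IFS=, read -r iface addr <<< "$address_def"
    if [ -z "$iface" ] || [ -z "$addr" ] ; then
      warn "skipping malformed ADDRESSES entry '$address_def' (want interface,ip)"
      continue
    fi
    ip addr add "$addr" dev "$iface"
  done

  # shellcheck disable=SC2086
  for rule_def in $FORWARDS ; do
    IFS=, read -r match_ip destination proto port <<< "$rule_def"
    if [ -z "$match_ip" ] || [ -z "$destination" ] ; then
      warn "skipping malformed FORWARDS entry '$rule_def' (want ip,destination[,proto[,port]])"
      continue
    fi
    # Rebuilt for every rule: previously proto_opts was never reset, so a rule
    # without a protocol inherited the -p/--dport of the rule before it.
    proto_opts=()
    if [ -n "$proto" ] ; then
      proto_opts+=(-p "$proto")
      # --dport is only valid together with a protocol, hence the nesting.
      if [ -n "$port" ] ; then
        proto_opts+=(--dport "$port")
      fi
    fi
    iptables -t nat -A "$CHAIN" -d "$match_ip" "${proto_opts[@]}" -j DNAT --to-destination "$destination"
  done

  for dest in $(get_destination_ips) ; do
    ip rule add to "$dest" lookup "$RULE_TABLE" prio "$RULE_PRIO"
  done
}

#######################################
# Undo start(); every step is best effort so stop works on a half-configured host.
# Arguments: $1 - "quiet" suppresses the LSB progress message
# Globals:   ADDRESSES (read); CHAIN, RULE_PRIO, NAME
#######################################
stop() {
  local address_def iface addr

  if [ "$1" != quiet ] ; then
    log_progress_msg "$NAME"
  fi

  # Routing rules are identified only by their priority, so anything else at
  # that prio is removed as well; that is how start() tagged them. The
  # `|| break` keeps this from spinning forever when the delete fails (e.g.
  # not running as root) while `ip rule` still lists the entries.
  while ip rule | grep -qe "^${RULE_PRIO}:" ; do
    ip rule del prio "$RULE_PRIO" 2>/dev/null || break
  done

  # shellcheck disable=SC2086
  for address_def in $ADDRESSES ; do
    IFS=, read -r iface addr <<< "$address_def"
    if [ -z "$iface" ] || [ -z "$addr" ] ; then
      continue
    fi
    ip addr del "$addr" dev "$iface" 2>/dev/null || :
  done

  # The chain may not exist yet (fresh boot) or may be partially set up.
  iptables -t nat -D PREROUTING -j "$CHAIN" 2>/dev/null || :
  iptables -t nat -F "$CHAIN" 2>/dev/null || :
  iptables -t nat -X "$CHAIN" 2>/dev/null || :
}

# Show the DNAT chain with packet/byte counters.
status() {
  iptables -t nat -nvL "$CHAIN"
}

test -f /lib/lsb/init-functions && . /lib/lsb/init-functions
# Without the LSB helpers, log_progress_msg would fail with "command not found".
command -v log_progress_msg >/dev/null 2>&1 || log_progress_msg() { :; }

case "$1" in
  start)
    # Clear any leftovers first so a repeated start does not duplicate rules.
    stop quiet
    start
    ;;
  stop)
    stop
    ;;
  restart|force-reload)
    stop
    start
    ;;
  status)
    status
    exit 0
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|force-reload|status}"
    exit 1
    ;;
esac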