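#!/bin/sh
##
# VERY simple access control script for leeenux
#
# Called by the NoCat gateway to open or close the captive-portal
# firewall for one client:
#
#   access.fw [permit|deny] [MAC] [IP] [Class]
#
# InternalDevice is read from the environment (presumably exported by
# the caller); when it is set the per-client accounting rules are bound
# to that interface, otherwise they match on address only.
#
# Every value is handed to iptables as one quoted word, and MAC/IP are
# checked against a character whitelist first, so a malformed value is
# rejected here instead of being word-split into extra iptables options.
##

export PATH=/tmp/sbin:/tmp/bin:/bin:/usr/bin:/sbin:/usr/sbin

# Print a fatal diagnostic on stderr and exit non-zero.
die() {
  printf 'FATAL: %s\n' "$*" >&2
  exit 1
}

action=$1
mac=$2
ip=$3
class=$4

if [ -z "$action" ] || [ -z "$mac" ] || [ -z "$ip" ] || [ -z "$class" ]; then
  printf 'Usage: %s [permit|deny] [MAC] [IP] [Class]\n' "$0" >&2
  # Class names are matched case-sensitively below, so the example uses "Member".
  printf 'Example: %s permit 00:02:2d:aa:bb:cc 10.0.0.105 Member\n' "$0" >&2
  exit 1
fi

# Character whitelists, not full parsers: a MAC is hex digits with ':' or
# '-' separators; an IPv4/IPv6 address may carry a '/prefix'.  Anything
# else (whitespace, option dashes in odd places, ...) is refused; iptables
# still does the real syntax check on what passes.
case $mac in
  *[!0-9a-fA-F:-]*) die "Bad MAC: $mac!" ;;
esac
case $ip in
  *[!0-9a-fA-F:./]*) die "Bad IP: $ip!" ;;
esac

case $action in
  permit)
    # I prefer that the older connections fall off the end of the table -TJ
    cmd=-I
    pos=2
    ;;
  deny)
    # -D takes no position; pos stays empty and is omitted entirely below.
    cmd=-D
    pos=
    ;;
  *)
    die "Bad action: $action!"
    ;;
esac

case $class in
  Owner)  mark=1 ;;
  Member) mark=2 ;;
  Public) mark=3 ;;
  *)      die "Bad class: $class!" ;;
esac

# Exit status of the script: non-zero if any iptables call failed.  We do
# not stop at the first failure so that a deny still removes every rule
# it can (a half-removed client would keep partial access).
rc=0

# Mark outbound traffic from this node.
# Because we use insert, we must insert below rule 1,
# since rule 1 starts out by marking packets not authed via this chain as such (class 4)
# ${pos:+"$pos"} expands to one word for permit and to nothing for deny;
# a plain "$pos" would pass an empty argument that iptables rejects.
iptables -t mangle "$cmd" NoCat ${pos:+"$pos"} -m mac --mac-source "$mac" -s "$ip" -j MARK --set-mark "$mark" || rc=$?

# Traffic counting in FORWARDED chains
if [ -n "$InternalDevice" ]; then
  iptables -t filter "$cmd" NoCat_Download -o "$InternalDevice" -d "$ip" -j RETURN || rc=$?
  iptables -t filter "$cmd" NoCat_Upload -i "$InternalDevice" -s "$ip" -j RETURN || rc=$?
else
  iptables -t filter "$cmd" NoCat_Download -d "$ip" -j RETURN || rc=$?
  iptables -t filter "$cmd" NoCat_Upload -s "$ip" -j RETURN || rc=$?
fi

# Mark inbound RELATED,ESTABLISHED traffic to this node as ACCEPT
iptables -t filter "$cmd" NoCat_Inbound -d "$ip" -m state --state RELATED,ESTABLISHED -j ACCEPT || rc=$?
#echo 0

# Ende
exit "$rc"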