blob: 8f36ed8fa017bd964ec7436558fc396215454d58 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
#!/bin/sh -e
net_robinson=$(uci get cloud.cur.net_robinson)
net_fake=$( uci get cloud.cur.net_fake)
net_mesh=$( uci get cloud.cur.net_mesh)
# flush PREROUTING chains; we catch all packets with the cases
# detailed below
iptables -t nat -F PREROUTING
## robinson net
# create chains for the robinson fake net (depending on the inetable
# state, this is used to route all TCP traffic to a local web server
# or relay all traffic to the intended target):
# - prerouting_robinson_fake: traffic destinated to the fake net
# - prerouting_robinson_inet: traffic destinated to anything outside
# the robinson net
iptables -t nat -N prerouting_robinson_inet
iptables -t nat -N prerouting_robinson_fake
iptables -t nat -A PREROUTING -i br-mesh -d $net_fake \
-j prerouting_robinson_fake
iptables -t nat -A PREROUTING -i br-mesh ! -d $net_robinson \
-j prerouting_robinson_inet
# reject all packets to the robinson fake net that have not been
# catched by a nat rule in the preceeding chains
iptables -t filter -I forward -d $net_fake \
-j REJECT --reject-with icmp-net-unreachable
## splash
# create chains executed for splashed/unsplashed users when trying to
# reach the internet
for mode in splashed unsplashed; do
iptables -t nat -N prerouting_inet_$mode
iptables -t nat -A PREROUTING -s $net_mesh ! -d $net_mesh \
-j prerouting_inet_$mode
done
# route everything
iptables -I FORWARD -j ACCEPT
iptables -I FORWARD -i br-mesh -d 192.168.0.0/16 -j DROP
|
