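# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
#
# Policy-based routing for the 192.168.5.0/24 LAN plus an egress block for
# the IP-camera address range.  Every LAN host leaves through the "mts-azov"
# uplink unless its address is also in one of the more specific sets.
#
# Runs once at boot.  Commands below are written so the file can also be
# re-run by hand without stacking duplicates (ipset -exist, ip route replace,
# iptables -C guard); nothing here aborts on error and the file always
# exits 0, so check the console/log output if something does not take effect.
#
# Requires: ipset, iptables with the "set" and "mark" matches, iproute2 with
# the table names below declared in /etc/iproute2/rt_tables.

# Routing-table names.  Word-split on purpose (POSIX sh, no arrays), so the
# names must not contain whitespace.
TABLES="mts-azov rt-azov mts-il"

# Add an iptables rule only when an identical rule is not already present.
#   $1    = table (filter, mangle, ...)
#   $2    = -I (insert at top) or -A (append)
#   $3... = chain followed by the rule specification
# `-C` exits non-zero and prints to stderr when the rule is absent, which is
# the normal path on first boot, so that stderr is deliberately silenced.
ipt_add() {
  _tbl=$1
  _how=$2
  shift 2
  iptables -t "$_tbl" -C "$@" 2>/dev/null || iptables -t "$_tbl" "$_how" "$@"
}

# --- ip sets ---------------------------------------------------------------
# One hash:net set per routing table; membership of a source address decides
# which uplink it is routed through.  -exist makes create/add idempotent.
for _table in $TABLES; do
  ipset create -exist "$_table" hash:net
done

# Untrusted cameras: the fixed range 192.168.5.21 - 192.168.5.69.
# The REJECT rule below is keyed on source address, so it only holds while the
# cameras keep addresses inside this range (static leases / reservations);
# a camera that obtains a different address is not covered by it.
ipset create -exist ipcam hash:net
for addr in $(seq 21 69); do
  ipset add -exist ipcam "192.168.5.${addr}"
done

# short settle time before the sets are referenced from iptables (kept from
# the original; presumably avoids a race with set creation -- not verified)
sleep 0.1

# --- block internet access for untrusted cameras ---------------------------
# Cameras may only talk to the local /24; everything else they originate is
# rejected in FORWARD.  `-I FORWARD` without a position inserts at rule 1,
# so it is evaluated before the firewall's own accept rules.
# IPv4 only: if IPv6 is enabled on this LAN the cameras are not restricted
# by this rule and an equivalent ip6tables rule (or disabling IPv6 on the
# camera segment) is needed.
ipt_add filter -I FORWARD -m set --match-set ipcam src ! -d 192.168.5.0/24 -j REJECT

# --- set membership ----------------------------------------------------------
# mts-azov holds the whole /24 ("everybody"); the mangle rules further down
# evaluate it first and let the more specific sets overwrite the mark, so
# hosts listed in rt-azov / mts-il end up on those uplinks instead.
ipset add -exist mts-azov 192.168.5.0/24   # everybody
ipset add -exist mts-azov 192.168.5.163    # cs1 (covered by the /24; kept as documentation)
ipset add -exist mts-azov 192.168.5.212    # cs2 (covered by the /24; kept as documentation)
ipset add -exist mts-azov 192.168.5.161    # cs3 (covered by the /24; kept as documentation)

ipset add -exist rt-azov 192.168.5.133     # roof2
ipset add -exist rt-azov 192.168.5.115     # room
ipset add -exist rt-azov 192.168.5.170     # room

ipset add -exist mts-il 192.168.5.120      # inv
ipset add -exist mts-il 192.168.5.223      # inv
ipset add -exist mts-il 192.168.5.143      # roof1

# --- policy rules: fwmark -> routing table -----------------------------------
# Decimal here, hex in the mangle rules: 100 = 0x64, 101 = 0x65, 102 = 0x66.
# NOTE: `ip rule add` is not guarded; a manual re-run may leave duplicate
# (functionally harmless) rules -- inspect with `ip rule show`.
ip rule add fwmark 100 table mts-azov
ip rule add fwmark 101 table rt-azov
ip rule add fwmark 102 table mts-il

# --- default route for each custom routing table ---------------------------
# `replace` instead of `add` so a re-run updates the route rather than
# failing with "File exists".
ip route replace default via 192.168.7.1 table mts-azov
ip route replace default via 192.168.8.1 table rt-azov
ip route replace default via 192.168.88.1 table mts-il   # via mikrotik

# --- keep the local networks reachable from every custom table ------------
# Without these, a marked packet looked up in a custom table would only see
# that table's default route and local subnets would be sent to the uplink.
for _table in $TABLES; do
  ip route replace 192.168.5.0/24 via 192.168.5.1 table "$_table"
  ip route replace 192.168.6.0/24 via 192.168.88.1 table "$_table"
  ip route replace 192.168.7.0/24 via 192.168.7.1 table "$_table"
  ip route replace 192.168.8.0/24 via 192.168.8.1 table "$_table"
  ip route replace 192.168.88.0/24 via 192.168.88.1 table "$_table"
done

# --- iptables rules (see also /etc/firewall.user) --------------------------
# NOTE(review): these rules are added outside the firewall configuration, so a
# firewall reload that flushes the tables would presumably drop them until the
# next boot; /etc/firewall.user is the place that survives a reload -- verify
# on this system.
sleep 0.5

# pass already-marked packets (ACCEPT in mangle ends evaluation of this chain)
ipt_add mangle -A PREROUTING -m mark ! --mark 0x0 -j ACCEPT

# source set -> fwmark.  PREROUTING covers forwarded LAN traffic, OUTPUT the
# router's own traffic.  MARK is non-terminating, so rule order matters:
# the catch-all mts-azov (whole /24) is first and the specific sets after it
# overwrite the mark for their members.
ipt_add mangle -A PREROUTING -m set --match-set mts-azov src -j MARK --set-mark 0x64
ipt_add mangle -A OUTPUT -m set --match-set mts-azov src -j MARK --set-mark 0x64

ipt_add mangle -A PREROUTING -m set --match-set mts-il src -j MARK --set-mark 0x66
ipt_add mangle -A OUTPUT -m set --match-set mts-il src -j MARK --set-mark 0x66

ipt_add mangle -A PREROUTING -m set --match-set rt-azov src -j MARK --set-mark 0x65
ipt_add mangle -A OUTPUT -m set --match-set rt-azov src -j MARK --set-mark 0x65

exit 0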