From: <kr...@us...> - 2006-09-08 15:26:17
Revision: 358
http://svn.sourceforge.net/astlinux/?rev=358&view=rev
Author: krisk84
Date: 2006-09-08 08:26:12 -0700 (Fri, 08 Sep 2006)
Log Message:
-----------
initial internet failover config
Modified Paths:
--------------
trunk/package/iptables/astfw
trunk/target/generic/target_skeleton/etc/init.d/network
trunk/target/generic/target_skeleton/stat/etc/rc.conf
Modified: trunk/package/iptables/astfw
===================================================================
--- trunk/package/iptables/astfw 2006-09-07 04:39:01 UTC (rev 357)
+++ trunk/package/iptables/astfw 2006-09-08 15:26:12 UTC (rev 358)
@@ -40,6 +40,13 @@
 modprobe ip_nat_tftp
 modprobe ip_nat_irc
+if [ "$EXTIP" -a "$EXT2IP" ]
+then
+EXTIFS="$EXTIF $EXT2IF"
+else
+EXTIFS="$EXTIF"
+fi
+
 #Allow traffic with loopback
 iptables -A INPUT -i lo -j ACCEPT
@@ -64,22 +71,28 @@
 if [ "$DMZIF" ]
 then
+for i in $EXTIFS
+do
 if [ "$DMZTYPE" = "extonly" ]
 then
-#Pass traffic out EXTIF
-iptables -A FORWARD -i $DMZIF -o $EXTIF -j ACCEPT
+#Pass traffic out EXTIFs
+iptables -A FORWARD -i $DMZIF -o $i -j ACCEPT
 #DNS, ICMP support to AstLinux machine
 iptables -A INPUT -i $DMZIF -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
 iptables -A INPUT -i $DMZIF -p icmp --icmp-type any -j ACCEPT
 fi
+done
+for i in $EXTIFS
+do
 if [ "$DMZTYPE" = "extme" ]
 then
-#Pass traffic out EXTIF
-iptables -A FORWARD -i $DMZIF -o $EXTIF -j ACCEPT
+#Pass traffic out EXTIFs
+iptables -A FORWARD -i $DMZIF -o $i -j ACCEPT
 # Allow all traffic to AstLinux machine
 iptables -A INPUT -i $DMZIF -j ACCEPT
 fi
+done
 if [ "$DMZTYPE" = "open" ]
 then
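Review bot: The EXTIFS selector at the top of the first hunk keys on `"$EXTIP" -a "$EXT2IP"`, while the network script in this same commit brings the backup interface up on `"$EXT2IP" -a "$EXT2IF"`, so a box with a DHCP primary (EXTIP unset) and a static EXT2IF gets a configured, routed backup interface that this firewall never loads FORWARD, INPUT or MASQUERADE rules for. That presumably fails closed given the default-deny tail of this file, but it silently defeats the failover the commit is adding, and the two scripts should agree on one gate. I would make this `if [ "$EXTIP" -a "$EXT2IP" -a "$EXT2IF" ]` and have the network script test the same three variables, or derive the list once in rc.conf and have both scripts consume it.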
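Review bot: Both `for i in $EXTIFS` loops in the DMZ hunk wrap the whole DMZTYPE test, so the INPUT rules inside (`--dport 53`, the `icmp` accept, and the blanket `iptables -A INPUT -i $DMZIF -j ACCEPT`) are appended once per external interface even though none of them references `$i`; with EXT2IF set every one of them is duplicated in INPUT. Only the FORWARD line varies per interface, so the loop should enclose just that line, `for i in $EXTIFS; do iptables -A FORWARD -i $DMZIF -o $i -j ACCEPT; done`, with the INPUT rules left outside it. Duplicate rules do not change the policy, but they make the ruleset harder to audit and a later `-D` of one copy leaves the other in place. The `if [ "$DMZIF" ]` block continues past the end of the hunk.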
@@ -117,30 +130,38 @@
 PORT=`echo $i | tr -d itu`
+for i in $EXTIFS
+do
 if [ "$PROTOCOL" = "icmp" ]
 then
-iptables -A INPUT -i $EXTIF -m icmp -p icmp --icmp-type $PORT -j ACCEPT
+iptables -A INPUT -i $i -m icmp -p icmp --icmp-type $PORT -j ACCEPT
 else
-iptables -A INPUT -m state --state NEW -i $EXTIF -m $PROTOCOL -p $PROTOCOL --dport $PORT -j ACCEPT
+iptables -A INPUT -m state --state NEW -i $i -m $PROTOCOL -p $PROTOCOL --dport $PORT -j ACCEPT
 fi
+done
 done
 fi
 #allow forwaring from each interface to the internet...
-iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
+for i in $EXTIFS
+do
+iptables -A FORWARD -i $INTIF -o $i -j ACCEPT
 if [ "$INT2IF" ]
 then
-iptables -A FORWARD -i $INT2IF -o $EXTIF -j ACCEPT
+iptables -A FORWARD -i $INT2IF -o $i -j ACCEPT
 fi
 if [ "$INT3IF" ]
 then
-iptables -A FORWARD -i $INT3IF -o $EXTIF -j ACCEPT
+iptables -A FORWARD -i $INT3IF -o $i -j ACCEPT
 fi
+done
 #Setup 1:1 Maps...
+for i in $EXTIFS
+do
 if [ "$EXTMAP10" ]
 then
 COUNT=10
@@ -156,11 +177,11 @@
 then
 NATEXTIP=`echo $IPLINE | cut -d"=" -f2`
 NATINTIP=`echo $IPLINE | cut -d"=" -f3`
- ifconfig $EXTIF:$IFALIAS $NATEXTIP netmask $EXTNM
- iptables -t nat -A PREROUTING -d $NATEXTIP -i $EXTIF -j DNAT --to-destination $NATINTIP
- iptables -t nat -A POSTROUTING -s $NATEXTIP -o $EXTIF -j SNAT --to-source $NATINTIP
- iptables -t nat -A POSTROUTING -s $NATINTIP -o $EXTIF -j SNAT --to-source $NATEXTIP
- # iptables -A FORWARD -i $EXTIF -o $INTIF -d $NATINTIP -m state --state NEW -j ACCEPT
+ ifconfig $i:$IFALIAS $NATEXTIP netmask $EXTNM
+ iptables -t nat -A PREROUTING -d $NATEXTIP -i $i -j DNAT --to-destination $NATINTIP
+ iptables -t nat -A POSTROUTING -s $NATEXTIP -o $i -j SNAT --to-source $NATINTIP
+ iptables -t nat -A POSTROUTING -s $NATINTIP -o $i -j SNAT --to-source $NATEXTIP
+ # iptables -A FORWARD -i $i -o $INTIF -d $NATINTIP -m state --state NEW -j ACCEPT
 if [ $PORTMAP ]
 then
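Review bot: The new `for i in $EXTIFS` in the port-opening block reuses `i`, which is also the variable of the enclosing loop (its `PORT=`echo $i | tr -d itu`` line and closing `done` are visible in the hunk), and the 1:1-map `for i in $EXTIFS` at the bottom of the hunk likewise wraps a later `for i in $PORTS`. It works today only because PORT and PROTOCOL are computed before the inner loop and sh reassigns the outer variable on every pass, but anything that reads `$i` after the inner `done` sees an interface name instead of the port spec, and the 1:1-map case already trips over this in the next file hunk. I would give the interface loops their own name, `for ext in $EXTIFS` with `-i $ext` / `-o $ext`, in all three loops added here. The enclosing port loop starts before this hunk and the 1:1-map loop ends after it.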
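Review bot: `ifconfig $i:$IFALIAS $NATEXTIP netmask $EXTNM` now runs for the backup interface as well, binding the primary uplink's 1:1 public address, with the primary's netmask (`$EXTNM`, not `$EXT2NM`), onto EXT2IF. I cannot tell from here whether the two uplinks share a subnet, but if they do not this advertises an address the backup provider does not route and installs a connected route for the primary subnet via EXT2IF, which can black-hole return traffic even while the primary is healthy. The DNAT/SNAT rules keyed on `-i $i` / `-o $i` are reasonable to repeat per interface, but the alias should stay on EXTIF only unless a per-interface map and netmask are added. The `if [ $PORTMAP ]` body continues past the end of the hunk.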
@@ -168,8 +189,8 @@
 (IFS=:
 for i in $PORTS
 do
- iptables -A FORWARD -i $EXTIF -o $INTIF -d $NATINTIP -m state --state NEW -p tcp -m multiport --dport $i -j ACCEPT
- iptables -A FORWARD -i $EXTIF -o $INTIF -d $NATINTIP -m state --state NEW -p udp -m multiport --dport $i -j ACCEPT
+ iptables -A FORWARD -i $i -o $INTIF -d $NATINTIP -m state --state NEW -p tcp -m multiport --dport $i -j ACCEPT
+ iptables -A FORWARD -i $i -o $INTIF -d $NATINTIP -m state --state NEW -p udp -m multiport --dport $i -j ACCEPT
 done)
 fi
@@ -185,19 +206,23 @@
 done
 fi
+done
 #turn on NAT (PAT) for everything\everyone else...
-iptables -t nat -A POSTROUTING -s $IPBASE.0/$INTNM -o $EXTIF -j MASQUERADE
+for i in $EXTIFS
+do
+iptables -t nat -A POSTROUTING -s $IPBASE.0/$INTNM -o $i -j MASQUERADE
 if [ "$INT2IF" ]
 then
-iptables -t nat -A POSTROUTING -s $IP2BASE.0/$INT2NM -o $EXTIF -j MASQUERADE
+iptables -t nat -A POSTROUTING -s $IP2BASE.0/$INT2NM -o $i -j MASQUERADE
 fi
 if [ "$INT3IF" ]
 then
-iptables -t nat -A POSTROUTING -s $IP3BASE.0/$INT3NM -o $EXTIF -j MASQUERADE
+iptables -t nat -A POSTROUTING -s $IP3BASE.0/$INT3NM -o $i -j MASQUERADE
 fi
+done
 #Default Deny FOR ALL REMAINING INTERFACES
 iptables -A INPUT -j $DACTION
Modified: trunk/target/generic/target_skeleton/etc/init.d/network
===================================================================
--- trunk/target/generic/target_skeleton/etc/init.d/network 2006-09-07 04:39:01 UTC (rev 357)
+++ trunk/target/generic/target_skeleton/etc/init.d/network 2006-09-08 15:26:12 UTC (rev 358)
@@ -127,6 +127,11 @@
 ifconfig $EXTIF hw ether $EXTIFMAC 2>/dev/null
 fi
+if [ "$EXT2IF" -a "$EXT2IFMAC" ]
+then
+ifconfig $EXT2IF hw ether $EXT2IFMAC 2>/dev/null
+fi
+
 # PPPoE Again!
 if [ "$WANDELAY" ]
 then
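Review bot: `-i $i` on the two added FORWARD rules is wrong: inside `for i in $PORTS` the variable holds the port, the same `$i` fed to `--dport` on the same line, so the rule is built as `-i 80 ... --dport 80` and can never match, and the outer `for i in $EXTIFS` it was meant to refer to is shadowed. The ACCEPT for port-mapped 1:1 hosts therefore never fires on either interface, which presumably breaks inbound access for those hosts outright if the FORWARD chain ends in a deny like INPUT does. Rename the inner loop variable instead: `for i in $PORTS` becomes `for p in $PORTS`, and both rules use `-i $i ... --dport $p`. The enclosing `if [ $PORTMAP ]` starts before this hunk.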
@@ -221,11 +226,40 @@
 fi
 fi
+if [ "$EXT2IP" -a "$EXT2IF" ]
+then
+if ! `echo $EXT2IF | grep -q wp`
+then
+if [ "$EXT2IF" = "hdlc0" -o "$EXT2IF" = "pvc0" ]
+then
+ifconfig "$EXT2IF" "$EXT2IP" pointopoint "$EXT2GW"
+else
+ifconfig "$EXT2IF" inet "$EXT2IP" netmask "$EXT2NM"
+fi
+fi
+
 if [ "$EXTGW" ]
 then
-route add -net default gw "$EXTGW"
+route add -net default gw "$EXTGW" dev "$EXTIF"
 fi
+if [ "$EXT2GW" -a "$EXT2IF" ]
+then
+route add -net default gw "$EXT2GW" dev "$EXT2IF"
+fi
+
+if [ "$EXTGW" -a "$EXT2GW" ]
+then
+if [ "$FAILTIME" ]
+then
+TIME=$FAILTIME
+else
+TIME=10
+fi
+echo $TIME > /proc/sys/net/ipv4/route/gc_timeout
+fi
+fi
+
 echo "search $DOMAIN" > /tmp/etc/resolv.conf
 for h in $DNS
Modified: trunk/target/generic/target_skeleton/stat/etc/rc.conf
===================================================================
--- trunk/target/generic/target_skeleton/stat/etc/rc.conf 2006-09-07 04:39:01 UTC (rev 357)
+++ trunk/target/generic/target_skeleton/stat/etc/rc.conf 2006-09-08 15:26:12 UTC (rev 358)
@@ -62,11 +62,21 @@
 ##Change EXTIF's MAC address here (for some cable connections)
 #EXTIFMAC="01:02:03:04:05:06"
+##Change EXT2IF's MAC address here (for some cable connections)
+#EXT2IFMAC="01:02:03:04:05:06"
+
 ##External Interface
 ##The external interface has a fairly restrictive firewall when not in PBX
 ##only mode. See the Firewall section in this file for more details.
 EXTIF=eth0
+##Backup External Interface
+##The backup external interface will be used as a backup default route
+##in case the primary becomes unavailable. The firewall rules, routing, etc
+##apply identically to both interfaces. THIS CURRENTLY ONLY WORKS IF BOTH
+##EXTIF AND EXT2IF HAVE STATIC IP ADDRESSES.
+#EXT2IF=eth1
+
 ##Fancy External interface support
 ##THIS HAS CHANGED FROM PREVIOUS VERSIONS!!!
 ##You will still need to set EXTIF to your external interface (wp*).
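Review bot: The closing `fi` for `if [ "$EXT2IP" -a "$EXT2IF" ]` is the last `+fi` before `echo "search $DOMAIN"`, which puts the pre-existing `if [ "$EXTGW" ] ... route add -net default gw "$EXTGW" dev "$EXTIF"` inside the failover gate: counting the added `if`/`fi` pairs, only two of the six `fi`s precede it, so a single-WAN host with a static EXTGW no longer gets a default route at all. Close the block immediately after the two `fi`s that end the EXT2IF ifconfig branch and drop the final `+fi`; the EXT2GW route and the gc_timeout block already carry their own EXT2 tests. Separately, I believe `route add -net default` refuses a second default route at the same metric (`SIOCADDRT: File exists`), so the backup route presumably needs `metric 1` for the kernel to install it, and `gc_timeout` governs route-cache garbage collection rather than being a dedicated dead-gateway timer, so the switch-over time should be measured on the target kernel rather than assumed to equal FAILTIME.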
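Review bot: The new EXT2IF comment in rc.conf says the firewall rules "apply identically to both interfaces" but does not spell out the consequence: every port opened for EXTIF, every 1:1 map and every DMZ forward is also exposed on the backup link, so a backup uplink on a less trusted network inherits the primary's full attack surface the moment it is configured, not only during failover. I would add `##NOTE: every port/map opened for EXTIF is also opened on EXT2IF, even while the primary is up.` under the existing caveat so operators choose EXT2IF with that in mind.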
@@ -108,6 +118,18 @@
 #EXTGW="192.168.25.1"
 #DNS="192.168.1.1 192.168.1.2 192.168.1.3"
+##These variables are required for internet failover. They will do nothing
+##if either EXTIF or EXT2IF are set to dhcp. They will use the same DNS
+##servers as above.
+#EXT2IP="192.168.25.2"
+#EXT2NM="255.255.255.0"
+#EXT2GW="192.168.25.1"
+
+##Internet failover timeout. How long to wait before switching default routes.
+##If failover is otherwise setup - EXTIP, EXT2IP, EXT2IF, EXT2GW the default
+##will be 10 seconds. You can change that here.
+#FAILTIME=10
+
 ##If you do not define the INTIF, I will not try to start one.
 ##If you do not define the INTIF, I will also not start the following services:
 ##dnsmasq iptables astshape (PBX only mode)
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
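Review bot: The comment "They will do nothing if either EXTIF or EXT2IF are set to dhcp" does not match the network script in this commit, which configures EXT2IF and adds its default route whenever `EXT2IP` and `EXT2IF` are set, with no test of `EXTIP`; only the firewall side checks `EXTIP`. Either the code should also require `"$EXTIP"` or this sentence should be reworded to say the backup interface is always configured and only the firewall rules require a static primary. The FAILTIME text should also name what it actually sets, e.g. `##FAILTIME is written to /proc/sys/net/ipv4/route/gc_timeout`, since that sysctl is a route-cache setting and, as far as I know, not a dedicated failover timer, so admins tuning it should know which knob they are turning.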