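#!/bin/zsh
#
# Firewall + source-based policy routing for a dual-homed host.
#
# Interfaces: INETIF is the upstream/internet side, LANIF the LAN side.
#
# Filtering:  on INETIF the INPUT chain accepts only reply traffic
#             (ESTABLISHED,RELATED), PPTP control (tcp/1723) and GRE (PPTP
#             data); everything else arriving on INETIF is dropped by an
#             explicit trailing DROP rule. No chain policy is changed, and
#             LANIF, OUTPUT and FORWARD are not filtered. Note that the
#             trailing DROP also discards ICMP (ping, PMTU) on INETIF.
#             IPv6 on INETIF gets the same deny-by-default (see below).
#
# Routing:    two extra tables, "lan" and "inet", each holding the
#             interface's connected network plus that interface's own
#             default gateway, selected by source address (ip rule) so that
#             replies leave through the interface the request arrived on.
#             The main table ends up with a single default route via the
#             LAN gateway.
#
# Requirements: root, iproute2 (ip), awk, iptables. The table names "lan"
# and "inet" must be declared in /etc/iproute2/rt_tables (this is not
# checked here; "ip route replace ... table lan" fails loudly otherwise).
#
# Re-runs: rules are flushed, routes are installed with "replace", stale
# policy rules for the same source are removed before being re-added, and
# gateways are looked up across all tables so the INET gateway is still
# found after the first run has moved it out of the main table.
#
# Exit codes: 2 ip missing, 3 awk missing, 5 iptables missing, 1 any other
# error (and the status of the failing command under "set -e").

set -eu
set -o pipefail

IPTBIN=/sbin/iptables
IP6TBIN=/sbin/ip6tables
INETIF=eth1
LANIF=eth0

# Captured at top level: inside a zsh function $0 is the function name.
SCRIPT=${0##*/}

# die MESSAGE [STATUS]  -> message on stderr, exit with STATUS (default 1).
die() {
  printf '%s: %s\n' "$SCRIPT" "$1" >&2
  exit "${2:-1}"
}

# ipv4_network ADDR/PREFIX -> NETWORK/PREFIX with the host bits cleared.
# Pure-shell replacement for scraping "sipcalc | grep 'Network address'";
# both inputs are validated because they end up on ip/iptables command lines.
ipv4_network() {
  local cidr=$1 ip prefix a b c d octet addr mask
  ip=${cidr%/*}
  prefix=${cidr#*/}
  case $prefix in
    ''|*[!0-9]*) die "bad prefix length in '$cidr'" ;;
  esac
  [[ "$prefix" -le 32 ]] || die "bad prefix length in '$cidr'"
  IFS=. read -r a b c d <<<"$ip"
  for octet in "$a" "$b" "$c" "$d"; do
    case $octet in
      ''|*[!0-9]*) die "bad IPv4 address in '$cidr'" ;;
    esac
    [[ "$octet" -le 255 ]] || die "bad IPv4 address in '$cidr'"
  done
  addr=$(( (a << 24) | (b << 16) | (c << 8) | d ))
  if (( prefix == 0 )); then
    mask=0
  else
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  fi
  addr=$(( addr & mask ))
  printf '%d.%d.%d.%d/%d\n' \
    $(( (addr >> 24) & 255 )) $(( (addr >> 16) & 255 )) \
    $(( (addr >> 8) & 255 )) $(( addr & 255 )) "$prefix"
}

# if_cidr IF -> first IPv4 address on IF as ADDR/PREFIX (empty if none).
# "-o" gives one record per line: "N: IF inet ADDR/PREFIX ...".
if_cidr() {
  "$IPBIN" -4 -o addr show dev "$1" | awk '$3 == "inet" { print $4; exit }'
}

# if_ip IF -> first IPv4 address on IF without the prefix length.
if_ip() {
  local cidr
  cidr=$(if_cidr "$1")
  [[ -n "$cidr" ]] || die "no IPv4 address on $1"
  printf '%s\n' "${cidr%/*}"
}

# if_net IF -> NETWORK/PREFIX of IF's first IPv4 address.
if_net() {
  local cidr
  cidr=$(if_cidr "$1")
  [[ -n "$cidr" ]] || die "no IPv4 address on $1"
  ipv4_network "$cidr"
}

# if_gw IF -> next hop of the first default route leaving via IF, searched
# across all tables (empty if none). Filtering on "dev" makes iproute2 omit
# the dev token, so the next hop is always the third field.
if_gw() {
  "$IPBIN" -4 route show table all default dev "$1" \
    | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

[[ "$(id -u)" -eq 0 ]] || die "must be run as root"

IPBIN=$(command -v ip)   || die "ip not found" 2
command -v awk >/dev/null || die "awk not found" 3
[[ -x "$IPTBIN" ]]        || die "iptables not found at $IPTBIN" 5

# Gather everything we need BEFORE touching the firewall or the routing
# table, so a missing address or gateway aborts with the host untouched.
INETNET=$(if_net "$INETIF")
INETIP=$(if_ip "$INETIF")
INETGW=$(if_gw "$INETIF")
LANNET=$(if_net "$LANIF")
LANIP=$(if_ip "$LANIF")
LANGW=$(if_gw "$LANIF")

# An empty gateway would leave the host without a usable default route
# once the existing defaults are deleted below.
[[ -n "$INETGW" ]] || die "no default route via $INETIF"
[[ -n "$LANGW" ]]  || die "no default route via $LANIF"

# ---- Firewall (IPv4) -------------------------------------------------------
# "-F" flushes every chain of the filter table (INPUT, FORWARD and OUTPUT),
# nat/mangle are untouched and chain policies stay as they were; the DROP
# rule appended last is what enforces deny-by-default on INETIF.
"$IPTBIN" -F
# Replies to connections initiated from our side.
"$IPTBIN" -A INPUT -i "$INETIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
# PPTP control channel (poptop).
"$IPTBIN" -A INPUT -i "$INETIF" -p tcp --dport 1723 -j ACCEPT
# PPTP data channel (GRE tunnel).
"$IPTBIN" -A INPUT -i "$INETIF" -p gre -j ACCEPT
"$IPTBIN" -A INPUT -i "$INETIF" -j DROP

# ---- Firewall (IPv6) -------------------------------------------------------
# IP6TBIN was defined but never used, which left any IPv6 address on INETIF
# completely unfiltered. Mirror the IPv4 deny-by-default; ICMPv6 must stay
# open (neighbour discovery, PMTU), PPTP/GRE are not opened over IPv6.
if "$IP6TBIN" -L INPUT -n >/dev/null 2>&1; then
  "$IP6TBIN" -F
  "$IP6TBIN" -A INPUT -i "$INETIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IP6TBIN" -A INPUT -i "$INETIF" -p ipv6-icmp -j ACCEPT
  "$IP6TBIN" -A INPUT -i "$INETIF" -j DROP
else
  printf '%s: warning: %s not usable, IPv6 traffic on %s is NOT filtered\n' \
    "$SCRIPT" "$IP6TBIN" "$INETIF" >&2
fi

# ---- Policy routing --------------------------------------------------------
# Per-interface tables; "replace" keeps this idempotent on re-run.
"$IPBIN" route replace "$LANNET" dev "$LANIF" src "$LANIP" table lan
"$IPBIN" route replace default via "$LANGW" table lan
"$IPBIN" route replace "$INETNET" dev "$INETIF" src "$INETIP" table inet
"$IPBIN" route replace default via "$INETGW" table inet

# Main table: remove every existing default route (there are normally two,
# one per interface, but do not assume a count), then install a single one
# via the LAN gateway. The loop ends when "del" finds nothing to delete.
while "$IPBIN" route del default 2>/dev/null; do :; done
"$IPBIN" route add default via "$LANGW"

# Source-based table selection. Remove any stale copy of each rule first so
# repeated runs do not stack duplicates.
while "$IPBIN" rule del from "$LANIP" table lan 2>/dev/null; do :; done
"$IPBIN" rule add from "$LANIP" table lan
while "$IPBIN" rule del from "$INETIP" table inet 2>/dev/null; do :; done
"$IPBIN" rule add from "$INETIP" table inet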