Commit 72f9e651 authored by nanahira's avatar nanahira

fix iptables conflict

parent a1be0c04
......@@ -52,7 +52,7 @@ handle_gateway {{gateway.id}} {{gateway.address}} {% if gateway.mac is defined a
{% if br.masq is defined and br.masq %}
# Masquerade
ensure_localnet_ipset
iptables -t nat -A POSTROUTING -o "$BRIDGE_NAME" -m set --match-set localnet src -m set ! --match-set localnet dst -j MASQUERADE
iptables -w -t nat -A POSTROUTING -o "$BRIDGE_NAME" -m set --match-set localnet src -m set ! --match-set localnet dst -j MASQUERADE
{% endif %}
{% if br.dhcpv6Client is defined and br.dhcpv6Client %}
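Review bot: The `-w` added to the MASQUERADE rule here (and to every iptables call in this commit) waits for the xtables lock with no upper bound, so a lock holder that never releases it leaves this bridge-up hook hanging instead of failing. iptables also accepts an optional wait in seconds, e.g. `iptables -w 10 -t nat -A POSTROUTING -o "$BRIDGE_NAME" ...`, which turns a stuck lock into a visible non-zero exit; this needs a reasonably recent iptables, so check the version the router images ship. Whether a bounded or unbounded wait is the better default depends on how the caller treats a failed rule insertion, but it is worth deciding once and applying it uniformly across these scripts.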
......
......@@ -39,9 +39,9 @@ handle_gateway {{gateway.id}} {{gateway.address}} {% if gateway.mac is defined a
{% if br.masq is defined and br.masq %}
# Masquerade
iptables -t nat -D POSTROUTING -o "$BRIDGE_NAME" -j MASQUERADE
iptables -t nat -D POSTROUTING -o "$BRIDGE_NAME" -m set --match-set localnet src -j MASQUERADE
iptables -t nat -D POSTROUTING -o "$BRIDGE_NAME" -m set --match-set localnet src -m set ! --match-set localnet dst -j MASQUERADE
iptables -w -t nat -D POSTROUTING -o "$BRIDGE_NAME" -j MASQUERADE
iptables -w -t nat -D POSTROUTING -o "$BRIDGE_NAME" -m set --match-set localnet src -j MASQUERADE
iptables -w -t nat -D POSTROUTING -o "$BRIDGE_NAME" -m set --match-set localnet src -m set ! --match-set localnet dst -j MASQUERADE
{% endif %}
{% if br.down is defined and br.down %}
......
......@@ -4,24 +4,24 @@ source {{ansible_user_dir}}/nextgen-router/scripts/utility.sh
PPPOE_NEXT_HOP_MARK=$[1000 + $(echo "$PPP_IFACE" | sed "s/ppp//g")]
PPPOE_SELECTION_MARK=$((PPPOE_NEXT_HOP_MARK + 50))
iptables-save | grep -- '-j TCPMSS' | grep -- "$PPP_IFACE" | sed 's/^-A/-D/g' | xargs -I '{}' bash -c 'iptables -t mangle {}'
iptables-save | grep -- '-j TCPMSS' | grep -- "$PPP_IFACE" | sed 's/^-A/-D/g' | xargs -I '{}' bash -c 'iptables -w -t mangle {}'
ip6tables-save | grep -- '-j TCPMSS' | grep -- "$PPP_IFACE" | sed 's/^-A/-D/g' | xargs -I '{}' bash -c 'ip6tables -t mangle {}'
{% if gdut is defined and gdut %}
# Rules for GDUT
iptables -t mangle -D POSTROUTING -o "$PPP_IFACE" -j TTL --ttl-set 64
iptables -t mangle -D OUTPUT -o "$PPP_IFACE" -j TTL --ttl-set 64
iptables -t mangle -D FORWARD -o "$PPP_IFACE" -j TTL --ttl-set 64
iptables -w -t mangle -D POSTROUTING -o "$PPP_IFACE" -j TTL --ttl-set 64
iptables -w -t mangle -D OUTPUT -o "$PPP_IFACE" -j TTL --ttl-set 64
iptables -w -t mangle -D FORWARD -o "$PPP_IFACE" -j TTL --ttl-set 64
iptables -D FORWARD -p tcp -i "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
iptables -D FORWARD -p tcp -o "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
iptables -w -D FORWARD -p tcp -i "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
iptables -w -D FORWARD -p tcp -o "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
ip6tables -D FORWARD -p tcp -i "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
ip6tables -D FORWARD -p tcp -o "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
{% endif %}
iptables -t nat -o "$PPP_IFACE" -D POSTROUTING -j MASQUERADE
iptables -w -t nat -o "$PPP_IFACE" -D POSTROUTING -j MASQUERADE
ip rule del pref 100 fwmark $PPPOE_NEXT_HOP_MARK lookup $PPPOE_NEXT_HOP_MARK
ip rule del pref 400 fwmark $PPPOE_SELECTION_MARK lookup $PPPOE_NEXT_HOP_MARK
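Review bot: The ip6tables calls in this hunk did not receive `-w` while the iptables calls beside them did — the TCPMSS cleanup pipeline and the two IPv6 FORWARD deletes in the GDUT block — and ip6tables contends for the same xtables lock, so the conflict this commit fixes can still occur on those lines. The same gap is in the MSS-clamping hunk and the GDUT rules hunk below, where the two `ip6tables ... -A FORWARD` pairs also lack the flag. The fix is the same flag, e.g. `xargs -I '{}' bash -c 'ip6tables -w -t mangle {}'` for the pipeline and `ip6tables -w -D FORWARD -p tcp -i "$PPP_IFACE" ...` for the deletes. The `$[ ... ]` arithmetic and the `echo | sed` mark derivation at the top of the hunk predate this change and are left as they are.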
......
......@@ -9,12 +9,12 @@ INTERFACE_MTU=$(ip link show dev "$PPP_IFACE" | grep -oP 'mtu \d+' | cut -c 5-)
INTERFACE_MTU_4=$((INTERFACE_MTU - 40))
INTERFACE_MTU_6=$((INTERFACE_MTU - 60))
iptables -t mangle -A FORWARD -o "$PPP_IFACE" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $INTERFACE_MTU_4:1460 -j TCPMSS --set-mss $INTERFACE_MTU_4
iptables -t mangle -A FORWARD -i "$PPP_IFACE" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $INTERFACE_MTU_4:1460 -j TCPMSS --set-mss $INTERFACE_MTU_4
iptables -w -t mangle -A FORWARD -o "$PPP_IFACE" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $INTERFACE_MTU_4:1460 -j TCPMSS --set-mss $INTERFACE_MTU_4
iptables -w -t mangle -A FORWARD -i "$PPP_IFACE" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $INTERFACE_MTU_4:1460 -j TCPMSS --set-mss $INTERFACE_MTU_4
ip6tables -t mangle -A FORWARD -o "$PPP_IFACE" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $INTERFACE_MTU_6:1460 -j TCPMSS --set-mss $INTERFACE_MTU_6
ip6tables -t mangle -A FORWARD -i "$PPP_IFACE" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $INTERFACE_MTU_6:1460 -j TCPMSS --set-mss $INTERFACE_MTU_6
iptables -t nat -o "$PPP_IFACE" -A POSTROUTING -j MASQUERADE
iptables -w -t nat -o "$PPP_IFACE" -A POSTROUTING -j MASQUERADE
ip route replace default dev "$PPP_IFACE" table $PPPOE_NEXT_HOP_MARK
ip route add default dev "$PPP_IFACE" metric $PPPOE_NEXT_HOP_MARK
......@@ -39,12 +39,12 @@ fi
# Rules for GDUT
iptables -t mangle -A POSTROUTING -o "$PPP_IFACE" -j TTL --ttl-set 64
iptables -t mangle -A OUTPUT -o "$PPP_IFACE" -j TTL --ttl-set 64
iptables -t mangle -A FORWARD -o "$PPP_IFACE" -j TTL --ttl-set 64
iptables -w -t mangle -A POSTROUTING -o "$PPP_IFACE" -j TTL --ttl-set 64
iptables -w -t mangle -A OUTPUT -o "$PPP_IFACE" -j TTL --ttl-set 64
iptables -w -t mangle -A FORWARD -o "$PPP_IFACE" -j TTL --ttl-set 64
iptables -A FORWARD -p tcp -i "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
iptables -A FORWARD -p tcp -o "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
iptables -w -A FORWARD -p tcp -i "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
iptables -w -A FORWARD -p tcp -o "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
ip6tables -A FORWARD -p tcp -i "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
ip6tables -A FORWARD -p tcp -o "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
{% endif %}
......
......@@ -10,8 +10,8 @@ restore_mark() {
if [[ "$OUTPUT_OPTION" == "-I" ]]; then
OUTPUT_OPTION="-A"
fi
iptables -t mangle "$OPTION" PREROUTING -m connmark --mark "$MARK" -j CONNMARK --restore-mark
iptables -t mangle "$OUTPUT_OPTION" OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark
iptables -w -t mangle "$OPTION" PREROUTING -m connmark --mark "$MARK" -j CONNMARK --restore-mark
iptables -w -t mangle "$OUTPUT_OPTION" OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark
# ip6tables -t mangle "$OPTION" PREROUTING -m connmark --mark "$MARK" -j CONNMARK --restore-mark
# ip6tables -t mangle "$OPTION" OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark
}
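Review bot: The two commented-out ip6tables lines at the end of restore_mark keep the old form without `-w`; if they are kept as a template for re-enabling IPv6 marking, updating them alongside the live lines (`# ip6tables -w -t mangle "$OPTION" PREROUTING -m connmark --mark "$MARK" -j CONNMARK --restore-mark`) avoids reintroducing the lock race when someone uncomments them. The same applies to the commented ip6tables line in the ppp_origin and eth_origin hunks below. restore_mark's body starts before this hunk, so the assignment of OUTPUT_OPTION it tests is not visible here.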
......@@ -22,7 +22,7 @@ ppp_origin() {
INTERFACE=$2
MARK=$[1000 + $(echo "$INTERFACE" | sed "s/ppp//g")]
restore_mark "$OPTION" "$MARK"
iptables -t mangle "$OPTION" PREROUTING ! -p ospf -i "$INTERFACE" -m set ! --match-set localnet src -j CONNMARK --set-xmark "$MARK"
iptables -w -t mangle "$OPTION" PREROUTING ! -p ospf -i "$INTERFACE" -m set ! --match-set localnet src -j CONNMARK --set-xmark "$MARK"
# ip6tables -t mangle "$OPTION" PREROUTING ! -p ospf -i "$INTERFACE" -j CONNMARK --set-xmark "$MARK"
}
......@@ -40,7 +40,7 @@ eth_origin() {
GATEWAY_MAC=$(echo $NEIGH_LINE | awk '{print $5}')
fi
restore_mark "$OPTION" "$MARK"
iptables -t mangle "$OPTION" PREROUTING ! -p ospf -i "$BRIDGE_NAME" -m mac --mac-source "$GATEWAY_MAC" -m set ! --match-set localnet src -j CONNMARK --set-xmark "$MARK"
iptables -w -t mangle "$OPTION" PREROUTING ! -p ospf -i "$BRIDGE_NAME" -m mac --mac-source "$GATEWAY_MAC" -m set ! --match-set localnet src -j CONNMARK --set-xmark "$MARK"
# ip6tables -t mangle "$OPTION" PREROUTING ! -p ospf -i "$BRIDGE_NAME" -m mac --mac-source "$GATEWAY_MAC" -m set ! --match-set localnet src -j CONNMARK --set-xmark "$MARK"
}
......