Failover script for two internet links (iptables/iproute2, Debian squid3 proxy host)

gbgcache:~# cat /usr/local/bin/sh.iptables
#!/bin/bash
#file sh.iptables
################################################################
##============================================================##
##------------------------------------------------------------##
## Here it is...part of bahmani's Firewall. ##
## Nat Users SHABAKIEH List...77.237.186.225-77.237.186.238 ##
##============================================================##
## Nat Users AZADNET List...86.109.58.225-86.109.58.238 ##
##============================================================##
##------------------------------------------------------------##
################################################################

#---------------------- Settings ------------------------------
# Everything below is a plain global; the functions further down read them
# and never reassign them.

IPTABLES="/sbin/iptables"                  #set to your iptables location, must be set
TCP_ALLOW="21 22 25 80 110 443 3333 6667"  #TCP ports to ALLOW (not referenced by the functions below)
UDP_ALLOW="6112 6119 4000"                 #UDP ports to ALLOW (53 not needed, covered by DNS above; not referenced below)
ARG1=$1                                    #first command-line word, dispatched in the Main section
#INET_IFACE="ppp0" #the interface your internet's on (one only), must be set

# The two uplinks: interface, /24 and the SNAT address range used on each.
IFACE_AZADNET="eth0"                       #Azadnet uplink interface (brought up/down on failover)
IFACE_SHABAKIEH="eth1"                     #Shabakieh uplink interface
NET_AZADNET="86.109.58.0/24"
NET_SHABAKIEH="77.237.186.0/24"
AZADNET="86.109.58.225-86.109.58.238"      #--to-source range for Azadnet NAT users
SHABAKIEH="77.237.186.225-77.237.186.238"  #--to-source range for Shabakieh NAT users

# List files, one entry per line; "#" lines and empty lines are skipped.
NAT_USERS_SHABAKIEH="/etc/squid3/nat-users-shabakieh"
NAT_USERS_AZADNET="/etc/squid3/nat-users-azadnet"
IP_SHABAKIEH="/etc/squid3/ip_range_shabakieh"
IP_AZADNET="/etc/squid3/ip_range_azadnet"

USE_SSH1="TRUE"     #set to TRUE if you use "real" SSH1 (anything else is interpreted as FALSE)
USE_OPENSSH="FALSE" #set to TRUE if you use OpenSSH (anything else is interpreted as FALSE)
                    #(neither USE_* flag is referenced by the functions below)
#INTERNAL_LAN="192.168.0.0/24 192.168.1.0/24" #the internal network(s), must be set
#DENY_ALL="" #internet hosts to explicitly deny from accessing your system at all
DROP="REJECT"       #what to do with packets we don't want (the rules below use a literal -j DROP instead)

GBGVPN="192.168.5.2"                              #VPN peer on the back-to-back link (eth5)
VPN1="172.20.26.0/23"                             #VPN pool, SNATed via Azadnet in normal operation
VPN2="172.20.28.0/23"                             #VPN pool, always SNATed via Shabakieh
DNS_SERVER="172.20.21.5 172.20.21.6 172.21.0.24"  #resolvers allowed through FORWARD on udp/53
SQUID="/usr/sbin/squid3"
USAGE="./sh.iptables
 [setnet] Initializing network interfaces
 [rpdb] Initializing Routing Policy DataBase
 [atos] Move Azadnet Users to shabakieh
"
MONSERVERS="172.20.21.38/32 172.20.21.40/32 172.20.24.24/32"  #monitoring hosts, ICMP only in failover mode
SQUIDCONF="/etc/squid3/squid.conf"
SED="/bin/sed"

# Command prefixes; each holds a command plus arguments and is therefore
# expanded unquoted on purpose where it is used.
IPADDRADD="/sbin/ip addr add"
IPADDRDEL="/sbin/ip addr del"
IPRULEADD="/sbin/ip rule add from"
IPRULEDEL="/sbin/ip rule del"


##important files


##############################################################
#gbgcache:~# cat /etc/iproute2/rt_tables
##
## reserved values
##
#255 local
#254 main
#253 default
#0 unspec
##
## local
##
##1 inr.ruhep
#77 uplinkshabakieh
#86 uplinkazadnet
#gbgcache:~#
##############################################################

#gbgcache:~# cat /etc/network/interfaces
#
## The loopback network interface
#auto lo
#iface lo inet loopback
##LAN interface Back-to-Back gbgcache <---> gbgvpn
#auto eth5
#iface eth5 inet static
# address 192.168.5.1
# netmask 255.255.255.252
##Uplinkazadnet
#auto eth0
#iface eth0 inet static
# address 86.109.58.6
# netmask 255.255.255.0
# post-up ip route add 86.109.58.1/32 dev eth0 src 86.109.58.6 table uplinkazadnet
# post-up ip route add default via 86.109.58.1 table uplinkazadnet
# post-up ip rule add from 86.109.58.6 table uplinkazadnet
# post-down ip rule del from 86.109.58.6 table uplinkazadnet
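# dns-nameservers 4.2.2.4 172.20.21.5 172.20.21.6
# dns-search gbgnetwork.net
#
##uplinkshabakieh
#auto eth1
#iface eth1 inet static
# address
# netmask 255.255.255.0
# post-up ip route add 77.237.186.1/32 dev eth2 src 77.237.186.6 table uplinkshabakieh
# post-up ip route add default via 77.237.186.1 table uplinkshabakieh
# post-up ip rule add from 77.237.186.6 table uplinkshabakieh
# post-down ip rule del from 77.237.186.6 table uplinkshabakieh
# dns-nameservers 4.2.2.4 172.20.21.5 172.20.21.6
# dns-search gbgnetwork.net
#
#gbgcache:~#
# NOTE(review): in the eth1 stanza above "address" is empty and the host route
# says "dev eth2" although the stanza is for eth1; both look like slips in this
# dump -- confirm against the live file.
##############################################################


#-------------------Functions----------------------------------

# Next-hop gateways of the two uplinks (the same addresses the interfaces dump
# above uses).  The earlier revision repeated them as literals in every route
# command.
GW_AZADNET="86.109.58.1"
GW_SHABAKIEH="77.237.186.1"

#######################################
# Print the usable entries of a list file: every line that is neither blank
# nor a "#" comment, in file order.  Callers word-split the output, so several
# addresses on one line are all used (as the earlier cat|grep|grep did).
# Arguments: $1 - path of the list file
# Outputs:   entries on stdout; grep's own diagnostic if the file is unreadable
#######################################
_list_entries() {
  grep -v -e '^#' -e '^$' -- "$1"
}

#######################################
# Append one SNAT rule per entry of a NAT user list, echoing each rule first.
# Arguments: $1 - list file, $2 - --to-source value (address or range)
# Globals:   IPTABLES (read)
#######################################
_snat_list() {
  local listfile=$1 tosource=$2 natip
  # shellcheck disable=SC2046 -- splitting into one address per word is intended
  for natip in $(_list_entries "$listfile"); do
    echo "IP:$natip"
    echo "${IPTABLES} -t nat -A POSTROUTING -s $natip -j SNAT --to-source $tosource"
    ${IPTABLES} -t nat -A POSTROUTING -s "$natip" -j SNAT --to-source "$tosource"
  done
}

#######################################
# Replace the default route of the main table: remove every existing default
# route, then add one built from the arguments.  The earlier revision issued
# "ip route del default" a fixed number of times and then "ip route add",
# which fails with "File exists" whenever a default route survived.
# Arguments: $@ - everything that follows "ip route add default"
#######################################
_replace_default_route() {
  local attempt
  # Bounded loop: each "del default" removes one route and fails once none is
  # left, so the diagnostic of the final call is expected and silenced.
  for attempt in 1 2 3 4; do
    ip route del default 2>/dev/null || break
  done
  ip route add default "$@"
  ip route flush cache
}

#######################################
# Rewrite the uplink address on squid's "vpn1" and "nat_list_azadnet" lines
# and ask squid to reload.
# Arguments: $1 - address currently in the file, $2 - address to put there
# Globals:   SED, SQUID, SQUIDCONF (read); edits $SQUIDCONF in place
#######################################
_switch_squid_uplink() {
  local from=$1 to=$2
  echo "$SQUID -k reconfigure"
  # In-place edit of the live configuration with no backup copy; the two
  # addresses are script constants (the dots are unescaped, as before).
  $SED -i "/vpn1/ s/$from/$to/" "$SQUIDCONF"
  $SED -i "/nat_list_azadnet/ s/$from/$to/" "$SQUIDCONF"
  $SQUID -k reconfigure
}

#######################################
# Shared first half of Normal_Run and Run_if_Azadnet_Down: sysctls, flush,
# proxy redirect, RADIUS DNAT, VPN pool SNAT, HTTPS state rules, DNS and
# rate-limit rules.
# Arguments: $1 - --to-source for the VPN1 pool (differs per mode)
# Globals:   IPTABLES, GBGVPN, VPN1, VPN2, SHABAKIEH (read)
#######################################
_load_base_rules() {
  local vpn1_source=$1
  echo "Loading iptables firewall:"
  Turn_on_IP_forwarding
  Enable_TCP_Syncookies
  Flush_everything
  echo "Initializing VPN... "
  # Transparent proxy: all forwarded/local port-80 traffic to squid on 3128.
  ${IPTABLES} -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
  # RADIUS auth/acct to the VPN box.
  ${IPTABLES} -t nat -A PREROUTING -p udp -m udp --dport 1812 -j DNAT --to-destination "$GBGVPN:1812"
  ${IPTABLES} -t nat -A PREROUTING -p udp -m udp --dport 1813 -j DNAT --to-destination "$GBGVPN:1813"
  ${IPTABLES} -t nat -A POSTROUTING -s "$VPN2" -j SNAT --to-source "$SHABAKIEH"
  ${IPTABLES} -t nat -A POSTROUTING -s "$VPN1" -j SNAT --to-source "$vpn1_source"
  #Allow outgoing https/secure web service traffic to port 443
  ${IPTABLES} -A INPUT -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
  ${IPTABLES} -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
  Open_DNS_Port
  DDOS_Prevent
}

#######################################
# Flush the chains this script appends to.  Chain policies (-P) are not
# touched here or anywhere else in this script.
# Globals:   IPTABLES (read)
#######################################
Flush_everything() {
  echo -n "Flush: "
  ${IPTABLES} -t filter -F INPUT;      echo -n "INPUT "
  ${IPTABLES} -t filter -F OUTPUT;     echo -n "OUTPUT1 "
  ${IPTABLES} -t filter -F FORWARD;    echo -n "FORWARD "
  ${IPTABLES} -t nat -F PREROUTING;    echo -n "PREROUTING1 "
  # DDOS_Prevent appends to nat INPUT; without this flush its SYN-limit rules
  # accumulated on every run.
  ${IPTABLES} -t nat -F INPUT;         echo -n "INPUT2 "
  ${IPTABLES} -t nat -F OUTPUT;        echo -n "OUTPUT2 "
  ${IPTABLES} -t nat -F POSTROUTING;   echo -n "POSTROUTING "
  ${IPTABLES} -t mangle -F PREROUTING; echo -n "PREROUTING2 "
  ${IPTABLES} -t mangle -F OUTPUT;     echo -n "OUTPUT3"
  echo
}
##------------------------------------------------------------##
################################################################

#######################################
# Enable IPv4 forwarding through /proc; warns (does not fail) if the knob is
# absent.
#######################################
Turn_on_IP_forwarding() {
  echo -n "Checking IP Forwarding..."
  if [ -e /proc/sys/net/ipv4/ip_forward ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "enabled."
  else
    echo "support not found!
This will probably cause problems!"
  fi
}
##------------------------------------------------------------##
################################################################

#######################################
# Enable TCP SYN cookies through /proc; absence of the knob is tolerated.
#######################################
Enable_TCP_Syncookies() {
  echo -n "Checking IP SynCookies..."
  if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo "enabled."
  else
    echo "support not found, but that's OK."
  fi
}
##------------------------------------------------------------##
################################################################

#######################################
# Normal operation: Azadnet list users SNAT via Azadnet, Shabakieh list users
# via Shabakieh, plus one pinned host.
# Globals:   NAT_USERS_AZADNET, NAT_USERS_SHABAKIEH, AZADNET, SHABAKIEH, IPTABLES
#######################################
NAT_Users() {
  #NAT_Users_Azadnet
  echo ""
  echo "Initializing NAT User's Azadnet..."
  _snat_list "$NAT_USERS_AZADNET" "$AZADNET"

  #NAT_Users_Shabakieh
  echo ""
  echo "Initializing NAT User's Shabakieh..."
  _snat_list "$NAT_USERS_SHABAKIEH" "$SHABAKIEH"
  # This host is always sent out via Shabakieh, independent of the lists.
  ${IPTABLES} -t nat -A POSTROUTING -s 172.20.24.31 -j SNAT --to-source "$SHABAKIEH"
}
##------------------------------------------------------------##
################################################################

#######################################
# Failover: both user lists SNAT via the Shabakieh range.
# Globals:   NAT_USERS_AZADNET, NAT_USERS_SHABAKIEH, SHABAKIEH, IPTABLES
#######################################
NAT_All_Users_to_Shabakieh() {
  #NAT_Users_Azadnet
  echo ""
  echo "Initializing NAT User's Azadnet..."
  _snat_list "$NAT_USERS_AZADNET" "$SHABAKIEH"

  #NAT_Users_Shabakieh
  echo ""
  echo "Initializing NAT User's Shabakieh..."
  _snat_list "$NAT_USERS_SHABAKIEH" "$SHABAKIEH"
}

##------------------------------------------------------------##
################################################################
#######################################
# Let udp/53 through FORWARD in both directions for each resolver in
# $DNS_SERVER and drop everything else forwarded *from* those resolvers.
# Two passes on purpose: rules are appended, so every ACCEPT must be in the
# chain before the first DROP.
# Globals:   DNS_SERVER, IPTABLES (read)
#######################################
Open_DNS_Port() {
  local ip
  for ip in $DNS_SERVER; do
    ${IPTABLES} -A FORWARD -m udp -p udp -s "$ip" --dport 53 -j ACCEPT
    ${IPTABLES} -A FORWARD -m udp -p udp -d "$ip" --sport 53 -j ACCEPT
  done
  for ip in $DNS_SERVER; do
    ${IPTABLES} -A FORWARD -s "$ip" -j DROP
  done
}
##------------------------------------------------------------##
################################################################

#######################################
# Rate limits: forwarded echo-request, local SYNs, and new SSH connections
# (three management hosts exempt).
# Globals:   IPTABLES (read)
#######################################
DDOS_Prevent() {
  #######icmp Attacks
  ${IPTABLES} -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
  ${IPTABLES} -A FORWARD -p icmp --icmp-type echo-request -j DROP
  ########SYN flooding
  # NOTE(review): these two rules are in the nat table's INPUT chain, which only
  # sees the first packet of a connection; a SYN limiter conventionally lives in
  # the filter table.  Kept as is -- confirm the intent before moving it.
  ${IPTABLES} -t nat -A INPUT -p tcp --syn -m limit --limit 10/s -j ACCEPT
  ${IPTABLES} -t nat -A INPUT -p tcp --syn -j DROP
  ########SSH##############
  ${IPTABLES} -A INPUT -s 172.20.24.31 -p tcp -m tcp --dport 22 -j ACCEPT
  ${IPTABLES} -A INPUT -s 192.168.5.1 -p tcp -m tcp --dport 22 -j ACCEPT
  ${IPTABLES} -A INPUT -s 192.168.5.2 -p tcp -m tcp --dport 22 -j ACCEPT
  ${IPTABLES} -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
  # The DROP that would complete the limiter is still commented out, so new SSH
  # connections beyond 3/min fall through to whatever follows in INPUT; this
  # script sets no chain policy.
  # ${IPTABLES} -A INPUT -p tcp -m tcp --dport 22 -j DROP
}
##------------------------------------------------------------##
################################################################

#######################################
# Both uplinks up: VPN1 via Azadnet, list users on their own uplink, squid
# pointed at the Azadnet address, equal-weight multipath default route.
# Globals:   IPTABLES, AZADNET, SHABAKIEH, IFACE_*, GW_* (read); edits squid.conf
#######################################
Normal_Run() {
  _load_base_rules "$AZADNET"
  NAT_Users
  ########### monitoring servers ##################
  # (the per-$MONSERVERS FORWARD accept/drop loop is only active in
  #  Run_if_Azadnet_Down; in normal mode 172.20.21.38 is ICMP-SNATed instead)
  ${IPTABLES} -t nat -A POSTROUTING -s 172.20.21.38/32 -d 4.2.2.4/32 -p ICMP -j SNAT --to-source "$SHABAKIEH"
  ${IPTABLES} -t nat -A POSTROUTING -s 172.20.21.38/32 -d 8.8.8.8/32 -p ICMP -j SNAT --to-source "$SHABAKIEH"
  ${IPTABLES} -t nat -A POSTROUTING -s 172.20.21.38/32 -p ICMP -j SNAT --to-source "$AZADNET"
  ########## hod ####################
  # 86.109.58.6 is the eth0 interface address from the interfaces dump.
  ${IPTABLES} -t nat -A POSTROUTING -s 172.20.0.0/15 -d 211.8.118.144/32 -j SNAT --to-source 86.109.58.6
  ##############end hod#############
  ##############kia#################
  ${IPTABLES} -t nat -A POSTROUTING -s 172.20.0.0/15 -d 194.50.160.180/32 -j SNAT --to-source 86.109.58.6
  ##############end kia############
  _switch_squid_uplink 77.237.186.6 86.109.58.6

  ip link set up "$IFACE_AZADNET"
  _replace_default_route scope global \
    nexthop via "$GW_SHABAKIEH" dev "$IFACE_SHABAKIEH" weight 1 \
    nexthop via "$GW_AZADNET" dev "$IFACE_AZADNET" weight 1
}
##------------------------------------------------------------##
################################################################

#######################################
# Azadnet down: everything SNATed via Shabakieh, monitoring hosts limited to
# ICMP in FORWARD, squid pointed at the Shabakieh address, Azadnet interface
# taken down and a single-nexthop default route installed.
# Globals:   IPTABLES, SHABAKIEH, MONSERVERS, IFACE_*, GW_SHABAKIEH (read)
#######################################
Run_if_Azadnet_Down() {
  local i
  _load_base_rules "$SHABAKIEH"
  NAT_All_Users_to_Shabakieh
  ########### smon ##################
  for i in $MONSERVERS; do
    ${IPTABLES} -A FORWARD -p icmp -s "$i" -j ACCEPT
    ${IPTABLES} -A FORWARD -s "$i" -j DROP
  done
  ########## hod ####################
  ${IPTABLES} -A FORWARD -s 172.20.0.0/15 -d 211.8.118.144/32 -j ACCEPT
  ${IPTABLES} -A FORWARD -s 211.8.118.144/32 -d 172.20.0.0/15 -j ACCEPT
  # NOTE(review): this SNATs to the *destination's* own address, while
  # Normal_Run uses the Azadnet interface address for the same host; confirm
  # which is intended.
  ${IPTABLES} -t nat -A POSTROUTING -s 172.20.0.0/15 -d 211.8.118.144/32 -j SNAT --to-source 211.8.118.144
  # Appended after the port-80 REDIRECT, so it exempts nothing from the proxy;
  # it would have to be inserted (-I) ahead of that rule to do so.
  ${IPTABLES} -t nat -A PREROUTING -d 211.8.118.144/32 -s 172.20.0.0/15 -j ACCEPT
  #########change SQUID#############
  _switch_squid_uplink 86.109.58.6 77.237.186.6

  ip link set down "$IFACE_AZADNET"
  _replace_default_route scope global \
    nexthop via "$GW_SHABAKIEH" dev "$IFACE_SHABAKIEH" weight 1
}

##------------------------------------------------------------##
################################################################
#######################################
# Drop the routing cache and every policy rule.  Not called from Main in this
# revision (the call is commented out).
# NOTE(review): "ip rule flush" removes all rules, not only the two uplink
# ones; check on this kernel that the local/main lookup rules survive before
# relying on it.  The per-address teardown (ip addr del / ip rule del for each
# list entry and the per-table routes) was commented out and is not retained.
#######################################
Clear_RPDB() {
  ip route flush cache
  # The earlier revision had the typo "ip rul flush", which never ran.
  ip rule flush
}

#######################################
# Bring the three interfaces up, install the multipath default route and the
# static routes for the VPN pools via the VPN box.
# Globals:   IFACE_*, GW_*, VPN1, VPN2, GBGVPN (read)
#######################################
Initializing_NET_IFS() {
  ##ifconfig eth4 172.20.21.12 netmask 255.255.255.128 up
  #ifconfig $IFACE_AZADNET 86.109.58.6 netmask 255.255.255.0 up
  #ifconfig $IFACE_SHABAKIEH 77.237.186.6 netmask 255.255.255.0 up
  #ifconfig eth5 192.168.5.1 netmask 255.255.255.252 up
  #ip link set down eth4
  ip route flush cache
  ip link set up eth5
  ip link set up "$IFACE_AZADNET"
  ip link set up "$IFACE_SHABAKIEH"
  #ifup -a
  # Azadnet is listed first here and Shabakieh first in Normal_Run; both are
  # equal-weight nexthops.
  _replace_default_route scope global \
    nexthop via "$GW_AZADNET" dev "$IFACE_AZADNET" weight 1 \
    nexthop via "$GW_SHABAKIEH" dev "$IFACE_SHABAKIEH" weight 1

  #################Route For VPN Pools
  # The earlier revision passed the bare word GBGVPN (no "$") to "route add",
  # which only works if that name resolves via /etc/hosts; the variable holds
  # the peer address.  "ip route add X via Y" is the iproute2 form of
  # "route add -net X gw Y", and VPN1/VPN2 are the same two /23 pools.
  ip route add "$VPN1" via "$GBGVPN"
  ip route add "$VPN2" via "$GBGVPN"
  ip route add 172.20.0.0/15 via "$GBGVPN"
  ip route flush cache
}

#######################################
# Add every address of the two ip_range files to its uplink interface and a
# source-based policy rule into that uplink's table.
# Globals:   IP_SHABAKIEH, IP_AZADNET, IFACE_*, IPADDRADD, IPRULEADD (read)
#######################################
Initializing_RPDB() {
  _add_uplink_addresses "$IP_SHABAKIEH" "$IFACE_SHABAKIEH" uplinkshabakieh
  _add_uplink_addresses "$IP_AZADNET" "$IFACE_AZADNET" uplinkazadnet
  # The per-user "ip rule add nat ..." loops and the per-table routes remain
  # commented out as in the earlier revision (the interfaces file adds the
  # per-table routes at post-up).
}

#######################################
# Helper for Initializing_RPDB.
# Arguments: $1 - list file, $2 - interface, $3 - rt_tables name
#######################################
_add_uplink_addresses() {
  local listfile=$1 iface=$2 table=$3 addr
  # shellcheck disable=SC2046,SC2086 -- list splitting and the command-prefix
  # variables ($IPADDRADD/$IPRULEADD hold "ip addr add" etc.) are intentional
  for addr in $(_list_entries "$listfile"); do
    $IPADDRADD "$addr" dev "$iface"
    $IPRULEADD "$addr" table "$table"
  done
}
##------------------------------------------------------------##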
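################################################################

#ghl

# Main
#
# Dispatch on the command line:
#   (no argument)  Normal_Run            both uplinks active
#   -h|--help|?    print $USAGE, exit 1
#   atos           Run_if_Azadnet_Down   move all NAT users to Shabakieh
#   rpdb           Initializing_RPDB     addresses + policy rules per uplink
#   setnet         Initializing_NET_IFS  interfaces and static routes
# Any other word, or more than one argument, prints the usage and exits 1;
# the earlier revision silently did nothing in those cases.

# Blank line plus the separator that frames every action's output.
_banner() {
  echo ""
  echo "**********************************************"
}

if [ "$#" -eq 0 ]; then
  _banner
  Normal_Run
  _banner
elif [ "$#" -gt 1 ]; then
  echo "too many arguments" >&2
  echo "$USAGE" >&2
  exit 1
else
  case "$ARG1" in
    -h|--help|'?')
      _banner
      echo "$USAGE"
      _banner
      exit 1
      ;;
    atos)
      _banner
      echo "Nat All Users to Shabakieh...:)"
      Run_if_Azadnet_Down
      _banner
      ;;
    rpdb)
      _banner
      echo "Initializing_RPDB..."
      #Clear_RPDB
      Initializing_RPDB
      _banner
      ;;
    setnet)
      _banner
      echo "Initializing_NET_IFS..."
      Initializing_NET_IFS
      _banner
      ;;
    *)
      echo "unknown argument: $ARG1" >&2
      echo "$USAGE" >&2
      exit 1
      ;;
  esac
fi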

gbgcache:~#
gbgcache:~#
gbgcache:~#