#!/bin/bash
# 
# rules_SNATpriv2pub_2.sh
#
# README_tent2.html is also based on this script
#
# See rules_SNATpriv2pub.sh for details. This script builds upon and continues
# from there.
#
# Copyright (C) 2016 Miroslav Rovis, <http://www.CroatiaFidelis.hr/>
#
# released under BSD license, see LICENSE, or assume general BSD license,
# meaning you can do basically anything with these scripts and data except
# claim that you wrote them/made them
#
# vars
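ipt=/sbin/iptables

# Show the current forwarding setting. This only displays it; nothing below
# turns forwarding on, so the operator has to check the value themself.
echo "cat /proc/sys/net/ipv4/ip_forward :"
cat /proc/sys/net/ipv4/ip_forward
# The script is interactive: it pauses for Enter after each step so the
# operator can watch the state change. -r keeps read from eating backslashes.
read -r FAKE

# Flush the rules first, then delete user-defined chains: -X only removes
# chains that are empty and unreferenced, so running it before -F (as the
# original order did) leaves any populated custom chains in place.
echo " * flushing old rules"
"$ipt" -F
"$ipt" -X
read -r FAKE

echo " * flushing the nat table"
"$ipt" -t nat -F
"$ipt" -t nat -X
read -r FAKE

echo " * flushing the raw table"
"$ipt" -t raw -F
"$ipt" -t raw -X
read -r FAKE

echo " * flushing the mangle table"
"$ipt" -t mangle -F
"$ipt" -t mangle -X
read -r FAKE

# Interfaces and the public address used for SNAT.
lan2_if="eth2"

lan2_ip="93.138.43.55"

lan1_if="eth1"

# Default policies: anything not matched by a rule below is allowed. The only
# deny in this script is the DROP for 192.168.2.1, so the ACCEPT rules mostly
# exist to put a log line in front of traffic that would pass anyway.
"$ipt" -P INPUT ACCEPT
"$ipt" -P OUTPUT ACCEPT
"$ipt" -P FORWARD ACCEPT

# This is new. Apparently, the server's browser advertisement confuses dhcpcd:
# messages_160903_1801_g0n_dhcpcd_confused
# Note that the trouble was on the SX763 router network. Solved, apparently, with
# dropping the server's packets.
# And also the logging lines are new.
# Each LOG rule is paired with a following rule using the same match, so the
# log line (prefix mrfw_*, level 7 = debug) records what the next rule acted on.
"$ipt" -A INPUT -s 192.168.2.1 -j LOG --log-prefix mrfw_srv --log-level 7
"$ipt" -A INPUT -s 192.168.2.1 -j DROP

"$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j LOG --log-prefix mrfw --log-level 7
"$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

"$ipt" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-prefix mrfw --log-level 7
"$ipt" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Forwarding: replies coming back in on lan2 (the SNAT side), new and
# established traffic going out from lan1.
# NOTE(review): because the FORWARD policy is ACCEPT, NEW connections arriving
# on $lan2_if are still forwarded -- they simply fall through these rules
# without a log line. Only a DROP policy would make the state matches restrict
# anything.
"$ipt" -A FORWARD -i "$lan2_if" -m state --state ESTABLISHED,RELATED -j LOG --log-prefix mrfw --log-level 7
"$ipt" -A FORWARD -i "$lan2_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A FORWARD -i "$lan1_if" -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-prefix mrfw --log-level 7
"$ipt" -A FORWARD -i "$lan1_if" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Everything leaving via lan2 gets its source rewritten to lan2_ip.
"$ipt" -t nat -A POSTROUTING -o "$lan2_if" -j LOG --log-prefix mrfw_snat --log-level 7
"$ipt" -t nat -A POSTROUTING -o "$lan2_if" -j SNAT --to-source "$lan2_ip"
# And this worked fine up unto the commie router. Which didn't reply with any
# packets, nor has anything in the logs. See:
# dump_160903_1932_g0n_SOLO.pcap
# dump_160903_1932_g0n_messages.log
# ipt_conf_states_160903_1932_g0n.d/
# dump_160903_1932_gcn.pcap
# (the screencast isn't necessary, just hanging connection.)
# ipt_conf_states_160903_1927_gcn.d/
# ZTE_160903_1931.log (these are sanitized from what I can't post)
# ZTE_160903_1939.log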
