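#!/bin/sh
# Start/stop/restart the bridge.
#
# Written for Slackware Linux by Patrick J. Volkerding.
#
# Purpose: join the LAN NIC ($INTIF) and the DSLAM/IPTV-facing NIC ($OUTIF)
# into one Linux bridge ($BRIF) and let only IGMP and the UDP multicast TV
# stream (239.1.0.0/22, port 5000) cross it. Two layers enforce that:
#   - ebtables "broute" table: decides per frame whether it is bridged or
#     handed to the local IP stack. NOTE: in the broute table ACCEPT means
#     "bridge this frame" and DROP means "route it locally" -- the DROP
#     policy below is therefore not a packet drop.
#   - iptables FORWARD chain: filters the IP traffic that is bridged. This
#     only takes effect when bridged frames are passed to iptables, i.e.
#     net.bridge.bridge-nf-call-iptables=1 (older kernels do this inside the
#     bridge module; newer ones need the br_netfilter module loaded first).
#
# Usage: rc.bridge start|stop|restart|status
#
# Exit status: start/stop/restart print the bridge status and exit 0 (the
# original script exited with the status code even after a successful start).
# "status" keeps this script's historical codes, 1 = active and 2 = inactive,
# which are NOT the LSB values (0 = running, 3 = stopped) -- callers that
# test the status code must use these numbers.

BRCTL=/usr/sbin/brctl
IPTABLES=/sbin/iptables
EBTABLES=/sbin/ebtables
IFCONFIG=/sbin/ifconfig

BRIF="br0"

# Interface and network address of the LAN card
INTIF="eth2"
INTNET="192.168.0.0/24"

# Interface that is connected to the VOOD port C or GH
OUTIF="eth1"

# IMPORTANT: the DSLAM IP address differs depending on the location of the
# subscriber line!! Replace 10.0.1.3 with your IP (you get it by sniffing the
# traffic: one IGMP query comes from that IP roughly every 30-45 s).
# NOTE: this source address is the only thing that identifies the DSLAM in
# the IGMP rules below, and anything on $OUTIF can spoof it.
DSLAMIP="10.0.1.3"

# Return the number of times $BRIF appears as an interface name in ifconfig
# output: 0 when the bridge does not exist, > 0 when it does (so "success"
# means "no bridge" -- callers test $? explicitly).
# -w keeps names such as "br01" from being counted as "br0".
check_bridge() {
  count=$("$IFCONFIG" | grep -c -w -- "$BRIF")
  return "${count:-0}"
}

# Build the "bridge-forward" chain and hook it into FORWARD for traffic that
# enters and leaves through $BRIF. Idempotent: a previous hook/chain is removed
# first; those removals are expected to fail on a fresh start, so their
# errors are silenced. "> /dev/null 2>&1" is used because "&>" is bash-only:
# under /bin/sh it puts the command in the background instead of redirecting.
set_iptables() {
  echo " - Setting iptables rules.."

  # Clear any previous settings
  "$IPTABLES" -D FORWARD -i "$BRIF" -o "$BRIF" -j bridge-forward > /dev/null 2>&1
  "$IPTABLES" -F bridge-forward > /dev/null 2>&1
  "$IPTABLES" -X bridge-forward > /dev/null 2>&1

  # Create a custom bridge chain
  "$IPTABLES" -N bridge-forward

  # The TV stream itself (UDP to 239.1.0.0/22 port 5000).
  # NOTE: this rule carries no --physdev-in/--physdev-out, so it accepts the
  # stream in both directions. Add "-m physdev --physdev-in $OUTIF
  # --physdev-out $INTIF" if LAN hosts must not be able to send multicast
  # towards the DSLAM.
  "$IPTABLES" -A bridge-forward -p udp -d 239.1.0.0/22 --dport 5000 -j ACCEPT

  # IGMP forwarding: membership reports/leaves from the LAN towards the DSLAM
  "$IPTABLES" -A bridge-forward -p igmp -m physdev --physdev-in "$INTIF" --physdev-out "$OUTIF" \
    -s "$INTNET" -d 224.0.0.2 -j ACCEPT
  "$IPTABLES" -A bridge-forward -p igmp -m physdev --physdev-in "$INTIF" --physdev-out "$OUTIF" \
    -s "$INTNET" -d 224.0.0.22 -j ACCEPT
  "$IPTABLES" -A bridge-forward -p igmp -m physdev --physdev-in "$INTIF" --physdev-out "$OUTIF" \
    -s "$INTNET" -d 239.1.0.0/22 -j ACCEPT

  # Allow queries from the DSLAM towards the LAN (matched on source IP only)
  "$IPTABLES" -A bridge-forward -p igmp -m physdev --physdev-in "$OUTIF" --physdev-out "$INTIF" \
    -s "$DSLAMIP" -d 239.1.0.0/22 -j ACCEPT
  "$IPTABLES" -A bridge-forward -p igmp -m physdev --physdev-in "$OUTIF" --physdev-out "$INTIF" \
    -s "$DSLAMIP" -d 224.0.0.1 -j ACCEPT

  # Drop all remaining IGMP
  "$IPTABLES" -A bridge-forward -p igmp -j DROP

  # All other forwarding is denied (uncomment the LOG rule to see what is hit)
  #"$IPTABLES" -A bridge-forward -j LOG --log-level info --log-prefix "bridge-drop: "
  "$IPTABLES" -A bridge-forward -j DROP

  # Create a hook in the forward chain, in front of any existing rules
  "$IPTABLES" -I FORWARD 1 -i "$BRIF" -o "$BRIF" -j bridge-forward
}

# Create $BRIF from $INTIF and $OUTIF and install the ebtables broute rules
# (only when the bridge does not exist yet), then (re)install the iptables
# rules unconditionally.
bridge_start() {
  printf ' \nStarting bridge: \n'
  check_bridge
  if [ "$?" -eq 0 ]; then
    # Bridge not present yet. Make sure the other interface is up (with no
    # IP address of its own -- it is a bridge port).
    if [ "$("$IFCONFIG" | grep -c -w -- "$OUTIF")" -eq 0 ]; then
      "$IFCONFIG" "$OUTIF" 0.0.0.0 up
    fi
    echo " - Creating bridge device.."
    "$BRCTL" addbr "$BRIF"
    "$BRCTL" stp "$BRIF" off
    "$BRCTL" setfd "$BRIF" 4
    "$BRCTL" addif "$BRIF" "$INTIF"
    "$BRCTL" addif "$BRIF" "$OUTIF"
    # Bring the bridge interface up
    "$IFCONFIG" "$BRIF" 0.0.0.0 up

    echo " - Setting ebtables rules.."
    # Default is routing (broute DROP = hand the frame to the IP stack, i.e.
    # nothing is bridged unless a rule below ACCEPTs it)
    "$EBTABLES" -t broute -P BROUTING DROP
    # IGMP bridging is needed
    #"$EBTABLES" -t broute -A BROUTING -p 0x800 --ip-proto igmp --log --log-level=info --log-prefix="igmp-bridge: "
    "$EBTABLES" -t broute -A BROUTING -p 0x800 --logical-in "$BRIF" --ip-proto igmp -j ACCEPT
    # UDP multicast bridging (the MAC mask selects group/multicast frames only)
    "$EBTABLES" -t broute -A BROUTING -d 01:00:00:00:00:00/01:00:00:00:00:00 -p 0x800 --logical-in "$BRIF" \
      --ip-proto udp --ip-dst 239.1.0.0/22 --ip-dport 5000 -j ACCEPT
    # All other bridging on $BRIF is denied (routed to the local stack)
    "$EBTABLES" -t broute -A BROUTING --logical-in "$BRIF" -j DROP
  fi
  set_iptables
}

# Tear the bridge down if it exists: take $OUTIF down, remove the ports and
# the bridge, reset the broute table, and remove the iptables chain and hook.
# $INTIF is left up. The broute policy is reset to ACCEPT (= bridge) only
# after the bridge is gone, so this does not open a fully-bridged window.
bridge_stop() {
  check_bridge
  if [ "$?" -gt 0 ]; then
    echo " Stopping bridge.."
    "$IFCONFIG" "$OUTIF" down
    "$IFCONFIG" "$BRIF" down
    "$BRCTL" delif "$BRIF" "$OUTIF"
    "$BRCTL" delif "$BRIF" "$INTIF"
    "$BRCTL" delbr "$BRIF"
    "$EBTABLES" -t broute -F
    "$EBTABLES" -t broute -P BROUTING ACCEPT
    "$IPTABLES" -D FORWARD -i "$BRIF" -o "$BRIF" -j bridge-forward
    "$IPTABLES" -F bridge-forward
    "$IPTABLES" -X bridge-forward
  fi
}

# Stop, then start.
bridge_restart() {
  echo "Restarting bridge: "
  bridge_stop
  bridge_start
}

# Print whether $BRIF exists. Returns (does not exit) 1 when the bridge is
# active and 2 when it is inactive -- the script's historical status codes.
bridge_status() {
  check_bridge
  if [ "$?" -eq 0 ]; then
    echo " Bridge ($BRIF) status: inactive"
    return 2
  fi
  echo " Bridge ($BRIF) status: active"
  return 1
}

usage() {
  echo "usage $0 start|stop|restart|status" >&2
  exit 2
}

case "${1:-}" in
  'start')
    bridge_start
    bridge_status
    ;;
  'stop')
    bridge_stop
    bridge_status
    ;;
  'restart')
    bridge_restart
    bridge_status
    ;;
  'status')
    bridge_status
    exit "$?"
    ;;
  *)
    usage
    ;;
esac
exit 0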