software captore

[rrq/hourglass.git] / setup.sh

diff --git a/setup.sh b/setup.sh
index e4bcc646bbbd9836ca991e2fca5ccfdb4bff595a..96463bc17b5cad747420e26d05116aa724189464 100755 (executable)
--- a/setup.sh
+++ b/setup.sh
@@ -3,12 +3,27 @@
 CMD=${1-start}
 NET=192.168.249
 TAP=tap0
+SET=TIMO
 
 cd $(dirname $0)
 
 RULE=( ! -o $TAP -j TEE --gateway $NET.2 --oif $TAP )
 case "$CMD" in
     start)
+       # start the blocking rule
+       if iptables-save | grep -qs "match-set $SET" ; then
+           : # all fine
+       else
+           if ipset list $SET >& /dev/null ; then
+               : # The set exists
+           else
+               ipset create $SET hash:net
+           fi
+           iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
+           iptables -A FORWARD -p udp --dport 53 -j ACCEPT
+           iptables -A FORWARD -m set --match-set $SET src -j DROP
+       fi
+       # Start the traffic listener
        if ifconfig $TAP >& /dev/null ; then
            echo "Already started"
        else
@@ -19,6 +34,8 @@ case "$CMD" in
                echo $TAP not up yet
            done
            ifconfig $TAP $NET.1 up
+           iptables -t mangle -A FORWARD -p tcp --dport 53 -j RETURN
+           iptables -t mangle -A FORWARD -p udp --dport 53 -j RETURN
            iptables -t mangle -A FORWARD ${RULE[@]}
        fi
        ;;
@@ -29,6 +46,7 @@ case "$CMD" in
        else
            echo "Already stopped"
        fi
+       ipset flush $SET
        ;;
     *)
        echo "Unknown: $CMD"