X-Git-Url: https://git.rrq.au/?a=blobdiff_plain;ds=sidebyside;f=setup.sh;h=3585d74d12bbe45a9053ba1f657f25e83bcc8fa0;hb=edf9ef981d33d2ef5712ae7116094c0fc6528aa7;hp=e4bcc646bbbd9836ca991e2fca5ccfdb4bff595a;hpb=05a9c528d8aee0373f52fa1bc72250e7f3625e76;p=rrq%2Fhourglass.git
diff --git a/setup.sh b/setup.sh
index e4bcc64..3585d74 100755
--- a/setup.sh
+++ b/setup.sh
@@ -1,14 +1,32 @@
 #!/bin/bash
+#
+# This is a control script to start and stop the network activity
+# listening.
 CMD=${1-start}
 NET=192.168.249
-TAP=tap0
+TAP=hourglass0
+SET=TIMO
 cd $(dirname $0)
 RULE=( ! -o $TAP -j TEE --gateway $NET.2 --oif $TAP )
 case "$CMD" in
 start)
+ # start the blocking rule
+ if iptables-save | grep -qs "match-set $SET" ; then
+ : # all fine
+ else
+ if ipset list $SET >& /dev/null ; then
+ : # The set exists
+ else
+ ipset create $SET hash:net
+ fi
+ iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
+ iptables -A FORWARD -p udp --dport 53 -j ACCEPT
+ iptables -A FORWARD -m set --match-set $SET src -j DROP
+ fi
+ # Start the traffic listener
 if ifconfig $TAP >& /dev/null ; then
 echo "Already started"
 else
@@ -19,6 +37,8 @@ case "$CMD" in
 echo $TAP not up yet
 done
 ifconfig $TAP $NET.1 up
+ iptables -t mangle -A FORWARD -p tcp --dport 53 -j RETURN
+ iptables -t mangle -A FORWARD -p udp --dport 53 -j RETURN
 iptables -t mangle -A FORWARD ${RULE[@]}
 fi
 ;;
@@ -29,6 +49,7 @@ case "$CMD" in
 else
 echo "Already stopped"
 fi
+ ipset flush $SET
 ;;
 *)
 echo "Unknown: $CMD"
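Review bot: Nothing in the new `start)` branch checks an exit status, so a partial first run leaves the firewall half-configured and later runs repeat it: if `ipset create $SET hash:net` fails (script not run as root, ipset module missing), the following `iptables -m set --match-set` fails too, `iptables-save` never shows a `match-set $SET` rule, and the two port-53 ACCEPT rules are appended again on every start. Checking the critical commands keeps the guard meaningful, e.g. `ipset -exist create "$SET" hash:net || exit 1` and `iptables -A FORWARD -m set --match-set "$SET" src -j DROP || exit 1`. Separately, the port-53 ACCEPT rules exempt all DNS traffic, to any destination, from the DROP for hosts in the set; if the intent is only to keep name resolution through the local resolver, a destination match on the resolver's address narrows that exemption — the intent is inferred from the rule order, not stated in the diff. The `start)` arm continues into the next hunk.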
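Review bot: The two new mangle RETURN rules only take effect because they are appended just before the TEE rule on the following line; `-A` gives no ordering guarantee beyond that, and nothing in the script says why DNS is excluded from mirroring, so a comment is due: `# DNS must not be mirrored to $TAP: these RETURNs have to precede the TEE rule below`. If the mangle FORWARD chain already holds rules left by an earlier, partially completed run, the RETURNs land after them, which is not checked here. The `stop)` branch that would remove these mangle rules lies outside the hunks, so whether they are cleaned up on stop cannot be confirmed from this diff; the `start)` arm itself begins before this hunk.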
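Review bot: `ipset flush $SET` runs on every `stop`, including the "Already stopped" path, with no check that the set exists, so a stop on a host where start never created the set ends with an ipset error after the success message; guarding it, `ipset list "$SET" >/dev/null 2>&1 && ipset flush "$SET"`, avoids that. Flushing also lifts the block for every listed host while the FORWARD DROP rule installed by `start` stays in place, which is worth stating next to the call: `# emptying the set unblocks all hosts; the DROP rule itself stays installed`. The `stop)` arm begins outside the hunk.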