X-Git-Url: https://git.rrq.au/?a=blobdiff_plain;f=setup.sh;h=4cf7a80d8c6ffdb89e89bab1042029d40583208c;hb=4466d2ec250322c1b603d041703259586e213b22;hp=e4bcc646bbbd9836ca991e2fca5ccfdb4bff595a;hpb=05a9c528d8aee0373f52fa1bc72250e7f3625e76;p=rrq%2Fhourglass.git
diff --git a/setup.sh b/setup.sh
index e4bcc64..4cf7a80 100755
--- a/setup.sh
+++ b/setup.sh
@@ -1,14 +1,36 @@
 #!/bin/bash
+#
+# This is a control script to start and stop the network activity
+# listening.
-CMD=${1-start}
-NET=192.168.249
-TAP=tap0
+CONF="hourglass.conf"
+function getcfg() {
+    grep -E "\\s*[^;#]$1]\\s*=" $CONF | sed 's/.*=\s*(.*)/\1/;s/\s*$//'
+}
+
+NET="$(getcfg listener.ip)"
+TAP="$(getcfg listener.tap)"
+SET="$(getcfg ipset.table)"
 cd $(dirname $0)
 RULE=( ! -o $TAP -j TEE --gateway $NET.2 --oif $TAP )
 case "$CMD" in
 start)
+    # start the blocking rule
+    if iptables-save | grep -qs "match-set $SET" ; then
+        : # all fine
+    else
+        if ipset list $SET >& /dev/null ; then
+            : # The set exists
+        else
+            ipset create $SET hash:net
+        fi
+        iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
+        iptables -A FORWARD -p udp --dport 53 -j ACCEPT
+        iptables -A FORWARD -m set --match-set $SET src -j DROP
+    fi
+    # Start the traffic listener
     if ifconfig $TAP >& /dev/null ; then
         echo "Already started"
     else
@@ -19,6 +41,8 @@ case "$CMD" in
             echo $TAP not up yet
         done
         ifconfig $TAP $NET.1 up
+        iptables -t mangle -A FORWARD -p tcp --dport 53 -j RETURN
+        iptables -t mangle -A FORWARD -p udp --dport 53 -j RETURN
         iptables -t mangle -A FORWARD ${RULE[@]}
     fi
     ;;
@@ -29,6 +53,7 @@ case "$CMD" in
     else
         echo "Already stopped"
     fi
+    ipset flush $SET
     ;;
 *)
     echo "Unknown: $CMD"
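Review bot: `CMD=${1-start}` is removed in the first hunk while the unchanged `case "$CMD" in` still reads it, so CMD is empty unless the caller happens to export it and every run falls into the `Unknown:` arm; keep the line, e.g. `CMD=${1-start}` next to the new `SET=` assignment. In getcfg the sed script `'s/.*=\s*(.*)/\1/;s/\s*$//'` is a basic regex in which `(` is literal, so GNU sed rejects the `\1` back-reference as an invalid reference and every lookup yields an empty string; either add `-E` or write `\(.*\)`. The config-derived values are then interpolated unquoted into the grep pattern and the ipset/iptables command lines with no check that the lookup produced anything, so a missing file or mismatched key silently creates a set with no name and a DROP rule with no match-set; add `: "${NET:?}" "${TAP:?}" "${SET:?}"` after the three assignments and quote the expansions. The presence test `grep -qs "match-set $SET"` is also a substring match that is fooled by any set whose name starts with `$SET`; `iptables -C FORWARD -m set --match-set "$SET" src -j DROP` checks the exact rule.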
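Review bot: The two mangle RETURN rules in the second hunk are appended with `-A` and, like the TEE rule after them, are skipped only by the `ifconfig $TAP` test at the top of the arm, so if the tap vanishes while the mangle chain keeps its rules (crash, out-of-band link removal) the next `start` appends a second pair behind the stale TEE rule, where they no longer exempt DNS from the tee. Making the insertion idempotent avoids the drift: `iptables -t mangle -C FORWARD -p tcp --dport 53 -j RETURN 2>/dev/null || iptables -t mangle -A FORWARD -p tcp --dport 53 -j RETURN`, and the same for udp. Both the `if ifconfig` block and the `start)` arm begin outside this hunk.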
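Review bot: `ipset flush $SET` in the third hunk sits after the `fi`, so it runs on the `Already stopped` path as well, and because the expansion is unquoted an empty `$SET` (any failed config lookup) reduces it to a bare `ipset flush`, which empties every set on the host rather than this script's; guard it with `[[ -n "$SET" ]] && ipset flush "$SET"`. As far as this hunk shows, the filter FORWARD ACCEPT/DROP rules and the mangle RETURN rules that `start` installs are not removed on stop, though the rest of the stop arm lies outside the hunk.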