X-Git-Url: https://git.rrq.au/?a=blobdiff_plain;f=setup.sh;h=96463bc17b5cad747420e26d05116aa724189464;hb=8e3c55b65d2acf7ed3ab2f9eeaffcc5b9d6d117f;hp=e4bcc646bbbd9836ca991e2fca5ccfdb4bff595a;hpb=05a9c528d8aee0373f52fa1bc72250e7f3625e76;p=rrq%2Fhourglass.git
diff --git a/setup.sh b/setup.sh
index e4bcc64..96463bc 100755
--- a/setup.sh
+++ b/setup.sh
@@ -3,12 +3,27 @@ CMD=${1-start}
 NET=192.168.249
 TAP=tap0
+SET=TIMO
 cd $(dirname $0)
 RULE=( ! -o $TAP -j TEE --gateway $NET.2 --oif $TAP )
 case "$CMD" in
 start)
+ # start the blocking rule
+ if iptables-save | grep -qs "match-set $SET" ; then
+ : # all fine
+ else
+ if ipset list $SET >& /dev/null ; then
+ : # The set exists
+ else
+ ipset create $SET hash:net
+ fi
+ iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
+ iptables -A FORWARD -p udp --dport 53 -j ACCEPT
+ iptables -A FORWARD -m set --match-set $SET src -j DROP
+ fi
+ # Start the traffic listener
 if ifconfig $TAP >& /dev/null ; then
 echo "Already started"
 else
@@ -19,6 +34,8 @@ case "$CMD" in
 echo $TAP not up yet
 done
 ifconfig $TAP $NET.1 up
+ iptables -t mangle -A FORWARD -p tcp --dport 53 -j RETURN
+ iptables -t mangle -A FORWARD -p udp --dport 53 -j RETURN
 iptables -t mangle -A FORWARD ${RULE[@]}
 fi
 ;;
@@ -29,6 +46,7 @@ case "$CMD" in
 else
 echo "Already stopped"
 fi
+ ipset flush $SET
 ;;
 *)
 echo "Unknown: $CMD"
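Review bot: The two ACCEPT rules appended ahead of the DROP exempt every forwarded packet whose destination port is 53, to any host, so a source listed in $SET can still reach arbitrary destinations on 53/tcp and 53/udp (a DNS tunnel, or any service bound to port 53), which undercuts the block the DROP rule is meant to impose. If the exemption only exists so that blocked clients can still resolve names, pin it to the resolver they are expected to use, e.g. `DNS=<resolver address>` next to `SET=TIMO` and `iptables -A FORWARD -p tcp --dport 53 -d "$DNS" -j ACCEPT` / `iptables -A FORWARD -p udp --dport 53 -d "$DNS" -j ACCEPT`. Note also that `-A` appends, so on a host whose FORWARD chain already ends in a catch-all ACCEPT none of the three new rules is ever reached; whether that applies here cannot be told from this script, but `-I` or an explicit rule position would make the ordering independent of pre-existing rules. The `start)` arm continues past the end of the hunk.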
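Review bot: The mangle-table RETURN rules keep DNS queries out of the TEE mirror, but they match on `--dport 53` only, so the replies (source port 53) are still copied to $TAP; if the intent is to keep DNS off the listener entirely rather than just the queries, add the mirror-image rules `iptables -t mangle -A FORWARD -p tcp --sport 53 -j RETURN` and `iptables -t mangle -A FORWARD -p udp --sport 53 -j RETURN` before the TEE rule. Their precedence over the TEE rule rests only on being appended first in the same run, which holds here because the whole block sits under the missing-$TAP check, but it is worth a one-line comment such as `# must precede the TEE rule: RETURN exempts DNS from mirroring`. The enclosing `if` and `case` arm begin before the hunk.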
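Review bot: `ipset flush $SET` runs unconditionally, so `stop` invoked before any `start` (or after a reboot that removed the set) prints an ipset error and, as the last command of the arm, likely leaves the script with a non-zero exit status; guard it the same way `start` does, `ipset list $SET >& /dev/null && ipset flush $SET`. Flushing also only empties the set: the FORWARD ACCEPT/DROP rules that `start` appended stay in place, which is harmless for the DROP rule on an empty set but leaves the unconditional port-53 ACCEPT exemptions active after the listener is down — if that is not intended, remove them here with the matching `iptables -D FORWARD ...` calls. The `stop)` arm begins before the hunk.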