- ## CUSTOMIZE YOUR SCRIPT VARIABLES
- #
- ## Uncomment and set value(s) as needed to customize your rules
- #
- # IP ADDRESS RANGE OR SINGLE IP ADDRESS
- #ip_src_lst="192.168.1.104-192.168.1.106 192.168.1.15"
- #ip_src_lst="192.168.1.9 192.168.1.29"
- #ip_dst_lst=""
- ## CIDR NOTATION or SINGLE IP ADDRESS - E. G. "98.207.0.0/16 74.125.229.0/24 80.130.125.163"
- #cidr_src_rnge=""
- #cidr_dst_rnge=""
- #################################################################
- # CHANGE MARK VALUE(S) (0 or 1) IN FOR LOOPS BELOW IF NECESSARY #
- #################################################################
- # SHELL COMMANDS FOR MAINTENANCE.
- # DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
- #
- # List Contents by line number
- # iptables -L PREROUTING -t mangle -n --line-numbers
- #
- # Delete rules from mangle by line number
- # iptables -D PREROUTING type-line-number-here -t mangle
- #
- # To list the current rules on the router, issue the command:
- # iptables -t mangle -L PREROUTING
- #
- # Flush/reset all the rules to default by issuing the command:
- # iptables -t mangle -F PREROUTING
- #
- # First it is necessary to disable Reverse Path Filtering on all
- # current and future network interfaces:
- #
- for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
- echo 0 > $i
- done
- #
- # Delete table 100 and flush any existing rules if they exist.
- #
- ip route flush table 100
- ip route del default table 100
- ip rule del fwmark 1 table 100
- ip route flush cache
- iptables -t mangle -F PREROUTING
- #
- # Let's find out the tunnel interface
- #
- iface_lst=`route | awk ' {print $8}'`
- for tun_if in $iface_lst; do
- if [ $tun_if == "tun11" ] || [ $tun_if == "tun12" ] || [ $tun_if == "ppp0" ]; then
- break
- fi
- done
- #
- # Copy all non-default and non-VPN related routes from the main table into table 100.
- # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
- #
- ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
- | while read ROUTE ; do
- ip route add table 100 $ROUTE
- done
- ip route add default table 100 via $(nvram get wan_gateway)
- ip rule add fwmark 1 table 100
- ip route flush cache
- # EXAMPLES:
- #
- # All LAN traffic will bypass the VPN (Useful to put this rule first,
- # so all traffic bypasses the VPN and you can configure exceptions afterwards)
- # iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
- #
- # Ports 80 and 443 will bypass the VPN
- # iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
- #
- # All traffic from a particular computer on the LAN will use the VPN
- # iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
- #
- # All traffic to a specific Internet IP address will use the VPN
- # iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
- #
- # All traffic from a specific Internet IP address range USING CIDR NOTATION will use the VPN (mark 0; change to --set-mark 1 to make it bypass instead)
- # iptables -t mangle -A PREROUTING -i br0 -s 74.125.229.0/24 -j MARK --set-mark 0
- #
- # All traffic to a specific Internet IP address range USING CIDR NOTATION will use the VPN
- # iptables -t mangle -A PREROUTING -i br0 -d 98.207.0.0/16 -j MARK --set-mark 0
- #
- # All UDP and ICMP traffic will bypass the VPN
- # iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
- # iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
- # Default behavior: MARK = 1 all traffic bypasses VPN, MARK = 0 all traffic goes VPN
- iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0
- for ip_addrs in $ip_src_lst ; do
- iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range "$ip_addrs" -j MARK --set-mark 1
- done
- for ip_addrs in $ip_dst_lst ; do
- iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range "$ip_addrs" -j MARK --set-mark 0
- done
- for ip_rnge in $cidr_src_rnge ; do
- iptables -t mangle -A PREROUTING -i br0 -s "$ip_rnge" -j MARK --set-mark 0
- done
- for ip_rnge in $cidr_dst_rnge ; do
- iptables -t mangle -A PREROUTING -i br0 -d "$ip_rnge" -j MARK --set-mark 0
- done