Linux on a Mikrotik 532a, Part 4 – Customization, Debian Scripts, Shaping, Firewall, NAT, picoLCD

Follow On From: 05 Oct 08 APNIC Box – Linux on a Mikrotik 532a, Part 3 – Installing Debian, Prebuilt Disk Image

Following on from the previous article, I’ve written some scripts which you’ll find in the /root/scripts/ directory of the prebuilt image. I’ve attached and commented them here, as they could also be useful elsewhere.

bridge.sh #For setting up a simple bridge

#!/bin/bash

ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

ifconfig br0 87.194.X.X netmask 255.255.248.0 broadcast 87.194.X.X
ifconfig br0 up
route add default gw 87.194.X.X

fw.sh #Firewall and NAT rules

#!/bin/bash

INTIF=eth2 #wired LAN
EXTIF=br0  #bridge carrying the public address (see bridge.sh)

#Flush everything so the script can be re-run cleanly
iptables -F
iptables -X

iptables -t nat -F
iptables -t nat -X
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

#Note: -I inserts at the top of the chain, so every rule inserted later is
#evaluated before this one. This REJECT therefore ends up as the last rule.
iptables -I FORWARD -i $INTIF -o $EXTIF -j REJECT
iptables -I FORWARD -i ath0 -o $EXTIF -j ACCEPT #ath0 is wifi

iptables -t nat -A POSTROUTING -d 87.194.X.A -o $EXTIF -j MASQUERADE
iptables -t nat -A POSTROUTING -d 87.194.X.B -o $EXTIF -j MASQUERADE
iptables -t nat -A POSTROUTING -d 87.194.X.C -o $EXTIF -j MASQUERADE
iptables -t nat -A POSTROUTING -d 87.194.X.D -o $EXTIF -j MASQUERADE
iptables -t nat -A POSTROUTING -d 87.194.X.E -o $EXTIF -j MASQUERADE

#Each LAN range leaves with its own public address
iptables -t nat -A POSTROUTING -o $EXTIF -s 192.168.254.0/24 -j SNAT --to 87.194.X.C
iptables -t nat -A POSTROUTING -o $EXTIF -s 192.168.253.0/24 -j SNAT --to 87.194.X.D

TCP="53 80 110 123 143 443 25 1863 22"
UDP="53 123 5082"

DAD="192.168.254.14" #dad's laptop.

#Only these destination ports may be opened from the wired LAN
for PORT in $TCP; do
iptables -I FORWARD -i $INTIF -o $EXTIF -p tcp -m tcp --dport $PORT -j ACCEPT
done
for PORT in $UDP; do
iptables -I FORWARD -i $INTIF -o $EXTIF -p udp -m udp --dport $PORT -j ACCEPT
done

#This host is exempt from the port list
iptables -I FORWARD -i $INTIF -o $EXTIF -s $DAD -j ACCEPT

iptables -I FORWARD -i $INTIF -o $EXTIF -p icmp -m icmp -j ACCEPT
iptables -I FORWARD -o $INTIF -i $EXTIF -p icmp -m icmp -j ACCEPT

#Replies to connections already tracked are allowed in both directions
iptables -I FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

#Transparent proxy: LAN web traffic is redirected to squid on 3128
iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 3128

#From the outside, only the listed sources may reach the proxy port
#(the ACCEPTs are inserted after the REJECT, so they are matched first)
iptables -I INPUT -i $EXTIF -p tcp -m tcp --dport 3128 -j REJECT
iptables -I INPUT -i $EXTIF -p tcp -m tcp --dport 3128 -s 192.168.0.0/16 -j ACCEPT
iptables -I INPUT -i $EXTIF -p tcp -m tcp --dport 3128 -s 87.194.123.A -j ACCEPT
iptables -I INPUT -i $EXTIF -p tcp -m tcp --dport 3128 -s 87.194.123.B -j ACCEPT
iptables -I INPUT -i $EXTIF -p tcp -m tcp --dport 3128 -s 87.194.123.C -j ACCEPT
iptables -I INPUT -i $EXTIF -p tcp -m tcp --dport 3128 -s 87.194.123.D -j ACCEPT
iptables -I INPUT -i $EXTIF -p tcp -m tcp --dport 3128 -s 87.194.123.E -j ACCEPT
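Because fw.sh builds its chains with repeated -I, the effective rule order is the reverse of the order in the file, and a half-applied run (say, after an iptables error mid-script) leaves the box in an undefined state. The following is an added example, not part of the article or the disk image: it emits the same policy as an iptables-restore ruleset, which is loaded in one atomic step and reads top to bottom. It keeps the article's interface names, LAN ranges and port lists; the INPUT default is tightened to DROP with the proxy and ssh reachable from the LAN side only, and the public SNAT address is an RFC 5737 placeholder rather than the author's.

```shell
#!/bin/bash
# Added example, not from the article: fw.sh's policy as an iptables-restore
# ruleset. Rules are listed in evaluation order and loaded atomically.
# Interface names, LAN ranges and port lists follow the article; SNAT_IP is a
# placeholder (RFC 5737) to be replaced with the real public address.
INTIF=${INTIF:-eth2}        # wired LAN
WIFI=${WIFI:-ath0}          # wifi
EXTIF=${EXTIF:-br0}         # bridge carrying the public address
LAN_NETS="192.168.254.0/24 192.168.253.0/24"
TCP_PORTS="53 80 110 123 143 443 25 1863 22"
UDP_PORTS="53 123 5082"
EXEMPT_HOSTS="192.168.254.14"   # hosts not restricted to the port list
PROXY_PORT=3128
SNAT_IP=${SNAT_IP:-192.0.2.1}   # placeholder, not the article's address

gen_nat() {
  echo '*nat'
  echo ':PREROUTING ACCEPT [0:0]'
  echo ':POSTROUTING ACCEPT [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  # transparent proxy for web traffic from the wired LAN
  echo "-A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
  for net in $LAN_NETS; do
    echo "-A POSTROUTING -o $EXTIF -s $net -j SNAT --to-source $SNAT_IP"
  done
  echo 'COMMIT'
}

gen_filter() {
  echo '*filter'
  # INPUT defaults to DROP here (fw.sh leaves it at ACCEPT), so only the
  # services listed below are reachable on the box itself
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -p icmp -j ACCEPT'
  # the (redirected) proxy port and ssh are reachable from the LAN side only
  echo "-A INPUT -i $INTIF -p tcp --dport $PROXY_PORT -j ACCEPT"
  echo "-A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT"
  # FORWARD: tracked replies first, then the permitted new traffic
  echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo "-A FORWARD -i $WIFI -o $EXTIF -j ACCEPT"
  echo "-A FORWARD -i $INTIF -o $EXTIF -p icmp -j ACCEPT"
  echo "-A FORWARD -i $EXTIF -o $INTIF -p icmp -j ACCEPT"
  for h in $EXEMPT_HOSTS; do
    echo "-A FORWARD -i $INTIF -o $EXTIF -s $h -j ACCEPT"
  done
  for p in $TCP_PORTS; do
    echo "-A FORWARD -i $INTIF -o $EXTIF -p tcp --dport $p -j ACCEPT"
  done
  for p in $UDP_PORTS; do
    echo "-A FORWARD -i $INTIF -o $EXTIF -p udp --dport $p -j ACCEPT"
  done
  # anything else from the wired LAN to the outside is refused, as in fw.sh
  echo "-A FORWARD -i $INTIF -o $EXTIF -j REJECT"
  echo 'COMMIT'
}

# Whole ruleset on stdout, nat table first
gen_ruleset() {
  gen_nat
  gen_filter
}

gen_ruleset
```

Save the output to a file, check it with `iptables-restore --test < rules` (the `--test` flag parses and builds the ruleset without committing it on recent iptables), and only then load it with `iptables-restore < rules`. If any line is rejected, nothing is applied, which is the property the -I/-A script cannot give you.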

shape.sh #old CBQ rate limiting script that I wrote. See: for something better.

#!/bin/bash
#ignore the incorrect "RATEs" below. Not sure what those were there for but preserving the original script nevertheless. IIRC, it was some throughput test.
TC="tc"

DEV="eth2"
BANDWIDTH="100mbit"
RATE="8mbit" #266K/s
DST="192.168.254.0/24"

DEV2="eth1"   #backup
BANDWIDTH2="100mbit"
RATE2="88mbit" #800K/s
DST2a="87.194.123.201"
DST2b="87.194.123.203"
DST2c="87.194.123.204"

DEV3="ath0"
BANDWIDTH3="100mbit"
RATE3="24mbit" #XXX K/s
DST3="192.168.253.0/24"

#####SCRIPT#####
echo "Loading modules..."
modprobe sch_cbq
modprobe sch_dsmark
modprobe sch_gred
modprobe sch_hfsc
modprobe sch_htb
modprobe sch_ingress
modprobe sch_prio
modprobe sch_red
modprobe sch_sfq
modprobe sch_tbf
modprobe sch_teql
modprobe cls_u32

echo "Deleting..."
$TC qdisc del dev $DEV root
$TC qdisc del dev $DEV2 root
$TC qdisc del dev $DEV3 root

#One bounded CBQ class per device; only traffic to $DST is shaped, the rest passes unclassified
echo -n "Adding rules for $DEV..."
$TC qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth $BANDWIDTH
$TC class add dev $DEV parent 1: classid 1:1 cbq rate $RATE \
allot 1500 prio 5 bounded isolated
$TC filter add dev $DEV parent 1: protocol ip prio 16 u32 \
match ip dst $DST flowid 1:1
$TC qdisc add dev $DEV parent 1:1 sfq perturb 10
echo "          done"

echo -n "Adding rules for $DEV2..."
$TC qdisc add dev $DEV2 root handle 1: cbq avpkt 1000 bandwidth $BANDWIDTH2
$TC class add dev $DEV2 parent 1: classid 1:1 cbq rate $RATE2 \
allot 1500 prio 5 bounded isolated
$TC filter add dev $DEV2 parent 1: protocol ip prio 16 u32 \
match ip dst $DST2a flowid 1:1
$TC filter add dev $DEV2 parent 1: protocol ip prio 16 u32 \
match ip dst $DST2b flowid 1:1
$TC filter add dev $DEV2 parent 1: protocol ip prio 16 u32 \
match ip dst $DST2c flowid 1:1
$TC qdisc add dev $DEV2 parent 1:1 sfq perturb 10
echo "          done"

echo -n "Adding rules for $DEV3..."
$TC qdisc add dev $DEV3 root handle 1: cbq avpkt 1000 bandwidth $BANDWIDTH3
$TC class add dev $DEV3 parent 1: classid 1:1 cbq rate $RATE3 \
allot 1500 prio 5 bounded isolated
$TC filter add dev $DEV3 parent 1: protocol ip prio 16 u32 \
match ip dst $DST3 flowid 1:1
$TC qdisc add dev $DEV3 parent 1:1 sfq perturb 10
echo "          done"
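CBQ needs the link bandwidth and avpkt parameters to estimate idle time, which is one reason it has fallen out of use; HTB gives the same bounded per-destination class with just a rate and ceiling. The script below is an added example and not the author's shape.sh or anything from the disk image: it applies the article's three rate limits with HTB, and every tc command goes through a `run` wrapper that only prints the command unless `DRYRUN=0`, so the rules can be reviewed before touching a live interface. The interface names and rates are the article's; the three public addresses are constructed RFC 5737 placeholders.

```shell
#!/bin/bash
# Added example, not the article's shape.sh: the same per-destination rate
# limits built with HTB instead of CBQ. Each tc command goes through run(),
# which prints it when DRYRUN=1 (the default) instead of executing it.
TC=${TC:-tc}
DRYRUN=${DRYRUN:-1}   # set DRYRUN=0 to actually execute the tc commands

run() {
  if [ "$DRYRUN" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# shape_dev DEV RATE DST...
# Limit traffic leaving DEV towards any of the DST addresses/networks to RATE.
# Traffic that matches no filter is not classified and so is not shaped, the
# same behaviour as the bounded/isolated CBQ class in the original script.
shape_dev() {
  local dev=$1 rate=$2 dst
  shift 2
  run $TC qdisc del dev "$dev" root 2>/dev/null || true   # nothing to delete on first run
  run $TC qdisc add dev "$dev" root handle 1: htb
  run $TC class add dev "$dev" parent 1: classid 1:1 htb rate "$rate" ceil "$rate"
  # fair queueing between flows inside the limited class
  run $TC qdisc add dev "$dev" parent 1:1 handle 10: sfq perturb 10
  for dst in "$@"; do
    run $TC filter add dev "$dev" parent 1: protocol ip prio 16 u32 \
      match ip dst "$dst" flowid 1:1
  done
}

# Same interfaces and rates as the article; the public addresses below are
# constructed placeholders (RFC 5737), not the article's.
shape_dev eth2 8mbit 192.168.254.0/24
shape_dev eth1 88mbit 192.0.2.201 192.0.2.203 192.0.2.204
shape_dev ath0 24mbit 192.168.253.0/24
```

Run it once as-is to see the exact tc invocations, then `DRYRUN=0 ./htb-shape.sh` as root to apply them; `tc -s class show dev eth2` afterwards shows the bytes and drops accounted to class 1:1, which is the quickest check that the filter actually matches the traffic you meant.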

timing.sh #for timing a command.

#!/bin/bash
CMD=$*
#GNU time writes e.g. "0.00user 0.00system 0:05.42elapsed 0%CPU ..." to stderr.
#Take the elapsed field and keep only the whole seconds (the minutes part is dropped).
/usr/bin/time $CMD 2>/tmp/t
T=`cat /tmp/t|head -n1|awk '{ print $3 }'|sed 's|elapsed||g'|cut -d \: -f 2| \
cut -d . -f 1`
rm -f /tmp/t

echo $T
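Two things about timing.sh are worth knowing before reusing it: the cut pipeline keeps only the seconds field, so a command that runs for 1:05 reports 5, and the fixed /tmp/t path is writable by any local user, so a file or symlink planted there ahead of time ends up being written to as root. The function below is an added example, not the author's script: it parses the elapsed field of GNU time's default output into total seconds for both the m:ss.ff and h:mm:ss forms, and the wrapper uses mktemp for the scratch file. The two sample lines are constructed for the test, not captured output.

```shell
#!/bin/bash
# Added example, not the article's timing.sh: convert the "elapsed" field of
# GNU time's default output into whole seconds, handling both the m:ss.ff and
# the h:mm:ss forms that time uses depending on the run length.
elapsed_seconds() {
  # $1 is one line of /usr/bin/time output
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++) if ($i ~ /elapsed$/) t = $i
    sub(/elapsed$/, "", t)
    n = split(t, p, ":")
    if (n == 3) s = p[1]*3600 + p[2]*60 + p[3]   # h:mm:ss
    else        s = p[1]*60 + p[2]               # m:ss.ff
    printf "%d\n", s
  }'
}

# time_cmd CMD... : run CMD and print its wall-clock time in whole seconds.
# mktemp gives a private scratch file instead of a predictable /tmp path.
time_cmd() {
  local tmp
  tmp=$(mktemp) || return 1
  /usr/bin/time "$@" 2>"$tmp" >/dev/null
  elapsed_seconds "$(grep elapsed "$tmp")"
  rm -f "$tmp"
}

# Constructed sample lines in GNU time's default format (not captured output)
SAMPLE_SHORT='0.01user 0.00system 0:05.42elapsed 0%CPU (0avgtext+0avgdata 1024maxresident)k'
SAMPLE_LONG='0.01user 0.00system 1:02:03elapsed 0%CPU (0avgtext+0avgdata 1024maxresident)k'

elapsed_seconds "$SAMPLE_SHORT"   # 5
elapsed_seconds "$SAMPLE_LONG"    # 3723
```

`time_cmd sleep 2` is the equivalent of `./timing.sh sleep 2`; because the timed command's own stderr also lands in the scratch file, the grep picks out the line that carries the elapsed field rather than blindly taking the first one.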

lcd/start.sh #receive button press on LCD

#!/bin/bash
USBLCD="/usr/local/bin/usblcd"

$USBLCD backlight 1 text 0 0 APNIC Box v1.2 text 1 0 "Continue? (Yes) (No)"
#Light the two button LEDs, wait for a key and let parse.sh (in the same directory) turn the output into a key code
RESULT=`$USBLCD led 5 1 led 4 1 read 2>&1 |  ./parse.sh`

if [ "$RESULT" == "x07" ]; then
$USBLCD text 0 0 "You fat @!#$er     "
fi
if [ "$RESULT" == "x06" ]; then
$USBLCD text 1 0 "Nice one...        "
fi

lcd/stats/ within the disk image is a crude statistics script for the LCD, but I dropped it for lcdproc quite early.

sleeping.c #this is used to provide a 'usleep' command line tool

#include <stdio.h>
#include <stdlib.h>   /* atoi */
#include <unistd.h>   /* usleep */

int main(int argc, char **argv)
{
	if (argc != 2)
	{
		printf("Usage: %s <sleep(msec)>\n", argv[0]);
		return 1;
	}
	/* argument is in milliseconds, usleep() takes microseconds */
	usleep(atoi(argv[1])*1000);
	return 0;
}


Those are the main interesting bits within the image. There is some more LCD stuff that I haven't listed here as it isn't much good in its uncompleted state, but it will hopefully give examples of everything that you can do with picolcd.

Next: Wiping debian and installing OpenWRT, buildroot, scripts, cross-compiling your own binaries.


Posted in APNIC Box, Hardware, Internetworking & Routing, Linux, Projects, Technology, Wireless