Following on from the previous article, I’ve written some scripts which you’ll find in the /root/scripts/ directory of the prebuilt image. I’ve attached and commented them here, as they could also be useful elsewhere.
bridge.sh #For setting up a simple bridge
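#!/usr/bin/env bash
# Put eth0 and eth1 into one bridge (br0), give the bridge the box's public
# address and point the default route at the upstream gateway.
#
# 87.194.X.X is the redacted address from the original post: fill in the real
# bridge address, broadcast address and gateway before running this.
#
# set -e is new: the original kept going after a failed brctl/ifconfig, which
# could leave a half-built bridge with a default route already pointing at it.
set -eu

BR=br0
BR_ADDR=87.194.X.X
BR_BCAST=87.194.X.X
GATEWAY=87.194.X.X
BR_PORTS=(eth0 eth1)

# Clear any address on the member ports; ifconfig also brings them up when an
# address is assigned.
for port in "${BR_PORTS[@]}"; do
  ifconfig "$port" 0.0.0.0
done

brctl addbr "$BR"
for port in "${BR_PORTS[@]}"; do
  brctl addif "$BR" "$port"
done

ifconfig "$BR" "$BR_ADDR" netmask 255.255.248.0 broadcast "$BR_BCAST"
ifconfig "$BR" up
route add default gw "$GATEWAY"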
#fw.sh
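#!/usr/bin/env bash
# Forwarding/NAT firewall for the box.  INTIF is the LAN-side interface and
# EXTIF the upstream one.  Neither was set anywhere in the original, so
# iptables was invoked with empty interface names; require them up front.
#
# The en dashes (–dport, –state, –to) and curly quotes in the original are
# blog formatting damage and have been restored to plain ASCII.
set -u
: "${INTIF:?set INTIF to the internal (LAN) interface}"
: "${EXTIF:?set EXTIF to the external (upstream) interface}"

# 87.194.X.* / 87.194.123.* are the redacted public addresses from the post.
TCP_PORTS="53 80 110 123 143 443 25 1863 22"
UDP_PORTS="53 123 5082"
DAD="192.168.254.14" # dad's laptop: forwarded without any port restriction
NAT_DSTS=(87.194.X.A 87.194.X.B 87.194.X.C 87.194.X.D 87.194.X.E)
PROXY_SRCS=(87.194.123.A 87.194.123.B 87.194.123.C 87.194.123.D 87.194.123.E)

# Start from a clean slate.  INPUT and OUTPUT stay ACCEPT, so the box itself
# is only protected by the port-3128 rules at the end of this script.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

# Every FORWARD rule is added with -I, i.e. at the top of the chain, so the
# last rule added ends up first.  This REJECT is therefore the catch-all at
# the bottom; the ACCEPT rules that follow are evaluated before it.
iptables -I FORWARD -i "$INTIF" -o "$EXTIF" -j REJECT
iptables -I FORWARD -i ath0 -o "$EXTIF" -j ACCEPT # ath0 is wifi

# Masquerade traffic destined for the five public addresses, and SNAT the two
# internal ranges to fixed public addresses.
for addr in "${NAT_DSTS[@]}"; do
  iptables -t nat -A POSTROUTING -d "$addr" -o "$EXTIF" -j MASQUERADE
done
iptables -t nat -A POSTROUTING -o "$EXTIF" -s 192.168.254.0/24 -j SNAT --to-source 87.194.X.C
iptables -t nat -A POSTROUTING -o "$EXTIF" -s 192.168.253.0/24 -j SNAT --to-source 87.194.X.D

# LAN -> upstream: only the listed ports, everything from DAD, and ICMP.
for port in $TCP_PORTS; do
  iptables -I FORWARD -i "$INTIF" -o "$EXTIF" -p tcp -m tcp --dport "$port" -j ACCEPT
done
for port in $UDP_PORTS; do
  iptables -I FORWARD -i "$INTIF" -o "$EXTIF" -p udp -m udp --dport "$port" -j ACCEPT
done
iptables -I FORWARD -i "$INTIF" -o "$EXTIF" -s "$DAD" -j ACCEPT
iptables -I FORWARD -i "$INTIF" -o "$EXTIF" -p icmp -m icmp -j ACCEPT
iptables -I FORWARD -o "$INTIF" -i "$EXTIF" -p icmp -m icmp -j ACCEPT
iptables -I FORWARD -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -o "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Transparent proxy: LAN web traffic is redirected to the local proxy on 3128.
# On EXTIF the proxy port is closed except for the listed sources (again -I,
# so the REJECT is last and the ACCEPTs take precedence).
# NOTE(review): 192.168.0.0/16 is accepted as a *source on EXTIF*; if EXTIF is
# really the upstream link, that source is trivially spoofable and the rule
# belongs on INTIF instead — confirm against the actual topology.
iptables -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I INPUT -i "$EXTIF" -p tcp -m tcp --dport 3128 -j REJECT
iptables -I INPUT -i "$EXTIF" -p tcp -m tcp --dport 3128 -s 192.168.0.0/16 -j ACCEPT
for src in "${PROXY_SRCS[@]}"; do
  iptables -I INPUT -i "$EXTIF" -p tcp -m tcp --dport 3128 -s "$src" -j ACCEPT
done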
shape.sh #old CBQ rate limiting script that I wrote. See: for something better.
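#!/usr/bin/env bash
# CBQ rate limiting: every device gets a CBQ root qdisc, one bounded class at
# its RATE with an sfq leaf, and a u32 filter per destination that steers
# matching traffic into that class.
#
# TC was never assigned in the original, so each "$TC qdisc ..." line ran
# without a command name.  Default it to tc on PATH; it must be a single
# executable path (it is quoted below).
TC=${TC:-tc}

DEV="eth2"
BANDWIDTH="100mbit"
RATE="8mbit" # 266K/s
DST="192.168.254.0/24"

DEV2="eth1" # backup
BANDWIDTH2="100mbit"
RATE2="88mbit" # 800K/s
DST2a="87.194.123.201"
DST2b="87.194.123.203"
DST2c="87.194.123.204"

DEV3="ath0"
BANDWIDTH3="100mbit"
RATE3="24mbit" # XXX K/s
DST3="192.168.253.0/24"

#####SCRIPT#####
#######################################
# Install the shaping tree on one device.
# Globals:   TC (read)
# Arguments: $1 device, $2 link bandwidth, $3 class rate,
#            $4.. one or more destination prefixes to shape
# Outputs:   progress text on stdout
#######################################
shape_dev() {
  local dev=$1 bandwidth=$2 rate=$3 dst
  shift 3
  printf 'Adding rules for %s...' "$dev"
  "$TC" qdisc add dev "$dev" root handle 1: cbq avpkt 1000 bandwidth "$bandwidth"
  "$TC" class add dev "$dev" parent 1: classid 1:1 cbq rate "$rate" \
    allot 1500 prio 5 bounded isolated
  for dst in "$@"; do
    "$TC" filter add dev "$dev" parent 1: protocol ip prio 16 u32 \
      match ip dst "$dst" flowid 1:1
  done
  "$TC" qdisc add dev "$dev" parent 1:1 sfq perturb 10
  printf ' done\n'
}

echo "Loading modules..."
for mod in sch_cbq sch_dsmark sch_gred sch_hfsc sch_htb sch_ingress sch_prio \
  sch_red sch_sfq sch_tbf sch_teql cls_u32; do
  modprobe "$mod"
done

echo "Deleting..."
# 'qdisc del' fails when there is no root qdisc yet (first run); that is
# harmless and the original did not guard it either.
for dev in "$DEV" "$DEV2" "$DEV3"; do
  "$TC" qdisc del dev "$dev" root
done

shape_dev "$DEV" "$BANDWIDTH" "$RATE" "$DST"
shape_dev "$DEV2" "$BANDWIDTH2" "$RATE2" "$DST2a" "$DST2b" "$DST2c"
shape_dev "$DEV3" "$BANDWIDTH3" "$RATE3" "$DST3"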
timing.sh #for timing a command.
# NOTE(review): only this one line of timing.sh survived in the post.  T is
# never assigned here, so whatever measures the command and sets T must be in
# the part that was not reproduced; as shown, this just prints an empty line.
echo $T
lcd/start.sh #receive button press on LCD
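#!/usr/bin/env bash
# Show a Yes/No prompt on the picoLCD and react to whichever button is pressed.
# parse.sh (next to this script) turns the raw 'read' output into a key code;
# x06 and x07 are whatever it printed for the two buttons.
#
# USBLCD was not set anywhere in the original and one call used a bare
# 'usblcd'; default it so every call goes through the same binary.
USBLCD=${USBLCD:-usblcd}

# "APNIC Box v1.2" is deliberately left unquoted as in the original (the tool
# presumably joins the remaining words as text — TODO confirm).  The curly
# quotes around the prompt were blog formatting; without real quotes the
# parentheses are a shell syntax error.
"$USBLCD" backlight 1 text 0 0 APNIC Box v1.2 text 1 0 "Continue? (Yes) (No)"

# Light LEDs 5 and 4, then block on a button read.  stderr is merged into the
# pipe because the original did so.  parse.sh is resolved relative to this
# script rather than the cwd, so the script also works when started from init.
RESULT=$("$USBLCD" led 5 1 led 4 1 read 2>&1 | "$(dirname -- "$0")/parse.sh")

case "$RESULT" in
  x07)
    # Single quotes: the text contains '$er', which double quotes would expand
    # to nothing.
    "$USBLCD" text 0 0 'You fat @!#$er '
    ;;
  x06)
    # The post showed a typographic ellipsis here, most likely the same
    # auto-formatting that produced the curly quotes; plain dots used instead.
    "$USBLCD" text 1 0 'Nice one... '
    ;;
esac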
lcd/stats/ within the disk image is a crude statistics script for the LCD, but I dropped it for lcdproc quite early.
sleeping.c #this is used to provide a ‘usleep’ command line tool
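#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Command-line usleep: sleep for the number of milliseconds given as the only
 * argument.  Returns 0 after sleeping, 1 on bad usage or when the argument is
 * not a non-negative integer.
 *
 * The original used atoi(), which silently accepts junk, negatives and values
 * that overflow once multiplied by 1000; strtol() with full checks instead.
 */
int main(int argc, char **argv)
{
	char *end;
	long msec;

	if (argc != 2)
	{
		printf("Usage: %s <sleep(msec)>\n", argv[0]);
		return 1;
	}

	errno = 0;
	msec = strtol(argv[1], &end, 10);
	if (errno != 0 || end == argv[1] || *end != '\0' || msec < 0)
	{
		printf("%s: '%s' is not a non-negative millisecond count\n",
		       argv[0], argv[1]);
		return 1;
	}

	/* usleep() takes microseconds; POSIX only guarantees arguments below
	 * 1000000, so sleep in sub-second chunks for longer delays. */
	while (msec > 0)
	{
		long chunk = msec > 999 ? 999 : msec;
		usleep((useconds_t)chunk * 1000);
		msec -= chunk;
	}
	return 0;
}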
Those are the main interesting bits within the image. There is some more LCD stuff that I haven’t listed here, as it isn’t much good in its incomplete state, but it will hopefully give examples of everything that you can do with picolcd.
Next: Wiping debian and installing OpenWRT, buildroot, scripts, cross-compiling your own binaries.