Useful Dual WAN script

Antimatter · 08-03-2007, 04:26 AM

I've been struggling for a while on getting a dual WAN config to work for me...

Basically this script is an dhclient-exit-hooks script that will hook into the dhclient-script which then is ran by dhclient.

Anyway what it does, is it takes care of all of the routing table and iptable stuff required to have two DMZ, one off each wan IP address, anyway I'm going to present the script below in hopes that someone else out there would have some use for this script also.

Code:

#!/bin/sh
#
# This script takes care of setting up the rules and routing table for
# eth0 and eth1 which are our wan port
#

# Programs
IPTABLES="/sbin/iptables"
IP="/sbin/ip"

# Enable ip_forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Script variables
wan0="eth0"
wan1="eth1"

# File for marking/demarking expiration/failure of interface
# so when its bound/rebound again it will by pass the new/old IP
# address checks
wan0_file="/var/run/wan0.expired"
wan1_file="/var/run/wan1.expired"

# Sets up the wan0 rules and routes
set_wan0 () {

	$IP rule add from 172.20.0.5 lookup 100

	for router in $new_routers; do
		$IP route add default via $router dev $wan0 table 100
	done
}

# Remove the wan0 rules and routes
unset_wan0 () {

	$IP rule del from 172.20.0.5 lookup 100
	$IP route flush table 100
}

# Sets up the wan1 rules and routes
set_wan1 () {

	$IP rule add from 172.20.0.3 lookup 101

	for router in $new_routers; do
		$IP route add default via $router dev $wan1 table 101
	done
}

# Remove the wan1 rules and routes
unset_wan1 () {

	$IP rule del from 172.20.0.3 lookup 101
	$IP route flush table 101
}

# Setup the IPTABLE rules for wan0
iptable_wan0 () {

	$IPTABLES -t nat -A wan0_dnat -d $new_ip_address -j DNAT --to-destination 172.20.0.5
	$IPTABLES -t nat -A wan0_snat -s 172.20.0.5 -j SNAT --to-source $new_ip_address
}

# Setup the IPTABLE rules for wan1
iptable_wan1 () {

	$IPTABLES -t nat -A wan1_dnat -d $new_ip_address -j DNAT --to-destination 172.20.0.3
	$IPTABLES -t nat -A wan1_snat -s 172.20.0.3 -j SNAT --to-source $new_ip_address
}

##################################################################################################
#
# Below this section shouldn't needs to be changed as long as the basic logic/stuff are the
# same in the above variables/functions
#
##################################################################################################

# Setup the indivual wan0 & wan1 chains and add it to the NAT tables
setup_NAT () {
	
	$IPTABLES -t nat -N wan0_dnat
	$IPTABLES -t nat -N wan0_snat

	$IPTABLES -t nat -N wan1_dnat
	$IPTABLES -t nat -N wan1_snat

	$IPTABLES -t nat -A PREROUTING -j wan0_dnat
	$IPTABLES -t nat -A POSTROUTING -j wan0_snat

	$IPTABLES -t nat -A PREROUTING -j wan1_dnat
	$IPTABLES -t nat -A POSTROUTING -j wan1_snat
}


# Flushes the NAT tables
flush_NAT () {

	# First this function needs to make sure that the
	# proper NAT chains actually exists, if not then
	# create them and exit
	echo `$IPTABLES -n -L -t nat` | grep -F -q "Chain wan1_snat"

	if [[ $? -eq 0 ]]; then
		
		# The NAT chain was found so find out which interface
		# is being flushed then flush that chain
		if [[ "$interface" == "$wan0" ]]; then
			
			$IPTABLES -t nat -F wan0_dnat
			$IPTABLES -t nat -F wan0_snat

		elif [[ "$interface" == "$wan1" ]]; then
			
			$IPTABLES -t nat -F wan1_dnat
			$IPTABLES -t nat -F wan1_snat
		
		fi
	else
		# The NAT chain was not found so create it
		setup_NAT
	fi
}



# Flushes the routing tables
flush_routing () {

	# find out which interface to flush
	if [[ "$interface" == "$wan0" ]]; then

		unset_wan0

	elif [[ "$interface" == "$wan1" ]]; then
	
		unset_wan1
	
	fi
	
	$IP route flush cache
}


# Sets up the NAT tables
set_NAT () {

	# Determite if the NAT tables needs to be flushed
	# and updated, also determite if the interface was
	# previously expired
	if [[ "$old_ip_address" != "$new_ip_address" ||
		-e $wan0_file || -e $wan1_file ]]; then

		# The old and new ip address are not the same, update
		# the NAT table, or the interface was expired/failed
		flush_NAT
		
		# Find out which interface to set
		if [[ "$interface" == "$wan0" ]]; then
			
			iptable_wan0
			$IPTABLES -t nat -A wan0_dnat -j RETURN
			$IPTABLES -t nat -A wan0_snat -j RETURN

			# Remove the expired file
			rm -f $wan0_file

		elif [[ "$interface" == "$wan1" ]]; then

			iptable_wan1
			$IPTABLES -t nat -A wan1_dnat -j RETURN
			$IPTABLES -t nat -A wan1_snat -j RETURN

			# Remove the expired file
			rm -f $wan1_file
		fi

	fi

	#if [[ "$old_routers" != "$new_routers" ]]; then
	#	
	#	# The old and new routers does not match, so update the
	#	# nat TABLE
	#fi
}

# Sets up the routing tables
set_routing () {

	# Determite which interface needs the tables be set
	if [[ "$interface" == "$wan0" ]]; then

		set_wan0

	elif [[ "$interface" == "$wan1" ]]; then
	
		set_wan1
	
	fi

	$IP route flush cache
}

# This block determite which $reason code is passed to this script
case "$reason" in

        # MEDIUM - Ignore, linux does not do medium (media)
        "MEDIUM" )
                exit 0
        ;;

        # PREINIT - Initalizes interface for action
        "PREINIT" )

                # Touch the file for the expired interface
                if [[ "$interface" == "$wan0" ]]; then
                        touch $wan0_file
                elif [[ "$interface" == "$wan1" ]]; then
                        touch $wan1_file
                fi
        ;;

	# BOUND - Flushes and reset the routing tables, then find out
	# 	  If the ip address of the interface has changed and update
	#	  the NAT table if needed
	# RENEW - Same as BOUND
	# REBIND - Same as BOUND
	# REBOOT - Same as BOUND
	"BOUND" | "RENEW" | "REBIND" | "REBOOT" ) 
		set_NAT
		flush_routing
		set_routing
	;;

	# EXPIRE - No IP address on interface, flush NAT & Routing
	# FAIL - Same as EXPIRE
	"EXPIRE" | "FAIL" ) 
		flush_NAT
		flush_routing

		# Touch the file for the expired interface
		if [[ "$interface" == "$wan0" ]]; then
			touch $wan0_file
		elif [[ "$interface" == "$wan1" ]]; then
			touch $wan1_file
		fi
	;;

	# TIMEOUT - If the exit value is 0, the NAT & routing needs to be setup/fixed
	# otherwise if the exit value is 1, we need to flush NAT & routing like EXPIRE/FAIL
	"TIMEOUT" )

		# Determite the exit value
		if [[ "$exit_status" -eq "0" ]]; then
			
			set_NAT
			flush_routing
			set_routing
		else
			flush_NAT
			flush_routing
		fi
	;;

esac

Enjoy! And if anyone has any suggestion/improvement it would certainly be welcomed!

[edit1]: I just corrected an small oops with the script, sometime it won't setup the iptable upon bootup, and most of upon a bootup the exit script gets a preinit then bound/renew $reason so i fixed it to force the iptable to be updated when it gets an preinit $reason

GlennsPref · 08-03-2007, 09:41 AM

Hmmm! Thank you for the input. But how do I use it?

Regards, Glenn

Antimatter · 08-03-2007, 04:44 PM

Basically this script makes a few assumption: You have dual WAN, Both of the WAN uses DHCP to get their IP address, the DHCP client is "dhclient"

Anyway how to use it, you copy the script and paste it into a file named "dhclient-exit-hooks" which is a file that dhclient-script will call everytime it finishes an step, aka PREINIT, BIND, EXPIRE, TIMEOUT, etc...

Anyway it depends on your distro on where you place the script at, for OpenBSD it would probably go into "/etc" then for gentoo, it would go into "/etc/dhcp" and it just depends.

This script takes care of removing and setting up the routing table and NAT rules for both WAN, and on how to config it below is an list of the various functions that may need to be changed to adapt it to your own needs...

set_wan0 - This route sets up the routing table for the wan0
unset_wan0 - This route removes/clear up the routing table for wan0
set_wan1 - This route sets up the routing table for wan1
unset_wan1 - This route removes/clear the routing table for wan0
iptable_wan0 - This route sets up the NAT for iptables for wan0
iptable_wan1 - This route sets up the NAT for iptables for wan0

Then the two parameters at the top of the scripts would be: wan0="eth0" & wan1="eth1", these are your wan0 and wan1 interface.

I hope this clears it up enough so its useful for someone

GlennsPref · 08-03-2007, 07:23 PM

Thank you AntiMatter.

Very nice.

Glenn.