192.168.0.* > 192.168.0.0 How with command line?

jmgibson1981 · 11-07-2020, 11:17 AM

I'm trying to write a somewhat universal script for simple router configuration via iptables. I'm attempting to have the script get the information it needs from the `ip link` and `ip addr` commands. I can extract what I need easily.

My problem is how to change the lan interface ip from whatever it is, in my case 192.168.0.1 to 192.168.0.0 to make that entire subnet work in my iptables rules. 192.168.0.1 could be any ip in that subnet. So regardless of what it is I want to change the last field to 0.

I am terrible with regex, my only experience of any kind involves delimiters and such with cut and awk Those just get me individual fields. How can I take any ip in that subnet to end up ending with a 0?

My current script

Code:

#!/bin/sh

SQUIDIP=192.168.0.1
SQUIDPORT=3128
LANSUBNET=192.168.0.0/24

# router
for iface in enp0s3 enp0s8 ; do
	iptables -t nat -A POSTROUTING ! -d "$LANSUBNET" -o "$iface" -j MASQUERADE
done
route add -net "$LANSUBNET" dev enp0s9

# squid
for port in 443 80 ; do
	iptables -t nat -A PREROUTING -s "$SQUIDIP" -p tcp --dport "$port" -j ACCEPT
	iptables -t nat -A PREROUTING -p tcp --dport "$port" -j REDIRECT --to-port "$SQUIDPORT"
done
iptables -t mangle -A PREROUTING -p tcp --dport "$SQUIDPORT" -j DROP

My plan is to wrap this in a for loop, working through the interfaces and setting the rules depending on the interface and it's given ip. I'm trying to get it geared for multiple wan inputs for failover as well.

hazel · 11-07-2020, 01:37 PM

The regexp would be 192\.168\.0\.[1..9]+. That would give you any address with any number of digits (but at least one) as the fourth octet. I think you could do a for loop to find and reset addresses in that range.

jmgibson1981 · 11-07-2020, 01:53 PM

I'll try that. It may be cleaner than what I found here. This is my current script with the loop.

Code:

#!/bin/sh

SQUIDIP=192.168.0.1
SQUIDPORT=3128

router_setup_func() {
	for interface in $(find /sys/class/net/ -maxdepth 1) ; do
		ifname=$(basename "$interface")
		case "$ifname" in
			net|lo|veth*)
				continue
				;;
			*)
				ifip=$(ip addr | grep 'inet ' | grep "$ifname" | awk '{print $2}' \
				| cut -d\/ -f 1)
				case "$ifip" in
					192.168.*.*|172.17.*.*)
						MODIFIEDIP=$(echo "$ifip" | rev | cut -d"." -f2- | rev).0/24
						route add -net "$MODIFIEDIP" dev "$ifname"
						;;
					*)
						iptables -t nat -A POSTROUTING -o "$ifname" -j MASQUERADE
						;;
				esac
				;;
		esac
	done
}

case "$1" in
	routersetup)
		router_setup_func
		;;
	squidsetup)
		squid_setup_func
		;;
	*)
		echo "usage: ${0} (routersetup|squidsetup)"
		exit 0
		;;
esac

Router seems to work. Not getting very far with squid though for intercepting transparently. Iptables and I are not friends.

chrism01 · 11-08-2020, 10:26 PM

Actually, in a given network, the first address is reserved as the address of the network itself and the last is the broadcast address.
For 192.168.0.0/24, that means 192.168.0.0 = network, 192.168.0.255 = broadcast.
You shouldn't try to assign those 2.

See eg http://www.jodies.de/ipcalc?host=192...ask1=24&mask2= for a nice easy ip calculator (there are many on the web).