Ip-up and ip-down scripts with ipset for Accel-ppp

I’ll give an example of the scripts I used before, in the allowip list IP addresses were added to which the Internet is allowed, and in denyip those were redirected to the http page with information about the negative deposit.

Ip-up script:

#!/bin/sh
# ip-up
IFNAME=$1
IP=$5
AWK=/usr/bin/awk
DEBUG=0
 
if [ -f /var/run/radattr.$IFNAME ]; then
  FILTERS=`${AWK}  '/Filter-Id/ {print $2}'  /var/run/radattr.${IFNAME}`
fi;
 
if [ w${FILTERS} = wNEG_DEPOSIT ] ; then
   /sbin/ipset add denyip $IP -exist
  if [ w${DEBUG} != w ] ; then
    echo "$(date '+%Y/%m/%d %H:%M') --- UP neg filter User: ${USER_NAME} Filter: ${FILTERS} IF: ${IFNAME} IP: $IP" >> /tmp/neg
  fi;
  exit;
 
else
  if [ "${DEBUG}" != "" ] ; then
    echo "$(date '+%Y/%m/%d %H:%M') --- UP User: ${USER_NAME} Filter: ${FILTERS} IF: ${IFNAME} IP: $IP" >> /tmp/allow
  fi;
 
  /sbin/ipset add allowip $IP -exist
fi;

Ip-down script:

#!/bin/sh
# ip-down
IFNAME=$1
IP=$5
AWK=/usr/bin/awk
DEBUG=0
 
if [ -f /var/run/radattr.$IFNAME ]; then
   FILTERS=`${AWK}  '/Filter-Id/ {print $2}'  /var/run/radattr.$IFNAME`
   USER_NAME=`${AWK}  '/User-Name/ {print $2}'  /var/run/radattr.${IFNAME}`
fi;
 
# Filters
if [ w${FILTERS} = wNEG_DEPOSIT ] ; then
    /sbin/ipset del denyip $IP -exist
   if [ w${DEBUG} != w ] ; then
     echo "$(date '+%Y/%m/%d %H:%M') --- Down neg filter User: ${USER_NAME} Filter: ${FILTERS} IF: ${IFNAME} IP: $IP" >> /tmp/neg
   fi;
   exit;
else
  if [ "${DEBUG}" != "" ] ; then
    echo "$(date '+%Y/%m/%d %H:%M') --- DOWN User: ${USER_NAME} Filter: ${FILTERS} IF: ${IFNAME} IP: $IP" >> /tmp/allow
  fi;
 
  /sbin/ipset del allowip $IP -exist
fi;

Accordingly, lists should be created:

/sbin/ipset -N allowip iphash
/sbin/ipset -N denyip iphash

And iptables rules.
We allow FORWARD for allowip:

/sbin/iptables -A FORWARD -m set --match-set allowip src -j ACCEPT
/sbin/iptables -A FORWARD -m set --match-set allowip dst -j ACCEPT

NAT:

/sbin/iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 11.11.11.1 --persistent

For denyip, we configure the redirection of all http requests, allow FORWARD to the page on which the redirection is performed and we forbid FORWARD by default for everything else:

/sbin/iptables -t nat -A PREROUTING -p tcp -m multiport --dport 80 -m set --match-set denyip src -j DNAT --to-destination 11.11.11.1:80
/sbin/iptables -A FORWARD -s 11.11.11.1 -j ACCEPT
/sbin/iptables -A FORWARD -d 11.11.11.1 -j ACCEPT
/sbin/iptables -P FORWARD DROP

Before the ipset command, you can also add a check for the existence of the list, but the simpler the scripts, the better the performance:

allownet=`/sbin/ipset -L |grep allowip |sed 's/ //'|awk -F: '{ print $2 }'`
if [ "${allownet}" = "" ]; then
/sbin/ipset -N allowip iphash
fi;

I note that if there are duplicate sessions, IP will disappear from the lists, because there can not be the same addresses in the list, and if for example there are two duplicate sessions and one of them ends, accordingly, IP will be allocated from the list, respectively, if the second session remains online , then no IP in the list.
Therefore, you can opt out of ipset allowip by configuring ip-unnumbered, and in ipset denyip add addresses via L4-redirect and completely abandon these scripts, well, solve the problem with duplicate IP if there is one.

Here is an example of very simple scripts for adding an IP address to ipset:

#!/bin/sh
# /etc/ppp/ip-up
if [ -f /var/run/radattr.$1 ]; then
  /sbin/ipset add inet $5
fi
 
 
#!/bin/sh
# /etc/ppp/ip-down
if [ -f /var/run/radattr.$1 ]; then
  /sbin/ipset del inet $5
fi

See also my articles:
The script for adding IP addresses from a file to ipset
Accel-ppp installation
Installing and using ipset

Leave a comment

Leave a Reply