Here is an example of the scripts I used earlier. Addresses that are allowed out to the Internet were added to the allowip set, and addresses in denyip were redirected to an HTTP page with information about the negative balance.
ip-up script:
#!/bin/sh
# ip-up: pppd/accel-ppp call it as  ip-up IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
IFNAME=$1
IP=$5
AWK=/usr/bin/awk
DEBUG=0          # set to 1 to log every session to /tmp/allow and /tmp/neg
FILTERS=""
USER_NAME=""

# The radattr plugin writes the RADIUS attributes of the session as "Name value" lines
if [ -f "/var/run/radattr.$IFNAME" ]; then
    FILTERS=$(${AWK} '/^Filter-Id/ {print $2}' "/var/run/radattr.${IFNAME}")
    USER_NAME=$(${AWK} '/^User-Name/ {print $2}' "/var/run/radattr.${IFNAME}")
fi

if [ "${FILTERS}" = "NEG_DEPOSIT" ]; then
    # Negative balance: only the portal redirect will work for this address
    /sbin/ipset add denyip "$IP" -exist
    if [ "${DEBUG}" != "0" ]; then
        echo "$(date '+%Y/%m/%d %H:%M') --- UP neg filter User: ${USER_NAME} Filter: ${FILTERS} IF: ${IFNAME} IP: $IP" >> /tmp/neg
    fi
else
    if [ "${DEBUG}" != "0" ]; then
        echo "$(date '+%Y/%m/%d %H:%M') --- UP User: ${USER_NAME} Filter: ${FILTERS} IF: ${IFNAME} IP: $IP" >> /tmp/allow
    fi
    /sbin/ipset add allowip "$IP" -exist
fi
ip-down script:
#!/bin/sh
# ip-down: called with the same arguments as ip-up when the session ends
IFNAME=$1
IP=$5
AWK=/usr/bin/awk
DEBUG=0          # set to 1 to log every teardown to /tmp/allow and /tmp/neg
FILTERS=""
USER_NAME=""

if [ -f "/var/run/radattr.$IFNAME" ]; then
    FILTERS=$(${AWK} '/^Filter-Id/ {print $2}' "/var/run/radattr.${IFNAME}")
    USER_NAME=$(${AWK} '/^User-Name/ {print $2}' "/var/run/radattr.${IFNAME}")
fi

# Filters
if [ "${FILTERS}" = "NEG_DEPOSIT" ]; then
    /sbin/ipset del denyip "$IP" -exist
    if [ "${DEBUG}" != "0" ]; then
        echo "$(date '+%Y/%m/%d %H:%M') --- Down neg filter User: ${USER_NAME} Filter: ${FILTERS} IF: ${IFNAME} IP: $IP" >> /tmp/neg
    fi
else
    if [ "${DEBUG}" != "0" ]; then
        echo "$(date '+%Y/%m/%d %H:%M') --- DOWN User: ${USER_NAME} Filter: ${FILTERS} IF: ${IFNAME} IP: $IP" >> /tmp/allow
    fi
    /sbin/ipset del allowip "$IP" -exist
fi
Accordingly, both sets have to exist before the scripts run (this is the legacy ipset spelling; current ipset still accepts it, but the canonical form is ipset create allowip hash:ip):
/sbin/ipset -N allowip iphash
/sbin/ipset -N denyip iphash
And the iptables rules.
Allow FORWARD for addresses in allowip, in both directions so that return traffic is matched too:
/sbin/iptables -A FORWARD -m set --match-set allowip src -j ACCEPT
/sbin/iptables -A FORWARD -m set --match-set allowip dst -j ACCEPT
NAT (10.0.0.0/24 is the subscriber pool, 11.11.11.1 the public address of the NAS):
/sbin/iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 11.11.11.1 --persistent
For denyip, redirect every plain-HTTP request to the page that explains the negative balance, allow FORWARD to and from that page, and drop everything else in FORWARD by default:
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -m set --match-set denyip src -j DNAT --to-destination 11.11.11.1:80
/sbin/iptables -A FORWARD -s 11.11.11.1 -j ACCEPT
/sbin/iptables -A FORWARD -d 11.11.11.1 -j ACCEPT
/sbin/iptables -P FORWARD DROP
Two things to check before relying on this. The redirect only catches port 80, so HTTPS connections from a denied subscriber simply time out, and a denied subscriber must still be able to resolve names (either run the resolver on the NAS or add a FORWARD rule for udp/53 to it), otherwise the browser never sends the request that would be redirected. Also, if 11.11.11.1 is an address of the NAS itself, the redirected packets are delivered locally and pass through INPUT, not FORWARD, so INPUT has to admit tcp/80 there.
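The same policy as a single iptables-restore file, added here as an example that is not part of the original article. It loads atomically, sets the FORWARD policy before any rule is appended, adds a stateful rule so the per-direction allowip rules are not the only thing letting replies through, and spells out the DNS and INPUT details the command list above leaves implicit. The resolver address 10.0.0.2 is an assumption; the allowip and denyip sets must be created before loading, or iptables-restore fails on the -m set rules.

```text
# Load with:
#   ipset create allowip hash:ip -exist
#   ipset create denyip  hash:ip -exist
#   iptables-restore < /etc/iptables.rules
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Negative balance: rewrite plain-HTTP destinations to the portal on the NAS (11.11.11.1)
-A PREROUTING -p tcp --dport 80 -m set --match-set denyip src -j DNAT --to-destination 11.11.11.1:80
# Subscriber pool leaves behind the public address of the NAS
-A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 11.11.11.1
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to flows that were already accepted
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Paying subscribers: full Internet
-A FORWARD -m set --match-set allowip src -j ACCEPT
-A FORWARD -m set --match-set allowip dst -j ACCEPT
# Denied subscribers still need name resolution, or the browser never issues the
# HTTP request that gets redirected (10.0.0.2 is an assumed off-box resolver)
-A FORWARD -p udp --dport 53 -d 10.0.0.2 -m set --match-set denyip src -j ACCEPT
# The portal lives on the NAS itself, so the DNATed packets arrive through INPUT,
# not FORWARD; keep this rule if you later tighten the INPUT policy
-A INPUT -p tcp --dport 80 -d 11.11.11.1 -m set --match-set denyip src -j ACCEPT
COMMIT
```

Everything a denied subscriber sends that is not DNS or redirected HTTP, including HTTPS, hits the FORWARD DROP policy; if you want those connections refused quickly instead of timing out, add a REJECT rule with --reject-with tcp-reset for denyip before the policy takes effect.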
Before each ipset command you could also check that the set exists, but these scripts run on every session setup and teardown, so the shorter they are the better:
if ! /sbin/ipset -L allowip >/dev/null 2>&1; then
    /sbin/ipset -N allowip iphash
fi
Note that duplicate sessions break the sets: a set holds each address only once, so if two sessions come up with the same address and one of them ends, its ip-down removes the address while the other session is still online, which is then left with no entry in the set.
Because of this you can drop the allowip set altogether by configuring ip-unnumbered, let accel-ppp add addresses to denyip itself via L4-Redirect, and abandon these scripts completely, and if you do have duplicate addresses, fix that separately.
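If you would rather keep the ip-up/ip-down approach and survive duplicate sessions, one way is to count sessions per address and only touch the set on the first claim and the last release. The script below is an added example, not the original scripts: one file serves as both hooks, the Filter-Id is read once at ip-up and remembered in a marker file, so ip-down no longer depends on the radattr file still being present. The STATE_DIR, RADATTR_DIR and IPSET variables, the /var/run/ipset-sessions directory and the symlink installation are assumptions.

```shell
#!/bin/sh
# Added example (not the original scripts): refcounted ip-up/ip-down in one file.
# An address shared by several sessions is added to its ipset by the first
# session and removed only when the last one goes down.
# Assumed paths: STATE_DIR is a scratch directory, RADATTR_DIR is where the
# radattr plugin writes radattr.<ifname>, IPSET is the ipset binary.
STATE_DIR="${STATE_DIR:-/var/run/ipset-sessions}"
RADATTR_DIR="${RADATTR_DIR:-/var/run}"
IPSET="${IPSET:-/sbin/ipset}"

# Which set the session belongs to, from the Filter-Id attribute of its radattr file.
set_for_session() {   # $1 = interface name
    _f="$RADATTR_DIR/radattr.$1"
    _filter=""
    if [ -f "$_f" ]; then
        _filter=$(awk '/^Filter-Id/ {print $2; exit}' "$_f")
    fi
    case "$_filter" in
        NEG_DEPOSIT) echo denyip ;;
        *)           echo allowip ;;
    esac
}

# Record that interface $1 holds address $2 in set $3.
# Returns 0 when this is the first session using the address (ipset add needed).
claim_ip() {
    _d="$STATE_DIR/$2"
    mkdir -p "$_d"
    printf '%s\n' "$3" > "$_d/$1"   # one marker file per session, content = set name
    set -- "$_d"/*
    [ "$#" -eq 1 ]
}

# Drop the claim of interface $1 on address $2; prints the set name it was in.
# Returns 0 when no other session still holds the address (ipset del needed).
release_ip() {
    _d="$STATE_DIR/$2"
    [ -f "$_d/$1" ] || return 1     # ip-up never ran for this session: nothing to undo
    cat "$_d/$1"
    rm -f "$_d/$1"
    rmdir "$_d" 2>/dev/null         # fails while another session's marker is inside
}

ip_up() {     # $1 = interface, $2 = remote address
    _s=$(set_for_session "$1")
    if claim_ip "$1" "$2" "$_s"; then
        "$IPSET" add "$_s" "$2" -exist
    fi
}

ip_down() {   # $1 = interface, $2 = remote address
    if _s=$(release_ip "$1" "$2"); then
        "$IPSET" del "$_s" "$2" -exist
    fi
}

# pppd and accel-ppp pass the same arguments to both hooks:
#   $1 interface  $2 tty  $3 speed  $4 local IP  $5 remote IP  $6 ipparam
# Install this file as /etc/ppp/ip-up and symlink /etc/ppp/ip-down to it.
case "$(basename "$0")" in
    ip-up)   ip_up   "$1" "$5" ;;
    ip-down) ip_down "$1" "$5" ;;
esac
```

The rmdir is what makes the check cheap: it can only succeed when the directory holds no other session's marker, so no locking is needed for the common case. There is still a narrow window between one session's rmdir and a concurrent ip-up's mkdir on the same address; if that matters on your NAS, wrap the claim and release in flock(1) on a file inside STATE_DIR.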
Here is an example of very simple scripts that just add the address to a set called inet (two separate files):
#!/bin/sh
# /etc/ppp/ip-up: $1 is the interface, $5 the address given to the subscriber
if [ -f "/var/run/radattr.$1" ]; then
    /sbin/ipset add inet "$5"
fi

#!/bin/sh
# /etc/ppp/ip-down: same arguments, remove the address again
if [ -f "/var/run/radattr.$1" ]; then
    /sbin/ipset del inet "$5"
fi
See also my articles:
The script for adding IP addresses from a file to ipset
Accel-ppp installation
Installing and using ipset