  • only in /asuswrt-rt-n18u-9.0.0.4.380.2695/release/src-rt/router/openvpn/contrib/openvpn-fwmarkroute-1.00/
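#!/bin/sh
#
#  Bring up vpn routing.
#
#  This script edits /etc/iproute2/rt_tables, the policy-routing rules and
#  the mangle/nat tables, so every input is checked before anything is
#  changed.  Inputs read by the script:
#    environment: remote, remote_netmask_bits, proto, remote_port
#    arguments:   $1 = outgoing interface for the SNAT rule
#                 $4 = SNAT source address
#                 $5 = gateway used for the routes in both VPN tables
#  NOTE(review): the argument positions look like the ones OpenVPN passes
#  to an --up script -- confirm against the config that calls this file.

#  Print a message on stderr and stop before any state is modified.
die() {
	echo "${0##*/}: $*" >&2
	exit 1
}

#  Append a rule only if an identical one is not already installed, so a
#  second run does not stack duplicate MARK/SNAT rules.  If this iptables
#  build has no -C (check) option the check fails and the rule is simply
#  appended, which is what the script did before.
#  Arguments: chain name followed by the rule specification (incl. -t).
add_rule_once() {
	iptables -C "$@" 2>/dev/null || iptables -A "$@"
}

#  Register a routing table name unless its numeric id is already listed.
#  Arguments: $1 = table id, $2 = table name
ensure_table() {
	grep -q "^$1 " /etc/iproute2/rt_tables ||
		echo "$1 $2" >> /etc/iproute2/rt_tables
}

#  An empty value here would turn the rules below into malformed or
#  overly broad matches, so refuse to continue instead.
[ -n "$remote" ] || die "remote is not set"
[ -n "$remote_netmask_bits" ] || die "remote_netmask_bits is not set"
[ -n "$proto" ] || die "proto is not set"
[ -n "$remote_port" ] || die "remote_port is not set"
[ "$#" -ge 5 ] || die "expected at least 5 arguments, got $#"
[ -n "$1" ] || die "argument 1 (interface) is empty"
[ -n "$4" ] || die "argument 4 (SNAT source) is empty"
[ -n "$5" ] || die "argument 5 (gateway) is empty"

#  calculate the network address
remote_network=$(ipcalc -n "$remote"/"$remote_netmask_bits") ||
	die "ipcalc failed for $remote/$remote_netmask_bits"
#  ipcalc prints KEY=value; keep only the value
remote_network="${remote_network#*=}"
[ -n "$remote_network" ] || die "could not determine the remote network"

#  add the stuff that doesn't change if it's not already there
ensure_table 202 vpn.out
ensure_table 203 vpnonly.out
ip rule ls | grep -q 'lookup vpn.out *$' ||
	ip rule add fwmark 2 table vpn.out
ip rule ls | grep -q 'lookup vpnonly.out *$' ||
	ip rule add fwmark 3 table vpnonly.out

#  route VPN traffic using the normal table
#  (this must stay ahead of the MARK rule below: ACCEPT ends the mangle
#  OUTPUT traversal, so the tunnel's own packets are never marked)
add_rule_once OUTPUT -t mangle -p "$proto" -d "$remote" \
		--dport "$remote_port" -j ACCEPT

#  route all other traffic to that host via VPN
add_rule_once OUTPUT -t mangle -d "$remote_network"/"$remote_netmask_bits" \
		-j MARK --set-mark 2

#  route all ICMP pings over the VPN
add_rule_once OUTPUT -t mangle --protocol icmp --icmp-type echo-request \
		-j MARK --set-mark 3

#  NAT traffic going over the VPN, so it doesn't have an unknown address
add_rule_once POSTROUTING -t nat -o "$1" -j SNAT --to-source "$4"

#  add routing commands
ip route add "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out
ip route add table vpnonly.out via "$5"
ip route flush cache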