Neur0toxine revised this gist
1 file changed, 2 insertions
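--- a/setup_split_tunneling.sh
+++ b/setup_split_tunneling.sh
@@ -1,4 +1,5 @@
 # RT Table Configuration
+echo "228 warp_table" >> /etc/iproute2/rt_tables
 uci add network rt_table
 uci set network.@rt_table[-1].name='warp_table'
 uci set network.@rt_table[-1].id='228'
@@ -36,6 +37,7 @@ uci set firewall.@rule[-1].chain='prerouting'
 uci set firewall.@rule[-1].family='ipv4'
 
 # Amazon IP Sets
+# Download & parse like this: curl https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[].ip_prefix' | tee amazon-ip-ranges.txt
 uci add firewall ipset
 uci set firewall.@ipset[-1].name='Amazon_CIDRs'
 uci set firewall.@ipset[-1].family='ipv4'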
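Review bot: The `echo "228 warp_table" >> /etc/iproute2/rt_tables` added at new line 2 appends unconditionally, so every re-run of the script leaves another duplicate `228 warp_table` line in rt_tables next to the uci rt_table section that carries the same id and name. Guard the append so it is idempotent: `grep -qsE '^228[[:space:]]+warp_table$' /etc/iproute2/rt_tables || echo '228 warp_table' >> /etc/iproute2/rt_tables`. The download recipe in the comment at new line 40 (second hunk) pipes `curl` straight into the file that later becomes the `Amazon_CIDRs` loadfile without `-f`, so an HTTP error body or a truncated transfer would be accepted as prefixes; since it is only a comment I would just reword it to `curl -fsS https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[].ip_prefix' > amazon-ip-ranges.txt` so that a failed fetch leaves no partial set behind.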
Neur0toxine revised this gist
1 file changed, 0 insertions, 0 deletions
result_example.txt renamed to x_result_example.txt
File renamed without changes
Neur0toxine revised this gist
2 files changed, 83 insertions
gistfile1.txt renamed to result_example.txt
File renamed without changes
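--- /dev/null
+++ b/setup_split_tunneling.sh
@@ -0,0 +1,83 @@
+# RT Table Configuration
+uci add network rt_table
+uci set network.@rt_table[-1].name='warp_table'
+uci set network.@rt_table[-1].id='228'
+
+# IPv4 Rule and Route Configuration
+uci add network rule
+uci set network.@rule[-1].mark='0xe4'
+uci set network.@rule[-1].lookup='warp_table'
+
+uci add network route
+uci set network.@route[-1].interface='WARP'
+uci set network.@route[-1].target='0.0.0.0/0'
+uci set network.@route[-1].table='warp_table'
+
+# IPv6 Rule and Route Configuration
+uci add network rule6
+uci set network.@rule6[-1].lookup='warp_table'
+uci set network.@rule6[-1].mark='0xe4'
+
+uci add network route6
+uci set network.@route6[-1].interface='WARP'
+uci set network.@route6[-1].target='::/0'
+uci set network.@route6[-1].table='warp_table'
+
+# Firewall Rules Configuration
+uci add firewall rule
+uci set firewall.@rule[-1].name='Mark-Amazon-Traffic'
+uci set firewall.@rule[-1].ipset='Amazon_CIDRs'
+uci set firewall.@rule[-1].target='MARK'
+uci set firewall.@rule[-1].set_mark='0xe4'
+uci set firewall.@rule[-1].src='lan'
+uci set firewall.@rule[-1].dest='*'
+uci set firewall.@rule[-1].priority='1'
+uci set firewall.@rule[-1].chain='prerouting'
+uci set firewall.@rule[-1].family='ipv4'
+
+# Amazon IP Sets
+uci add firewall ipset
+uci set firewall.@ipset[-1].name='Amazon_CIDRs'
+uci set firewall.@ipset[-1].family='ipv4'
+uci set firewall.@ipset[-1].match='dest_net'
+uci set firewall.@ipset[-1].loadfile='/etc/luci-uploads/amazon-ip-ranges.txt'
+
+# Hetzner IPv4 IP Sets
+uci add firewall ipset
+uci set firewall.@ipset[-1].name='Hetzner_CIDRs_v4'
+uci set firewall.@ipset[-1].family='ipv4'
+uci set firewall.@ipset[-1].match='dest_net'
+uci set firewall.@ipset[-1].entry='116.202.0.0/16' '116.203.0.0/16' '128.140.0.0/17' '135.181.0.0/16' '136.243.0.0/16' '138.199.128.0/17' '138.201.0.0/16' '139.28.242.0/23' '142.132.128.0/17' '144.76.0.0/16' '148.251.0.0/16' '157.180.0.0/17' '157.90.0.0/16' '159.69.0.0/16' '162.55.0.0/16' '167.233.0.0/16' '167.235.0.0/16' '168.119.0.0/16' '171.25.225.0/24' '176.9.0.0/16' '178.212.75.0/24' '178.63.0.0/16' '185.107.52.0/22' '185.126.28.0/22' '185.157.176.0/23' '185.157.178.0/23' '185.157.83.0/24' '185.171.224.0/22' '185.189.228.0/24' '185.189.229.0/24' '185.189.230.0/24' '185.189.231.0/24' '185.213.45.0/24' '185.216.237.0/24' '185.226.99.0/24' '185.228.8.0/23' '185.50.120.0/23' '188.245.0.0/16' '188.34.128.0/17' '188.40.0.0/16' '193.110.6.0/23' '193.163.198.0/24' '194.42.180.0/22' '194.42.184.0/22' '194.62.106.0/24' '195.201.0.0/16' '195.248.224.0/24' '195.60.226.0/24' '197.242.84.0/22' '201.131.3.0/24' '204.29.146.0/24' '213.133.96.0/19' '213.239.192.0/18' '216.55.108.0/22' '23.88.0.0/17' '37.27.0.0/16' '45.145.227.0/24' '46.4.0.0/16' '46.62.128.0/17' '49.12.0.0/16' '49.13.0.0/16' '5.75.128.0/17' '5.9.0.0/16' '65.108.0.0/16' '65.109.0.0/16' '65.21.0.0/16' '78.138.62.0/24' '78.46.0.0/15' '85.10.192.0/18' '88.198.0.0/16' '88.99.0.0/16' '91.107.128.0/17' '91.190.240.0/21' '91.99.0.0/16' '94.130.0.0/16' '95.216.0.0/16' '95.217.0.0/16'
+
+# Hetzner IPv6 IP Sets
+uci add firewall ipset
+uci set firewall.@ipset[-1].name='Hetzner_CIDRs_v6'
+uci set firewall.@ipset[-1].family='ipv6'
+uci set firewall.@ipset[-1].match='dest_net'
+uci set firewall.@ipset[-1].entry='2a01:4f8::/32' '2a01:4f9::/32' '2a06:be80::/29' '2a0e:7700::/32' '2a11:e980::/29' '2a12:1fc0::/42'
+
+# Hetzner IPv4 Marking Rule
+uci add firewall rule
+uci set firewall.@rule[-1].name='Mark-Hetzner-IPv4'
+uci set firewall.@rule[-1].family='ipv4'
+uci set firewall.@rule[-1].src='lan'
+uci set firewall.@rule[-1].ipset='Hetzner_CIDRs_v4'
+uci set firewall.@rule[-1].target='MARK'
+uci set firewall.@rule[-1].set_mark='0xe4'
+uci set firewall.@rule[-1].chain='prerouting'
+uci set firewall.@rule[-1].dest='*'
+
+# Hetzner IPv6 Marking Rule
+uci add firewall rule
+uci set firewall.@rule[-1].name='Mark-Hetzner-IPv6'
+uci set firewall.@rule[-1].family='ipv6'
+uci set firewall.@rule[-1].src='lan'
+uci set firewall.@rule[-1].ipset='Hetzner_CIDRs_v6'
+uci set firewall.@rule[-1].target='MARK'
+uci set firewall.@rule[-1].set_mark='0xe4'
+uci set firewall.@rule[-1].chain='prerouting'
+uci set firewall.@rule[-1].dest='*'
+
+# Apply changes
+uci commit network
+uci commit firewall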
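Review bot: The ipset `entry` options at new lines 50 and 57 are written as `uci set firewall.@ipset[-1].entry='116.202.0.0/16' '116.203.0.0/16' …`, which is the multi-word form that `uci show` prints for a list (visible in the result example file), not a form `uci set` accepts; `uci set` takes a single `key=value` argument, so the remaining prefixes arrive as extra arguments and I would expect a usage error or, at best, only the first prefix being stored, leaving the Hetzner marking rules matching almost nothing. `entry` is a list option and has to be populated one value at a time with `uci add_list firewall.@ipset[-1].entry='116.202.0.0/16'`. A second point is that the file has no shebang or `set -eu` and creates every section with `uci add`, so each run appends another anonymous copy of the same rt_table, rules, routes and ipsets; naming the sections instead (`uci set network.warp_rt=rt_table` followed by `uci set network.warp_rt.name='warp_table'`) makes re-runs overwrite rather than duplicate. The mark `0xe4` and table id `228` are also repeated across many lines and belong in one variable each.
```shell
#!/bin/sh
set -eu

# … unchanged: rt_table, rule/route and Mark-Amazon-Traffic sections …

uci set firewall.@ipset[-1].match='dest_net'
# 'entry' is a list option: one add_list call per prefix, never a space-joined uci set
for cidr in 116.202.0.0/16 116.203.0.0/16 128.140.0.0/17; do  # … continue with the remaining prefixes from the original entry line …
  uci add_list firewall.@ipset[-1].entry="$cidr"
done

# … unchanged: Hetzner IPv6 ipset (same add_list pattern), marking rules, commits …
```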
Neur0toxine revised this gist
1 file changed, 60 insertions
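--- /dev/null
+++ b/gistfile1.txt
@@ -0,0 +1,60 @@
+network.@rt_table[0]=rt_table
+network.@rt_table[0].name='warp_table'
+network.@rt_table[0].id='228'
+network.@rule[0]=rule
+network.@rule[0].mark='0xe4'
+network.@rule[0].lookup='warp_table'
+network.@route[0]=route
+network.@route[0].interface='WARP'
+network.@route[0].target='0.0.0.0/0'
+network.@route[0].table='warp_table'
+network.@rule6[0]=rule6
+network.@rule6[0].lookup='warp_table'
+network.@rule6[0].mark='0xe4'
+network.@route6[0]=route6
+network.@route6[0].interface='WARP'
+network.@route6[0].target='::/0'
+network.@route6[0].table='warp_table'
+firewall.@rule[11]=rule
+firewall.@rule[11].name='Mark-Amazon-Traffic'
+firewall.@rule[11].ipset='Amazon_CIDRs'
+firewall.@rule[11].target='MARK'
+firewall.@rule[11].set_mark='0xe4'
+firewall.@rule[11].src='lan'
+firewall.@rule[11].dest='*'
+firewall.@rule[11].priority='1'
+firewall.@rule[11].chain='prerouting'
+firewall.@rule[11].family='ipv4'
+firewall.@ipset[2]=ipset
+firewall.@ipset[2].name='Amazon_CIDRs'
+firewall.@ipset[2].family='ipv4'
+firewall.@ipset[2].match='dest_net'
+firewall.@ipset[2].loadfile='/etc/luci-uploads/amazon-ip-ranges.txt' # Скачал & спарсил с https://ip-ranges.amazonaws.com/ip-ranges.json
+firewall.@ipset[3]=ipset
+firewall.@ipset[3].name='Hetzner_CIDRs_v4'
+firewall.@ipset[3].family='ipv4'
+firewall.@ipset[3].match='dest_net'
+firewall.@ipset[3].entry='116.202.0.0/16' '116.203.0.0/16' '128.140.0.0/17' '135.181.0.0/16' '136.243.0.0/16' '138.199.128.0/17' '138.201.0.0/16' '139.28.242.0/23' '142.132.128.0/17' '144.76.0.0/16' '148.251.0.0/16' '157.180.0.0/17' '157.90.0.0/16' '159.69.0.0/16' '162.55.0.0/16' '167.233.0.0/16' '167.235.0.0/16' '168.119.0.0/16' '171.25.225.0/24' '176.9.0.0/16' '178.212.75.0/24' '178.63.0.0/16' '185.107.52.0/22' '185.126.28.0/22' '185.157.176.0/23' '185.157.178.0/23' '185.157.83.0/24' '185.171.224.0/22' '185.189.228.0/24' '185.189.229.0/24' '185.189.230.0/24' '185.189.231.0/24' '185.213.45.0/24' '185.216.237.0/24' '185.226.99.0/24' '185.228.8.0/23' '185.50.120.0/23' '188.245.0.0/16' '188.34.128.0/17' '188.40.0.0/16' '193.110.6.0/23' '193.163.198.0/24' '194.42.180.0/22' '194.42.184.0/22' '194.62.106.0/24' '195.201.0.0/16' '195.248.224.0/24' '195.60.226.0/24' '197.242.84.0/22' '201.131.3.0/24' '204.29.146.0/24' '213.133.96.0/19' '213.239.192.0/18' '216.55.108.0/22' '23.88.0.0/17' '37.27.0.0/16' '45.145.227.0/24' '46.4.0.0/16' '46.62.128.0/17' '49.12.0.0/16' '49.13.0.0/16' '5.75.128.0/17' '5.9.0.0/16' '65.108.0.0/16' '65.109.0.0/16' '65.21.0.0/16' '78.138.62.0/24' '78.46.0.0/15' '85.10.192.0/18' '88.198.0.0/16' '88.99.0.0/16' '91.107.128.0/17' '91.190.240.0/21' '91.99.0.0/16' '94.130.0.0/16' '95.216.0.0/16' '95.217.0.0/16'
+firewall.@ipset[4]=ipset
+firewall.@ipset[4].name='Hetzner_CIDRs_v6'
+firewall.@ipset[4].family='ipv6'
+firewall.@ipset[4].match='dest_net'
+firewall.@ipset[4].entry='2a01:4f8::/32' '2a01:4f9::/32' '2a06:be80::/29' '2a0e:7700::/32' '2a11:e980::/29' '2a12:1fc0::/42'
+firewall.@rule[12]=rule
+firewall.@rule[12].name='Mark-Hetzner-IPv4'
+firewall.@rule[12].family='ipv4'
+firewall.@rule[12].src='lan'
+firewall.@rule[12].ipset='Hetzner_CIDRs_v4'
+firewall.@rule[12].target='MARK'
+firewall.@rule[12].set_mark='0xe4'
+firewall.@rule[12].chain='prerouting'
+firewall.@rule[12].dest='*'
+firewall.@rule[13]=rule
+firewall.@rule[13].name='Mark-Hetzner-IPv6'
+firewall.@rule[13].family='ipv6'
+firewall.@rule[13].src='lan'
+firewall.@rule[13].ipset='Hetzner_CIDRs_v6'
+firewall.@rule[13].target='MARK'
+firewall.@rule[13].set_mark='0xe4'
+firewall.@rule[13].chain='prerouting'
+firewall.@rule[13].dest='*'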