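#!/bin/sh
#
# OpenWrt first-boot (uci-defaults) configuration for the "gw-elmash" gateway:
# root password, LAN/WAN, Wi-Fi, system, SSH, web UI, DHCP, WireGuard, firewall.
#
# Beware! This script will be in /rom/etc/uci-defaults/ as part of the image.
# Everything below is baked into the firmware image and readable by anyone who
# holds the image or can read the read-only root: the Wi-Fi passphrases, the
# root password, the admin SSH key and every WireGuard private/preshared key
# further down are static secrets with the lifetime of the image. Treat the
# image itself as a secret and rotate these values if it is ever copied.
#
# Uncomment lines to apply:
WIFI_2G_SSID="fta-bgn"
WIFI_5G_SSID="fta-nac"
WIFI_2G_PASSWORD="fuckingwep"
WIFI_5G_PASSWORD="fuckingwep"
root_password="AsD7fg"
lan_ip_address="192.168.77.1"
wan_mac_address="98:DA:C4:20:8D:02"
hostname="gw-elmash"
# dhcp server 1 disable, 0 enable
dhcpsrv="0"

# log potential errors
# From here on stdout and stderr go to a file on tmpfs; it does not survive a
# reboot, so read it right after first boot if something looks wrong.
exec >/tmp/setup.log 2>&1

# Set the root password only when one is configured. The value is fed to
# passwd twice on stdin (new + confirm); passwd's own output is discarded so
# nothing password-related lands in the log.
if [ -n "$root_password" ]; then
  { printf '%s\n' "$root_password"; sleep 1; printf '%s\n' "$root_password"; } | passwd > /dev/null
fi

# Configure LAN
# More options: https://openwrt.org/docs/guide-user/base-system/basic-networking
#
# The LAN address and the WAN MAC override are independent settings, so each
# is guarded by its own variable (previously the MAC was only applied when a
# LAN address was also set).
if [ -n "$lan_ip_address" ]; then
  uci set network.lan.ipaddr="$lan_ip_address"
fi
if [ -n "$wan_mac_address" ]; then
  # NOTE(review): @device[1] is assumed to be the WAN device on this board —
  # confirm with 'uci show network' before reusing this on other hardware.
  uci set network.@device[1].macaddr="$wan_mac_address"
fi
if [ -n "$lan_ip_address" ] || [ -n "$wan_mac_address" ]; then
  uci commit network
fi
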
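# Configure WLAN
# More options: https://openwrt.org/docs/guide-user/network/wifi/basic#wi-fi_interfaces
echo 'Configuring Wi-Fi...'

#######################################
# Enable one radio and set up its default AP interface (WPA2-PSK).
# Arguments: $1 - radio section (radio0 / radio1)
#            $2 - channel
#            $3 - SSID
#            $4 - WPA2 passphrase
# Outputs:   uci diagnostics on stdout/stderr (already redirected to the log)
#######################################
configure_radio() {
  local radio="$1" channel="$2" ssid="$3" key="$4"
  uci set "wireless.${radio}.channel=${channel}"
  uci set "wireless.${radio}.country=RU"
  uci set "wireless.${radio}.legacy_rates=0"
  uci set "wireless.${radio}.noscan=1"
  # The original used '&> /dev/null', a bashism: under /bin/sh it parses as
  # 'uci del ... &' (backgrounded, racing the following uci calls) plus a
  # stray redirection. '-q' keeps the call synchronous and silences the
  # error when the option is already absent.
  uci -q delete "wireless.${radio}.disabled"
  uci set "wireless.default_${radio}.ssid=${ssid}"
  uci set "wireless.default_${radio}.encryption=psk2"
  uci set "wireless.default_${radio}.key=${key}"
}

# NOTE(review): radio0 gets channel 6 (a 2.4 GHz channel) together with the
# *_5G_* SSID/key, while radio1 gets channel 64 (5 GHz) with the *_2G_*
# values. The variable names and the channels disagree — confirm which radio
# is which band on this board; the assignments are kept as the author wrote
# them.
configure_radio radio0 '6'  "${WIFI_5G_SSID}" "${WIFI_5G_PASSWORD}"
configure_radio radio1 '64' "${WIFI_2G_SSID}" "${WIFI_2G_PASSWORD}"

uci commit wireless
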
# Configure system
# Hostname, POSIX TZ string plus the matching zone name, and the built-in
# NTP server bound to the lan interface.
for kv in \
  "system.@system[0].hostname=$hostname" \
  'system.@system[0].timezone=<+05>-5' \
  'system.ntp.enable_server=1' \
  'system.ntp.interface=lan' \
  'system.@system[0].zonename=Asia/Yekaterinburg'
do
  uci set "$kv"
done
uci commit system
/etc/init.d/system restart

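# Configure ssh dropbear
SSHPUB="ssh-rsa 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 jeka@x220"

# Install the admin public key. The directory is created defensively in case
# dropbear has not started yet, and the file is written under a restrictive
# umask so it is never world-readable, even briefly, before the chmod.
mkdir -p /etc/dropbear
( umask 077; printf '%s\n' "${SSHPUB}" > /etc/dropbear/authorized_keys )
chmod 600 /etc/dropbear/authorized_keys

# NOTE(review): a key is deployed above, yet password and root-password
# logins stay enabled, and the root password is the static one from the top
# of this file (shipped in the image). Setting both to "0" would make the key
# the only way in; left as configured by the author.
uci set dropbear.@dropbear[0].PasswordAuth="1"
uci set dropbear.@dropbear[0].RootPasswordAuth="1"
# GatewayPorts lets remote-forwarded ports bind on all addresses instead of
# loopback only; it applies to authenticated SSH sessions.
uci set dropbear.@dropbear[0].GatewayPorts='on'
uci commit dropbear
/etc/init.d/dropbear restart
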
# Configure uhttpd
# The web UI listens on 8080/4431 on every address (80/443 are forwarded to
# LAN hosts by the firewall section). Whether it is reachable from the WAN
# side is governed by the wan zone's input policy, which this script leaves
# at the OpenWrt default.
uhttpd_http='0.0.0.0:8080'
uhttpd_https='0.0.0.0:4431'
uci set "uhttpd.main.listen_http=${uhttpd_http}"
uci set "uhttpd.main.listen_https=${uhttpd_https}"
uci commit uhttpd
/etc/init.d/uhttpd restart

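# DHCP server on/off
# dhcp.lan.ignore=1 disables the DHCP server on lan; with dhcpsrv="0" it is
# enabled with a dynamic pool of 100 addresses starting at .50.
uci set dhcp.lan.ignore="$dhcpsrv"
uci set dhcp.lan.start='50'
uci set dhcp.lan.limit='100'

#######################################
# Append a static DHCP lease (a dhcp "host" section).
# Arguments: $1 - lease name, $2 - client MAC, $3 - fixed IPv4 address
#######################################
dhcp_static_lease() {
  uci add dhcp host
  uci set "dhcp.@host[-1].name=$1"
  uci set "dhcp.@host[-1].mac=$2"
  uci set "dhcp.@host[-1].ip=$3"
}

# Fixed addresses for office hosts; all lie below the dynamic pool (.50-.149).
dhcp_static_lease 'jeka-office'    '4c:cc:6a:01:5d:30' '192.168.77.35'
dhcp_static_lease 'fs1370dn'       '00:C0:EE:9E:01:55' '192.168.77.33'
dhcp_static_lease 'kyoceraigor'    '00:17:C8:21:A7:F2' '192.168.77.30'
dhcp_static_lease 'kyocerascanner' '00:C0:EE:BB:85:2C' '192.168.77.31'
dhcp_static_lease 'natasha-office' '50:46:5D:09:D0:69' '192.168.77.36'
dhcp_static_lease 'klipper'        'B8:27:EB:B9:82:6D' '192.168.77.44'
uci commit dhcp
/etc/init.d/dnsmasq restart
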
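# Configure network
#
# WireGuard topology (all keys are static and shipped in the image — see the
# header of this script; anyone holding the image can impersonate this site
# to every peer listed here until the keys are rotated):
#   vpn0..vpn3  site-to-site tunnels, one interface + one peer each; the
#               remote subnets are routed through them.
#   wg777       hub for remote users, many peers, no endpoint.
#   wg0         client tunnel to an external host; it accepts 0.0.0.0/0 from
#               the peer but does not install it as a route.
# Each listen_port set here must match a WAN accept rule in the firewall
# section. allowed_ips is stored as a uci list (add_list) throughout, which
# is what the documented config format uses and what allows several subnets
# per peer.

#######################################
# Create a WireGuard interface section.
# Arguments: $1 - interface name, $2 - listen port, $3 - private key,
#            $4 - optional local tunnel address (CIDR)
#######################################
wg_interface() {
  uci set "network.$1=interface"
  uci set "network.$1.proto=wireguard"
  uci set "network.$1.private_key=$3"
  uci set "network.$1.listen_port=$2"
  if [ -n "$4" ]; then
    uci set "network.$1.addresses=$4"
  fi
}

#######################################
# Append a site-to-site peer (endpoint + preshared key) to an interface.
# Arguments: $1 - interface, $2 - description, $3 - peer public key,
#            $4 - preshared key, $5 - endpoint host, $6 - endpoint port,
#            $7... - allowed_ips entries, one list element each
#######################################
wg_site_peer() {
  local iface="$1" desc="$2" pub="$3" psk="$4" host="$5" port="$6" net
  shift 6
  uci add network "wireguard_${iface}"
  uci set "network.@wireguard_${iface}[-1].description=${desc}"
  uci set "network.@wireguard_${iface}[-1].public_key=${pub}"
  uci set "network.@wireguard_${iface}[-1].preshared_key=${psk}"
  # The original wrote "uci set ...allowed_ips='a' 'b'" for the Baumana peer;
  # uci set takes exactly one key=value argument, so the second subnet was
  # never applied (and the call itself likely rejected). One list element per
  # subnet fixes that.
  for net in "$@"; do
    uci add_list "network.@wireguard_${iface}[-1].allowed_ips=${net}"
  done
  uci set "network.@wireguard_${iface}[-1].route_allowed_ips=1"
  uci set "network.@wireguard_${iface}[-1].persistent_keepalive=25"
  uci set "network.@wireguard_${iface}[-1].endpoint_host=${host}"
  uci set "network.@wireguard_${iface}[-1].endpoint_port=${port}"
}

#######################################
# Append a remote-user peer (no endpoint, no preshared key) to an interface.
# Arguments: $1 - interface, $2 - description, $3 - peer public key,
#            $4 - the peer's tunnel address as a /32 allowed_ips entry
#######################################
wg_remote_peer() {
  # The original created peers 1..N with 'uci set network.@type[N]=type',
  # which relies on uci accepting a not-yet-existing index; 'uci add' appends
  # the same anonymous section unconditionally.
  uci add network "wireguard_$1"
  uci set "network.@wireguard_$1[-1].description=$2"
  uci set "network.@wireguard_$1[-1].route_allowed_ips=1"
  uci set "network.@wireguard_$1[-1].persistent_keepalive=25"
  uci set "network.@wireguard_$1[-1].public_key=$3"
  uci add_list "network.@wireguard_$1[-1].allowed_ips=$4"
}

# VPN LAN BAUMANA
wg_interface vpn0 '23555' 'gFr1rme9kPAo6qJ4ss9wT8GYlwqIaPP0Tk+Y0VT8smo='
wg_site_peer vpn0 'Site Baumana Home' \
  'ZNRTOIidJnKA34g1pDHVi0F1q2n7goNcJjDfGrTUnTM=' \
  'qBhqDIizi2rR8DduM+LPedXcuTm02XQWSmtJ3s3r+NA=' \
  'wg.npau.ru' '23555' \
  '192.168.75.0/24' '192.168.3.0/24'

# VPN LAN ARAMIL
wg_interface vpn1 '23556' 'uGb0lzBp6xeG3QW9YX1JOe47o9j8oY3fqtRdbH4gz3c='
wg_site_peer vpn1 'Site Aramil Office' \
  'UrNRptLKi9GEKY/NgViIzK9F63oDNsMjuUgqQApQCQE=' \
  'GdSszP+e86Vhs+/GD7uHpsLCnBCpyBZwMmOlxbS6OOg=' \
  'aramil.npau.ru' '23556' \
  '192.168.47.0/24'

# VPN LAN OLGA
wg_interface vpn2 '23559' '2IOKg/anbXm5yV7CteOAL02Ae6ewVIZu1E/+V/nM2lo='
wg_site_peer vpn2 'Site Olga Office' \
  'SWZxuUR4tFoHbS/0jQm670X4Ex8TDyHRiW8u2D8QMHw=' \
  'aUBTNiL5mBjMa2WXxSjdAUHkDr3laEv5py8tavNjndI=' \
  'olga.npau.ru' '23559' \
  '192.168.97.0/24'

# VPN LAN PIVKO
wg_interface vpn3 '23560' 'iJl+I4d7lako5lJuwbm3jDeuStT4SAA4AE11tStVQVc='
wg_site_peer vpn3 'Site Pivko' \
  'Fa1MCMOZ5V55ApFY6OGcmg3YnWwScYH4QKpbQ9jDhzM=' \
  'tPDt9HWswEEGyW0qjTwD7h5GMqDhitNAGojiMt2rxNI=' \
  'pivko.npau.ru' '23560' \
  '192.168.76.0/24'

# VPN OFFICE REMOTE USERS
wg_interface wg777 '27027' 'QCOLeGs/F2dBSCzW677Tb7b0H2vuEkZXFsSDl6ZSoGI=' '10.14.0.1/24'
wg_remote_peer wg777 'julia'           'tZvwcrN/wsxq8kTWKWnueoF0LFcSg6jppbtWWnObJzo=' '10.14.0.2/32'
wg_remote_peer wg777 'julia-andorid'   'wGgvktRg+mokhs3WQu5ou0IfLp11cWRQDq/0beEQHWE=' '10.14.0.21/32'
wg_remote_peer wg777 'ksusha'          'UUpi9cY9oETIlOYtKF4HI4+peLqrBjMmIMlH8yf0NR4=' '10.14.0.3/32'
wg_remote_peer wg777 'ksusha-android'  'W0ZPGHV+jybC6Kzr279+/L+2TVjCVm8v7tHZFE6vbX4=' '10.14.0.22/32'
wg_remote_peer wg777 'dan'             '0prJyJ5Up0hXuKorhMJakvOQK/583+w1yJTxvoz+GH0=' '10.14.0.4/32'
wg_remote_peer wg777 'dan-android'     'VGPLY5IB/Ml35UJwhAOdT54hH+obEXGfaDZvi1QMwkQ=' '10.14.0.23/32'
wg_remote_peer wg777 'lev'             'D2FU7Za9VLcHvh6gp+vqViSYsiZY4BOjleVzBm2gx0E=' '10.14.0.5/32'
wg_remote_peer wg777 'lev-android'     'LS2C/943tsBS0SdtU4aRCYJAFOfCW93hsNF+9WdwZSc=' '10.14.0.27/32'
wg_remote_peer wg777 'natasha'         'BAPSq8QDxVSRsB3jFDFlWygh3dXoWeBF0WkV6W7ljEk=' '10.14.0.6/32'
wg_remote_peer wg777 'natasha-android' 'CFH22K5ji7bDuhON2ELxVhn41bvJjy6aZC1nILNZeAg=' '10.14.0.24/32'
wg_remote_peer wg777 'sia'             'H4xEoK4mqf01i/8AAgkYbLAc0px7K/zoFk8gpkbqX3Q=' '10.14.0.7/32'
wg_remote_peer wg777 'tonya'           '5qgq0gGJ4xBcVLA3qU4oi7YmQMkdix62Br5NXvO0xGc=' '10.14.0.8/32'
wg_remote_peer wg777 'lva-android'     'heWrgu7oPmpYIqT0WbziNZ0tZUFTOp7rPCz7Su8yM3g=' '10.14.0.25/32'

# VPN ANTIZAPRET
wg_interface wg0 '51820' 'WFmfbE7X7MJ/769Ifd9ENEgkyzuWJItKErOht4X3iG8=' '192.168.100.2/24'
uci add network wireguard_wg0
uci set network.@wireguard_wg0[-1].name='wg0_client'
# route_allowed_ips=0: 0.0.0.0/0 is accepted from this peer but not installed
# as a route. The firewall section marks traffic to the vpn_domains ipset
# with 0x1; the policy route that would send marked traffic into wg0 is not
# part of this script.
uci set network.@wireguard_wg0[-1].route_allowed_ips='0'
uci set network.@wireguard_wg0[-1].persistent_keepalive='25'
uci add_list network.@wireguard_wg0[-1].allowed_ips='0.0.0.0/0'
uci set network.@wireguard_wg0[-1].endpoint_host='88.210.11.80'
uci set network.@wireguard_wg0[-1].endpoint_port='51820'
uci set network.@wireguard_wg0[-1].public_key='E/3AhjY3/nteAEy7uPR72kKbXwyJL3ANEhsEoMHP43o='
uci set network.@wireguard_wg0[-1].preshared_key='tI8KGVUFcPRn0h9BPXlr8gccVJqsxAsXgZPTWHsnUDI='
uci commit network
/etc/init.d/network restart
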
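# Configure firewall
uci set firewall.@defaults[0].drop_invalid='1'
uci set firewall.@defaults[0].synflood_protect='1'

#######################################
# Add a fully open zone (input/forward/output ACCEPT) bound to one network.
# Used for every WireGuard tunnel: any peer on it can reach the router's own
# services (SSH, web UI on 8080/4431, DNS/DHCP) as well as forward through it.
# Arguments: $1 - zone and network name, $2 - optional device name
#######################################
fw_open_zone() {
  uci add firewall zone
  uci set "firewall.@zone[-1].name=$1"
  uci set "firewall.@zone[-1].input=ACCEPT"
  uci set "firewall.@zone[-1].forward=ACCEPT"
  uci set "firewall.@zone[-1].output=ACCEPT"
  uci set "firewall.@zone[-1].network=$1"
  if [ -n "$2" ]; then
    uci set "firewall.@zone[-1].device=$2"
  fi
}

#######################################
# Accept inbound traffic from the wan zone to the router itself.
# Arguments: $1 - rule name, $2 - protocol(s), $3 - destination port
#######################################
fw_wan_accept() {
  uci add firewall rule
  uci set "firewall.@rule[-1].name=$1"
  uci set "firewall.@rule[-1].src=wan"
  uci set "firewall.@rule[-1].proto=$2"
  uci set "firewall.@rule[-1].dest_port=$3"
  uci set "firewall.@rule[-1].target=ACCEPT"
}

#######################################
# DNAT a wan port (or range) to a LAN host.
# Arguments: $1 - redirect name, $2 - wan port/range, $3 - LAN host,
#            $4 - optional destination port/range (empty = not set),
#            $5 - optional protocol (empty = not set, firewall default applies)
#######################################
fw_dnat() {
  uci add firewall redirect
  uci set "firewall.@redirect[-1].target=DNAT"
  uci set "firewall.@redirect[-1].src=wan"
  uci set "firewall.@redirect[-1].dest=lan"
  uci set "firewall.@redirect[-1].name=$1"
  uci set "firewall.@redirect[-1].src_dport=$2"
  uci set "firewall.@redirect[-1].dest_ip=$3"
  if [ -n "$4" ]; then
    uci set "firewall.@redirect[-1].dest_port=$4"
  fi
  if [ -n "$5" ]; then
    uci set "firewall.@redirect[-1].proto=$5"
  fi
}

#######################################
# Allow forwarding from one zone to another.
# Arguments: $1 - source zone, $2 - destination zone
#######################################
fw_forward() {
  uci add firewall forwarding
  uci set "firewall.@forwarding[-1].src=$1"
  uci set "firewall.@forwarding[-1].dest=$2"
}

# ADD ZONES
fw_open_zone vpn0 vpn0
fw_open_zone vpn1 vpn1
fw_open_zone vpn2 vpn2
fw_open_zone vpn3 vpn3
fw_open_zone wg777
# The "wg" zone for the outbound wg0 tunnel is the only restrictive one:
# nothing may enter from it or be forwarded out of it, and LAN traffic
# leaving through it is masqueraded with MSS clamping.
uci add firewall zone
uci set firewall.@zone[-1].name='wg'
uci set firewall.@zone[-1].family='ipv4'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].mtu_fix='1'
uci set firewall.@zone[-1].network='wg0'

# ADD RULES
# Each WireGuard port opened here must match the interface's listen_port in
# the network section.
# NOTE(review): the 'iperf ' rule (name kept verbatim, trailing space and
# all) exposes 5001/tcp+udp to the whole internet; it looks like a
# throughput-test leftover and is worth disabling once measurements are done.
fw_wan_accept 'iperf ' 'tcp udp' '5001'
fw_wan_accept 'Allow-Baumana-Elmash-Inbound' 'udp' '23555'
fw_wan_accept 'Allow-Elmash-Aramil-Inbound' 'udp' '23556'
fw_wan_accept 'Allow-Elmash-Olga-Inbound' 'udp' '23559'
fw_wan_accept 'Allow-Wireguard-Hetzner' 'udp' '51820'
# NOTE(review): nothing in this script listens on 26261; confirm the rule is
# still needed.
fw_wan_accept 'Allow-Wireguard-VPS' 'udp' '26261'
fw_wan_accept 'Allow-Elmash-Pivko-Inbound' 'udp' '23560'
fw_wan_accept 'Allow-Remote-Jurists-Inbound' 'udp' '27027'

#ADD IPSET
# Destination-network set matched by the mark rule below; nothing in this
# script adds entries to it, so it is populated elsewhere.
uci add firewall ipset
uci set firewall.@ipset[-1].name='vpn_domains'
uci set firewall.@ipset[-1].match='dst_net'

#ADD MARK
# Mark LAN traffic towards vpn_domains destinations with 0x1. (The original
# also re-set the section type with 'uci set firewall.@rule[-1]=rule' right
# after 'uci add firewall rule'; that is a no-op and is dropped.)
uci add firewall rule
uci set firewall.@rule[-1].name='mark_domains'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='*'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].ipset='vpn_domains'
uci set firewall.@rule[-1].set_mark='0x1'
uci set firewall.@rule[-1].target='MARK'
uci set firewall.@rule[-1].family='ipv4'

# ADD REDIRECT
# XMPP ("jabber") server on 192.168.77.2
fw_dnat 'jabber1' '5222' '192.168.77.2' '5222' 'tcp'
fw_dnat 'jabber2' '5223' '192.168.77.2' '5223' 'tcp'
fw_dnat 'jabber3' '5269' '192.168.77.2' '5269' 'tcp'
fw_dnat 'jabber4' '5280' '192.168.77.2' '5280' 'tcp'
fw_dnat 'jabber5' '5443' '192.168.77.2' '5443' 'tcp'
# RTP media range to 192.168.77.3
fw_dnat 'rtp' '10000-20000' '192.168.77.3' '10000-20000' 'udp'
# STUN/TURN to 192.168.77.2. 'stunt'/'turn' and 'stunts'/'turns' are
# duplicate rules for the same ports, and 'ejabb-stunt' overlaps the two
# *_RANGE rules below; kept as the author had them.
fw_dnat 'stunt' '3478' '192.168.77.2'
fw_dnat 'stunts' '5349' '192.168.77.2' '' 'tcp'
fw_dnat 'turn' '3478' '192.168.77.2'
fw_dnat 'turns' '5349' '192.168.77.2' '' 'tcp'
fw_dnat 'ejabb-stunt' '49152-65535' '192.168.77.2'
# Disabled: presumably an ACME HTTP challenge forward to the XMPP host.
fw_dnat 'acme_ejabberd_http' '80' '192.168.77.2' '5280'
uci set firewall.@redirect[-1].enabled='0'
fw_dnat 'stun_udp_RANGE' '49152-65535' '192.168.77.2' '49152-65535' 'udp'
fw_dnat 'stun_tcp_RANGE' '49152-65535' '192.168.77.2' '49152-65535' 'tcp'
# Reverse proxy (.191) and git host SSH (.193)
fw_dnat 'NPM-80' '80' '192.168.77.191' '80'
fw_dnat 'NPM-443' '443' '192.168.77.191' '443'
fw_dnat 'gitea_SSH' '2222' '192.168.77.193' '22'

# ADD FORWARD ZONES
# Site-to-site tunnels are bridged both ways with lan.
for z in vpn0 vpn1 vpn2 vpn3; do
  fw_forward "$z" lan
  fw_forward lan "$z"
done
fw_forward wg777 wan
# NOTE(review): wan -> wg777 lets traffic arriving from the internet be
# forwarded into the remote-user tunnel; only wg777 -> wan is needed for the
# users' internet access. Kept as the author had it.
fw_forward wan wg777
fw_forward wg777 lan
fw_forward lan wg777
fw_forward lan wg
uci set firewall.@forwarding[-1].family='ipv4'

uci commit firewall
/etc/init.d/firewall restart

echo "All done"
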