Nat through non-default gateways more than one internal network.

One big office space (with one BIG net) shared by more than one company - each having different policies for IT infrastructure.
How do we nat different local networks (connected to eth2,3,4 etc) trough different gateway (connected openvpn to each Company VPN server)?

Here it is how:

#!/bin/sh

exc() {
cmd="$1";
[ -n "$2" ] && exitt="$2";
echo "Exec $cmd ...";
$cmd;
[ $? -gt 0 ] && echo "Error executing $cmd..." && [ "$exitt" != "0" ] && exit 1;
}

[ `which realpath|wc -l` -lt 1 ] && echo "This script requiers realpath command" && exit 1;

[ -z "$1" ] && echo "Param1: net config" && exit 1;
[ -n "$1" ] && cfg=`realpath $1`;
[ -n "$1" ] && ! [ -f "$cfg" ] && echo "Config $1 con't be found!" && exit 1;
[ -n "$1" ] && [ -f "$cfg" ] && . $cfg;

[ -z "$defgw" ] || [ -z "$vpnremoteip" ] || [ -z "$local1net" ] || [ -z "$local1ip" ] || [ -z "$local1netdev" ] || [ -z "$tundev1" ] || [ -z "$vpn1cfgdir" ] || [ -z "$vpn1cfg" ] || [ -z "$vpn1rtbl" ] && echo "Some variables that are required are empty! We need all: defgw : $defgw , vpnremoteip : $vpnremoteip , local1net : $local1net , local1ip : $local1ip , local1netdev : $local1netdev , tundev1 : $tundev1 , vpn1cfgdir : $vpn1cfgdir , vpn1cfg : $vpn1cfg , vpn1rtbl : $vpn1rtbl" && exit 1;


[ -n "`ps ax|grep openvpn|grep $vpn1cfg|grep -v grep`" ] && echo "Openvpn with cfg $vpn1cfg already runs PID: `ps ax|grep openvpn|grep $vpn1cfg|grep -v grep|cut -f1 -d ' '`" && exit 1;
local1ifacecheck=`ifconfig $local1netdev|grep inet|cut -f2 -d:|cut -f1 -d' '`;

[ -n "$local1ifacecheck" ] && [ "x$local1ifacecheck" != "x$local1ip" ] && echo "$local1netdev is UP but ip doesn't match ($local1ip != $local1ifacecheck)!" && exit 1;
[ -z "$local1ifacecheck" ] && exc "ifconfig $local1netdev $local1ip up" && exc "ip r del $local1net" 0;

[ `ip r s|grep $local1net|grep -v grep|wc -l` -gt 0 ] && exc "ip r del $local1net" 0;

[ `ip r s|grep $vpnremoteip|grep -v grep|wc -l` -lt 1 ] && exc "ip r add $vpnremoteip via $defgw dev eth0";

# start vpn and get local/remote ppp ip
exc "cd $vpn1cfgdir";
exc "openvpn --daemon --config $vpn1cfg";
sleep 10;

vpn1local=`ifconfig $tundev1|grep inet|awk '{print $2}'|cut -f 2 -d:`;
vpn1remote=`ifconfig $tundev1|grep inet|awk '{print $3}'|cut -f 2 -d:`;

[ -z "$vpn1local" ] || [ -z "$vpn1remote" ] && echo "Can't find local/remote vpn ips" && exit 1;

#clean up vpn routes from default routing table
vpn1net=`ip r |grep "via $vpn1remote"|grep -v grep|cut -f1 -d' '`;
[ -n "$vpn1net" ] && exc "ip r del $vpn1net" 0;
[ -n "$vpn1remote" ] && exc "ip r del $vpn1remote" 0;


echo "Add routing for: vpn1remote: $vpn1remote ; vpn1net: $vpn1net ; local1net : $local1net ; default";
#add routes in new routing table vpnr1
[ -z "`ip r s t $vpn1rtbl|grep $vpn1remote|grep -v grep`" ] && exc "ip r add $vpn1remote dev $tundev1 src $vpn1local table $vpn1rtbl";
[ -z "`ip r s t $vpn1rtbl|grep $vpn1net|grep -v grep`" ] && exc "ip r add $vpn1net dev $tundev1 via $vpn1local table $vpn1rtbl";
[ -z "`ip r s t $vpn1rtbl|grep $local1net|grep -v grep`" ] && exc "ip r add $local1net dev $local1netdev src $local1ip table $vpn1rtbl";
[ -z "`ip r s t $vpn1rtbl|grep 'default'|grep -v grep`" ] && exc "ip r add default via $vpn1local dev $tundev1 table $vpn1rtbl";
#add rules for vpn/vpn1-local nets to lookup vpnr1;
[ -z "`ip ru s|grep "from $vpn1net"|grep -v grep`" ] && exc "ip rule add from $vpn1net lookup $vpn1rtbl prio 1000";
[ -z "`ip ru s|grep "to $vpn1net"|grep -v grep`" ] && exc "ip rule add to $vpn1net lookup $vpn1rtbl prio 1000";
[ -z "`ip ru s|grep "from $vpn1local"|grep -v grep`" ] && exc "ip rule add from $vpn1local lookup $vpn1rtbl prio 1100";
[ -z "`ip ru s|grep "from $local1net"|grep -v grep`" ] && exc "ip rule add from $local1net lookup $vpn1rtbl prio 998";
[ -z "`ip ru s|grep "to $local1net"|grep -v grep`" ] && exc "ip rule add to $local1net lookup $vpn1rtbl prio 998";


[ `iptables -t nat -nvL|grep SNAT|grep "$local1net"|wc -l` -lt 1 ] && exc "iptables -t nat -A POSTROUTING -s $local1net -o $tundev1 -j SNAT --to-source $vpn1local";

Trackbacks

Trackback specific URI for this entry

This link is not meant to be clicked. It contains the trackback URI for this entry. You can use this URI to send ping- & trackbacks from your own blog to this entry. To copy the link, right click and select "Copy Shortcut" in Internet Explorer or "Copy Link Location" in Mozilla.

No Trackbacks

Comments

Display comments as Linear | Threaded

No comments

Add Comment

You can use [geshi lang=lang_name [,ln={y|n}]][/geshi] tags to embed source code snippets.
Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
To leave a comment you must approve it via e-mail, which will be sent to your address after submission.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA