Re: Modifying Routing Tables on the fly

[Craig Sanders]

On Tue, 3 Mar 1998, Ian Perry wrote:

> ---cut here---
> #!/bin/sh
> 
> USER=$( who|grep ttyS1 | awk '{printf $1}')
> 
> case $USER in
>         fulltest)       /sbin/route add 192.168.1.1 eth0;;
> esac
> --cut here--

glad to hear you're figuring it out :-)

> Again, Many thanks

what you've got there will probably work for you, but unless i'm reading
it wrong, it will allow ANY logged in user to follow that route while
"fulltest" is logged in.

IMO, a better way to do it would be to have the route there permanently
(e.g. set up the route in /etc/ihit.d/network as normal, and firewall) ,
and use ipfwadm to selectively enable/disable access to the 192.168.1/24
network.

as a VERY ROUGH example (modify to suit your requirements)


in /etc/init.d/network:

---cut here---
        # allow localhost [127.0.0.1] and the machine's IP address (eth0
        # interface) to access the 192.168.1.0/24 network
        /sbin/ipfwadm -I -a accept -P any -S 127.0.0.1 -D 192.168.1.0/24
        /sbin/ipfwadm -I -a accept -P any -S $IPADDR -D 192.168.1.0/24
---cut here---

in /etc/init.d/ip-up

---cut here---
case $USER in
        fulltest)
                        # first delete the deny rule
                        ipfwadm -I -d deny -P any -S $5 -W $1 -D 192.168.1.0/24
                        # then add the accept rule
                        ipfwadm -I -a accept -P any -S $5 -W $1 -D 
192.168.1.0/24
                        ;;
                *)      
                        # first delete the accept rule (if any)
                        ipfwadm -I -d accept -P any -S $5 -W $1 -D 
192.168.1.0/24
                        # then add the deny rule
                        ipfwadm -I -a deny -P any -S $5 -W $1 -D 192.168.1.0/24
                        ;;
esac
---cut here---

and in /etc/ppp/ip-down:

---cut here---
case $USER in
        fulltest)
                        ipfwadm -I -d accept -P any -S $5 -W $1 -D 
192.168.1.0/24
                        ipfwadm -I -a deny -P any -S $5 -W $1 -D 192.168.1.0/24
                        ;;
esac
---cut here---


note, these code snippets are just the bare bones of the idea.  you'll need
to adapt them to suit your needs.

btw, it is possible (likely) that you don't actually need to delete the
rules - i think that they may go away automatically when the ppp interface
goes away (i.e. when the user disconnects).  try it and see...if true, then
it will simplify the scripting considerably, you probably wont even need to
use /etc/ppp/ip-down at all.

also note that this is all "it should work but i haven't tested it or
even done it". the purpose of this message is not to give you a magic
spell that solves your problem but to illustrate a method which you can
use to solve it yourself.

play with it and find out.....enjoy!


craig

--
craig sanders


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
[EMAIL PROTECTED] . 
Trouble?  e-mail to [EMAIL PROTECTED] .