
@vinhdizzo
Created February 21, 2015 06:32
tomato vpn port forwarding 2
root@router:/tmp/home/root# ip route show
10.110.1.1 via 10.110.1.9 dev tun11
10.8.0.2 dev tun21 proto kernel scope link src 10.8.0.1
45.48.32.1 dev vlan2 scope link
198.23.103.66 via 45.48.32.1 dev vlan2
10.110.1.9 dev tun11 proto kernel scope link src 10.110.1.10
192.168.3.0/24 dev br2 proto kernel scope link src 192.168.3.1
192.168.2.0/24 dev br1 proto kernel scope link src 192.168.2.1
10.8.0.0/24 via 10.8.0.2 dev tun21
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
45.48.32.0/19 dev vlan2 proto kernel scope link src 45.48.34.12
127.0.0.0/8 dev lo scope link
0.0.0.0/1 via 10.110.1.9 dev tun11
128.0.0.0/1 via 10.110.1.9 dev tun11
default via 45.48.32.1 dev vlan2
root@router:/tmp/home/root# ip route show table 200
10.8.0.2 dev tun21 proto kernel scope link src 10.8.0.1
45.48.32.1 dev vlan2 scope link
198.23.103.66 via 45.48.32.1 dev vlan2
192.168.3.0/24 dev br2 proto kernel scope link src 192.168.3.1
192.168.2.0/24 dev br1 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
10.8.0.0/24 via 10.8.0.2 dev tun21
45.48.32.0/19 dev vlan2 proto kernel scope link src 45.48.34.12
127.0.0.0/8 dev lo scope link
default via 45.48.32.1 dev vlan2
root@router:/tmp/home/root# ip rule list
0: from all lookup local
32761: from all fwmark 0x88 lookup 200
32762: from 192.168.1.171 lookup 200
32763: from 192.168.1.22 lookup 200
32764: from 192.168.1.91 lookup 200
32765: from 192.168.1.51 lookup 200
32766: from all lookup main
32767: from all lookup default
root@router:/tmp/home/root# iptables -t mangle -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 7000 packets, 1931K bytes)
pkts bytes target prot opt in out source destination
0 0 MARK tcp -- * * 192.168.1.16 0.0.0.0/0 tcp spt:22 MARK set 0x88
0 0 MARK tcp -- * * 192.168.1.14 0.0.0.0/0 tcp spt:22 MARK set 0x88
0 0 MARK tcp -- * * 192.168.1.12 0.0.0.0/0 tcp spt:443 MARK set 0x88
0 0 MARK tcp -- * * 192.168.1.12 0.0.0.0/0 tcp spt:80 MARK set 0x88
0 0 MARK tcp -- * * 192.168.1.12 0.0.0.0/0 tcp spt:22 MARK set 0x88
24 5500 MARK tcp -- * * 192.168.1.11 0.0.0.0/0 tcp spt:9095 MARK set 0x88
0 0 MARK tcp -- * * 192.168.1.11 0.0.0.0/0 tcp spt:22 MARK set 0x88
0 0 DROP all -- vlan2 * 0.0.0.0/0 192.168.1.0/24
0 0 DROP all -- vlan2 * 0.0.0.0/0 192.168.2.0/24
0 0 DROP all -- vlan2 * 0.0.0.0/0 192.168.3.0/24
root@router:/tmp/home/root# iptables -t nat -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 1154 packets, 208K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
67870 7901K WANPREROUTING all -- * * 0.0.0.0/0 45.48.34.12
root@router:/tmp/home/root# iptables -t nat -vnL WANPREROUTING
Chain WANPREROUTING (1 references)
pkts bytes target prot opt in out source destination
26 1244 DNAT icmp -- * * 0.0.0.0/0 0.0.0.0/0 to:192.168.1.1
76 4056 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.1.12
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80 to:192.168.1.12
27 1632 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1122 to:192.168.1.11:22
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1122 to:192.168.1.11:22
5773 346K DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9095 to:192.168.1.11
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9095 to:192.168.1.11
4297 228K DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.1.12
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1222 to:192.168.1.12:22
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1222 to:192.168.1.12:22
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1322 to:192.168.1.13:22
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1322 to:192.168.1.13:22
1002 52708 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1380 to:192.168.1.13:80
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1380 to:192.168.1.13:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1422 to:192.168.1.14:22
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1422 to:192.168.1.14:22
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1722 to:192.168.1.16:22
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1722 to:192.168.1.16:22
root@router:/tmp/home/root#
root@router:/tmp/home/root#
root@router:/tmp/home/root# echo "wan_iface=$(nvram get wan_iface)"
wan_iface=vlan2
root@router:/tmp/home/root# sh -c 'for i in $(ls -1 /proc/sys/net/ipv4/conf/*/rp_filter); do echo "$i=$(cat $i)"; done'
/proc/sys/net/ipv4/conf/all/rp_filter=1
/proc/sys/net/ipv4/conf/br0/rp_filter=1
/proc/sys/net/ipv4/conf/br1/rp_filter=1
/proc/sys/net/ipv4/conf/br2/rp_filter=1
/proc/sys/net/ipv4/conf/default/rp_filter=1
/proc/sys/net/ipv4/conf/eth0/rp_filter=1
/proc/sys/net/ipv4/conf/eth1/rp_filter=1
/proc/sys/net/ipv4/conf/eth2/rp_filter=1
/proc/sys/net/ipv4/conf/lo/rp_filter=1
/proc/sys/net/ipv4/conf/tun11/rp_filter=1
/proc/sys/net/ipv4/conf/tun21/rp_filter=1
/proc/sys/net/ipv4/conf/vlan1/rp_filter=1
/proc/sys/net/ipv4/conf/vlan2/rp_filter=0
/proc/sys/net/ipv4/conf/wl0.1/rp_filter=1
/proc/sys/net/ipv4/conf/wl1.1/rp_filter=1