eibgrad

merlin-ovpn-plex-pbr.sh

Mar 10th, 2021 (edited)
  1. #!/bin/sh
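  #DEBUG= # uncomment/comment to enable/disable debug mode

#          name: merlin-ovpn-plex-pbr.sh
#       version: 2.0.0, 23-jul-2022, by eibgrad
#       purpose: route remote access of plex server back over wan
#       type(s): firewall-start
#          href: https://tinyurl.com/yc3atrep
#  installation:
#    1. enable jffs custom scripts and configs (administration->system)
#    2. ssh to router and copy/paste the following command:
#         curl -kLs bit.ly/merlin-installer|tr -d '\r'|sh -s i8hpNGpq
#    3. reboot
#
# NOTE(review): the one-line install in step 2 pipes a remotely fetched script
# straight into the shell of the router ssh session. curl's -k switches off
# TLS certificate verification and -L follows the shortener's redirects, so
# nothing authenticates the code that gets executed. Fetching the installer
# without -k, reading it, and then running the saved copy avoids that.
#
# what this installer does:
#   - writes $SCRIPT1, the policy-routing script
#   - writes $SCRIPT2, a hook that calls $SCRIPT1, unless $SCRIPT2 already exists

# install locations (the header above requires jffs custom scripts to be enabled)
SCRIPTS_DIR="/jffs/scripts"
SCRIPT1="$SCRIPTS_DIR/merlin-ovpn-plex-pbr.sh"
SCRIPT2="$SCRIPTS_DIR/firewall-start"

# stop early if the target directory cannot be created; every later step
# writes into it
mkdir -p "$SCRIPTS_DIR" || {
    echo "error: cannot create $SCRIPTS_DIR" >&2
    exit 1
}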
  20.  
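  # ---------------------- DO NOT CHANGE BELOW THIS LINE ----------------------- #

# ------------------------ begin merlin-ovpn-plex-pbr ------------------------ #
# Write the policy-routing script to $SCRIPT1. The heredoc delimiter is quoted,
# so the text below is copied verbatim; nothing in it is expanded at install
# time. If the file cannot be written, stop instead of reporting "installed".
cat << "EOF" > "$SCRIPT1" || { echo "error: cannot write $SCRIPT1" >&2; exit 1; }
#!/bin/sh
#set -x # uncomment/comment to enable/disable debug mode
{
# routing table id, firewall mark (value/mask) and port used by the rules below
TID='10'
FW_MARK='0x7000/0x7000'
PLEX_PORT='32400'

# add an iptables rule without duplicating it on re-runs: first try to delete
# the same rule (arguments with -I/-A turned into -D, errors discarded), then
# add it. the arguments are left unquoted and word-split; none of the calls
# below pass an argument containing whitespace. ${@/pattern/replacement} is
# not POSIX sh, so this needs a shell that supports pattern substitution.
ipt() { iptables ${@/-[IA]/-D} 2>/dev/null; iptables $@; }

# cleanup from possible prior execution
{
ip rule del fwmark $FW_MARK table $TID
ip route flush table $TID
ip route flush cache
} 2>/dev/null

# build alternate routing table (default gateway = wan): copy every route of
# the main table except the 0.0.0.0/1 and 128.0.0.0/1 entries
ip route show | grep -Ev '^0\.0\.0\.0/1 |^128\.0\.0\.0/1 ' \
  | while read -r route; do
        # $route stays unquoted on purpose: it must split into separate arguments
        ip route add $route table $TID
    done

# note: the disabling of reverse path filtering may NOT be required in some
# cases; if you comment out the following command and it still works, you
# should continue to do so since it's more secure, but always start w/ it
# enabled until the script is working
#
# NOTE(review): the loop writes 0 to every conf/*/rp_filter entry, so the
# kernel's reverse-path (source address) check is switched off on all
# interfaces, not only the ones this script routes over, and nothing in this
# script restores the previous values.

# disable reverse path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$i"; done

# start split tunnel
ip rule add fwmark $FW_MARK table $TID prio 9990

# force routing system to recognize changes
ip route flush cache

# route plex traffic in/out wan
# NOTE(review): these rules match on port only. any packet arriving on br0
# with source or destination port $PLEX_PORT is marked and routed through
# table $TID, whichever lan host sent it. adding a source-address match for
# the plex server (e.g. -s <PLEX_SERVER_IP>) would confine the exception to
# that one host.
ipt -t mangle -A PREROUTING -i br0 -p udp --sport $PLEX_PORT -j MARK --set-mark $FW_MARK
ipt -t mangle -A PREROUTING -i br0 -p tcp --sport $PLEX_PORT -j MARK --set-mark $FW_MARK
ipt -t mangle -A PREROUTING -i br0 -p udp --dport $PLEX_PORT -j MARK --set-mark $FW_MARK
ipt -t mangle -A PREROUTING -i br0 -p tcp --dport $PLEX_PORT -j MARK --set-mark $FW_MARK

exit 0
} 2>&1 | logger -t "$(basename "$0" .sh)[$$]"
EOF
# debug mode: line 2 of the generated script is the commented-out 'set -x';
# uncomment it when DEBUG is set (even to an empty value)
if [ "${DEBUG+x}" ]; then
    sed -ri '2 s/^#(set -x)/\1/' "$SCRIPT1"
fi
chmod +x "$SCRIPT1"
echo "installed: $SCRIPT1"
# ------------------------- end merlin-ovpn-plex-pbr ------------------------- #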
  74.  
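  # --------------------------- begin firewall-start --------------------------- #
# Write the firewall-start hook ($SCRIPT2), which runs $SCRIPT1 and sends its
# output to the system log.
# Globals:  SCRIPT1, SCRIPT2 (read), DEBUG (read; only whether it is set)
# Returns:  non-zero if the hook file cannot be written
create_script() {
# the delimiter is quoted, so $SCRIPT1, $0 and $$ are written literally; the
# second sed below then replaces the $SCRIPT1 placeholder with the real path
cat << 'EOF' > "$SCRIPT2" || return 1
#!/bin/sh
#set -x # comment/uncomment to disable/enable debug mode
{
$SCRIPT1
} 2>&1 | logger -t "$(basename "$0")[$$]"
EOF
# debug mode: uncomment the 'set -x' on line 2 of the generated hook
if [ "${DEBUG+x}" ]; then
    sed -ri '2 s/^#(set -x)/\1/' "$SCRIPT2"
fi
sed -i "s:\$SCRIPT1:$SCRIPT1:g" "$SCRIPT2"
chmod +x "$SCRIPT2"
}

if [ -f "$SCRIPT2" ]; then
    # never overwrite an existing hook; it may already call other scripts
    echo "error: $SCRIPT2 already exists; requires manual installation" >&2
elif create_script; then
    echo "installed: $SCRIPT2"
else
    echo "error: failed to create $SCRIPT2" >&2
fi
# ---------------------------- end firewall-start ---------------------------- #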