tudor
November 17, 2009, 11:56pm
1
Hello,
Could anyone help me automate the process of allowing access based on MAC/IP pairs?
Basically I use these commands for each client (and they work):
/ip firewall filter add chain=input in-interface=lan src-mac-address=xx:xx:xx:xx:xx:xx action=jump jump-target=client1 place-before=14
/ip firewall filter add chain=client1 src-address=10.7.10.9 action=accept
/ip firewall filter add chain=client1 action=drop
(the "place-before=14" is to insert it after the 13th firewall rule that denies access to various ports)
What I need is a way to use command line arguments or something…
For example, if I had bash I would use:
/ip firewall filter add chain=input in-interface=lan src-mac-address=$3 action=jump jump-target=$1 place-before=14
/ip firewall filter add chain=$1 src-address=$2 action=accept
/ip firewall filter add chain=$1 action=drop
and save it as client_add.sh, so when I type:
ssh _router_ip_ "sh client_add.sh client1 10.7.10.9 xx:xx:xx:xx:xx:xx"
it would work.
How can I do something like this in RouterOS?
Hope I made sense to anyone. Thanks in advance.
fewi
November 18, 2009, 12:10am
2
You cannot pass parameters to system scripts.
I think the easiest solution is to make use of the fact that files ending in “auto.rsc” (so test.auto.rsc, for example) uploaded via FTP (not via any other method) get automatically executed directly after upload. Write a shell script wrapper that takes your parameters, creates the correct script and uploads it via FTP.
Edit: if you really want to do this via SSH - and I can absolutely see why that would be desirable - the easiest way I can think of is to construct the same script via a bash wrapper that takes parameters, uploads it via SFTP and then runs 'ssh user@ip "/import uploaded_scriptname; /file remove uploaded_scriptname;"'.
Or just have client_add.sh run the MikroTik commands directly. bash will expand the variables and ssh will run them on the router.
pseudo code:
#!/bin/sh
# $1 = chain name, $2 = client IP, $3 = client MAC; the local shell expands them,
# then ssh sends the finished RouterOS command string to the router.
ssh user@router_ip "/ip firewall filter add chain=input in-interface=lan src-mac-address=$3 action=jump jump-target=$1 place-before=14; /ip firewall filter add chain=$1 src-address=$2 action=accept; /ip firewall filter add chain=$1 action=drop"
then call that script:
sh client_add.sh client1 10.7.10.9 xx:xx:xx:xx:xx:xx
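The wrapper above splices its arguments straight into the command string sent to the router, so a stray ";" in an argument becomes an extra RouterOS command. The script below is an added example, not code from this thread: it is the same client_add.sh idea with the three arguments whitelisted before they are interpolated. The router address (admin@192.0.2.1), the interface name "lan", the rule position place-before=14, the allowed chain-name characters and the helper names (valid_chain, valid_ipv4, valid_mac, build_client_rules, client_add) are all assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): client_add.sh that validates its three
# arguments before building the RouterOS command string sent over SSH.
# ROUTER, IN_IF and PLACE_BEFORE are assumptions; adjust them for your setup.
set -eu

ROUTER="${ROUTER:-admin@192.0.2.1}"   # assumed router user@host; override via env
IN_IF="lan"                            # ingress interface, as in the thread
PLACE_BEFORE=14                        # rule position, as in the thread

# Returns 0 if $1 is a chain name made only of letters, digits, '_' or '-'.
valid_chain() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]{1,32}$'
}

# Returns 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1          # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Returns 0 if $1 is a colon-separated 48-bit MAC address (hex pairs).
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Prints the three RouterOS commands for one client, joined with "; ", or
# fails without printing anything if an argument does not validate. The
# whitelists above are what stop a caller from smuggling additional
# ";"-separated commands into the string that reaches the router.
build_client_rules() {
    chain=$1; ip=$2; mac=$3
    valid_chain "$chain" || { echo "bad chain name: $chain" >&2; return 1; }
    valid_ipv4 "$ip"     || { echo "bad IPv4 address: $ip" >&2; return 1; }
    valid_mac "$mac"     || { echo "bad MAC address: $mac" >&2; return 1; }
    printf '%s; %s; %s' \
        "/ip firewall filter add chain=input in-interface=$IN_IF src-mac-address=$mac action=jump jump-target=$chain place-before=$PLACE_BEFORE" \
        "/ip firewall filter add chain=$chain src-address=$ip action=accept" \
        "/ip firewall filter add chain=$chain action=drop"
}

# Builds the command string and runs it on the router over SSH.
client_add() {
    cmds=$(build_client_rules "$1" "$2" "$3") || return 1
    ssh "$ROUTER" "$cmds"
}

# Entry point: only act when invoked with exactly three arguments, e.g.
#   sh client_add.sh client1 10.7.10.9 00:11:22:33:44:55
if [ "$#" -eq 3 ]; then
    client_add "$1" "$2" "$3"
fi
```

The validation is deliberately a whitelist rather than an attempt to escape ";" or quotes, because RouterOS parses the string itself and its quoting rules are not the shell's. Note that place-before=14 is a position, not a rule identity: if a rule above it is added or removed, the jump lands somewhere else, so check the rule order after changes to the rules that precede it.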
tudor
November 18, 2009, 3:47pm
5
changeip:
pseudo code:
#!/bin/sh
# $1 = chain name, $2 = client IP, $3 = client MAC; the local shell expands them,
# then ssh sends the finished RouterOS command string to the router.
ssh user@router_ip "/ip firewall filter add chain=input in-interface=lan src-mac-address=$3 action=jump jump-target=$1 place-before=14; /ip firewall filter add chain=$1 src-address=$2 action=accept; /ip firewall filter add chain=$1 action=drop"
then call that script:
sh client_add.sh client1 10.7.10.9 xx:xx:xx:xx:xx:xx
Now why didn't I think of that… Thanks a lot.
tudor
November 18, 2009, 3:51pm
6
fewi:
You cannot pass parameters to system scripts.
I think the easiest solution is to make use of the fact that files ending in “auto.rsc” (so test.auto.rsc, for example) uploaded via FTP (not via any other method) get automatically executed directly after upload. Write a shell script wrapper that takes your parameters, creates the correct script and uploads it via FTP.
Edit: if you really want to do this via SSH - and I can absolutely see why that would be desirable - the easiest way I can think of is to construct the same script via a bash wrapper that takes parameters, uploads it via SFTP and then runs 'ssh user@ip "/import uploaded_scriptname; /file remove uploaded_scriptname;"'.
Using bash to do all the work seems simpler, but thanks for the idea anyway.
Where do I enter my password? Does it pop up a prompt when you run the script?
fewi
November 19, 2009, 9:45pm
8
It pops up a prompt when you run that command just like it does for any other SSH connection you build.
You can also set up certificates instead and do away with the need for a password (beyond unlocking your keychain, if you use that functionality).
fewi:
It pops up a prompt when you run that command just like it does for any other SSH connection you build.
You can also set up certificates instead and do away with the need for a password (beyond unlocking your keychain, if you use that functionality).
Tested and confirmed. Thanks!