
Merge branch 'devel'

Edvinas Valatka 8 anni fa
parent
commit
046ed48f8a
3 ha cambiato i file con 21 aggiunte e 15 eliminazioni
  1. 3 3
      config
  2. 1 1
      e-badips
  3. 17 11
      e-router

+ 3 - 3
config

@@ -16,7 +16,7 @@ banlevel=0
 # ban time in seconds,  1 week =  604800,  1 day = 86400
 banttl=604800
 # h,d,w,m,y
-rangecheck=1h
+rangecheck=2h
 # ssh,http... or any
 banservice=any
 
@@ -49,14 +49,14 @@ debugicmp=true
 ## default hook order ##
 hooks=(
 base
+cast
 lan
 whitenets
 forward
+public
 badips
 white
-public
 scanips
-cast
 final
 )
 
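Review bot: Moving `public` above `badips` and `scanips` in the hooks array changes which INPUT rule a packet from a listed address hits first. If the hooks are run in array order and each appends to INPUT (the e-router functions in this commit all use `-A`), a new connection from an address in `$banset` to a port in PUBLIC.tcp now reaches FW-PUBLIC before the ban rule and, assuming FW-PUBLIC accepts it, is never dropped or logged; the same applies to the scan counting in `scanips`, which now only sees traffic to non-public ports. If the intent is that public ports ignore the ban and scan sets, a comment above `hooks=(` saying so, e.g. `# public is placed before badips/scanips on purpose: ban lists do not apply to public ports`, would stop the next reader from reverting it; otherwise `public` should stay below `scanips`.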

+ 1 - 1
e-badips

@@ -13,7 +13,7 @@ if curl -f -s -S -m 60 -o $tmp "https://www.badips.com/get/list/${banservice}/${
     done < $tmp
 fi
 
-if curl -f -s -S -m 60 -o $tmp  "http://api.blocklist.de/getlast.php?time=3600&service=all" ; then
+if curl -f -s -S -m 60 -o $tmp  "http://api.blocklist.de/getlast.php?time=7200&service=all" ; then
     while read -r ip ; do
         [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] && ipset -! add ${banset} ${ip} timeout $banttl
     done < $tmp
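Review bot: The blocklist.de feed that populates `$banset` is fetched over plain `http://` on the changed line, so the list that drives drop rules on the WAN interface has no transport integrity; if the API is reachable over `https://` the URL should use it, as the badips.com fetch above already does. The window is also a literal `time=7200` while the config hunk in this commit sets `rangecheck=2h`; the two were bumped together, which suggests a single config value (for example a seconds form such as `rangecheck_sec=7200` used as `time=${rangecheck_sec}`) so they cannot drift apart again. Already present before this change, but worth fixing while here: the regex that gates `ipset add` uses unescaped `.` between the octets, so `\.` would make it accept only dotted quads, and `$tmp` and `${ip}` should be double-quoted. The enclosing `if` for the first fetch starts outside the hunk.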

+ 17 - 11
e-router

@@ -20,7 +20,8 @@ base() {
 
 final(){
     if $loginput; then
-        droplog "FINAL" "INPUT"
+        droplog "FINAL"
+        ${iptables} -A INPUT -j FINAL-LOG-DROP
     fi
 }
 
@@ -35,7 +36,6 @@ droplog() {
     if $debugicmp; then
         ${iptables} -A ${1}-LOG-DROP -p icmp -j LOG --log-prefix "${1}-LOG-DROP ICMP: " --log-level 7
     fi
-    ${iptables} -A ${2} -j ${1}-LOG-DROP
 }
 
 forward() {
@@ -66,7 +66,8 @@ forward() {
     done < $confd/FORWARD.udp
 
     if $logforward ; then
-        droplog "FORWARD" "FORWARD"
+        droplog "FORWARD"
+        ${iptables} -A FORWARD -j FORWARD-LOG-DROP
     fi
     ${iptables} -A FORWARD -j END-RESET
 }
@@ -89,20 +90,24 @@ whitenets() {
 badips() {
     ipset create -! $banset hash:ip hashsize 4096 timeout $banttl  maxelem $badmaxelems
     if $logbad ; then
-        droplog "BAD" "INPUT"
+        droplog "BAD"
+        ${iptables} -A INPUT -i ${wan} -p udp       -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j BAD-LOG-DROP
+        ${iptables} -A INPUT -i ${wan} -p tcp --syn -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j BAD-LOG-DROP
     fi
-    ${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j END-RESET
+    ${iptables} -A INPUT -i ${wan} -p udp       -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j END-RESET
     ${iptables} -A INPUT -i ${wan} -p tcp --syn -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j END-RESET
 }
 
 scanips() {
     ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl maxelem $scanmaxelems
-    ${iptables} -A INPUT -i ${wan} -p udp -m conntrack --ctstate NEW --ctproto UDP -j SET --add-set $scanset src --exist  --timeout $scanttl
-    ${iptables} -A INPUT -i ${wan} -p tcp --syn -m conntrack --ctstate NEW --ctproto TCP -j SET --add-set $scanset src --exist  --timeout $scanttl
+    ${iptables} -A INPUT -i ${wan} -p udp       -m conntrack --ctstate NEW --ctproto UDP -j SET --add-set $scanset src --exist --timeout $scanttl
+    ${iptables} -A INPUT -i ${wan} -p tcp --syn -m conntrack --ctstate NEW --ctproto TCP -j SET --add-set $scanset src --exist --timeout $scanttl
     if $logscan ; then
-        droplog "SCAN" "INPUT"
+        droplog "SCAN"
+        ${iptables} -A INPUT -i ${wan} -p udp       -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j SCAN-LOG-DROP
+        ${iptables} -A INPUT -i ${wan} -p tcp --syn -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j SCAN-LOG-DROP
     fi
-    ${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j END-RESET
+    ${iptables} -A INPUT -i ${wan} -p udp       -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j END-RESET
     ${iptables} -A INPUT -i ${wan} -p tcp --syn -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j END-RESET
 }
 
@@ -116,8 +121,9 @@ white() {
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
         ${iptables} -A FW-FILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
     done < $confd/WHITE.tcp
-    ${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FW-FILTERED
+    ${iptables} -A INPUT -i ${wan} -p udp       -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FW-FILTERED
     ${iptables} -A INPUT -i ${wan} -p tcp --syn -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FW-FILTERED
+
     ${iptables} -A INPUT -i ${wan} -p icmp --icmp-type 8 -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto ICMP -j ACCEPT
 }
 
@@ -131,7 +137,7 @@ public() {
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
         ${iptables} -A FW-PUBLIC -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
     done < $confd/PUBLIC.tcp
-    ${iptables} -A INPUT -i ${wan} -p udp -m conntrack --ctstate NEW --ctproto UDP -j FW-PUBLIC
+    ${iptables} -A INPUT -i ${wan} -p udp       -m conntrack --ctstate NEW --ctproto UDP -j FW-PUBLIC
     ${iptables} -A INPUT -i ${wan} -p tcp --syn -m conntrack --ctstate NEW --ctproto TCP -j FW-PUBLIC
 }
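Review bot: In `badips()` and `scanips()` the new logging rules duplicate the END-RESET rules below them verbatim except for the set and the target, giving four near-identical `${iptables} -A INPUT -i ${wan} ...` lines per function that have to be edited in lockstep; a small helper taking the set and target would make each call site one line and keep the UDP and TCP-SYN variants from drifting apart. `droplog()` also changed contract in this commit (it no longer appends the jump into `${1}-LOG-DROP`, every caller does it), so its header should say so, e.g. `# Creates and fills the ${1}-LOG-DROP chain; the caller is responsible for appending the jump to it`. `droplog()` starts outside the hunk, and whether `*-LOG-DROP` ends in DROP (which would decide whether the END-RESET rules after it are still reachable when logging is on) is not visible here.

```shell
# Append the two NEW-connection rules on $wan (UDP, TCP SYN) for addresses
# in ipset $1, jumping to target $2.
set_match_new() {
    local set=$1 target=$2
    ${iptables} -A INPUT -i ${wan} -p udp       -m set --match-set "$set" src -m conntrack --ctstate NEW --ctproto UDP -j "$target"
    ${iptables} -A INPUT -i ${wan} -p tcp --syn -m set --match-set "$set" src -m conntrack --ctstate NEW --ctproto TCP -j "$target"
}

badips() {
    ipset create -! $banset hash:ip hashsize 4096 timeout $banttl  maxelem $badmaxelems
    if $logbad ; then
        droplog "BAD"
        set_match_new "$banset" BAD-LOG-DROP
    fi
    set_match_new "$banset" END-RESET
}

scanips() {
    # … unchanged: ipset create and the two SET --add-set rules …
    if $logscan ; then
        droplog "SCAN"
        set_match_new "$scanset" SCAN-LOG-DROP
    fi
    set_match_new "$scanset" END-RESET
}
```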