Etusivu Tutki Apua
Kirjaudu sisään
arch
/
e-router
Tarkkaile 3
Äänestä 0
Fork 0
Tiedostot Ongelmat 0 Pull-pyynnöt 0 Wiki
Selaa lähdekoodia

Feat: scanips, debug levels, refactor names

Edvinas Valatka 9 vuotta sitten
vanhempi
7576f33f7b
commit
12fa17f9fa
2 muutettua tiedostoa jossa 50 lisäystä ja 21 poistoa
Jaettu näkymä Näytä diff tilastot
  1. 14 4
      config
  2. 36 17
      e-router

+ 14 - 4
config
Näytä tiedosto 

@@ -10,7 +10,7 @@ banset=badips
 
 # 0 - 5 , 0 will ban max
 
 banlevel=0
 
 # ban time in seconds,  1 week =  604800,  1 day = 86400
 
-bantime=604800
 
+banttl=604800
 
 # h,d,w,m,y
 
 rangecheck=1h
 
 # ssh,http... or any
 
@@ -19,8 +19,18 @@ banservice=any
 
 ## whitenets ##
 
 #ipset name
 
 whiteset=goodips
 
-# route ttl
 
-routettl=172800
 
+# default ttl
 
+whitettl=172800
 
+
 
+## scannets ##
 
+#ipset name
 
+scanset=scanips
 
+# default ttl
 
+scanttl=172800
 
 
 ## DEBUG ##
 
-debug=true
 
+loginput=true
 
+logforward=true
 
+debugtcp=true
 
+debugudp=true
 
+debugicmp=true

+ 36 - 17
e-router
Näytä tiedosto 

@@ -1,4 +1,4 @@
 
-#!/bin/bash
 
+#!/bin/bash -x
 
 ((EUID == 0 )) || { echo "Need root"; exit 1; }
 
 set -euo pipefail
 
 CONFD=/etc/e-router
 
@@ -12,7 +12,7 @@ set_defaults() {
 
 }
 
 
 setup_final(){
 
-    if $debug ; then
 
+    if $loginput ; then
 
         setup_wandroplog
 
         iptables -A INPUT -j WAN-LOG-DROP
 
     else
 
@@ -22,22 +22,34 @@ setup_final(){
 
 
 setup_wandroplog() {
 
     iptables -N WAN-LOG-DROP
 
-    iptables -A WAN-LOG-DROP -p tcp  -j LOG --log-prefix  "WAN-LOG-DROP TCP: " --log-level 7
 
-    iptables -A WAN-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
 
-    iptables -A WAN-LOG-DROP -p udp  -j LOG --log-prefix  "WAN-LOG-DROP UDP: " --log-level 7
 
-    iptables -A WAN-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
 
-    iptables -A WAN-LOG-DROP -p icmp -j LOG --log-prefix  "WAN-LOG-DROP ICMP: " --log-level 7
 
-    iptables -A WAN-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
 
+    if $debugtcp; then
 
+        iptables -A WAN-LOG-DROP -p tcp  -j LOG --log-prefix  "WAN-LOG-DROP TCP: " --log-level 7
 
+        iptables -A WAN-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
 
+    fi
 
+    if $debugudp; then
 
+        iptables -A WAN-LOG-DROP -p udp  -j LOG --log-prefix  "WAN-LOG-DROP UDP: " --log-level 7
 
+        iptables -A WAN-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
 
+    fi
 
+    if $debugicmp; then
 
+        iptables -A WAN-LOG-DROP -p icmp -j LOG --log-prefix  "WAN-LOG-DROP ICMP: " --log-level 7
 
+        iptables -A WAN-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
 
+    fi
 
 }
 
 
 setup_fordroplog() {
 
     iptables -N FORWARD-LOG-DROP
 
-    iptables -A FORWARD-LOG-DROP -p tcp  -j LOG --log-prefix "FORWARD-LOG-DROP TCP: " --log-level 7
 
-    iptables -A FORWARD-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
 
-    iptables -A FORWARD-LOG-DROP -p udp  -j LOG --log-prefix "FORWARD-LOG-DROP UDP: " --log-level 7
 
-    iptables -A FORWARD-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
 
-    iptables -A FORWARD-LOG-DROP -p icmp -j LOG --log-prefix "FORWARD-LOG-DROP ICMP: " --log-level 7
 
-    iptables -A FORWARD-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
 
+    if $debugtcp; then
 
+        iptables -A FORWARD-LOG-DROP -p tcp  -j LOG --log-prefix "FORWARD-LOG-DROP TCP: " --log-level 7
 
+        iptables -A FORWARD-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
 
+    fi
 
+    if $debugudp; then
 
+        iptables -A FORWARD-LOG-DROP -p udp  -j LOG --log-prefix "FORWARD-LOG-DROP UDP: " --log-level 7
 
+        iptables -A FORWARD-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
 
+    fi
 
+    if $debugicmp; then
 
+        iptables -A FORWARD-LOG-DROP -p icmp -j LOG --log-prefix "FORWARD-LOG-DROP ICMP: " --log-level 7
 
+        iptables -A FORWARD-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
 
+    fi
 
 }
 
 
 setup_nat() {
 
@@ -47,7 +59,7 @@ setup_nat() {
 
 setup_forward() {
 
     iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
     iptables -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
 
-    if $debug ; then
 
+    if $logforward ; then
 
         setup_fordroplog
 
         iptables -A FORWARD -j FORWARD-LOG-DROP
 
     else
 
@@ -63,7 +75,7 @@ setup_base() {
 
 }
 
 
 setup_whitenets() {
 
-    ipset create -! $whiteset hash:net hashsize 4096 timeout $routettl
 
+    ipset create -! $whiteset hash:net hashsize 4096 timeout $whitettl
 
     while read -r net ; do
 
         [[ "$net" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}/[0-9]{1,}$ ]] || continue
 
         ipset -! add  $whiteset $net timeout 0
 
@@ -71,11 +83,17 @@ setup_whitenets() {
 
 }
 
 
 setup_badips() {
 
-    ipset create -! $banset hash:ip hashsize 4096 timeout $bantime
 
+    ipset create -! $banset hash:ip hashsize 4096 timeout $banttl
 
     iptables -A INPUT -i ${wan} -m set --match-set $banset src -p udp -j REJECT --reject-with icmp-port-unreachable
 
     iptables -A INPUT -i ${wan} -m set --match-set $banset src -p tcp -j REJECT --reject-with tcp-reset
 
 }
 
 
+setup_scanips() {
 
+    ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl
 
+    iptables -A INPUT -i ${wan} -m set --match-set $scanset src -p udp -j REJECT --reject-with icmp-port-unreachable
 
+    iptables -A INPUT -i ${wan} -m set --match-set $scanset src -p tcp -j REJECT --reject-with tcp-reset
 
+}
 
+
 
 setup_white() {
 
     iptables -N FW-FILTERED
 
     while read -r port ; do
 
@@ -121,6 +139,7 @@ main () {
 
     setup_badips
 
     setup_white
 
     setup_open
 
+    setup_scanips
 
     setup_cast
 
     setup_final
 
 }