@@ -23,7 +23,7 @@ final(){
${iptables} -A INPUT -j REJECT --reject-with icmp-proto-unreachable
}
-setup_wandroplog() {
+wandroplog() {
${iptables} -N WAN-LOG-DROP
if $debugtcp; then
${iptables} -A WAN-LOG-DROP -p tcp -j LOG --log-prefix "WAN-LOG-DROP TCP: " --log-level 7
@@ -36,7 +36,7 @@ setup_wandroplog() {
fi
}
-setup_fordroplog() {
+fordroplog() {
${iptables} -N FORWARD-LOG-DROP
if $debugtcp; then
${iptables} -A FORWARD-LOG-DROP -p tcp -j LOG --log-prefix "FORWARD-LOG-DROP TCP: " --log-level 7
@@ -50,7 +50,7 @@ setup_fordroplog() {
}
-setup_forward() {
+forward() {
${iptables} -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
${iptables} -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
while read -r ip public private ; do
@@ -92,7 +92,7 @@ lan() {
${iptables} -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
}
-setup_whitenets() {
+whitenets() {
ipset create -! $whiteset hash:net hashsize 4096 timeout $whitettl maxelem $whitemaxelems
while read -r net ; do
[[ "$net" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}/[0-9]{1,}$ ]] || continue
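Review bot: The whitelist filter on the `[[ "$net" =~ ... ]]` line uses unescaped `.` between the octets, so any single character is accepted in those positions and a malformed entry such as `1a2b3c4/8` passes the check before it reaches the ipset/iptables commands that presumably follow; the dotted-quad form should be anchored with `^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$` (the `{1,}` quantifiers can also be written `+`). Since whitelisted networks bypass the drop rules, this regex is the only gate visible here on the WHITE.nets input, which argues for being strict rather than permissive. This is a context line the commit leaves as it was, and whitenets()'s body continues past the end of the hunk.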
@@ -100,13 +100,13 @@ setup_whitenets() {
done < $confd/WHITE.nets
}
-setup_badips() {
+badips() {
ipset create -! $banset hash:ip hashsize 4096 timeout $banttl maxelem $badmaxelems
${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
${iptables} -A INPUT -i ${wan} -p tcp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
}
-setup_scanips() {
+scanips() {
ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl maxelem $scanmaxelems
${iptables} -A INPUT -i ${wan} -j SET --add-set $scanset src --exist --timeout $scanttl
if $loginput ; then
@@ -116,7 +116,7 @@ setup_scanips() {
${iptables} -A INPUT -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
}
-setup_white() {
+white() {
${iptables} -N FW-FILTERED
while read -r port ; do
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
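Review bot: The `^[0-9]{1,}$` test in the `while read -r port` loop accepts any digit string, including values above 65535, so a bad line in the port list is not skipped here and presumably only fails later when iptables rejects the rule; adding `(( port >= 1 && port <= 65535 )) || continue` after the regex keeps the skip-on-bad-input behaviour the regex is clearly meant to provide. The same loop and regex recur in public() in the next hunk (`@@ -131,7 +131,7 @@`), which would want the same guard. white()'s body continues past the end of this hunk.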
@@ -131,7 +131,7 @@ setup_white() {
${iptables} -A INPUT -i ${wan} -p icmp --icmp-type 8 -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto ICMP -j ACCEPT
}
-setup_public() {
+public() {
${iptables} -N FW-PUBLIC
while read -r port ; do
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
@@ -145,7 +145,7 @@ setup_public() {
${iptables} -A INPUT -i ${wan} -p tcp -m conntrack --ctstate NEW --ctproto TCP -j FW-PUBLIC
}
-setup_cast() {
+cast() {
${iptables} -N FW-CAST
${iptables} -A FW-CAST -m pkttype --pkt-type broadcast -j ACCEPT
${iptables} -A FW-CAST -m pkttype --pkt-type multicast -j ACCEPT