|
@@ -84,14 +84,14 @@ setup_whitenets() {
|
|
|
|
|
|
|
|
setup_badips() {
|
|
setup_badips() {
|
|
|
ipset create -! $banset hash:ip hashsize 4096 timeout $banttl
|
|
ipset create -! $banset hash:ip hashsize 4096 timeout $banttl
|
|
|
- iptables -A INPUT -i ${wan} -m set --match-set $banset src -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
|
- iptables -A INPUT -i ${wan} -m set --match-set $banset src -p tcp -j REJECT --reject-with tcp-reset
|
|
|
|
|
|
|
+ iptables -A INPUT -i ${wan} -m set --match-set $banset src -p udp -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
|
+ iptables -A INPUT -i ${wan} -m set --match-set $banset src -p tcp -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
setup_scanips() {
|
|
setup_scanips() {
|
|
|
ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl
|
|
ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl
|
|
|
- iptables -A INPUT -i ${wan} -m set --match-set $scanset src -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
|
- iptables -A INPUT -i ${wan} -m set --match-set $scanset src -p tcp -j REJECT --reject-with tcp-reset
|
|
|
|
|
|
|
+ iptables -A INPUT -i ${wan} -m set --match-set $scanset src -p udp -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
|
+ iptables -A INPUT -i ${wan} -m set --match-set $scanset src -p tcp -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
setup_white() {
|
|
setup_white() {
|
