|
|
@@ -84,28 +84,28 @@ setup_whitenets() {
|
|
|
|
|
|
setup_badips() {
|
|
|
ipset create -! $banset hash:ip hashsize 4096 timeout $banttl
|
|
|
- iptables -A INPUT -i ${wan} -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
|
|
|
- iptables -A INPUT -i ${wan} -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
|
|
|
+ iptables -A INPUT -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
|
|
|
+ iptables -A INPUT -i ${wan} -p tcp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
|
|
|
}
|
|
|
|
|
|
setup_scanips() {
|
|
|
ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl
|
|
|
- iptables -A INPUT -i ${wan} -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
|
|
|
- iptables -A INPUT -i ${wan} -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
|
|
|
+ iptables -A INPUT -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
|
|
|
+ iptables -A INPUT -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
|
|
|
}
|
|
|
|
|
|
setup_white() {
|
|
|
iptables -N FW-FILTERED
|
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
- iptables -A FW-FILTERED -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
|
|
|
+ iptables -A FW-FILTERED -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
|
|
|
done < $CONFD/WHITE.udp
|
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
- iptables -A FW-FILTERED -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
|
+ iptables -A FW-FILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
|
done < $CONFD/WHITE.tcp
|
|
|
- iptables -A INPUT -i ${wan} -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FW-FILTERED
|
|
|
- iptables -A INPUT -i ${wan} -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FW-FILTERED
|
|
|
+ iptables -A INPUT -i ${wan} -p udp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FW-FILTERED
|
|
|
+ iptables -A INPUT -i ${wan} -p tcp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FW-FILTERED
|
|
|
iptables -A INPUT -i ${wan} -p icmp --icmp-type 8 -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto ICMP -j ACCEPT
|
|
|
}
|
|
|
|
|
|
@@ -113,14 +113,14 @@ setup_open() {
|
|
|
iptables -N FW-OPEN
|
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
- iptables -A FW-OPEN -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
|
|
|
+ iptables -A FW-OPEN -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
|
|
|
done < $CONFD/ACCEPT.udp
|
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
- iptables -A FW-OPEN -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
|
+ iptables -A FW-OPEN -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
|
done < $CONFD/ACCEPT.tcp
|
|
|
- iptables -A INPUT -i ${wan} -m conntrack --ctstate NEW --ctproto UDP -j FW-OPEN
|
|
|
- iptables -A INPUT -i ${wan} -m conntrack --ctstate NEW --ctproto TCP -j FW-OPEN
|
|
|
+ iptables -A INPUT -i ${wan} -p udp -m conntrack --ctstate NEW --ctproto UDP -j FW-OPEN
|
|
|
+ iptables -A INPUT -i ${wan} -p tcp -m conntrack --ctstate NEW --ctproto TCP -j FW-OPEN
|
|
|
}
|
|
|
|
|
|
setup_cast() {
|
