|
|
@@ -7,9 +7,12 @@ source $confd/config
|
|
|
|
|
|
set_defaults() {
|
|
|
/usr/lib/systemd/scripts/iptables-flush
|
|
|
+ ${iptables} -P INPUT DROP
|
|
|
${iptables} -P FORWARD DROP
|
|
|
${iptables} -P OUTPUT ACCEPT
|
|
|
- ${iptables} -P INPUT DROP
|
|
|
+ ${iptables} -A INPUT -i lo -j ACCEPT
|
|
|
+ ${iptables} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
|
+ ${iptables} -A INPUT -m conntrack --ctstate INVALID -j DROP
|
|
|
}
|
|
|
|
|
|
setup_final(){
|
|
|
@@ -47,9 +50,6 @@ setup_fordroplog() {
|
|
|
fi
|
|
|
}
|
|
|
|
|
|
-setup_nat() {
|
|
|
- ${iptables} -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
|
|
|
-}
|
|
|
|
|
|
setup_forward() {
|
|
|
${iptables} -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
|
@@ -88,11 +88,9 @@ setup_forward() {
|
|
|
${iptables} -A FORWARD -j REJECT --reject-with icmp-proto-unreachable
|
|
|
}
|
|
|
|
|
|
-setup_base() {
|
|
|
- ${iptables} -A INPUT -i lo -j ACCEPT
|
|
|
+lan() {
|
|
|
${iptables} -A INPUT -i ${eth0} -j ACCEPT
|
|
|
- ${iptables} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
|
- ${iptables} -A INPUT -m conntrack --ctstate INVALID -j DROP
|
|
|
+ ${iptables} -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
|
|
|
}
|
|
|
|
|
|
setup_whitenets() {
|
|
|
@@ -156,7 +154,7 @@ setup_cast() {
|
|
|
}
|
|
|
|
|
|
main () {
|
|
|
- defaultHooks="set_defaults setup_wandroplog setup_fordroplog setup_whitenets setup_nat setup_forward setup_base setup_badips setup_white setup_public setup_scanips setup_cast setup_final"
|
|
|
+ defaultHooks="set_defaults lan setup_wandroplog setup_fordroplog setup_whitenets setup_forward setup_badips setup_white setup_public setup_scanips setup_cast setup_final"
|
|
|
hookarray=(${hooks:-$defaultHooks})
|
|
|
for hook in "${hookarray[@]}" ; do
|
|
|
$hook
|
