|
@@ -5,11 +5,20 @@ confd=/etc/e-router
|
|
|
source $confd/config
|
|
source $confd/config
|
|
|
|
|
|
|
|
_broken(){
|
|
_broken(){
|
|
|
|
|
+ ${iptables} -N FWSCAN
|
|
|
${iptables} -N BROKENLOGDROP
|
|
${iptables} -N BROKENLOGDROP
|
|
|
if $logbroken; then
|
|
if $logbroken; then
|
|
|
${iptables} -A BROKENLOGDROP -j LOG --log-prefix "BROKENLOGDROP TCP: " --log-level 7
|
|
${iptables} -A BROKENLOGDROP -j LOG --log-prefix "BROKENLOGDROP TCP: " --log-level 7
|
|
|
fi
|
|
fi
|
|
|
- ${iptables} -A BROKENLOGDROP -j ENDRESET
|
|
|
|
|
|
|
+ ${iptables} -A BROKENLOGDROP -i ${wan} -j FWSCAN
|
|
|
|
|
+ ${iptables} -A BROKENLOGDROP -j DROP
|
|
|
|
|
+
|
|
|
|
|
+ ${iptables} -N BROKENLOGRST
|
|
|
|
|
+ if $logbroken; then
|
|
|
|
|
+ ${iptables} -A BROKENLOGRST -j LOG --log-prefix "BROKENLOGRST TCP: " --log-level 7
|
|
|
|
|
+ fi
|
|
|
|
|
+ ${iptables} -A BROKENLOGRST -i ${wan} -j FWSCAN
|
|
|
|
|
+ ${iptables} -A BROKENLOGRST -j ENDRESET
|
|
|
|
|
|
|
|
${iptables} -N STRANGELOG
|
|
${iptables} -N STRANGELOG
|
|
|
if $logstrange; then
|
|
if $logstrange; then
|
|
@@ -18,42 +27,46 @@ _broken(){
|
|
|
|
|
|
|
|
${iptables} -N FWSUSPICIOUS
|
|
${iptables} -N FWSUSPICIOUS
|
|
|
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --sport 0:19 -j BROKENLOGDROP
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --dport 0:19 -j BROKENLOGDROP
|
|
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --sport 0:19 -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --dport 0:19 -j BROKENLOGRST
|
|
|
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL ACK -m conntrack --ctstate ESTABLISHED -j RETURN
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL ACK -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK -m conntrack --ctstate ESTABLISHED -j RETURN
|
|
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL ACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL ACK -m conntrack --ctstate NEW,RELATED -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK -m conntrack --ctstate NEW -j RETURN
|
|
${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK -m conntrack --ctstate NEW -j RETURN
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK -m conntrack --ctstate RELATED -j BROKENLOGDROP
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL NONE -j BROKENLOGDROP
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL ALL -j BROKENLOGDROP
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,FIN SYN,FIN -j BROKENLOGDROP
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,RST SYN,RST -j BROKENLOGDROP
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags RST,FIN RST,FIN -j BROKENLOGDROP
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,URG SYN,URG -j BROKENLOGDROP
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN,PSH -j BROKENLOGDROP
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK,PSH -j BROKENLOGDROP
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ACK,FIN FIN -j BROKENLOGDROP
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ACK,PSH PSH -j BROKENLOGDROP
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ACK,URG URG -j BROKENLOGDROP
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST -m conntrack --ctstate ESTABLISHED -j RETURN
|
|
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK -m conntrack --ctstate RELATED -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL NONE -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL ALL -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,FIN SYN,FIN -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,RST SYN,RST -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags RST,FIN RST,FIN -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,URG SYN,URG -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN,PSH -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK,PSH -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ACK,FIN FIN -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ACK,PSH PSH -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ACK,URG URG -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
|
|
${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,ACK NONE -j BROKENLOGDROP
|
|
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST -m conntrack --ctstate INVALID -j BROKENLOGDROP
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,ACK NONE -j BROKENLOGRST
|
|
|
${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN -m conntrack --ctstate NEW -j RETURN
|
|
${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN -m conntrack --ctstate NEW -j RETURN
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN -m conntrack --ctstate RELATED -j RETURN
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN -m conntrack --ctstate ESTABLISHED -j BROKENLOGDROP
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK -m conntrack --ctstate ESTABLISHED -j RETURN
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL FIN,ACK -m conntrack --ctstate ESTABLISHED -j RETURN
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL FIN,ACK -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST,ACK -m conntrack --ctstate ESTABLISHED -j RETURN
|
|
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN -m conntrack --ctstate RELATED -j ACCEPT
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN -m conntrack --ctstate ESTABLISHED -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK -m conntrack --ctstate NEW,RELATED -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK -m conntrack --ctstate INVALID -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL FIN,ACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL FIN,ACK -m conntrack --ctstate NEW,RELATED -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL FIN,ACK -m conntrack --ctstate INVALID -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST,ACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST,ACK -m conntrack --ctstate NEW -j RETURN
|
|
${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST,ACK -m conntrack --ctstate NEW -j RETURN
|
|
|
${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST,ACK -m conntrack --ctstate RELATED -j BROKENLOGDROP
|
|
${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST,ACK -m conntrack --ctstate RELATED -j BROKENLOGDROP
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL ACK,PSH,RST -m conntrack --ctstate ESTABLISHED -j RETURN
|
|
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL ACK,PSH,RST -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL ACK,PSH,RST -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
|
|
${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL ACK,PSH,RST -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK -m conntrack --ctstate ESTABLISHED -j RETURN
|
|
|
|
|
- ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
|
|
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK -m conntrack --ctstate NEW,RELATED -j BROKENLOGRST
|
|
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK -m conntrack --ctstate INVALID -j BROKENLOGRST
|
|
|
${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,PSH -j STRANGELOG
|
|
${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,PSH -j STRANGELOG
|
|
|
${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,URG -j STRANGELOG
|
|
${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,URG -j STRANGELOG
|
|
|
${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,PSH,URG -j STRANGELOG
|
|
${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,PSH,URG -j STRANGELOG
|
|
@@ -103,6 +116,7 @@ _forward() {
|
|
|
done < $confd/FORWARD.udp
|
|
done < $confd/FORWARD.udp
|
|
|
|
|
|
|
|
if $logforward ; then
|
|
if $logforward ; then
|
|
|
|
|
+ _droplog "FORWARD"
|
|
|
${iptables} -A FORWARD -j FORWARDLOGDROP
|
|
${iptables} -A FORWARD -j FORWARDLOGDROP
|
|
|
fi
|
|
fi
|
|
|
}
|
|
}
|
|
@@ -112,10 +126,23 @@ _init(){
|
|
|
${iptables} -P INPUT DROP
|
|
${iptables} -P INPUT DROP
|
|
|
${iptables} -P FORWARD DROP
|
|
${iptables} -P FORWARD DROP
|
|
|
${iptables} -P OUTPUT ACCEPT
|
|
${iptables} -P OUTPUT ACCEPT
|
|
|
|
|
+ ${iptables} -A INPUT -i lo -j ACCEPT
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p icmp --icmp-type echo-request -j ACCEPT
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p icmp --icmp-type time-exceeded -j ACCEPT
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p icmp --icmp-type destination-unreachable -j ACCEPT
|
|
|
${iptables} -N ENDRESET
|
|
${iptables} -N ENDRESET
|
|
|
${iptables} -A ENDRESET -p tcp -j REJECT --reject-with tcp-reset
|
|
${iptables} -A ENDRESET -p tcp -j REJECT --reject-with tcp-reset
|
|
|
${iptables} -A ENDRESET -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
${iptables} -A ENDRESET -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
|
${iptables} -A ENDRESET -j REJECT --reject-with icmp-proto-unreachable
|
|
${iptables} -A ENDRESET -j REJECT --reject-with icmp-proto-unreachable
|
|
|
|
|
+ _unblock
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
+_unblock(){
|
|
|
|
|
+ ipset create -! $scanset hash:ip hashsize $scanmaxelems timeout $scanttl maxelem $scanmaxelems forceadd counters
|
|
|
|
|
+ ${iptables} -N FWUNBLOCK
|
|
|
|
|
+ ${iptables} -A FWUNBLOCK -i ${wan} -m set --match-set $scanset src -j LOG --log-prefix "UNBLOCK: " --log-level 7
|
|
|
|
|
+ ${iptables} -A FWUNBLOCK -i ${wan} -m set --match-set $scanset src -j SET --del-set $scanset src
|
|
|
|
|
+ ${iptables} -A FWUNBLOCK -j ACCEPT
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
_whitenets() {
|
|
_whitenets() {
|
|
@@ -128,17 +155,15 @@ _whitenets() {
|
|
|
|
|
|
|
|
base() {
|
|
base() {
|
|
|
_init
|
|
_init
|
|
|
- ${iptables} -A INPUT -i lo -j ACCEPT
|
|
|
|
|
- if $logbroken; then
|
|
|
|
|
- _broken
|
|
|
|
|
- ${iptables} -A INPUT -i ${wan} -p tcp -j FWSUSPICIOUS
|
|
|
|
|
- fi
|
|
|
|
|
- ${iptables} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} ! -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j FWUNBLOCK
|
|
|
|
|
+ _broken
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p tcp -j FWSUSPICIOUS
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j FWUNBLOCK
|
|
|
if $loginvalid; then
|
|
if $loginvalid; then
|
|
|
_droplog "INVALID"
|
|
_droplog "INVALID"
|
|
|
- ${iptables} -A INPUT -m conntrack --ctstate INVALID -j INVALIDLOGDROP
|
|
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -m conntrack --ctstate INVALID -j INVALIDLOGDROP
|
|
|
fi
|
|
fi
|
|
|
- ${iptables} -A INPUT -m conntrack --ctstate INVALID -j DROP
|
|
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -m conntrack --ctstate INVALID -j DROP
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
cast() {
|
|
cast() {
|
|
@@ -153,52 +178,38 @@ cast() {
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
lan() {
|
|
lan() {
|
|
|
- if $logforward ; then
|
|
|
|
|
- _droplog "FORWARD"
|
|
|
|
|
- fi
|
|
|
|
|
${iptables} -A INPUT -i ${eth0} -j ACCEPT
|
|
${iptables} -A INPUT -i ${eth0} -j ACCEPT
|
|
|
|
|
+ ${iptables} -t nat -A POSTROUTING -p udp --sport 3000 --o ${wan} -s ${locnet} -j MASQUERADE --to-ports 3000
|
|
|
${iptables} -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
|
|
${iptables} -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
|
|
|
- ${iptables} -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
|
|
|
|
|
- if $logbroken; then
|
|
|
|
|
- ${iptables} -A FORWARD -i ${wan} -p tcp -j FWSUSPICIOUS
|
|
|
|
|
- fi
|
|
|
|
|
- ${iptables} -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
|
|
|
|
|
+ ${iptables} -A FORWARD -i ${wan} -o ${eth0} ! -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j FWUNBLOCK
|
|
|
|
|
+ ${iptables} -A FORWARD -p tcp -j FWSUSPICIOUS
|
|
|
|
|
+ ${iptables} -A FORWARD -i ${wan} -o ${eth0} -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j FWUNBLOCK
|
|
|
if $loginvalid; then
|
|
if $loginvalid; then
|
|
|
_droplog "FWDINVALID"
|
|
_droplog "FWDINVALID"
|
|
|
${iptables} -A FORWARD -m conntrack --ctstate INVALID -j FWDINVALIDLOGDROP
|
|
${iptables} -A FORWARD -m conntrack --ctstate INVALID -j FWDINVALIDLOGDROP
|
|
|
fi
|
|
fi
|
|
|
- ${iptables} -A FORWARD -m conntrack --ctstate INVALID -j DROP
|
|
|
|
|
|
|
+ ${iptables} -A FORWARD -m conntrack --ctstate INVALID -j DROP
|
|
|
|
|
+ ${iptables} -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
|
|
|
_forward
|
|
_forward
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
badips() {
|
|
badips() {
|
|
|
- ipset create -! $banset hash:ip hashsize 4096 timeout $banttl maxelem $badmaxelems
|
|
|
|
|
|
|
+ ipset create -! $banset hash:ip hashsize $badmaxelems timeout $banttl maxelem $badmaxelems
|
|
|
${iptables} -N FWBAD
|
|
${iptables} -N FWBAD
|
|
|
if $logbad ; then
|
|
if $logbad ; then
|
|
|
_droplog "BAD"
|
|
_droplog "BAD"
|
|
|
- ${iptables} -A FWBAD -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j BADLOGDROP
|
|
|
|
|
- ${iptables} -A FWBAD -i ${wan} -p tcp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j BADLOGDROP
|
|
|
|
|
|
|
+ ${iptables} -A FWBAD -i ${wan} -m set --match-set $banset src -m conntrack --ctstate NEW -j BADLOGDROP
|
|
|
fi
|
|
fi
|
|
|
- ${iptables} -A FWBAD -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j ENDRESET
|
|
|
|
|
- ${iptables} -A FWBAD -i ${wan} -p tcp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j ENDRESET
|
|
|
|
|
|
|
+ ${iptables} -A FWBAD -i ${wan} -m set --match-set $banset src -m conntrack --ctstate NEW -j ENDRESET
|
|
|
${iptables} -A INPUT -j FWBAD
|
|
${iptables} -A INPUT -j FWBAD
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
scanips() {
|
|
scanips() {
|
|
|
- ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl maxelem $scanmaxelems forceadd counters
|
|
|
|
|
- ${iptables} -N FWSCAN
|
|
|
|
|
- ${iptables} -A FWSCAN -i ${wan} -p udp -j SET --add-set $scanset src --exist --timeout $scanttl
|
|
|
|
|
- ${iptables} -A FWSCAN -i ${wan} -p tcp -m set ! --match-set $scanset src -j SET --add-set $scanset src --exist --timeout $scanttl
|
|
|
|
|
|
|
+ ${iptables} -A FWSCAN -i ${wan} -j SET --add-set $scanset src --exist
|
|
|
if $logscan ; then
|
|
if $logscan ; then
|
|
|
_droplog "SCAN"
|
|
_droplog "SCAN"
|
|
|
- ${iptables} -A FWSCAN -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j SCANLOGDROP
|
|
|
|
|
- ${iptables} -A FWSCAN -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j SCANLOGDROP
|
|
|
|
|
|
|
+ ${iptables} -A FWSCAN -i ${wan} -m set --match-set $scanset src ! --update-counters -j SCANLOGDROP
|
|
|
fi
|
|
fi
|
|
|
- ${iptables} -A FWSCAN -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j ENDRESET
|
|
|
|
|
- ${iptables} -A FWSCAN -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j ENDRESET
|
|
|
|
|
- ${iptables} -A BROKENLOGDROP -j FWSCAN
|
|
|
|
|
- ${iptables} -D BROKENLOGDROP -j ENDRESET
|
|
|
|
|
- ${iptables} -A BROKENLOGDROP -j ENDRESET
|
|
|
|
|
${iptables} -A INPUT -j FWSCAN
|
|
${iptables} -A INPUT -j FWSCAN
|
|
|
}
|
|
}
|
|
|
|
|
|
|
@@ -213,10 +224,8 @@ white() {
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
${iptables} -A FWFILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
${iptables} -A FWFILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
|
done < $confd/WHITE.tcp
|
|
done < $confd/WHITE.tcp
|
|
|
- ${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FWFILTERED
|
|
|
|
|
- ${iptables} -A INPUT -i ${wan} -p tcp --syn -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FWFILTERED
|
|
|
|
|
-
|
|
|
|
|
- ${iptables} -A INPUT -i ${wan} -p icmp --icmp-type 8 -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto ICMP -j ACCEPT
|
|
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FWFILTERED
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p tcp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FWFILTERED
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
public() {
|
|
public() {
|
|
@@ -229,8 +238,8 @@ public() {
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
${iptables} -A FWPUBLIC -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
${iptables} -A FWPUBLIC -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
|
done < $confd/PUBLIC.tcp
|
|
done < $confd/PUBLIC.tcp
|
|
|
- ${iptables} -A INPUT -i ${wan} -p udp -m conntrack --ctstate NEW --ctproto UDP -j FWPUBLIC
|
|
|
|
|
- ${iptables} -A INPUT -i ${wan} -p tcp --syn -m conntrack --ctstate NEW --ctproto TCP -j FWPUBLIC
|
|
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p udp -m conntrack --ctstate NEW --ctproto UDP -j FWPUBLIC
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p tcp -m conntrack --ctstate NEW --ctproto TCP -j FWPUBLIC
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
final(){
|
|
final(){
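Review bot: The new `${iptables} -A INPUT -i ${wan} -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j FWUNBLOCK` rule in the `base()` hunk (and its FORWARD twin in `lan()`) is placed after the jump to FWSUSPICIOUS, yet the same commit turns FWSUSPICIOUS's ESTABLISHED rules from `RETURN` into `ACCEPT` (the `ALL ACK`, `PSH,ACK`, `RST`, `SYN,ACK`, `FIN,ACK`, `RST,ACK`, `ACK,PSH,RST` and `FIN,PSH,ACK` lines in the `_broken` hunk), so an established TCP packet with any of those flag sets is accepted inside FWSUSPICIOUS and never reaches the unblock rule, meaning a TCP-only host is never removed from `$scanset`; as far as the enumerated rules go, only flag combinations FWSUSPICIOUS does not list would ever hit it. If TCP traffic is meant to unblock, either insert the FWUNBLOCK jump before `-j FWSUSPICIOUS` or keep the `RETURN` verdicts and let INPUT/FORWARD decide. Separately, the `scanips()` hunk removes FWSCAN's unconditional `-j ENDRESET` rules and the only verdict left for set members is the `-j SCANLOGDROP` jump inside `if $logscan`, so whether a listed source is rejected now depends on the logging flag (`badips()` keeps its `-j ENDRESET` outside the `if`); if FWSCAN is now meant to be a tag-only chain whose callers (BROKENLOGDROP → DROP, BROKENLOGRST → ENDRESET) apply the verdict, that rule should be a plain `-j LOG --log-prefix "SCAN: "` rather than a jump into whatever `_droplog` builds, which is outside this diff. In the `_init` hunk, `echo-request` from `${wan}` is now accepted for every source, where the old rule in `white()` gated it on `$whiteset`; if that is intended, a rate limit such as `-m limit --limit 1/s --limit-burst 5` on that rule (values are an example) would keep the router from answering unbounded probes. Finally, `--o ${wan}` in the new MASQUERADE line in `lan()` should be `-o ${wan}`; it only works if the option parser happens to accept `--o` as an abbreviation of `--out-interface`.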
|