|
|
@@ -1,8 +1,8 @@
|
|
|
#!/bin/bash -x
|
|
|
((EUID == 0 )) || { echo "Need root"; exit 1; }
|
|
|
set -euo pipefail
|
|
|
-CONFD=/etc/e-router
|
|
|
-source $CONFD/config
|
|
|
+confd=/etc/e-router
|
|
|
+source $confd/config
|
|
|
|
|
|
set_defaults() {
|
|
|
/usr/lib/systemd/scripts/iptables-flush
|
|
|
@@ -79,7 +79,7 @@ setup_whitenets() {
|
|
|
while read -r net ; do
|
|
|
[[ "$net" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}/[0-9]{1,}$ ]] || continue
|
|
|
ipset -! add $whiteset $net timeout 0
|
|
|
- done < $CONFD/WHITE.nets
|
|
|
+ done < $confd/WHITE.nets
|
|
|
}
|
|
|
|
|
|
setup_badips() {
|
|
|
@@ -99,11 +99,11 @@ setup_white() {
|
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
iptables -A FW-FILTERED -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
|
|
|
- done < $CONFD/WHITE.udp
|
|
|
+ done < $confd/WHITE.udp
|
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
iptables -A FW-FILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
|
- done < $CONFD/WHITE.tcp
|
|
|
+ done < $confd/WHITE.tcp
|
|
|
iptables -A INPUT -i ${wan} -p udp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FW-FILTERED
|
|
|
iptables -A INPUT -i ${wan} -p tcp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FW-FILTERED
|
|
|
iptables -A INPUT -i ${wan} -p icmp --icmp-type 8 -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto ICMP -j ACCEPT
|
|
|
@@ -114,11 +114,11 @@ setup_open() {
|
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
iptables -A FW-OPEN -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
|
|
|
- done < $CONFD/ACCEPT.udp
|
|
|
+ done < $confd/ACCEPT.udp
|
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
iptables -A FW-OPEN -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
|
- done < $CONFD/ACCEPT.tcp
|
|
|
+ done < $confd/ACCEPT.tcp
|
|
|
iptables -A INPUT -i ${wan} -p udp -m conntrack --ctstate NEW --ctproto UDP -j FW-OPEN
|
|
|
iptables -A INPUT -i ${wan} -p tcp -m conntrack --ctstate NEW --ctproto TCP -j FW-OPEN
|
|
|
}
|
|
|
@@ -131,17 +131,12 @@ setup_cast() {
|
|
|
}
|
|
|
|
|
|
main () {
|
|
|
- set_defaults
|
|
|
- setup_whitenets
|
|
|
- setup_nat
|
|
|
- setup_forward
|
|
|
- setup_base
|
|
|
- setup_badips
|
|
|
- setup_white
|
|
|
- setup_open
|
|
|
- setup_scanips
|
|
|
- setup_cast
|
|
|
- setup_final
|
|
|
+ defaultHooks="set_defaults setup_whitenets setup_nat setup_forward setup_base setup_badips setup_white setup_open setup_scanips setup_cast setup_final"
|
|
|
+ ${hooks:-$defaultHooks}
|
|
|
+ hookarray=($hooks)
|
|
|
+ for hook in "{$hookarray[@]}" ; do
|
|
|
+ $hook
|
|
|
+ done
|
|
|
}
|
|
|
|
|
|
main
|
