
Refactor

whitelist net prototype
whitelist ASN prototype
debug mode
blacklist net prototype
blacklist ASN prototype
separate *cast table
Edvinas Valatka hace 9 años
padre
commit
6f0f3faa92
Se han modificado 9 ficheros con 79 adiciones y 47 borrados
  1. 1 4
      ACCEPT.tcp
  2. 0 0
      BLACK.asn
  3. 0 0
      BLACK.nets
  4. 0 0
      WHITE.asn
  5. 0 0
      WHITE.nets
  6. 3 0
      WHITE.tcp
  7. 0 0
      WHITE.udp
  8. 6 0
      config
  9. 69 43
      e-router

+ 1 - 4
ACCEPT.tcp

@@ -1,10 +1,7 @@
-22
-80
+4660
 4662
 4663
 4664
 4665
 22000
 22067
-
-

+ 0 - 0
BLACK.asn


+ 0 - 0
BLACK.nets


+ 0 - 0
WHITE.asn


+ 0 - 0
WHITE.nets


+ 3 - 0
WHITE.tcp

@@ -0,0 +1,3 @@
+22
+80
+443

+ 0 - 0
WHITE.udp


+ 6 - 0
config

@@ -15,3 +15,9 @@ bantime=604800
 rangecheck=1h
 # ssh,http... or any
 banservice=any
+
+## whitenets ##
+whiteset=goodips
+
+## DEBUG ##
+debug=true
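Review bot: `debug=true` ships with debug on by default, which in e-router turns on `set -x` tracing and per-packet LOG rules for every dropped WAN packet at log level 7; the default should be `debug=false` so a production install is not verbose by accident. Since e-router consumes this value as `if $debug`, the comment above it should also state that only `true` or `false` are valid, e.g. `## DEBUG (true|false) ##`.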

+ 69 - 43
e-router

@@ -4,6 +4,10 @@ set -euo pipefail
 CONFD=/etc/e-router
 source $CONFD/config
 
+if $debug ; then
+    set -x
+fi
+
 set_defaults() {
     /usr/lib/systemd/scripts/iptables-flush
     iptables -P FORWARD DROP
@@ -12,87 +16,109 @@ set_defaults() {
 }
 
 create_tables() {
-    iptables -N WANIN
-    iptables -N FORDROPLOG
-    iptables -N WANDROPLOG
-    iptables -N SILENTDROP
+    iptables -N FORWARD-LOG-DROP
+    iptables -N WAN-LOG-DROP
+    iptables -N FW-FILTERED
+    iptables -N FW-OPEN
+    iptables -N FW-CAST
     ipset create -! $banset hash:ip hashsize 4096 timeout $bantime
+    ipset create -! $whiteset hash:net hashsize 4096
 }
 
-
-create_wandroplog() {
-    #iptables -A WANDROPLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix  "WANDROPLOG TCP: " --log-level 7
-    iptables -A WANDROPLOG -p tcp  -j LOG --log-prefix  "WANDROPLOG TCP: " --log-level 7
-    iptables -A WANDROPLOG -p udp  -j LOG --log-prefix  "WANDROPLOG UDP: " --log-level 7
-    iptables -A WANDROPLOG -p icmp -j LOG --log-prefix  "WANDROPLOG ICMP: " --log-level 7
-    iptables -A WANDROPLOG -j DROP
+setup_wandroplog() {
+    iptables -A WAN-LOG-DROP -p tcp  -j LOG --log-prefix  "WAN-LOG-DROP TCP: " --log-level 7
+    iptables -A WAN-LOG-DROP -p udp  -j LOG --log-prefix  "WAN-LOG-DROP UDP: " --log-level 7
+    iptables -A WAN-LOG-DROP -p icmp -j LOG --log-prefix  "WAN-LOG-DROP ICMP: " --log-level 7
+    iptables -A WAN-LOG-DROP -j DROP
 }
 
-create_fordroplog() {
-    iptables -A FORDROPLOG -p tcp  -j LOG --log-prefix "FORDROPLOG TCP: " --log-level 7
-    iptables -A FORDROPLOG -p udp  -j LOG --log-prefix "FORDROPLOG UDP: " --log-level 7
-    iptables -A FORDROPLOG -p icmp -j LOG --log-prefix "FORDROPLOG ICMP: " --log-level 7
-    iptables -A FORDROPLOG -j DROP
+setup_fordroplog() {
+    iptables -A FORWARD-LOG-DROP -p tcp  -j LOG --log-prefix "FORWARD-LOG-DROP TCP: " --log-level 7
+    iptables -A FORWARD-LOG-DROP -p udp  -j LOG --log-prefix "FORWARD-LOG-DROP UDP: " --log-level 7
+    iptables -A FORWARD-LOG-DROP -p icmp -j LOG --log-prefix "FORWARD-LOG-DROP ICMP: " --log-level 7
+    iptables -A FORWARD-LOG-DROP -j DROP
 }
 
 setup_forward() {
     iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     iptables -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
-    iptables -A FORWARD -j FORDROPLOG
+    if $debug ; then
+        iptables -A FORWARD -j FORWARD-LOG-DROP
+    else
+        iptables -A FORWARD -j DROP
+    fi
 }
 
 setup_nat() {
     iptables -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
 }
 
-passbroadcast() {
-    iptables -A WANIN -m pkttype --pkt-type broadcast -j ACCEPT
-    iptables -A WANIN -m pkttype --pkt-type multicast -j ACCEPT
+setup_white() {
+    while read -r net ; do
+        [[ "$net" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}/[0-9]{1,}$ ]] || continue
+        ipset -! add  $whiteset $net
+    done < $CONFD/WHITE.nets
 }
 
-banwanin() {
-    iptables -A WANIN -m set --match-set $banset src -p TCP -j REJECT
+banbadips() {
+    iptables -A WAN-IN -m set --match-set $banset src -j REJECT
 }
 
-dropwanin() {
+setup_white() {
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A WANIN -i ${wan} -m udp -p udp --dport $port -j DROP
-    done < $CONFD/DROP.udp
+        iptables -A FW-FILTERED -m udp -p udp --dport $port -j ACCEPT
+    done < $CONFD/WHITE.udp
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A WANIN -i ${wan} -m tcp -p tcp --dport $port -j DROP
-    done < $CONFD/DROP.tcp
+        iptables -A FW-FILTERED -m tcp -p tcp --dport $port -j ACCEPT
+    done < $CONFD/WHITE.tcp
 }
 
-passwanin() {
+setup_open() {
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A WANIN -i ${wan} -m udp -p udp --dport $port -j ACCEPT
+        iptables -A FW-OPEN -m udp -p udp --dport $port -j ACCEPT
     done < $CONFD/ACCEPT.udp
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A WANIN -i ${wan} -m tcp -p tcp --dport $port -j ACCEPT
+        iptables -A FW-OPEN -m tcp -p tcp --dport $port -j ACCEPT
     done < $CONFD/ACCEPT.tcp
 }
 
+setup_cast() {
+    iptables -A FW-CAST -m pkttype --pkt-type broadcast -j ACCEPT
+    iptables -A FW-CAST -m pkttype --pkt-type multicast -j ACCEPT
+}
+
 setup_input() {
     iptables -A INPUT -i lo -j ACCEPT
     iptables -A INPUT -i ${eth0} -j ACCEPT
     iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
-    banwanin
-    dropwanin
-    passwanin
-    passbroadcast
-    iptables -A INPUT -i ${wan} -j WANIN
-    iptables -A INPUT -j WANDROPLOG
+    iptables -A INPUT -i ${wan} -m set --match-set $banset src -j REJECT
+    iptables -A INPUT -i ${wan} -m set --match-set $whiteset src -j FW-FILTERED
+    iptables -A INPUT -i ${wan} -j FW-OPEN
+    iptables -A INPUT -i ${wan} -j FW-CAST
+    if $debug ; then
+        iptables -A INPUT -j WAN-LOG-DROP
+    else
+        iptables -A INPUT -j DROP
+    fi
+}
+
+main () {
+    set_defaults
+    create_tables
+    setup_fordroplog
+    setup_wandroplog
+    setup_white
+    setup_nat
+    setup_forward
+    setup_white
+    setup_open
+    setup_cast
+    setup_input
 }
 
-set_defaults
-create_tables
-create_fordroplog
-create_wandroplog
-setup_nat
-setup_input
-setup_forward
+main
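Review bot: `setup_white` is defined twice in this hunk (once looping over WHITE.nets into `$whiteset`, once looping over WHITE.udp/WHITE.tcp into FW-FILTERED); bash keeps the last definition, so the WHITE.nets loader never runs, `$whiteset` stays empty, the `--match-set $whiteset src -j FW-FILTERED` rule in setup_input never matches, and the ports this commit moved from ACCEPT.tcp into WHITE.tcp (22, 80, 443) become unreachable from the WAN, including ssh. Rename the first definition to `setup_whitenets() {` and replace the first of the two `setup_white` calls in main with `setup_whitenets`. Separately, `banbadips` targets a chain `WAN-IN` that create_tables no longer creates (the old chain was WANIN), so it would fail if ever called; it is not called from main and should be removed or pointed at INPUT. `if $debug ; then` (also in the earlier hunk) executes whatever string the sourced config holds as a command and aborts under `set -u` when the key is absent; `if [[ "${debug:-false}" == true ]]; then` is the safer form, and the WHITE.nets regex should escape its dots (`\.`) so `1a2a3a4/8` is not accepted.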