
Merge branch 'devel'

Edvinas Valatka vor 9 Jahren
Ursprung
Commit
7224412483
6 geänderte Dateien mit 72 neuen und 69 gelöschten Zeilen
  1. 10 8
      e-badips
  2. 2 2
      e-badips.service
  3. 2 2
      e-pullasn.service
  4. 1 1
      e-pullhosts.service
  5. 55 55
      e-router
  6. 2 1
      e-router.service

+ 10 - 8
e-badips

@@ -7,12 +7,14 @@ source $CONFD/config
 tmp=$(mktemp)
 trap "/bin/rm -f ${tmp}" EXIT SIGHUP SIGINT SIGTERM
 
-curl -f -s -S -m 60 -o $tmp "https://www.badips.com/get/list/${banservice}/${banlevel}?age=${rangecheck}"
-while read -r ip ; do
-    [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] && ipset -! add ${banset} ${ip} timeout $banttl
-done < $tmp
+if curl -f -s -S -m 60 -o $tmp "https://www.badips.com/get/list/${banservice}/${banlevel}?age=${rangecheck}" ; then
+    while read -r ip ; do
+        [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] && ipset -! add ${banset} ${ip} timeout $banttl
+    done < $tmp
+fi
 
-curl -f -s -S -m 60 -o $tmp  "http://api.blocklist.de/getlast.php?time=3600&service=all"
-while read -r ip ; do
-    [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] && ipset -! add ${banset} ${ip} timeout $banttl
-done < $tmp
+if curl -f -s -S -m 60 -o $tmp  "http://api.blocklist.de/getlast.php?time=3600&service=all" ; then
+    while read -r ip ; do
+        [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] && ipset -! add ${banset} ${ip} timeout $banttl
+    done < $tmp
+fi
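Review bot: The address check on the two `[[ "$ip" =~ … ]]` lines still lets non-IPv4 lines through, because the unescaped `.` matches any character and the octets are unbounded, so a feed line such as `1x2x3x4` or `1 2 3 4` reaches `ipset add` unquoted; the commit only wraps the same loops in `if curl …`, so this is unchanged. Use `[[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] && ipset -! add "${banset}" "${ip}" timeout "$banttl"` in both loops. The blocklist.de list is fetched over plain `http://`, so an on-path attacker can decide what goes into the ban set, including addresses the router depends on; switch to `https://` if the API serves it, and treat the feed content as untrusted either way. The script's header, where `banservice`, `banlevel` and `rangecheck` are read from `$CONFD/config`, lies above the hunk.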

+ 2 - 2
e-badips.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=Update badips ipset  from badips.com
-Requires=iptables.service e-router.service
-After=iptables.service e-router.service
+Wants=e-router.service multi-user.target
+After=e-router.service multi-user.target
 
 [Service]
 Type=oneshot
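Review bot: `After=multi-user.target` forms an ordering cycle if this unit's `[Install]` section (outside the hunk) still has `WantedBy=multi-user.target`: a target implicitly orders itself after every unit it Wants, so systemd has to drop a job to break the loop, and that job can be this unit. If the intent is "run once the system is up", a timer is the usual pattern, or `Wants=network-online.target` plus `After=network-online.target`, which also covers the `curl` calls to badips.com and blocklist.de that reaching `multi-user.target` does not guarantee. Loosening `Requires=e-router.service` to `Wants=` means the update still runs when e-router failed; the `ipset add` calls then fail or fill a set no `--match-set` rule references, so the ban list silently has no effect in that case.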

+ 2 - 2
e-pullasn.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=Update goodips ipset  from whois.radb.net
-Requires=e-router.service network-online.target
-After=e-router.service  network-online.target
+Wants=e-router.service multi-user.target
+After=e-router.service multi-user.target
 
 [Service]
 Type=oneshot
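Review bot: Dropping `network-online.target` from a unit whose job is to fetch from whois.radb.net removes the only ordering that waited for connectivity; `multi-user.target` does not imply the network is up, so on a cold boot the pull can run before an address or route exists. Keep `Wants=network-online.target` and `After=network-online.target` next to the e-router ordering. Separately, `After=multi-user.target` is an ordering cycle if the unit is also `WantedBy=multi-user.target` in its `[Install]` section, which is outside the hunk, because a target is implicitly ordered after the units it Wants.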

+ 1 - 1
e-pullhosts.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=Update hosts.ban file from http://someonewhocares.org/hosts/zero/hosts
-Requires=dnsmasq.service
+Wants=dnsmasq.service
 After=dnsmasq.service
 
 [Service]

+ 55 - 55
e-router

@@ -6,69 +6,69 @@ source $confd/config
 
 set_defaults() {
     /usr/lib/systemd/scripts/iptables-flush
-    iptables -P FORWARD DROP
-    iptables -P OUTPUT ACCEPT
-    iptables -P INPUT DROP
+    iptables -w -v -P FORWARD DROP
+    iptables -w -v -P OUTPUT ACCEPT
+    iptables -w -v -P INPUT DROP
 }
 
 setup_final(){
     if $loginput ; then
         setup_wandroplog
-        iptables -A INPUT -j WAN-LOG-DROP
+        iptables -w -v -A INPUT -j WAN-LOG-DROP
     else
-        iptables -A INPUT -j DROP
+        iptables -w -v -A INPUT -j DROP
     fi
 }
 
 setup_wandroplog() {
-    iptables -N WAN-LOG-DROP
+    iptables -w -v -N WAN-LOG-DROP
     if $debugtcp; then
-        iptables -A WAN-LOG-DROP -p tcp  -j LOG --log-prefix  "WAN-LOG-DROP TCP: " --log-level 7
-        iptables -A WAN-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
+        iptables -w -v -A WAN-LOG-DROP -p tcp  -j LOG --log-prefix  "WAN-LOG-DROP TCP: " --log-level 7
+        iptables -w -v -A WAN-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
     fi
     if $debugudp; then
-        iptables -A WAN-LOG-DROP -p udp  -j LOG --log-prefix  "WAN-LOG-DROP UDP: " --log-level 7
-        iptables -A WAN-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
+        iptables -w -v -A WAN-LOG-DROP -p udp  -j LOG --log-prefix  "WAN-LOG-DROP UDP: " --log-level 7
+        iptables -w -v -A WAN-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
     fi
     if $debugicmp; then
-        iptables -A WAN-LOG-DROP -p icmp -j LOG --log-prefix  "WAN-LOG-DROP ICMP: " --log-level 7
-        iptables -A WAN-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
+        iptables -w -v -A WAN-LOG-DROP -p icmp -j LOG --log-prefix  "WAN-LOG-DROP ICMP: " --log-level 7
+        iptables -w -v -A WAN-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
     fi
 }
 
 setup_fordroplog() {
-    iptables -N FORWARD-LOG-DROP
+    iptables -w -v -N FORWARD-LOG-DROP
     if $debugtcp; then
-        iptables -A FORWARD-LOG-DROP -p tcp  -j LOG --log-prefix "FORWARD-LOG-DROP TCP: " --log-level 7
-        iptables -A FORWARD-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
+        iptables -w -v -A FORWARD-LOG-DROP -p tcp  -j LOG --log-prefix "FORWARD-LOG-DROP TCP: " --log-level 7
+        iptables -w -v -A FORWARD-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
     fi
     if $debugudp; then
-        iptables -A FORWARD-LOG-DROP -p udp  -j LOG --log-prefix "FORWARD-LOG-DROP UDP: " --log-level 7
-        iptables -A FORWARD-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
+        iptables -w -v -A FORWARD-LOG-DROP -p udp  -j LOG --log-prefix "FORWARD-LOG-DROP UDP: " --log-level 7
+        iptables -w -v -A FORWARD-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
     fi
     if $debugicmp; then
-        iptables -A FORWARD-LOG-DROP -p icmp -j LOG --log-prefix "FORWARD-LOG-DROP ICMP: " --log-level 7
-        iptables -A FORWARD-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
+        iptables -w -v -A FORWARD-LOG-DROP -p icmp -j LOG --log-prefix "FORWARD-LOG-DROP ICMP: " --log-level 7
+        iptables -w -v -A FORWARD-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
     fi
 }
 
 setup_nat() {
-    iptables -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
+    iptables -w -v -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
 }
 
 setup_forward() {
-    iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-    iptables -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
+    iptables -w -v -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+    iptables -w -v -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
     while read -r ip public private ; do
         [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] || continue
         [[ "$public" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
         [[ "$private" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
         if [[ "$public" =~ ^[0-9]{1,}$ ]] ; then
-            iptables -A PREROUTING -t nat -i ${wan} -p tcp --dport ${public} -j DNAT --to ${ip}:${private}
-            iptables -A FORWARD -i ${wan} -p tcp --syn -d ${ip} --dport ${private} -m conntrack --ctstate NEW --ctproto TCP -j ACCEPT
+            iptables -w -v -A PREROUTING -t nat -i ${wan} -p tcp --dport ${public} -j DNAT --to ${ip}:${private}
+            iptables -w -v -A FORWARD -i ${wan} -p tcp --syn -d ${ip} --dport ${private} -m conntrack --ctstate NEW --ctproto TCP -j ACCEPT
         else
-            iptables -A PREROUTING -t nat -i ${wan} -p tcp --dport ${public} -j DNAT --to ${ip}
-            iptables -A FORWARD -i ${wan} -p tcp --syn -d ${ip} --dport ${public} -m conntrack --ctstate NEW --ctproto TCP -j ACCEPT
+            iptables -w -v -A PREROUTING -t nat -i ${wan} -p tcp --dport ${public} -j DNAT --to ${ip}
+            iptables -w -v -A FORWARD -i ${wan} -p tcp --syn -d ${ip} --dport ${public} -m conntrack --ctstate NEW --ctproto TCP -j ACCEPT
         fi
     done < $confd/FORWARD.tcp
 
@@ -77,27 +77,27 @@ setup_forward() {
         [[ "$public" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
         [[ "$private" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
         if [[ "$public" =~ ^[0-9]{1,}$ ]] ; then
-            iptables -A PREROUTING -t nat -i ${wan} -p udp --dport ${public} -j DNAT --to ${ip}:${private}
-            iptables -A FORWARD -i ${wan} -p udp -d ${ip} --dport ${private} -m conntrack --ctstate NEW --ctproto UDP -j ACCEPT
+            iptables -w -v -A PREROUTING -t nat -i ${wan} -p udp --dport ${public} -j DNAT --to ${ip}:${private}
+            iptables -w -v -A FORWARD -i ${wan} -p udp -d ${ip} --dport ${private} -m conntrack --ctstate NEW --ctproto UDP -j ACCEPT
         else
-            iptables -A PREROUTING -t nat -i ${wan} -p udp --dport ${public} -j DNAT --to ${ip}
-            iptables -A FORWARD -i ${wan} -p udp -d ${ip} --dport ${public} -m conntrack --ctstate NEW --ctproto UDP -j ACCEPT
+            iptables -w -v -A PREROUTING -t nat -i ${wan} -p udp --dport ${public} -j DNAT --to ${ip}
+            iptables -w -v -A FORWARD -i ${wan} -p udp -d ${ip} --dport ${public} -m conntrack --ctstate NEW --ctproto UDP -j ACCEPT
         fi
     done < $confd/FORWARD.udp
 
     if $logforward ; then
         setup_fordroplog
-        iptables -A FORWARD -j FORWARD-LOG-DROP
+        iptables -w -v -A FORWARD -j FORWARD-LOG-DROP
     else
-        iptables -A FORWARD -j DROP
+        iptables -w -v -A FORWARD -j DROP
     fi
 }
 
 setup_base() {
-    iptables -A INPUT -i lo -j ACCEPT
-    iptables -A INPUT -i ${eth0} -j ACCEPT
-    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
+    iptables -w -v -A INPUT -i lo -j ACCEPT
+    iptables -w -v -A INPUT -i ${eth0} -j ACCEPT
+    iptables -w -v -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+    iptables -w -v -A INPUT -m conntrack --ctstate INVALID -j DROP
 }
 
 setup_whitenets() {
@@ -110,50 +110,50 @@ setup_whitenets() {
 
 setup_badips() {
     ipset create -! $banset hash:ip hashsize 4096 timeout $banttl  maxelem $badmaxelems
-    iptables -A INPUT -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
-    iptables -A INPUT -i ${wan} -p tcp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
+    iptables -w -v -A INPUT -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
+    iptables -w -v -A INPUT -i ${wan} -p tcp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
 }
 
 setup_scanips() {
     ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl  maxelem $scanmaxelems
-    iptables -A INPUT -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
-    iptables -A INPUT -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
+    iptables -w -v -A INPUT -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
+    iptables -w -v -A INPUT -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
 }
 
 setup_white() {
-    iptables -N FW-FILTERED
+    iptables -w -v -N FW-FILTERED
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A FW-FILTERED -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
+        iptables -w -v -A FW-FILTERED -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
     done < $confd/WHITE.udp
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A FW-FILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
+        iptables -w -v -A FW-FILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
     done < $confd/WHITE.tcp
-    iptables -A INPUT -i ${wan} -p udp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FW-FILTERED
-    iptables -A INPUT -i ${wan} -p tcp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FW-FILTERED
-    iptables -A INPUT -i ${wan} -p icmp --icmp-type 8 -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto ICMP -j ACCEPT
+    iptables -w -v -A INPUT -i ${wan} -p udp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FW-FILTERED
+    iptables -w -v -A INPUT -i ${wan} -p tcp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FW-FILTERED
+    iptables -w -v -A INPUT -i ${wan} -p icmp --icmp-type 8 -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto ICMP -j ACCEPT
 }
 
 setup_public() {
-    iptables -N FW-PUBLIC
+    iptables -w -v -N FW-PUBLIC
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A FW-PUBLIC -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
+        iptables -w -v -A FW-PUBLIC -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
     done < $confd/PUBLIC.udp
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A FW-PUBLIC -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
+        iptables -w -v -A FW-PUBLIC -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
     done < $confd/PUBLIC.tcp
-    iptables -A INPUT -i ${wan} -p udp -m conntrack --ctstate NEW --ctproto UDP -j FW-PUBLIC
-    iptables -A INPUT -i ${wan} -p tcp -m conntrack --ctstate NEW --ctproto TCP -j FW-PUBLIC
+    iptables -w -v -A INPUT -i ${wan} -p udp -m conntrack --ctstate NEW --ctproto UDP -j FW-PUBLIC
+    iptables -w -v -A INPUT -i ${wan} -p tcp -m conntrack --ctstate NEW --ctproto TCP -j FW-PUBLIC
 }
 
 setup_cast() {
-    iptables -N FW-CAST
-    iptables -A FW-CAST -m pkttype --pkt-type broadcast -j ACCEPT
-    iptables -A FW-CAST -m pkttype --pkt-type multicast -j ACCEPT
-    iptables -A INPUT -i ${wan} -j FW-CAST
+    iptables -w -v -N FW-CAST
+    iptables -w -v -A FW-CAST -m pkttype --pkt-type broadcast -j ACCEPT
+    iptables -w -v -A FW-CAST -m pkttype --pkt-type multicast -j ACCEPT
+    iptables -w -v -A INPUT -i ${wan} -j FW-CAST
 }
 
 main () {
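Review bot: The port validation in `setup_forward` does not do what it looks like: in `^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$` the `^` binds only to the first alternative, so any field that merely starts with a digit (`80x`, `8*`) passes and is handed to `--dport ${public}` unquoted, and the IP check on the line above accepts digit runs separated by any character because the `.` is unescaped; both checks recur in the UDP loop after the second `@@`. Group the alternation, `[[ "$public" =~ ^([0-9]{1,}|[0-9]{1,}:[0-9]{1,})$ ]] || continue` (same for `$private`), use `^([0-9]{1,3}\.){3}[0-9]{1,3}$` for `$ip`, and quote the expansions in the iptables calls. FORWARD.tcp and FORWARD.udp are admin-owned config, so this is robustness rather than injection, but a malformed line currently produces an iptables error mid-build instead of being skipped. `-w` without a timeout can stall the boot if another process holds the xtables lock; on iptables 1.6 or later `-w 5` bounds the wait. `main` starts on the hunk's last line and continues outside it.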

+ 2 - 1
e-router.service

@@ -1,7 +1,8 @@
 [Unit]
 Description=e-router script
-Requires=iptables.service
+Wants=iptables.service network-pre.target
 After=iptables.service
+Before=network-pre.target
 
 [Service]
 Type=oneshot
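Review bot: With `Type=oneshot` and no `RemainAfterExit=yes` visible (the `[Service]` section runs past the hunk), e-router.service returns to inactive once the script finishes, so every later start of a unit that now carries `Wants=e-router.service` — e-badips and e-pullasn, presumably from timers — pulls it in again and re-runs `iptables-flush` plus the full rule rebuild. If that is not intended, add `RemainAfterExit=yes` under `[Service]` so the unit stays active and the dependents only order after it. `Wants=network-pre.target` with `Before=network-pre.target` is the documented hook for a firewall; units doing that (nftables.service, systemd-networkd) usually also set `DefaultDependencies=no`, otherwise this unit, and every network daemon ordered after network-pre.target with it, waits for basic.target. Whether that ordering matters here depends on what else the box runs.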