
Importas is atomas-router

Edvinas Valatka hace 9 años
commit
769bbc5af4
Se han modificado 10 ficheros con 180 adiciones y 0 borrados
  1. 10 0
      ACCEPT.tcp
  2. 6 0
      ACCEPT.udp
  3. 0 0
      DROP.tcp
  4. 0 0
      DROP.udp
  5. 17 0
      config
  6. 14 0
      e-badips
  7. 8 0
      e-badips.service
  8. 10 0
      e-badips.timer
  9. 103 0
      e-router
  10. 12 0
      e-router.service

+ 10 - 0
ACCEPT.tcp

@@ -0,0 +1,10 @@
+22
+80
+4662
+4663
+4664
+4665
+22000
+22067
+
+

+ 6 - 0
ACCEPT.udp

@@ -0,0 +1,6 @@
+4662
+4663
+4664
+4662
+4672
+
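Review bot: Port `4662` is listed twice (first and fourth entries), so `passwanin` in e-router appends two identical `--dport 4662 -j ACCEPT` rules to WANIN. Remove the repeated entry, or, if a different port was meant there, correct it rather than leaving the duplicate; the trailing blank line is harmless because the reader loop skips empty lines.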

+ 0 - 0
DROP.tcp


+ 0 - 0
DROP.udp


+ 17 - 0
config

@@ -0,0 +1,17 @@
+eth0=enp5s0
+wan=enp1s0
+locnet=192.168.1.0/24
+lanip=192.168.1.1
+lanbro=192.168.1.255
+
+## badips.com ##
+# ipset name
+banset=badips
+# 0 - 5 , 0 will ban max
+banlevel=0
+# ban time in seconds,  1 week =  604800,  1 day = 86400
+bantime=604800
+# h,d,w,m,y
+rangecheck=1h
+# ssh,http... or any
+banservice=any
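Review bot: `lanip` and `lanbro` are defined here but neither e-router nor e-badips in this commit reads them; either drop them or add a comment saying what is expected to consume them. Because both scripts `source` this file as root, its contents are executed as shell rather than parsed as key=value data, and `banservice`, `banlevel` and `rangecheck` are interpolated straight into the badips URL, so a header comment such as `# Sourced as bash by e-router and e-badips (run as root): plain VAR=value lines only; keep root-owned and not group/world-writable` makes that contract visible to whoever edits it next.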

+ 14 - 0
e-badips

@@ -0,0 +1,14 @@
+#!/bin/bash
+((EUID == 0 )) || { echo "Need root"; exit 1; }
+set -euo pipefail
+CONFD=/etc/e-router
+source $CONFD/config
+
+
+tmp=$(mktemp)
+curl -f -s -m 60 -o $tmp "https://www.badips.com/get/list/${banservice}/${banlevel}?age=${rangecheck}"
+while read -r ip ; do
+    ipset -! add ${banset} ${ip}
+done < $tmp
+
+trap "/bin/rm -f ${tmp}" EXIT SIGHUP SIGINT SIGTERM
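Review bot: The cleanup `trap` on the last line is registered only after curl and the ipset loop have finished, so under `set -euo pipefail` any failure in those steps (curl under `-f`, or an `ipset add` that rejects a line) exits before the trap exists and leaves the mktemp file behind; move the same `trap "/bin/rm -f ${tmp}" EXIT SIGHUP SIGINT SIGTERM` line to directly after `tmp=$(mktemp)`. The loop also hands every line of the downloaded list to `ipset add` as root without checking that it looks like an address, so a blank or unexpected line aborts the run or adds a surprising entry; a guard like `[[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || continue` before the `ipset` call keeps the feed's format problems local. `$tmp` in the curl `-o` argument and the loop redirect should be quoted as `"$tmp"`, matching the quoting the rest of the script already relies on.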

+ 8 - 0
e-badips.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=Update badips ipset  from badips.com
+Requires=iptables.service e-router.service
+After=iptables.service e-router.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/e-badips

+ 10 - 0
e-badips.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=e-badips timer
+
+[Timer]
+OnUnitActiveSec=3300
+OnBootSec=300
+
+[Install]
+WantedBy=timers.target
+

+ 103 - 0
e-router

@@ -0,0 +1,103 @@
+#!/bin/bash
+((EUID == 0 )) || { echo "Need root"; exit 1; }
+set -euo pipefail
+CONFD=/etc/e-router
+source $CONFD/config
+
+set_defaults() {
+    /usr/lib/systemd/scripts/iptables-flush
+    iptables -P FORWARD DROP
+    iptables -P OUTPUT ACCEPT
+    iptables -P INPUT DROP
+}
+
+create_tables() {
+    iptables -N WANIN
+    iptables -N FORDROPLOG
+    iptables -N WANDROPLOG
+    iptables -N SILENTDROP
+    ipset create -! $banset hash:ip hashsize 4096 timeout $bantime
+}
+
+activate() {
+    iptables-save > /etc/iptables/iptables.rules
+    systemctl restart iptables.service
+}
+
+create_wandroplog() {
+    #iptables -A WANDROPLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix  "WANDROPLOG TCP: " --log-level 7
+    iptables -A WANDROPLOG -p tcp  -j LOG --log-prefix  "WANDROPLOG TCP: " --log-level 7
+    iptables -A WANDROPLOG -p udp  -j LOG --log-prefix  "WANDROPLOG UDP: " --log-level 7
+    iptables -A WANDROPLOG -p icmp -j LOG --log-prefix  "WANDROPLOG ICMP: " --log-level 7
+    iptables -A WANDROPLOG -j DROP
+}
+
+create_fordroplog() {
+    iptables -A FORDROPLOG -p tcp  -j LOG --log-prefix "FORDROPLOG TCP: " --log-level 7
+    iptables -A FORDROPLOG -p udp  -j LOG --log-prefix "FORDROPLOG UDP: " --log-level 7
+    iptables -A FORDROPLOG -p icmp -j LOG --log-prefix "FORDROPLOG ICMP: " --log-level 7
+    iptables -A FORDROPLOG -j DROP
+}
+
+setup_forward() {
+    iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+    iptables -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
+    iptables -A FORWARD -j FORDROPLOG
+}
+
+setup_nat() {
+    iptables -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
+}
+
+passbroadcast() {
+    iptables -A WANIN -m pkttype --pkt-type broadcast -j ACCEPT
+    iptables -A WANIN -m pkttype --pkt-type multicast -j ACCEPT
+}
+
+banwanin() {
+    iptables -A WANIN -m set --match-set $banset src -p TCP -j REJECT
+}
+
+dropwanin() {
+    while read -r port ; do
+        [[ -n "$port" ]] || continue
+        iptables -A WANIN -i ${wan} -m udp -p udp --dport $port -j DROP
+    done < $CONFD/DROP.udp
+    while read -r port ; do
+        [[ -n "$port" ]] || continue
+        iptables -A WANIN -i ${wan} -m tcp -p tcp --dport $port -j DROP
+    done < $CONFD/DROP.tcp
+}
+
+passwanin() {
+    while read -r port ; do
+        [[ -n "$port" ]] || continue
+        iptables -A WANIN -i ${wan} -m udp -p udp --dport $port -j ACCEPT
+    done < $CONFD/ACCEPT.udp
+    while read -r port ; do
+        [[ -n "$port" ]] || continue
+        iptables -A WANIN -i ${wan} -m tcp -p tcp --dport $port -j ACCEPT
+    done < $CONFD/ACCEPT.tcp
+}
+
+setup_input() {
+    iptables -A INPUT -i lo -j ACCEPT
+    iptables -A INPUT -i ${eth0} -j ACCEPT
+    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
+    banwanin
+    dropwanin
+    passwanin
+    passbroadcast
+    iptables -A INPUT -i ${wan} -j WANIN
+    iptables -A INPUT -j WANDROPLOG
+}
+
+set_defaults
+create_tables
+create_fordroplog
+create_wandroplog
+setup_nat
+setup_input
+setup_forward
+#activate
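Review bot: `banwanin` matches the ban set only with `-p TCP`, so an address in `$banset` is still accepted on every UDP port that `passwanin` opens from ACCEPT.udp; dropping the protocol qualifier, `iptables -A WANIN -m set --match-set "$banset" src -j DROP`, bans the address for all protocols, and DROP rather than REJECT avoids sending replies to hosts already on the list. The LOG rules in `create_wandroplog` and `create_fordroplog` carry no `-m limit` (the limited variant is left commented out at the top of `create_wandroplog`), so a sustained stream of dropped WAN or forwarded packets is written to the kernel log unthrottled; restoring `-m limit --limit 5/min` on the LOG rules in both chains keeps the log from filling. `set_defaults` switches INPUT to a DROP policy before a single ACCEPT rule exists, so if any later step fails under `set -e` (for example an error in `create_tables`) the host is left with a DROP policy and an empty ruleset and remote access is gone; setting the DROP policies as the final step, or assembling the rules into a file and applying them atomically with `iptables-restore`, closes that window. `dropwanin` and `passwanin` are the same read loop four times and would read better as one helper taking the list file, protocol and target.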

+ 12 - 0
e-router.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=e-router script
+Requires=iptables.service
+After=iptables.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/e-router
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target