
Refactor

Create tables, sets and chains in the functions that use them
Reject packets as per RFC, not drop silently
Edvinas Valatka 9 gadi atpakaļ
vecāks
revīzija
99f11ca601
1 mainītis faili ar 40 papildinājumiem un 35 dzēšanām

+ 40 - 35
e-router

@@ -11,56 +11,73 @@ set_defaults() {
     iptables -P INPUT DROP
 }
 
-create_tables() {
-    iptables -N FORWARD-LOG-DROP
-    iptables -N WAN-LOG-DROP
-    iptables -N FW-FILTERED
-    iptables -N FW-OPEN
-    iptables -N FW-CAST
-    ipset create -! $banset hash:ip hashsize 4096 timeout $bantime
-    ipset create -! $whiteset hash:net hashsize 4096
+setup_final(){
+    if $debug ; then
+        setup_wandroplog
+        iptables -A INPUT -j WAN-LOG-DROP
+    else
+        iptables -A INPUT -j DROP
+    fi
 }
 
 setup_wandroplog() {
+    iptables -N WAN-LOG-DROP
     iptables -A WAN-LOG-DROP -p tcp  -j LOG --log-prefix  "WAN-LOG-DROP TCP: " --log-level 7
+    iptables -A WAN-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
     iptables -A WAN-LOG-DROP -p udp  -j LOG --log-prefix  "WAN-LOG-DROP UDP: " --log-level 7
+    iptables -A WAN-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
     iptables -A WAN-LOG-DROP -p icmp -j LOG --log-prefix  "WAN-LOG-DROP ICMP: " --log-level 7
-    iptables -A WAN-LOG-DROP -j DROP
+    iptables -A WAN-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
 }
 
 setup_fordroplog() {
+    iptables -N FORWARD-LOG-DROP
     iptables -A FORWARD-LOG-DROP -p tcp  -j LOG --log-prefix "FORWARD-LOG-DROP TCP: " --log-level 7
+    iptables -A FORWARD-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
     iptables -A FORWARD-LOG-DROP -p udp  -j LOG --log-prefix "FORWARD-LOG-DROP UDP: " --log-level 7
+    iptables -A FORWARD-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
     iptables -A FORWARD-LOG-DROP -p icmp -j LOG --log-prefix "FORWARD-LOG-DROP ICMP: " --log-level 7
-    iptables -A FORWARD-LOG-DROP -j DROP
+    iptables -A FORWARD-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
+}
+
+setup_nat() {
+    iptables -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
 }
 
 setup_forward() {
     iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     iptables -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
     if $debug ; then
+        setup_fordroplog
         iptables -A FORWARD -j FORWARD-LOG-DROP
     else
         iptables -A FORWARD -j DROP
     fi
 }
 
-setup_nat() {
-    iptables -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
+setup_base() {
+    iptables -A INPUT -i lo -j ACCEPT
+    iptables -A INPUT -i ${eth0} -j ACCEPT
+    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
 }
 
-setup_white() {
+setup_whitenets() {
+    ipset create -! $whiteset hash:net hashsize 4096
     while read -r net ; do
         [[ "$net" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}/[0-9]{1,}$ ]] || continue
         ipset -! add  $whiteset $net
     done < $CONFD/WHITE.nets
 }
 
-banbadips() {
-    iptables -A WAN-IN -m set --match-set $banset src -j REJECT
+setup_badips() {
+    ipset create -! $banset hash:ip hashsize 4096 timeout $bantime
+    iptables -A INPUT -i ${wan} -m set --match-set $banset src -p udp -j REJECT --reject-with icmp-port-unreachable
+    iptables -A INPUT -i ${wan} -m set --match-set $banset src -p tcp -j REJECT --reject-with tcp-reset
 }
 
 setup_white() {
+    iptables -N FW-FILTERED
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
         iptables -A FW-FILTERED -m udp -p udp --dport $port -j ACCEPT
@@ -69,9 +86,11 @@ setup_white() {
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
         iptables -A FW-FILTERED -m tcp -p tcp --dport $port -j ACCEPT
     done < $CONFD/WHITE.tcp
+    iptables -A INPUT -i ${wan} -m set --match-set $whiteset src -j FW-FILTERED
 }
 
 setup_open() {
+    iptables -N FW-OPEN
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
         iptables -A FW-OPEN -m udp -p udp --dport $port -j ACCEPT
@@ -80,41 +99,27 @@ setup_open() {
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
         iptables -A FW-OPEN -m tcp -p tcp --dport $port -j ACCEPT
     done < $CONFD/ACCEPT.tcp
+    iptables -A INPUT -i ${wan} -j FW-OPEN
 }
 
 setup_cast() {
+    iptables -N FW-CAST
     iptables -A FW-CAST -m pkttype --pkt-type broadcast -j ACCEPT
     iptables -A FW-CAST -m pkttype --pkt-type multicast -j ACCEPT
-}
-
-setup_input() {
-    iptables -A INPUT -i lo -j ACCEPT
-    iptables -A INPUT -i ${eth0} -j ACCEPT
-    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
-    iptables -A INPUT -i ${wan} -m set --match-set $banset src -j REJECT
-    iptables -A INPUT -i ${wan} -m set --match-set $whiteset src -j FW-FILTERED
-    iptables -A INPUT -i ${wan} -j FW-OPEN
     iptables -A INPUT -i ${wan} -j FW-CAST
-    if $debug ; then
-        iptables -A INPUT -j WAN-LOG-DROP
-    else
-        iptables -A INPUT -j DROP
-    fi
 }
 
 main () {
     set_defaults
-    create_tables
-    setup_fordroplog
-    setup_wandroplog
-    setup_white
+    setup_whitenets
     setup_nat
     setup_forward
+    setup_base
+    setup_badips
     setup_white
     setup_open
     setup_cast
-    setup_input
+    setup_final
 }
 
 main
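Review bot: In the first hunk, `setup_badips` now rejects only TCP and UDP from `$banset`, whereas the removed INPUT rule (`-m set --match-set $banset src -j REJECT`) rejected every protocol from banned sources; ICMP and any other protocol from a banned host now falls through to FW-FILTERED, FW-OPEN and FW-CAST before reaching the final rule. Appending the same catch-all the LOG-DROP chains already use, `iptables -A INPUT -i ${wan} -m set --match-set $banset src -j REJECT --reject-with icmp-proto-unreachable`, after the two protocol-specific lines restores the previous coverage. Note also that the REJECT-instead-of-DROP behaviour described in the commit message only takes effect when `$debug` is true: the non-debug branches of `setup_final` and `setup_forward` still end with `-j DROP`, so the debug flag now changes the firewall's externally observable behaviour rather than only its logging. If that divergence is intended, a comment on those `else` branches such as `# production: drop silently; debug: log then REJECT` would make it explicit.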