Only NEW packets will be add to the scanips set

e-router

@@ -16,50 +16,50 @@ _broken(){
         ${iptables} -A STRANGELOG -j LOG --log-prefix "STRANGELOG TCP: " --log-level 7
     fi
 
-    ${iptables} -N DROP_TCP_SUSPICIOUS
-
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --sport 0:19                                                          -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --dport 0:19                                                          -j BROKENLOGDROP
-
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK             -m conntrack --ctstate ESTABLISHED    -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK             -m conntrack --ctstate NEW,RELATED    -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK         -m conntrack --ctstate ESTABLISHED    -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK         -m conntrack --ctstate NEW            -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK         -m conntrack --ctstate RELATED        -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL NONE                                                  -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ALL                                                   -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags SYN,FIN SYN,FIN                                           -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags SYN,RST SYN,RST                                           -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags RST,FIN RST,FIN                                           -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags SYN,URG SYN,URG                                           -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN,PSH                                               -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK,PSH                                           -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ACK,FIN FIN                                               -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ACK,PSH PSH                                               -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ACK,URG URG                                               -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST             -m conntrack --ctstate ESTABLISHED    -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST             -m conntrack --ctstate NEW,RELATED    -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags SYN,ACK NONE                                              -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN             -m conntrack --ctstate NEW            -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN             -m conntrack --ctstate RELATED        -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN             -m conntrack --ctstate ESTABLISHED    -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK         -m conntrack --ctstate ESTABLISHED    -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK         -m conntrack --ctstate NEW,RELATED    -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,ACK         -m conntrack --ctstate ESTABLISHED    -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,ACK         -m conntrack --ctstate NEW,RELATED    -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK         -m conntrack --ctstate ESTABLISHED    -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK         -m conntrack --ctstate NEW            -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK         -m conntrack --ctstate RELATED        -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK,PSH,RST     -m conntrack --ctstate ESTABLISHED    -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK,PSH,RST     -m conntrack --ctstate NEW,RELATED    -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK     -m conntrack --ctstate ESTABLISHED    -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK     -m conntrack --ctstate NEW,RELATED    -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,PSH                                           -j STRANGELOG
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,URG                                           -j STRANGELOG
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,PSH,URG                                       -j STRANGELOG
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK,URG                                       -j STRANGELOG
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK,URG                                               -j STRANGELOG
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK,URG,FIN                                           -j STRANGELOG
+    ${iptables} -N FWSUSPICIOUS
+
+    ${iptables} -A FWSUSPICIOUS -p tcp --sport 0:19                                                           -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --dport 0:19                                                           -j BROKENLOGDROP
+
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK             -m conntrack --ctstate ESTABLISHED -j RETURN
+    ${Iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK             -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     PSH,ACK         -m conntrack --ctstate ESTABLISHED -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     PSH,ACK         -m conntrack --ctstate NEW         -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     PSH,ACK         -m conntrack --ctstate RELATED     -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     NONE                                               -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ALL                                                -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,FIN SYN,FIN                                            -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,RST SYN,RST                                            -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags RST,FIN RST,FIN                                            -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,URG SYN,URG                                            -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN,PSH                                            -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN,ACK,PSH                                        -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ACK,FIN FIN                                                -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ACK,PSH PSH                                                -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ACK,URG URG                                                -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST             -m conntrack --ctstate ESTABLISHED -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST             -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,ACK NONE                                               -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN             -m conntrack --ctstate NEW         -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN             -m conntrack --ctstate RELATED     -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN             -m conntrack --ctstate ESTABLISHED -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN,ACK         -m conntrack --ctstate ESTABLISHED -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN,ACK         -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     FIN,ACK         -m conntrack --ctstate ESTABLISHED -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     FIN,ACK         -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST,ACK         -m conntrack --ctstate ESTABLISHED -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST,ACK         -m conntrack --ctstate NEW         -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST,ACK         -m conntrack --ctstate RELATED     -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK,PSH,RST     -m conntrack --ctstate ESTABLISHED -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK,PSH,RST     -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     FIN,PSH,ACK     -m conntrack --ctstate ESTABLISHED -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     FIN,PSH,ACK     -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST,ACK,PSH                                        -j STRANGELOG
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST,ACK,URG                                        -j STRANGELOG
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST,ACK,PSH,URG                                    -j STRANGELOG
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     FIN,PSH,ACK,URG                                    -j STRANGELOG
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK,URG                                            -j STRANGELOG
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK,URG,FIN                                        -j STRANGELOG
 }
 
 _droplog() {
@@ -131,7 +131,7 @@ base() {
     ${iptables} -A INPUT -i lo -j ACCEPT
     if $logbroken; then
         _broken
-        ${iptables} -A INPUT -i ${wan} -p tcp -j DROP_TCP_SUSPICIOUS
+        ${iptables} -A INPUT -i ${wan} -p tcp -j FWSUSPICIOUS
     fi
     ${iptables} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     if $loginvalid; then
@@ -160,7 +160,7 @@ lan() {
     ${iptables} -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
     ${iptables} -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
     if $logbroken; then
-        ${iptables} -A FORWARD -i ${wan} -p tcp -j DROP_TCP_SUSPICIOUS
+        ${iptables} -A FORWARD -i ${wan} -p tcp -j FWSUSPICIOUS
     fi
     ${iptables} -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     if $loginvalid; then
@@ -191,12 +191,14 @@ scanips() {
     ${iptables} -A FWSCAN -i ${wan} -p tcp -j SET --add-set $scanset src --exist --timeout $scanttl
     if $logscan ; then
         _droplog "SCAN"
-        ${iptables} -A FWSCAN -i ${wan} -p udp -m set --match-set $scanset src -j SCANLOGDROP
-        ${iptables} -A FWSCAN -i ${wan} -p tcp -m set --match-set $scanset src -j SCANLOGDROP
+        ${iptables} -A FWSCAN -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j SCANLOGDROP
+        ${iptables} -A FWSCAN -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j SCANLOGDROP
     fi
-    ${iptables} -A FWSCAN -i ${wan} -p udp -m set --match-set $scanset src -j ENDRESET
-    ${iptables} -A FWSCAN -i ${wan} -p tcp -m set --match-set $scanset src -j ENDRESET
+    ${iptables} -A FWSCAN -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j ENDRESET
+    ${iptables} -A FWSCAN -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j ENDRESET
     ${iptables} -I BROKENLOGDROP -j FWSCAN
+    ${iptables} -D BROKENLOGDROP -j ENDRESET
+    ${iptables} -A BROKENLOGDROP -j ENDRESET
     ${iptables} -A INPUT -j FWSCAN
 }
 
@@ -236,6 +238,7 @@ final(){
         _droplog "FINAL"
         ${iptables} -A INPUT -j FINALLOGDROP
     fi
+    ${iptables} -A INPUT -i ${wan} -j ENDRESET
 }
 
 main () {