
Merge branch 'devel'

Edvinas Valatka 8 anos atrás
b465be7657
1 arquivos alterados com 53 adições e 50 exclusões
  1. 53 50
      e-router

+ 53 - 50
e-router

@@ -16,50 +16,50 @@ _broken(){
         ${iptables} -A STRANGELOG -j LOG --log-prefix "STRANGELOG TCP: " --log-level 7
     fi
 
-    ${iptables} -N DROP_TCP_SUSPICIOUS
-
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --sport 0:19                                                          -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --dport 0:19                                                          -j BROKENLOGDROP
-
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK             -m conntrack --ctstate ESTABLISHED    -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK             -m conntrack --ctstate NEW,RELATED    -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK         -m conntrack --ctstate ESTABLISHED    -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK         -m conntrack --ctstate NEW            -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK         -m conntrack --ctstate RELATED        -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL NONE                                                  -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ALL                                                   -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags SYN,FIN SYN,FIN                                           -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags SYN,RST SYN,RST                                           -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags RST,FIN RST,FIN                                           -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags SYN,URG SYN,URG                                           -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN,PSH                                               -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK,PSH                                           -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ACK,FIN FIN                                               -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ACK,PSH PSH                                               -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ACK,URG URG                                               -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST             -m conntrack --ctstate ESTABLISHED    -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST             -m conntrack --ctstate NEW,RELATED    -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags SYN,ACK NONE                                              -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN             -m conntrack --ctstate NEW            -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN             -m conntrack --ctstate RELATED        -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN             -m conntrack --ctstate ESTABLISHED    -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK         -m conntrack --ctstate ESTABLISHED    -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK         -m conntrack --ctstate NEW,RELATED    -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,ACK         -m conntrack --ctstate ESTABLISHED    -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,ACK         -m conntrack --ctstate NEW,RELATED    -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK         -m conntrack --ctstate ESTABLISHED    -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK         -m conntrack --ctstate NEW            -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK         -m conntrack --ctstate RELATED        -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK,PSH,RST     -m conntrack --ctstate ESTABLISHED    -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK,PSH,RST     -m conntrack --ctstate NEW,RELATED    -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK     -m conntrack --ctstate ESTABLISHED    -j RETURN
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK     -m conntrack --ctstate NEW,RELATED    -j BROKENLOGDROP
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,PSH                                           -j STRANGELOG
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,URG                                           -j STRANGELOG
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,PSH,URG                                       -j STRANGELOG
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK,URG                                       -j STRANGELOG
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK,URG                                               -j STRANGELOG
-    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK,URG,FIN                                           -j STRANGELOG
+    ${iptables} -N FWSUSPICIOUS
+
+    ${iptables} -A FWSUSPICIOUS -p tcp --sport 0:19                                                           -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --dport 0:19                                                           -j BROKENLOGDROP
+
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK             -m conntrack --ctstate ESTABLISHED -j RETURN
+    ${Iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK             -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     PSH,ACK         -m conntrack --ctstate ESTABLISHED -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     PSH,ACK         -m conntrack --ctstate NEW         -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     PSH,ACK         -m conntrack --ctstate RELATED     -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     NONE                                               -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ALL                                                -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,FIN SYN,FIN                                            -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,RST SYN,RST                                            -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags RST,FIN RST,FIN                                            -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,URG SYN,URG                                            -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN,PSH                                            -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN,ACK,PSH                                        -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ACK,FIN FIN                                                -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ACK,PSH PSH                                                -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ACK,URG URG                                                -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST             -m conntrack --ctstate ESTABLISHED -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST             -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,ACK NONE                                               -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN             -m conntrack --ctstate NEW         -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN             -m conntrack --ctstate RELATED     -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN             -m conntrack --ctstate ESTABLISHED -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN,ACK         -m conntrack --ctstate ESTABLISHED -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN,ACK         -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     FIN,ACK         -m conntrack --ctstate ESTABLISHED -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     FIN,ACK         -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST,ACK         -m conntrack --ctstate ESTABLISHED -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST,ACK         -m conntrack --ctstate NEW         -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST,ACK         -m conntrack --ctstate RELATED     -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK,PSH,RST     -m conntrack --ctstate ESTABLISHED -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK,PSH,RST     -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     FIN,PSH,ACK     -m conntrack --ctstate ESTABLISHED -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     FIN,PSH,ACK     -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST,ACK,PSH                                        -j STRANGELOG
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST,ACK,URG                                        -j STRANGELOG
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST,ACK,PSH,URG                                    -j STRANGELOG
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     FIN,PSH,ACK,URG                                    -j STRANGELOG
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK,URG                                            -j STRANGELOG
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK,URG,FIN                                        -j STRANGELOG
 }
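Review bot: The second rule of the new chain (the `ALL ACK` / `NEW,RELATED` drop) is written as `${Iptables}` with a capital I, so it never runs as an iptables call: depending on the script's shell options that line either aborts the run (`set -u`, or `set -e` on the resulting "command not found") or silently installs nothing, and the old guard against unsolicited bare-ACK segments is lost while the rename otherwise preserves every rule. A bare ACK with no conntrack entry then matches none of the remaining flag patterns in FWSUSPICIOUS and returns to the caller, so whether it is ultimately dropped depends on rules outside this hunk. The fix is the one character: `${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK             -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP`. Running the file through shellcheck would also have flagged the unassigned `Iptables` variable. The enclosing `_broken()` function starts before the hunk.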
 
 _droplog() {
@@ -131,7 +131,7 @@ base() {
     ${iptables} -A INPUT -i lo -j ACCEPT
     if $logbroken; then
         _broken
-        ${iptables} -A INPUT -i ${wan} -p tcp -j DROP_TCP_SUSPICIOUS
+        ${iptables} -A INPUT -i ${wan} -p tcp -j FWSUSPICIOUS
     fi
     ${iptables} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     if $loginvalid; then
@@ -160,7 +160,7 @@ lan() {
     ${iptables} -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
     ${iptables} -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
     if $logbroken; then
-        ${iptables} -A FORWARD -i ${wan} -p tcp -j DROP_TCP_SUSPICIOUS
+        ${iptables} -A FORWARD -i ${wan} -p tcp -j FWSUSPICIOUS
     fi
     ${iptables} -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     if $loginvalid; then
@@ -191,12 +191,14 @@ scanips() {
     ${iptables} -A FWSCAN -i ${wan} -p tcp -j SET --add-set $scanset src --exist --timeout $scanttl
     if $logscan ; then
         _droplog "SCAN"
-        ${iptables} -A FWSCAN -i ${wan} -p udp -m set --match-set $scanset src -j SCANLOGDROP
-        ${iptables} -A FWSCAN -i ${wan} -p tcp -m set --match-set $scanset src -j SCANLOGDROP
+        ${iptables} -A FWSCAN -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j SCANLOGDROP
+        ${iptables} -A FWSCAN -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j SCANLOGDROP
     fi
-    ${iptables} -A FWSCAN -i ${wan} -p udp -m set --match-set $scanset src -j ENDRESET
-    ${iptables} -A FWSCAN -i ${wan} -p tcp -m set --match-set $scanset src -j ENDRESET
+    ${iptables} -A FWSCAN -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j ENDRESET
+    ${iptables} -A FWSCAN -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j ENDRESET
     ${iptables} -I BROKENLOGDROP -j FWSCAN
+    ${iptables} -D BROKENLOGDROP -j ENDRESET
+    ${iptables} -A BROKENLOGDROP -j ENDRESET
     ${iptables} -A INPUT -j FWSCAN
 }
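Review bot: The new `${iptables} -D BROKENLOGDROP -j ENDRESET` returns non-zero when that rule is not present in the chain (for instance if the code that appends ENDRESET to BROKENLOGDROP, which is outside this hunk, did not run), and with errexit enabled that would abort the whole firewall load half-way through rule installation, which is worse than a misplaced rule. Since the intent is only to move ENDRESET behind the freshly inserted FWSCAN jump, guard the delete with an existence check: `if ${iptables} -C BROKENLOGDROP -j ENDRESET 2>/dev/null; then ${iptables} -D BROKENLOGDROP -j ENDRESET; fi`, and keep the `-A` unconditional. Note also that `-D` removes only the first matching rule, so this assumes ENDRESET was appended exactly once. The added `-m conntrack --ctstate NEW` qualifiers look right — an address already in `$scanset` no longer gets its established flows reset, and non-NEW packets arriving via BROKENLOGDROP fall back to the logging and the re-appended ENDRESET — but that reasoning deserves a one-line comment above the `-D`, e.g. `# move ENDRESET behind the FWSCAN jump so broken packets are tallied before being rejected`. The enclosing `scanips()` function starts before the hunk.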
 
@@ -236,6 +238,7 @@ final(){
         _droplog "FINAL"
         ${iptables} -A INPUT -j FINALLOGDROP
     fi
+    ${iptables} -A INPUT -i ${wan} -j ENDRESET
 }
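Review bot: The new `-A INPUT -i ${wan} -j ENDRESET` sits after the conditional FINALLOGDROP append with no comment saying which case it is for, and whether it is ever reached when logging is on depends on what `_droplog` puts at the end of FINALLOGDROP, which is outside this hunk. If the logging chain already terminates in ENDRESET (as the `-D BROKENLOGDROP -j ENDRESET` elsewhere in this commit suggests), the line is the non-logging fallback and should say so; if it does not, the line is the only thing rejecting leftover WAN traffic and the `-i ${wan}` restriction means unsolicited packets from other interfaces fall through to the INPUT policy. I would add `# leftover WAN traffic not handled above is rejected via ENDRESET; other interfaces fall to the chain policy` above the new line, confirming the first part against `_droplog`. The enclosing `final()` function starts before the hunk.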
 
 main () {