|
@@ -14,26 +14,23 @@ set_defaults() {
|
|
|
|
|
|
|
|
setup_final(){
|
|
setup_final(){
|
|
|
if $loginput ; then
|
|
if $loginput ; then
|
|
|
- setup_wandroplog
|
|
|
|
|
${iptables} -A INPUT -j WAN-LOG-DROP
|
|
${iptables} -A INPUT -j WAN-LOG-DROP
|
|
|
- else
|
|
|
|
|
- ${iptables} -A INPUT -j DROP
|
|
|
|
|
fi
|
|
fi
|
|
|
|
|
+ ${iptables} -A INPUT -p tcp -j REJECT --reject-with tcp-reset
|
|
|
|
|
+ ${iptables} -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
|
+ ${iptables} -A INPUT -j REJECT --reject-with icmp-proto-unreachable
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
setup_wandroplog() {
|
|
setup_wandroplog() {
|
|
|
${iptables} -N WAN-LOG-DROP
|
|
${iptables} -N WAN-LOG-DROP
|
|
|
if $debugtcp; then
|
|
if $debugtcp; then
|
|
|
${iptables} -A WAN-LOG-DROP -p tcp -j LOG --log-prefix "WAN-LOG-DROP TCP: " --log-level 7
|
|
${iptables} -A WAN-LOG-DROP -p tcp -j LOG --log-prefix "WAN-LOG-DROP TCP: " --log-level 7
|
|
|
- ${iptables} -A WAN-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
|
|
|
|
|
fi
|
|
fi
|
|
|
if $debugudp; then
|
|
if $debugudp; then
|
|
|
${iptables} -A WAN-LOG-DROP -p udp -j LOG --log-prefix "WAN-LOG-DROP UDP: " --log-level 7
|
|
${iptables} -A WAN-LOG-DROP -p udp -j LOG --log-prefix "WAN-LOG-DROP UDP: " --log-level 7
|
|
|
- ${iptables} -A WAN-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
|
fi
|
|
fi
|
|
|
if $debugicmp; then
|
|
if $debugicmp; then
|
|
|
${iptables} -A WAN-LOG-DROP -p icmp -j LOG --log-prefix "WAN-LOG-DROP ICMP: " --log-level 7
|
|
${iptables} -A WAN-LOG-DROP -p icmp -j LOG --log-prefix "WAN-LOG-DROP ICMP: " --log-level 7
|
|
|
- ${iptables} -A WAN-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
|
|
|
|
|
fi
|
|
fi
|
|
|
}
|
|
}
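Review bot: Dropping the `else` / `-A INPUT -j DROP` branch makes INPUT end in REJECT on every interface whether or not `loginput` is set (the three new rules after the `fi`), whereas the non-logging path used to drop silently. On `${wan}` that turns a stealth drop into an active answer: closed ports are confirmed by a RST or ICMP port-unreachable, and spoofed-source UDP now elicits ICMP from this host. If the REJECT behaviour is wanted for LAN-side responsiveness, keep the WAN side quiet by inserting `${iptables} -A INPUT -i ${wan} -j DROP` ahead of the three REJECT lines, or gate the REJECT rules on a new default. Since WAN-LOG-DROP is now a non-terminating LOG-only chain that every rejected packet traverses, its three LOG rules (unchanged here) having no `-m limit` means each rejected packet also costs a kernel log line; `-m limit --limit 5/min --limit-burst 10` on each LOG rule would bound that.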
|
|
|
|
|
|
|
@@ -41,15 +38,12 @@ setup_fordroplog() {
|
|
|
${iptables} -N FORWARD-LOG-DROP
|
|
${iptables} -N FORWARD-LOG-DROP
|
|
|
if $debugtcp; then
|
|
if $debugtcp; then
|
|
|
${iptables} -A FORWARD-LOG-DROP -p tcp -j LOG --log-prefix "FORWARD-LOG-DROP TCP: " --log-level 7
|
|
${iptables} -A FORWARD-LOG-DROP -p tcp -j LOG --log-prefix "FORWARD-LOG-DROP TCP: " --log-level 7
|
|
|
- ${iptables} -A FORWARD-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
|
|
|
|
|
fi
|
|
fi
|
|
|
if $debugudp; then
|
|
if $debugudp; then
|
|
|
${iptables} -A FORWARD-LOG-DROP -p udp -j LOG --log-prefix "FORWARD-LOG-DROP UDP: " --log-level 7
|
|
${iptables} -A FORWARD-LOG-DROP -p udp -j LOG --log-prefix "FORWARD-LOG-DROP UDP: " --log-level 7
|
|
|
- ${iptables} -A FORWARD-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
|
fi
|
|
fi
|
|
|
if $debugicmp; then
|
|
if $debugicmp; then
|
|
|
${iptables} -A FORWARD-LOG-DROP -p icmp -j LOG --log-prefix "FORWARD-LOG-DROP ICMP: " --log-level 7
|
|
${iptables} -A FORWARD-LOG-DROP -p icmp -j LOG --log-prefix "FORWARD-LOG-DROP ICMP: " --log-level 7
|
|
|
- ${iptables} -A FORWARD-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
|
|
|
|
|
fi
|
|
fi
|
|
|
}
|
|
}
|
|
|
|
|
|
|
@@ -87,11 +81,11 @@ setup_forward() {
|
|
|
done < $confd/FORWARD.udp
|
|
done < $confd/FORWARD.udp
|
|
|
|
|
|
|
|
if $logforward ; then
|
|
if $logforward ; then
|
|
|
- setup_fordroplog
|
|
|
|
|
${iptables} -A FORWARD -j FORWARD-LOG-DROP
|
|
${iptables} -A FORWARD -j FORWARD-LOG-DROP
|
|
|
- else
|
|
|
|
|
- ${iptables} -A FORWARD -j DROP
|
|
|
|
|
fi
|
|
fi
|
|
|
|
|
+ ${iptables} -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
|
|
|
|
|
+ ${iptables} -A FORWARD -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
|
+ ${iptables} -A FORWARD -j REJECT --reject-with icmp-proto-unreachable
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
setup_base() {
|
|
setup_base() {
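Review bot: The same DROP-to-REJECT change is made for FORWARD (the three REJECT rules after the `fi`), so the router now answers for unreachable forwarded destinations with a TCP RST or ICMP generated by its own stack, for traffic arriving on any interface, where the previous default was a silent `-j DROP`. If that is only wanted for LAN-originated traffic, add `${iptables} -A FORWARD -i ${wan} -j DROP` before the REJECT lines. Separately, `-A FORWARD -j FORWARD-LOG-DROP` now relies on setup_fordroplog having run as an earlier hook rather than being called here; a custom `hooks` list that omits it while `logforward` is true will issue a jump to a chain that does not exist, and whether that aborts the run depends on error handling not visible in this hunk. setup_forward begins outside the hunk (the `done < $confd/FORWARD.udp` loop is its tail).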
|
|
@@ -116,7 +110,10 @@ setup_badips() {
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
setup_scanips() {
|
|
setup_scanips() {
|
|
|
- ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl maxelem $scanmaxelems
|
|
|
|
|
|
|
+ ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl maxelem $scanmaxelems
|
|
|
|
|
+ if $loginput ; then
|
|
|
|
|
+ ${iptables} -A INPUT -j WAN-LOG-DROP
|
|
|
|
|
+ fi
|
|
|
${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
|
|
${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
|
|
|
${iptables} -A INPUT -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
|
|
${iptables} -A INPUT -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
|
|
|
}
|
|
}
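Review bot: The new `if $loginput ; then ${iptables} -A INPUT -j WAN-LOG-DROP; fi` is placed before the scanset match, so it logs every packet that has reached this point of INPUT under a "WAN-LOG-DROP" prefix, not just traffic from `$scanset` sources, and packets that later reach setup_final's own jump are logged a second time. Anything a later hook such as setup_cast accepts (its rules are not visible here) would also be logged as dropped. Scope the jump to what this function actually rejects, e.g. `${iptables} -A INPUT -i ${wan} -m set --match-set $scanset src -m conntrack --ctstate NEW -j WAN-LOG-DROP`, and leave the catch-all logging to setup_final.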
|
|
@@ -158,7 +155,7 @@ setup_cast() {
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
main () {
|
|
main () {
|
|
|
- defaultHooks="set_defaults setup_whitenets setup_nat setup_forward setup_base setup_badips setup_white setup_public setup_scanips setup_cast setup_final"
|
|
|
|
|
|
|
+ defaultHooks="set_defaults setup_wandroplog setup_fordroplog setup_whitenets setup_nat setup_forward setup_base setup_badips setup_white setup_public setup_scanips setup_cast setup_final"
|
|
|
hookarray=(${hooks:-$defaultHooks})
|
|
hookarray=(${hooks:-$defaultHooks})
|
|
|
for hook in "${hookarray[@]}" ; do
|
|
for hook in "${hookarray[@]}" ; do
|
|
|
$hook
|
|
$hook
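Review bot: The reordered `defaultHooks` introduces an ordering contract that is neither documented nor enforced: setup_wandroplog and setup_fordroplog now only create the LOG chains, while setup_scanips, setup_forward and setup_final jump to them, and `hookarray=(${hooks:-$defaultHooks})` lets a caller supply any list. A custom `hooks` value with `loginput` or `logforward` set but without those two hooks will run `-A ... -j WAN-LOG-DROP` / `-j FORWARD-LOG-DROP` against a chain that was never created; whether that aborts the script depends on error handling outside this hunk. Add a comment above the assignment: `# setup_wandroplog/setup_fordroplog only create the LOG chains; they must precede every hook that jumps to them (setup_scanips, setup_forward, setup_final)`. The body of main continues past the end of the hunk.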
|