|
|
@@ -21,11 +21,11 @@ _broken(){
|
|
|
${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --sport 0:19 -j BROKENLOGDROP
|
|
|
${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --dport 0:19 -j BROKENLOGDROP
|
|
|
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK -m conntrack --cstate ESTABLISHED -j RETURN
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK -m conntrack --cstate NEW,RELATED -j BROKENLOGDROP
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK -m conntrack --cstate ESTABLISHED -j RETURN
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK -m conntrack --cstate NEW -j RETURN
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK -m conntrack --cstate RELATED -j BROKENLOGDROP
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK -m conntrack --ctstate ESTABLISHED -j RETURN
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK -m conntrack --ctstate ESTABLISHED -j RETURN
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK -m conntrack --ctstate NEW -j RETURN
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK -m conntrack --ctstate RELATED -j BROKENLOGDROP
|
|
|
${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL NONE -j BROKENLOGDROP
|
|
|
${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ALL -j BROKENLOGDROP
|
|
|
${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags SYN,FIN SYN,FIN -j BROKENLOGDROP
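Review bot: With the option spelling fixed, the conntrack-state match in these rules takes effect, and a packet whose state is INVALID (or UNTRACKED) matches neither the `--ctstate ESTABLISHED -j RETURN` line nor the `--ctstate NEW,RELATED -j BROKENLOGDROP` line, so it falls through to whatever follows in DROP_TCP_SUSPICIOUS rather than being logged and dropped with the other unexpected states. If the intent is that only tracked, expected states pass this chain, the drop lines should include it, e.g. `--ctstate NEW,RELATED,INVALID -j BROKENLOGDROP`, or the chain should end with a catch-all `-m conntrack --ctstate INVALID -j BROKENLOGDROP`. Before this change iptables would have rejected `--cstate` as an unknown option, so unless the script ignores iptables' exit status these rules were never installed; the whole chain deserves a retest rather than only the changed lines. The same fall-through applies to the second hunk of `_broken` (the RST, SYN, SYN,ACK, FIN,ACK, RST,ACK, ACK,PSH,RST and FIN,PSH,ACK rules). `_broken` starts before and ends after this hunk.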
|
|
|
@@ -37,23 +37,23 @@ _broken(){
|
|
|
${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ACK,FIN FIN -j BROKENLOGDROP
|
|
|
${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ACK,PSH PSH -j BROKENLOGDROP
|
|
|
${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ACK,URG URG -j BROKENLOGDROP
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST -m conntrack --cstate ESTABLISHED -j RETURN
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST -m conntrack --cstate NEW,RELATED -j BROKENLOGDROP
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST -m conntrack --ctstate ESTABLISHED -j RETURN
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
|
|
|
${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags SYN,ACK NONE -j BROKENLOGDROP
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN -m conntrack --cstate NEW -j RETURN
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN -m conntrack --cstate RELATED -j RETURN
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN -m conntrack --cstate ESTABLISHED -j BROKENLOGDROP
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK -m conntrack --cstate ESTABLISHED -j RETURN
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK -m conntrack --cstate NEW,RELATED -j BROKENLOGDROP
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,ACK -m conntrack --cstate ESTABLISHED -j RETURN
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,ACK -m conntrack --cstate NEW,RELATED -j BROKENLOGDROP
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK -m conntrack --cstate ESTABLISHED -j RETURN
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK -m conntrack --cstate NEW -j RETURN
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK -m conntrack --cstate RELATED -j BROKENLOGDROP
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK,PSH,RST -m conntrack --cstate ESTABLISHED -j RETURN
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK,PSH,RST -m conntrack --cstate NEW,RELATED -j BROKENLOGDROP
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK -m conntrack --cstate ESTABLISHED -j RETURN
|
|
|
- ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK -m conntrack --cstate NEW,RELATED -j BROKENLOGDROP
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN -m conntrack --ctstate NEW -j RETURN
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN -m conntrack --ctstate RELATED -j RETURN
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN -m conntrack --ctstate ESTABLISHED -j BROKENLOGDROP
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK -m conntrack --ctstate ESTABLISHED -j RETURN
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,ACK -m conntrack --ctstate ESTABLISHED -j RETURN
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,ACK -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK -m conntrack --ctstate ESTABLISHED -j RETURN
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK -m conntrack --ctstate NEW -j RETURN
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK -m conntrack --ctstate RELATED -j BROKENLOGDROP
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK,PSH,RST -m conntrack --ctstate ESTABLISHED -j RETURN
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK,PSH,RST -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK -m conntrack --ctstate ESTABLISHED -j RETURN
|
|
|
+ ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
|
|
|
${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,PSH -j STRANGELOG
|
|
|
${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,URG -j STRANGELOG
|
|
|
${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,PSH,URG -j STRANGELOG
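Review bot: The state-to-verdict mapping differs between flag sets that look alike and nothing in the hunk says why: `ALL RST` in state NEW is dropped (`--ctstate NEW,RELATED -j BROKENLOGDROP`) while `ALL RST,ACK` in state NEW is returned (`--ctstate NEW -j RETURN`), and `ALL SYN` in RELATED returns while `ALL RST,ACK` in RELATED drops. If the asymmetry is deliberate, a comment above the block should record it, e.g. `# State matrix: ESTABLISHED -> RETURN; NEW/RELATED -> BROKENLOGDROP, except SYN in RELATED and RST,ACK in NEW, which RETURN on purpose`; if it is not, the two RST,ACK state lines should collapse to a single `--ctstate NEW,RELATED -j BROKENLOGDROP` like the RST and SYN,ACK rules. `_broken` starts and ends outside this hunk.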
|
|
|
@@ -173,6 +173,7 @@ lan() {
|
|
|
|
|
|
badips() {
|
|
|
ipset create -! $banset hash:ip hashsize 4096 timeout $banttl maxelem $badmaxelems
|
|
|
+ ${iptables} -N FWBAD
|
|
|
if $logbad ; then
|
|
|
_droplog "BAD"
|
|
|
${iptables} -A FWBAD -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j BADLOGDROP
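Review bot: `${iptables} -N FWBAD` is not idempotent: on a second run of the script, if the chain is not deleted or flushed earlier, iptables exits non-zero on the `-N` and the following `-A FWBAD` rules are appended to the chain that already exists, duplicating every rule (or the function aborts at that line if the shell runs with `set -e`). The `ipset create -!` directly above already tolerates re-runs, so the chain creation should match it, e.g. `${iptables} -N FWBAD 2>/dev/null || ${iptables} -F FWBAD`. Whether an earlier flush of user chains makes this moot cannot be seen from this hunk; `badips` continues past the end of the hunk.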
|