|
|
@@ -4,6 +4,19 @@ set -euo pipefail
|
|
|
confd=/etc/e-router
|
|
|
source $confd/config
|
|
|
|
|
|
+_droplog() {
|
|
|
+ ${iptables} -N ${1}-LOG-DROP
|
|
|
+ if $debugtcp; then
|
|
|
+ ${iptables} -A ${1}-LOG-DROP -p tcp -j LOG --log-prefix "${1}-LOG-DROP TCP: " --log-level 7
|
|
|
+ fi
|
|
|
+ if $debugudp; then
|
|
|
+ ${iptables} -A ${1}-LOG-DROP -p udp -j LOG --log-prefix "${1}-LOG-DROP UDP: " --log-level 7
|
|
|
+ fi
|
|
|
+ if $debugicmp; then
|
|
|
+ ${iptables} -A ${1}-LOG-DROP -p icmp -j LOG --log-prefix "${1}-LOG-DROP ICMP: " --log-level 7
|
|
|
+ fi
|
|
|
+}
|
|
|
+
|
|
|
base() {
|
|
|
/usr/lib/systemd/scripts/iptables-flush
|
|
|
${iptables} -P INPUT DROP
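Review bot: The three LOG rules appended in _droplog (the tcp, udp and icmp branches) have no `-m limit` match, so every packet that reaches a `*-LOG-DROP` chain is logged at level 7; unsolicited traffic from the WAN side can then fill the kernel ring buffer and the journal at line rate. Each rule should carry a rate limit before the LOG target, e.g. `${iptables} -A ${1}-LOG-DROP -p tcp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "${1}-LOG-DROP TCP: " --log-level 7`, with the same change on the udp and icmp lines. Two smaller points on the same function: `if $debugtcp; then` (and the udp/icmp variants) executes the value of a config variable as a command, so a comparison such as `if [[ "$debugtcp" == true ]]; then` would be safer than relying on the sourced config holding exactly `true`/`false`; and `${iptables} -N ${1}-LOG-DROP` fails under `set -e` if the chain already exists, which presumably is only safe because base() runs iptables-flush first — a header comment stating that _droplog must be called once per chain name would make that dependency explicit.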
|
|
|
@@ -18,26 +31,6 @@ base() {
|
|
|
${iptables} -A END-RESET -j REJECT --reject-with icmp-proto-unreachable
|
|
|
}
|
|
|
|
|
|
-final(){
|
|
|
- if $loginput; then
|
|
|
- _droplog "FINAL"
|
|
|
- ${iptables} -A INPUT -j FINAL-LOG-DROP
|
|
|
- fi
|
|
|
-}
|
|
|
-
|
|
|
-_droplog() {
|
|
|
- ${iptables} -N ${1}-LOG-DROP
|
|
|
- if $debugtcp; then
|
|
|
- ${iptables} -A ${1}-LOG-DROP -p tcp -j LOG --log-prefix "${1}-LOG-DROP TCP: " --log-level 7
|
|
|
- fi
|
|
|
- if $debugudp; then
|
|
|
- ${iptables} -A ${1}-LOG-DROP -p udp -j LOG --log-prefix "${1}-LOG-DROP UDP: " --log-level 7
|
|
|
- fi
|
|
|
- if $debugicmp; then
|
|
|
- ${iptables} -A ${1}-LOG-DROP -p icmp -j LOG --log-prefix "${1}-LOG-DROP ICMP: " --log-level 7
|
|
|
- fi
|
|
|
-}
|
|
|
-
|
|
|
forward() {
|
|
|
while read -r ip public private ; do
|
|
|
[[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] || continue
|
|
|
@@ -152,6 +145,13 @@ cast() {
|
|
|
${iptables} -A INPUT -i ${wan} -j FW-CAST
|
|
|
}
|
|
|
|
|
|
+final(){
|
|
|
+ if $loginput; then
|
|
|
+ _droplog "FINAL"
|
|
|
+ ${iptables} -A INPUT -j FINAL-LOG-DROP
|
|
|
+ fi
|
|
|
+}
|
|
|
+
|
|
|
main () {
|
|
|
for hook in "${hooks[@]}" ; do
|
|
|
$hook
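Review bot: final() only appends `-j FINAL-LOG-DROP` to INPUT, and the chain created by _droplog contains LOG rules alone, so nothing in this hunk actually drops the packet; the drop comes from the `-P INPUT DROP` policy set in base() in the first hunk. That works, but the chain name suggests a terminal DROP and a future edit to the policy would silently turn the log chain into a pass-through, so either make the drop explicit with `${iptables} -A INPUT -j DROP` after the jump or add a comment such as `# logging only: packets fall through to the INPUT DROP policy set in base()` above the `if $loginput` line. The function should also state that it is expected to be the last entry in `hooks`, since anything appended to INPUT after it would never be reached when logging is enabled; main()'s body continues outside the hunk, so that ordering cannot be confirmed here.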
|