|
|
@@ -2,17 +2,19 @@
|
|
|
((EUID == 0 )) || { echo "Need root"; exit 1; }
|
|
|
set -euo pipefail
|
|
|
confd=/etc/e-router
|
|
|
-iptables="${IPTABLESCMD:-iptables -w}"
|
|
|
source $confd/config
|
|
|
|
|
|
-set_defaults() {
|
|
|
+base() {
|
|
|
/usr/lib/systemd/scripts/iptables-flush
|
|
|
+ ${iptables} -P INPUT DROP
|
|
|
${iptables} -P FORWARD DROP
|
|
|
${iptables} -P OUTPUT ACCEPT
|
|
|
- ${iptables} -P INPUT DROP
|
|
|
+ ${iptables} -A INPUT -i lo -j ACCEPT
|
|
|
+ ${iptables} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
|
+ ${iptables} -A INPUT -m conntrack --ctstate INVALID -j DROP
|
|
|
}
|
|
|
|
|
|
-setup_final(){
|
|
|
+final(){
|
|
|
if $loginput ; then
|
|
|
${iptables} -A INPUT -j WAN-LOG-DROP
|
|
|
fi
|
|
|
@@ -47,9 +49,6 @@ setup_fordroplog() {
|
|
|
fi
|
|
|
}
|
|
|
|
|
|
-setup_nat() {
|
|
|
- ${iptables} -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
|
|
|
-}
|
|
|
|
|
|
setup_forward() {
|
|
|
${iptables} -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
|
@@ -88,11 +87,9 @@ setup_forward() {
|
|
|
${iptables} -A FORWARD -j REJECT --reject-with icmp-proto-unreachable
|
|
|
}
|
|
|
|
|
|
-setup_base() {
|
|
|
- ${iptables} -A INPUT -i lo -j ACCEPT
|
|
|
+lan() {
|
|
|
${iptables} -A INPUT -i ${eth0} -j ACCEPT
|
|
|
- ${iptables} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
|
- ${iptables} -A INPUT -m conntrack --ctstate INVALID -j DROP
|
|
|
+ ${iptables} -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
|
|
|
}
|
|
|
|
|
|
setup_whitenets() {
|
|
|
@@ -156,9 +153,7 @@ setup_cast() {
|
|
|
}
|
|
|
|
|
|
main () {
|
|
|
- defaultHooks="set_defaults setup_wandroplog setup_fordroplog setup_whitenets setup_nat setup_forward setup_base setup_badips setup_white setup_public setup_scanips setup_cast setup_final"
|
|
|
- hookarray=(${hooks:-$defaultHooks})
|
|
|
- for hook in "${hookarray[@]}" ; do
|
|
|
+ for hook in "${hooks[@]}" ; do
|
|
|
$hook
|
|
|
done
|
|
|
}
|
