Главная Обзор Помощь
Вход
arch
/
e-router
Следить 3
В избранное 0
Ответвить 0
Файлы Обсуждения 0 Запросы на слияние 0 Вики
Просмотр исходного кода

Merge branch 'devel'

Edvinas Valatka 8 лет назад
Родитель
a60b9d2c79 0714af9b27
Сommit
c77c79dc5e
2 измененных файлов с 27 добавлено и 17 удалено
Единый вид Показать статистику Diff
  1. 18 3
      config
  2. 9 14
      e-router

+ 18 - 3
config
Просмотреть файл 

@@ -1,3 +1,5 @@
 
+# vim: syntax=sh
 
+
 
 eth0=enp5s0
 
 eth0=enp5s0
 
 wan=enp1s0
 
 wan=enp1s0
 
 locnet=192.168.1.0/24
 
 locnet=192.168.1.0/24
 
@@ -42,7 +44,20 @@ debugudp=true
 
 debugicmp=true
 
 debugicmp=true
 
 
 
 ## default hook order ##
 
 ## default hook order ##
 
-# hooks="set_defaults setup_whitenets setup_nat setup_forward setup_base setup_badips setup_white setup_open setup_scanips setup_cast setup_final"
 
+hooks=(
 
+base
 
+lan
 
+setup_wandroplog
 
+setup_fordroplog
 
+setup_whitenets
 
+setup_forward
 
+setup_badips
 
+setup_white
 
+setup_public
 
+setup_scanips
 
+setup_cast
 
+final
 
+)
 
 
 
-## Default iptables invocation command ##
 
-#IPTABLESCMD="iptables -w"
 
+## iptables invocation command ##
 
+iptables="iptables -w"

+ 9 - 14
e-router
Просмотреть файл 

@@ -2,17 +2,19 @@
 
 ((EUID == 0 )) || { echo "Need root"; exit 1; }
 
 ((EUID == 0 )) || { echo "Need root"; exit 1; }
 
 set -euo pipefail
 
 set -euo pipefail
 
 confd=/etc/e-router
 
 confd=/etc/e-router
 
-iptables="${IPTABLESCMD:-iptables -w}"
 
 source $confd/config
 
 source $confd/config
 
 
 
-set_defaults() {
 
+base() {
 
     /usr/lib/systemd/scripts/iptables-flush
 
     /usr/lib/systemd/scripts/iptables-flush
 
+    ${iptables} -P INPUT DROP
 
     ${iptables} -P FORWARD DROP
 
     ${iptables} -P FORWARD DROP
 
     ${iptables} -P OUTPUT ACCEPT
 
     ${iptables} -P OUTPUT ACCEPT
 
-    ${iptables} -P INPUT DROP
 
+    ${iptables} -A INPUT -i lo -j ACCEPT
 
+    ${iptables} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
+    ${iptables} -A INPUT -m conntrack --ctstate INVALID -j DROP
 
 }
 
 }
 
 
 
-setup_final(){
 
+final(){
 
     if $loginput ; then
 
     if $loginput ; then
 
         ${iptables} -A INPUT -j WAN-LOG-DROP
 
         ${iptables} -A INPUT -j WAN-LOG-DROP
 
     fi
 
     fi
 
@@ -47,9 +49,6 @@ setup_fordroplog() {
 
     fi
 
     fi
 
 }
 
 }
 
 
 
-setup_nat() {
 
-    ${iptables} -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
 
-}
 
 
 
 setup_forward() {
 
 setup_forward() {
 
     ${iptables} -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
     ${iptables} -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
@@ -88,11 +87,9 @@ setup_forward() {
 
     ${iptables} -A FORWARD -j REJECT --reject-with icmp-proto-unreachable
 
     ${iptables} -A FORWARD -j REJECT --reject-with icmp-proto-unreachable
 
 }
 
 }
 
 
 
-setup_base() {
 
-    ${iptables} -A INPUT -i lo -j ACCEPT
 
+lan() {
 
     ${iptables} -A INPUT -i ${eth0} -j ACCEPT
 
     ${iptables} -A INPUT -i ${eth0} -j ACCEPT
 
-    ${iptables} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
-    ${iptables} -A INPUT -m conntrack --ctstate INVALID -j DROP
 
+    ${iptables} -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
 
 }
 
 }
 
 
 
 setup_whitenets() {
 
 setup_whitenets() {
 
@@ -156,9 +153,7 @@ setup_cast() {
 
 }
 
 }
 
 
 
 main () {
 
 main () {
 
-    defaultHooks="set_defaults setup_wandroplog setup_fordroplog setup_whitenets setup_nat setup_forward setup_base setup_badips setup_white setup_public setup_scanips setup_cast setup_final"
 
-    hookarray=(${hooks:-$defaultHooks})
 
-    for hook in "${hookarray[@]}" ; do
 
+    for hook in "${hooks[@]}" ; do
 
         $hook
 
         $hook
 
     done
 
     done
 
 }
 
 }