Inicio Explorar Axuda
Iniciar sesión
arch
/
e-router
Seguir 3
Destacar 0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Explorar o código

Rework logging

Edvinas Valatka %!s(int64=8) %!d(string=hai) anos
pai
948e1884fb
achega
c7ec23d346
Modificáronse 2 ficheiros con 25 adicións e 30 borrados
Dividir vista Mostrar estatísticas de Diff
  1. 3 2
      config
  2. 22 28
      e-router

+ 3 - 2
config
Ver ficheiro 

@@ -39,6 +39,9 @@ scanttl=172800
 
 ## DEBUG ##
 
 loginput=true
 
 logforward=true
 
+logbad=true
 
+logscan=true
 
+logcast=true
 
 debugtcp=true
 
 debugudp=true
 
 debugicmp=true
 
@@ -47,8 +50,6 @@ debugicmp=true
 
 hooks=(
 
 base
 
 lan
 
-wandroplog
 
-fordroplog
 
 whitenets
 
 forward
 
 badips

+ 22 - 28
e-router
Ver ficheiro 

@@ -19,38 +19,25 @@ base() {
 
 }
 
 
 final(){
 
-    if $loginput ; then
 
-        ${iptables} -A INPUT -j WAN-LOG-DROP
 
+    if $loginput; then
 
+        droplog "FINAL" "INPUT"
 
     fi
 
 }
 
 
-wandroplog() {
 
-    ${iptables} -N WAN-LOG-DROP
 
+droplog() {
 
+    ${iptables} -N ${1}-LOG-DROP
 
     if $debugtcp; then
 
-        ${iptables} -A WAN-LOG-DROP -p tcp  -j LOG --log-prefix  "WAN-LOG-DROP TCP: " --log-level 7
 
+        ${iptables} -A ${1}-LOG-DROP -p tcp  -j LOG --log-prefix "${1}-LOG-DROP TCP: " --log-level 7
 
     fi
 
     if $debugudp; then
 
-        ${iptables} -A WAN-LOG-DROP -p udp  -j LOG --log-prefix  "WAN-LOG-DROP UDP: " --log-level 7
 
+        ${iptables} -A ${1}-LOG-DROP -p udp  -j LOG --log-prefix "${1}-LOG-DROP UDP: " --log-level 7
 
     fi
 
     if $debugicmp; then
 
-        ${iptables} -A WAN-LOG-DROP -p icmp -j LOG --log-prefix  "WAN-LOG-DROP ICMP: " --log-level 7
 
+        ${iptables} -A ${1}-LOG-DROP -p icmp -j LOG --log-prefix "${1}-LOG-DROP ICMP: " --log-level 7
 
     fi
 
+    ${iptables} -A ${2} -j ${1}-LOG-DROP
 
 }
 
 
-fordroplog() {
 
-    ${iptables} -N FORWARD-LOG-DROP
 
-    if $debugtcp; then
 
-        ${iptables} -A FORWARD-LOG-DROP -p tcp  -j LOG --log-prefix "FORWARD-LOG-DROP TCP: " --log-level 7
 
-    fi
 
-    if $debugudp; then
 
-        ${iptables} -A FORWARD-LOG-DROP -p udp  -j LOG --log-prefix "FORWARD-LOG-DROP UDP: " --log-level 7
 
-    fi
 
-    if $debugicmp; then
 
-        ${iptables} -A FORWARD-LOG-DROP -p icmp -j LOG --log-prefix "FORWARD-LOG-DROP ICMP: " --log-level 7
 
-    fi
 
-}
 
-
 
-
 
 forward() {
 
     ${iptables} -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
     ${iptables} -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
 
@@ -81,7 +68,7 @@ forward() {
 
     done < $confd/FORWARD.udp
 
 
     if $logforward ; then
 
-        ${iptables} -A FORWARD -j FORWARD-LOG-DROP
 
+        droplog "FORWARD" "FORWARD"
 
     fi
 
     ${iptables} -A FORWARD -j END-RESET
 
 }
 
@@ -101,15 +88,18 @@ whitenets() {
 
 
 badips() {
 
     ipset create -! $banset hash:ip hashsize 4096 timeout $banttl  maxelem $badmaxelems
 
-    ${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
 
-    ${iptables} -A INPUT -i ${wan} -p tcp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
 
+    if $logbad ; then
 
+        droplog "BAD" "INPUT"
 
+    fi
 
+    ${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j END-RESET
 
+    ${iptables} -A INPUT -i ${wan} -p tcp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j END-RESET
 
 }
 
 
 scanips() {
 
     ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl maxelem $scanmaxelems
 
     ${iptables} -A INPUT -i ${wan} -j SET --add-set $scanset src --exist  --timeout $scanttl
 
-    if $loginput ; then
 
-        ${iptables} -A INPUT -j WAN-LOG-DROP
 
+    if $logscan ; then
 
+        droplog "SCAN" "INPUT"
 
     fi
 
     ${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
 
     ${iptables} -A INPUT -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
 
@@ -146,8 +136,12 @@ public() {
 
 
 cast() {
 
     ${iptables} -N FW-CAST
 
-    ${iptables} -A FW-CAST -m pkttype --pkt-type broadcast -j ACCEPT
 
-    ${iptables} -A FW-CAST -m pkttype --pkt-type multicast -j ACCEPT
 
+    if $logcast; then
 
+        ${iptables} -A FW-CAST -m pkttype --pkt-type multicast -m conntrack --ctstate NEW  -j LOG --log-prefix "CAST-LOG MULTI: " --log-level 7
 
+        ${iptables} -A FW-CAST -m pkttype --pkt-type broadcast -m conntrack --ctstate NEW  -j LOG --log-prefix "CAST-LOG BROAD: " --log-level 7
 
+    fi
 
+    ${iptables} -A FW-CAST -m pkttype --pkt-type multicast -m conntrack --ctstate NEW -j ACCEPT
 
+    ${iptables} -A FW-CAST -m pkttype --pkt-type broadcast -m conntrack --ctstate NEW -j ACCEPT
 
     ${iptables} -A INPUT -i ${wan} -j FW-CAST
 
 }