|
@@ -86,7 +86,8 @@ setup_white() {
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
iptables -A FW-FILTERED -m tcp -p tcp --dport $port -j ACCEPT
|
|
iptables -A FW-FILTERED -m tcp -p tcp --dport $port -j ACCEPT
|
|
|
done < $CONFD/WHITE.tcp
|
|
done < $CONFD/WHITE.tcp
|
|
|
- iptables -A INPUT -i ${wan} -m set --match-set $whiteset src -j FW-FILTERED
|
|
|
|
|
|
|
+ iptables -A INPUT -p udp -i ${wan} -m set --match-set $whiteset src -m conntrack --ctstate NEW -j FW-FILTERED
|
|
|
|
|
+ iptables -A INPUT -p tcp --syn -i ${wan} -m set --match-set $whiteset src -m conntrack --ctstate NEW -j FW-FILTERED
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
setup_open() {
|
|
setup_open() {
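Review bot: The two replacement rules hand only TCP SYN and UDP packets in conntrack state NEW to FW-FILTERED, so any other protocol from a whitelisted source (ICMP being the obvious one) that the removed `-i ${wan} -m set --match-set $whiteset src -j FW-FILTERED` line used to dispatch now falls through to whatever follows in INPUT; if FW-FILTERED or the whitelist was meant to cover non-TCP/UDP traffic, an explicit rule for it is needed. Matching on `--ctstate NEW` also presumes that reply and related packets are accepted by an ESTABLISHED,RELATED rule earlier in INPUT, which is not visible in this hunk — worth stating above the added lines, e.g. `# only connection-opening packets are classified here; replies rely on the ESTABLISHED,RELATED rule earlier in INPUT`. Since the ipset match is on `src` only, the UDP rule still admits a packet with a spoofed whitelisted source address into FW-FILTERED, whereas the TCP `--syn` form at least cannot complete a handshake from a forged address. setup_white's body begins before this hunk.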
|
|
@@ -99,7 +100,8 @@ setup_open() {
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
iptables -A FW-OPEN -m tcp -p tcp --dport $port -j ACCEPT
|
|
iptables -A FW-OPEN -m tcp -p tcp --dport $port -j ACCEPT
|
|
|
done < $CONFD/ACCEPT.tcp
|
|
done < $CONFD/ACCEPT.tcp
|
|
|
- iptables -A INPUT -i ${wan} -j FW-OPEN
|
|
|
|
|
|
|
+ iptables -A INPUT -p udp -i ${wan} -m conntrack --ctstate NEW -j FW-OPEN
|
|
|
|
|
+ iptables -A INPUT -p tcp --syn -i ${wan} -m conntrack --ctstate NEW -j FW-OPEN
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
setup_cast() {
|
|
setup_cast() {
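Review bot: After this change only TCP SYN and UDP NEW packets from `${wan}` reach FW-OPEN; the removed `-i ${wan} -j FW-OPEN` rule passed every protocol, so any ICMP or other non-TCP/UDP accept rule that FW-OPEN may contain (none is visible here) becomes unreachable and those packets fall through to the rest of INPUT. If that is intended, a comment above the two added lines should say so, e.g. `# FW-OPEN now sees only connection-opening TCP/UDP packets; other protocols fall through to the remaining INPUT rules`; otherwise add a matching jump for the protocols still expected there. The visible loop only populates FW-OPEN from ACCEPT.tcp, so the UDP jump presumably pairs with an ACCEPT.udp loop above the hunk — confirm it exists, since an empty chain for UDP just returns and the packet continues down INPUT. setup_open's body begins before this hunk.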
|