|
@@ -1,74 +1,77 @@
|
|
|
#!/bin/bash -x
|
|
#!/bin/bash -x
|
|
|
((EUID == 0 )) || { echo "Need root"; exit 1; }
|
|
((EUID == 0 )) || { echo "Need root"; exit 1; }
|
|
|
|
|
+
|
|
|
set -euo pipefail
|
|
set -euo pipefail
|
|
|
|
|
+
|
|
|
confd=/etc/e-router
|
|
confd=/etc/e-router
|
|
|
|
|
+iptables=${IPTABLESCMD:-iptables}
|
|
|
source $confd/config
|
|
source $confd/config
|
|
|
|
|
|
|
|
set_defaults() {
|
|
set_defaults() {
|
|
|
/usr/lib/systemd/scripts/iptables-flush
|
|
/usr/lib/systemd/scripts/iptables-flush
|
|
|
- iptables -w -v -P FORWARD DROP
|
|
|
|
|
- iptables -w -v -P OUTPUT ACCEPT
|
|
|
|
|
- iptables -w -v -P INPUT DROP
|
|
|
|
|
|
|
+ ${iptables} -P FORWARD DROP
|
|
|
|
|
+ ${iptables} -P OUTPUT ACCEPT
|
|
|
|
|
+ ${iptables} -P INPUT DROP
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
setup_final(){
|
|
setup_final(){
|
|
|
if $loginput ; then
|
|
if $loginput ; then
|
|
|
setup_wandroplog
|
|
setup_wandroplog
|
|
|
- iptables -w -v -A INPUT -j WAN-LOG-DROP
|
|
|
|
|
|
|
+ ${iptables} -A INPUT -j WAN-LOG-DROP
|
|
|
else
|
|
else
|
|
|
- iptables -w -v -A INPUT -j DROP
|
|
|
|
|
|
|
+ ${iptables} -A INPUT -j DROP
|
|
|
fi
|
|
fi
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
setup_wandroplog() {
|
|
setup_wandroplog() {
|
|
|
- iptables -w -v -N WAN-LOG-DROP
|
|
|
|
|
|
|
+ ${iptables} -N WAN-LOG-DROP
|
|
|
if $debugtcp; then
|
|
if $debugtcp; then
|
|
|
- iptables -w -v -A WAN-LOG-DROP -p tcp -j LOG --log-prefix "WAN-LOG-DROP TCP: " --log-level 7
|
|
|
|
|
- iptables -w -v -A WAN-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
|
|
|
|
|
|
|
+ ${iptables} -A WAN-LOG-DROP -p tcp -j LOG --log-prefix "WAN-LOG-DROP TCP: " --log-level 7
|
|
|
|
|
+ ${iptables} -A WAN-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
|
|
|
fi
|
|
fi
|
|
|
if $debugudp; then
|
|
if $debugudp; then
|
|
|
- iptables -w -v -A WAN-LOG-DROP -p udp -j LOG --log-prefix "WAN-LOG-DROP UDP: " --log-level 7
|
|
|
|
|
- iptables -w -v -A WAN-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
|
|
|
+ ${iptables} -A WAN-LOG-DROP -p udp -j LOG --log-prefix "WAN-LOG-DROP UDP: " --log-level 7
|
|
|
|
|
+ ${iptables} -A WAN-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
|
fi
|
|
fi
|
|
|
if $debugicmp; then
|
|
if $debugicmp; then
|
|
|
- iptables -w -v -A WAN-LOG-DROP -p icmp -j LOG --log-prefix "WAN-LOG-DROP ICMP: " --log-level 7
|
|
|
|
|
- iptables -w -v -A WAN-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
|
|
|
|
|
|
|
+ ${iptables} -A WAN-LOG-DROP -p icmp -j LOG --log-prefix "WAN-LOG-DROP ICMP: " --log-level 7
|
|
|
|
|
+ ${iptables} -A WAN-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
|
|
|
fi
|
|
fi
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
setup_fordroplog() {
|
|
setup_fordroplog() {
|
|
|
- iptables -w -v -N FORWARD-LOG-DROP
|
|
|
|
|
|
|
+ ${iptables} -N FORWARD-LOG-DROP
|
|
|
if $debugtcp; then
|
|
if $debugtcp; then
|
|
|
- iptables -w -v -A FORWARD-LOG-DROP -p tcp -j LOG --log-prefix "FORWARD-LOG-DROP TCP: " --log-level 7
|
|
|
|
|
- iptables -w -v -A FORWARD-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
|
|
|
|
|
|
|
+ ${iptables} -A FORWARD-LOG-DROP -p tcp -j LOG --log-prefix "FORWARD-LOG-DROP TCP: " --log-level 7
|
|
|
|
|
+ ${iptables} -A FORWARD-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
|
|
|
fi
|
|
fi
|
|
|
if $debugudp; then
|
|
if $debugudp; then
|
|
|
- iptables -w -v -A FORWARD-LOG-DROP -p udp -j LOG --log-prefix "FORWARD-LOG-DROP UDP: " --log-level 7
|
|
|
|
|
- iptables -w -v -A FORWARD-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
|
|
|
+ ${iptables} -A FORWARD-LOG-DROP -p udp -j LOG --log-prefix "FORWARD-LOG-DROP UDP: " --log-level 7
|
|
|
|
|
+ ${iptables} -A FORWARD-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
|
fi
|
|
fi
|
|
|
if $debugicmp; then
|
|
if $debugicmp; then
|
|
|
- iptables -w -v -A FORWARD-LOG-DROP -p icmp -j LOG --log-prefix "FORWARD-LOG-DROP ICMP: " --log-level 7
|
|
|
|
|
- iptables -w -v -A FORWARD-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
|
|
|
|
|
|
|
+ ${iptables} -A FORWARD-LOG-DROP -p icmp -j LOG --log-prefix "FORWARD-LOG-DROP ICMP: " --log-level 7
|
|
|
|
|
+ ${iptables} -A FORWARD-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
|
|
|
fi
|
|
fi
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
setup_nat() {
|
|
setup_nat() {
|
|
|
- iptables -w -v -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
|
|
|
|
|
|
|
+ ${iptables} -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
setup_forward() {
|
|
setup_forward() {
|
|
|
- iptables -w -v -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
|
|
|
- iptables -w -v -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
|
|
|
|
|
|
|
+ ${iptables} -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
|
|
|
+ ${iptables} -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
|
|
|
while read -r ip public private ; do
|
|
while read -r ip public private ; do
|
|
|
[[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] || continue
|
|
[[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] || continue
|
|
|
[[ "$public" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
|
|
[[ "$public" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
|
|
|
[[ "$private" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
|
|
[[ "$private" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
|
|
|
if [[ "$public" =~ ^[0-9]{1,}$ ]] ; then
|
|
if [[ "$public" =~ ^[0-9]{1,}$ ]] ; then
|
|
|
- iptables -w -v -A PREROUTING -t nat -i ${wan} -p tcp --dport ${public} -j DNAT --to ${ip}:${private}
|
|
|
|
|
- iptables -w -v -A FORWARD -i ${wan} -p tcp --syn -d ${ip} --dport ${private} -m conntrack --ctstate NEW --ctproto TCP -j ACCEPT
|
|
|
|
|
|
|
+ ${iptables} -A PREROUTING -t nat -i ${wan} -p tcp --dport ${public} -j DNAT --to ${ip}:${private}
|
|
|
|
|
+ ${iptables} -A FORWARD -i ${wan} -p tcp --syn -d ${ip} --dport ${private} -m conntrack --ctstate NEW --ctproto TCP -j ACCEPT
|
|
|
else
|
|
else
|
|
|
- iptables -w -v -A PREROUTING -t nat -i ${wan} -p tcp --dport ${public} -j DNAT --to ${ip}
|
|
|
|
|
- iptables -w -v -A FORWARD -i ${wan} -p tcp --syn -d ${ip} --dport ${public} -m conntrack --ctstate NEW --ctproto TCP -j ACCEPT
|
|
|
|
|
|
|
+ ${iptables} -A PREROUTING -t nat -i ${wan} -p tcp --dport ${public} -j DNAT --to ${ip}
|
|
|
|
|
+ ${iptables} -A FORWARD -i ${wan} -p tcp --syn -d ${ip} --dport ${public} -m conntrack --ctstate NEW --ctproto TCP -j ACCEPT
|
|
|
fi
|
|
fi
|
|
|
done < $confd/FORWARD.tcp
|
|
done < $confd/FORWARD.tcp
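Review bot: Every rewritten call drops `-w` along with `-v` (e.g. `${iptables} -P FORWARD DROP` replacing `iptables -w -v -P FORWARD DROP`), so an iptables invocation that collides with another xtables-lock holder (fail2ban, docker, a second run of this script) now fails instead of waiting, and with `set -euo pipefail` in force the script aborts at that rule and leaves a half-built ruleset live. Assuming main() calls set_defaults first, as its name suggests, the policies are already `DROP` at that point, so the failure is fail-closed but the box drops everything, including traffic from `${eth0}`, until the script is rerun. Keep the lock wait in the new default: `iptables=${IPTABLESCMD:-iptables -w}` (the unquoted `${iptables}` expansions already word-split, which looks intended so that `IPTABLESCMD` can carry flags). That line also deserves a note that the override is executed as root without any validation, e.g. `# IPTABLESCMD is run as root unvalidated - only honour it from a trusted environment (systemd unit, sudo with env_reset)`. Losing `-v` is probably fine since the `#!/bin/bash -x` shebang still traces each command.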
|
|
|
|
|
|
|
@@ -77,27 +80,27 @@ setup_forward() {
|
|
|
[[ "$public" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
|
|
[[ "$public" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
|
|
|
[[ "$private" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
|
|
[[ "$private" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
|
|
|
if [[ "$public" =~ ^[0-9]{1,}$ ]] ; then
|
|
if [[ "$public" =~ ^[0-9]{1,}$ ]] ; then
|
|
|
- iptables -w -v -A PREROUTING -t nat -i ${wan} -p udp --dport ${public} -j DNAT --to ${ip}:${private}
|
|
|
|
|
- iptables -w -v -A FORWARD -i ${wan} -p udp -d ${ip} --dport ${private} -m conntrack --ctstate NEW --ctproto UDP -j ACCEPT
|
|
|
|
|
|
|
+ ${iptables} -A PREROUTING -t nat -i ${wan} -p udp --dport ${public} -j DNAT --to ${ip}:${private}
|
|
|
|
|
+ ${iptables} -A FORWARD -i ${wan} -p udp -d ${ip} --dport ${private} -m conntrack --ctstate NEW --ctproto UDP -j ACCEPT
|
|
|
else
|
|
else
|
|
|
- iptables -w -v -A PREROUTING -t nat -i ${wan} -p udp --dport ${public} -j DNAT --to ${ip}
|
|
|
|
|
- iptables -w -v -A FORWARD -i ${wan} -p udp -d ${ip} --dport ${public} -m conntrack --ctstate NEW --ctproto UDP -j ACCEPT
|
|
|
|
|
|
|
+ ${iptables} -A PREROUTING -t nat -i ${wan} -p udp --dport ${public} -j DNAT --to ${ip}
|
|
|
|
|
+ ${iptables} -A FORWARD -i ${wan} -p udp -d ${ip} --dport ${public} -m conntrack --ctstate NEW --ctproto UDP -j ACCEPT
|
|
|
fi
|
|
fi
|
|
|
done < $confd/FORWARD.udp
|
|
done < $confd/FORWARD.udp
|
|
|
|
|
|
|
|
if $logforward ; then
|
|
if $logforward ; then
|
|
|
setup_fordroplog
|
|
setup_fordroplog
|
|
|
- iptables -w -v -A FORWARD -j FORWARD-LOG-DROP
|
|
|
|
|
|
|
+ ${iptables} -A FORWARD -j FORWARD-LOG-DROP
|
|
|
else
|
|
else
|
|
|
- iptables -w -v -A FORWARD -j DROP
|
|
|
|
|
|
|
+ ${iptables} -A FORWARD -j DROP
|
|
|
fi
|
|
fi
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
setup_base() {
|
|
setup_base() {
|
|
|
- iptables -w -v -A INPUT -i lo -j ACCEPT
|
|
|
|
|
- iptables -w -v -A INPUT -i ${eth0} -j ACCEPT
|
|
|
|
|
- iptables -w -v -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
|
|
|
- iptables -w -v -A INPUT -m conntrack --ctstate INVALID -j DROP
|
|
|
|
|
|
|
+ ${iptables} -A INPUT -i lo -j ACCEPT
|
|
|
|
|
+ ${iptables} -A INPUT -i ${eth0} -j ACCEPT
|
|
|
|
|
+ ${iptables} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
|
|
|
+ ${iptables} -A INPUT -m conntrack --ctstate INVALID -j DROP
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
setup_whitenets() {
|
|
setup_whitenets() {
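Review bot: The field validation at the top of the hunk, `[[ "$public" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]]` (and the identical test on `$private`), does not do what it looks like: `|` binds loosest in an ERE, so the pattern is `^[0-9]+` OR `[0-9]+:[0-9]+$`, and any value that merely starts with a digit passes. Because `private` is the last field of `read -r ip public private` it receives the remainder of the line, so a FORWARD.udp entry such as `10.0.0.5 53 53 -j ACCEPT` (or just a stray trailing token) survives the check and, expanded unquoted in `--to ${ip}:${private}`, turns into extra iptables arguments rather than being skipped; the files live under `/etc/e-router`, so this is a misconfiguration-becomes-unintended-rule path rather than a privilege boundary, but it defeats the purpose of the check. Anchor the alternation, `[[ "$public" =~ ^([0-9]+|[0-9]+:[0-9]+)$ ]] || continue` and likewise for `$private`, and quote the expansions (`--dport "${public}"`, `--to "${ip}:${private}"`). setup_forward opens before this hunk, and the same unanchored regexes appear in its TCP loop above.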
|
|
@@ -110,50 +113,50 @@ setup_whitenets() {
|
|
|
|
|
|
|
|
setup_badips() {
|
|
setup_badips() {
|
|
|
ipset create -! $banset hash:ip hashsize 4096 timeout $banttl maxelem $badmaxelems
|
|
ipset create -! $banset hash:ip hashsize 4096 timeout $banttl maxelem $badmaxelems
|
|
|
- iptables -w -v -A INPUT -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
|
- iptables -w -v -A INPUT -i ${wan} -p tcp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
|
|
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p tcp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
setup_scanips() {
|
|
setup_scanips() {
|
|
|
ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl maxelem $scanmaxelems
|
|
ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl maxelem $scanmaxelems
|
|
|
- iptables -w -v -A INPUT -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
|
- iptables -w -v -A INPUT -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
|
|
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
setup_white() {
|
|
setup_white() {
|
|
|
- iptables -w -v -N FW-FILTERED
|
|
|
|
|
|
|
+ ${iptables} -N FW-FILTERED
|
|
|
while read -r port ; do
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
- iptables -w -v -A FW-FILTERED -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
|
|
|
|
|
|
|
+ ${iptables} -A FW-FILTERED -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
|
|
|
done < $confd/WHITE.udp
|
|
done < $confd/WHITE.udp
|
|
|
while read -r port ; do
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
- iptables -w -v -A FW-FILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
|
|
|
|
|
+ ${iptables} -A FW-FILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
|
done < $confd/WHITE.tcp
|
|
done < $confd/WHITE.tcp
|
|
|
- iptables -w -v -A INPUT -i ${wan} -p udp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FW-FILTERED
|
|
|
|
|
- iptables -w -v -A INPUT -i ${wan} -p tcp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FW-FILTERED
|
|
|
|
|
- iptables -w -v -A INPUT -i ${wan} -p icmp --icmp-type 8 -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto ICMP -j ACCEPT
|
|
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FW-FILTERED
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p tcp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FW-FILTERED
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p icmp --icmp-type 8 -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto ICMP -j ACCEPT
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
setup_public() {
|
|
setup_public() {
|
|
|
- iptables -w -v -N FW-PUBLIC
|
|
|
|
|
|
|
+ ${iptables} -N FW-PUBLIC
|
|
|
while read -r port ; do
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
- iptables -w -v -A FW-PUBLIC -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
|
|
|
|
|
|
|
+ ${iptables} -A FW-PUBLIC -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
|
|
|
done < $confd/PUBLIC.udp
|
|
done < $confd/PUBLIC.udp
|
|
|
while read -r port ; do
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
- iptables -w -v -A FW-PUBLIC -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
|
|
|
|
|
+ ${iptables} -A FW-PUBLIC -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
|
done < $confd/PUBLIC.tcp
|
|
done < $confd/PUBLIC.tcp
|
|
|
- iptables -w -v -A INPUT -i ${wan} -p udp -m conntrack --ctstate NEW --ctproto UDP -j FW-PUBLIC
|
|
|
|
|
- iptables -w -v -A INPUT -i ${wan} -p tcp -m conntrack --ctstate NEW --ctproto TCP -j FW-PUBLIC
|
|
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p udp -m conntrack --ctstate NEW --ctproto UDP -j FW-PUBLIC
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p tcp -m conntrack --ctstate NEW --ctproto TCP -j FW-PUBLIC
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
setup_cast() {
|
|
setup_cast() {
|
|
|
- iptables -w -v -N FW-CAST
|
|
|
|
|
- iptables -w -v -A FW-CAST -m pkttype --pkt-type broadcast -j ACCEPT
|
|
|
|
|
- iptables -w -v -A FW-CAST -m pkttype --pkt-type multicast -j ACCEPT
|
|
|
|
|
- iptables -w -v -A INPUT -i ${wan} -j FW-CAST
|
|
|
|
|
|
|
+ ${iptables} -N FW-CAST
|
|
|
|
|
+ ${iptables} -A FW-CAST -m pkttype --pkt-type broadcast -j ACCEPT
|
|
|
|
|
+ ${iptables} -A FW-CAST -m pkttype --pkt-type multicast -j ACCEPT
|
|
|
|
|
+ ${iptables} -A INPUT -i ${wan} -j FW-CAST
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
main () {
|
|
main () {
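Review bot: `${iptables} -A INPUT -i ${wan} -j FW-CAST` at the end of setup_cast accepts every broadcast and multicast frame arriving on the WAN interface, for any protocol and port, independently of the FW-PUBLIC and FW-FILTERED port lists that gate unicast; any service bound to 0.0.0.0 that answers broadcast/multicast discovery traffic is therefore reachable from the WAN side regardless of PUBLIC.*/WHITE.*. Whether that is acceptable depends on the rule order in main(), which opens on the hunk's last line and continues outside it, and on what actually listens on the router. If it is deliberate, say so on the `${iptables} -N FW-CAST` line, e.g. `# FW-CAST: accepts ALL bcast/mcast from ${wan}, any proto/port - not subject to PUBLIC/WHITE lists`; if not, match the specific protocol and port each needed service uses instead of `-m pkttype` alone.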
|