|
@@ -185,10 +185,10 @@ badips() {
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
scanips() {
|
|
scanips() {
|
|
|
- ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl maxelem $scanmaxelems forceadd
|
|
|
|
|
|
|
+ ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl maxelem $scanmaxelems forceadd counters
|
|
|
${iptables} -N FWSCAN
|
|
${iptables} -N FWSCAN
|
|
|
${iptables} -A FWSCAN -i ${wan} -p udp -j SET --add-set $scanset src --exist --timeout $scanttl
|
|
${iptables} -A FWSCAN -i ${wan} -p udp -j SET --add-set $scanset src --exist --timeout $scanttl
|
|
|
- ${iptables} -A FWSCAN -i ${wan} -p tcp -j SET --add-set $scanset src --exist --timeout $scanttl
|
|
|
|
|
|
|
+ ${iptables} -A FWSCAN -i ${wan} -p tcp -m set ! --match-set $scanset src -j SET --add-set $scanset src --exist --timeout $scanttl
|
|
|
if $logscan ; then
|
|
if $logscan ; then
|
|
|
_droplog "SCAN"
|
|
_droplog "SCAN"
|
|
|
${iptables} -A FWSCAN -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j SCANLOGDROP
|
|
${iptables} -A FWSCAN -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j SCANLOGDROP
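Review bot: The `counters` option added to the `ipset create -! $scanset ...` line will not take effect on a host where `$scanset` already exists without it (a previous run, or a reload that does not destroy the set first), because `-!` only suppresses the error when the existing set has exactly the same specification; whether the resulting create failure aborts the script depends on `set -e` handling outside this hunk, and nothing in the hunk checks the result. Either destroy/flush the set before the create or verify the live specification, e.g. `ipset list -t "$scanset" | grep -q counters || { echo "$scanset exists without counters" >&2; exit 1; }`, so the rest of scanips does not silently run against a set with the old options. The tcp rule now only adds an address on first sight (`-m set ! --match-set $scanset src`), so its entry expires `$scanttl` after first contact, while the udp rule above it still refreshes the timeout on every packet with `--exist --timeout`; if the expiry semantics are meant to be the same for both protocols, the udp line needs the same guard. As a style point, the set name and numeric knobs are expanded unquoted on every changed line (`"$scanset"`, `"$scanttl"`, `"$scanmaxelems"`) while `${iptables}` and `${wan}` use braces; quoting them would keep a malformed config value from being split into extra arguments to ipset/iptables. scanips continues past the end of the hunk.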
|