Monitor broken packets;refactor

config

@@ -38,6 +38,9 @@ scanttl=172800
 
 ## DEBUG ##
 loginput=true
+logstrange=true
+logbroken=true
+loginvalid=true
 logforward=true
 logbad=true
 logscan=true
@@ -51,8 +54,6 @@ hooks=(
 base
 cast
 lan
-whitenets
-forward
 public
 badips
 white

e-router

@@ -4,34 +4,78 @@ set -euo pipefail
 confd=/etc/e-router
 source $confd/config
 
+_broken(){
+    ${iptables} -N BROKENLOGDROP
+    if $logbroken; then
+        ${iptables} -A BROKENLOGDROP -j LOG --log-prefix "BROKENLOGDROP TCP: " --log-level 7
+    fi
+    ${iptables} -A BROKENLOGDROP -j ENDRESET
+
+    ${iptables} -N STRANGELOG
+    if $logstrange; then
+        ${iptables} -A STRANGELOG -j LOG --log-prefix "STRANGELOG TCP: " --log-level 7
+    fi
+
+    ${iptables} -N DROP_TCP_SUSPICIOUS
+
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --sport 0:19                                                          -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --dport 0:19                                                          -j BROKENLOGDROP
+
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK             -m conntrack --cstate ESTABLISHED     -j RETURN
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK             -m conntrack --cstate NEW,RELATED     -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK         -m conntrack --cstate ESTABLISHED     -j RETURN
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK         -m conntrack --cstate NEW             -j RETURN
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK         -m conntrack --cstate RELATED         -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL NONE                                                  -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ALL                                                   -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags SYN,FIN SYN,FIN                                           -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags SYN,RST SYN,RST                                           -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags RST,FIN RST,FIN                                           -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags SYN,URG SYN,URG                                           -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN,PSH                                               -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK,PSH                                           -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ACK,FIN FIN                                               -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ACK,PSH PSH                                               -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ACK,URG URG                                               -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST             -m conntrack --cstate ESTABLISHED     -j RETURN
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST             -m conntrack --cstate NEW,RELATED     -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags SYN,ACK NONE                                              -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN             -m conntrack --cstate NEW             -j RETURN
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN             -m conntrack --cstate RELATED         -j RETURN
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN             -m conntrack --cstate ESTABLISHED     -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK         -m conntrack --cstate ESTABLISHED     -j RETURN
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK         -m conntrack --cstate NEW,RELATED     -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,ACK         -m conntrack --cstate ESTABLISHED     -j RETURN
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,ACK         -m conntrack --cstate NEW,RELATED     -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK         -m conntrack --cstate ESTABLISHED     -j RETURN
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK         -m conntrack --cstate NEW             -j RETURN
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK         -m conntrack --cstate RELATED         -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK,PSH,RST     -m conntrack --cstate ESTABLISHED     -j RETURN
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK,PSH,RST     -m conntrack --cstate NEW,RELATED     -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK     -m conntrack --cstate ESTABLISHED     -j RETURN
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK     -m conntrack --cstate NEW,RELATED     -j BROKENLOGDROP
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,PSH                                           -j STRANGELOG
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,URG                                           -j STRANGELOG
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,PSH,URG                                       -j STRANGELOG
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK,URG                                       -j STRANGELOG
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK,URG                                               -j STRANGELOG
+    ${iptables} -A DROP_TCP_SUSPICIOUS -p tcp --tcp-flags ALL ACK,URG,FIN                                           -j STRANGELOG
+}
+
 _droplog() {
-    ${iptables} -N ${1}-LOG-DROP
+    ${iptables} -N ${1}LOGDROP
     if $debugtcp; then
-        ${iptables} -A ${1}-LOG-DROP -p tcp  -j LOG --log-prefix "${1}-LOG-DROP TCP: " --log-level 7
+        ${iptables} -A ${1}LOGDROP -p tcp  -j LOG --log-prefix "${1}LOGDROP TCP: " --log-level 7
     fi
     if $debugudp; then
-        ${iptables} -A ${1}-LOG-DROP -p udp  -j LOG --log-prefix "${1}-LOG-DROP UDP: " --log-level 7
+        ${iptables} -A ${1}LOGDROP -p udp  -j LOG --log-prefix "${1}LOGDROP UDP: " --log-level 7
     fi
     if $debugicmp; then
-        ${iptables} -A ${1}-LOG-DROP -p icmp -j LOG --log-prefix "${1}-LOG-DROP ICMP: " --log-level 7
+        ${iptables} -A ${1}LOGDROP -p icmp -j LOG --log-prefix "${1}LOGDROP ICMP: " --log-level 7
     fi
 }
 
-base() {
-    /usr/lib/systemd/scripts/iptables-flush
-    ${iptables} -P INPUT DROP
-    ${iptables} -P FORWARD DROP
-    ${iptables} -P OUTPUT ACCEPT
-    ${iptables} -A INPUT -i lo -j ACCEPT
-    ${iptables} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-    ${iptables} -A INPUT -m conntrack --ctstate INVALID -j DROP
-    ${iptables} -N END-RESET
-    ${iptables} -A END-RESET -p tcp -j REJECT --reject-with tcp-reset
-    ${iptables} -A END-RESET -p udp -j REJECT --reject-with icmp-port-unreachable
-    ${iptables} -A END-RESET -j REJECT --reject-with icmp-proto-unreachable
-}
-
-forward() {
+_forward() {
     while read -r ip public private ; do
         [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] || continue
         [[ "$public" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
@@ -59,20 +103,22 @@ forward() {
     done < $confd/FORWARD.udp
 
     if $logforward ; then
-        _droplog "FORWARD"
-        ${iptables} -A FORWARD -j FORWARD-LOG-DROP
+        ${iptables} -A FORWARD -j FORWARDLOGDROP
     fi
-    ${iptables} -A FORWARD -j END-RESET
 }
 
-lan() {
-    ${iptables} -A INPUT -i ${eth0} -j ACCEPT
-    ${iptables} -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
-    ${iptables} -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-    ${iptables} -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
+_init(){
+    /usr/lib/systemd/scripts/iptables-flush
+    ${iptables} -P INPUT DROP
+    ${iptables} -P FORWARD DROP
+    ${iptables} -P OUTPUT ACCEPT
+    ${iptables} -N ENDRESET
+    ${iptables} -A ENDRESET -p tcp -j REJECT --reject-with tcp-reset
+    ${iptables} -A ENDRESET -p udp -j REJECT --reject-with icmp-port-unreachable
+    ${iptables} -A ENDRESET -j REJECT --reject-with icmp-proto-unreachable
 }
 
-whitenets() {
+_whitenets() {
     ipset create -! $whiteset hash:net hashsize 4096 timeout $whitettl maxelem $whitemaxelems
     while read -r net ; do
         [[ "$net" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}/[0-9]{1,}$ ]] || continue
@@ -80,75 +126,114 @@ whitenets() {
     done < $confd/WHITE.nets
 }
 
+base() {
+    _init
+    ${iptables} -A INPUT -i lo -j ACCEPT
+    if $logbroken; then
+        _broken
+        ${iptables} -A INPUT -i ${wan} -p tcp -j DROP_TCP_SUSPICIOUS
+    fi
+    ${iptables} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+    if $loginvalid; then
+        _droplog "INVALID"
+        ${iptables} -A INPUT -m conntrack --ctstate INVALID -j INVALIDLOGDROP
+    fi
+    ${iptables} -A INPUT -m conntrack --ctstate INVALID -j DROP
+}
+
+cast() {
+    ${iptables} -N FWCAST
+    if $logcast; then
+        ${iptables} -A FWCAST -m pkttype --pkt-type multicast -m conntrack --ctstate NEW  -j LOG --log-prefix "CASTLOG MULTI: " --log-level 7
+        ${iptables} -A FWCAST -m pkttype --pkt-type broadcast -m conntrack --ctstate NEW  -j LOG --log-prefix "CASTLOG BROAD: " --log-level 7
+    fi
+    ${iptables} -A FWCAST -m pkttype --pkt-type multicast -m conntrack --ctstate NEW -j ACCEPT
+    ${iptables} -A FWCAST -m pkttype --pkt-type broadcast -m conntrack --ctstate NEW -j ACCEPT
+    ${iptables} -A INPUT -i ${wan} -j FWCAST
+}
+
+lan() {
+    if $logforward ; then
+        _droplog "FORWARD"
+    fi
+    ${iptables} -A INPUT -i ${eth0} -j ACCEPT
+    ${iptables} -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
+    ${iptables} -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
+    if $logbroken; then
+        ${iptables} -A FORWARD -i ${wan} -p tcp -j DROP_TCP_SUSPICIOUS
+    fi
+    ${iptables} -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+    if $loginvalid; then
+        _droplog "FWDINVALID"
+        ${iptables} -A FORWARD -m conntrack --ctstate INVALID -j FWDINVALIDLOGDROP
+    fi
+    ${iptables} -A FORWARD -m conntrack --ctstate INVALID -j  DROP
+    _forward
+}
+
 badips() {
     ipset create -! $banset hash:ip hashsize 4096 timeout $banttl  maxelem $badmaxelems
     if $logbad ; then
         _droplog "BAD"
-        ${iptables} -A INPUT -i ${wan} -p udp       -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j BAD-LOG-DROP
-        ${iptables} -A INPUT -i ${wan} -p tcp --syn -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j BAD-LOG-DROP
+        ${iptables} -A FWBAD -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j BADLOGDROP
+        ${iptables} -A FWBAD -i ${wan} -p tcp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j BADLOGDROP
     fi
-    ${iptables} -A INPUT -i ${wan} -p udp       -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j END-RESET
-    ${iptables} -A INPUT -i ${wan} -p tcp --syn -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j END-RESET
+    ${iptables} -A FWBAD -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j ENDRESET
+    ${iptables} -A FWBAD -i ${wan} -p tcp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j ENDRESET
+    ${iptables} -A INPUT -j FWBAD
 }
 
 scanips() {
-    ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl maxelem $scanmaxelems
-    ${iptables} -A INPUT -i ${wan} -p udp       -m conntrack --ctstate NEW --ctproto UDP -j SET --add-set $scanset src --exist --timeout $scanttl
-    ${iptables} -A INPUT -i ${wan} -p tcp --syn -m conntrack --ctstate NEW --ctproto TCP -j SET --add-set $scanset src --exist --timeout $scanttl
+    ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl maxelem $scanmaxelems forceadd
+    ${iptables} -N FWSCAN
+    ${iptables} -A FWSCAN -i ${wan} -p udp -j SET --add-set $scanset src --exist --timeout $scanttl
+    ${iptables} -A FWSCAN -i ${wan} -p tcp -j SET --add-set $scanset src --exist --timeout $scanttl
     if $logscan ; then
         _droplog "SCAN"
-        ${iptables} -A INPUT -i ${wan} -p udp       -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j SCAN-LOG-DROP
-        ${iptables} -A INPUT -i ${wan} -p tcp --syn -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j SCAN-LOG-DROP
+        ${iptables} -A FWSCAN -i ${wan} -p udp -m set --match-set $scanset src -j SCANLOGDROP
+        ${iptables} -A FWSCAN -i ${wan} -p tcp -m set --match-set $scanset src -j SCANLOGDROP
     fi
-    ${iptables} -A INPUT -i ${wan} -p udp       -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j END-RESET
-    ${iptables} -A INPUT -i ${wan} -p tcp --syn -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j END-RESET
+    ${iptables} -A FWSCAN -i ${wan} -p udp -m set --match-set $scanset src -j ENDRESET
+    ${iptables} -A FWSCAN -i ${wan} -p tcp -m set --match-set $scanset src -j ENDRESET
+    ${iptables} -I BROKENLOGDROP -j FWSCAN
+    ${iptables} -A INPUT -j FWSCAN
 }
 
 white() {
-    ${iptables} -N FW-FILTERED
+    _whitenets
+    ${iptables} -N FWFILTERED
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        ${iptables} -A FW-FILTERED -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
+        ${iptables} -A FWFILTERED -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
     done < $confd/WHITE.udp
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        ${iptables} -A FW-FILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
+        ${iptables} -A FWFILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
     done < $confd/WHITE.tcp
-    ${iptables} -A INPUT -i ${wan} -p udp       -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FW-FILTERED
-    ${iptables} -A INPUT -i ${wan} -p tcp --syn -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FW-FILTERED
+    ${iptables} -A INPUT -i ${wan} -p udp       -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FWFILTERED
+    ${iptables} -A INPUT -i ${wan} -p tcp --syn -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FWFILTERED
 
     ${iptables} -A INPUT -i ${wan} -p icmp --icmp-type 8 -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto ICMP -j ACCEPT
 }
 
 public() {
-    ${iptables} -N FW-PUBLIC
+    ${iptables} -N FWPUBLIC
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        ${iptables} -A FW-PUBLIC -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
+        ${iptables} -A FWPUBLIC -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
     done < $confd/PUBLIC.udp
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        ${iptables} -A FW-PUBLIC -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
+        ${iptables} -A FWPUBLIC -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
     done < $confd/PUBLIC.tcp
-    ${iptables} -A INPUT -i ${wan} -p udp       -m conntrack --ctstate NEW --ctproto UDP -j FW-PUBLIC
-    ${iptables} -A INPUT -i ${wan} -p tcp --syn -m conntrack --ctstate NEW --ctproto TCP -j FW-PUBLIC
-}
-
-cast() {
-    ${iptables} -N FW-CAST
-    if $logcast; then
-        ${iptables} -A FW-CAST -m pkttype --pkt-type multicast -m conntrack --ctstate NEW  -j LOG --log-prefix "CAST-LOG MULTI: " --log-level 7
-        ${iptables} -A FW-CAST -m pkttype --pkt-type broadcast -m conntrack --ctstate NEW  -j LOG --log-prefix "CAST-LOG BROAD: " --log-level 7
-    fi
-    ${iptables} -A FW-CAST -m pkttype --pkt-type multicast -m conntrack --ctstate NEW -j ACCEPT
-    ${iptables} -A FW-CAST -m pkttype --pkt-type broadcast -m conntrack --ctstate NEW -j ACCEPT
-    ${iptables} -A INPUT -i ${wan} -j FW-CAST
+    ${iptables} -A INPUT -i ${wan} -p udp       -m conntrack --ctstate NEW --ctproto UDP -j FWPUBLIC
+    ${iptables} -A INPUT -i ${wan} -p tcp --syn -m conntrack --ctstate NEW --ctproto TCP -j FWPUBLIC
 }
 
 final(){
     if $loginput; then
         _droplog "FINAL"
-        ${iptables} -A INPUT -j FINAL-LOG-DROP
+        ${iptables} -A INPUT -j FINALLOGDROP
     fi
 }