2 Commity 013b5a5693 ... 3969c133b9

Autor SHA1 Wiadomość Data
  Edvinas Valatka 3969c133b9 [e-router] Feat: scanips, debug levels, refactor names 9 lat temu
  Edvinas Valatka 7576f33f7b [e-badips] Show curl error if any 9 lat temu
3 zmienionych plików z 51 dodań i 22 usunięć
  1. 14 4
      config
  2. 1 1
      e-badips
  3. 36 17
      e-router

+ 14 - 4
config

@@ -10,7 +10,7 @@ banset=badips
 # 0 - 5 , 0 will ban max
 banlevel=0
 # ban time in seconds,  1 week =  604800,  1 day = 86400
-bantime=604800
+banttl=604800
 # h,d,w,m,y
 rangecheck=1h
 # ssh,http... or any
@@ -19,8 +19,18 @@ banservice=any
 ## whitenets ##
 #ipset name
 whiteset=goodips
-# route ttl
-routettl=172800
+# default ttl
+whitettl=172800
+
+## scannets ##
+#ipset name
+scanset=scanips
+# default ttl
+scanttl=172800
 
 ## DEBUG ##
-debug=true
+loginput=true
+logforward=true
+debugtcp=true
+debugudp=true
+debugicmp=true

+ 1 - 1
e-badips

@@ -7,7 +7,7 @@ source $CONFD/config
 tmp=$(mktemp)
 trap "/bin/rm -f ${tmp}" EXIT SIGHUP SIGINT SIGTERM
 
-curl -f -s -m 60 -o $tmp "https://www.badips.com/get/list/${banservice}/${banlevel}?age=${rangecheck}"
+curl -f -s -S -m 60 -o $tmp "https://www.badips.com/get/list/${banservice}/${banlevel}?age=${rangecheck}"
 while read -r ip ; do
     ipset -! add ${banset} ${ip} timeout $bantime
 done < $tmp
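Review bot: The `timeout $bantime` argument on the `ipset -! add` context line still reads the config key that this same commit renames to `banttl` in config (`-bantime=604800` / `+banttl=604800`), so after the change the variable expands to nothing and every add gets a malformed `timeout` argument (or the script aborts on an unbound variable if it runs under `set -u`, which is outside the hunk); it should read `ipset -! add "${banset}" "${ip}" timeout "${banttl}"`. Adding `-S` makes a curl failure visible on stderr, but whether the script stops on it depends on `set -e` in lines not shown here; an explicit `|| exit 1` after the curl would keep an empty or partial download from silently producing no bans. The downloaded list is also fed to ipset line by line without any check that a line is an address; a per-line IPv4 test like the regex in e-router's setup_whitenets would reject anything unexpected before it reaches ipset. The script continues outside this hunk.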

+ 36 - 17
e-router

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -x
 ((EUID == 0 )) || { echo "Need root"; exit 1; }
 set -euo pipefail
 CONFD=/etc/e-router
@@ -12,7 +12,7 @@ set_defaults() {
 }
 
 setup_final(){
-    if $debug ; then
+    if $loginput ; then
         setup_wandroplog
         iptables -A INPUT -j WAN-LOG-DROP
     else
@@ -22,22 +22,34 @@ setup_final(){
 
 setup_wandroplog() {
     iptables -N WAN-LOG-DROP
-    iptables -A WAN-LOG-DROP -p tcp  -j LOG --log-prefix  "WAN-LOG-DROP TCP: " --log-level 7
-    iptables -A WAN-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
-    iptables -A WAN-LOG-DROP -p udp  -j LOG --log-prefix  "WAN-LOG-DROP UDP: " --log-level 7
-    iptables -A WAN-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
-    iptables -A WAN-LOG-DROP -p icmp -j LOG --log-prefix  "WAN-LOG-DROP ICMP: " --log-level 7
-    iptables -A WAN-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
+    if $debugtcp; then
+        iptables -A WAN-LOG-DROP -p tcp  -j LOG --log-prefix  "WAN-LOG-DROP TCP: " --log-level 7
+        iptables -A WAN-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
+    fi
+    if $debugudp; then
+        iptables -A WAN-LOG-DROP -p udp  -j LOG --log-prefix  "WAN-LOG-DROP UDP: " --log-level 7
+        iptables -A WAN-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
+    fi
+    if $debugicmp; then
+        iptables -A WAN-LOG-DROP -p icmp -j LOG --log-prefix  "WAN-LOG-DROP ICMP: " --log-level 7
+        iptables -A WAN-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
+    fi
 }
 
 setup_fordroplog() {
     iptables -N FORWARD-LOG-DROP
-    iptables -A FORWARD-LOG-DROP -p tcp  -j LOG --log-prefix "FORWARD-LOG-DROP TCP: " --log-level 7
-    iptables -A FORWARD-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
-    iptables -A FORWARD-LOG-DROP -p udp  -j LOG --log-prefix "FORWARD-LOG-DROP UDP: " --log-level 7
-    iptables -A FORWARD-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
-    iptables -A FORWARD-LOG-DROP -p icmp -j LOG --log-prefix "FORWARD-LOG-DROP ICMP: " --log-level 7
-    iptables -A FORWARD-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
+    if $debugtcp; then
+        iptables -A FORWARD-LOG-DROP -p tcp  -j LOG --log-prefix "FORWARD-LOG-DROP TCP: " --log-level 7
+        iptables -A FORWARD-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
+    fi
+    if $debugudp; then
+        iptables -A FORWARD-LOG-DROP -p udp  -j LOG --log-prefix "FORWARD-LOG-DROP UDP: " --log-level 7
+        iptables -A FORWARD-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
+    fi
+    if $debugicmp; then
+        iptables -A FORWARD-LOG-DROP -p icmp -j LOG --log-prefix "FORWARD-LOG-DROP ICMP: " --log-level 7
+        iptables -A FORWARD-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
+    fi
 }
 
 setup_nat() {
@@ -47,7 +59,7 @@ setup_nat() {
 setup_forward() {
     iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     iptables -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
-    if $debug ; then
+    if $logforward ; then
         setup_fordroplog
         iptables -A FORWARD -j FORWARD-LOG-DROP
     else
@@ -63,7 +75,7 @@ setup_base() {
 }
 
 setup_whitenets() {
-    ipset create -! $whiteset hash:net hashsize 4096 timeout $routettl
+    ipset create -! $whiteset hash:net hashsize 4096 timeout $whitettl
     while read -r net ; do
         [[ "$net" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}/[0-9]{1,}$ ]] || continue
         ipset -! add  $whiteset $net timeout 0
@@ -71,11 +83,17 @@ setup_whitenets() {
 }
 
 setup_badips() {
-    ipset create -! $banset hash:ip hashsize 4096 timeout $bantime
+    ipset create -! $banset hash:ip hashsize 4096 timeout $banttl
     iptables -A INPUT -i ${wan} -m set --match-set $banset src -p udp -j REJECT --reject-with icmp-port-unreachable
     iptables -A INPUT -i ${wan} -m set --match-set $banset src -p tcp -j REJECT --reject-with tcp-reset
 }
 
+setup_scanips() {
+    ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl
+    iptables -A INPUT -i ${wan} -m set --match-set $scanset src -p udp -j REJECT --reject-with icmp-port-unreachable
+    iptables -A INPUT -i ${wan} -m set --match-set $scanset src -p tcp -j REJECT --reject-with tcp-reset
+}
+
 setup_white() {
     iptables -N FW-FILTERED
     while read -r port ; do
@@ -121,6 +139,7 @@ main () {
     setup_badips
     setup_white
     setup_open
+    setup_scanips
     setup_cast
     setup_final
 }
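Review bot: In setup_wandroplog (the `if $debugtcp` / `$debugudp` / `$debugicmp` blocks) and identically in setup_fordroplog, the REJECT rules now sit inside the same conditionals as the LOG rules, so switching a debug flag off also removes the reject for that protocol, and with `debugicmp=false` the chain loses its catch-all `REJECT --reject-with icmp-proto-unreachable`; packets then return from WAN-LOG-DROP to INPUT with no verdict and fall through to whatever follows the `-j WAN-LOG-DROP` jump, which is not visible here. Only the LOG rules should depend on the debug flags; the three REJECTs should stay unconditional as they were before this change. Testing a config value with `if $debugtcp; then` also executes it as a command, so `if [[ "$debugtcp" == true ]]; then` is the safer form for all five new flags. Separately, main now calls `setup_scanips` after `setup_white` and `setup_open`, so if those functions append ACCEPT rules to INPUT the scanips REJECTs are never reached for traffic to those ports; calling it right after `setup_badips` keeps the two ban sets equivalent. The `-x` added to the shebang traces every iptables/ipset call to stderr on each run and is ignored when the script is started as `bash e-router`; a `set -x` gated on a config flag after the config is sourced would be more predictable.
```shell
setup_wandroplog() {
    iptables -N WAN-LOG-DROP
    # Logging is optional; the rejects are the chain's verdict and must not depend on debug flags.
    if [[ "$debugtcp" == true ]]; then
        iptables -A WAN-LOG-DROP -p tcp  -j LOG --log-prefix  "WAN-LOG-DROP TCP: " --log-level 7
    fi
    iptables -A WAN-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
    if [[ "$debugudp" == true ]]; then
        iptables -A WAN-LOG-DROP -p udp  -j LOG --log-prefix  "WAN-LOG-DROP UDP: " --log-level 7
    fi
    iptables -A WAN-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
    if [[ "$debugicmp" == true ]]; then
        iptables -A WAN-LOG-DROP -p icmp -j LOG --log-prefix  "WAN-LOG-DROP ICMP: " --log-level 7
    fi
    iptables -A WAN-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
}
# … unchanged: setup_fordroplog gets the same treatment for FORWARD-LOG-DROP …
```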