9 Коммиты 3969c133b9 ... 4de61c1bc0

Автор SHA1 Сообщение Дата
  Edvinas Valatka 4de61c1bc0 Merge branch 'feat-orderhooks' into devel 9 лет назад
  Edvinas Valatka 2b09b3db69 Improve sample config 9 лет назад
  Edvinas Valatka 8e115012da Variables must be lowercase 9 лет назад
  Edvinas Valatka 76e5a8394f Fix loop syntax 9 лет назад
  Edvinas Valatka 66cb1273c4 wip 9 лет назад
  Edvinas Valatka 33963babcc Add proto to rules 9 лет назад
  Edvinas Valatka 21fa420f7e Move to conntrack module 9 лет назад
  Edvinas Valatka 20f9b3b7b7 Reject only NEW state 9 лет назад
  Edvinas Valatka b7494f8da4 refactor names 9 лет назад
4 измененных файлов с 31 добавлено и 33 удалено
  1. 4 0
      config
  2. 1 1
      e-badips
  3. 1 1
      e-pullasn
  4. 25 31
      e-router

+ 4 - 0
config

@@ -34,3 +34,7 @@ logforward=true
 debugtcp=true
 debugudp=true
 debugicmp=true
+
+
+## default hook order ##
+# hooks="set_defaults setup_whitenets setup_nat setup_forward setup_base setup_badips setup_white setup_open setup_scanips setup_cast setup_final"

+ 1 - 1
e-badips

@@ -9,5 +9,5 @@ trap "/bin/rm -f ${tmp}" EXIT SIGHUP SIGINT SIGTERM
 
 curl -f -s -S -m 60 -o $tmp "https://www.badips.com/get/list/${banservice}/${banlevel}?age=${rangecheck}"
 while read -r ip ; do
-    ipset -! add ${banset} ${ip} timeout $bantime
+    ipset -! add ${banset} ${ip} timeout $banttl
 done < $tmp
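Review bot: Every line of the downloaded list is handed to ipset unchecked at `ipset -! add ${banset} ${ip} timeout $banttl`, and the rename from `$bantime` to `$banttl` leaves that as it was; a blank, truncated or otherwise malformed line from the remote service becomes an ipset argument. The whitelist loader in e-router already guards its loop with a regex, so mirroring it here as the loop's first statement, `[[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || continue`, keeps the two consistent. Whether a failed `curl -f` stops the script before the loop runs over an empty `$tmp` depends on `set -e`, which is set outside this hunk if at all, so that is worth confirming as well.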

+ 1 - 1
e-pullasn

@@ -13,5 +13,5 @@ while read -r asn ; do
 done < $CONFD/WHITE.asn
 
 grep -Eo "([0-9.]+){4}/[0-9]+" $tmp | while read -r net ; do
-    ipset -! add  $whiteset $net timeout $routettl
+    ipset -! add  $whiteset $net timeout $whitettl
 done
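Review bot: The extraction pattern `([0-9.]+){4}/[0-9]+` on the `grep -Eo` line does not actually require four dotted octets: `[0-9.]+` repeated four times is equivalent to `[0-9.]+`, so any run of at least four digits or dots followed by `/digits` (for example `1111/24` or `1.2/8`) is accepted and passed straight to `ipset -! add  $whiteset $net timeout $whitettl`. Tightening it to `grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}' $tmp` restricts the whitelist entries to IPv4 CIDR shapes, which is what the timeout rename assumes they are. The `while read -r asn` loop that precedes this pipeline starts outside the hunk.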

+ 25 - 31
e-router

@@ -1,8 +1,8 @@
 #!/bin/bash -x
 ((EUID == 0 )) || { echo "Need root"; exit 1; }
 set -euo pipefail
-CONFD=/etc/e-router
-source $CONFD/config
+confd=/etc/e-router
+source $confd/config
 
 set_defaults() {
     /usr/lib/systemd/scripts/iptables-flush
@@ -79,48 +79,48 @@ setup_whitenets() {
     while read -r net ; do
         [[ "$net" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}/[0-9]{1,}$ ]] || continue
         ipset -! add  $whiteset $net timeout 0
-    done < $CONFD/WHITE.nets
+    done < $confd/WHITE.nets
 }
 
 setup_badips() {
     ipset create -! $banset hash:ip hashsize 4096 timeout $banttl
-    iptables -A INPUT -i ${wan} -m set --match-set $banset src -p udp -j REJECT --reject-with icmp-port-unreachable
-    iptables -A INPUT -i ${wan} -m set --match-set $banset src -p tcp -j REJECT --reject-with tcp-reset
+    iptables -A INPUT -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
+    iptables -A INPUT -i ${wan} -p tcp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
 }
 
 setup_scanips() {
     ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl
-    iptables -A INPUT -i ${wan} -m set --match-set $scanset src -p udp -j REJECT --reject-with icmp-port-unreachable
-    iptables -A INPUT -i ${wan} -m set --match-set $scanset src -p tcp -j REJECT --reject-with tcp-reset
+    iptables -A INPUT -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
+    iptables -A INPUT -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
 }
 
 setup_white() {
     iptables -N FW-FILTERED
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A FW-FILTERED -m udp -p udp --dport $port -j ACCEPT
-    done < $CONFD/WHITE.udp
+        iptables -A FW-FILTERED -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
+    done < $confd/WHITE.udp
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A FW-FILTERED -m tcp -p tcp --dport $port -j ACCEPT
-    done < $CONFD/WHITE.tcp
-    iptables -A INPUT -p udp -i ${wan} -m set --match-set $whiteset src -m conntrack --ctstate NEW -j FW-FILTERED
-    iptables -A INPUT -p tcp --syn -i ${wan} -m set --match-set $whiteset src -m conntrack --ctstate NEW -j FW-FILTERED
-    iptables -A INPUT -i ${wan} -p icmp --icmp-type 8 -m conntrack --ctstate NEW -m set --match-set $whiteset src  -j ACCEPT
+        iptables -A FW-FILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
+    done < $confd/WHITE.tcp
+    iptables -A INPUT -i ${wan} -p udp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FW-FILTERED
+    iptables -A INPUT -i ${wan} -p tcp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FW-FILTERED
+    iptables -A INPUT -i ${wan} -p icmp --icmp-type 8 -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto ICMP -j ACCEPT
 }
 
 setup_open() {
     iptables -N FW-OPEN
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A FW-OPEN -m udp -p udp --dport $port -j ACCEPT
-    done < $CONFD/ACCEPT.udp
+        iptables -A FW-OPEN -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
+    done < $confd/ACCEPT.udp
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A FW-OPEN -m tcp -p tcp --dport $port -j ACCEPT
-    done < $CONFD/ACCEPT.tcp
-    iptables -A INPUT -p udp -i ${wan} -m conntrack --ctstate NEW -j FW-OPEN
-    iptables -A INPUT -p tcp --syn -i ${wan} -m conntrack --ctstate NEW -j FW-OPEN
+        iptables -A FW-OPEN -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
+    done < $confd/ACCEPT.tcp
+    iptables -A INPUT -i ${wan} -p udp -m conntrack --ctstate NEW --ctproto UDP -j FW-OPEN
+    iptables -A INPUT -i ${wan} -p tcp -m conntrack --ctstate NEW --ctproto TCP -j FW-OPEN
 }
 
 setup_cast() {
@@ -131,17 +131,11 @@ setup_cast() {
 }
 
 main () {
-    set_defaults
-    setup_whitenets
-    setup_nat
-    setup_forward
-    setup_base
-    setup_badips
-    setup_white
-    setup_open
-    setup_scanips
-    setup_cast
-    setup_final
+   defaultHooks="set_defaults setup_whitenets setup_nat setup_forward setup_base setup_badips setup_white setup_open setup_scanips setup_cast setup_final"
+    hookarray=(${hooks:-$defaultHooks})
+    for hook in "${hookarray[@]}" ; do
+        $hook
+    done
 }
 
 main
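Review bot: In the `main` hunk at the end of this section `$hook` is executed without checking that it names a function, so a typo in the config's `hooks` list (which the new sample config now invites editing) aborts the run part-way under `set -e` and leaves the ruleset in whatever state the hooks that already ran produced; `hookarray=(${hooks:-$defaultHooks})` also lets the unquoted expansion glob against the current directory, so a stray `*` would be replaced by file names. Resolving every hook with `declare -F` before running any of them, and splitting the list with `read -a` instead of a bare expansion, closes both gaps. `defaultHooks` also goes against the "Variables must be lowercase" convention adopted two commits earlier, and its line is indented three spaces where the rest of the body uses four. In the setup_badips and setup_scanips hunks, `--ctproto UDP`/`--ctproto TCP` appears to restate what `-p udp`/`-p tcp` already pins on the same rule, so it could likely be dropped without changing which packets are selected.
```shell
main () {
    local default_hooks="set_defaults setup_whitenets setup_nat setup_forward setup_base setup_badips setup_white setup_open setup_scanips setup_cast setup_final"
    local hook hookarray
    # hooks is a space-separated list from the sourced config; split on IFS without globbing
    read -r -a hookarray <<< "${hooks:-$default_hooks}"
    # refuse to touch the ruleset unless every listed hook is a function in this script
    for hook in "${hookarray[@]}" ; do
        declare -F "$hook" >/dev/null || { echo "Unknown hook: $hook" >&2; exit 1; }
    done
    for hook in "${hookarray[@]}" ; do
        "$hook"
    done
}
```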