|
|
@@ -1,8 +1,8 @@
|
|
|
#!/bin/bash -x
|
|
|
((EUID == 0 )) || { echo "Need root"; exit 1; }
|
|
|
set -euo pipefail
|
|
|
-CONFD=/etc/e-router
|
|
|
-source $CONFD/config
|
|
|
+confd=/etc/e-router
|
|
|
+source $confd/config
|
|
|
|
|
|
set_defaults() {
|
|
|
/usr/lib/systemd/scripts/iptables-flush
|
|
|
@@ -79,48 +79,48 @@ setup_whitenets() {
|
|
|
while read -r net ; do
|
|
|
[[ "$net" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}/[0-9]{1,}$ ]] || continue
|
|
|
ipset -! add $whiteset $net timeout 0
|
|
|
- done < $CONFD/WHITE.nets
|
|
|
+ done < $confd/WHITE.nets
|
|
|
}
|
|
|
|
|
|
setup_badips() {
|
|
|
ipset create -! $banset hash:ip hashsize 4096 timeout $banttl
|
|
|
- iptables -A INPUT -i ${wan} -m set --match-set $banset src -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
|
- iptables -A INPUT -i ${wan} -m set --match-set $banset src -p tcp -j REJECT --reject-with tcp-reset
|
|
|
+ iptables -A INPUT -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
|
|
|
+ iptables -A INPUT -i ${wan} -p tcp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
|
|
|
}
|
|
|
|
|
|
setup_scanips() {
|
|
|
ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl
|
|
|
- iptables -A INPUT -i ${wan} -m set --match-set $scanset src -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
|
- iptables -A INPUT -i ${wan} -m set --match-set $scanset src -p tcp -j REJECT --reject-with tcp-reset
|
|
|
+ iptables -A INPUT -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
|
|
|
+ iptables -A INPUT -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
|
|
|
}
|
|
|
|
|
|
setup_white() {
|
|
|
iptables -N FW-FILTERED
|
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
- iptables -A FW-FILTERED -m udp -p udp --dport $port -j ACCEPT
|
|
|
- done < $CONFD/WHITE.udp
|
|
|
+ iptables -A FW-FILTERED -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
|
|
|
+ done < $confd/WHITE.udp
|
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
- iptables -A FW-FILTERED -m tcp -p tcp --dport $port -j ACCEPT
|
|
|
- done < $CONFD/WHITE.tcp
|
|
|
- iptables -A INPUT -p udp -i ${wan} -m set --match-set $whiteset src -m conntrack --ctstate NEW -j FW-FILTERED
|
|
|
- iptables -A INPUT -p tcp --syn -i ${wan} -m set --match-set $whiteset src -m conntrack --ctstate NEW -j FW-FILTERED
|
|
|
- iptables -A INPUT -i ${wan} -p icmp --icmp-type 8 -m conntrack --ctstate NEW -m set --match-set $whiteset src -j ACCEPT
|
|
|
+ iptables -A FW-FILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
|
+ done < $confd/WHITE.tcp
|
|
|
+ iptables -A INPUT -i ${wan} -p udp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FW-FILTERED
|
|
|
+ iptables -A INPUT -i ${wan} -p tcp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FW-FILTERED
|
|
|
+ iptables -A INPUT -i ${wan} -p icmp --icmp-type 8 -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto ICMP -j ACCEPT
|
|
|
}
|
|
|
|
|
|
setup_open() {
|
|
|
iptables -N FW-OPEN
|
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
- iptables -A FW-OPEN -m udp -p udp --dport $port -j ACCEPT
|
|
|
- done < $CONFD/ACCEPT.udp
|
|
|
+ iptables -A FW-OPEN -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
|
|
|
+ done < $confd/ACCEPT.udp
|
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
- iptables -A FW-OPEN -m tcp -p tcp --dport $port -j ACCEPT
|
|
|
- done < $CONFD/ACCEPT.tcp
|
|
|
- iptables -A INPUT -p udp -i ${wan} -m conntrack --ctstate NEW -j FW-OPEN
|
|
|
- iptables -A INPUT -p tcp --syn -i ${wan} -m conntrack --ctstate NEW -j FW-OPEN
|
|
|
+ iptables -A FW-OPEN -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
|
+ done < $confd/ACCEPT.tcp
|
|
|
+ iptables -A INPUT -i ${wan} -p udp -m conntrack --ctstate NEW --ctproto UDP -j FW-OPEN
|
|
|
+ iptables -A INPUT -i ${wan} -p tcp -m conntrack --ctstate NEW --ctproto TCP -j FW-OPEN
|
|
|
}
|
|
|
|
|
|
setup_cast() {
|
|
|
@@ -131,17 +131,11 @@ setup_cast() {
|
|
|
}
|
|
|
|
|
|
main () {
|
|
|
- set_defaults
|
|
|
- setup_whitenets
|
|
|
- setup_nat
|
|
|
- setup_forward
|
|
|
- setup_base
|
|
|
- setup_badips
|
|
|
- setup_white
|
|
|
- setup_open
|
|
|
- setup_scanips
|
|
|
- setup_cast
|
|
|
- setup_final
|
|
|
+ defaultHooks="set_defaults setup_whitenets setup_nat setup_forward setup_base setup_badips setup_white setup_open setup_scanips setup_cast setup_final"
|
|
|
+ hookarray=(${hooks:-$defaultHooks})
|
|
|
+ for hook in "${hookarray[@]}" ; do
|
|
|
+ $hook
|
|
|
+ done
|
|
|
}
|
|
|
|
|
|
main
|
Edvinas Valatka