|
|
@@ -4,136 +4,254 @@ set -euo pipefail
|
|
|
confd=/etc/e-router
|
|
|
source $confd/config
|
|
|
|
|
|
-set_defaults() {
|
|
|
- /usr/lib/systemd/scripts/iptables-flush
|
|
|
- iptables -P FORWARD DROP
|
|
|
- iptables -P OUTPUT ACCEPT
|
|
|
- iptables -P INPUT DROP
|
|
|
-}
|
|
|
-
|
|
|
-setup_final(){
|
|
|
- if $loginput ; then
|
|
|
- setup_wandroplog
|
|
|
- iptables -A INPUT -j WAN-LOG-DROP
|
|
|
- else
|
|
|
- iptables -A INPUT -j DROP
|
|
|
+_broken(){
|
|
|
+ ${iptables} -N FWSCAN
|
|
|
+ ${iptables} -N BROKENLOGDROP
|
|
|
+ if $logbroken; then
|
|
|
+ ${iptables} -A BROKENLOGDROP -j LOG --log-prefix "BROKENLOGDROP TCP: " --log-level 7
|
|
|
fi
|
|
|
-}
|
|
|
+ ${iptables} -A BROKENLOGDROP -i ${wan} -j FWSCAN
|
|
|
+ ${iptables} -A BROKENLOGDROP -j DROP
|
|
|
|
|
|
-setup_wandroplog() {
|
|
|
- iptables -N WAN-LOG-DROP
|
|
|
- if $debugtcp; then
|
|
|
- iptables -A WAN-LOG-DROP -p tcp -j LOG --log-prefix "WAN-LOG-DROP TCP: " --log-level 7
|
|
|
- iptables -A WAN-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
|
|
|
- fi
|
|
|
- if $debugudp; then
|
|
|
- iptables -A WAN-LOG-DROP -p udp -j LOG --log-prefix "WAN-LOG-DROP UDP: " --log-level 7
|
|
|
- iptables -A WAN-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
|
+ ${iptables} -N BROKENLOGRST
|
|
|
+ if $logbroken; then
|
|
|
+ ${iptables} -A BROKENLOGRST -j LOG --log-prefix "BROKENLOGRST TCP: " --log-level 7
|
|
|
fi
|
|
|
- if $debugicmp; then
|
|
|
- iptables -A WAN-LOG-DROP -p icmp -j LOG --log-prefix "WAN-LOG-DROP ICMP: " --log-level 7
|
|
|
- iptables -A WAN-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
|
|
|
+ ${iptables} -A BROKENLOGRST -i ${wan} -j FWSCAN
|
|
|
+ ${iptables} -A BROKENLOGRST -j ENDRESET
|
|
|
+
|
|
|
+ ${iptables} -N STRANGELOG
|
|
|
+ if $logstrange; then
|
|
|
+ ${iptables} -A STRANGELOG -j LOG --log-prefix "STRANGELOG TCP: " --log-level 7
|
|
|
fi
|
|
|
+
|
|
|
+ ${iptables} -N FWSUSPICIOUS
|
|
|
+
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --sport 0:19 -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --dport 0:19 -j BROKENLOGRST
|
|
|
+
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL ACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL ACK -m conntrack --ctstate NEW,RELATED -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK -m conntrack --ctstate NEW -j RETURN
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL PSH,ACK -m conntrack --ctstate RELATED -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL NONE -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL ALL -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,FIN SYN,FIN -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,RST SYN,RST -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags RST,FIN RST,FIN -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,URG SYN,URG -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN,PSH -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK,PSH -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ACK,FIN FIN -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ACK,PSH PSH -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ACK,URG URG -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST -m conntrack --ctstate INVALID -j BROKENLOGDROP
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,ACK NONE -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN -m conntrack --ctstate NEW -j RETURN
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN -m conntrack --ctstate RELATED -j ACCEPT
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN -m conntrack --ctstate ESTABLISHED -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK -m conntrack --ctstate NEW,RELATED -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL SYN,ACK -m conntrack --ctstate INVALID -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL FIN,ACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL FIN,ACK -m conntrack --ctstate NEW,RELATED -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL FIN,ACK -m conntrack --ctstate INVALID -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST,ACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST,ACK -m conntrack --ctstate NEW -j RETURN
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST,ACK -m conntrack --ctstate RELATED -j BROKENLOGDROP
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL ACK,PSH,RST -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL ACK,PSH,RST -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK -m conntrack --ctstate NEW,RELATED -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK -m conntrack --ctstate INVALID -j BROKENLOGRST
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,PSH -j STRANGELOG
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,URG -j STRANGELOG
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL RST,ACK,PSH,URG -j STRANGELOG
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL FIN,PSH,ACK,URG -j STRANGELOG
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL ACK,URG -j STRANGELOG
|
|
|
+ ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL ACK,URG,FIN -j STRANGELOG
|
|
|
}
|
|
|
|
|
|
-setup_fordroplog() {
|
|
|
- iptables -N FORWARD-LOG-DROP
|
|
|
+_droplog() {
|
|
|
+ ${iptables} -N ${1}LOGDROP
|
|
|
if $debugtcp; then
|
|
|
- iptables -A FORWARD-LOG-DROP -p tcp -j LOG --log-prefix "FORWARD-LOG-DROP TCP: " --log-level 7
|
|
|
- iptables -A FORWARD-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
|
|
|
+ ${iptables} -A ${1}LOGDROP -p tcp -j LOG --log-prefix "${1}LOGDROP TCP: " --log-level 7
|
|
|
fi
|
|
|
if $debugudp; then
|
|
|
- iptables -A FORWARD-LOG-DROP -p udp -j LOG --log-prefix "FORWARD-LOG-DROP UDP: " --log-level 7
|
|
|
- iptables -A FORWARD-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
|
+ ${iptables} -A ${1}LOGDROP -p udp -j LOG --log-prefix "${1}LOGDROP UDP: " --log-level 7
|
|
|
fi
|
|
|
if $debugicmp; then
|
|
|
- iptables -A FORWARD-LOG-DROP -p icmp -j LOG --log-prefix "FORWARD-LOG-DROP ICMP: " --log-level 7
|
|
|
- iptables -A FORWARD-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
|
|
|
+ ${iptables} -A ${1}LOGDROP -p icmp -j LOG --log-prefix "${1}LOGDROP ICMP: " --log-level 7
|
|
|
fi
|
|
|
}
|
|
|
|
|
|
-setup_nat() {
|
|
|
- iptables -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
|
|
|
-}
|
|
|
+_forward() {
|
|
|
+ while read -r ip public private ; do
|
|
|
+ [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] || continue
|
|
|
+ [[ "$public" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
|
|
|
+ [[ "$private" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
|
|
|
+ if [[ "$public" =~ ^[0-9]{1,}$ ]] ; then
|
|
|
+ ${iptables} -A PREROUTING -t nat -i ${wan} -p tcp --dport ${public} -j DNAT --to ${ip}:${private}
|
|
|
+ ${iptables} -A FORWARD -i ${wan} -p tcp --syn -d ${ip} --dport ${private} -m conntrack --ctstate NEW --ctproto TCP -j ACCEPT
|
|
|
+ else
|
|
|
+ ${iptables} -A PREROUTING -t nat -i ${wan} -p tcp --dport ${public} -j DNAT --to ${ip}
|
|
|
+ ${iptables} -A FORWARD -i ${wan} -p tcp --syn -d ${ip} --dport ${public} -m conntrack --ctstate NEW --ctproto TCP -j ACCEPT
|
|
|
+ fi
|
|
|
+ done < $confd/FORWARD.tcp
|
|
|
+
|
|
|
+ while read -r ip public private ; do
|
|
|
+ [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] || continue
|
|
|
+ [[ "$public" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
|
|
|
+ [[ "$private" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
|
|
|
+ if [[ "$public" =~ ^[0-9]{1,}$ ]] ; then
|
|
|
+ ${iptables} -A PREROUTING -t nat -i ${wan} -p udp --dport ${public} -j DNAT --to ${ip}:${private}
|
|
|
+ ${iptables} -A FORWARD -i ${wan} -p udp -d ${ip} --dport ${private} -m conntrack --ctstate NEW --ctproto UDP -j ACCEPT
|
|
|
+ else
|
|
|
+ ${iptables} -A PREROUTING -t nat -i ${wan} -p udp --dport ${public} -j DNAT --to ${ip}
|
|
|
+ ${iptables} -A FORWARD -i ${wan} -p udp -d ${ip} --dport ${public} -m conntrack --ctstate NEW --ctproto UDP -j ACCEPT
|
|
|
+ fi
|
|
|
+ done < $confd/FORWARD.udp
|
|
|
|
|
|
-setup_forward() {
|
|
|
- iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
|
- iptables -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
|
|
|
if $logforward ; then
|
|
|
- setup_fordroplog
|
|
|
- iptables -A FORWARD -j FORWARD-LOG-DROP
|
|
|
- else
|
|
|
- iptables -A FORWARD -j DROP
|
|
|
+ _droplog "FORWARD"
|
|
|
+ ${iptables} -A FORWARD -j FORWARDLOGDROP
|
|
|
fi
|
|
|
}
|
|
|
|
|
|
-setup_base() {
|
|
|
- iptables -A INPUT -i lo -j ACCEPT
|
|
|
- iptables -A INPUT -i ${eth0} -j ACCEPT
|
|
|
- iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
|
- iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
|
|
|
+_init(){
|
|
|
+ /usr/lib/systemd/scripts/iptables-flush
|
|
|
+ ${iptables} -P INPUT DROP
|
|
|
+ ${iptables} -P FORWARD DROP
|
|
|
+ ${iptables} -P OUTPUT ACCEPT
|
|
|
+ ${iptables} -A INPUT -i lo -j ACCEPT
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p icmp --icmp-type echo-request -j ACCEPT
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p icmp --icmp-type time-exceeded -j ACCEPT
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p icmp --icmp-type destination-unreachable -j ACCEPT
|
|
|
+ ${iptables} -N ENDRESET
|
|
|
+ ${iptables} -A ENDRESET -p tcp -j REJECT --reject-with tcp-reset
|
|
|
+ ${iptables} -A ENDRESET -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
|
+ ${iptables} -A ENDRESET -j REJECT --reject-with icmp-proto-unreachable
|
|
|
+ _unblock
|
|
|
}
|
|
|
|
|
|
-setup_whitenets() {
|
|
|
- ipset create -! $whiteset hash:net hashsize 4096 timeout $whitettl
|
|
|
+_unblock(){
|
|
|
+ ipset create -! $scanset hash:ip hashsize $scanmaxelems timeout $scanttl maxelem $scanmaxelems forceadd counters
|
|
|
+ ${iptables} -N FWUNBLOCK
|
|
|
+ ${iptables} -A FWUNBLOCK -i ${wan} -m set --match-set $scanset src -j LOG --log-prefix "UNBLOCK: " --log-level 7
|
|
|
+ ${iptables} -A FWUNBLOCK -i ${wan} -m set --match-set $scanset src -j SET --del-set $scanset src
|
|
|
+ ${iptables} -A FWUNBLOCK -j ACCEPT
|
|
|
+}
|
|
|
+
|
|
|
+_whitenets() {
|
|
|
+ ipset create -! $whiteset hash:net hashsize 4096 timeout $whitettl maxelem $whitemaxelems
|
|
|
while read -r net ; do
|
|
|
[[ "$net" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}/[0-9]{1,}$ ]] || continue
|
|
|
ipset -! add $whiteset $net timeout 0
|
|
|
done < $confd/WHITE.nets
|
|
|
}
|
|
|
|
|
|
-setup_badips() {
|
|
|
- ipset create -! $banset hash:ip hashsize 4096 timeout $banttl
|
|
|
- iptables -A INPUT -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
|
|
|
- iptables -A INPUT -i ${wan} -p tcp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
|
|
|
+base() {
|
|
|
+ _init
|
|
|
+ ${iptables} -A INPUT -i ${wan} ! -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j FWUNBLOCK
|
|
|
+ _broken
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p tcp -j FWSUSPICIOUS
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j FWUNBLOCK
|
|
|
+ if $loginvalid; then
|
|
|
+ _droplog "INVALID"
|
|
|
+ ${iptables} -A INPUT -i ${wan} -m conntrack --ctstate INVALID -j INVALIDLOGDROP
|
|
|
+ fi
|
|
|
+ ${iptables} -A INPUT -i ${wan} -m conntrack --ctstate INVALID -j DROP
|
|
|
+}
|
|
|
+
|
|
|
+cast() {
|
|
|
+ ${iptables} -N FWCAST
|
|
|
+ if $logcast; then
|
|
|
+ ${iptables} -A FWCAST -m pkttype --pkt-type multicast -m conntrack --ctstate NEW -j LOG --log-prefix "CASTLOG MULTI: " --log-level 7
|
|
|
+ ${iptables} -A FWCAST -m pkttype --pkt-type broadcast -m conntrack --ctstate NEW -j LOG --log-prefix "CASTLOG BROAD: " --log-level 7
|
|
|
+ fi
|
|
|
+ ${iptables} -A FWCAST -m pkttype --pkt-type multicast -m conntrack --ctstate NEW -j ACCEPT
|
|
|
+ ${iptables} -A FWCAST -m pkttype --pkt-type broadcast -m conntrack --ctstate NEW -j ACCEPT
|
|
|
+ ${iptables} -A INPUT -i ${wan} -j FWCAST
|
|
|
+}
|
|
|
+
|
|
|
+lan() {
|
|
|
+ ${iptables} -A INPUT -i ${eth0} -j ACCEPT
|
|
|
+ ${iptables} -t nat -A POSTROUTING -p udp --sport 3000 --o ${wan} -s ${locnet} -j MASQUERADE --to-ports 3000
|
|
|
+ ${iptables} -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
|
|
|
+ ${iptables} -A FORWARD -i ${wan} -o ${eth0} ! -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j FWUNBLOCK
|
|
|
+ ${iptables} -A FORWARD -p tcp -j FWSUSPICIOUS
|
|
|
+ ${iptables} -A FORWARD -i ${wan} -o ${eth0} -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j FWUNBLOCK
|
|
|
+ if $loginvalid; then
|
|
|
+ _droplog "FWDINVALID"
|
|
|
+ ${iptables} -A FORWARD -m conntrack --ctstate INVALID -j FWDINVALIDLOGDROP
|
|
|
+ fi
|
|
|
+ ${iptables} -A FORWARD -m conntrack --ctstate INVALID -j DROP
|
|
|
+ ${iptables} -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
|
|
|
+ _forward
|
|
|
}
|
|
|
|
|
|
-setup_scanips() {
|
|
|
- ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl
|
|
|
- iptables -A INPUT -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
|
|
|
- iptables -A INPUT -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
|
|
|
+badips() {
|
|
|
+ ipset create -! $banset hash:ip hashsize $badmaxelems timeout $banttl maxelem $badmaxelems
|
|
|
+ ${iptables} -N FWBAD
|
|
|
+ if $logbad ; then
|
|
|
+ _droplog "BAD"
|
|
|
+ ${iptables} -A FWBAD -i ${wan} -m set --match-set $banset src -m conntrack --ctstate NEW -j BADLOGDROP
|
|
|
+ fi
|
|
|
+ ${iptables} -A FWBAD -i ${wan} -m set --match-set $banset src -m conntrack --ctstate NEW -j ENDRESET
|
|
|
+ ${iptables} -A INPUT -j FWBAD
|
|
|
}
|
|
|
|
|
|
-setup_white() {
|
|
|
- iptables -N FW-FILTERED
|
|
|
+scanips() {
|
|
|
+ ${iptables} -A FWSCAN -i ${wan} -j SET --add-set $scanset src --exist
|
|
|
+ if $logscan ; then
|
|
|
+ _droplog "SCAN"
|
|
|
+ ${iptables} -A FWSCAN -i ${wan} -m set --match-set $scanset src ! --update-counters -j SCANLOGDROP
|
|
|
+ fi
|
|
|
+ ${iptables} -A INPUT -j FWSCAN
|
|
|
+}
|
|
|
+
|
|
|
+white() {
|
|
|
+ _whitenets
|
|
|
+ ${iptables} -N FWFILTERED
|
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
- iptables -A FW-FILTERED -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
|
|
|
+ ${iptables} -A FWFILTERED -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
|
|
|
done < $confd/WHITE.udp
|
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
- iptables -A FW-FILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
|
+ ${iptables} -A FWFILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
|
done < $confd/WHITE.tcp
|
|
|
- iptables -A INPUT -i ${wan} -p udp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FW-FILTERED
|
|
|
- iptables -A INPUT -i ${wan} -p tcp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FW-FILTERED
|
|
|
- iptables -A INPUT -i ${wan} -p icmp --icmp-type 8 -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto ICMP -j ACCEPT
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FWFILTERED
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p tcp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FWFILTERED
|
|
|
}
|
|
|
|
|
|
-setup_open() {
|
|
|
- iptables -N FW-OPEN
|
|
|
+public() {
|
|
|
+ ${iptables} -N FWPUBLIC
|
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
- iptables -A FW-OPEN -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
|
|
|
- done < $confd/ACCEPT.udp
|
|
|
+ ${iptables} -A FWPUBLIC -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
|
|
|
+ done < $confd/PUBLIC.udp
|
|
|
while read -r port ; do
|
|
|
[[ "$port" =~ ^[0-9]{1,}$ ]] || continue
|
|
|
- iptables -A FW-OPEN -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
|
- done < $confd/ACCEPT.tcp
|
|
|
- iptables -A INPUT -i ${wan} -p udp -m conntrack --ctstate NEW --ctproto UDP -j FW-OPEN
|
|
|
- iptables -A INPUT -i ${wan} -p tcp -m conntrack --ctstate NEW --ctproto TCP -j FW-OPEN
|
|
|
+ ${iptables} -A FWPUBLIC -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
|
|
|
+ done < $confd/PUBLIC.tcp
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p udp -m conntrack --ctstate NEW --ctproto UDP -j FWPUBLIC
|
|
|
+ ${iptables} -A INPUT -i ${wan} -p tcp -m conntrack --ctstate NEW --ctproto TCP -j FWPUBLIC
|
|
|
}
|
|
|
|
|
|
-setup_cast() {
|
|
|
- iptables -N FW-CAST
|
|
|
- iptables -A FW-CAST -m pkttype --pkt-type broadcast -j ACCEPT
|
|
|
- iptables -A FW-CAST -m pkttype --pkt-type multicast -j ACCEPT
|
|
|
- iptables -A INPUT -i ${wan} -j FW-CAST
|
|
|
+final(){
|
|
|
+ if $loginput; then
|
|
|
+ _droplog "FINAL"
|
|
|
+ ${iptables} -A INPUT -j FINALLOGDROP
|
|
|
+ fi
|
|
|
+ ${iptables} -A INPUT -i ${wan} -j ENDRESET
|
|
|
}
|
|
|
|
|
|
main () {
|
|
|
- defaultHooks="set_defaults setup_whitenets setup_nat setup_forward setup_base setup_badips setup_white setup_open setup_scanips setup_cast setup_final"
|
|
|
- hookarray=(${hooks:-$defaultHooks})
|
|
|
- for hook in "${hookarray[@]}" ; do
|
|
|
+ for hook in "${hooks[@]}" ; do
|
|
|
$hook
|
|
|
done
|
|
|
}
|
Edvinas Valatka