45 Commits 4de61c1bc0 ... 620774e644

  Edvinas Valatka 620774e644 Refactor 9 anos atrás
  Edvinas Valatka f6ffc7d632 Add counters support 9 anos atrás
  Edvinas Valatka 85454ed006 Fix BAD logging 9 anos atrás
  Edvinas Valatka af79a33873 Only NEW packets will be add to the scanips set 9 anos atrás
  Edvinas Valatka 9b96ea79a3 Create missing FWBAD chain 9 anos atrás
  Edvinas Valatka 95fc13762c Fix syntax 9 anos atrás
  Edvinas Valatka fc4cbf1bee Monitor broken packets;refactor 9 anos atrás
  Edvinas Valatka c4af9b3c93 Move private functions to top 9 anos atrás
  Edvinas Valatka 15148999bb Prepend underscores to private functions names 9 anos atrás
  Edvinas Valatka 227684a325 Default fetch last 2h records from badips 9 anos atrás
  Edvinas Valatka 167db62bc8 Fix logging 9 anos atrás
  Edvinas Valatka 905cb8ef26 State NEW must have SYN flag 9 anos atrás
  Edvinas Valatka 1c8a5547e0 Fix masquerading for LAN 9 anos atrás
  Edvinas Valatka c7ec23d346 Rework logging 9 anos atrás
  Edvinas Valatka 948e1884fb Custom chain for REJECT 9 anos atrás
  Edvinas Valatka 1d44827cc3 Make hooks names short 9 anos atrás
  Edvinas Valatka 0714af9b27 Make iptables invocation configurable 9 anos atrás
  Edvinas Valatka 1e78539acc Use array for hooks 9 anos atrás
  Edvinas Valatka 568bf88103 Rework init and lan parts 9 anos atrás
  Edvinas Valatka 637b2a8690 Add vim modeline 9 anos atrás
  Edvinas Valatka d722ea5731 Fix name 9 anos atrás
  Edvinas Valatka ba062c3614 Add scanner to ipset 9 anos atrás
  Edvinas Valatka b885eda08b Better logging 9 anos atrás
  Edvinas Valatka ec4d283d86 add .gitignore 9 anos atrás
  Edvinas Valatka 5d9b1350c1 Define default IPTABLESCMD 9 anos atrás
  Edvinas Valatka d5f34ed7d9 Use $IPTABLESCMD over iptables 9 anos atrás
  Edvinas Valatka 11adc6aa3c Accuire lock when inserting iptables rules 9 anos atrás
  Edvinas Valatka b45c76a5b3 Fix starting order 9 anos atrás
  Edvinas Valatka a3415c66d4 Dont fail, if list provider is unreacheable 9 anos atrás
  Edvinas Valatka 53d516651f Start before network 9 anos atrás
  Edvinas Valatka 68459888cc Add syncthing-discovery port 9 anos atrás
  Edvinas Valatka 97633dadf8 Check for valid IP format 9 anos atrás
  Edvinas Valatka 2fc9a78d30 Wait for network-online before pulling bad IPs 9 anos atrás
  Edvinas Valatka ef22eaed23 Fetch from blocklist.de too 9 anos atrás
  Edvinas Valatka ec0e426859 Make ipset set size configurable 9 anos atrás
  Edvinas Valatka 36b9bcbfb5 Implement port range forwarding 9 anos atrás
  Edvinas Valatka 4b3c8c1b41 Cleanup 9 anos atrás
  Edvinas Valatka 550ee9b239 Bugfixes: 9 anos atrás
  Edvinas Valatka eddb77544e capitalize conf file name 9 anos atrás
  Edvinas Valatka c15857fe68 Implement nat forwarding 9 anos atrás
  Edvinas Valatka 7e9a96b6f8 rename _open to _public 9 anos atrás
  Edvinas Valatka 67b703d865 Add sopcast ports 10 anos atrás
  Edvinas Valatka e69bef0a7c Add acestream ports 10 anos atrás
  Edvinas Valatka 258fee895c Use semantic names for config files 10 anos atrás
  Edvinas Valatka 17fc2c8808 Use semantic names for config files 10 anos atrás
14 arquivos alterados com 269 adições e 104 exclusões
  1. 1 0
      .gitignore
  2. 0 8
      ACCEPT.udp
  3. 2 0
      FORWARD.tcp
  4. 1 0
      FORWARD.udp
  5. 4 0
      ACCEPT.tcp
  6. 14 0
      PUBLIC.udp
  7. 28 3
      config
  8. 11 4
      e-badips
  9. 2 2
      e-badips.service
  10. 2 2
      e-pullasn.service
  11. 1 1
      e-pullasn.timer
  12. 1 1
      e-pullhosts.service
  13. 200 82
      e-router
  14. 2 1
      e-router.service

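--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+*.swp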

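--- a/ACCEPT.udp
+++ b/ACCEPT.udp
@@ -1,8 +0,0 @@
-# deluged
-4660
-# emule
-4662
-4663
-4664
-4662
-4672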

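--- a/FORWARD.tcp
+++ b/FORWARD.tcp
@@ -0,0 +1,2 @@
+#dest-ip public-port private-port
+192.168.1.105 2222 22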

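--- a/FORWARD.udp
+++ b/FORWARD.udp
@@ -0,0 +1 @@
+#dest-ip public-port private-port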

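--- a/ACCEPT.tcp
+++ b/ACCEPT.tcp
@@ -1,3 +1,5 @@
+# Sopcast
+3902
 # deluged
 4660
 # emule
@@ -7,6 +9,8 @@
 4665
 # syncthing-disco
 8443
+# acestream
+8621
 # syncthing
 22000
 # syncthing-relay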

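--- a/PUBLIC.udp
+++ b/PUBLIC.udp
@@ -0,0 +1,14 @@
+# Sopcast
+3902
+# deluged
+4660
+# emule
+4662
+4663
+4664
+4662
+4672
+# acestream
+8621
+# syncthing discovery broadcast
+21027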

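--- a/config
+++ b/config
@@ -1,3 +1,5 @@
+# vim: syntax=sh
+
 eth0=enp5s0
 wan=enp1s0
 locnet=192.168.1.0/24
@@ -7,34 +9,57 @@ lanbro=192.168.1.255
 ## badips.com ##
 # ipset name
 banset=badips
+# set size, default 65536
+badmaxelems=131072
 # 0 - 5 , 0 will ban max
 banlevel=0
 # ban time in seconds,  1 week =  604800,  1 day = 86400
 banttl=604800
 # h,d,w,m,y
-rangecheck=1h
+rangecheck=2h
 # ssh,http... or any
 banservice=any
 
 ## whitenets ##
 #ipset name
 whiteset=goodips
+# set size, default 65536
+whitemaxelems=65536
 # default ttl
 whitettl=172800
 
 ## scannets ##
 #ipset name
 scanset=scanips
+# set size, default 65536
+scanmaxelems=65536
 # default ttl
 scanttl=172800
 
 ## DEBUG ##
 loginput=true
+logstrange=true
+logbroken=true
+loginvalid=true
 logforward=true
+logbad=true
+logscan=true
+logcast=true
 debugtcp=true
 debugudp=true
 debugicmp=true
 
-
 ## default hook order ##
-# hooks="set_defaults setup_whitenets setup_nat setup_forward setup_base setup_badips setup_white setup_open setup_scanips setup_cast setup_final"
+hooks=(
+base
+cast
+lan
+public
+badips
+white
+scanips
+final
+)
+
+## iptables invocation command ##
+iptables="iptables -w"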

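--- a/e-badips
+++ b/e-badips
@@ -7,7 +7,14 @@ source $CONFD/config
 tmp=$(mktemp)
 trap "/bin/rm -f ${tmp}" EXIT SIGHUP SIGINT SIGTERM
 
-curl -f -s -S -m 60 -o $tmp "https://www.badips.com/get/list/${banservice}/${banlevel}?age=${rangecheck}"
-while read -r ip ; do
-    ipset -! add ${banset} ${ip} timeout $banttl
-done < $tmp
+if curl -f -s -S -m 60 -o $tmp "https://www.badips.com/get/list/${banservice}/${banlevel}?age=${rangecheck}" ; then
+    while read -r ip ; do
+        [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] && ipset -! add ${banset} ${ip} timeout $banttl
+    done < $tmp
+fi
+
+if curl -f -s -S -m 60 -o $tmp  "http://api.blocklist.de/getlast.php?time=7200&service=all" ; then
+    while read -r ip ; do
+        [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] && ipset -! add ${banset} ${ip} timeout $banttl
+    done < $tmp
+fi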
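Review bot: The IPv4 check on the two added `[[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]]` lines leaves the dots unescaped, so `.` matches any character and a malformed list line such as `1a2b3c4` still reaches `ipset add`; the same pattern is used in e-router's `_forward` and `_whitenets`. Escaping the separators, `[[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]`, restricts input to dotted quads (ipset itself still rejects out-of-range octets). The second fetch uses plain `http://api.blocklist.de/...`, so a list that is written straight into the firewall ban set is retrieved over a cleartext channel with no integrity protection; prefer an https endpoint if the provider offers one. `$tmp` is also left unquoted in `-o $tmp` and `< $tmp`; `"$tmp"` is cheap insurance even for a mktemp path.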

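--- a/e-badips.service
+++ b/e-badips.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=Update badips ipset  from badips.com
-Requires=iptables.service e-router.service
-After=iptables.service e-router.service
+Wants=e-router.service multi-user.target
+After=e-router.service multi-user.target
 
 [Service]
 Type=oneshot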
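Review bot: The new ordering `After=e-router.service multi-user.target` does not guarantee network reachability when the oneshot runs, because multi-user.target can be reached before the network is actually online; the commit list mentions waiting for network-online, but the unit does not express that. The documented way is `Wants=network-online.target` and `After=e-router.service network-online.target`. e-pullasn.service makes the same change and would take the same fix. Switching from `Requires=` to `Wants=` also means the pull runs even when e-router.service failed, so the `ipset -! add` calls in e-badips may then run against a set that was never created — probably acceptable for a best-effort timer job, but worth a comment in the unit.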

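--- a/e-pullasn.service
+++ b/e-pullasn.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=Update goodips ipset  from whois.radb.net
-Requires=iptables.service e-router.service
-After=iptables.service e-router.service
+Wants=e-router.service multi-user.target
+After=e-router.service multi-user.target
 
 [Service]
 Type=oneshot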

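--- a/e-pullasn.timer
+++ b/e-pullasn.timer
@@ -3,7 +3,7 @@ Description=e-pullasn timer
 
 [Timer]
 OnUnitActiveSec=42000
-OnBootSec=300
+OnBootSec=15
 
 [Install]
 WantedBy=timers.target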

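--- a/e-pullhosts.service
+++ b/e-pullhosts.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Update hosts.ban file from http://someonewhocares.org/hosts/zero/hosts
-Requires=dnsmasq.service
+Wants=dnsmasq.service
 After=dnsmasq.service
 
 [Service]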

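--- a/e-router
+++ b/e-router
@@ -4,136 +4,254 @@ set -euo pipefail
 confd=/etc/e-router
 source $confd/config
 
-set_defaults() {
-    /usr/lib/systemd/scripts/iptables-flush
-    iptables -P FORWARD DROP
-    iptables -P OUTPUT ACCEPT
-    iptables -P INPUT DROP
-}
-
-setup_final(){
-    if $loginput ; then
-        setup_wandroplog
-        iptables -A INPUT -j WAN-LOG-DROP
-    else
-        iptables -A INPUT -j DROP
+_broken(){
+    ${iptables} -N FWSCAN
+    ${iptables} -N BROKENLOGDROP
+    if $logbroken; then
+        ${iptables} -A BROKENLOGDROP -j LOG --log-prefix "BROKENLOGDROP TCP: " --log-level 7
     fi
-}
+    ${iptables} -A BROKENLOGDROP -i ${wan} -j FWSCAN
+    ${iptables} -A BROKENLOGDROP -j DROP
 
-setup_wandroplog() {
-    iptables -N WAN-LOG-DROP
-    if $debugtcp; then
-        iptables -A WAN-LOG-DROP -p tcp  -j LOG --log-prefix  "WAN-LOG-DROP TCP: " --log-level 7
-        iptables -A WAN-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
-    fi
-    if $debugudp; then
-        iptables -A WAN-LOG-DROP -p udp  -j LOG --log-prefix  "WAN-LOG-DROP UDP: " --log-level 7
-        iptables -A WAN-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
+    ${iptables} -N BROKENLOGRST
+    if $logbroken; then
+        ${iptables} -A BROKENLOGRST -j LOG --log-prefix "BROKENLOGRST TCP: " --log-level 7
     fi
-    if $debugicmp; then
-        iptables -A WAN-LOG-DROP -p icmp -j LOG --log-prefix  "WAN-LOG-DROP ICMP: " --log-level 7
-        iptables -A WAN-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
+    ${iptables} -A BROKENLOGRST -i ${wan} -j FWSCAN
+    ${iptables} -A BROKENLOGRST -j ENDRESET
+
+    ${iptables} -N STRANGELOG
+    if $logstrange; then
+        ${iptables} -A STRANGELOG -j LOG --log-prefix "STRANGELOG TCP: " --log-level 7
     fi
+
+    ${iptables} -N FWSUSPICIOUS
+
+    ${iptables} -A FWSUSPICIOUS -p tcp --sport 0:19                                                           -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --dport 0:19                                                           -j BROKENLOGRST
+
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK             -m conntrack --ctstate ESTABLISHED -j ACCEPT
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK             -m conntrack --ctstate NEW,RELATED -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     PSH,ACK         -m conntrack --ctstate ESTABLISHED -j ACCEPT
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     PSH,ACK         -m conntrack --ctstate NEW         -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     PSH,ACK         -m conntrack --ctstate RELATED     -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     NONE                                               -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ALL                                                -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,FIN SYN,FIN                                            -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,RST SYN,RST                                            -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags RST,FIN RST,FIN                                            -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,URG SYN,URG                                            -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN,PSH                                            -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN,ACK,PSH                                        -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ACK,FIN FIN                                                -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ACK,PSH PSH                                                -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ACK,URG URG                                                -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST             -m conntrack --ctstate ESTABLISHED -j ACCEPT
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST             -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST             -m conntrack --ctstate INVALID     -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags SYN,ACK NONE                                               -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN             -m conntrack --ctstate NEW         -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN             -m conntrack --ctstate RELATED     -j ACCEPT
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN             -m conntrack --ctstate ESTABLISHED -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN,ACK         -m conntrack --ctstate ESTABLISHED -j ACCEPT
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN,ACK         -m conntrack --ctstate NEW,RELATED -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     SYN,ACK         -m conntrack --ctstate INVALID     -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     FIN,ACK         -m conntrack --ctstate ESTABLISHED -j ACCEPT
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     FIN,ACK         -m conntrack --ctstate NEW,RELATED -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     FIN,ACK         -m conntrack --ctstate INVALID     -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST,ACK         -m conntrack --ctstate ESTABLISHED -j ACCEPT
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST,ACK         -m conntrack --ctstate NEW         -j RETURN
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST,ACK         -m conntrack --ctstate RELATED     -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK,PSH,RST     -m conntrack --ctstate ESTABLISHED -j ACCEPT
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK,PSH,RST     -m conntrack --ctstate NEW,RELATED -j BROKENLOGDROP
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     FIN,PSH,ACK     -m conntrack --ctstate ESTABLISHED -j ACCEPT
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     FIN,PSH,ACK     -m conntrack --ctstate NEW,RELATED -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     FIN,PSH,ACK     -m conntrack --ctstate INVALID     -j BROKENLOGRST
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST,ACK,PSH                                        -j STRANGELOG
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST,ACK,URG                                        -j STRANGELOG
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     RST,ACK,PSH,URG                                    -j STRANGELOG
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     FIN,PSH,ACK,URG                                    -j STRANGELOG
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK,URG                                            -j STRANGELOG
+    ${iptables} -A FWSUSPICIOUS -p tcp --tcp-flags ALL     ACK,URG,FIN                                        -j STRANGELOG
 }
 
-setup_fordroplog() {
-    iptables -N FORWARD-LOG-DROP
+_droplog() {
+    ${iptables} -N ${1}LOGDROP
     if $debugtcp; then
-        iptables -A FORWARD-LOG-DROP -p tcp  -j LOG --log-prefix "FORWARD-LOG-DROP TCP: " --log-level 7
-        iptables -A FORWARD-LOG-DROP -p tcp -j REJECT --reject-with tcp-reset
+        ${iptables} -A ${1}LOGDROP -p tcp  -j LOG --log-prefix "${1}LOGDROP TCP: " --log-level 7
     fi
     if $debugudp; then
-        iptables -A FORWARD-LOG-DROP -p udp  -j LOG --log-prefix "FORWARD-LOG-DROP UDP: " --log-level 7
-        iptables -A FORWARD-LOG-DROP -p udp -j REJECT --reject-with icmp-port-unreachable
+        ${iptables} -A ${1}LOGDROP -p udp  -j LOG --log-prefix "${1}LOGDROP UDP: " --log-level 7
     fi
     if $debugicmp; then
-        iptables -A FORWARD-LOG-DROP -p icmp -j LOG --log-prefix "FORWARD-LOG-DROP ICMP: " --log-level 7
-        iptables -A FORWARD-LOG-DROP -j REJECT --reject-with icmp-proto-unreachable
+        ${iptables} -A ${1}LOGDROP -p icmp -j LOG --log-prefix "${1}LOGDROP ICMP: " --log-level 7
     fi
 }
 
-setup_nat() {
-    iptables -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
-}
+_forward() {
+    while read -r ip public private ; do
+        [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] || continue
+        [[ "$public" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
+        [[ "$private" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
+        if [[ "$public" =~ ^[0-9]{1,}$ ]] ; then
+            ${iptables} -A PREROUTING -t nat -i ${wan} -p tcp --dport ${public} -j DNAT --to ${ip}:${private}
+            ${iptables} -A FORWARD -i ${wan} -p tcp --syn -d ${ip} --dport ${private} -m conntrack --ctstate NEW --ctproto TCP -j ACCEPT
+        else
+            ${iptables} -A PREROUTING -t nat -i ${wan} -p tcp --dport ${public} -j DNAT --to ${ip}
+            ${iptables} -A FORWARD -i ${wan} -p tcp --syn -d ${ip} --dport ${public} -m conntrack --ctstate NEW --ctproto TCP -j ACCEPT
+        fi
+    done < $confd/FORWARD.tcp
+
+    while read -r ip public private ; do
+        [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] || continue
+        [[ "$public" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
+        [[ "$private" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
+        if [[ "$public" =~ ^[0-9]{1,}$ ]] ; then
+            ${iptables} -A PREROUTING -t nat -i ${wan} -p udp --dport ${public} -j DNAT --to ${ip}:${private}
+            ${iptables} -A FORWARD -i ${wan} -p udp -d ${ip} --dport ${private} -m conntrack --ctstate NEW --ctproto UDP -j ACCEPT
+        else
+            ${iptables} -A PREROUTING -t nat -i ${wan} -p udp --dport ${public} -j DNAT --to ${ip}
+            ${iptables} -A FORWARD -i ${wan} -p udp -d ${ip} --dport ${public} -m conntrack --ctstate NEW --ctproto UDP -j ACCEPT
+        fi
+    done < $confd/FORWARD.udp
 
-setup_forward() {
-    iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-    iptables -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
     if $logforward ; then
-        setup_fordroplog
-        iptables -A FORWARD -j FORWARD-LOG-DROP
-    else
-        iptables -A FORWARD -j DROP
+        _droplog "FORWARD"
+        ${iptables} -A FORWARD -j FORWARDLOGDROP
     fi
 }
 
-setup_base() {
-    iptables -A INPUT -i lo -j ACCEPT
-    iptables -A INPUT -i ${eth0} -j ACCEPT
-    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
+_init(){
+    /usr/lib/systemd/scripts/iptables-flush
+    ${iptables} -P INPUT DROP
+    ${iptables} -P FORWARD DROP
+    ${iptables} -P OUTPUT ACCEPT
+    ${iptables} -A INPUT -i lo -j ACCEPT
+    ${iptables} -A INPUT -i ${wan} -p icmp --icmp-type echo-request             -j ACCEPT
+    ${iptables} -A INPUT -i ${wan} -p icmp --icmp-type time-exceeded            -j ACCEPT
+    ${iptables} -A INPUT -i ${wan} -p icmp --icmp-type destination-unreachable  -j ACCEPT
+    ${iptables} -N ENDRESET
+    ${iptables} -A ENDRESET -p tcp -j REJECT --reject-with tcp-reset
+    ${iptables} -A ENDRESET -p udp -j REJECT --reject-with icmp-port-unreachable
+    ${iptables} -A ENDRESET -j REJECT --reject-with icmp-proto-unreachable
+    _unblock
 }
 
-setup_whitenets() {
-    ipset create -! $whiteset hash:net hashsize 4096 timeout $whitettl
+_unblock(){
+    ipset create -! $scanset hash:ip hashsize $scanmaxelems timeout $scanttl maxelem $scanmaxelems forceadd counters
+    ${iptables} -N FWUNBLOCK
+    ${iptables} -A FWUNBLOCK -i ${wan} -m set --match-set $scanset src -j LOG --log-prefix "UNBLOCK: " --log-level 7
+    ${iptables} -A FWUNBLOCK -i ${wan} -m set --match-set $scanset src -j SET --del-set $scanset src
+    ${iptables} -A FWUNBLOCK -j ACCEPT
+}
+
+_whitenets() {
+    ipset create -! $whiteset hash:net hashsize 4096 timeout $whitettl maxelem $whitemaxelems
     while read -r net ; do
         [[ "$net" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}/[0-9]{1,}$ ]] || continue
         ipset -! add  $whiteset $net timeout 0
     done < $confd/WHITE.nets
 }
 
-setup_badips() {
-    ipset create -! $banset hash:ip hashsize 4096 timeout $banttl
-    iptables -A INPUT -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
-    iptables -A INPUT -i ${wan} -p tcp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
+base() {
+    _init
+    ${iptables} -A INPUT -i ${wan} ! -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j FWUNBLOCK
+    _broken
+    ${iptables} -A INPUT -i ${wan} -p tcp -j FWSUSPICIOUS
+    ${iptables} -A INPUT -i ${wan} -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j FWUNBLOCK
+    if $loginvalid; then
+        _droplog "INVALID"
+        ${iptables} -A INPUT -i ${wan} -m conntrack --ctstate INVALID -j INVALIDLOGDROP
+    fi
+    ${iptables} -A INPUT -i ${wan} -m conntrack --ctstate INVALID -j DROP
+}
+
+cast() {
+    ${iptables} -N FWCAST
+    if $logcast; then
+        ${iptables} -A FWCAST -m pkttype --pkt-type multicast -m conntrack --ctstate NEW  -j LOG --log-prefix "CASTLOG MULTI: " --log-level 7
+        ${iptables} -A FWCAST -m pkttype --pkt-type broadcast -m conntrack --ctstate NEW  -j LOG --log-prefix "CASTLOG BROAD: " --log-level 7
+    fi
+    ${iptables} -A FWCAST -m pkttype --pkt-type multicast -m conntrack --ctstate NEW -j ACCEPT
+    ${iptables} -A FWCAST -m pkttype --pkt-type broadcast -m conntrack --ctstate NEW -j ACCEPT
+    ${iptables} -A INPUT -i ${wan} -j FWCAST
+}
+
+lan() {
+    ${iptables} -A INPUT -i ${eth0} -j ACCEPT
+    ${iptables} -t nat -A POSTROUTING -p udp --sport 3000 --o ${wan} -s ${locnet} -j MASQUERADE --to-ports 3000
+    ${iptables} -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
+    ${iptables} -A FORWARD -i ${wan} -o ${eth0} ! -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j FWUNBLOCK
+    ${iptables} -A FORWARD -p tcp -j FWSUSPICIOUS
+    ${iptables} -A FORWARD -i ${wan} -o ${eth0} -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j FWUNBLOCK
+    if $loginvalid; then
+        _droplog "FWDINVALID"
+        ${iptables} -A FORWARD -m conntrack --ctstate INVALID -j FWDINVALIDLOGDROP
+    fi
+    ${iptables} -A FORWARD -m conntrack --ctstate INVALID -j DROP
+    ${iptables} -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
+    _forward
 }
 
-setup_scanips() {
-    ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl
-    iptables -A INPUT -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
-    iptables -A INPUT -i ${wan} -p tcp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
+badips() {
+    ipset create -! $banset hash:ip hashsize $badmaxelems timeout $banttl maxelem $badmaxelems
+    ${iptables} -N FWBAD
+    if $logbad ; then
+        _droplog "BAD"
+        ${iptables} -A FWBAD -i ${wan} -m set --match-set $banset src -m conntrack --ctstate NEW -j BADLOGDROP
+    fi
+    ${iptables} -A FWBAD -i ${wan} -m set --match-set $banset src -m conntrack --ctstate NEW -j ENDRESET
+    ${iptables} -A INPUT -j FWBAD
 }
 
-setup_white() {
-    iptables -N FW-FILTERED
+scanips() {
+    ${iptables} -A FWSCAN -i ${wan} -j SET --add-set $scanset src --exist
+    if $logscan ; then
+        _droplog "SCAN"
+        ${iptables} -A FWSCAN -i ${wan} -m set --match-set $scanset src ! --update-counters -j SCANLOGDROP
+    fi
+    ${iptables} -A INPUT -j FWSCAN
+}
+
+white() {
+    _whitenets
+    ${iptables} -N FWFILTERED
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A FW-FILTERED -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
+        ${iptables} -A FWFILTERED -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
     done < $confd/WHITE.udp
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A FW-FILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
+        ${iptables} -A FWFILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
     done < $confd/WHITE.tcp
-    iptables -A INPUT -i ${wan} -p udp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FW-FILTERED
-    iptables -A INPUT -i ${wan} -p tcp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FW-FILTERED
-    iptables -A INPUT -i ${wan} -p icmp --icmp-type 8 -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto ICMP -j ACCEPT
+    ${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FWFILTERED
+    ${iptables} -A INPUT -i ${wan} -p tcp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FWFILTERED
 }
 
-setup_open() {
-    iptables -N FW-OPEN
+public() {
+    ${iptables} -N FWPUBLIC
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A FW-OPEN -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
-    done < $confd/ACCEPT.udp
+        ${iptables} -A FWPUBLIC -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
+    done < $confd/PUBLIC.udp
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A FW-OPEN -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
-    done < $confd/ACCEPT.tcp
-    iptables -A INPUT -i ${wan} -p udp -m conntrack --ctstate NEW --ctproto UDP -j FW-OPEN
-    iptables -A INPUT -i ${wan} -p tcp -m conntrack --ctstate NEW --ctproto TCP -j FW-OPEN
+        ${iptables} -A FWPUBLIC -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
+    done < $confd/PUBLIC.tcp
+    ${iptables} -A INPUT -i ${wan} -p udp -m conntrack --ctstate NEW --ctproto UDP -j FWPUBLIC
+    ${iptables} -A INPUT -i ${wan} -p tcp -m conntrack --ctstate NEW --ctproto TCP -j FWPUBLIC
 }
 
-setup_cast() {
-    iptables -N FW-CAST
-    iptables -A FW-CAST -m pkttype --pkt-type broadcast -j ACCEPT
-    iptables -A FW-CAST -m pkttype --pkt-type multicast -j ACCEPT
-    iptables -A INPUT -i ${wan} -j FW-CAST
+final(){
+    if $loginput; then
+        _droplog "FINAL"
+        ${iptables} -A INPUT -j FINALLOGDROP
+    fi
+    ${iptables} -A INPUT -i ${wan} -j ENDRESET
 }
 
 main () {
-   defaultHooks="set_defaults setup_whitenets setup_nat setup_forward setup_base setup_badips setup_white setup_open setup_scanips setup_cast setup_final"
-    hookarray=(${hooks:-$defaultHooks})
-    for hook in "${hookarray[@]}" ; do
+    for hook in "${hooks[@]}" ; do
         $hook
     done
 }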
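Review bot: The port checks added in `_forward` are not anchored the way they read: in `^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$` the `|` binds looser than the anchors, so the left alternative accepts any value that merely starts with a digit (`2222x` passes) and the unvalidated token is then spliced into the `--dport` and `--to` arguments in both the tcp and udp loops. Grouping the alternation fixes it: `[[ "$public" =~ ^([0-9]+|[0-9]+:[0-9]+)$ ]] || continue` and the same for `$private`. In `lan`, the `--sport 3000` MASQUERADE rule uses `--o ${wan}` with a doubled dash; getopt may accept that as an abbreviation of `--out-interface`, but `-o ${wan}` as on the following line is what is meant and is not dependent on that. Under `set -e`, any `ipset`/`iptables` failure in a hook aborts `main` mid-ruleset with INPUT already at policy DROP, which is the safe direction but worth a one-line comment above `main` so the behaviour is deliberate rather than incidental.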

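--- a/e-router.service
+++ b/e-router.service
@@ -1,7 +1,8 @@
 [Unit]
 Description=e-router script
-Requires=iptables.service
+Wants=iptables.service network-pre.target
 After=iptables.service
+Before=network-pre.target
 
 [Service]
 Type=oneshot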