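#!/bin/bash
# e-router firewall: rebuilds the iptables INPUT/FORWARD/nat rule set and the
# ban ipset from the variables and port lists under $CONFD.
# Expects the config file to define: wan, eth0, locnet, banset, bantime.
# Must run as root (iptables/ipset); exits 1 otherwise.
(( EUID == 0 )) || { printf '%s\n' "Need root" >&2; exit 1; }
set -euo pipefail
CONFD=/etc/e-router
# The config is executed as root by `source`, so it must be root-owned and
# not writable by any other user.
# shellcheck source=/dev/null
source "$CONFD/config"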
set_defaults() {
  # Reset to a known state: remove every existing rule, then install the
  # default policies — fail closed on INPUT and FORWARD, allow all OUTPUT.
  # NOTE: INPUT is set to DROP here, before setup_input appends the
  # RELATED,ESTABLISHED accept, so an existing remote session may stall
  # until the script has finished.
  local entry chain target
  /usr/lib/systemd/scripts/iptables-flush
  for entry in FORWARD:DROP OUTPUT:ACCEPT INPUT:DROP; do
    chain=${entry%%:*}
    target=${entry#*:}
    iptables -P "$chain" "$target"
  done
}
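create_tables() {
  # User-defined chains referenced by setup_input/setup_forward.
  # SILENTDROP is created here but no rule in this script jumps to it.
  local chain
  for chain in WANIN FORDROPLOG WANDROPLOG SILENTDROP; do
    iptables -N "$chain"
  done
  # Ban list consulted by banwanin. Entries expire after the ipset timeout
  # ($bantime); -! makes create succeed when the set already exists, so a
  # re-run keeps the entries of a live set.
  ipset create -! "$banset" hash:ip hashsize 4096 timeout "$bantime"
}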
activate() {
  # Persist the live rule set and restart the iptables unit (which
  # presumably reloads that file). Not called by default — the call at the
  # bottom of the script is commented out — so rules applied by this script
  # are only in the running kernel until this function runs.
  local rules_file=/etc/iptables/iptables.rules
  iptables-save > "$rules_file"
  systemctl restart iptables.service
}
create_wandroplog() {
  # Terminal chain for host-bound traffic nothing accepted: log TCP, UDP and
  # ICMP at debug level (7) with a per-protocol prefix, then DROP.
  # NOTE: the LOG rules carry no `-m limit` (a `--limit 5/min` variant of
  # the TCP rule was left commented out), so unsolicited WAN traffic is
  # logged at line rate and can fill the kernel log.
  local proto
  for proto in tcp udp icmp; do
    iptables -A WANDROPLOG -p "$proto" -j LOG \
      --log-prefix "WANDROPLOG ${proto^^}: " --log-level 7
  done
  iptables -A WANDROPLOG -j DROP
}
create_fordroplog() {
  # Terminal chain for routed traffic that setup_forward did not accept:
  # log TCP, UDP and ICMP at debug level (7), then DROP.
  # NOTE: no `-m limit` on the LOG rules, so a flood of refused forwarded
  # packets is logged one line per packet.
  local proto
  for proto in tcp udp icmp; do
    iptables -A FORDROPLOG -p "$proto" -j LOG \
      --log-prefix "FORDROPLOG ${proto^^}: " --log-level 7
  done
  iptables -A FORDROPLOG -j DROP
}
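setup_forward() {
  # Routed traffic: replies to existing flows pass, new flows from the LAN
  # (eth0) out the WAN pass, everything else is logged and dropped by
  # FORDROPLOG. New connections arriving from the WAN towards the LAN are
  # therefore refused.
  iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i "${eth0}" -o "${wan}" -j ACCEPT
  iptables -A FORWARD -j FORDROPLOG
}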
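setup_nat() {
  # Source-NAT traffic from the LAN prefix ($locnet) leaving via the WAN
  # interface, using the WAN interface's current address.
  iptables -t nat -A POSTROUTING -o "${wan}" -s "${locnet}" -j MASQUERADE
}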
passbroadcast() {
  # Accept broadcast and multicast packets in WANIN. WANIN is only reached
  # via the `-i ${wan}` jump in setup_input, so this applies to the WAN
  # side; no further source restriction is made here.
  local kind
  for kind in broadcast multicast; do
    iptables -A WANIN -m pkttype --pkt-type "$kind" -j ACCEPT
  done
}
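banwanin() {
  # Sources listed in the $banset ipset get REJECT — for TCP only. UDP and
  # ICMP from a banned address are not matched by this rule and fall through
  # to the later WANIN rules. REJECT sends a response to the peer; DROP
  # would be silent.
  iptables -A WANIN -m set --match-set "$banset" src -p TCP -j REJECT
}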
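dropwanin() {
  # DROP inbound WAN traffic to the ports listed one per line in
  # $CONFD/DROP.udp and $CONFD/DROP.tcp. Lines that are not purely digits
  # (blank lines, comments) are skipped. `|| [[ -n "$port" ]]` processes a
  # final line that lacks a trailing newline, which a bare `read` would
  # otherwise drop.
  local port
  while read -r port || [[ -n "$port" ]]; do
    [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
    iptables -A WANIN -i "${wan}" -m udp -p udp --dport "$port" -j DROP
  done < "$CONFD/DROP.udp"
  while read -r port || [[ -n "$port" ]]; do
    [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
    iptables -A WANIN -i "${wan}" -m tcp -p tcp --dport "$port" -j DROP
  done < "$CONFD/DROP.tcp"
}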
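passwanin() {
  # ACCEPT inbound WAN traffic to the ports listed one per line in
  # $CONFD/ACCEPT.udp and $CONFD/ACCEPT.tcp. Lines that are not purely
  # digits (blank lines, comments) are skipped. `|| [[ -n "$port" ]]`
  # processes a final line that lacks a trailing newline, which a bare
  # `read` would otherwise drop. These rules come after banwanin/dropwanin
  # in WANIN, so a banned TCP source or an explicitly dropped port wins.
  local port
  while read -r port || [[ -n "$port" ]]; do
    [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
    iptables -A WANIN -i "${wan}" -m udp -p udp --dport "$port" -j ACCEPT
  done < "$CONFD/ACCEPT.udp"
  while read -r port || [[ -n "$port" ]]; do
    [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
    iptables -A WANIN -i "${wan}" -m tcp -p tcp --dport "$port" -j ACCEPT
  done < "$CONFD/ACCEPT.tcp"
}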
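setup_input() {
  # Host-bound traffic. Loopback and the LAN side (eth0) are trusted
  # outright; replies to existing flows pass; conntrack-INVALID is dropped.
  # WAN-facing policy lives in WANIN, which is filled here in this order:
  # ban list (banwanin), explicit drops (dropwanin), explicit accepts
  # (passwanin), broadcast/multicast (passbroadcast). Whatever WANIN does
  # not accept — and anything from any other interface — ends in WANDROPLOG.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -i "${eth0}" -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  banwanin
  dropwanin
  passwanin
  passbroadcast
  iptables -A INPUT -i "${wan}" -j WANIN
  iptables -A INPUT -j WANDROPLOG
}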
main() {
  # Build order matters: policies and chains must exist before the rules
  # that reference them, and WANIN is populated inside setup_input.
  set_defaults
  create_tables
  create_fordroplog
  create_wandroplog
  setup_nat
  setup_input
  setup_forward
  # Persisting the rule set is opt-in; uncomment to write
  # /etc/iptables/iptables.rules and restart the iptables unit.
  #activate
}
main "$@"