Domů Procházet Nápověda
Přihlásit se
arch
/
e-router
Sledovat 3
Oblíbit 0
Rozštěpit 0
Soubory Úkoly 0 Pull Requesty 0 Wiki
Strom: 905cb8ef26
Větve Značky
e-router
/
e-router

e-router 6.8 KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155 
  1. #!/bin/bash -x
    2. 

  2. ((EUID == 0 )) || { echo "Need root"; exit 1; }
    3. 

  3. set -euo pipefail
    4. 

  4. confd=/etc/e-router
    5. 

  5. source $confd/config
    6. 

  6. 

  7. base() {
    8. 

  8.     /usr/lib/systemd/scripts/iptables-flush
    9. 

  9.     ${iptables} -P INPUT DROP
    10. 

  10.     ${iptables} -P FORWARD DROP
    11. 

  11.     ${iptables} -P OUTPUT ACCEPT
    12. 

  12.     ${iptables} -A INPUT -i lo -j ACCEPT
    13. 

  13.     ${iptables} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    14. 

  14.     ${iptables} -A INPUT -m conntrack --ctstate INVALID -j DROP
    15. 

  15.     ${iptables} -N END-RESET
    16. 

  16.     ${iptables} -A END-RESET -p tcp -j REJECT --reject-with tcp-reset
    17. 

  17.     ${iptables} -A END-RESET -p udp -j REJECT --reject-with icmp-port-unreachable
    18. 

  18.     ${iptables} -A END-RESET -j REJECT --reject-with icmp-proto-unreachable
    19. 

  19. }
    20. 

  20. 

  21. final(){
    22. 

  22.     if $loginput; then
    23. 

  23.         droplog "FINAL" "INPUT"
    24. 

  24.     fi
    25. 

  25. }
    26. 

  26. 

  27. droplog() {
    28. 

  28.     ${iptables} -N ${1}-LOG-DROP
    29. 

  29.     if $debugtcp; then
    30. 

  30.         ${iptables} -A ${1}-LOG-DROP -p tcp  -j LOG --log-prefix "${1}-LOG-DROP TCP: " --log-level 7
    31. 

  31.     fi
    32. 

  32.     if $debugudp; then
    33. 

  33.         ${iptables} -A ${1}-LOG-DROP -p udp  -j LOG --log-prefix "${1}-LOG-DROP UDP: " --log-level 7
    34. 

  34.     fi
    35. 

  35.     if $debugicmp; then
    36. 

  36.         ${iptables} -A ${1}-LOG-DROP -p icmp -j LOG --log-prefix "${1}-LOG-DROP ICMP: " --log-level 7
    37. 

  37.     fi
    38. 

  38.     ${iptables} -A ${2} -j ${1}-LOG-DROP
    39. 

  39. }
    40. 

  40. 

  41. forward() {
    42. 

  42.     while read -r ip public private ; do
    43. 

  43.         [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] || continue
    44. 

  44.         [[ "$public" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
    45. 

  45.         [[ "$private" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
    46. 

  46.         if [[ "$public" =~ ^[0-9]{1,}$ ]] ; then
    47. 

  47.             ${iptables} -A PREROUTING -t nat -i ${wan} -p tcp --dport ${public} -j DNAT --to ${ip}:${private}
    48. 

  48.             ${iptables} -A FORWARD -i ${wan} -p tcp --syn -d ${ip} --dport ${private} -m conntrack --ctstate NEW --ctproto TCP -j ACCEPT
    49. 

  49.         else
    50. 

  50.             ${iptables} -A PREROUTING -t nat -i ${wan} -p tcp --dport ${public} -j DNAT --to ${ip}
    51. 

  51.             ${iptables} -A FORWARD -i ${wan} -p tcp --syn -d ${ip} --dport ${public} -m conntrack --ctstate NEW --ctproto TCP -j ACCEPT
    52. 

  52.         fi
    53. 

  53.     done < $confd/FORWARD.tcp
    54. 

  54. 

  55.     while read -r ip public private ; do
    56. 

  56.         [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] || continue
    57. 

  57.         [[ "$public" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
    58. 

  58.         [[ "$private" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
    59. 

  59.         if [[ "$public" =~ ^[0-9]{1,}$ ]] ; then
    60. 

  60.             ${iptables} -A PREROUTING -t nat -i ${wan} -p udp --dport ${public} -j DNAT --to ${ip}:${private}
    61. 

  61.             ${iptables} -A FORWARD -i ${wan} -p udp -d ${ip} --dport ${private} -m conntrack --ctstate NEW --ctproto UDP -j ACCEPT
    62. 

  62.         else
    63. 

  63.             ${iptables} -A PREROUTING -t nat -i ${wan} -p udp --dport ${public} -j DNAT --to ${ip}
    64. 

  64.             ${iptables} -A FORWARD -i ${wan} -p udp -d ${ip} --dport ${public} -m conntrack --ctstate NEW --ctproto UDP -j ACCEPT
    65. 

  65.         fi
    66. 

  66.     done < $confd/FORWARD.udp
    67. 

  67. 

  68.     if $logforward ; then
    69. 

  69.         droplog "FORWARD" "FORWARD"
    70. 

  70.     fi
    71. 

  71.     ${iptables} -A FORWARD -j END-RESET
    72. 

  72. }
    73. 

  73. 

  74. lan() {
    75. 

  75.     ${iptables} -A INPUT -i ${eth0} -j ACCEPT
    76. 

  76.     ${iptables} -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
    77. 

  77.     ${iptables} -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    78. 

  78.     ${iptables} -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
    79. 

  79. }
    80. 

  80. 

  81. whitenets() {
    82. 

  82.     ipset create -! $whiteset hash:net hashsize 4096 timeout $whitettl maxelem $whitemaxelems
    83. 

  83.     while read -r net ; do
    84. 

  84.         [[ "$net" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}/[0-9]{1,}$ ]] || continue
    85. 

  85.         ipset -! add  $whiteset $net timeout 0
    86. 

  86.     done < $confd/WHITE.nets
    87. 

  87. }
    88. 

  88. 

  89. badips() {
    90. 

  90.     ipset create -! $banset hash:ip hashsize 4096 timeout $banttl  maxelem $badmaxelems
    91. 

  91.     if $logbad ; then
    92. 

  92.         droplog "BAD" "INPUT"
    93. 

  93.     fi
    94. 

  94.     ${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j END-RESET
    95. 

  95.     ${iptables} -A INPUT -i ${wan} -p tcp --syn -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j END-RESET
    96. 

  96. }
    97. 

  97. 

  98. scanips() {
    99. 

  99.     ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl maxelem $scanmaxelems
    100. 

  100.     ${iptables} -A INPUT -i ${wan} -p udp -m conntrack --ctstate NEW --ctproto UDP -j SET --add-set $scanset src --exist  --timeout $scanttl
    101. 

  101.     ${iptables} -A INPUT -i ${wan} -p tcp --syn -m conntrack --ctstate NEW --ctproto TCP -j SET --add-set $scanset src --exist  --timeout $scanttl
    102. 

  102.     if $logscan ; then
    103. 

  103.         droplog "SCAN" "INPUT"
    104. 

  104.     fi
    105. 

  105.     ${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j END-RESET
    106. 

  106.     ${iptables} -A INPUT -i ${wan} -p tcp --syn -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j END-RESET
    107. 

  107. }
    108. 

  108. 

  109. white() {
    110. 

  110.     ${iptables} -N FW-FILTERED
    111. 

  111.     while read -r port ; do
    112. 

  112.         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
    113. 

  113.         ${iptables} -A FW-FILTERED -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
    114. 

  114.     done < $confd/WHITE.udp
    115. 

  115.     while read -r port ; do
    116. 

  116.         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
    117. 

  117.         ${iptables} -A FW-FILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
    118. 

  118.     done < $confd/WHITE.tcp
    119. 

  119.     ${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FW-FILTERED
    120. 

  120.     ${iptables} -A INPUT -i ${wan} -p tcp --syn -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FW-FILTERED
    121. 

  121.     ${iptables} -A INPUT -i ${wan} -p icmp --icmp-type 8 -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto ICMP -j ACCEPT
    122. 

  122. }
    123. 

  123. 

  124. public() {
    125. 

  125.     ${iptables} -N FW-PUBLIC
    126. 

  126.     while read -r port ; do
    127. 

  127.         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
    128. 

  128.         ${iptables} -A FW-PUBLIC -p udp -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
    129. 

  129.     done < $confd/PUBLIC.udp
    130. 

  130.     while read -r port ; do
    131. 

  131.         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
    132. 

  132.         ${iptables} -A FW-PUBLIC -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
    133. 

  133.     done < $confd/PUBLIC.tcp
    134. 

  134.     ${iptables} -A INPUT -i ${wan} -p udp -m conntrack --ctstate NEW --ctproto UDP -j FW-PUBLIC
    135. 

  135.     ${iptables} -A INPUT -i ${wan} -p tcp --syn -m conntrack --ctstate NEW --ctproto TCP -j FW-PUBLIC
    136. 

  136. }
    137. 

  137. 

  138. cast() {
    139. 

  139.     ${iptables} -N FW-CAST
    140. 

  140.     if $logcast; then
    141. 

  141.         ${iptables} -A FW-CAST -m pkttype --pkt-type multicast -m conntrack --ctstate NEW  -j LOG --log-prefix "CAST-LOG MULTI: " --log-level 7
    142. 

  142.         ${iptables} -A FW-CAST -m pkttype --pkt-type broadcast -m conntrack --ctstate NEW  -j LOG --log-prefix "CAST-LOG BROAD: " --log-level 7
    143. 

  143.     fi
    144. 

  144.     ${iptables} -A FW-CAST -m pkttype --pkt-type multicast -m conntrack --ctstate NEW -j ACCEPT
    145. 

  145.     ${iptables} -A FW-CAST -m pkttype --pkt-type broadcast -m conntrack --ctstate NEW -j ACCEPT
    146. 

  146.     ${iptables} -A INPUT -i ${wan} -j FW-CAST
    147. 

  147. }
    148. 

  148. 

  149. main () {
    150. 

  150.     for hook in "${hooks[@]}" ; do
    151. 

  151.         $hook
    152. 

  152.     done
    153. 

  153. }
    154. 

  154. 

  155. main
    156.