Adding custom code files
parent
9a9ff7c3cd
commit
7124d93bfb
|
@ -1,23 +0,0 @@
|
||||||
0.0.0.0/7
|
|
||||||
5.0.0.0/8
|
|
||||||
14.0.0.0/8
|
|
||||||
23.0.0.0/8
|
|
||||||
27.0.0.0/8
|
|
||||||
31.0.0.0/8
|
|
||||||
36.0.0.0/7
|
|
||||||
39.0.0.0/8
|
|
||||||
42.0.0.0/8
|
|
||||||
49.0.0.0/8
|
|
||||||
50.0.0.0/8
|
|
||||||
100.0.0.0/6
|
|
||||||
104.0.0.0/6
|
|
||||||
127.0.0.0/8
|
|
||||||
169.254.0.0/16
|
|
||||||
176.0.0.0/7
|
|
||||||
179.0.0.0/8
|
|
||||||
181.0.0.0/8
|
|
||||||
185.0.0.0/8
|
|
||||||
192.0.2.0/24
|
|
||||||
198.18.0.0/15
|
|
||||||
223.0.0.0/8
|
|
||||||
224.0.0.0/3
|
|
|
@ -1,41 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
# Script to auto update bogons file for use with firewall script
|
|
||||||
|
|
||||||
VERSION="0.1"
|
|
||||||
WGET=/usr/bin/wget
|
|
||||||
PREFIX=`pwd`
|
|
||||||
BOGONSFILE=$PREFIX/bogon-bn-agg.txt
|
|
||||||
BOGONSURL="http://www.cymru.com/Documents/bogon-bn-agg.txt"
|
|
||||||
REMOVECIDR="(192.168.0.0|10.0.0.0|172.16.0.0)"
|
|
||||||
|
|
||||||
|
|
||||||
if [ ! -x $WGET ]; then
|
|
||||||
echo "wget command not found or executable. Please"
|
|
||||||
echo "edit the update-bogons script."
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
echo "Bogons update script - Version $VERSION"
|
|
||||||
echo -e "Part of Firewall/SOSDG - http://www.sosdg.org \n"
|
|
||||||
echo "Uses The Team Cymru Bogon List located at:"
|
|
||||||
echo -e "http://www.cymru.com/Documents/bogon-list.html\n"
|
|
||||||
|
|
||||||
if `wget -q -O $BOGONSFILE.new $BOGONSURL`; then
|
|
||||||
echo "Downloaded new bogons file..."
|
|
||||||
mv $BOGONSFILE $BOGONSFILE.old &>/dev/null
|
|
||||||
echo "Backed up $BOGONSFILE to .old..."
|
|
||||||
if [ $REMOVECIDR ]; then
|
|
||||||
grep -vE -e "$REMOVECIDR" $BOGONSFILE.new > $BOGONSFILE
|
|
||||||
echo "Removed blocks listed in REMOVECIDR..."
|
|
||||||
rm -f $BOGONSFILE.new
|
|
||||||
else
|
|
||||||
mv $BOGONSFILE.new $BOGONSFILE
|
|
||||||
echo "Replaced old bogons file with new one."
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo "Error downloading bogons file. Please try again later."
|
|
||||||
rm -f $BOGONSFILE.new
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
exit 0
|
|
63
rc.firewall
63
rc.firewall
|
@ -61,6 +61,12 @@ if [ "$STRIPECN" ]; then
|
||||||
echo -ne "\n"
|
echo -ne "\n"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ -s "$BASEDIR/include/ipv4_custom_mssclamp" ]; then
|
||||||
|
echo -e "\E[33mLoading custom MSS Clamp rules...\E[37m"
|
||||||
|
. "$BASEDIR/include/ipv4_custom_mssclamp"
|
||||||
|
echo -ne "\n"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$CLAMPMSS" ]; then
|
if [ "$CLAMPMSS" ]; then
|
||||||
echo -e "\E[33mClamping MSS to PMTU...\E[37m"
|
echo -e "\E[33mClamping MSS to PMTU...\E[37m"
|
||||||
for i in $CLAMPMSS; do
|
for i in $CLAMPMSS; do
|
||||||
|
@ -84,6 +90,12 @@ fi
|
||||||
$IPTABLES -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
|
$IPTABLES -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
|
||||||
"0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
|
"0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
|
||||||
|
|
||||||
|
if [ -s "$BASEDIR/include/ipv4_custom_conntrack" ]; then
|
||||||
|
echo -e "\E[33mLoading custom conntrack rules...\E[37m"
|
||||||
|
. "$BASEDIR/include/ipv4_custom_conntrack"
|
||||||
|
echo -ne "\n"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ $CONNTRACK ]; then
|
if [ $CONNTRACK ]; then
|
||||||
$IPTABLES -A INPUT -m state --state NEW -j ACCEPT
|
$IPTABLES -A INPUT -m state --state NEW -j ACCEPT
|
||||||
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
@ -96,6 +108,12 @@ if [ $CONNTRACK ]; then
|
||||||
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
|
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ -s "$BASEDIR/include/ipv4_custom_blockports" ]; then
|
||||||
|
echo -e "\E[33mLoading custom blocked port rules...\E[37m"
|
||||||
|
. "$BASEDIR/include/ipv4_custom_blockports"
|
||||||
|
echo -ne "\n"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$BLOCKTCPPORTS" ] || [ "$BLOCKUDPPORTS" ]; then
|
if [ "$BLOCKTCPPORTS" ] || [ "$BLOCKUDPPORTS" ]; then
|
||||||
echo -en "\E[33mBlocking outbound port:\E[37m "
|
echo -en "\E[33mBlocking outbound port:\E[37m "
|
||||||
|
|
||||||
|
@ -124,6 +142,12 @@ if [ "$BLOCKTCPPORTS" ] || [ "$BLOCKUDPPORTS" ]; then
|
||||||
echo -en "\n"
|
echo -en "\n"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ -s "$BASEDIR/include/ipv4_custom_allowedports" ]; then
|
||||||
|
echo -e "\E[33mLoading custom allowed port rules...\E[37m"
|
||||||
|
. "$BASEDIR/include/ipv4_custom_allowedports"
|
||||||
|
echo -ne "\n"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$TCPPORTS" ] || [ "$UDPPORTS" ]; then
|
if [ "$TCPPORTS" ] || [ "$UDPPORTS" ]; then
|
||||||
echo -en "\E[33mAdding allowed port:\E[37m "
|
echo -en "\E[33mAdding allowed port:\E[37m "
|
||||||
|
|
||||||
|
@ -147,6 +171,12 @@ fi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
if [ -s "$BASEDIR/include/ipv4_custom_proto" ]; then
|
||||||
|
echo -e "\E[33mLoading custom protocol rules...\E[37m"
|
||||||
|
. "$BASEDIR/include/ipv4_custom_proto"
|
||||||
|
echo -ne "\n"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$ALLOWEDPROTO" ]; then
|
if [ "$ALLOWEDPROTO" ]; then
|
||||||
echo -en "\E[33mAdding allowed protocols:\E[37m "
|
echo -en "\E[33mAdding allowed protocols:\E[37m "
|
||||||
for i in $ALLOWEDPROTO; do
|
for i in $ALLOWEDPROTO; do
|
||||||
|
@ -157,6 +187,13 @@ if [ "$ALLOWEDPROTO" ]; then
|
||||||
echo -en "\n\E[37m"
|
echo -en "\n\E[37m"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
if [ -s "$BASEDIR/include/ipv4_custom_notrack" ]; then
|
||||||
|
echo -e "\E[33mLoading custom NOTRACK rules...\E[37m"
|
||||||
|
. "$BASEDIR/include/ipv4_custom_notrack"
|
||||||
|
echo -ne "\n"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ $CONNTRACK ]; then
|
if [ $CONNTRACK ]; then
|
||||||
for i in $DONTTRACK; do
|
for i in $DONTTRACK; do
|
||||||
$IPTABLES -t raw -I PREROUTING -s $i -j NOTRACK
|
$IPTABLES -t raw -I PREROUTING -s $i -j NOTRACK
|
||||||
|
@ -167,6 +204,12 @@ if [ $CONNTRACK ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
if [ -s "$BASEDIR/include/ipv4_custom_routing" ]; then
|
||||||
|
echo -e "\E[33mLoading custom routing rules...\E[37m"
|
||||||
|
. "$BASEDIR/include/ipv4_custom_routing"
|
||||||
|
echo -ne "\n"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ $ROUTING ]; then
|
if [ $ROUTING ]; then
|
||||||
echo -en "\E[33mAdding route:\E[37m "
|
echo -en "\E[33mAdding route:\E[37m "
|
||||||
for i in `grep -v "\#" $ROUTING`; do
|
for i in `grep -v "\#" $ROUTING`; do
|
||||||
|
@ -196,6 +239,12 @@ echo -ne "\n"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
if [ -s "$BASEDIR/include/ipv4_custom_portforward" ]; then
|
||||||
|
echo -e "\E[33mLoading custom port forwarding rules...\E[37m"
|
||||||
|
. "$BASEDIR/include/ipv4_custom_portforward"
|
||||||
|
echo -ne "\n"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ $PORTFW ] && [ $NAT ]; then
|
if [ $PORTFW ] && [ $NAT ]; then
|
||||||
echo -en "\E[33mAdding port forward for:\E[37m "
|
echo -en "\E[33mAdding port forward for:\E[37m "
|
||||||
for i in `grep -v "\#" $PORTFW`; do
|
for i in `grep -v "\#" $PORTFW`; do
|
||||||
|
@ -215,8 +264,11 @@ if [ $LANDHCPSERVER ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
if [ -s "$BASEDIR/include/ipv4_custom_nat" ]; then
|
||||||
|
echo -e "\E[33mLoading custom nat rules...\E[37m"
|
||||||
|
. "$BASEDIR/include/ipv4_custom_nat"
|
||||||
|
echo -ne "\n"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ $NAT ]; then
|
if [ $NAT ]; then
|
||||||
for i in $NATRANGE; do
|
for i in $NATRANGE; do
|
||||||
|
@ -233,6 +285,13 @@ $IPTABLES --policy INPUT ACCEPT
|
||||||
$IPTABLES --policy OUTPUT ACCEPT
|
$IPTABLES --policy OUTPUT ACCEPT
|
||||||
$IPTABLES --policy FORWARD DROP
|
$IPTABLES --policy FORWARD DROP
|
||||||
|
|
||||||
|
|
||||||
|
if [ -s "$BASEDIR/include/ipv4_custom_blockincoming" ]; then
|
||||||
|
echo -e "\E[33mLoading custom incoming blocked rules...\E[37m"
|
||||||
|
. "$BASEDIR/include/ipv4_custom_blockincoming"
|
||||||
|
echo -ne "\n"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ $BLOCKINCOMING ]; then
|
if [ $BLOCKINCOMING ]; then
|
||||||
$IPTABLES -A INPUT -p tcp --syn -j DROP
|
$IPTABLES -A INPUT -p tcp --syn -j DROP
|
||||||
$IPTABLES -A INPUT -p udp -j DROP
|
$IPTABLES -A INPUT -p udp -j DROP
|
||||||
|
|
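Review bot: Each new `. "$BASEDIR/include/ipv4_custom_*"` line executes the include file in the firewall script's own shell, which runs as root if this script is the one loading the iptables rules, and the only gate in front of it is `[ -s "$BASEDIR/include/..." ]`, so anyone who can write into `$BASEDIR/include/` can run arbitrary commands at that privilege. The last hunk is the clearest case: `ipv4_custom_blockincoming` is sourced right after `--policy INPUT ACCEPT`/`OUTPUT ACCEPT`, so an `exit` or error inside it would also leave the ruleset half-built with an open INPUT policy. I would route all ten identical `if [ -s ... ]` blocks through one helper that refuses files that are not root-owned or are group/world-writable, reports that visibly, and continues rather than aborting, so a bad include is skipped instead of failing open. The enclosing script starts and ends outside these hunks, and the ownership test below assumes GNU `stat`/`find`, which fits the Linux iptables target but should be confirmed.
```shell
# Source an include file only when it is root-owned and not writable by
# group/other: these snippets run with this script's (root) privileges.
# A rejected file is skipped, not fatal, so the rest of the ruleset still loads.
load_custom() {
  local f="$BASEDIR/include/$1" label="$2"
  [ -s "$f" ] || return 0
  if [ "$(stat -c %u "$f")" != "0" ] || [ -n "$(find "$f" -perm /022)" ]; then
    echo -e "\E[31mRefusing to load $f: must be root-owned and not group/world-writable\E[37m" >&2
    return 0
  fi
  echo -e "\E[33mLoading custom $label rules...\E[37m"
  . "$f"
  echo -ne "\n"
}
# … unchanged: each 'if [ -s "$BASEDIR/include/ipv4_custom_X" ]; then … fi' block
#   becomes a single call, e.g.  load_custom ipv4_custom_blockincoming "incoming blocked"  …
```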