mirror of https://github.com/bol-van/zapret/
18 changed files with 434 additions and 401 deletions
@ -0,0 +1,242 @@ |
|||
#!/bin/sh |
|||
# For systemd : |
|||
# install : /usr/lib/lsb/install_initd zapret |
|||
# remove : /usr/lib/lsb/remove_initd zapret |
|||
### BEGIN INIT INFO |
|||
# Provides: zapret |
|||
# Required-Start: $local_fs $network |
|||
# Required-Stop: $local_fs $network |
|||
# Default-Start: 2 3 4 5 |
|||
# Default-Stop: 0 1 6 |
|||
### END INIT INFO |
|||
|
|||
|
|||
# +++ REVIEW CONFIG HERE +++ |
|||
|
|||
# CHOOSE OPERATION MODE |
|||
# leave only one MODE= uncommented |
|||
|
|||
# using nfqws with ipset |
|||
#MODE=nfqws_ipset |
|||
# using nfqws for all |
|||
#MODE=nfqws_all |
|||
# CHOOSE NFQWS DAEMON OPTIONS. run "nfq/nfqws --help" for option list |
|||
NFQWS_OPT="--wsize=3 --hostspell=HOST" |
|||
|
|||
# using tpws with ipset |
|||
MODE=tpws_ipset |
|||
# using tpws for all |
|||
#MODE=tpws_all |
|||
# using tpws with hostlist |
|||
#MODE=tpws_hostlist |
|||
# CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list |
|||
TPWS_OPT="--hostspell=HOST --split-http-req=method" |
|||
|
|||
# only fill ipset, do not run daemons |
|||
#MODE=ipset |
|||
|
|||
# Custom mode |
|||
# Find out what works for you and modify "# PLACEHOLDER" parts of this script |
|||
#MODE=custom |
|||
|
|||
# CHOSE NETWORK INTERFACE BEHIND NAT (LAN) |
|||
SLAVE_ETH=eth0 |
|||
|
|||
# --- REVIEW CONFIG HERE --- |
|||
|
|||
|
|||
|
|||
NAME=zapret |
|||
DESC=anti-zapret |
|||
PIDDIR=/var/run |
|||
|
|||
ZAPRET_BASE=/opt/zapret |
|||
IPSET_CR=$ZAPRET_BASE/ipset/create_ipset.sh |
|||
|
|||
QNUM=200 |
|||
NFQWS=$ZAPRET_BASE/nfq/nfqws |
|||
NFQWS_OPT_BASE="--qnum=$QNUM" |
|||
|
|||
TPPORT=1188 |
|||
TPWS=$ZAPRET_BASE/tpws/tpws |
|||
TPWS_USER=tpws |
|||
TPWS_HOSTLIST=$ZAPRET_BASE/ipset/zapret-hosts.txt |
|||
TPWS_OPT_BASE="--port=$TPPORT --user=$TPWS_USER --bind-addr=127.0.0.1" |
|||
|
|||
# exit script on any error |
|||
set -e |
|||
|
|||
prepare_tpws() |
|||
{ |
|||
# $TPWS_USER is required to prevent redirection of the traffic originating from TPWS itself |
|||
# otherwise infinite loop will occur |
|||
# also its good idea not to run tpws as root |
|||
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER |
|||
# otherwise linux kernel will treat 127.0.0.1 as "martian" ip and refuse routing to it |
|||
# NOTE : kernels <3.6 do not have this feature. consider upgrading or change DNAT to REDIRECT and do not bind to 127.0.0.1 |
|||
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1 |
|||
} |
|||
|
|||
fw_tpws_add() |
|||
{ |
|||
# $1 - iptable filter |
|||
prepare_tpws |
|||
echo "Adding iptables rule for tpws : $1" |
|||
iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null || |
|||
iptables -t nat -I PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT |
|||
iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null || |
|||
iptables -t nat -I OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT |
|||
} |
|||
fw_tpws_del() |
|||
{ |
|||
# $1 - iptable filter |
|||
echo "Deleting iptables rule for tpws : $1" |
|||
iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null && |
|||
iptables -t nat -D PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT |
|||
iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null && |
|||
iptables -t nat -D OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT |
|||
true |
|||
} |
|||
fw_nfqws_add_pre() |
|||
{ |
|||
# $1 - iptable filter |
|||
echo "Adding iptables rule for nfqws prerouting : $1" |
|||
iptables -t raw -C PREROUTING -p tcp --tcp-flags SYN,ACK SYN,ACK $1 -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null || |
|||
iptables -t raw -I PREROUTING -p tcp --tcp-flags SYN,ACK SYN,ACK $1 -j NFQUEUE --queue-num $QNUM --queue-bypass |
|||
} |
|||
fw_nfqws_del_pre() |
|||
{ |
|||
# $1 - iptable filter |
|||
echo "Deleting iptables rule for nfqws prerouting : $1" |
|||
iptables -t raw -C PREROUTING -p tcp --tcp-flags SYN,ACK SYN,ACK $1 -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null && |
|||
iptables -t raw -D PREROUTING -p tcp --tcp-flags SYN,ACK SYN,ACK $1 -j NFQUEUE --queue-num $QNUM --queue-bypass |
|||
true |
|||
} |
|||
fw_nfqws_add_post() |
|||
{ |
|||
# $1 - iptable filter |
|||
echo "Adding iptables rule for nfqws postrouting : $1" |
|||
iptables -t mangle -C POSTROUTING -p tcp $1 -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null || |
|||
iptables -t mangle -I POSTROUTING -p tcp $1 -j NFQUEUE --queue-num $QNUM --queue-bypass |
|||
} |
|||
fw_nfqws_del_post() |
|||
{ |
|||
# $1 - iptable filter |
|||
echo "Deleting iptables rule for nfqws postrouting : $1" |
|||
iptables -t mangle -C POSTROUTING -p tcp $1 -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null && |
|||
iptables -t mangle -D POSTROUTING -p tcp $1 -j NFQUEUE --queue-num $QNUM --queue-bypass |
|||
true |
|||
} |
|||
|
|||
run_daemon() |
|||
{ |
|||
# $1 - daemon string id or number. can use 1,2,3,... |
|||
# $2 - daemon |
|||
# $3 - daemon args |
|||
# use $PIDDIR/$DAEMONBASE$1.pid as pidfile |
|||
local DAEMONBASE=$(basename $2) |
|||
echo "Starting daemon $1: $2 $3" |
|||
start-stop-daemon --start --quiet --pidfile $PIDDIR/$DAEMONBASE$1.pid --background --make-pidfile \ |
|||
--exec $2 -- $3 |
|||
} |
|||
stop_daemon() |
|||
{ |
|||
# $1 - daemon string id or number. can use 1,2,3,... |
|||
# $2 - daemon |
|||
# use $PIDDIR/$DAEMONBASE$1.pid as pidfile |
|||
local DAEMONBASE=$(basename $2) |
|||
echo "Stopping daemon $1: $2" |
|||
start-stop-daemon --oknodo --stop --quiet --pidfile $PIDDIR/$DAEMONBASE$1.pid \ |
|||
--exec $2 |
|||
} |
|||
|
|||
|
|||
create_ipset() |
|||
{ |
|||
echo "Creating ipset" |
|||
($IPSET_CR) |
|||
} |
|||
|
|||
case "$1" in |
|||
start) |
|||
case "${MODE}" in |
|||
tpws_hostlist) |
|||
fw_tpws_add "--dport 80" |
|||
run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT --hostlist=$TPWS_HOSTLIST" |
|||
;; |
|||
tpws_ipset) |
|||
create_ipset |
|||
fw_tpws_add "--dport 80 -m set --match-set zapret dst" |
|||
run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT" |
|||
;; |
|||
tpws_all) |
|||
fw_tpws_add "--dport 80" |
|||
run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT" |
|||
;; |
|||
nfqws_ipset) |
|||
create_ipset |
|||
fw_nfqws_add_pre "--sport 80 -m set --match-set zapret src" |
|||
fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst" |
|||
run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT" |
|||
;; |
|||
nfqws_all) |
|||
fw_nfqws_add_pre "--sport 80" |
|||
fw_nfqws_add_post "--dport 80" |
|||
run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT" |
|||
;; |
|||
ipset) |
|||
create_ipset |
|||
;; |
|||
custom) |
|||
# PLACEHOLDER |
|||
echo !!! NEED ATTENTION !!! |
|||
echo Configure iptables for required actions |
|||
echo Start daemon\(s\) |
|||
echo Study how other sections work |
|||
run_daemon 1 /bin/sleep 20 |
|||
;; |
|||
esac |
|||
;; |
|||
|
|||
stop) |
|||
case "${MODE}" in |
|||
tpws_hostlist) |
|||
fw_tpws_del "--dport 80" |
|||
stop_daemon 1 $TPWS |
|||
;; |
|||
tpws_ipset) |
|||
fw_tpws_del "--dport 80 -m set --match-set zapret dst" |
|||
stop_daemon 1 $TPWS |
|||
;; |
|||
tpws_all) |
|||
fw_tpws_del "--dport 80" |
|||
stop_daemon 1 $TPWS |
|||
;; |
|||
nfqws_ipset) |
|||
fw_nfqws_del_pre "--sport 80 -m set --match-set zapret src" |
|||
fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst" |
|||
stop_daemon 1 $NFQWS |
|||
;; |
|||
nfqws_all) |
|||
fw_nfqws_del_pre "--sport 80" |
|||
fw_nfqws_del_post "--dport 80" |
|||
stop_daemon 1 $NFQWS |
|||
;; |
|||
custom) |
|||
# PLACEHOLDER |
|||
echo !!! NEED ATTENTION !!! |
|||
echo Clear firewall rules here. Remove iptables changes made previously. |
|||
echo Stop daemon\(s\) previously started. |
|||
echo Study how other sections work. |
|||
;; |
|||
esac |
|||
;; |
|||
|
|||
*) |
|||
N=/etc/init.d/$NAME |
|||
echo "Usage: $N {start|stop}" >&2 |
|||
exit 1 |
|||
;; |
|||
esac |
|||
|
|||
exit 0 |
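Review bot: The `stop` branch for the tpws modes (tpws_hostlist, tpws_ipset, tpws_all) deletes the DNAT rules but never reverts `net.ipv4.conf.$SLAVE_ETH.route_localnet`, which `prepare_tpws` sets to 1 at start; the deleted version of this script reset it to 0 on stop. With the DNAT rules gone, a lingering `route_localnet=1` on the LAN interface can leave loopback-bound services reachable from that segment, so the teardown is incomplete. Adding `sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0` before the final `true` in `fw_tpws_del` (or in each tpws_* stop arm) restores the previous behaviour. Separately, `local` in `run_daemon`/`stop_daemon` is not POSIX, although dash and busybox ash accept it under `#!/bin/sh`.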
@ -1,192 +0,0 @@ |
|||
#!/bin/sh |
|||
# For systemd : |
|||
# install : /usr/lib/lsb/install_initd zapret |
|||
# remove : /usr/lib/lsb/remove_initd zapret |
|||
### BEGIN INIT INFO |
|||
# Provides: zapret |
|||
# Required-Start: $local_fs $network |
|||
# Required-Stop: $local_fs $network |
|||
# Default-Start: 2 3 4 5 |
|||
# Default-Stop: 0 1 6 |
|||
### END INIT INFO |
|||
|
|||
# CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE. |
|||
ISP=mns |
|||
#ISP=rt |
|||
#ISP=beeline |
|||
#ISP=domru |
|||
#ISP=tiera |
|||
#ISP=athome |
|||
|
|||
# Its possible not to use ipset. Use hostlist with tpws instead. |
|||
#ISP=hostlist |
|||
|
|||
# If ISP is unlisted then uncomment "custom" |
|||
# Find out what works for your ISP and modify "# PLACEHOLDER" parts of this script |
|||
#ISP=custom |
|||
|
|||
# CHOSE NETWORK INTERFACE BEHIND NAT |
|||
SLAVE_ETH=eth0 |
|||
|
|||
|
|||
ZAPRET_BASE=/opt/zapret |
|||
|
|||
IPSET_CR=$ZAPRET_BASE/ipset/create_ipset.sh |
|||
NAME=zapret |
|||
DESC=anti-zapret |
|||
|
|||
QNUM=200 |
|||
TPPORT=1188 |
|||
ROUTE_TABLE_NUM=100 |
|||
NFQWS=$ZAPRET_BASE/nfq/nfqws |
|||
TPWS=$ZAPRET_BASE/tpws/tpws |
|||
TPWS_USER=tpws |
|||
TPWS_HOSTLIST=$ZAPRET_BASE/ipset/zapret-hosts.txt |
|||
|
|||
PIDFILE=/var/run/$NAME.pid |
|||
|
|||
set -e |
|||
|
|||
|
|||
prepare_tpws() |
|||
{ |
|||
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER |
|||
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1 |
|||
} |
|||
|
|||
case "$1" in |
|||
start) |
|||
echo "Creating ipset" |
|||
($IPSET_CR) |
|||
|
|||
echo "Adding iptables rule" |
|||
case "${ISP}" in |
|||
hostlist) |
|||
prepare_tpws |
|||
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null || |
|||
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -j DNAT --to 127.0.0.1:$TPPORT |
|||
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null || |
|||
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -j DNAT --to 127.0.0.1:$TPPORT |
|||
DAEMON=$TPWS |
|||
DAEMON_OPTS="--port=$TPPORT --hostlist=$TPWS_HOSTLIST --hostcase --split-http-req=method --user=$TPWS_USER --bind-addr=127.0.0.1" |
|||
;; |
|||
mns) |
|||
iptables -t raw -C PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null || |
|||
iptables -t raw -I PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass |
|||
DAEMON=$NFQWS |
|||
DAEMON_OPTS="--qnum=$QNUM --wsize=3" |
|||
;; |
|||
rt) |
|||
iptables -t raw -C PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null || |
|||
iptables -t raw -I PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass |
|||
DAEMON=$NFQWS |
|||
DAEMON_OPTS="--qnum=$QNUM --wsize=20" |
|||
;; |
|||
beeline) |
|||
iptables -t mangle -C POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null || |
|||
iptables -t mangle -I POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass |
|||
DAEMON=$NFQWS |
|||
DAEMON_OPTS="--qnum=$QNUM --hostspell=HOST" |
|||
;; |
|||
domru) |
|||
prepare_tpws |
|||
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null || |
|||
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT |
|||
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null || |
|||
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT |
|||
# BLOCK SPOOFED DNS FROM DOMRU |
|||
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|05030311|" --algo bm -j DROP --from 40 --to 300 || |
|||
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|05030311|" --algo bm -j DROP --from 40 --to 300 |
|||
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00200010000000000030017|" --algo bm -j DROP --from 40 --to 300 || |
|||
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00200010000000000030017|" --algo bm -j DROP --from 40 --to 300 |
|||
DAEMON=$TPWS |
|||
DAEMON_OPTS="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1" |
|||
;; |
|||
tiera) |
|||
prepare_tpws |
|||
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null || |
|||
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT |
|||
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null || |
|||
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT |
|||
DAEMON=$TPWS |
|||
DAEMON_OPTS="--port=$TPPORT --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1" |
|||
;; |
|||
athome) |
|||
prepare_tpws |
|||
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null || |
|||
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT |
|||
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null || |
|||
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT |
|||
DAEMON=$TPWS |
|||
DAEMON_OPTS="--port=$TPPORT --split-http-req=method --user=$TPWS_USER --bind-addr=127.0.0.1" |
|||
;; |
|||
custom) |
|||
# PLACEHOLDER |
|||
echo !!! NEED ATTENTION !!! |
|||
echo Select daemon and options that work for you |
|||
echo \(optional\) Prepare environment for running daemon |
|||
echo Configure iptables for required actions |
|||
echo Study how other sections work |
|||
DAEMON=/bin/sleep |
|||
DAEMON_OPTS=20 |
|||
;; |
|||
esac |
|||
|
|||
echo -n "Starting $DESC: " |
|||
start-stop-daemon --start --quiet --pidfile $PIDFILE --background --make-pidfile \ |
|||
--exec $DAEMON -- $DAEMON_OPTS |
|||
echo "$NAME." |
|||
;; |
|||
stop) |
|||
echo "Deleting iptables rule" |
|||
|
|||
case "${ISP}" in |
|||
hostlist) |
|||
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -j DNAT --to 127.0.0.1:$TPPORT |
|||
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -j DNAT --to 127.0.0.1:$TPPORT |
|||
DAEMON=$TPWS |
|||
;; |
|||
mns|rt) |
|||
iptables -t raw -D PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass |
|||
DAEMON=$NFQWS |
|||
;; |
|||
beeline) |
|||
iptables -t mangle -D POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass |
|||
DAEMON=$NFQWS |
|||
;; |
|||
domru) |
|||
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0 |
|||
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT |
|||
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT |
|||
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|05030311|" --algo bm -j DROP --from 40 --to 300 |
|||
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00200010000000000030017|" --algo bm -j DROP --from 40 --to 300 |
|||
DAEMON=$TPWS |
|||
;; |
|||
tiera|athome) |
|||
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0 |
|||
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT |
|||
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT |
|||
DAEMON=$TPWS |
|||
;; |
|||
custom) |
|||
# PLACEHOLDER |
|||
echo !!! NEED ATTENTION !!! |
|||
echo Clear firewall rules here. Remove iptables changes made previously. |
|||
echo Select which daemon to stop. |
|||
echo Study how other sections work |
|||
;; |
|||
esac |
|||
|
|||
echo -n "Stopping $DESC: " |
|||
start-stop-daemon --oknodo --stop --quiet --pidfile $PIDFILE \ |
|||
--exec $DAEMON |
|||
echo "$NAME." |
|||
;; |
|||
*) |
|||
N=/etc/init.d/$NAME |
|||
echo "Usage: $N {start|stop}" >&2 |
|||
exit 1 |
|||
;; |
|||
esac |
|||
|
|||
exit 0 |
@ -1,19 +0,0 @@ |
|||
TPPORT=1188 |
|||
TPWS_USER=daemon |
|||
|
|||
. /lib/functions/network.sh |
|||
|
|||
network_find_wan wan_iface |
|||
|
|||
for ext_iface in $wan_iface; do |
|||
network_get_device DEVICE $ext_iface |
|||
# DNAT for local traffic |
|||
iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT || |
|||
iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT |
|||
|
|||
done |
|||
|
|||
network_get_device DEVICE lan |
|||
sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1 |
|||
iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT || |
|||
iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT |
@ -1,5 +0,0 @@ |
|||
# put it to /etc/firewall.user |
|||
|
|||
# for BEELINE ISP |
|||
iptables -t mangle -C POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num 200 --queue-bypass || |
|||
iptables -t mangle -I POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num 200 --queue-bypass |
@ -1,3 +0,0 @@ |
|||
# put it to /etc/firewall.user |
|||
|
|||
# study how other firewall.user scripts work and put here rules that work for you |
@ -1,24 +0,0 @@ |
|||
TPPORT=1188 |
|||
TPWS_USER=daemon |
|||
|
|||
. /lib/functions/network.sh |
|||
|
|||
network_find_wan wan_iface |
|||
|
|||
for ext_iface in $wan_iface; do |
|||
network_get_device DEVICE $ext_iface |
|||
# BLOCK SPOOFED DNS FROM DOMRU |
|||
iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|05030311|" --algo bm -j DROP --from 40 --to 300 || |
|||
iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|05030311|" --algo bm -j DROP --from 40 --to 300 |
|||
iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00200010000000000030017|" --algo bm -j DROP --from 40 --to 300 || |
|||
iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00200010000000000030017|" --algo bm -j DROP --from 40 --to 300 |
|||
# DNAT for local traffic |
|||
iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT || |
|||
iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT |
|||
|
|||
done |
|||
|
|||
network_get_device DEVICE lan |
|||
sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1 |
|||
iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT || |
|||
iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT |
@ -1,20 +0,0 @@ |
|||
TPPORT=1188 |
|||
TPWS_USER=daemon |
|||
|
|||
. /lib/functions/network.sh |
|||
|
|||
network_find_wan wan_iface |
|||
|
|||
for ext_iface in $wan_iface; do |
|||
network_get_device DEVICE $ext_iface |
|||
# DNAT for local traffic |
|||
|
|||
iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -j DNAT --to 127.0.0.1:$TPPORT || |
|||
iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -j DNAT --to 127.0.0.1:$TPPORT |
|||
|
|||
done |
|||
|
|||
network_get_device DEVICE lan |
|||
sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1 |
|||
iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -j DNAT --to 127.0.0.1:$TPPORT || |
|||
iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -j DNAT --to 127.0.0.1:$TPPORT |
@ -1,2 +0,0 @@ |
|||
iptables -t raw -C PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num 200 --queue-bypass || |
|||
iptables -t raw -I PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num 200 --queue-bypass |
@ -0,0 +1,9 @@ |
|||
QNUM=200 |
|||
IPT_FILTER_PRE="-p tcp --sport 80" |
|||
IPT_FILTER_POST="-p tcp --dport 80" |
|||
|
|||
iptables -t raw -C PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass || |
|||
iptables -t raw -I PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass |
|||
|
|||
iptables -t mangle -C POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass || |
|||
iptables -t mangle -I POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass |
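Review bot: `IPT_FILTER_PRE` on the second line of this file drops the `--tcp-flags SYN,ACK SYN,ACK` match that the deleted mns/rt firewall.user files and `fw_nfqws_add_pre` in the new init script keep, so the raw PREROUTING rule now hands every inbound packet with source port 80 to the NFQUEUE instead of only the SYN,ACK; that multiplies userspace round trips per connection on a path any remote peer can drive. If the broader match is intentional a comment saying so would help, otherwise `IPT_FILTER_PRE="-p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK"` aligns it with the init script. The same applies to the nfqws firewall.user variant with the zapret ipset matches that follows in this commit. `--queue-bypass` makes both rules fail open (packets pass untouched) when nfqws is not listening, which is presumably the intended degraded mode here.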
@ -0,0 +1,9 @@ |
|||
QNUM=200 |
|||
IPT_FILTER_PRE="-p tcp --sport 80 -m set --match-set zapret src" |
|||
IPT_FILTER_POST="-p tcp --dport 80 -m set --match-set zapret dst" |
|||
|
|||
iptables -t raw -C PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass || |
|||
iptables -t raw -I PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass |
|||
|
|||
iptables -t mangle -C POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass || |
|||
iptables -t mangle -I POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass |
@ -1,2 +0,0 @@ |
|||
iptables -t raw -C PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num 200 --queue-bypass || |
|||
iptables -t raw -I PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num 200 --queue-bypass |
@ -1,19 +0,0 @@ |
|||
TPPORT=1188 |
|||
TPWS_USER=daemon |
|||
|
|||
. /lib/functions/network.sh |
|||
|
|||
network_find_wan wan_iface |
|||
|
|||
for ext_iface in $wan_iface; do |
|||
network_get_device DEVICE $ext_iface |
|||
# DNAT for local traffic |
|||
iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT || |
|||
iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT |
|||
|
|||
done |
|||
|
|||
network_get_device DEVICE lan |
|||
sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1 |
|||
iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT || |
|||
iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT |
@ -0,0 +1,21 @@ |
|||
TPPORT=1188 |
|||
TPWS_USER=daemon |
|||
IPT_FILTER="-p tcp --dport 80" |
|||
|
|||
. /lib/functions/network.sh |
|||
|
|||
network_find_wan wan_iface |
|||
|
|||
for ext_iface in $wan_iface; do |
|||
network_get_device DEVICE $ext_iface |
|||
# DNAT for local traffic |
|||
|
|||
iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT || |
|||
iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT |
|||
|
|||
done |
|||
|
|||
network_get_device DEVICE lan |
|||
sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1 |
|||
iptables -t nat -C prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT || |
|||
iptables -t nat -I prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT |
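Review bot: `TPWS_USER=daemon` on the second line makes the `-m owner ! --uid-owner $TPWS_USER` exemption in the OUTPUT rule apply to every process running under the shared `daemon` uid, not only tpws, and that owner match is also the sole loop guard: the init script in this same commit explains that the exemption exists to stop tpws' own traffic being redirected back into it, and it uses a dedicated `tpws` account created with adduser. If the OpenWrt side runs tpws as `daemon` this works, but a dedicated uid (where the platform allows creating one) would narrow the bypass; at minimum a comment `# must be the uid tpws runs as, otherwise its own connections are redirected back into it` next to the assignment documents the coupling. The same applies to the ipset variant of this file later in the commit. `route_localnet=1` on the lan device is set here with no corresponding reset, which matches the rest of the firewall.user scripts but is worth knowing when the DNAT rules are later removed.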
@ -0,0 +1 @@ |
|||
firewall.user.tpws_all |
@ -0,0 +1,21 @@ |
|||
TPPORT=1188 |
|||
TPWS_USER=daemon |
|||
IPT_FILTER="-p tcp --dport 80 -m set --match-set zapret dst" |
|||
|
|||
. /lib/functions/network.sh |
|||
|
|||
network_find_wan wan_iface |
|||
|
|||
for ext_iface in $wan_iface; do |
|||
network_get_device DEVICE $ext_iface |
|||
# DNAT for local traffic |
|||
|
|||
iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT || |
|||
iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT |
|||
|
|||
done |
|||
|
|||
network_get_device DEVICE lan |
|||
sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1 |
|||
iptables -t nat -C prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT || |
|||
iptables -t nat -I prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT |