gsd
/
zapret
mirror of https://github.com/bol-van/zapret/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Tiera

pull/5/head
bolvan 9 years ago
parent
3ee83662ec
commit
24dd590ece
6 changed files with 89 additions and 7 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      changes.txt
  2. 24
      init.d/debian7/zapret
  3. 18
      init.d/openwrt/firewall.user.tiera
  4. 18
      init.d/openwrt/zapret
  5. 32
      init.d/ubuntu12/zapret.conf
  6. 2
      readme.txt

2
changes.txt
View File

@ -47,3 +47,5 @@ v9
ipban : added ipban ipset. place domains banned by ip to zapret-hosts-user-ipban.txt
these IPs must be soxified for both http and https
ISP support : tiera support
ISP support : added DNS filtering to ubuntu and debian scripts

24
init.d/debian7/zapret
View File

@ -5,6 +5,7 @@ ISP=mns
#ISP=rt
#ISP=beeline
#ISP=domru
#ISP=tiera
# CHOSE NETWORK INTERFACE BEHIND NAT
SLAVE_ETH=eth0
@ -57,9 +58,24 @@ case "$1" in
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
# BLOCK SPOOFED DNS FROM DOMRU
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
DAEMON=$TPWS
DAEMON_OPTS="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
;;
tiera)
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
DAEMON=$TPWS
DAEMON_OPTS="--port=$TPPORT --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
;;
esac
echo -n "Starting $DESC: "
@ -80,6 +96,14 @@ case "$1" in
DAEMON=$NFQWS
;;
domru)
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
DAEMON=$TPWS
;;
tiera)
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT

18
init.d/openwrt/firewall.user.tiera
View File

@ -0,0 +1,18 @@
TPPORT=1188
TPWS_USER=daemon
. /lib/functions/network.sh
network_find_wan wan_iface
for ext_iface in $wan_iface; do
network_get_device DEVICE $ext_iface
# DNAT for local traffic
iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
done
sysctl -w net.ipv4.conf.br-lan.route_localnet=1
iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT

18
init.d/openwrt/zapret
View File

@ -5,7 +5,9 @@
#ISP=mns
#ISP=rt
#ISP=beeline
ISP=domru
#ISP=domru
ISP=tiera
#ISP=none
# !!!!! in openwrt you need to add firewall rules manually to /etc/firewall.user
@ -58,6 +60,10 @@ get_daemon() {
DAEMON_OPTS="--port=$TPPORT --hostcase --split-http-req=host --bind-addr=127.0.0.1 --user=$TPWS_USER"
DAEMON=$TPWS
;;
tiera)
DAEMON_OPTS="--port=$TPPORT --split-http-req=host --bind-addr=127.0.0.1 --user=$TPWS_USER"
DAEMON=$TPWS
;;
esac
}
@ -68,12 +74,16 @@ start() {
($IPSET_CR)
get_daemon
echo "Starting $DAEMON"
service_start $DAEMON --daemon $DAEMON_OPTS
[ -n "$DAEMON" ] && {
echo "Starting $DAEMON"
service_start $DAEMON --daemon $DAEMON_OPTS
}
}
stop() {
get_daemon
service_stop $DAEMON
[ -n "$DAEMON" ] && {
service_stop $DAEMON
}
}

32
init.d/ubuntu12/zapret.conf
View File

@ -4,13 +4,14 @@ start on runlevel [2345]
stop on runlevel [!2345]
# CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE.
env ISP=mns
#env ISP=mns
#env ISP=rt
#env ISP=beeline
#env ISP=domru
env ISP=domru
#env ISP=tiera
# CHOSE NETWORK INTERFACE BEHIND NAT
env SLAVE_ETH=eth1
env SLAVE_ETH=eth0
env QNUM=200
@ -33,6 +34,19 @@ pre-start script
iptables -t mangle -I POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
;;
domru)
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
# BLOCK SPOOFED DNS FROM DOMRU
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
;;
tiera)
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
@ -61,8 +75,13 @@ script
NFEXE=$TPWS
NFARG="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
;;
tiera)
NFEXE=$TPWS
NFARG="--port=$TPPORT --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
;;
esac
$NFEXE $NFARG
[ -n "$NFEXE" ] && $NFEXE $NFARG
end script
pre-stop script
@ -74,6 +93,13 @@ pre-stop script
iptables -t mangle -D POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
;;
domru)
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
;;
tiera)
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT

2
readme.txt
View File

@ -134,6 +134,8 @@ tkt : помогает разделение http запроса на сегме
блокировки так же обходятся без применения "тяжелой артиллерии" следующим правилом :
iptables -t raw -I PREROUTING -p tcp --sport 80 -m string --hex-string "|0D0A|Location: http://95.167.13.50" --algo bm -j DROP --from 40 --to 200
Ростелеком : см tkt
tiera : сама тиера до последнего ничего не банила. Похоже, что банит вышестоящий оператор, возможно telia.
Требуется сплит http запросов в течение всей сессии.
Способы получения списка заблокированных IP
-------------------------------------------

Write Preview
Loading…
Cancel
Save