gsd
/
zapret
mirror of https://github.com/bol-van/zapret/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

init.d: openwrt-minimal exclude local subnets

pull/666/head
bol-van 6 months ago
parent
c645e17b0b
commit
2dc7332533
2 changed files with 34 additions and 6 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 24
      init.d/openwrt-minimal/tpws/etc/firewall.user
  2. 16
      init.d/openwrt-minimal/tpws/etc/nftables.d/90-tpws.nft

24
init.d/openwrt-minimal/tpws/etc/firewall.user
View File

@ -1,6 +1,9 @@
TP_PORT=900
TP_USER=daemon
EXCLUDE4="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16"
EXCLUDE6="fc00::/7 fe80::/10"
exists()
{
which "$1" >/dev/null 2>/dev/null
@ -8,13 +11,12 @@ exists()
ipt()
{
$IPTABLES $FW_EXTRA_PRE -C "$@" $FW_EXTRA_POST >/dev/null 2>/dev/null || $IPTABLES $FW_EXTRA_PRE -I "$@" $FW_EXTRA_POST
$IPTABLES -C "$@" >/dev/null 2>/dev/null || $IPTABLES -I "$@"
}
redirect_port()
{
ipt PREROUTING -t nat -p tcp --dport $1 -j REDIRECT --to-port $2
ipt OUTPUT -t nat -p tcp --dport $1 -m owner ! --uid-owner $TP_USER -j REDIRECT --to-port $2
ipt tpws -t nat -p tcp --dport $1 -j REDIRECT --to-port $2
}
redirect()
@ -24,5 +26,21 @@ redirect()
}
for IPTABLES in iptables ip6tables; do
$IPTABLES -t nat -N tpws 2>/dev/null
$IPTABLES -t nat -F tpws
exists $IPTABLES && redirect
done
for net in $EXCLUDE4
do
iptables -t nat -I tpws -d $net -j RETURN
done
for net in $EXCLUDE6
do
ip6tables -t nat -I tpws -d $net -j RETURN
done
for IPTABLES in iptables ip6tables; do
ipt PREROUTING -t nat -j tpws
ipt OUTPUT -t nat -m owner ! --uid-owner $TP_USER -j tpws
done

16
init.d/openwrt-minimal/tpws/etc/nftables.d/90-tpws.nft
View File

@ -1,8 +1,18 @@
chain tpws_re {
set tpws_exclude4 {
type ipv4_addr; flags interval; auto-merge;
elements = { 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16 }
}
set tpws_exclude6 {
type ipv6_addr; flags interval; auto-merge;
elements = { fc00::/7, fe80::/10 }
}
chain tpws_pre {
type nat hook prerouting priority dstnat; policy accept;
tcp dport {80,443} redirect to :900
tcp dport {80,443} ip daddr != @tpws_exclude4 redirect to :900
tcp dport {80,443} ip6 daddr != @tpws_exclude6 redirect to :900
}
chain tpws_out {
type nat hook output priority -100; policy accept;
tcp dport {80,443} skuid != daemon redirect to :900
tcp dport {80,443} skuid != daemon ip daddr != @tpws_exclude4 redirect to :900
tcp dport {80,443} skuid != daemon ip6 daddr != @tpws_exclude6 redirect to :900
}

Write Preview
Loading…
Cancel
Save