mirror of
https://github.com/bol-van/zapret.git
synced 2024-11-30 05:50:53 +03:00
Update readme.eng.md
This commit is contained in:
parent
0ee60e4f88
commit
04ace190ce
@ -1,5 +1,4 @@
|
|||||||
What is it for
|
## What is it for
|
||||||
--------------
|
|
||||||
|
|
||||||
A stand-alone (without 3rd party servers) DPI circumvention tool.
|
A stand-alone (without 3rd party servers) DPI circumvention tool.
|
||||||
May allow to bypass http(s) website blocking or speed shaping, resist signature tcp protocol discovery.
|
May allow to bypass http(s) website blocking or speed shaping, resist signature tcp protocol discovery.
|
||||||
@ -10,8 +9,7 @@ blocked by Roskomnadzor), but most others are common.
|
|||||||
|
|
||||||
Mainly OpenWRT targeted but also supports traditional Linux, FreeBSD, OpenBSD, partially MacOS.
|
Mainly OpenWRT targeted but also supports traditional Linux, FreeBSD, OpenBSD, partially MacOS.
|
||||||
|
|
||||||
How it works
|
## How it works
|
||||||
------------
|
|
||||||
|
|
||||||
In the simplest case you are dealing with passive DPI. Passive DPI can read passthrough traffic,
|
In the simplest case you are dealing with passive DPI. Passive DPI can read passthrough traffic,
|
||||||
inject its own packets, but cannot drop packets.
|
inject its own packets, but cannot drop packets.
|
||||||
@ -27,17 +25,16 @@ This project is aimed at preventing the ban rather than eliminating its conseque
|
|||||||
To do that send what DPI does not expect and what breaks its algorithm of recognizing requests and blocking them.
|
To do that send what DPI does not expect and what breaks its algorithm of recognizing requests and blocking them.
|
||||||
|
|
||||||
Some DPIs cannot recognize the http request if it is divided into TCP segments.
|
Some DPIs cannot recognize the http request if it is divided into TCP segments.
|
||||||
For example, a request of the form "GET / HTTP / 1.1 \ r \ nHost: kinozal.tv ......"
|
For example, a request of the form `GET / HTTP / 1.1 \ r \ nHost: kinozal.tv ......`
|
||||||
we send in 2 parts: first go "GET", then "/ HTTP / 1.1 \ r \ nHost: kinozal.tv .....".
|
we send in 2 parts: first go "GET", then `/ HTTP / 1.1 \ r \ nHost: kinozal.tv .....`.
|
||||||
Other DPIs stumble when the "Host:" header is written in another case: for example, "host:".
|
Other DPIs stumble when the `Host:` header is written in another case: for example, "host:".
|
||||||
Sometimes work adding extra space after the method: "GET /" => "GET /"
|
Sometimes work adding extra space after the method: `GET /` => `GET /`
|
||||||
or adding a dot at the end of the host name: "Host: kinozal.tv."
|
or adding a dot at the end of the host name: `Host: kinozal.tv.`
|
||||||
|
|
||||||
There is also more advanced magic for bypassing DPI at the packet level.
|
There is also more advanced magic for bypassing DPI at the packet level.
|
||||||
|
|
||||||
|
|
||||||
How to put this into practice in the linux system
|
## How to put this into practice in the linux system
|
||||||
-------------------------------------------------
|
|
||||||
|
|
||||||
In short, the options can be classified according to the following scheme:
|
In short, the options can be classified according to the following scheme:
|
||||||
|
|
||||||
@ -53,15 +50,16 @@ You need to run them with the necessary parameters and redirect certain traffic
|
|||||||
To redirect a TCP connection to a transparent proxy, the following commands are used:
|
To redirect a TCP connection to a transparent proxy, the following commands are used:
|
||||||
|
|
||||||
forwarded traffic :
|
forwarded traffic :
|
||||||
iptables -t nat -I PREROUTING -i <internal_interface> -p tcp --dport 80 -j DNAT --to 127.0.0.127:988
|
`iptables -t nat -I PREROUTING -i <internal_interface> -p tcp --dport 80 -j DNAT --to 127.0.0.127:988`
|
||||||
|
|
||||||
outgoing traffic :
|
outgoing traffic :
|
||||||
iptables -t nat -I OUTPUT -o <external_interface> -p tcp --dport 80 -m owner ! --uid-owner tpws -j DNAT --to 127.0.0.127:988
|
`iptables -t nat -I OUTPUT -o <external_interface> -p tcp --dport 80 -m owner ! --uid-owner tpws -j DNAT --to 127.0.0.127:988`
|
||||||
|
|
||||||
DNAT on localhost works in the OUTPUT chain, but does not work in the PREROUTING chain without enabling the route_localnet parameter:
|
DNAT on localhost works in the OUTPUT chain, but does not work in the PREROUTING chain without enabling the route_localnet parameter:
|
||||||
|
|
||||||
sysctl -w net.ipv4.conf.<internal_interface>.route_localnet=1
|
`sysctl -w net.ipv4.conf.<internal_interface>.route_localnet=1`
|
||||||
|
|
||||||
You can use "-j REDIRECT --to-port 988" instead of DNAT, but in this case the transparent proxy process
|
You can use `-j REDIRECT --to-port 988` instead of DNAT, but in this case the transparent proxy process
|
||||||
should listen on the ip address of the incoming interface or on all addresses. Listen all - not good
|
should listen on the ip address of the incoming interface or on all addresses. Listen all - not good
|
||||||
in terms of security. Listening one (local) is possible, but automated scripts will have to recognize it,
|
in terms of security. Listening one (local) is possible, but automated scripts will have to recognize it,
|
||||||
then dynamically enter it into the command. In any case, additional efforts are required.
|
then dynamically enter it into the command. In any case, additional efforts are required.
|
||||||
@ -69,8 +67,10 @@ Using route_localnet can also introduce some security risks. You make available
|
|||||||
bound to 127.0.0.0/8. Services are usually bound to 127.0.0.1. Its possible to deny input to 127.0.0.1 from all interfaces except lo
|
bound to 127.0.0.0/8. Services are usually bound to 127.0.0.1. Its possible to deny input to 127.0.0.1 from all interfaces except lo
|
||||||
or bind tpws to any other IP from 127.0.0.0/8 range, for example to 127.0.0.127, and allow incomings only to that IP :
|
or bind tpws to any other IP from 127.0.0.0/8 range, for example to 127.0.0.127, and allow incomings only to that IP :
|
||||||
|
|
||||||
|
```
|
||||||
iptables -A INPUT ! -i lo -d 127.0.0.127 -j ACCEPT
|
iptables -A INPUT ! -i lo -d 127.0.0.127 -j ACCEPT
|
||||||
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
|
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
|
||||||
|
```
|
||||||
|
|
||||||
Owner filter is necessary to prevent recursive redirection of connections from tpws itself.
|
Owner filter is necessary to prevent recursive redirection of connections from tpws itself.
|
||||||
tpws must be started under OS user "tpws".
|
tpws must be started under OS user "tpws".
|
||||||
@ -79,29 +79,28 @@ tpws must be started under OS user "tpws".
|
|||||||
NFQUEUE redirection of the outgoing traffic and forwarded traffic going towards the external interface,
|
NFQUEUE redirection of the outgoing traffic and forwarded traffic going towards the external interface,
|
||||||
can be done with the following commands:
|
can be done with the following commands:
|
||||||
|
|
||||||
iptables -t mangle -I POSTROUTING -o <external_interface> -p tcp --dport 80 -j NFQUEUE --queue-num 200 --queue-bypass
|
`iptables -t mangle -I POSTROUTING -o <external_interface> -p tcp --dport 80 -j NFQUEUE --queue-num 200 --queue-bypass`
|
||||||
|
|
||||||
In order not to touch the traffic to unblocked addresses, you can take a list of blocked hosts, resolve it
|
In order not to touch the traffic to unblocked addresses, you can take a list of blocked hosts, resolve it
|
||||||
into IP addresses and put them to ipset 'zapret', then add a filter to the command:
|
into IP addresses and put them to ipset 'zapret', then add a filter to the command:
|
||||||
|
|
||||||
iptables -t mangle -I POSTROUTING -o <external_interface> -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num 200 --queue-bypass
|
`iptables -t mangle -I POSTROUTING -o <external_interface> -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num 200 --queue-bypass`
|
||||||
|
|
||||||
Some DPIs catch only the first http request, ignoring subsequent requests in a keep-alive session.
|
Some DPIs catch only the first http request, ignoring subsequent requests in a keep-alive session.
|
||||||
Then we can reduce CPU load, refusing to process unnecessary packets.
|
Then we can reduce CPU load, refusing to process unnecessary packets.
|
||||||
|
|
||||||
iptables -t mangle -I POSTROUTING -o <external_interface> -p tcp --dport 80 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4 -m mark ! --mark 0x40000000/0x40000000 -m set --match-set zapret dst -j NFQUEUE --queue-num 200 --queue-bypass
|
`iptables -t mangle -I POSTROUTING -o <external_interface> -p tcp --dport 80 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4 -m mark ! --mark 0x40000000/0x40000000 -m set --match-set zapret dst -j NFQUEUE --queue-num 200 --queue-bypass`
|
||||||
|
|
||||||
Mark filter does not allow nfqws-generated packets to enter the queue again.
|
Mark filter does not allow nfqws-generated packets to enter the queue again.
|
||||||
Its necessary to use this filter when also using "connbytes 1:4". Without it packet ordering can be changed breaking the whole idea.
|
Its necessary to use this filter when also using "connbytes 1:4". Without it packet ordering can be changed breaking the whole idea.
|
||||||
|
|
||||||
|
|
||||||
ip6tables
|
## ip6tables
|
||||||
---------
|
|
||||||
|
|
||||||
ip6tables work almost exactly the same way as ipv4, but there are a number of important nuances.
|
ip6tables work almost exactly the same way as ipv4, but there are a number of important nuances.
|
||||||
In DNAT, you should take the address --to in square brackets. For example :
|
In DNAT, you should take the address --to in square brackets. For example :
|
||||||
|
|
||||||
ip6tables -t nat -I OUTPUT -o <external_interface> -p tcp --dport 80 -m owner ! --uid-owner tpws -j DNAT --to [::1]:988
|
`ip6tables -t nat -I OUTPUT -o <external_interface> -p tcp --dport 80 -m owner ! --uid-owner tpws -j DNAT --to [::1]:988`
|
||||||
|
|
||||||
The route_localnet parameter does not exist for ipv6.
|
The route_localnet parameter does not exist for ipv6.
|
||||||
DNAT to localhost (:: 1) is possible only in the OUTPUT chain.
|
DNAT to localhost (:: 1) is possible only in the OUTPUT chain.
|
||||||
@ -109,8 +108,7 @@ In the PREROUTING DNAT chain, it is possible to any global address or to the lin
|
|||||||
the packet came from.
|
the packet came from.
|
||||||
NFQUEUE works without changes.
|
NFQUEUE works without changes.
|
||||||
|
|
||||||
When it will not work
|
## When it will not work
|
||||||
----------------------
|
|
||||||
|
|
||||||
* If DNS server returns false responses. ISP can return false IP addresses or not return anything
|
* If DNS server returns false responses. ISP can return false IP addresses or not return anything
|
||||||
when blocked domains are queried. If this is the case change DNS to public ones, such as 8.8.8.8 or 1.1.1.1.
|
when blocked domains are queried. If this is the case change DNS to public ones, such as 8.8.8.8 or 1.1.1.1.
|
||||||
@ -123,13 +121,13 @@ as it should, it is useless to deceive him.
|
|||||||
BUT. Only small providers can afford using squid, since it is very resource intensive.
|
BUT. Only small providers can afford using squid, since it is very resource intensive.
|
||||||
Large companies usually use DPI, which is designed for much greater bandwidth.
|
Large companies usually use DPI, which is designed for much greater bandwidth.
|
||||||
|
|
||||||
nfqws
|
## nfqws
|
||||||
-----
|
|
||||||
|
|
||||||
This program is a packet modifier and a NFQUEUE queue handler.
|
This program is a packet modifier and a NFQUEUE queue handler.
|
||||||
For BSD systems there is dvtws. Its built from the same source and has almost the same parameters (see bsd.eng.txt).
|
For BSD systems there is dvtws. Its built from the same source and has almost the same parameters (see bsd.eng.txt).
|
||||||
nfqws takes the following parameters:
|
nfqws takes the following parameters:
|
||||||
|
|
||||||
|
```
|
||||||
--debug=0|1 ; 1=print debug info
|
--debug=0|1 ; 1=print debug info
|
||||||
--qnum=<nfqueue_number>
|
--qnum=<nfqueue_number>
|
||||||
--wsize=<winsize>[:<scale_factor>] ; change window size in SYN,ACK packets. default is not to change scale factor (OBSOLETE !)
|
--wsize=<winsize>[:<scale_factor>] ; change window size in SYN,ACK packets. default is not to change scale factor (OBSOLETE !)
|
||||||
@ -158,12 +156,14 @@ nfqws takes the following parameters:
|
|||||||
--dpi-desync-fake-tls=<filename> ; file containing fake TLS ClientHello (for https). replacement for built-in
|
--dpi-desync-fake-tls=<filename> ; file containing fake TLS ClientHello (for https). replacement for built-in
|
||||||
--dpi-desync-cutoff=N ; apply dpi desync only to packet numbers less than N
|
--dpi-desync-cutoff=N ; apply dpi desync only to packet numbers less than N
|
||||||
--hostlist=<filename> ; apply fooling only to the listed hosts (one host per line, subdomains auto apply)
|
--hostlist=<filename> ; apply fooling only to the listed hosts (one host per line, subdomains auto apply)
|
||||||
|
```
|
||||||
|
|
||||||
The manipulation parameters can be combined in any way.
|
The manipulation parameters can be combined in any way.
|
||||||
|
|
||||||
WARNING. --wsize parameter is now not used anymore in scripts. TCP split can be achieved using DPI desync attack.
|
WARNING. `--wsize` parameter is now not used anymore in scripts. TCP split can be achieved using DPI desync attack.
|
||||||
|
|
||||||
|
### DPI DESYNC ATTACK
|
||||||
|
|
||||||
DPI DESYNC ATTACK
|
|
||||||
After completion of the tcp 3-way handshake, the first data packet from the client goes.
|
After completion of the tcp 3-way handshake, the first data packet from the client goes.
|
||||||
It usually has "GET / ..." or TLS ClientHello. We drop this packet, replacing with something else.
|
It usually has "GET / ..." or TLS ClientHello. We drop this packet, replacing with something else.
|
||||||
It can be a fake version with another harmless but valid http or https request (fake), tcp reset packet (rst,rstack),
|
It can be a fake version with another harmless but valid http or https request (fake), tcp reset packet (rst,rstack),
|
||||||
@ -197,7 +197,7 @@ add tcp option "MD5 signature". All of them have their own disadvantages :
|
|||||||
This way you cant hurt anything, but good chances it will help to open local ISP websites.
|
This way you cant hurt anything, but good chances it will help to open local ISP websites.
|
||||||
If automatic solution cannot be found then use zapret-hosts-user-exclude.txt.
|
If automatic solution cannot be found then use zapret-hosts-user-exclude.txt.
|
||||||
|
|
||||||
--dpi-desync-fooling takes multiple comma separated values.
|
`--dpi-desync-fooling` takes multiple comma separated values.
|
||||||
|
|
||||||
For fake,rst,rstack modes original packet can be sent after the fake one or just dropped.
|
For fake,rst,rstack modes original packet can be sent after the fake one or just dropped.
|
||||||
If its dropped OS will perform first retransmission after 0.2 sec, then the delay increases exponentially.
|
If its dropped OS will perform first retransmission after 0.2 sec, then the delay increases exponentially.
|
||||||
@ -255,7 +255,8 @@ mark is needed to keep away generated packets from NFQUEUE. nfqws sets fwmark wh
|
|||||||
nfqws can internally filter marked packets. but when connbytes filter is used without mark filter
|
nfqws can internally filter marked packets. but when connbytes filter is used without mark filter
|
||||||
packet ordering can be changed breaking the whole idea of desync attack.
|
packet ordering can be changed breaking the whole idea of desync attack.
|
||||||
|
|
||||||
DPI DESYNC COMBOS
|
### DPI DESYNC COMBOS
|
||||||
|
|
||||||
dpi-desync parameter takes up to 3 comma separated arguments.
|
dpi-desync parameter takes up to 3 comma separated arguments.
|
||||||
zero phase means tcp connection establishement (before sending data payload). Mode can be "synack".
|
zero phase means tcp connection establishement (before sending data payload). Mode can be "synack".
|
||||||
Hostlist filter is not applicable to the zero phase.
|
Hostlist filter is not applicable to the zero phase.
|
||||||
@ -263,7 +264,8 @@ Next phases work on packets with data payload.
|
|||||||
1st phase mode can be fake,rst,rstack, 2nd phase mode - disorder,disorder2,split,split2.
|
1st phase mode can be fake,rst,rstack, 2nd phase mode - disorder,disorder2,split,split2.
|
||||||
Can be useful for ISPs with more than one DPI.
|
Can be useful for ISPs with more than one DPI.
|
||||||
|
|
||||||
SYNACK MODE
|
### SYNACK MODE
|
||||||
|
|
||||||
In geneva docs it's called "TCP turnaround". Attempt to make the DPI believe the roles of client and server are reversed.
|
In geneva docs it's called "TCP turnaround". Attempt to make the DPI believe the roles of client and server are reversed.
|
||||||
!!! This mode breaks NAT operation and can be used only if there's no NAT between the attacker's device and the DPI !
|
!!! This mode breaks NAT operation and can be used only if there's no NAT between the attacker's device and the DPI !
|
||||||
In linux it's required to remove standard firewall rule dropping INVALID packets in the OUTPUT chain,
|
In linux it's required to remove standard firewall rule dropping INVALID packets in the OUTPUT chain,
|
||||||
@ -284,13 +286,14 @@ then /etc/init.d/firewall restart
|
|||||||
Otherwise raw sending SYN,ACK frame will cause error stopping the further processing.
|
Otherwise raw sending SYN,ACK frame will cause error stopping the further processing.
|
||||||
If you realize you don't need the synack mode it's highly suggested to restore drop INVALID rule.
|
If you realize you don't need the synack mode it's highly suggested to restore drop INVALID rule.
|
||||||
|
|
||||||
VIRTUAL MACHINES
|
### VIRTUAL MACHINES
|
||||||
Most of nfqws packet magic does not work from VMs powered by virtualbox and vmware when network is NATed.
|
|
||||||
|
Most of nfqws packet magic does not work from VMs powered byvirtualbox and vmware when network is NATed.
|
||||||
Hypervisor forcibly changes ttl and does not forward fake packets.
|
Hypervisor forcibly changes ttl and does not forward fake packets.
|
||||||
Set up bridge networking.
|
Set up bridge networking.
|
||||||
|
|
||||||
|
### CONNTRACK
|
||||||
|
|
||||||
CONNTRACK
|
|
||||||
nfqws is equipped with minimalistic connection tracking system (conntrack)
|
nfqws is equipped with minimalistic connection tracking system (conntrack)
|
||||||
It's enabled if some specific DPI circumvention methods are involved.
|
It's enabled if some specific DPI circumvention methods are involved.
|
||||||
Currently these are --wssize and --dpi-desync-cutoff options.
|
Currently these are --wssize and --dpi-desync-cutoff options.
|
||||||
@ -301,7 +304,7 @@ That's why iptables redirection must start with the first packet although can be
|
|||||||
A connection is deleted from the table as soon as it's no more required to satisfy nfqws needs or when a timeout happens.
|
A connection is deleted from the table as soon as it's no more required to satisfy nfqws needs or when a timeout happens.
|
||||||
There're 3 timeouts for each connection state. They can be changed in --ctrack-timeouts parameter.
|
There're 3 timeouts for each connection state. They can be changed in --ctrack-timeouts parameter.
|
||||||
|
|
||||||
--wssize changes tcp window size for the server to force it to send split replies.
|
`--wssize` changes tcp window size for the server to force it to send split replies.
|
||||||
In order for this to affect all server operating systems, it is necessary to change the window size in each outgoing packet
|
In order for this to affect all server operating systems, it is necessary to change the window size in each outgoing packet
|
||||||
before sending the message, the answer to which must be split (for example, TLS ClientHello).
|
before sending the message, the answer to which must be split (for example, TLS ClientHello).
|
||||||
That's why conntrack is required to know when to stop applying low window size.
|
That's why conntrack is required to know when to stop applying low window size.
|
||||||
@ -329,19 +332,18 @@ On the other hand, the server response must not be large enough for the DPI to f
|
|||||||
|
|
||||||
Hostlist filter does not affect --wssize because it works since the connection initiation when it's not yet possible
|
Hostlist filter does not affect --wssize because it works since the connection initiation when it's not yet possible
|
||||||
to extract the host name.
|
to extract the host name.
|
||||||
--wssize may slow down sites and/or increase response time. It's desired to use another methods if possible.
|
`--wssize` may slow down sites and/or increase response time. It's desired to use another methods if possible.
|
||||||
|
|
||||||
--dpi-desync-cutoff allows you to set the limit on the number of the outgoing packet, at which it stops
|
`--dpi-desync-cutoff` allows you to set the limit on the number of the outgoing packet, at which it stops
|
||||||
applying dpi-desync. Useful with --dpi-desync-any-protocol=1.
|
applying dpi-desync. Useful with --dpi-desync-any-protocol=1.
|
||||||
If the connection falls out of the conntrack and --dpi-desync-cutoff is set, dpi desync will not be applied.
|
If the connection falls out of the conntrack and --dpi-desync-cutoff is set, dpi desync will not be applied.
|
||||||
Set conntrack timeouts appropriately.
|
Set conntrack timeouts appropriately.
|
||||||
|
|
||||||
|
## tpws
|
||||||
tpws
|
|
||||||
-----
|
|
||||||
|
|
||||||
tpws is transparent proxy.
|
tpws is transparent proxy.
|
||||||
|
|
||||||
|
```
|
||||||
--debug=0|1|2 ; 0(default)=silent 1=verbose 2=debug
|
--debug=0|1|2 ; 0(default)=silent 1=verbose 2=debug
|
||||||
--bind-addr=<v4_addr>|<v6_addr>; for v6 link locals append %interface_name : fe80::1%br-lan
|
--bind-addr=<v4_addr>|<v6_addr>; for v6 link locals append %interface_name : fe80::1%br-lan
|
||||||
--bind-iface4=<interface_name> ; bind to the first ipv4 addr of interface
|
--bind-iface4=<interface_name> ; bind to the first ipv4 addr of interface
|
||||||
@ -386,6 +388,7 @@ tpws is transparent proxy.
|
|||||||
--pidfile=<filename> ; write pid to file
|
--pidfile=<filename> ; write pid to file
|
||||||
--user=<username> ; drop root privs
|
--user=<username> ; drop root privs
|
||||||
--uid=uid[:gid] ; drop root privs
|
--uid=uid[:gid] ; drop root privs
|
||||||
|
```
|
||||||
|
|
||||||
The manipulation parameters can be combined in any way.
|
The manipulation parameters can be combined in any way.
|
||||||
|
|
||||||
@ -397,10 +400,14 @@ Port number is always the same.
|
|||||||
Parameters --bind-iface* and --bind-addr create new bind.
|
Parameters --bind-iface* and --bind-addr create new bind.
|
||||||
Other parameters --bind-* are related to the last bind.
|
Other parameters --bind-* are related to the last bind.
|
||||||
link local ipv6 (fe80::/8) mode selection :
|
link local ipv6 (fe80::/8) mode selection :
|
||||||
|
|
||||||
|
```
|
||||||
--bind-iface6 --bind-linklocal=no : first selects private address fd00::/8, then global address
|
--bind-iface6 --bind-linklocal=no : first selects private address fd00::/8, then global address
|
||||||
--bind-iface6 --bind-linklocal=unwanted : first selects private address fd00::/8, then global address, then LL
|
--bind-iface6 --bind-linklocal=unwanted : first selects private address fd00::/8, then global address, then LL
|
||||||
--bind-iface6 --bind-linklocal=prefer : first selects LL, then private address fd00::/8, then global address
|
--bind-iface6 --bind-linklocal=prefer : first selects LL, then private address fd00::/8, then global address
|
||||||
--bind-iface6 --bind-linklocal=force : select only LL
|
--bind-iface6 --bind-linklocal=force : select only LL
|
||||||
|
```
|
||||||
|
|
||||||
To bind to all ipv4 specify --bind-addr "0.0.0.0", all ipv6 - "::". --bind-addr="" - mean bind to all ipv4 and ipv6.
|
To bind to all ipv4 specify --bind-addr "0.0.0.0", all ipv6 - "::". --bind-addr="" - mean bind to all ipv4 and ipv6.
|
||||||
If no binds are specified default bind to all ipv4 and ipv6 addresses is created.
|
If no binds are specified default bind to all ipv4 and ipv6 addresses is created.
|
||||||
To bind to a specific link local address do : --bind-iface6=fe80::aaaa:bbbb:cccc:dddd%iface-name
|
To bind to a specific link local address do : --bind-iface6=fe80::aaaa:bbbb:cccc:dddd%iface-name
|
||||||
@ -419,8 +426,7 @@ if tpws serves many clients it can cause trouble. also DoS attack is possible ag
|
|||||||
if remote resolving causes trouble configure clients to use local name resolution and use
|
if remote resolving causes trouble configure clients to use local name resolution and use
|
||||||
--no-resolve option on tpws side.
|
--no-resolve option on tpws side.
|
||||||
|
|
||||||
Ways to get a list of blocked IP
|
## Ways to get a list of blocked IP
|
||||||
--------------------------------
|
|
||||||
|
|
||||||
1) Enter the blocked domains to ipset/zapret-hosts-user.txt and run ipset/get_user.sh
|
1) Enter the blocked domains to ipset/zapret-hosts-user.txt and run ipset/get_user.sh
|
||||||
At the output, you get ipset/zapret-ip-user.txt with IP addresses.
|
At the output, you get ipset/zapret-ip-user.txt with IP addresses.
|
||||||
@ -473,8 +479,7 @@ Its useful on BSD systems with PF.
|
|||||||
LISTS_RELOAD=- disables reloading ip list backend.
|
LISTS_RELOAD=- disables reloading ip list backend.
|
||||||
|
|
||||||
|
|
||||||
Domain name filtering
|
## Domain name filtering
|
||||||
---------------------
|
|
||||||
|
|
||||||
An alternative to ipset is to use tpws or nfqws with a list of domains. Only one list is supported.
|
An alternative to ipset is to use tpws or nfqws with a list of domains. Only one list is supported.
|
||||||
|
|
||||||
@ -488,13 +493,11 @@ When filtering by domain name, daemons should run without filtering by ipset.
|
|||||||
When using large regulator lists estimate the amount of RAM on the router !
|
When using large regulator lists estimate the amount of RAM on the router !
|
||||||
|
|
||||||
|
|
||||||
Choosing parameters
|
## Choosing parameters
|
||||||
-------------------
|
|
||||||
|
|
||||||
The file /opt/zapret/config is used by various components of the system and contains basic settings.
|
The file /opt/zapret/config is used by various components of the system and contains basic settings.
|
||||||
It needs to be viewed and edited if necessary.
|
It needs to be viewed and edited if necessary.
|
||||||
|
|
||||||
|
|
||||||
Main mode :
|
Main mode :
|
||||||
tpws - tpws transparent mode
|
tpws - tpws transparent mode
|
||||||
tpws-socks - tpws socks mode
|
tpws-socks - tpws socks mode
|
||||||
@ -536,10 +539,12 @@ NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-fooling=bads
|
|||||||
|
|
||||||
Separate nfqws options for http and https and ip protocol versions 4,6:
|
Separate nfqws options for http and https and ip protocol versions 4,6:
|
||||||
|
|
||||||
|
```
|
||||||
NFQWS_OPT_DESYNC_HTTP="--dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
|
NFQWS_OPT_DESYNC_HTTP="--dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
|
||||||
NFQWS_OPT_DESYNC_HTTPS="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
|
NFQWS_OPT_DESYNC_HTTPS="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
|
||||||
NFQWS_OPT_DESYNC_HTTP6="--dpi-desync=split --dpi-desync-ttl=5 --dpi-desync-fooling=none"
|
NFQWS_OPT_DESYNC_HTTP6="--dpi-desync=split --dpi-desync-ttl=5 --dpi-desync-fooling=none"
|
||||||
NFQWS_OPT_DESYNC_HTTPS6="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=5 --dpi-desync-fooling=none"
|
NFQWS_OPT_DESYNC_HTTPS6="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=5 --dpi-desync-fooling=none"
|
||||||
|
```
|
||||||
|
|
||||||
If one of NFQWS_OPT_DESYNC_HTTP/NFQWS_OPT_DESYNC_HTTPS is not defined it takes value of NFQWS_OPT_DESYNC.
|
If one of NFQWS_OPT_DESYNC_HTTP/NFQWS_OPT_DESYNC_HTTPS is not defined it takes value of NFQWS_OPT_DESYNC.
|
||||||
If one of NFQWS_OPT_DESYNC_HTTP6/NFQWS_OPT_DESYNC_HTTPS6 is not defined it takes value from
|
If one of NFQWS_OPT_DESYNC_HTTP6/NFQWS_OPT_DESYNC_HTTPS6 is not defined it takes value from
|
||||||
@ -564,12 +569,16 @@ If not, then the parameter should be commented out.
|
|||||||
|
|
||||||
You can individually disable ipv4 or ipv6. If the parameter is commented out or not equal to "1",
|
You can individually disable ipv4 or ipv6. If the parameter is commented out or not equal to "1",
|
||||||
use of the protocol is permitted.
|
use of the protocol is permitted.
|
||||||
|
|
||||||
|
```
|
||||||
#DISABLE_IPV4=1
|
#DISABLE_IPV4=1
|
||||||
DISABLE_IPV6=1
|
DISABLE_IPV6=1
|
||||||
|
```
|
||||||
|
|
||||||
The number of threads for mdig multithreaded DNS resolver (1..100).
|
The number of threads for mdig multithreaded DNS resolver (1..100).
|
||||||
The more of them, the faster, but will your DNS server be offended by hammering ?
|
The more of them, the faster, but will your DNS server be offended by hammering ?
|
||||||
MDIG_THREADS=30
|
|
||||||
|
`MDIG_THREADS=30`
|
||||||
|
|
||||||
temp directory. Used by ipset/*.sh scripts for large lists processing.
|
temp directory. Used by ipset/*.sh scripts for large lists processing.
|
||||||
/tmp by default. Can be reassigned if /tmp is tmpfs and RAM is low.
|
/tmp by default. Can be reassigned if /tmp is tmpfs and RAM is low.
|
||||||
@ -585,11 +594,15 @@ On low RAM systems it can cause errors.
|
|||||||
Do not use too high hashsize. This way you waste your RAM. And dont use too low hashsize to avoid reallocs.
|
Do not use too high hashsize. This way you waste your RAM. And dont use too low hashsize to avoid reallocs.
|
||||||
|
|
||||||
ip2net options. separate for ipv4 and ipv6.
|
ip2net options. separate for ipv4 and ipv6.
|
||||||
|
|
||||||
|
```
|
||||||
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
|
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
|
||||||
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
|
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
|
||||||
|
```
|
||||||
|
|
||||||
Enable gzip compression for large lists. Used by ipset/*.sh scripts.
|
Enable gzip compression for large lists. Used by ipset/*.sh scripts.
|
||||||
GZIP_LISTS=1
|
|
||||||
|
`GZIP_LISTS=1`
|
||||||
|
|
||||||
Command to reload ip/host lists after update.
|
Command to reload ip/host lists after update.
|
||||||
Comment or leave empty for auto backend selection : ipset or ipfw if present.
|
Comment or leave empty for auto backend selection : ipset or ipfw if present.
|
||||||
@ -605,19 +618,20 @@ OPENWRT_LAN="lan lan2 lan3"
|
|||||||
The following settings are not relevant for openwrt :
|
The following settings are not relevant for openwrt :
|
||||||
|
|
||||||
If your system works as a router, then you need to enter the names of the internal and external interfaces:
|
If your system works as a router, then you need to enter the names of the internal and external interfaces:
|
||||||
|
```
|
||||||
IFACE_LAN = eth0
|
IFACE_LAN = eth0
|
||||||
IFACE_WAN = eth1
|
IFACE_WAN = eth1
|
||||||
|
```
|
||||||
IMPORTANT: configuring routing, masquerade, etc. not a zapret task.
|
IMPORTANT: configuring routing, masquerade, etc. not a zapret task.
|
||||||
Only modes that intercept transit traffic are enabled.
|
Only modes that intercept transit traffic are enabled.
|
||||||
It's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2"
|
It's possible to specify multiple interfaces like this : `IFACE_LAN="eth0 eth1 eth2"`
|
||||||
|
|
||||||
The INIT_APPLY_FW=1 parameter enables the init script to independently apply iptables rules.
|
The INIT_APPLY_FW=1 parameter enables the init script to independently apply iptables rules.
|
||||||
With other values or if the parameter is commented out, the rules will not be applied.
|
With other values or if the parameter is commented out, the rules will not be applied.
|
||||||
This is useful if you have a firewall management system, in the settings of which you should tie the rules.
|
This is useful if you have a firewall management system, in the settings of which you should tie the rules.
|
||||||
|
|
||||||
|
|
||||||
Screwing to the firewall control system or your launch system
|
## Screwing to the firewall control system or your launch system
|
||||||
-------------------------------------------------------------
|
|
||||||
|
|
||||||
If you use some kind of firewall management system, then it may conflict with an existing startup script.
|
If you use some kind of firewall management system, then it may conflict with an existing startup script.
|
||||||
When re-applying the rules, it could break the iptables settings from the zapret.
|
When re-applying the rules, it could break the iptables settings from the zapret.
|
||||||
@ -625,23 +639,26 @@ In this case, the rules for iptables should be screwed to your firewall separate
|
|||||||
|
|
||||||
The following calls allow you to apply or remove iptables rules separately:
|
The following calls allow you to apply or remove iptables rules separately:
|
||||||
|
|
||||||
|
```
|
||||||
/opt/zapret/init.d/sysv/zapret start-fw
|
/opt/zapret/init.d/sysv/zapret start-fw
|
||||||
/opt/zapret/init.d/sysv/zapret stop-fw
|
/opt/zapret/init.d/sysv/zapret stop-fw
|
||||||
|
```
|
||||||
|
|
||||||
And you can start or stop the demons separately from the firewall:
|
And you can start or stop the demons separately from the firewall:
|
||||||
|
|
||||||
|
```
|
||||||
/opt/zapret/init.d/sysv/zapret start-daemons
|
/opt/zapret/init.d/sysv/zapret start-daemons
|
||||||
/opt/zapret/init.d/sysv/zapret stop-daemons
|
/opt/zapret/init.d/sysv/zapret stop-daemons
|
||||||
|
```
|
||||||
|
|
||||||
|
## Installation
|
||||||
|
|
||||||
Simple install to desktop linux system
|
### desktop linux system
|
||||||
--------------------------------------
|
|
||||||
|
|
||||||
Simple install works on most modern linux distributions with systemd or openrc, OpenWRT and MacOS.
|
Simple install works on most modern linux distributions with systemd or openrc, OpenWRT and MacOS.
|
||||||
Run install_easy.sh and answer its questions.
|
Run install_easy.sh and answer its questions.
|
||||||
|
|
||||||
Simple install to openwrt
|
### OpenWRT
|
||||||
-------------------------
|
|
||||||
|
|
||||||
install_easy.sh works on openwrt but there're additional challenges.
|
install_easy.sh works on openwrt but there're additional challenges.
|
||||||
They are mainly about possibly low flash free space.
|
They are mainly about possibly low flash free space.
|
||||||
@ -657,8 +674,7 @@ After installation remove /tmp/zapret to free RAM.
|
|||||||
The absolute minimum for openwrt is 64/8 system, 64/16 is comfortable, 128/extroot is recommended.
|
The absolute minimum for openwrt is 64/8 system, 64/16 is comfortable, 128/extroot is recommended.
|
||||||
|
|
||||||
|
|
||||||
Android
|
### Android
|
||||||
-------
|
|
||||||
|
|
||||||
Its not possible to use nfqws and tpws in transparent proxy mode without root privileges.
|
Its not possible to use nfqws and tpws in transparent proxy mode without root privileges.
|
||||||
Without root tpws can run in --socks mode.
|
Without root tpws can run in --socks mode.
|
||||||
@ -695,14 +711,12 @@ chcon u:object_r:system_file:s0 /data/local/tmp/zapret/tpws
|
|||||||
Now its possible to run /data/local/tmp/zapret/tpws from any app such as tasker.
|
Now its possible to run /data/local/tmp/zapret/tpws from any app such as tasker.
|
||||||
|
|
||||||
|
|
||||||
FreeBSD, OpenBSD, MacOS
|
### FreeBSD, OpenBSD, MacOS
|
||||||
-----------------------
|
|
||||||
|
|
||||||
see docs/bsd.eng.txt
|
see docs/bsd.eng.txt
|
||||||
|
|
||||||
|
|
||||||
Windows (WSL)
|
### Windows (WSL)
|
||||||
-------------
|
|
||||||
|
|
||||||
Using WSL (Windows subsystem for Linux) it's possible to run tpws in socks mode under rather new builds of
|
Using WSL (Windows subsystem for Linux) it's possible to run tpws in socks mode under rather new builds of
|
||||||
windows 10 and windows server.
|
windows 10 and windows server.
|
||||||
@ -722,8 +736,7 @@ Tested in windows 10 build 19041 (20.04).
|
|||||||
NOTICE. There is native windows solution GoodByeDPI. It works on packet level like nfqws.
|
NOTICE. There is native windows solution GoodByeDPI. It works on packet level like nfqws.
|
||||||
|
|
||||||
|
|
||||||
Other devices
|
### Other devices
|
||||||
-------------
|
|
||||||
|
|
||||||
Author's goal does not include easy supporting as much devices as possibles.
|
Author's goal does not include easy supporting as much devices as possibles.
|
||||||
Please do not ask for easy supporting firmwares. It requires a lot of work and owning lots of devices. Its counterproductive.
|
Please do not ask for easy supporting firmwares. It requires a lot of work and owning lots of devices. Its counterproductive.
|
||||||
|
Loading…
Reference in New Issue
Block a user