drygdryg/zapret
1
0
Fork 0
mirror of https://github.com/bol-van/zapret.git synced 2025-04-19 21:42:59 +03:00
Code Issues Packages Projects Releases Wiki Activity

firewall code deduplication

Browse Source
This commit is contained in:
bolvan 2019-05-15 22:58:24 +03:00
parent c5c55e5419
commit 11b839c43c
2 changed files with 97 additions and 143 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
init.d/openwrt/functions
View File

@ -167,7 +167,7 @@ __fw_tpws6()
done done
network_get_device DEVICE lan network_get_device DEVICE lan
dnat6_target dnat6_target
[ "$DNAT6_TARGET" != '-' ] && { [ "$DNAT6_TARGET" != "-" ] && {
ipt6 PREROUTING -t nat -i $DEVICE $IPT_FILTER_HTTP -j DNAT --to [$DNAT6_TARGET]:$TPPORT_HTTP ipt6 PREROUTING -t nat -i $DEVICE $IPT_FILTER_HTTP -j DNAT --to [$DNAT6_TARGET]:$TPPORT_HTTP
[ "$1" != "1" ] || ipt6 PREROUTING -t nat -i $DEVICE $IPT_FILTER_HTTPS -j DNAT --to [$DNAT6_TARGET]:$TPPORT_HTTPS [ "$1" != "1" ] || ipt6 PREROUTING -t nat -i $DEVICE $IPT_FILTER_HTTPS -j DNAT --to [$DNAT6_TARGET]:$TPPORT_HTTPS
} }

238
init.d/sysv/functions
View File

@ -45,6 +45,16 @@ ipt_del()
{ {
iptables -C $@ 2>/dev/null && iptables -D $@ iptables -C $@ 2>/dev/null && iptables -D $@
} }
ipt_add_del()
{
if [ "$1" = "1" ]; then
shift
ipt $@
else
shift
ipt_del $@
fi
}
ipt6() ipt6()
{ {
ip6tables -C $@ 2>/dev/null || ip6tables -I $@ ip6tables -C $@ 2>/dev/null || ip6tables -I $@
@ -53,6 +63,16 @@ ipt6_del()
{ {
ip6tables -C $@ 2>/dev/null && ip6tables -D $@ ip6tables -C $@ 2>/dev/null && ip6tables -D $@
} }
ipt6_add_del()
{
if [ "$1" = "1" ]; then
shift
ipt6 $@
else
shift
ipt6_del $@
fi
}
# there's no route_localnet for ipv6 # there's no route_localnet for ipv6
# the best we can is to route to link local of the incoming interface # the best we can is to route to link local of the incoming interface
@ -127,99 +147,63 @@ dnat6_target()
} }
} }
fw_tpws_add() print_op()
{ {
# $1 - iptable filter for ipv4 if [ "$1" = "1" ]; then
# $2 - iptable filter for ipv6 echo "Adding ip$4tables rule for $3 : $2"
# $3 - tpws port else
[ "$DISABLE_IPV4" = "1" ] || { echo "Deleting ip$4tables rule for $3 : $2"
echo "Adding iptables rule for tpws : $1" fi
[ -n "$IFACE_LAN" ] && {
ipt PREROUTING -t nat $IPT_ILAN -p tcp $1 -j DNAT --to 127.0.0.1:$3
}
ipt OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$3
}
[ "$DISABLE_IPV6" = "1" ] || {
echo "Adding ip6tables rule for tpws : $2"
[ -n "$IFACE_LAN" ] && {
dnat6_target
[ "$DNAT6_TARGET" != '-' ] && ipt6 PREROUTING -t nat $IPT_ILAN -p tcp $2 -j DNAT --to [$DNAT6_TARGET]:$3
}
ipt6 OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $TPWS_USER -p tcp $2 -j DNAT --to [::1]:$3
}
}
fw_tpws_del()
{
# $1 - iptable filter for ipv4
# $2 - iptable filter for ipv6
# $3 - tpws port
[ "$DISABLE_IPV4" = "1" ] || {
echo "Deleting iptables rule for tpws : $1"
[ -n "$IFACE_LAN" ] && {
ipt_del PREROUTING -t nat $IPT_ILAN -p tcp $1 -j DNAT --to 127.0.0.1:$3
}
ipt_del OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$3
}
[ "$DISABLE_IPV6" = "1" ] || {
echo "Deleting ip6tables rule for tpws : $2"
[ -n "$IFACE_LAN" ] && {
dnat6_target
[ "$DNAT6_TARGET" != '-' ] && ipt6_del PREROUTING -t nat $IPT_ILAN -p tcp $2 -j DNAT --to [$DNAT6_TARGET]:$3
}
ipt6_del OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $TPWS_USER -p tcp $2 -j DNAT --to [::1]:$3
}
} }
fw_nfqws_add_pre() fw_tpws()
{ {
# $1 - iptable filter for ipv4 # $1 - 1 - add, 0 - del
# $2 - iptable filter for ipv6 # $2 - iptable filter for ipv4
# $3 - iptable filter for ipv6
# $4 - tpws port
[ "$DISABLE_IPV4" = "1" ] || { [ "$DISABLE_IPV4" = "1" ] || {
echo "Adding iptables rule for nfqws prerouting : $1" print_op $1 "$2" "tpws"
ipt PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $1 -j NFQUEUE --queue-num $QNUM --queue-bypass [ -n "$IFACE_LAN" ] && {
ipt_add_del $1 PREROUTING -t nat $IPT_ILAN -p tcp $2 -j DNAT --to 127.0.0.1:$4
}
ipt_add_del $1 OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $TPWS_USER -p tcp $2 -j DNAT --to 127.0.0.1:$4
} }
[ "$DISABLE_IPV6" = "1" ] || { [ "$DISABLE_IPV6" = "1" ] || {
echo "Adding ip6tables rule for nfqws prerouting : $2" print_op $1 "$3" "tpws" 6
ipt6 PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $2 -j NFQUEUE --queue-num $QNUM --queue-bypass [ -n "$IFACE_LAN" ] && {
dnat6_target
[ "$DNAT6_TARGET" != "-" ] && ipt6_add_del $1 PREROUTING -t nat $IPT_ILAN -p tcp $3 -j DNAT --to [$DNAT6_TARGET]:$4
}
ipt6_add_del $1 OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $TPWS_USER -p tcp $3 -j DNAT --to [::1]:$4
} }
} }
fw_nfqws_del_pre() fw_nfqws_pre()
{ {
# $1 - iptable filter for ipv4 # $1 - 1 - add, 0 - del
# $2 - iptable filter for ipv6 # $2 - iptable filter for ipv4
# $3 - iptable filter for ipv6
[ "$DISABLE_IPV4" = "1" ] || { [ "$DISABLE_IPV4" = "1" ] || {
echo "Deleting iptables rule for nfqws prerouting : $1" print_op $1 "$2" "nfqws prerouting"
ipt_del PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $1 -j NFQUEUE --queue-num $QNUM --queue-bypass ipt_add_del $1 PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $2 -j NFQUEUE --queue-num $QNUM --queue-bypass
} }
[ "$DISABLE_IPV6" = "1" ] || { [ "$DISABLE_IPV6" = "1" ] || {
echo "Deleting ip6tables rule for nfqws prerouting : $2" print_op $1 "$3" "nfqws prerouting" 6
ipt6_del PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $2 -j NFQUEUE --queue-num $QNUM --queue-bypass ipt6_add_del $1 PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $3 -j NFQUEUE --queue-num $QNUM --queue-bypass
} }
} }
fw_nfqws_add_post() fw_nfqws_post()
{ {
# $1 - iptable filter for ipv4 # $1 - 1 - add, 0 - del
# $2 - iptable filter for ipv6 # $2 - iptable filter for ipv4
# $3 - iptable filter for ipv6
[ "$DISABLE_IPV4" = "1" ] || { [ "$DISABLE_IPV4" = "1" ] || {
echo "Adding iptables rule for nfqws postrouting : $1" print_op $1 "$2" "nfqws postrouting"
ipt POSTROUTING -t mangle $IPT_OWAN -p tcp $1 -j NFQUEUE --queue-num $QNUM --queue-bypass ipt_add_del $1 POSTROUTING -t mangle $IPT_OWAN -p tcp $2 -j NFQUEUE --queue-num $QNUM --queue-bypass
} }
[ "$DISABLE_IPV6" = "1" ] || { [ "$DISABLE_IPV6" = "1" ] || {
echo "Adding ip6tables rule for nfqws postrouting : $2" print_op $1 "$3" "nfqws postrouting" 6
ipt6 POSTROUTING -t mangle $IPT_OWAN -p tcp $2 -j NFQUEUE --queue-num $QNUM --queue-bypass ipt6_add_del $1 POSTROUTING -t mangle $IPT_OWAN -p tcp $3 -j NFQUEUE --queue-num $QNUM --queue-bypass
}
}
fw_nfqws_del_post()
{
# $1 - iptable filter for ipv4
# $2 - iptable filter for ipv6
[ "$DISABLE_IPV4" = "1" ] || {
echo "Deleting iptables rule for nfqws postrouting : $1"
ipt_del POSTROUTING -t mangle $IPT_OWAN -p tcp $1 -j NFQUEUE --queue-num $QNUM --queue-bypass
}
[ "$DISABLE_IPV6" = "1" ] || {
echo "Deleting ip6tables rule for nfqws postrouting : $2"
ipt6_del POSTROUTING -t mangle $IPT_OWAN -p tcp $2 -j NFQUEUE --queue-num $QNUM --queue-bypass
} }
} }
@ -308,53 +292,56 @@ create_ipset()
} }
zapret_apply_firewall()
zapret_do_firewall()
{ {
# $1 - 1 - add, 0 - del
case "${MODE}" in case "${MODE}" in
tpws_hostlist) tpws_hostlist)
prepare_tpws [ "$1" = "1" ] && prepare_tpws
fw_tpws_add "--dport 80" "--dport 80" $TPPORT_HTTP fw_tpws $1 "--dport 80" "--dport 80" $TPPORT_HTTP
;; ;;
tpws_ipset) tpws_ipset)
create_ipset [ "$1" = "1" ] && create_ipset
prepare_tpws [ "$1" = "1" ] && prepare_tpws
fw_tpws_add "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP fw_tpws $1 "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
;; ;;
tpws_ipset_https) tpws_ipset_https)
create_ipset [ "$1" = "1" ] && create_ipset
prepare_tpws [ "$1" = "1" ] && prepare_tpws
fw_tpws_add "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP fw_tpws $1 "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
fw_tpws_add "--dport 443 -m set --match-set zapret dst" "--dport 443 -m set --match-set zapret6 dst" $TPPORT_HTTPS fw_tpws $1 "--dport 443 -m set --match-set zapret dst" "--dport 443 -m set --match-set zapret6 dst" $TPPORT_HTTPS
;; ;;
tpws_all) tpws_all)
prepare_tpws [ "$1" = "1" ] && prepare_tpws
fw_tpws_add "--dport 80" "--dport 80" $TPPORT_HTTP fw_tpws $1 "--dport 80" "--dport 80" $TPPORT_HTTP
;; ;;
tpws_all_https) tpws_all_https)
prepare_tpws [ "$1" = "1" ] && prepare_tpws
fw_tpws_add "--dport 80" "--dport 80" $TPPORT_HTTP fw_tpws $1 "--dport 80" "--dport 80" $TPPORT_HTTP
fw_tpws_add "--dport 443" "--dport 443" $TPPORT_HTTPS fw_tpws $1 "--dport 443" "--dport 443" $TPPORT_HTTPS
;; ;;
nfqws_ipset) nfqws_ipset)
create_ipset [ "$1" = "1" ] && create_ipset
fw_nfqws_add_pre "--sport 80 -m set --match-set zapret src" "--sport 80 -m set --match-set zapret6 src" fw_nfqws_pre $1 "--sport 80 -m set --match-set zapret src" "--sport 80 -m set --match-set zapret6 src"
fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" fw_nfqws_post $1 "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst"
;; ;;
nfqws_ipset_https) nfqws_ipset_https)
create_ipset [ "$1" = "1" ] && create_ipset
fw_nfqws_add_pre "-m multiport --sports 80,443 -m set --match-set zapret src" "-m multiport --sports 80,443 -m set --match-set zapret6 src" fw_nfqws_pre $1 "-m multiport --sports 80,443 -m set --match-set zapret src" "-m multiport --sports 80,443 -m set --match-set zapret6 src"
fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" fw_nfqws_post $1 "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst"
;; ;;
nfqws_all) nfqws_all)
fw_nfqws_add_pre "--sport 80" "--sport 80" fw_nfqws_pre $1 "--sport 80" "--sport 80"
fw_nfqws_add_post "--dport 80" "--dport 80" fw_nfqws_post $1 "--dport 80" "--dport 80"
;; ;;
nfqws_all_https) nfqws_all_https)
fw_nfqws_add_pre "-m multiport --sports 80,443" "-m multiport --sports 80,443" fw_nfqws_pre $1 "-m multiport --sports 80,443" "-m multiport --sports 80,443"
fw_nfqws_add_post "--dport 80" "--dport 80" fw_nfqws_post $1 "--dport 80" "--dport 80"
;; ;;
ipset) ipset)
create_ipset [ "$1" = "1" ] && create_ipset
;; ;;
custom) custom)
# PLACEHOLDER # PLACEHOLDER
@ -364,6 +351,15 @@ zapret_apply_firewall()
;; ;;
esac esac
} }
zapret_apply_firewall()
{
zapret_do_firewall 1 $@
}
zapret_unapply_firewall()
{
zapret_do_firewall 0 $@
}
zapret_run_daemons() zapret_run_daemons()
{ {
case "${MODE}" in case "${MODE}" in
@ -395,48 +391,6 @@ zapret_run_daemons()
;; ;;
esac esac
} }
zapret_unapply_firewall()
{
case "${MODE}" in
tpws_hostlist|tpws_all)
fw_tpws_del "--dport 80" "--dport 80" $TPPORT_HTTP
;;
tpws_ipset)
fw_tpws_del "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
;;
tpws_ipset_https)
fw_tpws_del "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
fw_tpws_del "--dport 443 -m set --match-set zapret dst" "--dport 443 -m set --match-set zapret6 dst" $TPPORT_HTTPS
;;
tpws_all_https)
fw_tpws_del "--dport 80" "--dport 80" $TPPORT_HTTP
fw_tpws_del "--dport 443" "--dport 443" $TPPORT_HTTPS
;;
nfqws_ipset)
fw_nfqws_del_pre "--sport 80 -m set --match-set zapret src" "--sport 80 -m set --match-set zapret6 src"
fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst"
;;
nfqws_ipset_https)
fw_nfqws_del_pre "-m multiport --sports 80,443 -m set --match-set zapret src" "-m multiport --sports 80,443 -m set --match-set zapret6 src"
fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst"
;;
nfqws_all)
fw_nfqws_del_pre "--sport 80" "--sport 80"
fw_nfqws_del_post "--dport 80" "--dport 80"
;;
nfqws_all_https)
fw_nfqws_del_pre "-m multiport --sports 80,443" "-m multiport --sports 80,443"
fw_nfqws_del_post "--dport 80" "--dport 80"
;;
custom)
# PLACEHOLDER
echo !!! NEED ATTENTION !!!
echo Clear firewall rules here. Remove iptables changes made previously.
echo Study how other sections work.
;;
esac
}
zapret_stop_daemons() zapret_stop_daemons()
{ {
case "${MODE}" in case "${MODE}" in