From 24dd590ece73e4c5d4689f2edd6175021dd1ef06 Mon Sep 17 00:00:00 2001 From: bolvan Date: Sat, 5 Mar 2016 11:04:40 +0300 Subject: [PATCH] Tiera --- changes.txt | 2 ++ init.d/debian7/zapret | 24 ++++++++++++++++++++++ init.d/openwrt/firewall.user.tiera | 18 +++++++++++++++++ init.d/openwrt/zapret | 18 +++++++++++++---- init.d/ubuntu12/zapret.conf | 32 +++++++++++++++++++++++++++--- readme.txt | 2 ++ 6 files changed, 89 insertions(+), 7 deletions(-) create mode 100644 init.d/openwrt/firewall.user.tiera diff --git a/changes.txt b/changes.txt index 9b3ce66..cc38eef 100644 --- a/changes.txt +++ b/changes.txt @@ -47,3 +47,5 @@ v9 ipban : added ipban ipset. place domains banned by ip to zapret-hosts-user-ipban.txt these IPs must be soxified for both http and https +ISP support : tiera support +ISP support : added DNS filtering to ubuntu and debian scripts diff --git a/init.d/debian7/zapret b/init.d/debian7/zapret index 1aebd3a..ad19062 100755 --- a/init.d/debian7/zapret +++ b/init.d/debian7/zapret @@ -5,6 +5,7 @@ ISP=mns #ISP=rt #ISP=beeline #ISP=domru +#ISP=tiera # CHOSE NETWORK INTERFACE BEHIND NAT SLAVE_ETH=eth0 
@@ -57,9 +58,24 @@ case "$1" in
 iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
 iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
 iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+ # BLOCK SPOOFED DNS FROM DOMRU
+ iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
+ iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
+ iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
+ iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
 DAEMON=$TPWS
 DAEMON_OPTS="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
 ;;
+ tiera)
+ adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
+ sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
+ iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
+ iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+ iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
+ iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+ DAEMON=$TPWS
+ DAEMON_OPTS="--port=$TPPORT --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
+ ;;
 esac
 
 echo -n "Starting $DESC: "
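Review bot: The two new `iptables -t raw -C PREROUTING ... --algo bm -j DROP --from 40 --to 300 ||` probes in the domru arm do not redirect stderr, while the nat `-C` probes directly above them and the ones added in the tiera arm carry `2>/dev/null`, so every fresh start prints an iptables "rule does not exist" diagnostic for a condition the `||` already handles. Appending `2>/dev/null` before the `||` on both probe lines makes the block consistent with the rest of the case. The tiera arm is otherwise a verbatim copy of the domru DNAT setup minus `--hostcase`; a small shell function shared by both arms would keep the rule texts from drifting, which matters because a later `-D` that no longer matches its `-I` leaves the DNAT in place after stop. The `case` statement is opened before this hunk.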
@@ -80,6 +96,14 @@ case "$1" in DAEMON=$NFQWS ;; domru) + sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0 + iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT + iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT + iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 + iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 + DAEMON=$TPWS + ;; + tiera) sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0 iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT diff --git a/init.d/openwrt/firewall.user.tiera b/init.d/openwrt/firewall.user.tiera new file mode 100644 index 0000000..59b541f --- /dev/null +++ b/init.d/openwrt/firewall.user.tiera @@ -0,0 +1,18 @@ +TPPORT=1188 +TPWS_USER=daemon + +. /lib/functions/network.sh + +network_find_wan wan_iface + +for ext_iface in $wan_iface; do + network_get_device DEVICE $ext_iface + # DNAT for local traffic + iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT || + iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT + +done + +sysctl -w net.ipv4.conf.br-lan.route_localnet=1 +iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT || + iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 
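Review bot: `sysctl -w net.ipv4.conf.br-lan.route_localnet=1` in the new firewall.user.tiera widens what LAN clients can reach: once loopback destinations arriving on br-lan are no longer dropped as martians, any service the router binds to 127.0.0.1 becomes addressable from the LAN unless the filter INPUT chain restricts it, not only tpws on $TPPORT. Since the DNAT is already limited to the zapret set, pair the sysctl with an explicit INPUT guard such as `iptables -I INPUT -i br-lan -d 127.0.0.0/8 -j DROP` followed by `iptables -I INPUT -i br-lan -d 127.0.0.1 -p tcp --dport $TPPORT -j ACCEPT` (inserted in that order so the ACCEPT ends up first), or confirm that the lan zone's input policy already does this. br-lan is also hard-coded while the WAN device is resolved through `network_get_device`; resolving the LAN device the same way would keep the two halves of the file consistent. `TPPORT` and `TPWS_USER` are re-declared here and have to stay in step with the values in the init script; a comment saying so would help the next editor.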
diff --git a/init.d/openwrt/zapret b/init.d/openwrt/zapret index fb256e7..2e7b449 100755 --- a/init.d/openwrt/zapret +++ b/init.d/openwrt/zapret @@ -5,7 +5,9 @@ #ISP=mns #ISP=rt #ISP=beeline -ISP=domru +#ISP=domru +ISP=tiera +#ISP=none # !!!!! in openwrt you need to add firewall rules manually to /etc/firewall.user @@ -58,6 +60,10 @@ get_daemon() { DAEMON_OPTS="--port=$TPPORT --hostcase --split-http-req=host --bind-addr=127.0.0.1 --user=$TPWS_USER" DAEMON=$TPWS ;; + tiera) + DAEMON_OPTS="--port=$TPPORT --split-http-req=host --bind-addr=127.0.0.1 --user=$TPWS_USER" + DAEMON=$TPWS + ;; esac } @@ -68,12 +74,16 @@ start() { ($IPSET_CR) get_daemon - echo "Starting $DAEMON" - service_start $DAEMON --daemon $DAEMON_OPTS + [ -n "$DAEMON" ] && { + echo "Starting $DAEMON" + service_start $DAEMON --daemon $DAEMON_OPTS + } } stop() { get_daemon - service_stop $DAEMON + [ -n "$DAEMON" ] && { + service_stop $DAEMON + } } diff --git a/init.d/ubuntu12/zapret.conf b/init.d/ubuntu12/zapret.conf index c095169..ad4e297 100644 --- a/init.d/ubuntu12/zapret.conf +++ b/init.d/ubuntu12/zapret.conf @@ -4,13 +4,14 @@ start on runlevel [2345] stop on runlevel [!2345] # CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE. -env ISP=mns +#env ISP=mns #env ISP=rt #env ISP=beeline -#env ISP=domru +env ISP=domru +#env ISP=tiera # CHOSE NETWORK INTERFACE BEHIND NAT -env SLAVE_ETH=eth1 +env SLAVE_ETH=eth0 env QNUM=200 
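Review bot: The switch of the shipped default from `ISP=domru` to `ISP=tiera` in the first openwrt hunk looks like a local configuration change rather than part of the feature, and the ubuntu12 zapret.conf hunk below does the same, flipping `env ISP=mns` to `env ISP=domru` and `env SLAVE_ETH=eth1` to `env SLAVE_ETH=eth0`, while the debian7 script keeps `ISP=mns` and only gains a commented `#ISP=tiera` line. Unless the new defaults are meant for every user, keep the previous active lines and add tiera commented out, as the debian7 hunk does. The new `#ISP=none` option has no `none)` arm in get_daemon and appears to work only because DAEMON stays empty; a comment such as `# none: no daemon, only ipset and firewall rules` next to it would document that.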
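Review bot: `[ -n "$DAEMON" ] && { ... }` is the last statement of both start() and stop(), so when DAEMON is empty (the new `ISP=none` setting) each function returns 1 and the init action is reported as failed even though skipping the daemon is the intended behaviour. Writing the guard as `if [ -n "$DAEMON" ]; then ... fi` returns 0 on the skipped path. The ubuntu12 `script` stanza below has the same shape in `[ -n "$NFEXE" ] && $NFEXE $NFARG`; if I recall correctly upstart treats a non-zero exit of the main script as a job failure, so the same `if` form is worth applying there as well.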
@@ -33,6 +34,19 @@ pre-start script
 iptables -t mangle -I POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
 ;;
 domru)
+ adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
+ sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
+ iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
+ iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+ iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
+ iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+ # BLOCK SPOOFED DNS FROM DOMRU
+ iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
+ iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
+ iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
+ iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
+ ;;
+ tiera)
 adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
 sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
 iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
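Review bot: The added domru arm is a line-for-line copy of the tiera arm that follows it (the same adduser, sysctl and four DNAT lines), distinguished only by the two `# BLOCK SPOOFED DNS FROM DOMRU` rule pairs, and the pre-stop stanza in the next hunk repeats the teardown the same way. A helper function defined at the top of the stanza and called from both arms would leave only the DNS-drop rules specific to domru and keep the `-I` and `-D` rule texts identical, which is what makes the stop path actually remove the DNAT. If I recall correctly upstart runs stanzas with `sh -e`, so a failing `adduser` or `sysctl` aborts pre-start before any rule is inserted; that is pre-existing behaviour but deserves a one-line comment. The `case` is opened before this hunk.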
@@ -61,8 +75,13 @@ script NFEXE=$TPWS NFARG="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1" ;; + tiera) + NFEXE=$TPWS + NFARG="--port=$TPPORT --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1" + ;; esac $NFEXE $NFARG + [ -n "$NFEXE" ] && $NFEXE $NFARG end script pre-stop script @@ -74,6 +93,13 @@ pre-stop script iptables -t mangle -D POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass ;; domru) + sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0 + iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT + iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT + iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 + iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 + ;; + tiera) sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0 iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT diff --git a/readme.txt b/readme.txt index 08f8ecf..1b9f030 100644 --- a/readme.txt +++ b/readme.txt 
@@ -134,6 +134,8 @@ tkt : помогает разделение http запроса на сегме блокировки так же обходятся без применения "тяжелой артиллерии" следующим правилом : iptables -t raw -I PREROUTING -p tcp --sport 80 -m string --hex-string "|0D0A|Location: http://95.167.13.50" --algo bm -j DROP --from 40 --to 200 Ростелеком : см tkt +tiera : сама тиера до последнего ничего не банила. Похоже, что банит вышестоящий оператор, возможно telia. + Требуется сплит http запросов в течение всей сессии. Способы получения списка заблокированных IP -------------------------------------------