drygdryg/zapret
1
0
Fork 0
mirror of https://github.com/bol-van/zapret.git synced 2024-12-02 14:40:52 +03:00
Code Issues Packages Projects Releases Wiki Activity

Tiera

Browse Source
This commit is contained in:
bolvan 2016-03-05 11:04:40 +03:00
parent 3ee83662ec
commit 24dd590ece
6 changed files with 89 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
changes.txt
View File

@ -47,3 +47,5 @@ v9
ipban : added ipban ipset. place domains banned by ip to zapret-hosts-user-ipban.txt ipban : added ipban ipset. place domains banned by ip to zapret-hosts-user-ipban.txt
these IPs must be soxified for both http and https these IPs must be soxified for both http and https
ISP support : tiera support
ISP support : added DNS filtering to ubuntu and debian scripts

24
init.d/debian7/zapret
View File

@ -5,6 +5,7 @@ ISP=mns
#ISP=rt #ISP=rt
#ISP=beeline #ISP=beeline
#ISP=domru #ISP=domru
#ISP=tiera
# CHOSE NETWORK INTERFACE BEHIND NAT # CHOSE NETWORK INTERFACE BEHIND NAT
SLAVE_ETH=eth0 SLAVE_ETH=eth0
@ -57,9 +58,24 @@ case "$1" in
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null || iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
# BLOCK SPOOFED DNS FROM DOMRU
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
DAEMON=$TPWS DAEMON=$TPWS
DAEMON_OPTS="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1" DAEMON_OPTS="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
;; ;;
tiera)
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
DAEMON=$TPWS
DAEMON_OPTS="--port=$TPPORT --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
;;
esac esac
echo -n "Starting $DESC: " echo -n "Starting $DESC: "
@ -80,6 +96,14 @@ case "$1" in
DAEMON=$NFQWS DAEMON=$NFQWS
;; ;;
domru) domru)
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
DAEMON=$TPWS
;;
tiera)
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0 sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT

18
init.d/openwrt/firewall.user.tiera Normal file
View File

@ -0,0 +1,18 @@
TPPORT=1188
TPWS_USER=daemon
. /lib/functions/network.sh
network_find_wan wan_iface
for ext_iface in $wan_iface; do
network_get_device DEVICE $ext_iface
# DNAT for local traffic
iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
done
sysctl -w net.ipv4.conf.br-lan.route_localnet=1
iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT

12
init.d/openwrt/zapret
View File

@ -5,7 +5,9 @@
#ISP=mns #ISP=mns
#ISP=rt #ISP=rt
#ISP=beeline #ISP=beeline
ISP=domru #ISP=domru
ISP=tiera
#ISP=none
# !!!!! in openwrt you need to add firewall rules manually to /etc/firewall.user # !!!!! in openwrt you need to add firewall rules manually to /etc/firewall.user
@ -58,6 +60,10 @@ get_daemon() {
DAEMON_OPTS="--port=$TPPORT --hostcase --split-http-req=host --bind-addr=127.0.0.1 --user=$TPWS_USER" DAEMON_OPTS="--port=$TPPORT --hostcase --split-http-req=host --bind-addr=127.0.0.1 --user=$TPWS_USER"
DAEMON=$TPWS DAEMON=$TPWS
;; ;;
tiera)
DAEMON_OPTS="--port=$TPPORT --split-http-req=host --bind-addr=127.0.0.1 --user=$TPWS_USER"
DAEMON=$TPWS
;;
esac esac
} }
@ -68,12 +74,16 @@ start() {
($IPSET_CR) ($IPSET_CR)
get_daemon get_daemon
[ -n "$DAEMON" ] && {
echo "Starting $DAEMON" echo "Starting $DAEMON"
service_start $DAEMON --daemon $DAEMON_OPTS service_start $DAEMON --daemon $DAEMON_OPTS
}
} }
stop() { stop() {
get_daemon get_daemon
[ -n "$DAEMON" ] && {
service_stop $DAEMON service_stop $DAEMON
}
} }

32
init.d/ubuntu12/zapret.conf
View File

@ -4,13 +4,14 @@ start on runlevel [2345]
stop on runlevel [!2345] stop on runlevel [!2345]
# CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE. # CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE.
env ISP=mns #env ISP=mns
#env ISP=rt #env ISP=rt
#env ISP=beeline #env ISP=beeline
#env ISP=domru env ISP=domru
#env ISP=tiera
# CHOSE NETWORK INTERFACE BEHIND NAT # CHOSE NETWORK INTERFACE BEHIND NAT
env SLAVE_ETH=eth1 env SLAVE_ETH=eth0
env QNUM=200 env QNUM=200
@ -33,6 +34,19 @@ pre-start script
iptables -t mangle -I POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass iptables -t mangle -I POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
;; ;;
domru) domru)
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
# BLOCK SPOOFED DNS FROM DOMRU
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
;;
tiera)
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1 sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT || iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
@ -61,8 +75,13 @@ script
NFEXE=$TPWS NFEXE=$TPWS
NFARG="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1" NFARG="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
;; ;;
tiera)
NFEXE=$TPWS
NFARG="--port=$TPPORT --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
;;
esac esac
$NFEXE $NFARG $NFEXE $NFARG
[ -n "$NFEXE" ] && $NFEXE $NFARG
end script end script
pre-stop script pre-stop script
@ -74,6 +93,13 @@ pre-stop script
iptables -t mangle -D POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass iptables -t mangle -D POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
;; ;;
domru) domru)
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
;;
tiera)
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0 sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT

2
readme.txt
View File

@ -134,6 +134,8 @@ tkt : помогает разделение http запроса на сегме
блокировки так же обходятся без применения "тяжелой артиллерии" следующим правилом : блокировки так же обходятся без применения "тяжелой артиллерии" следующим правилом :
iptables -t raw -I PREROUTING -p tcp --sport 80 -m string --hex-string "|0D0A|Location: http://95.167.13.50" --algo bm -j DROP --from 40 --to 200 iptables -t raw -I PREROUTING -p tcp --sport 80 -m string --hex-string "|0D0A|Location: http://95.167.13.50" --algo bm -j DROP --from 40 --to 200
Ростелеком : см tkt Ростелеком : см tkt
tiera : сама тиера до последнего ничего не банила. Похоже, что банит вышестоящий оператор, возможно telia.
Требуется сплит http запросов в течение всей сессии.
Способы получения списка заблокированных IP Способы получения списка заблокированных IP
------------------------------------------- -------------------------------------------