Tiera

2024-12-02 14:40:52 +03:00 · 2016-03-05 11:04:40 +03:00 · 2016-03-05 11:04:40 +03:00 · 24dd590ece
commit 24dd590ece
parent 3ee83662ec
6 changed files with 89 additions and 7 deletions
--- a/changes.txt
+++ b/changes.txt
@ -47,3 +47,5 @@ v9

 ipban : added ipban ipset. place domains banned by ip to zapret-hosts-user-ipban.txt
 	these IPs must be soxified for both http and https
+ISP support : tiera support
+ISP support : added DNS filtering to ubuntu and debian scripts
--- a/init.d/debian7/zapret
+++ b/init.d/debian7/zapret
@ -5,6 +5,7 @@ ISP=mns
 #ISP=rt
 #ISP=beeline
 #ISP=domru
+#ISP=tiera

 # CHOSE NETWORK INTERFACE BEHIND NAT
 SLAVE_ETH=eth0
@ -57,9 +58,24 @@ case "$1" in
 		 iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
 		iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
 		 iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+		# BLOCK SPOOFED DNS FROM DOMRU
+		iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
+		 iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
+		iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
+		 iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
 		DAEMON=$TPWS
 		DAEMON_OPTS="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
 		;;
+	    tiera)
+		adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
+		sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
+		iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
+		 iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+		iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
+		 iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+		DAEMON=$TPWS
+		DAEMON_OPTS="--port=$TPPORT --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
+		;;
 	esac

 	echo -n "Starting $DESC: "
@ -80,6 +96,14 @@ case "$1" in
 		DAEMON=$NFQWS
 		;;
 	    domru)
+		sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
+		iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+		iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+		iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
+		iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
+		DAEMON=$TPWS
+		;;
+	    tiera)
 		sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
 		iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
 		iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
--- a/init.d/openwrt/firewall.user.tiera
+++ b/init.d/openwrt/firewall.user.tiera
@ -0,0 +1,18 @@
+TPPORT=1188
+TPWS_USER=daemon
+
+. /lib/functions/network.sh
+
+network_find_wan wan_iface
+
+for ext_iface in $wan_iface; do
+    network_get_device DEVICE $ext_iface
+    # DNAT for local traffic
+    iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
+     iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+
+done
+
+sysctl -w net.ipv4.conf.br-lan.route_localnet=1
+iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
+ iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
--- a/init.d/openwrt/zapret
+++ b/init.d/openwrt/zapret
@ -5,7 +5,9 @@
 #ISP=mns
 #ISP=rt
 #ISP=beeline
-ISP=domru
+#ISP=domru
+ISP=tiera
+#ISP=none

 # !!!!! in openwrt you need to add firewall rules manually to /etc/firewall.user

@ -58,6 +60,10 @@ get_daemon() {
 		DAEMON_OPTS="--port=$TPPORT --hostcase --split-http-req=host --bind-addr=127.0.0.1 --user=$TPWS_USER"
 		DAEMON=$TPWS
 		;;
+	    tiera)
+		DAEMON_OPTS="--port=$TPPORT --split-http-req=host --bind-addr=127.0.0.1 --user=$TPWS_USER"
+		DAEMON=$TPWS
+		;;
 	esac
 }

@ -68,12 +74,16 @@ start() {
 	($IPSET_CR)

 	get_daemon
+	[ -n "$DAEMON" ] && {
 	    echo "Starting $DAEMON"
 	    service_start $DAEMON --daemon $DAEMON_OPTS
 	}
+}

 stop() {
 	get_daemon
+	[ -n "$DAEMON" ] && {
 	    service_stop $DAEMON
 	}
+}

--- a/init.d/ubuntu12/zapret.conf
+++ b/init.d/ubuntu12/zapret.conf
@ -4,13 +4,14 @@ start on runlevel [2345]
 stop on runlevel [!2345]

 # CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE.
-env ISP=mns
+#env ISP=mns
 #env ISP=rt
 #env ISP=beeline
-#env ISP=domru
+env ISP=domru
+#env ISP=tiera

 # CHOSE NETWORK INTERFACE BEHIND NAT
-env SLAVE_ETH=eth1
+env SLAVE_ETH=eth0


 env QNUM=200
@ -33,6 +34,19 @@ pre-start script
 		 iptables -t mangle -I POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
 		;;
 	    domru)
+		adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
+		sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
+		iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
+		 iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+		iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
+		 iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+		# BLOCK SPOOFED DNS FROM DOMRU
+		iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
+		 iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
+		iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
+		 iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
+		;;
+	    tiera)
 		adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
 		sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
 		iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
@ -61,8 +75,13 @@ script
 		NFEXE=$TPWS
 		NFARG="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
 		;;
+	    tiera)
+		NFEXE=$TPWS
+		NFARG="--port=$TPPORT --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
+		;;
 	esac
 	$NFEXE $NFARG
+	[ -n "$NFEXE" ] && $NFEXE $NFARG
 end script

 pre-stop script
@ -74,6 +93,13 @@ pre-stop script
 		iptables -t mangle -D POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
 		;;
 	    domru)
+		sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
+		iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+		iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+		iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
+		iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
+		;;
+	    tiera)
 		sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
 		iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
 		iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
--- a/readme.txt
+++ b/readme.txt
@ -134,6 +134,8 @@ tkt : помогает разделение http запроса на сегме
  блокировки так же обходятся без применения "тяжелой артиллерии" следующим правилом :
  iptables -t raw -I PREROUTING -p tcp --sport 80 -m string --hex-string "|0D0A|Location: http://95.167.13.50" --algo bm -j DROP --from 40 --to 200
 Ростелеком : см tkt
+tiera : сама тиера до последнего ничего не банила. Похоже, что банит вышестоящий оператор, возможно telia.
+  Требуется сплит http запросов в течение всей сессии.

 Способы получения списка заблокированных IP
 -------------------------------------------