mirror of
https://github.com/bol-van/zapret.git
synced 2024-12-02 14:40:52 +03:00
Tiera
This commit is contained in:
parent
3ee83662ec
commit
24dd590ece
@ -47,3 +47,5 @@ v9
|
||||
|
||||
ipban : added ipban ipset. place domains banned by ip to zapret-hosts-user-ipban.txt
|
||||
these IPs must be soxified for both http and https
|
||||
ISP support : tiera support
|
||||
ISP support : added DNS filtering to ubuntu and debian scripts
|
||||
|
@ -5,6 +5,7 @@ ISP=mns
|
||||
#ISP=rt
|
||||
#ISP=beeline
|
||||
#ISP=domru
|
||||
#ISP=tiera
|
||||
|
||||
# CHOSE NETWORK INTERFACE BEHIND NAT
|
||||
SLAVE_ETH=eth0
|
||||
@ -57,9 +58,24 @@ case "$1" in
|
||||
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
|
||||
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
||||
# BLOCK SPOOFED DNS FROM DOMRU
|
||||
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
|
||||
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
|
||||
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
|
||||
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
|
||||
DAEMON=$TPWS
|
||||
DAEMON_OPTS="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
|
||||
;;
|
||||
tiera)
|
||||
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
|
||||
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
|
||||
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
|
||||
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
|
||||
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
||||
DAEMON=$TPWS
|
||||
DAEMON_OPTS="--port=$TPPORT --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
|
||||
;;
|
||||
esac
|
||||
|
||||
echo -n "Starting $DESC: "
|
||||
@ -80,6 +96,14 @@ case "$1" in
|
||||
DAEMON=$NFQWS
|
||||
;;
|
||||
domru)
|
||||
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
|
||||
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
|
||||
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
|
||||
DAEMON=$TPWS
|
||||
;;
|
||||
tiera)
|
||||
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
|
||||
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
||||
|
18
init.d/openwrt/firewall.user.tiera
Normal file
18
init.d/openwrt/firewall.user.tiera
Normal file
@ -0,0 +1,18 @@
|
||||
TPPORT=1188
|
||||
TPWS_USER=daemon
|
||||
|
||||
. /lib/functions/network.sh
|
||||
|
||||
network_find_wan wan_iface
|
||||
|
||||
for ext_iface in $wan_iface; do
|
||||
network_get_device DEVICE $ext_iface
|
||||
# DNAT for local traffic
|
||||
iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
|
||||
iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
||||
|
||||
done
|
||||
|
||||
sysctl -w net.ipv4.conf.br-lan.route_localnet=1
|
||||
iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
|
||||
iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
@ -5,7 +5,9 @@
|
||||
#ISP=mns
|
||||
#ISP=rt
|
||||
#ISP=beeline
|
||||
ISP=domru
|
||||
#ISP=domru
|
||||
ISP=tiera
|
||||
#ISP=none
|
||||
|
||||
# !!!!! in openwrt you need to add firewall rules manually to /etc/firewall.user
|
||||
|
||||
@ -58,6 +60,10 @@ get_daemon() {
|
||||
DAEMON_OPTS="--port=$TPPORT --hostcase --split-http-req=host --bind-addr=127.0.0.1 --user=$TPWS_USER"
|
||||
DAEMON=$TPWS
|
||||
;;
|
||||
tiera)
|
||||
DAEMON_OPTS="--port=$TPPORT --split-http-req=host --bind-addr=127.0.0.1 --user=$TPWS_USER"
|
||||
DAEMON=$TPWS
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
@ -68,12 +74,16 @@ start() {
|
||||
($IPSET_CR)
|
||||
|
||||
get_daemon
|
||||
echo "Starting $DAEMON"
|
||||
service_start $DAEMON --daemon $DAEMON_OPTS
|
||||
[ -n "$DAEMON" ] && {
|
||||
echo "Starting $DAEMON"
|
||||
service_start $DAEMON --daemon $DAEMON_OPTS
|
||||
}
|
||||
}
|
||||
|
||||
stop() {
|
||||
get_daemon
|
||||
service_stop $DAEMON
|
||||
[ -n "$DAEMON" ] && {
|
||||
service_stop $DAEMON
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -4,13 +4,14 @@ start on runlevel [2345]
|
||||
stop on runlevel [!2345]
|
||||
|
||||
# CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE.
|
||||
env ISP=mns
|
||||
#env ISP=mns
|
||||
#env ISP=rt
|
||||
#env ISP=beeline
|
||||
#env ISP=domru
|
||||
env ISP=domru
|
||||
#env ISP=tiera
|
||||
|
||||
# CHOSE NETWORK INTERFACE BEHIND NAT
|
||||
env SLAVE_ETH=eth1
|
||||
env SLAVE_ETH=eth0
|
||||
|
||||
|
||||
env QNUM=200
|
||||
@ -33,6 +34,19 @@ pre-start script
|
||||
iptables -t mangle -I POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
|
||||
;;
|
||||
domru)
|
||||
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
|
||||
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
|
||||
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
|
||||
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
|
||||
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
||||
# BLOCK SPOOFED DNS FROM DOMRU
|
||||
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
|
||||
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
|
||||
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
|
||||
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
|
||||
;;
|
||||
tiera)
|
||||
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
|
||||
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
|
||||
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
|
||||
@ -61,8 +75,13 @@ script
|
||||
NFEXE=$TPWS
|
||||
NFARG="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
|
||||
;;
|
||||
tiera)
|
||||
NFEXE=$TPWS
|
||||
NFARG="--port=$TPPORT --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
|
||||
;;
|
||||
esac
|
||||
$NFEXE $NFARG
|
||||
[ -n "$NFEXE" ] && $NFEXE $NFARG
|
||||
end script
|
||||
|
||||
pre-stop script
|
||||
@ -74,6 +93,13 @@ pre-stop script
|
||||
iptables -t mangle -D POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
|
||||
;;
|
||||
domru)
|
||||
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
|
||||
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
|
||||
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
|
||||
;;
|
||||
tiera)
|
||||
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
|
||||
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
||||
|
@ -134,6 +134,8 @@ tkt : помогает разделение http запроса на сегме
|
||||
блокировки так же обходятся без применения "тяжелой артиллерии" следующим правилом :
|
||||
iptables -t raw -I PREROUTING -p tcp --sport 80 -m string --hex-string "|0D0A|Location: http://95.167.13.50" --algo bm -j DROP --from 40 --to 200
|
||||
Ростелеком : см tkt
|
||||
tiera : сама тиера до последнего ничего не банила. Похоже, что банит вышестоящий оператор, возможно telia.
|
||||
Требуется сплит http запросов в течение всей сессии.
|
||||
|
||||
Способы получения списка заблокированных IP
|
||||
-------------------------------------------
|
||||
|
Loading…
Reference in New Issue
Block a user