From 2acd50e130e80ef32e50589d9c2379ff534b4ad1 Mon Sep 17 00:00:00 2001 From: bolvan Date: Sun, 5 May 2019 23:35:10 +0300 Subject: [PATCH] init script http+https --- init.d/openwrt/firewall.user.nfqws_all_https | 9 ++ .../openwrt/firewall.user.nfqws_ipset_https | 9 ++ init.d/openwrt/firewall.user.tpws_all | 12 +-- init.d/openwrt/firewall.user.tpws_all_https | 27 +++++ init.d/openwrt/firewall.user.tpws_ipset | 12 +-- init.d/openwrt/firewall.user.tpws_ipset_https | 27 +++++ init.d/openwrt/zapret | 32 +++--- init.d/sysv/zapret | 98 +++++++++++++++---- readme.txt | 7 +- 9 files changed, 189 insertions(+), 44 deletions(-) create mode 100644 init.d/openwrt/firewall.user.nfqws_all_https create mode 100644 init.d/openwrt/firewall.user.nfqws_ipset_https create mode 100644 init.d/openwrt/firewall.user.tpws_all_https create mode 100644 init.d/openwrt/firewall.user.tpws_ipset_https
diff --git a/init.d/openwrt/firewall.user.nfqws_all_https b/init.d/openwrt/firewall.user.nfqws_all_https
new file mode 100644
index 0000000..74e7dd7
--- /dev/null
+++ b/init.d/openwrt/firewall.user.nfqws_all_https
@@ -0,0 +1,9 @@
+QNUM=200
+IPT_FILTER_PRE="-p tcp -m multiport --sports 80,443"
+IPT_FILTER_POST="-p tcp --dport 80"
+
+iptables -t raw -C PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass ||
+ iptables -t raw -I PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass
+
+iptables -t mangle -C POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass ||
+ iptables -t mangle -I POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass
diff --git a/init.d/openwrt/firewall.user.nfqws_ipset_https b/init.d/openwrt/firewall.user.nfqws_ipset_https
new file mode 100644
index 0000000..ea33ab7
--- /dev/null
+++ b/init.d/openwrt/firewall.user.nfqws_ipset_https
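Review bot: `IPT_FILTER_PRE` queues inbound packets from source ports 80 and 443 while `IPT_FILTER_POST` still queues only `--dport 80`, and nothing in the file says whether the HTTPS side is meant to be inbound-only. If that asymmetry is intentional, a comment above `IPT_FILTER_POST`, such as `# outbound HTTPS (dport 443) is deliberately not queued; only the inbound 443 side goes to nfqws`, keeps the next maintainer from "fixing" it. The same unexplained asymmetry is in firewall.user.nfqws_ipset_https and in the nfqws_ipset_https and nfqws_all_https arms of init.d/sysv/zapret.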
@@ -0,0 +1,9 @@ +QNUM=200 +IPT_FILTER_PRE="-p tcp -m multiport --sports 80,443 -m set --match-set zapret src" +IPT_FILTER_POST="-p tcp --dport 80 -m set --match-set zapret dst" + +iptables -t raw -C PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass || + iptables -t raw -I PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass + +iptables -t mangle -C POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass || + iptables -t mangle -I POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass diff --git a/init.d/openwrt/firewall.user.tpws_all b/init.d/openwrt/firewall.user.tpws_all index a59221e..3f30f6e 100644 --- a/init.d/openwrt/firewall.user.tpws_all +++ b/init.d/openwrt/firewall.user.tpws_all @@ -1,6 +1,6 @@ -TPPORT=1188 +TPPORT_HTTP=1188 TPWS_USER=daemon -IPT_FILTER="-p tcp --dport 80" +IPT_FILTER_HTTP="-p tcp --dport 80" . /lib/functions/network.sh @@ -10,12 +10,12 @@ for ext_iface in $wan_iface; do network_get_device DEVICE $ext_iface # DNAT for local traffic - iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT || - iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT + iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP || + iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP done network_get_device DEVICE lan sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1 -iptables -t nat -C prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT || - iptables -t nat -I prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT +iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP || + iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP 
diff --git a/init.d/openwrt/firewall.user.tpws_all_https b/init.d/openwrt/firewall.user.tpws_all_https new file mode 100644 index 0000000..6cdd2fa --- /dev/null +++ b/init.d/openwrt/firewall.user.tpws_all_https @@ -0,0 +1,27 @@ +TPPORT_HTTP=1188 +TPPORT_HTTPS=1189 +TPWS_USER=daemon +IPT_FILTER_HTTP="-p tcp --dport 80" +IPT_FILTER_HTTPS="-p tcp --dport 443" + +. /lib/functions/network.sh + +network_find_wan wan_iface + +for ext_iface in $wan_iface; do + network_get_device DEVICE $ext_iface + # DNAT for local traffic + + iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP || + iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP + iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS || + iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS + +done + +network_get_device DEVICE lan +sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1 +iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP || + iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP +iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS || + iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS diff --git a/init.d/openwrt/firewall.user.tpws_ipset b/init.d/openwrt/firewall.user.tpws_ipset index 929b4d3..53c546f 100644 --- a/init.d/openwrt/firewall.user.tpws_ipset +++ b/init.d/openwrt/firewall.user.tpws_ipset @@ -1,6 +1,6 @@ -TPPORT=1188 +TPPORT_HTTP=1188 TPWS_USER=daemon -IPT_FILTER="-p tcp --dport 80 -m set --match-set zapret dst" +IPT_FILTER_HTTP="-p tcp --dport 80 -m set --match-set zapret dst" . /lib/functions/network.sh 
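Review bot: `sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1` on the LAN device makes 127.0.0.0/8 a routable destination for packets arriving from the LAN, which is what lets the DNAT to `127.0.0.1:$TPPORT_HTTP` work, but it can also make every other service bound to 127.0.0.1 on the router reachable from LAN hosts unless the INPUT chain for that zone filters it. The file adds the two DNAT rules and nothing else, so that hardening is left to whatever the default firewall policy happens to be; consider binding tpws to the LAN address instead, or at least state the assumption next to the sysctl, e.g. `# route_localnet=1 exposes 127/8 to the LAN; relies on the lan zone INPUT policy to protect other loopback-bound services`. firewall.user.tpws_ipset_https has the same line.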
@@ -10,12 +10,12 @@ for ext_iface in $wan_iface; do network_get_device DEVICE $ext_iface # DNAT for local traffic - iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT || - iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT + iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP || + iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP done network_get_device DEVICE lan sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1 -iptables -t nat -C prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT || - iptables -t nat -I prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT +iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP || + iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP diff --git a/init.d/openwrt/firewall.user.tpws_ipset_https b/init.d/openwrt/firewall.user.tpws_ipset_https new file mode 100644 index 0000000..1738426 --- /dev/null +++ b/init.d/openwrt/firewall.user.tpws_ipset_https 
@@ -0,0 +1,27 @@
+TPPORT_HTTP=1188
+TPPORT_HTTPS=1189
+TPWS_USER=daemon
+IPT_FILTER_HTTP="-p tcp --dport 80 -m set --match-set zapret dst"
+IPT_FILTER_HTTPS="-p tcp --dport 443 -m set --match-set zapret dst"
+
+. /lib/functions/network.sh
+
+network_find_wan wan_iface
+
+for ext_iface in $wan_iface; do
+ network_get_device DEVICE $ext_iface
+ # DNAT for local traffic
+
+ iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+ iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
+ iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
+ iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
+
+done
+
+network_get_device DEVICE lan
+sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+ iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
+ iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
diff --git a/init.d/openwrt/zapret b/init.d/openwrt/zapret
index f89c441..1b0ab74 100755
--- a/init.d/openwrt/zapret
+++ b/init.d/openwrt/zapret
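Review bot: `network_get_device DEVICE $ext_iface` inside the loop is never checked, so when it yields nothing `$DEVICE` either keeps the previous iteration's value or is empty, and with an empty value the unquoted `-o $DEVICE` most likely leaves iptables with a parse error and no rule installed. Reset and guard it: `DEVICE=` before the call and `[ -n "$DEVICE" ] || continue` after it; if `network_get_device` returns non-zero when the interface has no device, `network_get_device DEVICE "$ext_iface" || continue` is shorter — worth confirming against /lib/functions/network.sh. The same loop is in firewall.user.tpws_all_https and in the pre-existing tpws_all and tpws_ipset files.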
@@ -13,19 +13,24 @@ START=18 # using nfqws with ipset #MODE=nfqws_ipset +#MODE=nfqws_ipset_https # using nfqws for all #MODE=nfqws_all +#MODE=nfqws_all_https # CHOOSE NFQWS DAEMON OPTIONS. run "nfq/nfqws --help" for option list NFQWS_OPT="--wsize=3 --hostspell=HOST" # using tpws with ipset -MODE=tpws_ipset +#MODE=tpws_ipset +MODE=tpws_ipset_https # using tpws for all #MODE=tpws_all +#MODE=tpws_all_https # using tpws with hostlist #MODE=tpws_hostlist # CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list -TPWS_OPT="--hostspell=HOST --split-http-req=method" +TPWS_OPT_HTTP="--hostspell=HOST --split-http-req=method" +TPWS_OPT_HTTPS="--split-pos=3" # only fill ipset, do not run daemons #MODE=ipset @@ -47,11 +52,14 @@ QNUM=200 NFQWS=$ZAPRET_BASE/nfq/nfqws NFQWS_OPT_BASE="--qnum=$QNUM" -TPPORT=1188 +TPPORT_HTTP=1188 +TPPORT_HTTPS=1189 TPWS=$ZAPRET_BASE/tpws/tpws TPWS_USER=daemon TPWS_HOSTLIST=$ZAPRET_BASE/ipset/zapret-hosts.txt -TPWS_OPT_BASE="--port=$TPPORT --user=$TPWS_USER --bind-addr=127.0.0.1" +TPWS_OPT_BASE="--user=$TPWS_USER --bind-addr=127.0.0.1" +TPWS_OPT_BASE_HTTP="--port=$TPPORT_HTTP $TPWS_OPT_BASE" +TPWS_OPT_BASE_HTTPS="--port=$TPPORT_HTTPS $TPWS_OPT_BASE" # must execute /etc/firewall.user on every firewall reload 
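Review bot: `TPPORT_HTTP=1188` and `TPPORT_HTTPS=1189` are now defined here and repeated as literals in every init.d/openwrt/firewall.user.tpws_* file, so the port tpws listens on and the port the DNAT rules target are coupled only by convention. If either side is edited alone, port 80/443 traffic is redirected to a local port nothing listens on and connections simply fail with nothing in the logs pointing at the cause. At minimum add `# must match TPPORT_HTTP/TPPORT_HTTPS in the firewall.user.tpws_* variant installed as /etc/firewall.user` next to the definitions (the comment below them suggests that is where the file ends up); better, have both read the values from one shared file.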
@@ -99,20 +107,22 @@ start_service() { case "${MODE}" in tpws_hostlist) - run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT --hostlist=$TPWS_HOSTLIST" + run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP --hostlist=$TPWS_HOSTLIST" ;; - tpws_ipset) + tpws_ipset|tpws_all) create_ipset - run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT" + run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP" ;; - tpws_all) - run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT" + tpws_ipset_https|tpws_all_https) + create_ipset + run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP" + run_daemon 2 $TPWS "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS" ;; - nfqws_ipset) + nfqws_ipset|nfqws_ipset_https) create_ipset run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT" ;; - nfqws_all) + nfqws_all|nfqws_all_https) run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT" ;; ipset) diff --git a/init.d/sysv/zapret b/init.d/sysv/zapret index ed2d5f5..6facc50 100755 --- a/init.d/sysv/zapret +++ b/init.d/sysv/zapret @@ -18,19 +18,24 @@ # using nfqws with ipset #MODE=nfqws_ipset +#MODE=nfqws_ipset_https # using nfqws for all #MODE=nfqws_all +#MODE=nfqws_all_https # CHOOSE NFQWS DAEMON OPTIONS. run "nfq/nfqws --help" for option list NFQWS_OPT="--wsize=3 --hostspell=HOST" # using tpws with ipset -MODE=tpws_ipset +#MODE=tpws_ipset +MODE=tpws_ipset_https # using tpws for all #MODE=tpws_all +#MODE=tpws_all_https # using tpws with hostlist #MODE=tpws_hostlist # CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list -TPWS_OPT="--hostspell=HOST --split-http-req=method" +TPWS_OPT_HTTP="--hostspell=HOST --split-http-req=method" +TPWS_OPT_HTTPS="--split-pos=3" # only fill ipset, do not run daemons #MODE=ipset 
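Review bot: Merging `tpws_ipset|tpws_all)` into one arm makes `tpws_all` call `create_ipset`, which the removed `tpws_all)` arm did not do, and `tpws_ipset_https|tpws_all_https)` repeats this for the new mode; the sysv script in this same commit keeps `tpws_all` and `tpws_all_https` free of `create_ipset`, so the two init scripts now behave differently for the same MODE. Whether the extra ipset work is harmless depends on what create_ipset does, which is outside this hunk, but an `_all` mode should not depend on the ipset at all. Keep the `_all` arms separate so each script does the same thing per MODE. start_service() begins before this hunk and continues after it.
```shell
	tpws_ipset)
		create_ipset
		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
		;;
	tpws_all)
		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
		;;
	tpws_ipset_https)
		create_ipset
		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
		run_daemon 2 $TPWS "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
		;;
	tpws_all_https)
		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
		run_daemon 2 $TPWS "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
		;;
	# … unchanged: tpws_hostlist, nfqws_* and ipset arms …
```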
@@ -58,11 +63,14 @@ QNUM=200 NFQWS=$ZAPRET_BASE/nfq/nfqws NFQWS_OPT_BASE="--qnum=$QNUM" -TPPORT=1188 +TPPORT_HTTP=1188 +TPPORT_HTTPS=1189 TPWS=$ZAPRET_BASE/tpws/tpws TPWS_USER=tpws TPWS_HOSTLIST=$ZAPRET_BASE/ipset/zapret-hosts.txt -TPWS_OPT_BASE="--port=$TPPORT --user=$TPWS_USER --bind-addr=127.0.0.1" +TPWS_OPT_BASE="--user=$TPWS_USER --bind-addr=127.0.0.1" +TPWS_OPT_BASE_HTTP="--port=$TPPORT_HTTP $TPWS_OPT_BASE" +TPWS_OPT_BASE_HTTPS="--port=$TPPORT_HTTPS $TPWS_OPT_BASE" # exit script on any error set -e 
@@ -75,25 +83,27 @@ exists() fw_tpws_add() { # $1 - iptable filter + # $2 - tpws port echo "Adding iptables rule for tpws : $1" [ -n "$SLAVE_ETH" ] && { - iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null || - iptables -t nat -I PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT + iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null || + iptables -t nat -I PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2 } - iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null || - iptables -t nat -I OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT + iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null || + iptables -t nat -I OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2 } fw_tpws_del() { # $1 - iptable filter + # $2 - tpws port echo "Deleting iptables rule for tpws : $1" [ -n "$SLAVE_ETH" ] && { - iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null && - iptables -t nat -D PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT + iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null && + iptables -t nat -D PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2 } - iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null && - iptables -t nat -D OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT + iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null && + iptables -t nat -D OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2 true } fw_nfqws_add_pre() 
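Review bot: `fw_tpws_add` and `fw_tpws_del` gain a required second argument but never validate it, and the log line still prints only `$1`, so a caller that omits the port produces `--to 127.0.0.1:` and a failed iptables call whose cause does not appear in the output. Add `: "${2:?tpws port}"` as the first statement of each function and extend the message to `echo "Adding iptables rule for tpws : $1 -> port $2"` (and the matching Deleting line). Note that in fw_tpws_del a `-C` miss falls through to the trailing `true`, so a port passed to del that differs from the one passed to add leaves the old DNAT rule in place silently; the `:?` check only catches the omitted-argument case.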
@@ -199,19 +209,34 @@ case "$1" in case "${MODE}" in tpws_hostlist) prepare_tpws - fw_tpws_add "--dport 80" - run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT --hostlist=$TPWS_HOSTLIST" + fw_tpws_add "--dport 80" $TPPORT_HTTP + run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP --hostlist=$TPWS_HOSTLIST" ;; tpws_ipset) create_ipset prepare_tpws - fw_tpws_add "--dport 80 -m set --match-set zapret dst" - run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT" + fw_tpws_add "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP + run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP" + ;; + tpws_ipset_https) + create_ipset + prepare_tpws + fw_tpws_add "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP + fw_tpws_add "--dport 443 -m set --match-set zapret dst" $TPPORT_HTTPS + run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP" + run_daemon 2 $TPWS "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS" ;; tpws_all) prepare_tpws - fw_tpws_add "--dport 80" - run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT" + fw_tpws_add "--dport 80" $TPPORT_HTTP + run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP" + ;; + tpws_all_https) + prepare_tpws + fw_tpws_add "--dport 80" $TPPORT_HTTP + fw_tpws_add "--dport 443" $TPPORT_HTTPS + run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP" + run_daemon 2 $TPWS "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS" ;; nfqws_ipset) create_ipset 
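Review bot: The iptables filter strings (`"--dport 80 -m set --match-set zapret dst"`, `"--dport 443"`, …) and the port arguments are spelled out once per mode in these start arms and again in the stop arms of the `@@ -241,23 +277,45 @@` hunk, and `fw_tpws_del` finds the rule by rebuilding the exact same command for `-C`, so any divergence between the two copies makes stop leave a DNAT rule in place that redirects port 80/443 traffic to a port nothing listens on. Hoist each filter into a variable next to the port definitions, e.g. `FILTER_HTTP_IPSET="--dport 80 -m set --match-set zapret dst"` and `FILTER_HTTPS_IPSET="--dport 443 -m set --match-set zapret dst"`, and use them in both the start and stop arms. The enclosing `case "$1" in` begins before this hunk and ends after it.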
@@ -219,11 +244,22 @@ case "$1" in fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst" run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT" ;; + nfqws_ipset_https) + create_ipset + fw_nfqws_add_pre "-m multiport --sports 80,443 -m set --match-set zapret src" + fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst" + run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT" + ;; nfqws_all) fw_nfqws_add_pre "--sport 80" fw_nfqws_add_post "--dport 80" run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT" ;; + nfqws_all_https) + fw_nfqws_add_pre "-m multiport --sports 80,443" + fw_nfqws_add_post "--dport 80" + run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT" + ;; ipset) create_ipset ;; 
@@ -241,23 +277,45 @@ case "$1" in stop) case "${MODE}" in tpws_hostlist|tpws_all) - fw_tpws_del "--dport 80" + fw_tpws_del "--dport 80" $TPPORT_HTTP stop_daemon 1 $TPWS ;; tpws_ipset) - fw_tpws_del "--dport 80 -m set --match-set zapret dst" + fw_tpws_del "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP stop_daemon 1 $TPWS ;; + tpws_ipset_https) + fw_tpws_del "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP + fw_tpws_del "--dport 443 -m set --match-set zapret dst" $TPPORT_HTTPS + stop_daemon 1 $TPWS + stop_daemon 2 $TPWS + ;; + tpws_all_https) + fw_tpws_del "--dport 80" $TPPORT_HTTP + fw_tpws_del "--dport 443" $TPPORT_HTTPS + stop_daemon 1 $TPWS + stop_daemon 2 $TPWS + ;; nfqws_ipset) fw_nfqws_del_pre "--sport 80 -m set --match-set zapret src" fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst" stop_daemon 1 $NFQWS ;; + nfqws_ipset_https) + fw_nfqws_del_pre "-m multiport --sports 80,443 -m set --match-set zapret src" + fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst" + stop_daemon 1 $NFQWS + ;; nfqws_all) fw_nfqws_del_pre "--sport 80" fw_nfqws_del_post "--dport 80" stop_daemon 1 $NFQWS ;; + nfqws_all_https) + fw_nfqws_del_pre "-m multiport --sports 80,443" + fw_nfqws_del_post "--dport 80" + stop_daemon 1 $NFQWS + ;; custom) # PLACEHOLDER echo !!! NEED ATTENTION !!! diff --git a/readme.txt b/readme.txt index 7ea7e0b..a439606 100644 --- a/readme.txt +++ b/readme.txt 
@@ -210,9 +210,13 @@ tpws должен запускаться без фильтрации по ipset. Выберите MODE. Снимите комментарий только с одного из присваиваний. nfqws_ipset - использовать nfqws для модификации трафика на порт 80 только на IP из ipset "zapret" +nfqws_ipset_https - использовать nfqws для модификации трафика на порты 80 и 443 только на IP из ipset "zapret" nfqws_all - использовать nfqws для модификации трафика на порт 80 для всех IP +nfqws_all_https - использовать nfqws для модификации трафика на порты 80 и 443 для всех IP tpws_ipset - использовать tpws для модификации трафика на порт 80 только на IP из ipset "zapret" +tpws_ipset_https - использовать tpws для модификации трафика на порты 80 и 443 только на IP из ipset "zapret" tpws_all - использовать tpws для модификации трафика на порт 80 для всех IP +tpws_all_https - использовать tpws для модификации трафика на порты 80 и 443 для всех IP tpws_hostlist - пропускать через tpws весь трафик на порт 80. tpws применяет дурение только к хостам из hostlist. ipset - только заполнить ipset. ipset может быть применен для заворота трафика на прокси или на VPN custom - нужно самому запрограммировать запуск демонов и правила iptables @@ -220,7 +224,8 @@ custom - нужно самому запрограммировать запуск Можно изменить опции дурения, применяемые демонами nfqws и tpws : NFQWS_OPT="--wsize=3 --hostspell=HOST" -TPWS_OPT="--hostspell=HOST --split-http-req=method" +TPWS_OPT_HTTP="--hostspell=HOST --split-http-req=method" +TPWS_OPT_HTTPS="--split-pos=3" Пример установки на debian-подобную систему -------------------------------------------