mirror of
https://github.com/bol-van/zapret.git
synced 2025-05-24 22:32:58 +03:00
init script http+https
This commit is contained in:
bolvan
9
init.d/openwrt/firewall.user.nfqws_all_https
Normal file
9
init.d/openwrt/firewall.user.nfqws_all_https
Normal file
@@ -0,0 +1,9 @@
|
||||
QNUM=200
|
||||
IPT_FILTER_PRE="-p tcp -m multiport --sports 80,443"
|
||||
IPT_FILTER_POST="-p tcp --dport 80"
|
||||
|
||||
iptables -t raw -C PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass ||
|
||||
iptables -t raw -I PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass
|
||||
|
||||
iptables -t mangle -C POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass ||
|
||||
iptables -t mangle -I POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass
|
||||
9
init.d/openwrt/firewall.user.nfqws_ipset_https
Normal file
9
init.d/openwrt/firewall.user.nfqws_ipset_https
Normal file
@@ -0,0 +1,9 @@
|
||||
QNUM=200
|
||||
IPT_FILTER_PRE="-p tcp -m multiport --sports 80,443 -m set --match-set zapret src"
|
||||
IPT_FILTER_POST="-p tcp --dport 80 -m set --match-set zapret dst"
|
||||
|
||||
iptables -t raw -C PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass ||
|
||||
iptables -t raw -I PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass
|
||||
|
||||
iptables -t mangle -C POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass ||
|
||||
iptables -t mangle -I POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass
|
||||
@@ -1,6 +1,6 @@
|
||||
TPPORT=1188
|
||||
TPPORT_HTTP=1188
|
||||
TPWS_USER=daemon
|
||||
IPT_FILTER="-p tcp --dport 80"
|
||||
IPT_FILTER_HTTP="-p tcp --dport 80"
|
||||
|
||||
. /lib/functions/network.sh
|
||||
|
||||
@@ -10,12 +10,12 @@ for ext_iface in $wan_iface; do
|
||||
network_get_device DEVICE $ext_iface
|
||||
# DNAT for local traffic
|
||||
|
||||
iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
|
||||
iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
|
||||
iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
|
||||
|
||||
done
|
||||
|
||||
network_get_device DEVICE lan
|
||||
sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
|
||||
iptables -t nat -C prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
|
||||
iptables -t nat -I prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
|
||||
iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
|
||||
|
||||
27
init.d/openwrt/firewall.user.tpws_all_https
Normal file
27
init.d/openwrt/firewall.user.tpws_all_https
Normal file
@@ -0,0 +1,27 @@
|
||||
TPPORT_HTTP=1188
|
||||
TPPORT_HTTPS=1189
|
||||
TPWS_USER=daemon
|
||||
IPT_FILTER_HTTP="-p tcp --dport 80"
|
||||
IPT_FILTER_HTTPS="-p tcp --dport 443"
|
||||
|
||||
. /lib/functions/network.sh
|
||||
|
||||
network_find_wan wan_iface
|
||||
|
||||
for ext_iface in $wan_iface; do
|
||||
network_get_device DEVICE $ext_iface
|
||||
# DNAT for local traffic
|
||||
|
||||
iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
|
||||
iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
|
||||
iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
|
||||
iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
|
||||
|
||||
done
|
||||
|
||||
network_get_device DEVICE lan
|
||||
sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
|
||||
iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
|
||||
iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
|
||||
iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
|
||||
iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
|
||||
@@ -1,6 +1,6 @@
|
||||
TPPORT=1188
|
||||
TPPORT_HTTP=1188
|
||||
TPWS_USER=daemon
|
||||
IPT_FILTER="-p tcp --dport 80 -m set --match-set zapret dst"
|
||||
IPT_FILTER_HTTP="-p tcp --dport 80 -m set --match-set zapret dst"
|
||||
|
||||
. /lib/functions/network.sh
|
||||
|
||||
@@ -10,12 +10,12 @@ for ext_iface in $wan_iface; do
|
||||
network_get_device DEVICE $ext_iface
|
||||
# DNAT for local traffic
|
||||
|
||||
iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
|
||||
iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
|
||||
iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
|
||||
|
||||
done
|
||||
|
||||
network_get_device DEVICE lan
|
||||
sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
|
||||
iptables -t nat -C prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
|
||||
iptables -t nat -I prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
|
||||
iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
|
||||
|
||||
27
init.d/openwrt/firewall.user.tpws_ipset_https
Normal file
27
init.d/openwrt/firewall.user.tpws_ipset_https
Normal file
@@ -0,0 +1,27 @@
|
||||
TPPORT_HTTP=1188
|
||||
TPPORT_HTTPS=1189
|
||||
TPWS_USER=daemon
|
||||
IPT_FILTER_HTTP="-p tcp --dport 80 -m set --match-set zapret dst"
|
||||
IPT_FILTER_HTTPS="-p tcp --dport 443 -m set --match-set zapret dst"
|
||||
|
||||
. /lib/functions/network.sh
|
||||
|
||||
network_find_wan wan_iface
|
||||
|
||||
for ext_iface in $wan_iface; do
|
||||
network_get_device DEVICE $ext_iface
|
||||
# DNAT for local traffic
|
||||
|
||||
iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
|
||||
iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
|
||||
iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
|
||||
iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
|
||||
|
||||
done
|
||||
|
||||
network_get_device DEVICE lan
|
||||
sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
|
||||
iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
|
||||
iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
|
||||
iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
|
||||
iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
|
||||
@@ -13,19 +13,24 @@ START=18
|
||||
|
||||
# using nfqws with ipset
|
||||
#MODE=nfqws_ipset
|
||||
#MODE=nfqws_ipset_https
|
||||
# using nfqws for all
|
||||
#MODE=nfqws_all
|
||||
#MODE=nfqws_all_https
|
||||
# CHOOSE NFQWS DAEMON OPTIONS. run "nfq/nfqws --help" for option list
|
||||
NFQWS_OPT="--wsize=3 --hostspell=HOST"
|
||||
|
||||
# using tpws with ipset
|
||||
MODE=tpws_ipset
|
||||
#MODE=tpws_ipset
|
||||
MODE=tpws_ipset_https
|
||||
# using tpws for all
|
||||
#MODE=tpws_all
|
||||
#MODE=tpws_all_https
|
||||
# using tpws with hostlist
|
||||
#MODE=tpws_hostlist
|
||||
# CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
|
||||
TPWS_OPT="--hostspell=HOST --split-http-req=method"
|
||||
TPWS_OPT_HTTP="--hostspell=HOST --split-http-req=method"
|
||||
TPWS_OPT_HTTPS="--split-pos=3"
|
||||
|
||||
# only fill ipset, do not run daemons
|
||||
#MODE=ipset
|
||||
@@ -47,11 +52,14 @@ QNUM=200
|
||||
NFQWS=$ZAPRET_BASE/nfq/nfqws
|
||||
NFQWS_OPT_BASE="--qnum=$QNUM"
|
||||
|
||||
TPPORT=1188
|
||||
TPPORT_HTTP=1188
|
||||
TPPORT_HTTPS=1189
|
||||
TPWS=$ZAPRET_BASE/tpws/tpws
|
||||
TPWS_USER=daemon
|
||||
TPWS_HOSTLIST=$ZAPRET_BASE/ipset/zapret-hosts.txt
|
||||
TPWS_OPT_BASE="--port=$TPPORT --user=$TPWS_USER --bind-addr=127.0.0.1"
|
||||
TPWS_OPT_BASE="--user=$TPWS_USER --bind-addr=127.0.0.1"
|
||||
TPWS_OPT_BASE_HTTP="--port=$TPPORT_HTTP $TPWS_OPT_BASE"
|
||||
TPWS_OPT_BASE_HTTPS="--port=$TPPORT_HTTPS $TPWS_OPT_BASE"
|
||||
|
||||
|
||||
# must execute /etc/firewall.user on every firewall reload
|
||||
@@ -99,20 +107,22 @@ start_service() {
|
||||
|
||||
case "${MODE}" in
|
||||
tpws_hostlist)
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT --hostlist=$TPWS_HOSTLIST"
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP --hostlist=$TPWS_HOSTLIST"
|
||||
;;
|
||||
tpws_ipset)
|
||||
tpws_ipset|tpws_all)
|
||||
create_ipset
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT"
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
|
||||
;;
|
||||
tpws_all)
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT"
|
||||
tpws_ipset_https|tpws_all_https)
|
||||
create_ipset
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
|
||||
run_daemon 2 $TPWS "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
|
||||
;;
|
||||
nfqws_ipset)
|
||||
nfqws_ipset|nfqws_ipset_https)
|
||||
create_ipset
|
||||
run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
|
||||
;;
|
||||
nfqws_all)
|
||||
nfqws_all|nfqws_all_https)
|
||||
run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
|
||||
;;
|
||||
ipset)
|
||||
|
||||
Reference in New Issue
Block a user