init script http+https
This commit is contained in:
parent
f59feffd8c
commit
2acd50e130
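--- a/init.d/openwrt/firewall.user.nfqws_all_https
+++ b/init.d/openwrt/firewall.user.nfqws_all_https
@@ -0,0 +1,9 @@
+QNUM=200
+IPT_FILTER_PRE="-p tcp -m multiport --sports 80,443"
+IPT_FILTER_POST="-p tcp --dport 80"
+
+iptables -t raw -C PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass ||
+iptables -t raw -I PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass
+
+iptables -t mangle -C POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass ||
+iptables -t mangle -I POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass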
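Review bot: `QNUM=200` is hardcoded here (and again in firewall.user.nfqws_ipset_https) independently of the `QNUM` the init script hands to nfqws through `NFQWS_OPT_BASE="--qnum=$QNUM"`, and nothing checks that the two agree. If they drift apart the NFQUEUE rule points at a queue nobody reads, and because the rule carries `--queue-bypass` the packets then flow through unmodified, so the processing silently stops instead of failing visibly. A comment on the first line, `# QNUM must match QNUM in the zapret init script (nfqws --qnum)`, makes the coupling explicit. Separately, the two `-C` probes let iptables write an error line to stderr on every firewall reload where the rule is not yet present, whereas `fw_tpws_add` in the other init script quiets the same probe with `2>/dev/null`; appending `2>/dev/null` to each `-C` keeps the reload log clean.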
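--- a/init.d/openwrt/firewall.user.nfqws_ipset_https
+++ b/init.d/openwrt/firewall.user.nfqws_ipset_https
@@ -0,0 +1,9 @@
+QNUM=200
+IPT_FILTER_PRE="-p tcp -m multiport --sports 80,443 -m set --match-set zapret src"
+IPT_FILTER_POST="-p tcp --dport 80 -m set --match-set zapret dst"
+
+iptables -t raw -C PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass ||
+iptables -t raw -I PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass
+
+iptables -t mangle -C POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass ||
+iptables -t mangle -I POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass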
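Review bot: Both rules depend on `-m set --match-set zapret src|dst`, so if the `zapret` set does not exist at the moment this fragment runs, the `-I` fails and no rule is installed until the next firewall reload; with `--queue-bypass` nothing else signals the gap, and port 80/443 traffic simply passes unprocessed. Whether that ordering can occur depends on when the firewall reload runs relative to `create_ipset` in the init script (only `START=18` is visible in a later hunk, the firewall's own start order is not), so it needs confirming on a real boot; at minimum a comment, `# requires ipset "zapret" to exist (created by the zapret init script)`, records the dependency. The same applies to firewall.user.tpws_ipset_https, where a missing set leaves the DNAT rules absent.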
@ -1,6 +1,6 @@
|
||||
TPPORT=1188
|
||||
TPPORT_HTTP=1188
|
||||
TPWS_USER=daemon
|
||||
IPT_FILTER="-p tcp --dport 80"
|
||||
IPT_FILTER_HTTP="-p tcp --dport 80"
|
||||
|
||||
. /lib/functions/network.sh
|
||||
|
||||
@ -10,12 +10,12 @@ for ext_iface in $wan_iface; do
|
||||
network_get_device DEVICE $ext_iface
|
||||
# DNAT for local traffic
|
||||
|
||||
iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
|
||||
iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
|
||||
iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
|
||||
|
||||
done
|
||||
|
||||
network_get_device DEVICE lan
|
||||
sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
|
||||
iptables -t nat -C prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
|
||||
iptables -t nat -I prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
|
||||
iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
|
||||
|
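--- a/init.d/openwrt/firewall.user.tpws_all_https
+++ b/init.d/openwrt/firewall.user.tpws_all_https
@@ -0,0 +1,27 @@
+TPPORT_HTTP=1188
+TPPORT_HTTPS=1189
+TPWS_USER=daemon
+IPT_FILTER_HTTP="-p tcp --dport 80"
+IPT_FILTER_HTTPS="-p tcp --dport 443"
+
+. /lib/functions/network.sh
+
+network_find_wan wan_iface
+
+for ext_iface in $wan_iface; do
+network_get_device DEVICE $ext_iface
+# DNAT for local traffic
+
+iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
+iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
+iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
+
+done
+
+network_get_device DEVICE lan
+sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
+iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS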
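Review bot: `TPPORT_HTTP`, `TPPORT_HTTPS` and `TPWS_USER` are re-declared at the top of this file (and of firewall.user.tpws_ipset_https) instead of being shared with the init script, which sets the same three values in its own hunk, and a mismatch between the copies is not detected anywhere. Unlike the nfqws fragments, whose NFQUEUE rules carry `--queue-bypass`, these DNAT rules fail closed: if the instance started by `run_daemon 2` is not listening on 127.0.0.1:$TPPORT_HTTPS, every LAN and router-local connection to port 443 is steered into a closed port and refused, so the new port-443 rule extends the impact of a tpws start failure from HTTP to HTTPS. A header comment, `# TPPORT_HTTP/TPPORT_HTTPS/TPWS_USER must match the zapret init script; these DNAT rules fail closed when tpws is not running`, records both facts for whoever edits one file without the other.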
@ -1,6 +1,6 @@
|
||||
TPPORT=1188
|
||||
TPPORT_HTTP=1188
|
||||
TPWS_USER=daemon
|
||||
IPT_FILTER="-p tcp --dport 80 -m set --match-set zapret dst"
|
||||
IPT_FILTER_HTTP="-p tcp --dport 80 -m set --match-set zapret dst"
|
||||
|
||||
. /lib/functions/network.sh
|
||||
|
||||
@ -10,12 +10,12 @@ for ext_iface in $wan_iface; do
|
||||
network_get_device DEVICE $ext_iface
|
||||
# DNAT for local traffic
|
||||
|
||||
iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
|
||||
iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
|
||||
iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
|
||||
|
||||
done
|
||||
|
||||
network_get_device DEVICE lan
|
||||
sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
|
||||
iptables -t nat -C prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
|
||||
iptables -t nat -I prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
|
||||
iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
|
||||
|
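--- a/init.d/openwrt/firewall.user.tpws_ipset_https
+++ b/init.d/openwrt/firewall.user.tpws_ipset_https
@@ -0,0 +1,27 @@
+TPPORT_HTTP=1188
+TPPORT_HTTPS=1189
+TPWS_USER=daemon
+IPT_FILTER_HTTP="-p tcp --dport 80 -m set --match-set zapret dst"
+IPT_FILTER_HTTPS="-p tcp --dport 443 -m set --match-set zapret dst"
+
+. /lib/functions/network.sh
+
+network_find_wan wan_iface
+
+for ext_iface in $wan_iface; do
+network_get_device DEVICE $ext_iface
+# DNAT for local traffic
+
+iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
+iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
+iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
+
+done
+
+network_get_device DEVICE lan
+sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
+iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS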
@ -13,19 +13,24 @@ START=18
|
||||
|
||||
# using nfqws with ipset
|
||||
#MODE=nfqws_ipset
|
||||
#MODE=nfqws_ipset_https
|
||||
# using nfqws for all
|
||||
#MODE=nfqws_all
|
||||
#MODE=nfqws_all_https
|
||||
# CHOOSE NFQWS DAEMON OPTIONS. run "nfq/nfqws --help" for option list
|
||||
NFQWS_OPT="--wsize=3 --hostspell=HOST"
|
||||
|
||||
# using tpws with ipset
|
||||
MODE=tpws_ipset
|
||||
#MODE=tpws_ipset
|
||||
MODE=tpws_ipset_https
|
||||
# using tpws for all
|
||||
#MODE=tpws_all
|
||||
#MODE=tpws_all_https
|
||||
# using tpws with hostlist
|
||||
#MODE=tpws_hostlist
|
||||
# CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
|
||||
TPWS_OPT="--hostspell=HOST --split-http-req=method"
|
||||
TPWS_OPT_HTTP="--hostspell=HOST --split-http-req=method"
|
||||
TPWS_OPT_HTTPS="--split-pos=3"
|
||||
|
||||
# only fill ipset, do not run daemons
|
||||
#MODE=ipset
|
||||
@ -47,11 +52,14 @@ QNUM=200
|
||||
NFQWS=$ZAPRET_BASE/nfq/nfqws
|
||||
NFQWS_OPT_BASE="--qnum=$QNUM"
|
||||
|
||||
TPPORT=1188
|
||||
TPPORT_HTTP=1188
|
||||
TPPORT_HTTPS=1189
|
||||
TPWS=$ZAPRET_BASE/tpws/tpws
|
||||
TPWS_USER=daemon
|
||||
TPWS_HOSTLIST=$ZAPRET_BASE/ipset/zapret-hosts.txt
|
||||
TPWS_OPT_BASE="--port=$TPPORT --user=$TPWS_USER --bind-addr=127.0.0.1"
|
||||
TPWS_OPT_BASE="--user=$TPWS_USER --bind-addr=127.0.0.1"
|
||||
TPWS_OPT_BASE_HTTP="--port=$TPPORT_HTTP $TPWS_OPT_BASE"
|
||||
TPWS_OPT_BASE_HTTPS="--port=$TPPORT_HTTPS $TPWS_OPT_BASE"
|
||||
|
||||
|
||||
# must execute /etc/firewall.user on every firewall reload
|
||||
@ -99,20 +107,22 @@ start_service() {
|
||||
|
||||
case "${MODE}" in
|
||||
tpws_hostlist)
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT --hostlist=$TPWS_HOSTLIST"
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP --hostlist=$TPWS_HOSTLIST"
|
||||
;;
|
||||
tpws_ipset)
|
||||
tpws_ipset|tpws_all)
|
||||
create_ipset
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT"
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
|
||||
;;
|
||||
tpws_all)
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT"
|
||||
tpws_ipset_https|tpws_all_https)
|
||||
create_ipset
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
|
||||
run_daemon 2 $TPWS "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
|
||||
;;
|
||||
nfqws_ipset)
|
||||
nfqws_ipset|nfqws_ipset_https)
|
||||
create_ipset
|
||||
run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
|
||||
;;
|
||||
nfqws_all)
|
||||
nfqws_all|nfqws_all_https)
|
||||
run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
|
||||
;;
|
||||
ipset)
|
||||
|
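Review bot: Folding `tpws_all` into the `tpws_ipset|tpws_all)` arm and `tpws_all_https` into `tpws_ipset_https|tpws_all_https)` makes the `_all` modes call `create_ipset` as well, which the old `tpws_all)` arm did not do and which the `nfqws_all|nfqws_all_https)` arm further down still avoids; the `_all` firewall fragments contain no `-m set` match, so the set is built and never consulted, and any failure inside `create_ipset` now affects a mode that was meant to be independent of it. Keep the daemon launch shared but make the ipset step conditional, replacing the bare `create_ipset` in both tpws arms with `case "${MODE}" in *_ipset|*_ipset_https) create_ipset ;; esac`. `start_service()` begins before this hunk.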
@ -18,19 +18,24 @@
|
||||
|
||||
# using nfqws with ipset
|
||||
#MODE=nfqws_ipset
|
||||
#MODE=nfqws_ipset_https
|
||||
# using nfqws for all
|
||||
#MODE=nfqws_all
|
||||
#MODE=nfqws_all_https
|
||||
# CHOOSE NFQWS DAEMON OPTIONS. run "nfq/nfqws --help" for option list
|
||||
NFQWS_OPT="--wsize=3 --hostspell=HOST"
|
||||
|
||||
# using tpws with ipset
|
||||
MODE=tpws_ipset
|
||||
#MODE=tpws_ipset
|
||||
MODE=tpws_ipset_https
|
||||
# using tpws for all
|
||||
#MODE=tpws_all
|
||||
#MODE=tpws_all_https
|
||||
# using tpws with hostlist
|
||||
#MODE=tpws_hostlist
|
||||
# CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
|
||||
TPWS_OPT="--hostspell=HOST --split-http-req=method"
|
||||
TPWS_OPT_HTTP="--hostspell=HOST --split-http-req=method"
|
||||
TPWS_OPT_HTTPS="--split-pos=3"
|
||||
|
||||
# only fill ipset, do not run daemons
|
||||
#MODE=ipset
|
||||
@ -58,11 +63,14 @@ QNUM=200
|
||||
NFQWS=$ZAPRET_BASE/nfq/nfqws
|
||||
NFQWS_OPT_BASE="--qnum=$QNUM"
|
||||
|
||||
TPPORT=1188
|
||||
TPPORT_HTTP=1188
|
||||
TPPORT_HTTPS=1189
|
||||
TPWS=$ZAPRET_BASE/tpws/tpws
|
||||
TPWS_USER=tpws
|
||||
TPWS_HOSTLIST=$ZAPRET_BASE/ipset/zapret-hosts.txt
|
||||
TPWS_OPT_BASE="--port=$TPPORT --user=$TPWS_USER --bind-addr=127.0.0.1"
|
||||
TPWS_OPT_BASE="--user=$TPWS_USER --bind-addr=127.0.0.1"
|
||||
TPWS_OPT_BASE_HTTP="--port=$TPPORT_HTTP $TPWS_OPT_BASE"
|
||||
TPWS_OPT_BASE_HTTPS="--port=$TPPORT_HTTPS $TPWS_OPT_BASE"
|
||||
|
||||
# exit script on any error
|
||||
set -e
|
||||
@ -75,25 +83,27 @@ exists()
|
||||
fw_tpws_add()
|
||||
{
|
||||
# $1 - iptable filter
|
||||
# $2 - tpws port
|
||||
echo "Adding iptables rule for tpws : $1"
|
||||
[ -n "$SLAVE_ETH" ] && {
|
||||
iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
|
||||
iptables -t nat -I PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null ||
|
||||
iptables -t nat -I PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2
|
||||
}
|
||||
iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
|
||||
iptables -t nat -I OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null ||
|
||||
iptables -t nat -I OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2
|
||||
|
||||
}
|
||||
fw_tpws_del()
|
||||
{
|
||||
# $1 - iptable filter
|
||||
# $2 - tpws port
|
||||
echo "Deleting iptables rule for tpws : $1"
|
||||
[ -n "$SLAVE_ETH" ] && {
|
||||
iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null &&
|
||||
iptables -t nat -D PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null &&
|
||||
iptables -t nat -D PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2
|
||||
}
|
||||
iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null &&
|
||||
iptables -t nat -D OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
|
||||
iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null &&
|
||||
iptables -t nat -D OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2
|
||||
true
|
||||
}
|
||||
fw_nfqws_add_pre()
|
||||
@ -199,19 +209,34 @@ case "$1" in
|
||||
case "${MODE}" in
|
||||
tpws_hostlist)
|
||||
prepare_tpws
|
||||
fw_tpws_add "--dport 80"
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT --hostlist=$TPWS_HOSTLIST"
|
||||
fw_tpws_add "--dport 80" $TPPORT_HTTP
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP --hostlist=$TPWS_HOSTLIST"
|
||||
;;
|
||||
tpws_ipset)
|
||||
create_ipset
|
||||
prepare_tpws
|
||||
fw_tpws_add "--dport 80 -m set --match-set zapret dst"
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT"
|
||||
fw_tpws_add "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
|
||||
;;
|
||||
tpws_ipset_https)
|
||||
create_ipset
|
||||
prepare_tpws
|
||||
fw_tpws_add "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP
|
||||
fw_tpws_add "--dport 443 -m set --match-set zapret dst" $TPPORT_HTTPS
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
|
||||
run_daemon 2 $TPWS "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
|
||||
;;
|
||||
tpws_all)
|
||||
prepare_tpws
|
||||
fw_tpws_add "--dport 80"
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT"
|
||||
fw_tpws_add "--dport 80" $TPPORT_HTTP
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
|
||||
;;
|
||||
tpws_all_https)
|
||||
prepare_tpws
|
||||
fw_tpws_add "--dport 80" $TPPORT_HTTP
|
||||
fw_tpws_add "--dport 443" $TPPORT_HTTPS
|
||||
run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
|
||||
run_daemon 2 $TPWS "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
|
||||
;;
|
||||
nfqws_ipset)
|
||||
create_ipset
|
||||
@ -219,11 +244,22 @@ case "$1" in
|
||||
fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst"
|
||||
run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
|
||||
;;
|
||||
nfqws_ipset_https)
|
||||
create_ipset
|
||||
fw_nfqws_add_pre "-m multiport --sports 80,443 -m set --match-set zapret src"
|
||||
fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst"
|
||||
run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
|
||||
;;
|
||||
nfqws_all)
|
||||
fw_nfqws_add_pre "--sport 80"
|
||||
fw_nfqws_add_post "--dport 80"
|
||||
run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
|
||||
;;
|
||||
nfqws_all_https)
|
||||
fw_nfqws_add_pre "-m multiport --sports 80,443"
|
||||
fw_nfqws_add_post "--dport 80"
|
||||
run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
|
||||
;;
|
||||
ipset)
|
||||
create_ipset
|
||||
;;
|
||||
@ -241,23 +277,45 @@ case "$1" in
|
||||
stop)
|
||||
case "${MODE}" in
|
||||
tpws_hostlist|tpws_all)
|
||||
fw_tpws_del "--dport 80"
|
||||
fw_tpws_del "--dport 80" $TPPORT_HTTP
|
||||
stop_daemon 1 $TPWS
|
||||
;;
|
||||
tpws_ipset)
|
||||
fw_tpws_del "--dport 80 -m set --match-set zapret dst"
|
||||
fw_tpws_del "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP
|
||||
stop_daemon 1 $TPWS
|
||||
;;
|
||||
tpws_ipset_https)
|
||||
fw_tpws_del "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP
|
||||
fw_tpws_del "--dport 443 -m set --match-set zapret dst" $TPPORT_HTTPS
|
||||
stop_daemon 1 $TPWS
|
||||
stop_daemon 2 $TPWS
|
||||
;;
|
||||
tpws_all_https)
|
||||
fw_tpws_del "--dport 80" $TPPORT_HTTP
|
||||
fw_tpws_del "--dport 443" $TPPORT_HTTPS
|
||||
stop_daemon 1 $TPWS
|
||||
stop_daemon 2 $TPWS
|
||||
;;
|
||||
nfqws_ipset)
|
||||
fw_nfqws_del_pre "--sport 80 -m set --match-set zapret src"
|
||||
fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst"
|
||||
stop_daemon 1 $NFQWS
|
||||
;;
|
||||
nfqws_ipset_https)
|
||||
fw_nfqws_del_pre "-m multiport --sports 80,443 -m set --match-set zapret src"
|
||||
fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst"
|
||||
stop_daemon 1 $NFQWS
|
||||
;;
|
||||
nfqws_all)
|
||||
fw_nfqws_del_pre "--sport 80"
|
||||
fw_nfqws_del_post "--dport 80"
|
||||
stop_daemon 1 $NFQWS
|
||||
;;
|
||||
nfqws_all_https)
|
||||
fw_nfqws_del_pre "-m multiport --sports 80,443"
|
||||
fw_nfqws_del_post "--dport 80"
|
||||
stop_daemon 1 $NFQWS
|
||||
;;
|
||||
custom)
|
||||
# PLACEHOLDER
|
||||
echo !!! NEED ATTENTION !!!
|
||||
|
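Review bot: `fw_tpws_add` and `fw_tpws_del` now take the tpws port as `$2` but never validate it, and each iptables line interpolates `127.0.0.1:$2`; a call that omits the port produces `--to 127.0.0.1:`, which in `fw_tpws_add` makes iptables error out and, with `set -e` in effect from earlier in the file, aborts start after `prepare_tpws` has already run, while in `fw_tpws_del` the `-C` probe fails behind `2>/dev/null` and the trailing `true` hides it, so the DNAT rules survive stop and keep steering port 80/443 traffic into a port with no listener. Add a guard as the first statement of each function, `[ -n "$2" ] || { echo "fw_tpws_add: tpws port required" >&2; return 1; }` (and the `fw_tpws_del` counterpart), which is cheap and turns the silent failure into a visible one. Since every new call in the start and stop arms threads the same `$2`, the guard also catches any future arm that copies the old one-argument form.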
@ -210,9 +210,13 @@ tpws должен запускаться без фильтрации по ipset.
|
||||
Выберите MODE. Снимите комментарий только с одного из присваиваний.
|
||||
|
||||
nfqws_ipset - использовать nfqws для модификации трафика на порт 80 только на IP из ipset "zapret"
|
||||
nfqws_ipset_https - использовать nfqws для модификации трафика на порты 80 и 443 только на IP из ipset "zapret"
|
||||
nfqws_all - использовать nfqws для модификации трафика на порт 80 для всех IP
|
||||
nfqws_all_https - использовать nfqws для модификации трафика на порты 80 и 443 для всех IP
|
||||
tpws_ipset - использовать tpws для модификации трафика на порт 80 только на IP из ipset "zapret"
|
||||
tpws_ipset_https - использовать tpws для модификации трафика на порты 80 и 443 только на IP из ipset "zapret"
|
||||
tpws_all - использовать tpws для модификации трафика на порт 80 для всех IP
|
||||
tpws_all_https - использовать tpws для модификации трафика на порты 80 и 443 для всех IP
|
||||
tpws_hostlist - пропускать через tpws весь трафик на порт 80. tpws применяет дурение только к хостам из hostlist.
|
||||
ipset - только заполнить ipset. ipset может быть применен для заворота трафика на прокси или на VPN
|
||||
custom - нужно самому запрограммировать запуск демонов и правила iptables
|
||||
@ -220,7 +224,8 @@ custom - нужно самому запрограммировать запуск
|
||||
Можно изменить опции дурения, применяемые демонами nfqws и tpws :
|
||||
|
||||
NFQWS_OPT="--wsize=3 --hostspell=HOST"
|
||||
TPWS_OPT="--hostspell=HOST --split-http-req=method"
|
||||
TPWS_OPT_HTTP="--hostspell=HOST --split-http-req=method"
|
||||
TPWS_OPT_HTTPS="--split-pos=3"
|
||||
|
||||
Пример установки на debian-подобную систему
|
||||
-------------------------------------------
|
||||
|