From 3d08e29fe61f897c08a580b5f4be0c03581a788b Mon Sep 17 00:00:00 2001
From: bolvan
Date: Fri, 26 Feb 2016 11:09:31 +0300
Subject: [PATCH] openwrt hotplug.d removed

---
 changes.txt | 4 ++++
 init.d/openwrt/99-zapret | 35 ------------------------------
 init.d/openwrt/firewall.user.domru | 23 ++++++++++++++++++++
 init.d/openwrt/zapret | 23 +++++++++++++++++++-
 readme.txt | 6 ++---
 5 files changed, 51 insertions(+), 40 deletions(-)
 delete mode 100644 init.d/openwrt/99-zapret
 create mode 100644 init.d/openwrt/firewall.user.domru

diff --git a/changes.txt b/changes.txt
index ab04bd6..05a49b2 100644
--- a/changes.txt
+++ b/changes.txt
@@ -38,3 +38,7 @@ ipset : added "get_antizapret.sh"
 v7
 tpws : added ability to insert "." after Host: name
+
+v8
+
+openwrt init : removed hotplug.d/firewall because of race conditions. now only use /etc/firewall.user
diff --git a/init.d/openwrt/99-zapret b/init.d/openwrt/99-zapret
deleted file mode 100644
index 9bd757b..0000000
--- a/init.d/openwrt/99-zapret
+++ /dev/null
@@ -1,35 +0,0 @@
-# copy it to /etc/hotplug.d/firewall/99-zapret
-
-# CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE.
-# if your ISP not in list then comment all lines
-ISP=domru
-
-TPPORT=1188
-TPWS_USER=daemon
-
-case "$ACTION" in
- add)
- case "$ISP" in
- domru)
- case "$INTERFACE" in
- wan)
- # BLOCK SPOOFED DNS FROM DOMRU
- iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
- iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
- iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
- iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
- # DNAT for local traffic
- iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
- iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
- ;;
-
- lan)
- # DNAT for pass-thru traffic
- sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
- iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
- iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
- ;;
- esac
- ;;
- esac
-esac
diff --git a/init.d/openwrt/firewall.user.domru b/init.d/openwrt/firewall.user.domru
new file mode 100644
index 0000000..1f94585
--- /dev/null
+++ b/init.d/openwrt/firewall.user.domru
@@ -0,0 +1,23 @@
+TPPORT=1188
+TPWS_USER=daemon
+
+. /lib/functions/network.sh
+
+network_find_wan wan_iface
+
+for ext_iface in $wan_iface; do
+ network_get_device DEVICE $ext_iface
+ # BLOCK SPOOFED DNS FROM DOMRU
+ iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
+ iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
+ iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
+ iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
+ # DNAT for local traffic
+ iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
+ iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+
+done
+
+sysctl -w net.ipv4.conf.br-lan.route_localnet=1
+iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
+ iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
diff --git a/init.d/openwrt/zapret b/init.d/openwrt/zapret
index 6936dfe..fb256e7 100755
--- a/init.d/openwrt/zapret
+++ b/init.d/openwrt/zapret
@@ -7,7 +7,7 @@
 #ISP=beeline
 ISP=domru
-# !!!!! in openwrt you need to add firewall rules manually to /etc/firewall.user or /etc/hotplug.d/firewall/99-zapret
+# !!!!! in openwrt you need to add firewall rules manually to /etc/firewall.user
 QNUM=200
 TPPORT=1188
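Review bot: `DEVICE` is never validated after `network_get_device DEVICE $ext_iface` on the second line of the for loop, so when the lookup yields nothing the unquoted `-i $DEVICE` / `-o $DEVICE` expand to nothing and `-i` swallows the following option, leaving the DNS drop and DNAT rules unapplied for that interface (or, on a later iteration, applied against the previous device's name). Clear and check it before the iptables calls: `DEVICE=` / `network_get_device DEVICE "$ext_iface"` / `[ -n "$DEVICE" ] || continue`. The LAN side hard-codes `br-lan` in the `sysctl` near the end of the hunk, whereas the removed hotplug script took the lan device from the event; `network_get_device lan_dev lan` would keep that portable across bridge names. The removed file carried `# DNAT for pass-thru traffic` above the `route_localnet=1` line and the new file drops it; since that sysctl is what makes DNAT to 127.0.0.1 reachable from the LAN bridge, keeping a comment such as `# route_localnet is required for DNAT to 127.0.0.1 from the lan bridge` records why the setting is widened.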
@@ -20,6 +20,26 @@ TPWS_USER=daemon
 # start betfore firewall - we need ipset populated
 START=18
+
+# must execute /etc/firewall.user on every firewall reload
+set_firewall_user_reload() {
+ i=0
+ while true
+ do
+ path=$(uci -q get firewall.@include[$i].path)
+ [ -n "$path" ] || break
+ [ "$path" == "/etc/firewall.user" ] && {
+ reload=$(uci -q get firewall.@include[$i].reload)
+ [ "$reload" = "1" ] || {
+ echo Setting 'reload' call option to /etc/firewall.user
+ uci set firewall.@include[$i].reload=1
+ uci commit firewall
+ }
+ }
+ i=$((i+1))
+ done
+}
+
 get_daemon() {
 case "${ISP}" in
 mns)
@@ -43,6 +63,7 @@ get_daemon() {
 start() {
+ set_firewall_user_reload
 echo "Creating ipset"
 ($IPSET_CR)
diff --git a/readme.txt b/readme.txt
index ad6aec7..34340bc 100644
--- a/readme.txt
+++ b/readme.txt
@@ -1,4 +1,4 @@
-zapret v.7
+zapret v.8
 Для чего это надо
 -----------------
@@ -242,9 +242,7 @@ opkg install iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptable
 В /etc/init.d/zapret выбрать пераметр "ISP". В зависимости от него будут применены нужные правила.
 /etc/init.d/zapret enable
 /etc/init.d/zapret start
-В зависимости от вашего провайдера либо внести нужные записи в /etc/firewall.user, либо
-скопировать 99-zapret в /etc/hotplug.d/firewall (сначала нужно mkdir /etc/hotplug.d/firewall).
-В /etc/hotplug.d/firewall/99-zapret выбрать нужного провайдера.
+В зависимости от вашего провайдера внести нужные записи в /etc/firewall.user.
 /etc/init.d/firewall restart
 Посмотреть через iptables -L или через luci вкладку "firewall" появились ли нужные правила.
 Зашедулить задание обновления листа :
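Review bot: The `uci` arguments in `set_firewall_user_reload` such as `firewall.@include[$i].path` are unquoted, so the bracket expression is subject to pathname expansion in the shell running this init script; quote them, e.g. `path=$(uci -q get "firewall.@include[$i].path")`, and likewise on the `reload` get and the `uci set` line. The same function compares with `[ "$path" == ... ]` on one line and `[ "$reload" = "1" ]` a few lines later; `=` is the POSIX form and should be used in both, since rc.common init scripts are typically run by busybox ash rather than bash. The single quotes in `echo Setting 'reload' call option to /etc/firewall.user` are consumed by the shell, so the message prints without them; `echo "Setting 'reload' call option to /etc/firewall.user"` keeps the intended text. `i`, `path` and `reload` are left as globals of the init script; a `local i path reload` at the top of the function would contain them. The loop also breaks on the first include section that has no `path`, which presumably ends the scan early if such a section precedes the /etc/firewall.user entry — worth a comment if that ordering is assumed.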