drygdryg/zapret
1
0
Fork 0
mirror of https://github.com/bol-van/zapret.git synced 2024-12-04 15:40:52 +03:00
Code Issues Packages Projects Releases Wiki Activity

openwrt hotplug.d removed

Browse Source
This commit is contained in:
bolvan 2016-02-26 11:09:31 +03:00
parent 5c8f4c2d66
commit 3d08e29fe6
5 changed files with 51 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
changes.txt
View File

@ -38,3 +38,7 @@ ipset : added "get_antizapret.sh"
v7 v7
tpws : added ability to insert "." after Host: name tpws : added ability to insert "." after Host: name
v8
openwrt init : removed hotplug.d/firewall because of race conditions. now only use /etc/firewall.user

35
init.d/openwrt/99-zapret
View File

@ -1,35 +0,0 @@
# copy it to /etc/hotplug.d/firewall/99-zapret
# CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE.
# if your ISP not in list then comment all lines
ISP=domru
TPPORT=1188
TPWS_USER=daemon
case "$ACTION" in
add)
case "$ISP" in
domru)
case "$INTERFACE" in
wan)
# BLOCK SPOOFED DNS FROM DOMRU
iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
# DNAT for local traffic
iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
;;
lan)
# DNAT for pass-thru traffic
sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
;;
esac
;;
esac
esac

23
init.d/openwrt/firewall.user.domru Normal file
View File

@ -0,0 +1,23 @@
TPPORT=1188
TPWS_USER=daemon
. /lib/functions/network.sh
network_find_wan wan_iface
for ext_iface in $wan_iface; do
network_get_device DEVICE $ext_iface
# BLOCK SPOOFED DNS FROM DOMRU
iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
# DNAT for local traffic
iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
done
sysctl -w net.ipv4.conf.br-lan.route_localnet=1
iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT

23
init.d/openwrt/zapret
View File

@ -7,7 +7,7 @@
#ISP=beeline #ISP=beeline
ISP=domru ISP=domru
# !!!!! in openwrt you need to add firewall rules manually to /etc/firewall.user or /etc/hotplug.d/firewall/99-zapret # !!!!! in openwrt you need to add firewall rules manually to /etc/firewall.user
QNUM=200 QNUM=200
TPPORT=1188 TPPORT=1188
@ -20,6 +20,26 @@ TPWS_USER=daemon
# start betfore firewall - we need ipset populated # start betfore firewall - we need ipset populated
START=18 START=18
# must execute /etc/firewall.user on every firewall reload
set_firewall_user_reload() {
i=0
while true
do
path=$(uci -q get firewall.@include[$i].path)
[ -n "$path" ] || break
[ "$path" == "/etc/firewall.user" ] && {
reload=$(uci -q get firewall.@include[$i].reload)
[ "$reload" = "1" ] || {
echo Setting 'reload' call option to /etc/firewall.user
uci set firewall.@include[$i].reload=1
uci commit firewall
}
}
i=$((i+1))
done
}
get_daemon() { get_daemon() {
case "${ISP}" in case "${ISP}" in
mns) mns)
@ -43,6 +63,7 @@ get_daemon() {
start() { start() {
set_firewall_user_reload
echo "Creating ipset" echo "Creating ipset"
($IPSET_CR) ($IPSET_CR)

6
readme.txt
View File

@ -1,4 +1,4 @@
zapret v.7 zapret v.8
Для чего это надо Для чего это надо
----------------- -----------------
@ -242,9 +242,7 @@ opkg install iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptable
В /etc/init.d/zapret выбрать пераметр "ISP". В зависимости от него будут применены нужные правила. В /etc/init.d/zapret выбрать пераметр "ISP". В зависимости от него будут применены нужные правила.
/etc/init.d/zapret enable /etc/init.d/zapret enable
/etc/init.d/zapret start /etc/init.d/zapret start
В зависимости от вашего провайдера либо внести нужные записи в /etc/firewall.user, либо В зависимости от вашего провайдера внести нужные записи в /etc/firewall.user.
скопировать 99-zapret в /etc/hotplug.d/firewall (сначала нужно mkdir /etc/hotplug.d/firewall).
В /etc/hotplug.d/firewall/99-zapret выбрать нужного провайдера.
/etc/init.d/firewall restart /etc/init.d/firewall restart
Посмотреть через iptables -L или через luci вкладку "firewall" появились ли нужные правила. Посмотреть через iptables -L или через luci вкладку "firewall" появились ли нужные правила.
Зашедулить задание обновления листа : Зашедулить задание обновления листа :