mirror of
https://github.com/bol-van/zapret.git
synced 2024-11-30 05:50:53 +03:00
commit
4fcd3bba96
@ -53,7 +53,7 @@ You need to run them with the necessary parameters and redirect certain traffic
|
||||
|
||||
To redirect a TCP connection to a transparent proxy, the following commands are used:
|
||||
|
||||
forwarded fraffic :
|
||||
forwarded traffic :
|
||||
iptables -t nat -I PREROUTING -i <internal_interface> -p tcp --dport 80 -j DNAT --to 127.0.0.127:988
|
||||
outgoing traffic :
|
||||
iptables -t nat -I OUTPUT -o <external_interface> -p tcp --dport 80 -m owner ! --uid-owner tpws -j DNAT --to 127.0.0.127:988
|
||||
@ -172,12 +172,12 @@ add tcp option "MD5 signature". All of them have their own disadvantages :
|
||||
* md5sig does not work on all servers
|
||||
* badsum doesn't work if your device is behind NAT which does not pass invalid packets.
|
||||
Linux NAT by default does not pass them without special setting "sysctl -w net.netfilter.nf_conntrack_checksum=0"
|
||||
Openwrt sets it from the box, other routers in most cases dont, and its not always possible to change it.
|
||||
If nfqws is on the router, its not neccessary to switch of "net.netfilter.nf_conntrack_checksum".
|
||||
Openwrt sets it from the box, other routers in most cases don't, and its not always possible to change it.
|
||||
If nfqws is on the router, its not necessary to switch of "net.netfilter.nf_conntrack_checksum".
|
||||
Fake packet doesn't go through FORWARD chain, it goes through OUTPUT. But if your router is behind another NAT, for example ISP NAT,
|
||||
and that NAT does not pass invalid packets, you cant do anything.
|
||||
* badseq packets will be dropped by server, but DPI also can ignore them
|
||||
* TTL looks like the best option, but it requires special tuning for earch ISP. If DPI is further than local ISP websites
|
||||
* TTL looks like the best option, but it requires special tuning for each ISP. If DPI is further than local ISP websites
|
||||
you can cut access to them. Manual IP exclude list is required. Its possible to use md5sig with ttl.
|
||||
This way you cant hurt anything, but good chances it will help to open local ISP websites.
|
||||
If automatic solution cannot be found then use zapret-hosts-user-exclude.txt.
|
||||
@ -223,7 +223,7 @@ doing something about it is hardly possible without the help of the server.
|
||||
The best solution is to enable TLS 1.3 support on the server. TLS 1.3 sends the server certificate in encrypted form.
|
||||
This is recommendation to all admins of blocked sites. Enable TLS 1.3. You will give more opportunities to overcome DPI.
|
||||
|
||||
Hosts are extracted from plain http request Host: header and SNI of ClientHelllo TLS message.
|
||||
Hosts are extracted from plain http request Host: header and SNI of ClientHello TLS message.
|
||||
Subdomains are applied automatically. gzip lists are supported.
|
||||
|
||||
iptables for performing the attack on the first packet :
|
||||
|
@ -836,7 +836,7 @@ tpws к http и nfqws к https. При этом поддерживаются у
|
||||
|
||||
enable auto start : systemctl enable zapret
|
||||
disable auto start : systemctl disable zapret
|
||||
start : sytemctl start zapret
|
||||
start : systemctl start zapret
|
||||
stop : systemctl stop zapret
|
||||
status, output messages : systemctl status zapret
|
||||
timer info : systemctl list-timer
|
||||
@ -972,7 +972,7 @@ opkg install iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptable
|
||||
ЭКОНОМИЯ МЕСТА :
|
||||
|
||||
gzip от busybox в разы медленней полноценного варианта. gzip используется скриптами получения листов.
|
||||
sort от busybox медленней полноценного варианта и жрет намного болше памяти. sort используется скриптами получения листов.
|
||||
sort от busybox медленней полноценного варианта и жрет намного больше памяти. sort используется скриптами получения листов.
|
||||
grep от busybox катастрофически медленный с опцией -f. она применяется в get_reestr_combined.sh. если вы не собираетесь
|
||||
пользоваться этим скриптом, gnu grep можно не устанавливать
|
||||
iptables-mod-nfqueue можно выкинуть, если не будем пользоваться nfqws
|
||||
|
Loading…
Reference in New Issue
Block a user