first commit

init.d/openwrt/99-zapret

@@ -0,0 +1,35 @@
+# copy it to /etc/hotplug.d/firewall/99-zapret
+
+# CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE.
+# if your ISP not in list then comment all lines
+ISP=domru
+
+TPPORT=1188
+TPWS_USER=daemon
+
+case "$ACTION" in
+    add)
+    case "$ISP" in
+	domru)
+	case "$INTERFACE" in
+	    wan)
+	    # BLOCK SPOOFED DNS FROM DOMRU
+	    iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
+	     iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
+	    iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
+	     iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
+	    # DNAT for local traffic
+	    iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
+	     iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+	    ;;
+	    
+	    lan)
+	    # DNAT for pass-thru traffic
+	    sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
+	    iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
+	     iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+	    ;;
+     	esac
+	;;
+    esac
+esac

init.d/openwrt/firewall.user.beeline

@@ -0,0 +1,5 @@
+# put it to /etc/firewall.user
+
+# for BEELINE ISP
+iptables -t mangle -D POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num 200 --queue-bypass 2>/dev/null
+iptables -t mangle -I POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num 200 --queue-bypass

init.d/openwrt/firewall.user.mns

@@ -0,0 +1,5 @@
+# put it to /etc/firewall.user
+
+# for MNS ISP
+iptables -t raw -D PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num 200 --queue-bypass 2>/dev/null
+iptables -t raw -I PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num 200 --queue-bypass

init.d/openwrt/zapret

@@ -0,0 +1,53 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2006-2011 OpenWrt.org
+
+# CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE.
+#ISP=mns
+#ISP=beeline
+ISP=domru
+
+# !!!!! in openwrt you need to add firewall rules manually to /etc/firewall.user or /etc/hotplug.d/firewall/99-zapret
+
+QNUM=200
+TPPORT=1188
+ROUTE_TABLE_NUM=100
+NFQWS=/opt/zapret/nfq/nfqws
+TPWS=/opt/zapret/tpws/tpws
+IPSET_CR=/opt/zapret/ipset/create_ipset.sh
+TPWS_USER=daemon
+
+# start betfore firewall - we need ipset populated
+START=18
+
+get_daemon() {
+	case "${ISP}" in
+	    mns)
+		DAEMON_OPTS="--qnum=$QNUM --wsize=4"
+		DAEMON=$NFQWS
+		;;
+	    beeline)
+		DAEMON_OPTS="--qnum=$QNUM --hostcase"
+		DAEMON=$NFQWS
+		;;
+	    domru)
+		DAEMON_OPTS="--port=$TPPORT --hostcase --split-http-req=host --bind-addr=127.0.0.1 --user=$TPWS_USER"
+		DAEMON=$TPWS
+		;;
+	esac
+}
+
+
+start() {
+	echo "Creating ipset"
+	($IPSET_CR)
+
+	get_daemon
+	echo "Starting $DAEMON"
+	service_start $DAEMON --daemon $DAEMON_OPTS
+}
+
+stop() {
+	get_daemon
+	service_stop $DAEMON
+}
+