From 8d47cea3e5eb96c03d5718f1856e4ceed387f805 Mon Sep 17 00:00:00 2001
From: bolvan
Date: Fri, 3 May 2019 15:18:43 +0300
Subject: [PATCH] debian : use SLAVE_ETH only on router
---
 init.d/debian/zapret | 26 ++++++++++++++------------
 readme.txt | 3 ++-
 2 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/init.d/debian/zapret b/init.d/debian/zapret
index db73e81..3fecf28 100755
--- a/init.d/debian/zapret
+++ b/init.d/debian/zapret
@@ -39,8 +39,9 @@ TPWS_OPT="--hostspell=HOST --split-http-req=method"
 # Find out what works for you and modify "# PLACEHOLDER" parts of this script
 #MODE=custom
-# CHOSE NETWORK INTERFACE BEHIND NAT (LAN)
-SLAVE_ETH=eth0
+# router only: CHOSE NETWORK INTERFACE BEHIND NAT (LAN)
+# or leave it commented if its not router
+#SLAVE_ETH=eth0
 # --- REVIEW CONFIG HERE ---
@@ -74,7 +75,7 @@ prepare_tpws()
 adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
 # otherwise linux kernel will treat 127.0.0.1 as "martian" ip and refuse routing to it
 # NOTE : kernels <3.6 do not have this feature. consider upgrading or change DNAT to REDIRECT and do not bind to 127.0.0.1
-sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
+for iface in /proc/sys/net/ipv4/conf/*; do sysctl -qw net.ipv4.conf.$(basename $iface).route_localnet=1; done
 }
 fw_tpws_add()
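Review bot: The rewritten SLAVE_ETH comment has two typos ("CHOSE", "its not router") and still does not say what the variable controls; since fw_tpws_add (later in this file) installs a PREROUTING DNAT with `-i $SLAVE_ETH`, the comment should also state that this must be the LAN-side interface and never the WAN-facing one, because presumably any port-80 traffic arriving on the named interface is redirected into tpws. Suggested wording: `# router only: CHOOSE THE NETWORK INTERFACE BEHIND NAT (LAN); inbound traffic on it is DNATed to tpws` followed by `# leave it commented out if this host is not a router`.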
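Review bot: The new loop in prepare_tpws enables route_localnet on every entry under /proc/sys/net/ipv4/conf, including `all`, `default` and the WAN-facing interface, where the old line touched only $SLAVE_ETH. route_localnet on an Internet-facing interface makes the kernel accept packets addressed to 127.0.0.0/8 arriving on that link, so loopback-bound services (tpws itself on 127.0.0.1:$TPPORT among them) can become reachable from outside, and setting `all`/`default` extends this to interfaces that appear later. As far as the hunk shows, the sysctl exists to support the PREROUTING DNAT that fw_tpws_add installs with `-i $SLAVE_ETH`; the OUTPUT-chain DNAT for locally generated traffic should not need it, which is what the old code implicitly assumed by touching only that interface. The guard should therefore mirror the new SLAVE_ETH handling: `[ -n "$SLAVE_ETH" ] && sysctl -qw "net.ipv4.conf.$SLAVE_ETH.route_localnet=1"`. prepare_tpws begins before this hunk.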
@@ -82,17 +83,22 @@ fw_tpws_add()
 # $1 - iptable filter
 prepare_tpws
 echo "Adding iptables rule for tpws : $1"
-iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
-iptables -t nat -I PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
+[ -n "$SLAVE_ETH" ] && {
+iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
+iptables -t nat -I PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
+}
 iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
 iptables -t nat -I OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
+}
 fw_tpws_del()
 {
 # $1 - iptable filter
 echo "Deleting iptables rule for tpws : $1"
-iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null &&
-iptables -t nat -D PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
+[ -n "$SLAVE_ETH" ] && {
+iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null &&
+iptables -t nat -D PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
+}
 iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null &&
 iptables -t nat -D OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
 true
@@ -200,7 +206,7 @@ case "$1" in
 stop)
 case "${MODE}" in
-tpws_hostlist)
+tpws_hostlist|tpws_all)
 fw_tpws_del "--dport 80"
 stop_daemon 1 $TPWS
 ;;
@@ -208,10 +214,6 @@ case "$1" in
 fw_tpws_del "--dport 80 -m set --match-set zapret dst"
 stop_daemon 1 $TPWS
 ;;
-tpws_all)
-fw_tpws_del "--dport 80"
-stop_daemon 1 $TPWS
-;;
 nfqws_ipset)
 fw_nfqws_del_pre "--sport 80 -m set --match-set zapret src"
 fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst"
diff --git a/readme.txt b/readme.txt
index ab00eb9..b87423b 100644
--- a/readme.txt
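Review bot: With SLAVE_ETH empty, fw_tpws_add now installs only the OUTPUT rule and prints the same "Adding iptables rule" line as before, so on a router whose admin left the variable commented out (the new default in this commit) forwarded LAN traffic bypasses tpws with nothing in the start output to show it. A one-line notice beside the new guard would make the degraded mode visible: `[ -n "$SLAVE_ETH" ] || echo "SLAVE_ETH not set : tpws will handle only locally originated traffic"`. The matching guard in fw_tpws_del also means a PREROUTING rule installed on an earlier start is left in place if SLAVE_ETH is cleared from the config before `stop`; that seems acceptable but deserves a comment above the guard, e.g. `# PREROUTING rule is only removed when SLAVE_ETH is still set`. The opening of fw_tpws_add and the closing brace of fw_tpws_del lie outside the hunk.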
+++ b/readme.txt
@@ -241,7 +241,8 @@ TPWS_OPT="--hostspell=HOST --split-http-req=method"
 cp /opt/zapret/init.d/debian/zapret /etc/init.d
 В /etc/init.d/zapret настроить параметры согласно разделу "Выбор режима в init скрипте".
-Там же выбрать параметр SLAVE_ETH, соответствующий названию внутреннего сетевого интерфейса.
+Если ваша система - роутер, то раскомментировать параметр SLAVE_ETH и вписать в него
+название внутреннего сетевого интерфейса (LAN).
 Зарегистрировать init скрипт в systemd :
 /usr/lib/lsb/install_initd zapret