debian : use SLAVE_ETH only on router

bolvan 2019-05-03 15:18:43 +03:00
parent 15460d87a0
commit 8d47cea3e5
2 changed files with 16 additions and 13 deletions


@ -39,8 +39,9 @@ TPWS_OPT="--hostspell=HOST --split-http-req=method"
# Find out what works for you and modify "# PLACEHOLDER" parts of this script # Find out what works for you and modify "# PLACEHOLDER" parts of this script
#MODE=custom #MODE=custom
# CHOSE NETWORK INTERFACE BEHIND NAT (LAN) # router only: CHOSE NETWORK INTERFACE BEHIND NAT (LAN)
SLAVE_ETH=eth0 # or leave it commented if its not router
#SLAVE_ETH=eth0
# --- REVIEW CONFIG HERE --- # --- REVIEW CONFIG HERE ---
@ -74,7 +75,7 @@ prepare_tpws()
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
# otherwise linux kernel will treat 127.0.0.1 as "martian" ip and refuse routing to it # otherwise linux kernel will treat 127.0.0.1 as "martian" ip and refuse routing to it
# NOTE : kernels <3.6 do not have this feature. consider upgrading or change DNAT to REDIRECT and do not bind to 127.0.0.1 # NOTE : kernels <3.6 do not have this feature. consider upgrading or change DNAT to REDIRECT and do not bind to 127.0.0.1
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1 for iface in /proc/sys/net/ipv4/conf/*; do sysctl -qw net.ipv4.conf.$(basename $iface).route_localnet=1; done
} }
fw_tpws_add() fw_tpws_add()
@ -82,17 +83,22 @@ fw_tpws_add()
# $1 - iptable filter # $1 - iptable filter
prepare_tpws prepare_tpws
echo "Adding iptables rule for tpws : $1" echo "Adding iptables rule for tpws : $1"
[ -n "$SLAVE_ETH" ] && {
iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null || iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
iptables -t nat -I PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT iptables -t nat -I PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
}
iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null || iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
iptables -t nat -I OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT iptables -t nat -I OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
} }
fw_tpws_del() fw_tpws_del()
{ {
# $1 - iptable filter # $1 - iptable filter
echo "Deleting iptables rule for tpws : $1" echo "Deleting iptables rule for tpws : $1"
[ -n "$SLAVE_ETH" ] && {
iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null && iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null &&
iptables -t nat -D PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT iptables -t nat -D PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
}
iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null && iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null &&
iptables -t nat -D OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT iptables -t nat -D OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
true true
@ -200,7 +206,7 @@ case "$1" in
stop) stop)
case "${MODE}" in case "${MODE}" in
tpws_hostlist) tpws_hostlist|tpws_all)
fw_tpws_del "--dport 80" fw_tpws_del "--dport 80"
stop_daemon 1 $TPWS stop_daemon 1 $TPWS
;; ;;
@ -208,10 +214,6 @@ case "$1" in
fw_tpws_del "--dport 80 -m set --match-set zapret dst" fw_tpws_del "--dport 80 -m set --match-set zapret dst"
stop_daemon 1 $TPWS stop_daemon 1 $TPWS
;; ;;
tpws_all)
fw_tpws_del "--dport 80"
stop_daemon 1 $TPWS
;;
nfqws_ipset) nfqws_ipset)
fw_nfqws_del_pre "--sport 80 -m set --match-set zapret src" fw_nfqws_del_pre "--sport 80 -m set --match-set zapret src"
fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst" fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst"
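Review bot: The new loop in prepare_tpws enables route_localnet on every entry under /proc/sys/net/ipv4/conf, including `all`, `default`, `lo` and the WAN-facing interface, while the PREROUTING DNAT rule it exists for is scoped to `-i $SLAVE_ETH`; setting the flag on the upstream interface (and on `default`, which seeds interfaces created later) widens the set of links from which 127.0.0.0/8-addressed packets are accepted instead of being dropped as martians, beyond what the rule needs. A second, smaller problem is that `sysctl -qw net.ipv4.conf.$(basename $iface).route_localnet=1` mis-parses interface names containing a dot (VLAN names such as `eth0.100`), and `-q` hides the failure. In router mode I would keep the flag on the one interface the rule uses, written through the proc path so dotted names work: `[ -n "$SLAVE_ETH" ] && echo 1 > "/proc/sys/net/ipv4/conf/$SLAVE_ETH/route_localnet"`; whether the OUTPUT-only (non-router) DNAT also needs the flag cannot be determined from this hunk, so if it does, at least exclude the WAN interface rather than enabling it on all. prepare_tpws begins outside the hunk.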


@ -241,7 +241,8 @@ TPWS_OPT="--hostspell=HOST --split-http-req=method"
cp /opt/zapret/init.d/debian/zapret /etc/init.d cp /opt/zapret/init.d/debian/zapret /etc/init.d
В /etc/init.d/zapret настроить параметры согласно разделу "Выбор режима в init скрипте". В /etc/init.d/zapret настроить параметры согласно разделу "Выбор режима в init скрипте".
Там же выбрать параметр SLAVE_ETH, соответствующий названию внутреннего сетевого интерфейса. Если ваша система - роутер, то раскомментировать параметр SLAVE_ETH и вписать в него
название внутреннего сетевого интерфейса (LAN).
Зарегистрировать init скрипт в systemd : Зарегистрировать init скрипт в systemd :
/usr/lib/lsb/install_initd zapret /usr/lib/lsb/install_initd zapret