description "zapret" start on runlevel [2345] stop on runlevel [!2345] # CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE. #env ISP=mns #env ISP=rt env ISP=beeline #env ISP=domru #env ISP=tiera # If ISP is unlisted then uncomment "custom" # Find out what works for your ISP and modify "# PLACEHOLDER" parts of this script #env ISP=custom # CHOSE NETWORK INTERFACE BEHIND NAT env SLAVE_ETH=eth1 env QNUM=200 env TPPORT=1188 env ROUTE_TABLE_NUM=100 env NFQWS=/opt/zapret/nfq/nfqws env TPWS=/opt/zapret/tpws/tpws env TPWS_USER=tpws pre-start script /opt/zapret/ipset/create_ipset.sh case "${ISP}" in mns|rt) iptables -t raw -C PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass || iptables -t raw -I PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass ;; beeline) iptables -t mangle -C POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass || iptables -t mangle -I POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass ;; domru) adduser --disabled-login --no-create-home --system --quiet $TPWS_USER sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1 iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT || iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT || iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT # BLOCK SPOOFED DNS FROM DOMRU iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 || iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 || iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff16e|" --algo bm -j DROP --from 40 --to 300 || iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff16e|" --algo bm -j DROP --from 40 --to 300 iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000110|" --algo bm -j DROP --from 40 --to 300 || iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000110|" --algo bm -j DROP --from 40 --to 300 ;; tiera) adduser --disabled-login --no-create-home --system --quiet $TPWS_USER sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1 iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT || iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT || iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ;; custom) # PLACEHOLDER echo !!! NEED ATTENTION !!! echo \(optional\) Prepare environment for running daemon echo Configure iptables for required actions echo Study how other sections work ;; esac end script script case "${ISP}" in mns) NFEXE=$NFQWS NFARG="--qnum $QNUM --wsize=4" ;; rt) NFEXE=$NFQWS NFARG="--qnum $QNUM --wsize=20" ;; beeline) NFEXE=$NFQWS NFARG="--qnum $QNUM --hostspell=HOST" ;; domru) NFEXE=$TPWS NFARG="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1" ;; tiera) NFEXE=$TPWS NFARG="--port=$TPPORT --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1" ;; custom) # PLACEHOLDER echo !!! NEED ATTENTION !!! echo Select which daemon and what options work for you echo Study how other sections work NFEXE=/bin/sleep NFARG=20 ;; esac $NFEXE $NFARG [ -n "$NFEXE" ] && $NFEXE $NFARG end script pre-stop script case "${ISP}" in mns|rt) iptables -t raw -D PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass ;; beeline) iptables -t mangle -D POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass ;; domru) sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0 iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff16e|" --algo bm -j DROP --from 40 --to 300 iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000110|" --algo bm -j DROP --from 40 --to 300 ;; tiera) sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0 iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ;; custom) # PLACEHOLDER echo !!! NEED ATTENTION !!! echo Clear firewall rules here. Remove iptables changes made previously. echo Study how other sections work ;; esac end script