mirror of
https://github.com/bol-van/zapret.git
synced 2024-12-02 22:50:53 +03:00
164 lines
7.2 KiB
Bash
164 lines
7.2 KiB
Bash
#!/bin/sh
|
|
# For systemd :
|
|
# install : /usr/lib/lsb/install_initd zapret
|
|
# remove : /usr/lib/lsb/remove_initd zapret
|
|
### BEGIN INIT INFO
|
|
# Provides: zapret
|
|
# Required-Start: $local_fs $network
|
|
# Required-Stop: $local_fs $network
|
|
# Default-Start: 2 3 4 5
|
|
# Default-Stop: 0 1 6
|
|
### END INIT INFO
|
|
|
|
# CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE.
|
|
ISP=mns
|
|
#ISP=rt
|
|
#ISP=beeline
|
|
#ISP=domru
|
|
#ISP=tiera
|
|
|
|
# If ISP is unlisted then uncomment "custom"
|
|
# Find out what works for your ISP and modify "# PLACEHOLDER" parts of this script
|
|
#ISP=custom
|
|
|
|
# CHOSE NETWORK INTERFACE BEHIND NAT
|
|
SLAVE_ETH=eth0
|
|
|
|
|
|
IPSET_CR=/opt/zapret/ipset/create_ipset.sh
|
|
NAME=zapret
|
|
DESC=anti-zapret
|
|
|
|
QNUM=200
|
|
TPPORT=1188
|
|
ROUTE_TABLE_NUM=100
|
|
NFQWS=/opt/zapret/nfq/nfqws
|
|
TPWS=/opt/zapret/tpws/tpws
|
|
TPWS_USER=tpws
|
|
|
|
PIDFILE=/var/run/$NAME.pid
|
|
|
|
set -e
|
|
|
|
case "$1" in
|
|
start)
|
|
echo "Creating ipset"
|
|
($IPSET_CR)
|
|
|
|
echo "Adding iptables rule"
|
|
case "${ISP}" in
|
|
mns)
|
|
iptables -t raw -C PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null ||
|
|
iptables -t raw -I PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass
|
|
DAEMON=$NFQWS
|
|
DAEMON_OPTS="--qnum=$QNUM --wsize=4"
|
|
;;
|
|
rt)
|
|
iptables -t raw -C PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null ||
|
|
iptables -t raw -I PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass
|
|
DAEMON=$NFQWS
|
|
DAEMON_OPTS="--qnum=$QNUM --wsize=20"
|
|
;;
|
|
beeline)
|
|
iptables -t mangle -C POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null ||
|
|
iptables -t mangle -I POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
|
|
DAEMON=$NFQWS
|
|
DAEMON_OPTS="--qnum=$QNUM --hostspell=HOST"
|
|
;;
|
|
domru)
|
|
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
|
|
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
|
|
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
|
|
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
|
|
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
# BLOCK SPOOFED DNS FROM DOMRU
|
|
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
|
|
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
|
|
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
|
|
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
|
|
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff16e|" --algo bm -j DROP --from 40 --to 300 ||
|
|
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff16e|" --algo bm -j DROP --from 40 --to 300
|
|
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000110|" --algo bm -j DROP --from 40 --to 300 ||
|
|
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000110|" --algo bm -j DROP --from 40 --to 300
|
|
DAEMON=$TPWS
|
|
DAEMON_OPTS="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
|
|
;;
|
|
tiera)
|
|
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
|
|
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
|
|
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
|
|
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
|
|
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
DAEMON=$TPWS
|
|
DAEMON_OPTS="--port=$TPPORT --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
|
|
;;
|
|
custom)
|
|
# PLACEHOLDER
|
|
echo !!! NEED ATTENTION !!!
|
|
echo Select daemon and options that work for you
|
|
echo \(optional\) Prepare environment for running daemon
|
|
echo Configure iptables for required actions
|
|
echo Study how other sections work
|
|
DAEMON=/bin/sleep
|
|
DAEMON_OPTS=20
|
|
;;
|
|
esac
|
|
|
|
echo -n "Starting $DESC: "
|
|
start-stop-daemon --start --quiet --pidfile $PIDFILE --background --make-pidfile \
|
|
--exec $DAEMON -- $DAEMON_OPTS
|
|
echo "$NAME."
|
|
;;
|
|
stop)
|
|
echo "Deleting iptables rule"
|
|
|
|
case "${ISP}" in
|
|
mns|rt)
|
|
iptables -t raw -D PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass
|
|
DAEMON=$NFQWS
|
|
;;
|
|
beeline)
|
|
iptables -t mangle -D POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
|
|
DAEMON=$NFQWS
|
|
;;
|
|
domru)
|
|
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
|
|
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
|
|
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
|
|
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff16e|" --algo bm -j DROP --from 40 --to 300
|
|
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000110|" --algo bm -j DROP --from 40 --to 300
|
|
DAEMON=$TPWS
|
|
;;
|
|
tiera)
|
|
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
|
|
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
DAEMON=$TPWS
|
|
;;
|
|
custom)
|
|
# PLACEHOLDER
|
|
echo !!! NEED ATTENTION !!!
|
|
echo Clear firewall rules here. Remove iptables changes made previously.
|
|
echo Select which daemon to stop.
|
|
echo Study how other sections work
|
|
;;
|
|
esac
|
|
|
|
echo -n "Stopping $DESC: "
|
|
start-stop-daemon --oknodo --stop --quiet --pidfile $PIDFILE \
|
|
--exec $DAEMON
|
|
echo "$NAME."
|
|
;;
|
|
*)
|
|
N=/etc/init.d/$NAME
|
|
echo "Usage: $N {start|stop}" >&2
|
|
exit 1
|
|
;;
|
|
esac
|
|
|
|
exit 0
|