mirror of
https://github.com/bol-van/zapret.git
synced 2024-12-04 23:50:53 +03:00
127 lines
5.5 KiB
Bash
Executable File
127 lines
5.5 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
# CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE.
|
|
ISP=mns
|
|
#ISP=rt
|
|
#ISP=beeline
|
|
#ISP=domru
|
|
#ISP=tiera
|
|
|
|
# CHOSE NETWORK INTERFACE BEHIND NAT
|
|
SLAVE_ETH=eth0
|
|
|
|
|
|
IPSET_CR=/opt/zapret/ipset/create_ipset.sh
|
|
NAME=zapret
|
|
DESC=anti-zapret
|
|
|
|
QNUM=200
|
|
TPPORT=1188
|
|
ROUTE_TABLE_NUM=100
|
|
NFQWS=/opt/zapret/nfq/nfqws
|
|
TPWS=/opt/zapret/tpws/tpws
|
|
TPWS_USER=tpws
|
|
|
|
PIDFILE=/var/run/$NAME.pid
|
|
|
|
set -e
|
|
|
|
case "$1" in
|
|
start)
|
|
echo "Creating ipset"
|
|
($IPSET_CR)
|
|
|
|
echo "Adding iptables rule"
|
|
case "${ISP}" in
|
|
mns)
|
|
iptables -t raw -C PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null ||
|
|
iptables -t raw -I PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass
|
|
DAEMON=$NFQWS
|
|
DAEMON_OPTS="--qnum=$QNUM --wsize=4"
|
|
;;
|
|
rt)
|
|
iptables -t raw -C PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null ||
|
|
iptables -t raw -I PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass
|
|
DAEMON=$NFQWS
|
|
DAEMON_OPTS="--qnum=$QNUM --wsize=20"
|
|
;;
|
|
beeline)
|
|
iptables -t mangle -C POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null ||
|
|
iptables -t mangle -I POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
|
|
DAEMON=$NFQWS
|
|
DAEMON_OPTS="--qnum=$QNUM --hostcase"
|
|
;;
|
|
domru)
|
|
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
|
|
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
|
|
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
|
|
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
|
|
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
# BLOCK SPOOFED DNS FROM DOMRU
|
|
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
|
|
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
|
|
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
|
|
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
|
|
DAEMON=$TPWS
|
|
DAEMON_OPTS="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
|
|
;;
|
|
tiera)
|
|
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
|
|
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
|
|
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
|
|
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
|
|
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
DAEMON=$TPWS
|
|
DAEMON_OPTS="--port=$TPPORT --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
|
|
;;
|
|
esac
|
|
|
|
echo -n "Starting $DESC: "
|
|
start-stop-daemon --start --quiet --pidfile $PIDFILE --background --make-pidfile \
|
|
--exec $DAEMON -- $DAEMON_OPTS
|
|
echo "$NAME."
|
|
;;
|
|
stop)
|
|
echo "Deleting iptables rule"
|
|
|
|
case "${ISP}" in
|
|
mns|rt)
|
|
iptables -t raw -D PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass
|
|
DAEMON=$NFQWS
|
|
;;
|
|
beeline)
|
|
iptables -t mangle -D POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
|
|
DAEMON=$NFQWS
|
|
;;
|
|
domru)
|
|
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
|
|
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
|
|
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
|
|
DAEMON=$TPWS
|
|
;;
|
|
tiera)
|
|
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
|
|
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
DAEMON=$TPWS
|
|
;;
|
|
esac
|
|
|
|
echo -n "Stopping $DESC: "
|
|
start-stop-daemon --oknodo --stop --quiet --pidfile $PIDFILE \
|
|
--exec $DAEMON
|
|
echo "$NAME."
|
|
;;
|
|
*)
|
|
N=/etc/init.d/$NAME
|
|
echo "Usage: $N {start|stop}" >&2
|
|
exit 1
|
|
;;
|
|
esac
|
|
|
|
exit 0
|