zapret/init.d/ubuntu12/zapret.conf

145 lines
6.4 KiB
Plaintext
Raw Normal View History

2016-02-21 17:45:20 +00:00
description "zapret"
2016-02-15 13:34:45 +00:00
start on runlevel [2345]
stop on runlevel [!2345]
# CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE.
2017-04-23 07:14:00 +00:00
env ISP=mns
2016-02-17 17:22:21 +00:00
#env ISP=rt
2017-04-23 07:14:00 +00:00
#env ISP=beeline
2016-12-09 13:33:29 +00:00
#env ISP=domru
2016-03-05 08:04:40 +00:00
#env ISP=tiera
2017-04-23 07:14:00 +00:00
#env ISP=athome
2016-02-15 13:34:45 +00:00
2016-12-09 13:33:29 +00:00
# If ISP is unlisted then uncomment "custom"
# Find out what works for your ISP and modify "# PLACEHOLDER" parts of this script
#env ISP=custom
2016-02-15 13:34:45 +00:00
# CHOSE NETWORK INTERFACE BEHIND NAT
2016-12-09 13:33:29 +00:00
env SLAVE_ETH=eth1
2016-02-15 13:34:45 +00:00
env QNUM=200
env TPPORT=1188
env ROUTE_TABLE_NUM=100
env NFQWS=/opt/zapret/nfq/nfqws
env TPWS=/opt/zapret/tpws/tpws
env TPWS_USER=tpws
pre-start script
/opt/zapret/ipset/create_ipset.sh
case "${ISP}" in
2016-02-17 17:22:21 +00:00
mns|rt)
2016-02-15 13:34:45 +00:00
iptables -t raw -C PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass ||
iptables -t raw -I PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass
;;
beeline)
iptables -t mangle -C POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass ||
iptables -t mangle -I POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
;;
domru)
2016-03-05 08:04:40 +00:00
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
# BLOCK SPOOFED DNS FROM DOMRU
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
2016-12-09 13:33:29 +00:00
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff16e|" --algo bm -j DROP --from 40 --to 300 ||
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff16e|" --algo bm -j DROP --from 40 --to 300
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000110|" --algo bm -j DROP --from 40 --to 300 ||
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000110|" --algo bm -j DROP --from 40 --to 300
;;
2017-04-23 07:14:00 +00:00
tiera|athome)
2016-02-15 13:34:45 +00:00
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
;;
2016-12-09 13:33:29 +00:00
custom)
# PLACEHOLDER
echo !!! NEED ATTENTION !!!
echo \(optional\) Prepare environment for running daemon
echo Configure iptables for required actions
echo Study how other sections work
;;
2016-02-15 13:34:45 +00:00
esac
end script
script
case "${ISP}" in
2016-02-17 17:22:21 +00:00
mns)
2016-02-15 13:34:45 +00:00
NFEXE=$NFQWS
2017-02-19 11:06:58 +00:00
NFARG="--qnum $QNUM --wsize=3"
2016-02-15 13:34:45 +00:00
;;
2016-02-17 17:22:21 +00:00
rt)
NFEXE=$NFQWS
NFARG="--qnum $QNUM --wsize=20"
;;
2016-02-15 13:34:45 +00:00
beeline)
NFEXE=$NFQWS
NFARG="--qnum $QNUM --hostspell=HOST"
2016-02-15 13:34:45 +00:00
;;
domru)
NFEXE=$TPWS
NFARG="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
;;
2016-03-05 08:04:40 +00:00
tiera)
NFEXE=$TPWS
NFARG="--port=$TPPORT --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
;;
2017-04-23 07:14:00 +00:00
athome)
NFEXE=$TPWS
NFARG="--port=$TPPORT --split-http-req=method --user=$TPWS_USER --bind-addr=127.0.0.1"
;;
2016-12-09 13:33:29 +00:00
custom)
# PLACEHOLDER
echo !!! NEED ATTENTION !!!
echo Select which daemon and what options work for you
echo Study how other sections work
NFEXE=/bin/sleep
NFARG=20
;;
2016-02-15 13:34:45 +00:00
esac
$NFEXE $NFARG
2016-03-05 08:04:40 +00:00
[ -n "$NFEXE" ] && $NFEXE $NFARG
2016-02-15 13:34:45 +00:00
end script
pre-stop script
case "${ISP}" in
2016-02-17 17:22:21 +00:00
mns|rt)
2016-02-15 13:34:45 +00:00
iptables -t raw -D PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass
;;
beeline)
iptables -t mangle -D POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
;;
domru)
2016-03-05 08:04:40 +00:00
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
2016-12-09 13:33:29 +00:00
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff16e|" --algo bm -j DROP --from 40 --to 300
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000110|" --algo bm -j DROP --from 40 --to 300
2016-03-05 08:04:40 +00:00
;;
2017-04-23 07:14:00 +00:00
tiera|athome)
2016-02-15 13:34:45 +00:00
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
;;
2016-12-09 13:33:29 +00:00
custom)
# PLACEHOLDER
echo !!! NEED ATTENTION !!!
echo Clear firewall rules here. Remove iptables changes made previously.
echo Study how other sections work
;;
2016-02-15 13:34:45 +00:00
esac
end script