2016-02-21 17:45:20 +00:00
|
|
|
description "zapret"
|
2016-02-15 13:34:45 +00:00
|
|
|
|
|
|
|
start on runlevel [2345]
|
|
|
|
stop on runlevel [!2345]
|
|
|
|
|
|
|
|
# CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE.
|
2016-03-05 08:04:40 +00:00
|
|
|
#env ISP=mns
|
2016-02-17 17:22:21 +00:00
|
|
|
#env ISP=rt
|
2016-02-15 13:34:45 +00:00
|
|
|
#env ISP=beeline
|
2016-03-05 08:04:40 +00:00
|
|
|
env ISP=domru
|
|
|
|
#env ISP=tiera
|
2016-02-15 13:34:45 +00:00
|
|
|
|
|
|
|
# CHOSE NETWORK INTERFACE BEHIND NAT
|
2016-03-05 08:04:40 +00:00
|
|
|
env SLAVE_ETH=eth0
|
2016-02-15 13:34:45 +00:00
|
|
|
|
|
|
|
|
|
|
|
env QNUM=200
|
|
|
|
env TPPORT=1188
|
|
|
|
env ROUTE_TABLE_NUM=100
|
|
|
|
env NFQWS=/opt/zapret/nfq/nfqws
|
|
|
|
env TPWS=/opt/zapret/tpws/tpws
|
|
|
|
env TPWS_USER=tpws
|
|
|
|
|
|
|
|
pre-start script
|
|
|
|
/opt/zapret/ipset/create_ipset.sh
|
|
|
|
|
|
|
|
case "${ISP}" in
|
2016-02-17 17:22:21 +00:00
|
|
|
mns|rt)
|
2016-02-15 13:34:45 +00:00
|
|
|
iptables -t raw -C PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass ||
|
|
|
|
iptables -t raw -I PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass
|
|
|
|
;;
|
|
|
|
beeline)
|
|
|
|
iptables -t mangle -C POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass ||
|
|
|
|
iptables -t mangle -I POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
|
|
|
|
;;
|
|
|
|
domru)
|
2016-03-05 08:04:40 +00:00
|
|
|
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
|
|
|
|
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
|
|
|
|
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
|
|
|
|
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
|
|
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
|
|
|
|
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
|
|
# BLOCK SPOOFED DNS FROM DOMRU
|
|
|
|
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
|
|
|
|
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
|
|
|
|
iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
|
|
|
|
iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
|
|
|
|
;;
|
|
|
|
tiera)
|
2016-02-15 13:34:45 +00:00
|
|
|
adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
|
|
|
|
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
|
|
|
|
iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
|
|
|
|
iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
|
|
iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
|
|
|
|
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
end script
|
|
|
|
|
|
|
|
script
|
|
|
|
case "${ISP}" in
|
2016-02-17 17:22:21 +00:00
|
|
|
mns)
|
2016-02-15 13:34:45 +00:00
|
|
|
NFEXE=$NFQWS
|
|
|
|
NFARG="--qnum $QNUM --wsize=4"
|
|
|
|
;;
|
2016-02-17 17:22:21 +00:00
|
|
|
rt)
|
|
|
|
NFEXE=$NFQWS
|
|
|
|
NFARG="--qnum $QNUM --wsize=20"
|
|
|
|
;;
|
2016-02-15 13:34:45 +00:00
|
|
|
beeline)
|
|
|
|
NFEXE=$NFQWS
|
|
|
|
NFARG="--qnum $QNUM --hostcase"
|
|
|
|
;;
|
|
|
|
domru)
|
|
|
|
NFEXE=$TPWS
|
|
|
|
NFARG="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
|
|
|
|
;;
|
2016-03-05 08:04:40 +00:00
|
|
|
tiera)
|
|
|
|
NFEXE=$TPWS
|
|
|
|
NFARG="--port=$TPPORT --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
|
|
|
|
;;
|
2016-02-15 13:34:45 +00:00
|
|
|
esac
|
|
|
|
$NFEXE $NFARG
|
2016-03-05 08:04:40 +00:00
|
|
|
[ -n "$NFEXE" ] && $NFEXE $NFARG
|
2016-02-15 13:34:45 +00:00
|
|
|
end script
|
|
|
|
|
|
|
|
pre-stop script
|
|
|
|
case "${ISP}" in
|
2016-02-17 17:22:21 +00:00
|
|
|
mns|rt)
|
2016-02-15 13:34:45 +00:00
|
|
|
iptables -t raw -D PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass
|
|
|
|
;;
|
|
|
|
beeline)
|
|
|
|
iptables -t mangle -D POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
|
|
|
|
;;
|
|
|
|
domru)
|
2016-03-05 08:04:40 +00:00
|
|
|
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
|
|
|
|
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
|
|
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
|
|
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
|
|
|
|
iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
|
|
|
|
;;
|
|
|
|
tiera)
|
2016-02-15 13:34:45 +00:00
|
|
|
sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
|
|
|
|
iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
|
|
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
end script
|