openwrt hotplug.d removed
This commit is contained in:
parent
5c8f4c2d66
commit
3d08e29fe6
@ -38,3 +38,7 @@ ipset : added "get_antizapret.sh"
|
||||
v7
|
||||
|
||||
tpws : added ability to insert "." after Host: name
|
||||
|
||||
v8
|
||||
|
||||
openwrt init : removed hotplug.d/firewall because of race conditions. now only use /etc/firewall.user
|
||||
|
@ -1,35 +0,0 @@
|
||||
# copy it to /etc/hotplug.d/firewall/99-zapret
|
||||
|
||||
# CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE.
|
||||
# if your ISP not in list then comment all lines
|
||||
ISP=domru
|
||||
|
||||
TPPORT=1188
|
||||
TPWS_USER=daemon
|
||||
|
||||
case "$ACTION" in
|
||||
add)
|
||||
case "$ISP" in
|
||||
domru)
|
||||
case "$INTERFACE" in
|
||||
wan)
|
||||
# BLOCK SPOOFED DNS FROM DOMRU
|
||||
iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
|
||||
iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
|
||||
iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
|
||||
iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
|
||||
# DNAT for local traffic
|
||||
iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
|
||||
iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
||||
;;
|
||||
|
||||
lan)
|
||||
# DNAT for pass-thru traffic
|
||||
sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
|
||||
iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
|
||||
iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
esac
|
||||
esac
|
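--- /dev/null
+++ b/init.d/openwrt/firewall.user.domru
@@ -0,0 +1,23 @@
+TPPORT=1188
+TPWS_USER=daemon
+
+. /lib/functions/network.sh
+
+network_find_wan wan_iface
+
+for ext_iface in $wan_iface; do
+network_get_device DEVICE $ext_iface
+# BLOCK SPOOFED DNS FROM DOMRU
+iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
+iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
+iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
+iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
+# DNAT for local traffic
+iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
+iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+
+done
+
+sysctl -w net.ipv4.conf.br-lan.route_localnet=1
+iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
+iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT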
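Review bot: `network_get_device DEVICE $ext_iface` at the top of the loop has no check on its result, so for an interface with no device DEVICE is empty (or, presumably, still holds the value from the previous iteration) and the unquoted `-i $DEVICE` becomes a malformed iptables invocation instead of a skipped interface; guard it with `[ -n "$DEVICE" ] || continue` right after that line and quote the expansions. The `sysctl -w net.ipv4.conf.br-lan.route_localnet=1` line deserves a comment stating its side effect: once set, packets from LAN hosts addressed to 127.0.0.0/8 are routed to the router's loopback-bound services instead of being dropped as martians, and nothing in this file limits that to the DNATed port-80 flow — a filter rule rejecting other 127.0.0.0/8-destined traffic arriving on br-lan, or a DNAT target on the LAN-side address of tpws rather than 127.0.0.1, would narrow it. br-lan is also hard-coded here where the removed hotplug script used the hotplug-supplied `$DEVICE` for the lan case, which holds only while the LAN bridge keeps that name.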
@ -7,7 +7,7 @@
|
||||
#ISP=beeline
|
||||
ISP=domru
|
||||
|
||||
# !!!!! in openwrt you need to add firewall rules manually to /etc/firewall.user or /etc/hotplug.d/firewall/99-zapret
|
||||
# !!!!! in openwrt you need to add firewall rules manually to /etc/firewall.user
|
||||
|
||||
QNUM=200
|
||||
TPPORT=1188
|
||||
@ -20,6 +20,26 @@ TPWS_USER=daemon
|
||||
# start betfore firewall - we need ipset populated
|
||||
START=18
|
||||
|
||||
|
||||
# must execute /etc/firewall.user on every firewall reload
|
||||
set_firewall_user_reload() {
|
||||
i=0
|
||||
while true
|
||||
do
|
||||
path=$(uci -q get firewall.@include[$i].path)
|
||||
[ -n "$path" ] || break
|
||||
[ "$path" == "/etc/firewall.user" ] && {
|
||||
reload=$(uci -q get firewall.@include[$i].reload)
|
||||
[ "$reload" = "1" ] || {
|
||||
echo Setting 'reload' call option to /etc/firewall.user
|
||||
uci set firewall.@include[$i].reload=1
|
||||
uci commit firewall
|
||||
}
|
||||
}
|
||||
i=$((i+1))
|
||||
done
|
||||
}
|
||||
|
||||
get_daemon() {
|
||||
case "${ISP}" in
|
||||
mns)
|
||||
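Review bot: The `uci -q get firewall.@include[$i].path` argument at the top of the loop in set_firewall_user_reload is unquoted, so `[$i]` is treated as a glob and a matching file in the current directory (say `firewall.@include0.path`) would rewrite the argument; the `reload` get and the `uci set` line have the same shape. Quote them: `path=$(uci -q get "firewall.@include[$i].path")`, `reload=$(uci -q get "firewall.@include[$i].reload")`, `uci set "firewall.@include[$i].reload=1"`. The path comparison uses `[ ... == ... ]` while the reload check two lines below uses `=`; `=` is the POSIX form for the BusyBox sh this init script runs under and should be used in both places. The `echo Setting 'reload' call option to /etc/firewall.user` line loses its single quotes before printing, so quote the whole message: `echo "Setting 'reload' call option to /etc/firewall.user"`. Note also that the loop ends at the first include entry without a path, so an include of another kind listed before /etc/firewall.user would, as far as I can tell, hide it from this scan.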
@ -43,6 +63,7 @@ get_daemon() {
|
||||
|
||||
|
||||
start() {
|
||||
set_firewall_user_reload
|
||||
echo "Creating ipset"
|
||||
($IPSET_CR)
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
zapret v.7
|
||||
zapret v.8
|
||||
|
||||
Для чего это надо
|
||||
-----------------
|
||||
@ -242,9 +242,7 @@ opkg install iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptable
|
||||
В /etc/init.d/zapret выбрать пераметр "ISP". В зависимости от него будут применены нужные правила.
|
||||
/etc/init.d/zapret enable
|
||||
/etc/init.d/zapret start
|
||||
В зависимости от вашего провайдера либо внести нужные записи в /etc/firewall.user, либо
|
||||
скопировать 99-zapret в /etc/hotplug.d/firewall (сначала нужно mkdir /etc/hotplug.d/firewall).
|
||||
В /etc/hotplug.d/firewall/99-zapret выбрать нужного провайдера.
|
||||
В зависимости от вашего провайдера внести нужные записи в /etc/firewall.user.
|
||||
/etc/init.d/firewall restart
|
||||
Посмотреть через iptables -L или через luci вкладку "firewall" появились ли нужные правила.
|
||||
Зашедулить задание обновления листа :
|
||||
|