ForkMaster/zapret
1
0
Fork 0
mirror of https://github.com/bol-van/zapret.git synced 2024-11-15 02:58:34 +05:00
Code Issues Actions Packages Projects Releases Wiki Activity

init.d: openwrt-minimal exclude local subnets

Browse Source
This commit is contained in:
bol-van 2024-10-21 20:50:28 +03:00
parent c645e17b0b
commit 2dc7332533
2 changed files with 34 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
init.d/openwrt-minimal/tpws/etc/firewall.user
View File

@ -1,6 +1,9 @@
TP_PORT=900
TP_USER=daemon
EXCLUDE4="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16"
EXCLUDE6="fc00::/7 fe80::/10"
exists()
{
which "$1" >/dev/null 2>/dev/null
@ -8,13 +11,12 @@ exists()
ipt()
{
$IPTABLES $FW_EXTRA_PRE -C "$@" $FW_EXTRA_POST >/dev/null 2>/dev/null || $IPTABLES $FW_EXTRA_PRE -I "$@" $FW_EXTRA_POST
$IPTABLES -C "$@" >/dev/null 2>/dev/null || $IPTABLES -I "$@"
}
redirect_port()
{
ipt PREROUTING -t nat -p tcp --dport $1 -j REDIRECT --to-port $2
ipt OUTPUT -t nat -p tcp --dport $1 -m owner ! --uid-owner $TP_USER -j REDIRECT --to-port $2
ipt tpws -t nat -p tcp --dport $1 -j REDIRECT --to-port $2
}
redirect()
@ -24,5 +26,21 @@ redirect()
}
for IPTABLES in iptables ip6tables; do
$IPTABLES -t nat -N tpws 2>/dev/null
$IPTABLES -t nat -F tpws
exists $IPTABLES && redirect
done
for net in $EXCLUDE4
do
iptables -t nat -I tpws -d $net -j RETURN
done
for net in $EXCLUDE6
do
ip6tables -t nat -I tpws -d $net -j RETURN
done
for IPTABLES in iptables ip6tables; do
ipt PREROUTING -t nat -j tpws
ipt OUTPUT -t nat -m owner ! --uid-owner $TP_USER -j tpws
done

16
init.d/openwrt-minimal/tpws/etc/nftables.d/90-tpws.nft
View File

@ -1,8 +1,18 @@
chain tpws_re {
set tpws_exclude4 {
type ipv4_addr; flags interval; auto-merge;
elements = { 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16 }
}
set tpws_exclude6 {
type ipv6_addr; flags interval; auto-merge;
elements = { fc00::/7, fe80::/10 }
}
chain tpws_pre {
type nat hook prerouting priority dstnat; policy accept;
tcp dport {80,443} redirect to :900
tcp dport {80,443} ip daddr != @tpws_exclude4 redirect to :900
tcp dport {80,443} ip6 daddr != @tpws_exclude6 redirect to :900
}
chain tpws_out {
type nat hook output priority -100; policy accept;
tcp dport {80,443} skuid != daemon redirect to :900
tcp dport {80,443} skuid != daemon ip daddr != @tpws_exclude4 redirect to :900
tcp dport {80,443} skuid != daemon ip6 daddr != @tpws_exclude6 redirect to :900
}