From c0f01c38296d1ed9610ed79b1a6cde3e87f1cf0d Mon Sep 17 00:00:00 2001
From: bol-van
Date: Sun, 19 Jun 2022 16:16:20 +0300
Subject: [PATCH] wireguard, redsocks: nozapret notice
---
 docs/redsocks.txt | 12 ++++++------
 docs/wireguard/wireguard_iproute_openwrt.txt | 3 ++-
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/docs/redsocks.txt b/docs/redsocks.txt
index c475655..99feb23 100644
--- a/docs/redsocks.txt
+++ b/docs/redsocks.txt
@@ -113,8 +113,8 @@ create_ipset no-update
 network_find_wan_all wan_iface
 for ext_iface in $wan_iface; do
 network_get_device ext_device $ext_iface
- ipt OUTPUT -t nat -o $ext_device -p tcp --dport 443 -m set --match-set zapret dst -j REDIRECT --to-port $SOXIFIER_PORT
- ipt OUTPUT -t nat -o $ext_device -p tcp -m set --match-set ipban dst -j REDIRECT --to-port $SOXIFIER_PORT
+ ipt OUTPUT -t nat -o $ext_device -p tcp --dport 443 -m set --match-set zapret dst -m set ! --match-set nozapret dst -j REDIRECT --to-port $SOXIFIER_PORT
+ ipt OUTPUT -t nat -o $ext_device -p tcp -m set --match-set ipban dst -m set ! --match-set nozapret dst -j REDIRECT --to-port $SOXIFIER_PORT
 done
 prepare_route_localnet
@@ -165,13 +165,13 @@ prepare_route_localnet
 cat << EOF | nft -f -
 add chain inet $ZAPRET_NFT_TABLE my_output { type nat hook output priority -102; }
 flush chain inet $ZAPRET_NFT_TABLE my_output
- add rule inet $ZAPRET_NFT_TABLE my_output oifname @wanif meta l4proto tcp ip daddr @ipban dnat to $TPWS_LOCALHOST4:$SOXIFIER_PORT
- add rule inet $ZAPRET_NFT_TABLE my_output oifname @wanif tcp dport 443 ip daddr @zapret dnat to $TPWS_LOCALHOST4:$SOXIFIER_PORT
+ add rule inet $ZAPRET_NFT_TABLE my_output oifname @wanif meta l4proto tcp ip daddr @ipban ip daddr != @nozapret dnat to $TPWS_LOCALHOST4:$SOXIFIER_PORT
+ add rule inet $ZAPRET_NFT_TABLE my_output oifname @wanif tcp dport 443 ip daddr @zapret ip daddr != @nozapret dnat to $TPWS_LOCALHOST4:$SOXIFIER_PORT
 add chain inet $ZAPRET_NFT_TABLE my_prerouting { type nat hook prerouting priority -102; }
 flush chain inet $ZAPRET_NFT_TABLE my_prerouting
- add rule inet $ZAPRET_NFT_TABLE my_prerouting iifname @lanif meta l4proto tcp ip daddr @ipban dnat to $TPWS_LOCALHOST4:$SOXIFIER_PORT
- add rule inet $ZAPRET_NFT_TABLE my_prerouting iifname @lanif tcp dport 443 ip daddr @zapret dnat to $TPWS_LOCALHOST4:$SOXIFIER_PORT
+ add rule inet $ZAPRET_NFT_TABLE my_prerouting iifname @lanif meta l4proto tcp ip daddr @ipban ip daddr != @nozapret dnat to $TPWS_LOCALHOST4:$SOXIFIER_PORT
+ add rule inet $ZAPRET_NFT_TABLE my_prerouting iifname @lanif tcp dport 443 ip daddr @zapret ip daddr != @nozapret dnat to $TPWS_LOCALHOST4:$SOXIFIER_PORT
 EOF
 ----------------------------
diff --git a/docs/wireguard/wireguard_iproute_openwrt.txt b/docs/wireguard/wireguard_iproute_openwrt.txt
index 7ca61cd..880d528 100644
--- a/docs/wireguard/wireguard_iproute_openwrt.txt
+++ b/docs/wireguard/wireguard_iproute_openwrt.txt
@@ -267,7 +267,8 @@ config rule
 все равно ресолвится.
 Вы всегда можете расчитывать на ipset/nfset "ipban", "nozapret".
 "nozapret" - это ipset/nfset, связанный с системой исключения ip.
 Сюда загоняется все из ipset/zapret-hosts-user-exclude.txt после ресолвинга.
-
+Его учет крайне желателен, чтобы вдруг из скачанного листа не просочились записи, например, 192.168.0.0/16 и не заставили лезть туда через VPN.
+Хотя скрипты получения листов и пытаются отсечь IP локалок, но так будет намного надежнее.
 --- Маркировка трафика ---