VPN olmaksizin tum sitelere giris (Pasif/Aktif DPI blokaji) (15. sayfa)

opkg update
opkg install git-http

mkdir /opt
cd /opt
git clone --depth 1  https://github.com/bol-van/zapret

# this file is included from init scripts
# change values here

# can help in case /tmp has not enough space
#TMPDIR=/opt/zapret/tmp

# options for ipsets
# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
# too large hashsize will waste lots of RAM
#IPSET_OPT="hashsize 262144 maxelem 2097152"

# options for ip2net. "-4" or "-6" auto added by ipset create script
#IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
#IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"

# CHOOSE OPERATION MODE
# use nfqws : nfqws_ipset nfqws_ipset_https nfqws_all nfqws_all_https
# use tpws : tpws_ipset tpws_ipset_https tpws_all tpws_all_https tpws_hostlist
# no daemon, just ipset : ipset
# custom mode : custom . should modify init script and add your own code
MODE=nfqws_all_desync

# CHOOSE NFQWS DAEMON OPTIONS. run "nfq/nfqws --help" for option list
#NFQWS_OPT="--wsize=2 --hostspell=HOST"

# CHOOSE NFQWS DAEMON OPTIONS for DPI desync mode. run "nfq/nfqws --help" for option list
#DESYNC_MARK=0x40000000
NFQWS_OPT_DESYNC="--dpi-desync --dpi-desync-ttl=9 --dpi-desync-fooling=md5sig --dpi-desync-skip-nosni=0 --dpi-desync-fwmark=0x40000000 --dpi-desync-retrans=0"

# CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
#TPWS_OPT_HTTP="--hostspell=HOST --split-http-req=method"
#TPWS_OPT_HTTPS="--split-pos=2"

# for routers based on desktop linux only. has not effect in openwrt.
# CHOOSE LAN and WAN NETWORK INTERFACES
# or leave them commented if its not router
#IFACE_LAN=eth0
#IFACE_WAN=eth1

# should init scripts apply firewall rules ?
# set to 0 if firewall control system is present
# openwrt uses fw3 firewall , init never touch fw
INIT_APPLY_FW=1

# do not work with ipv4
#DISABLE_IPV4=1
# do not work with ipv6
DISABLE_IPV6=1

# select which init script will be used to get ip or host list
# possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
# comment if not required
#GETLIST=

root@OpenWrt:~# lsmod|grep SPOOFTCP
x_tables               12816 48 xt_tcpmss,xt_string,xt_statistic,xt_recent,xt_quota,xt_pkttype,xt_owner,xt_length,xt_hl,xt_helper,xt_ecn,xt_dscp,xt_connmark,xt_connlimit,xt_connbytes,xt_bpf,xt_addrtype,xt_NFQUEUE,xt_HL,xt_DSCP,xt_CLASSIFY,ipt_ECN,xt_SPOOFTCP,ipt_REJECT,ipt_MASQUERADE,xt_time,xt_tcpudp,xt_state,xt_nat,xt_multiport,xt_mark,xt_mac,xt_limit,xt_conntrack,xt_comment,xt_TCPMSS,xt_REDIRECT,xt_LOG,xt_FLOWOFFLOAD,xt_CT,iptable_mangle,iptable_filter,ip_tables,xt_set,ip6t_REJECT,ip6table_mangle,ip6table_filter,ip6_tables
xt_SPOOFTCP             4000  0
root@OpenWrt:~# iptables -j SPOOFTCP --help
iptables v1.6.2

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --check   -C chain            Check for the existence of a rule
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
                                List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
                                Print the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in  chain or all chains
  --zero    -Z [chain [rulenum]]
                                Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
    --ipv4      -4              Nothing (line is ignored by ip6tables-restore)
    --ipv6      -6              Error (line is ignored by iptables-restore)
[!] --protocol  -p proto        protocol: by number or name, eg. `tcp'
[!] --source    -s address[/mask][...]
                                source specification
[!] --destination -d address[/mask][...]
                                destination specification
[!] --in-interface -i input name[+]
                                network interface name ([+] for wildcard)
 --jump -j target
                                target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
[!] --out-interface -o output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --wait        -w [seconds]    maximum wait to acquire xtables lock before give up
  --wait-interval -W [usecs]    wait time to try to acquire xtables lock
                                default is 1 second
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.

SPOOFTCP target options:
 --ttl value    The hop limit/ttl value of spoofed packet (0 for inherit)
 --tcp-flags    TCP FLAGS of spoofed packet
 --corrupt-checksum     Invert checksum for spoofed packet
 --corrupt-seq  Invert TCP SEQ # for spoofed packet
 --delay value  Delay the matched(original) packet by <value> ms (max 255)
 --payload-length value Length of TCP payload (max 255)
 --md5  Add TCP MD5 (Option 19) header
 --ts   Add TCP Timestamp (Option 8) header
 --masq Enable MASQUERADE workaround

ipset create spooftcp_bypass nethash 
 ipset add spooftcp_bypass 0.0.0.0/8 
 ipset add spooftcp_bypass 10.0.0.0/8 
 ipset add spooftcp_bypass 192.168.0.0/16 
 iptables -t mangle  -A POSTROUTING  -m set ! --match-set spooftcp_bypass dst -p tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j SPOOFTCP --ttl 5 --tcp-flags PSH,ACK --delay 15 --payload-length 1 --corrupt-seq --md5 --ts --masq 
 iptables -t mangle  -A POSTROUTING  -m set ! --match-set spooftcp_bypass dst -p tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j SPOOFTCP --ttl 5 --tcp-flags PSH,ACK --delay 15 --payload-length 1 --corrupt-seq --md5 --ts --masq

root@OpenWrt:~# cat /etc/resolv.conf
search wan
nameserver 127.0.0.1

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

curl https://www.wikipedia.org

root@OpenWrt:~# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SPOOFTCP   tcp  --  anywhere             anywhere             ! match-set spooftcp_bypass dst tcp dpt:www flags:FIN,SYN,RST,ACK/SYN SPOOFTCP ttl = 5 tcp flags PSH,ACK Corrupt SEQ Delay by 15ms Payload length 1 with MD5 option with Timestamp option with MASQUERADE workaround
SPOOFTCP   tcp  --  anywhere             anywhere             ! match-set spooftcp_bypass dst tcp dpt:https flags:FIN,SYN,RST,ACK/SYN SPOOFTCP ttl = 5 tcp flags PSH,ACK Corrupt SEQ Delay by 15ms Payload length 1 with MD5 option with Timestamp option with MASQUERADE workaround

root@OpenWrt:~# curlhttps://www.wikipedia.org
curl: (35) ssl_handshake returned - mbedTLS: (-0x0050) NET - Connection was reset by peer

 traceroute wikipedia.org
traceroute to wikipedia.org (103.102.166.224), 64 hops max
  1   *  *  *
  2   *  *  *
  3   *  *  *
  4   *  *  *
  5   *  *  *
  6   *  *  *
  7   *  *  *
  8   *