Различия

Показаны различия между двумя версиями страницы.

--- router:zapret [2025/02/04 21:23] – ↷ Страница перемещена из zapret в router:zapret mirocow
+++ router:zapret [2025/09/27 22:24] (текущий) – mirocow
@@ Строка 1: / Строка 1: @@
 ====== Zapret - DPI bypass multi platform Topics (NFQWS)  ======
+  * [[:nfqws]]
 ===== Entware - Software repository =====
 <code bash>
-$ amtm ep
+$ amtm
+ ep
+ /tmp/mnt/SYS
 </code>
@@ Строка 12: / Строка 15: @@
 <code bash>
-$ wget https://github.com/bol-van/zapret/releases/download/v70/zapret-v70.tar.gz
+$ wget https://github.com/bol-van/zapret/releases/download/v71.4/zapret-v71.4.tar.gz
-$ tar -xvzf zapret-v70.tar.gz
+$ tar -xvzf zapret-v71.4.tar.gz
-$ cd zapret-v70
+$ cd zapret-v71.4
 $ ./install_easy.sh
 - Y
 - Y
 - Y
-- 1
+- Y
+- 1 : iptables
 - Y
 - N
@@ Строка 30: / Строка 34: @@
 </code>
-{{:network:7e86e3fac7f44f9d13c3a737d882a845.jpg?600|}}
+  * **Выбираем iptables**
+  * **Выбираем имя внутреннего сетевого интерфейса (LAN), br0 - обычно в роутере**
+  * **Выбираем режим фильтрации трафика (none, ipset, hostlist, autohostlist). - none**
-Выбираем имя внутреннего сетевого интерфейса (LAN), br0 - обычно в роутере:
+==== Режимы фильтрации ====
-{{:network:7e777b8bf042462347c3d9ff20170beb.jpg?600|}}
-Но заворот трафика на nfqws происходит всегда после маршрутизации, поэтому к нему применима только фильтрация по WAN, так что LAN в этом режиме работы неважен.
-<note tip>Важно: выбираем режим фильтрации трафика (none, ipset, hostlist, autohostlist).</note>
   * none - фильтрация отключена, весь трафик обрабатывается утилитой. Простейший вариант. Рекомендую его использовать, если не хотите заморачиваться настройкой списков адресов, а хотите просто, чтобы быстро и просто все работало.
@@ Строка 47: / Строка 47: @@
 Режим фильтра также можно потом менять через параметр MODE_FILTER в /opt/zapret/config.
-nano /opt/zapret/ipset/zapret-hosts-user.txt
+==== Текущие настройки ====
-<code>
-www.youtube.com
-youtube.com
-</code>
-nano /opt/zapret/init.d/sysv/zapret
-<code bash>
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides:		zapret
-# Required-Start:	$local_fs $network
-# Required-Stop:	$local_fs $network
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-### END INIT INFO
-SCRIPT=$(readlink -f "$0")
-EXEDIR=$(dirname "$SCRIPT")
-ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
-. "$EXEDIR/functions"
-NAME=zapret
-DESC=anti-zapret
-do_start()
-{
-   if lsmod | grep "xt_multiport " &> /dev/null ;  then
-		echo "xt_multiport.ko is already loaded"
-    else
-        if insmod /lib/modules/$(uname -r)/xt_multiport.ko &> /dev/null; then
-			echo "iptable_raw.ko loaded"
-        else
-			echo "Cannot find xt_multiport.ko kernel module, aborting"
-			#exit 1
-        fi
-	fi
-	if lsmod | grep "xt_connbytes " &> /dev/null ;  then
-        echo "xt_connbytes.ko is already loaded"
-    else
-        if insmod /lib/modules/$(uname -r)/xt_connbytes.ko &> /dev/null; then
-			echo "xt_connbytes.ko loaded"
-        else
-			echo "Cannot find xt_connbytes.ko kernel module, aborting"
-			#exit 1
-        fi
-	fi
-	if lsmod | grep "xt_NFQUEUE " &> /dev/null ;  then
-        echo "xt_NFQUEUE.ko is already loaded"
-    else
-        if insmod /lib/modules/$(uname -r)/xt_NFQUEUE.ko &> /dev/null; then
-            echo "xt_NFQUEUE.ko loaded"
-        else
-            echo "Cannot find xt_NFQUEUE.ko kernel module, aborting"
-            #exit 1
-        fi
-    fi
-	zapret_run_daemons
-	[ "$INIT_APPLY_FW" != "1" ] || { zapret_apply_firewall; }
-}
-do_stop()
-{
-	zapret_stop_daemons
-	[ "$INIT_APPLY_FW" != "1" ] || zapret_unapply_firewall
-}
-case "$1" in
-	start)
-		do_start
-		;;
-	stop)
-		do_stop
-		;;
-	restart)
-		do_stop
-		do_start
-		;;
-	start-fw|start_fw)
-		zapret_apply_firewall
-		;;
-	stop-fw|stop_fw)
-		zapret_unapply_firewall
-		;;
-	restart-fw|restart_fw)
-		zapret_unapply_firewall
-		zapret_apply_firewall
-		;;
-	start-daemons|start_daemons)
-		zapret_run_daemons
-		;;
-	stop-daemons|stop_daemons)
-		zapret_stop_daemons
-		;;
-	restart-daemons|restart_daemons)
-		zapret_stop_daemons
-		zapret_run_daemons
-		;;
-	reload-ifsets|reload_ifsets)
-		zapret_reload_ifsets
-		;;
-	list-ifsets|list_ifsets)
-		zapret_list_ifsets
-		;;
-	list-table|list_table)
-		zapret_list_table
-		;;
-  *)
-	N=/etc/init.d/$NAME
-	echo "Usage: $N {start|stop|restart|start-fw|stop-fw|restart-fw|start-daemons|stop-daemons|restart-daemons|reload-ifsets|list-ifsets|list-table}" >&2
-	exit 1
-	;;
-esac
-exit 0
-</code>
 nano /opt/zapret/config
 <code bash>
-# this file is included from init scripts
-# change values here
-# can help in case /tmp has not enough space
-#TMPDIR=/opt/zapret/tmp
-# redefine user for zapret daemons. required on Keenetic
 WS_USER=nobody
-# override firewall type : iptables,nftables,ipfw
 FWTYPE=iptables
-# nftables only : set this to 0 to use pre-nat mode. default is post-nat.
+SET_MAXELEM=1048576
-# pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log
-#POSTNAT=0
-# options for ipsets
-# maximum number of elements in sets. also used for nft sets
-SET_MAXELEM=522288
-# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
-# too large hashsize will waste lots of RAM
 IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
-# dynamically generate additional ip. $1 = ipset/nfset/table name
-#IPSET_HOOK="/etc/zapret.ipset.hook"
-# options for ip2net. "-4" or "-6" auto added by ipset create script
 IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
-IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
+IP2NET_OPT6="--prefix-length=48-64 --v6-threshold=3"
-# options for auto hostlist
 AUTOHOSTLIST_RETRANS_THRESHOLD=3
 AUTOHOSTLIST_FAIL_THRESHOLD=3
-AUTOHOSTLIST_FAIL_TIME=60
+AUTOHOSTLIST_FAIL_TIME=30
-# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
 AUTOHOSTLIST_DEBUGLOG=0
+MDIG_THREADS=50
-# number of parallel threads for domain list resolves
-MDIG_THREADS=30
-# ipset/*.sh can compress large lists
 GZIP_LISTS=1
-# command to reload ip/host lists after update
-# comment or leave empty for auto backend selection : ipset or ipfw if present
-# on BSD systems with PF no auto reloading happens. you must provide your own command
-# set to "-" to disable reload
-#LISTS_RELOAD="pfctl -f /etc/pf.conf"
-# mark bit used by nfqws to prevent loop
 DESYNC_MARK=0x40000000
 DESYNC_MARK_POSTNAT=0x20000000
 TPWS_SOCKS_ENABLE=0
-# tpws socks listens on this port on localhost and LAN interfaces
 TPPORT_SOCKS=987
-# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
-# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
-# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
 TPWS_SOCKS_OPT="
---filter-tcp=80 --methodeol <HOSTLIST> --new
+--filter-tcp=80 --methodeol  <HOSTLIST> --new
 --filter-tcp=443 --split-pos=1,midsld --disorder <HOSTLIST>
 "
 TPWS_ENABLE=0
 TPWS_PORTS=80,443
-# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
-# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
-# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
 TPWS_OPT="
---filter-tcp=80 --methodeol <HOSTLIST> --new
+--filter-tcp=80 --methodeol --split-pos=2,midsld --hostlist=/opt/zapret/ipset/youtube_domain_list.txt --new
---filter-tcp=443 --split-pos=1,midsld --disorder <HOSTLIST>
+--filter-tcp=443 --split-pos=2,midsld --disorder --hostlist=/opt/zapret/ipset/youtube_domain_list.txt
 "
 NFQWS_ENABLE=1
-# redirect outgoing traffic with connbytes limiter applied in both directions.
 NFQWS_PORTS_TCP=80,443
 NFQWS_PORTS_UDP=443
-# PKT_OUT means connbytes dir original
-# PKT_IN means connbytes dir reply
-# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
 NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
 NFQWS_TCP_PKT_IN=3
 NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
 NFQWS_UDP_PKT_IN=0
-# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
+MODE_HTTP=1
-# normally it's needed only for stateless DPI that matches every packet in a single TCP session
+MODE_HTTPS=1
-# typical example are plain HTTP keep alives
+MODE_QUIC=1
-# this mode can be very CPU consuming. enable with care !
-#NFQWS_PORTS_TCP_KEEPALIVE=80
-#NFQWS_PORTS_UDP_KEEPALIVE=
-# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
-# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
-# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
 NFQWS_OPT="
---filter-tcp=80 --dpi-desync=fake,multisplit --dpi-desync-ttl=0 --dpi-desync-fooling=md5sig,badsum <HOSTLIST> --new
+# YouTube rules
---filter-tcp=443 --dpi-desync=fake,multidisorder --dpi-desync-split-pos=method+2,midsld,5 --dpi-desync-ttl=0 --dpi-desync-fooling=md5sig,badsum,badseq --dpi-desync-repeats=15 --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin <HOSTLIST> --new
+--filter-tcp=80 --dpi-desync=fake,multisplit --dpi-desync-ttl=1 --hostlist=/opt/zapret/ipset/youtube_domain_list.txt --new
---filter-udp=443 --dpi-desync=fake --dpi-desync-repeats=15 --dpi-desync-ttl=0  --dpi-desync-any-protocol --dpi-desync-cutoff=d4 --dpi-desync-fooling=md5sig,badsum --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin <HOSTLIST>
+--filter-tcp=443 --dpi-desync=fake,multidisorder --dpi-desync-split-pos=1 --dpi-desync-ttl=1 --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin --hostlist=/opt/zapret/ipset/youtube_domain_list.txt --new
+#--filter-udp=443 --dpi-desync=fake --dpi-desync-ttl=1 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --hostlist=/opt/zapret/ipset/youtube_domain_list.txt
+--filter-udp=443 --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-ttl=0 --dpi-desync-any-protocol --dpi-desync-cutoff=d4 --dpi-desync-fooling=md5sig,badsum --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --hostlist=/opt/zapret/ipset/youtube_domain_list.txt
+# Main rules
+--filter-tcp=80,443 --dpi-desync=fake --dpi-desync-ttl=0
+--filter-udp=443 --dpi-desync=fake --dpi-desync-ttl=0
 "
+NFQWS_OPT_DESYNC="--dpi-desync=fake,disorder2 --dpi-desync-split-pos=1 --dpi-desync-ttl=0 --dpi-desync-fooling=md5sig,badsum --dpi-desync-repeats=6 --dpi-desync-any-protocol --dpi-desync-cutoff=d4 --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"
-# none,ipset,hostlist,autohostlist
+NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-ttl=0 --dpi-desync-any-protocol --dpi-desync-cutoff=d4 --dpi-desync-fooling=md5sig,badsum --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin"
 MODE_FILTER=none
+FLOWOFFLOAD=disable
-# openwrt only : donttouch,none,software,hardware
-FLOWOFFLOAD=donttouch
-# openwrt: specify networks to be treated as LAN. default is "lan"
-#OPENWRT_LAN="lan lan2 lan3"
-# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
-#OPENWRT_WAN4="wan vpn"
-#OPENWRT_WAN6="wan6 vpn6"
-# for routers based on desktop linux and macos. has no effect in openwrt.
-# CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES
-# or leave them commented if its not router
-# it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2"
-# if IFACE_WAN6 is not defined it take the value of IFACE_WAN
 IFACE_LAN=br0
-IFACE_WAN=eth3
+IFACE_WAN=eth0
-#IFACE_WAN6="ipsec0 wireguard0 he_net"
-# should start/stop command of init scripts apply firewall rules ?
-# not applicable to openwrt with firewall3+iptables
 INIT_APPLY_FW=1
-# firewall apply hooks
-#INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
-#INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
-#INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
-#INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"
-# do not work with ipv4
-#DISABLE_IPV4=1
-# do not work with ipv6
 DISABLE_IPV6=0
+DEBUGLOG=0
+</code>
-# select which init script will be used to get ip or host list
+<code bash>
-# possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
+$ echo '' > /opt/zapret/ipset/youtube_domain_list.txt
-# comment if not required
-#GETLIST
 </code>
-  * [[config-default]]
+=== Только для теста ===
-  * [[config-2]]
-  * [[config-3]]
+  * [[:config-default]]
-  * [[config-4]]
 ===== NWQWS_OPT =====
@@ Строка 379: / Строка 178: @@
 </code>
+===== Фильтры =====
-==== Скрипты ====
+nano /opt/zapret/ipset/zapret-hosts-user.txt
+<code>
+www.youtube.com
+youtube.com
+</code>
+nano /opt/zapret/ipset/zapret-hosts-user-exclude.txt
+<code>
-<code bash>
-$ ls -la /opt/zapret/ipset
-$ cp -a /opt/zapret/init.d/custom.d.examples.linux/10-keenetic-udp-fix /opt/zapret/init.d/sysv/custom.d/10-keenetic-udp-fix
 </code>
-  * [[discord]]
+nano /opt/zapret/ipset/youtube_domain_list.txt
+<code>
+youtube.com
+youtu.be
+googlevideo.com
+googleapis.com
+ggpht.com
+ytimg.com
+youtube-nocookie.com
+play.google.com
+gstatic.com
+googlevideo.com
+ggpht.com
+ytimg.com
+l.google.com
+youtube.com
+www.youtube.com
+play.google.com
+youtubei.googleapis.com
+youtu.be
+nhacmp3youtube.com
+googleusercontent.com
+googleads.g.doubleclick.net
+</code>
+nano /opt/zapret/ipset/zapret-ip-exclude.txt
+<code>
+.0.0.0/8
+.0.0.0/8
+.168.0.0/16
+.16.0.0/12
+.64.0.0/10
+.254.0.0/16
+.0.0.0/3
+.255.255.255/32
+</code>
+==== Скрипты ====
+  * [[:discord]]
 ==== Отключение проверки контрольной суммы пакетов ====
@@ Строка 425: / Строка 269: @@
 <code bash>
-$ /tmp/mnt/USB/entware/zapret/ipset/get_refilter_domains.sh
+$ /tmp/mnt/SYS/entware/zapret/ipset/get_refilter_domains.sh
 $ /opt/zapret/init.d/sysv/zapret restart
 $ /opt/etc/init.d/S00fix start
@@ Строка 433: / Строка 277: @@
 ==== Автозапуск ====
 nano /jffs/scripts/firewall-start
 <code bash>
-/tmp/mnt/USB/entware/zapret/ipset/get_refilter_domains.sh
+#!/bin/sh
-/opt/etc/init.d/S00fix start
+sleep 10
+logger "hostlist" "Update domains list"
+/tmp/mnt/SYS/entware/zapret/ipset/get_refilter_domains.sh
+logger "firewall" "Applying dpi-start rules"
 /opt/zapret/init.d/sysv/zapret restart
+/opt/etc/init.d/S00fix start
+</code>
+<code bash>
+$ chmod +x /jffs/scripts/firewall-start
 </code>