routing/tc fixes
This commit is contained in:
SkyperTHC
parent
203856e391
commit
6ba3cd5b56
|
|
@ -3,6 +3,8 @@
|
|||
* SetEnv HIDEIP, HUSHLOGIN, PRJ
|
||||
* NOVPN/DIRECT support
|
||||
* conntrack improvements
|
||||
* Fairer Network Scheduling (tc-cake)
|
||||
* Private about SECRET and secret@
|
||||
|
||||
0.4.4 - 2022-03-00
|
||||
* Updated for quarterly Kali-latest
|
||||
|
|
|
|||
3
Makefile
3
Makefile
|
|
@ -1,4 +1,4 @@
|
|||
VER := 0.4.5b
|
||||
VER := 0.4.5b2
|
||||
|
||||
all:
|
||||
make -C router
|
||||
|
|
@ -96,7 +96,6 @@ FILES_ROUTER += "segfault-$(VER)/router/Makefile"
|
|||
FILES_ROUTER += "segfault-$(VER)/router/Dockerfile"
|
||||
FILES_ROUTER += "segfault-$(VER)/router/fix-network.sh"
|
||||
FILES_ROUTER += "segfault-$(VER)/router/init.sh"
|
||||
FILES_ROUTER += "segfault-$(VER)/router/tc.sh"
|
||||
FILES_ROUTER += "segfault-$(VER)/router/init-wg.sh"
|
||||
FILES_ROUTER += "segfault-$(VER)/router/init-novpn.sh"
|
||||
FILES_ROUTER += "segfault-$(VER)/router/user-limit.sh"
|
||||
|
|
|
|||
|
|
@ -222,7 +222,7 @@ services:
|
|||
- net.netfilter.nf_conntrack_frag6_timeout=10
|
||||
- net.netfilter.nf_conntrack_generic_timeout=180 # default is 600
|
||||
- net.netfilter.nf_conntrack_tcp_timeout_syn_sent=10 # default is 120
|
||||
- net.netfilter.nf_conntrack_tcp_timeout_syn_recv=5 # default is 30, 5 because of reverse tunnels
|
||||
- net.netfilter.nf_conntrack_tcp_timeout_syn_recv=5 # default is 30, 5 because of reverse tunnels (CS)
|
||||
- net.netfilter.nf_conntrack_tcp_timeout_last_ack=5 # default is 30
|
||||
- net.netfilter.nf_conntrack_tcp_timeout_fin_wait=10 # default is 120
|
||||
- net.netfilter.nf_conntrack_tcp_timeout_close=1 # default is 10
|
||||
|
|
@ -254,6 +254,7 @@ services:
|
|||
- CONFIG=${SF_MULLVAD_CONFIG:-}
|
||||
- PROVIDER=Mullvad
|
||||
- NETWORK=${SF_NET_LG}
|
||||
- IS_REDIRECTS_DNS=1
|
||||
- POST_UP=/sf/bin/vpn_wg2status.sh /sf/run/vpn/status-mullvad.log up %i
|
||||
- PRE_DOWN=/sf/bin/vpn_wg2status.sh /sf/run/vpn/status-mullvad.log down %i
|
||||
- RECONNECT=604800 # Re-Connect every 7 days
|
||||
|
|
@ -361,7 +362,7 @@ services:
|
|||
- net.netfilter.nf_conntrack_frag6_timeout=10
|
||||
- net.netfilter.nf_conntrack_generic_timeout=180 # default is 600
|
||||
- net.netfilter.nf_conntrack_tcp_timeout_syn_sent=10 # default is 120
|
||||
- net.netfilter.nf_conntrack_tcp_timeout_syn_recv=5 # default is 30, 5 because of reverse tunnels
|
||||
- net.netfilter.nf_conntrack_tcp_timeout_syn_recv=5 # default is 30, 5 because of reverse tunnels (sf-router)
|
||||
- net.netfilter.nf_conntrack_tcp_timeout_last_ack=5 # default is 30
|
||||
- net.netfilter.nf_conntrack_tcp_timeout_fin_wait=10 # default is 120
|
||||
- net.netfilter.nf_conntrack_tcp_timeout_close=1 # default is 10
|
||||
|
|
@ -531,6 +532,10 @@ services:
|
|||
environment:
|
||||
- SF_DEBUG
|
||||
- SF_TOR_VIA_VPN
|
||||
- NET_LG=${SF_NET_LG:?}
|
||||
- SSHD_IP=${SF_SSHD_IP:?}
|
||||
- NGINX_IP=${SF_NGINX_IP:?}
|
||||
- NET_VPN_ROUTER_IP=${SF_NET_VPN_ROUTER_IP:?}
|
||||
dns: ${SF_NET_VPN_DNS_IP}
|
||||
depends_on:
|
||||
- dnsmasq
|
||||
|
|
|
|||
|
|
@ -13,4 +13,6 @@ GS_SECRET="${GS_SECRET:0:12}"
|
|||
|
||||
echo "${GS_SECRET}" >/config/guest/gsnc-access-22.txt
|
||||
|
||||
# Give sf-router time to boot up and set the routes...
|
||||
sleep 3
|
||||
exec /gs-netcat -l -d "$1" -p 22 -s "22-${GS_SECRET}"
|
||||
|
|
|
|||
|
|
@ -555,7 +555,7 @@ RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'amd64$' fscan \
|
|||
&& /pkg-install.sh HACK ghbin 'projectdiscovery/interactsh' 'linux_amd64' interactsh-client \
|
||||
&& /pkg-install.sh HACK ghbin 'projectdiscovery/mapcidr' 'linux_amd64' mapcidr \
|
||||
&& /pkg-install.sh HACK ghbin 'lc/subjs' 'linux_amd64' subjs \
|
||||
&& /pkg-install.sh MINI ghbin 'qsocket/qs-netcat' 'linux_amd64' qs-netcat \
|
||||
&& /pkg-install.sh HACK ghbin 'qsocket/qs-netcat' 'linux_amd64' qs-netcat \
|
||||
&& /pkg-install.sh HACK ghbin 'shenwei356/rush' 'linux_amd64' rush \
|
||||
&& /pkg-install.sh HACK ghbin 'KathanP19/Gxss' 'inux_x86_64' Gxss \
|
||||
&& /pkg-install.sh HACK ghbin 'dwisiswant0/crlfuzz' 'inux_amd64' crlfuzz \
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@
|
|||
_IS_SHOW_MOTD=1
|
||||
[[ -z $PS1 ]] && unset _IS_SHOW_MOTD
|
||||
[[ -n $SF_HUSHLOGIN ]] && unset _IS_SHOW_MOTD
|
||||
[[ -z $SF_IS_LOGINSHELL ]] && unset _IS_SHOW_MOTD
|
||||
[[ ! -f /sf/bin/sf-motd.sh ]] && unset _IS_SHOW_MOTD
|
||||
|
||||
# Trampoline to this script:
|
||||
|
|
@ -11,6 +12,9 @@ _IS_SHOW_MOTD=1
|
|||
[[ -f /config/guest/sys-motd.sh ]] && source /config/guest/sys-motd.sh
|
||||
}
|
||||
unset _IS_SHOW_MOTD
|
||||
# No not display full info when using tmux or bash -il
|
||||
unset SF_IS_NEW_SERVER
|
||||
unset SF_IS_LOGINSHELL
|
||||
|
||||
[[ -n $BASH ]] && {
|
||||
# user on zsh and did `bash -il`
|
||||
|
|
|
|||
|
|
@ -54,10 +54,10 @@ fixr()
|
|||
}
|
||||
ln -sf /sec/usr/etc/rc.local /etc/rc.local
|
||||
chown root:root /etc /etc/profile.d /etc/profile.d/segfault.sh
|
||||
chmod 755 /usr /usr/bin /usr/sbin /etc /etc/profile.d
|
||||
chmod 755 /usr /usr/bin /usr/sbin /usr/share /etc /etc/profile.d
|
||||
chmod 755 /usr/bin/mosh-server-hook /usr/bin/xpra-hook /usr/bin/brave-browser-stable-hook /usr/share/code/code-hook /usr/share/code/bin/code-hook /usr/bin/xterm-dark /usr/sbin/halt
|
||||
chmod 644 /etc/profile.d/segfault.sh
|
||||
chmod 644 /etc/shellrc /etc/zsh_command_not_found /etc/zsh_profile
|
||||
chmod 644 /etc/shellrc /etc/zsh_command_not_found /etc/zsh_profile
|
||||
fixr /usr/share/www
|
||||
fixr /usr/share/source-highlight
|
||||
ln -s batcat /usr/bin/bat
|
||||
|
|
|
|||
|
|
@ -19,6 +19,6 @@ diff:
|
|||
diff -x '!*.[ch]' -u openssh-9.2p1-orig/ openssh-9.2p1-sf/ | grep -Ev ^"(Only in|Common)" >../sf-sshd.patch
|
||||
|
||||
clean:
|
||||
rm -rf openssh-9.2p1-sf fs-root/usr/sfbin/sshd
|
||||
rm -rf openssh-9.2p1-sf fs-root/usr/sbin/sshd
|
||||
docker image rm alpine-gcc
|
||||
|
||||
|
|
|
|||
|
|
@ -447,8 +447,8 @@ print_goodbye()
|
|||
echo -e "\
|
||||
-------> The encrypted filesystem in /sec will remain accessible until
|
||||
-------> the last shell exits or all background processes terminate.
|
||||
-------> Type ${CC}halt${CN} instead to stop this server. This will
|
||||
-------> also make /sec unavailabe until your next log in."
|
||||
-------> Log back in and type ${CC}halt${CN} instead to stop this server.
|
||||
-------> This will also make /sec unavailabe until your next log in."
|
||||
fi
|
||||
echo -en "\r"
|
||||
[[ -z $SF_IS_PAYING ]] && {
|
||||
|
|
@ -460,12 +460,19 @@ ${CDY}@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
|||
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@${CN}"
|
||||
|
||||
}
|
||||
[[ -n $SF_IS_NEW_SERVER ]] && echo -e "\
|
||||
Access with : ${CDC}ssh -o \"SetEnv SECRET=${SF_SEC:-UNKNOWN}\" ${SF_USER}@${SF_FQDN:-UNKNOWN}${CN}"
|
||||
|
||||
echo -e "\
|
||||
RTFM : ${CB}${CUL}https://www.thc.org/segfault/faq${CN}
|
||||
GOODBYE : ${CW}Join us on Telegram - https://t.me/thcorg${CN}"
|
||||
[[ -z $SF_IS_NEW_SERVER ]] && return
|
||||
|
||||
echo -en "Would you like to see the ${CDY}SECRET${CN} to log back in to ${CDY}${SF_HOSTNAME:-UNKNOWN}${CN}? (y/N) "
|
||||
read -r -n1 -t10 yn || echo -n "N"
|
||||
echo ""
|
||||
[[ "${yn^^}" != "Y" ]] && return
|
||||
|
||||
echo -e "\
|
||||
Access with : ${CDC}ssh -o \"SetEnv SECRET=${SF_SEC:-UNKNOWN}\" ${SF_USER}@${SF_FQDN:-UNKNOWN}${CN}"
|
||||
}
|
||||
|
||||
print_to_many_servers()
|
||||
|
|
@ -516,7 +523,7 @@ spawn_shell_exit()
|
|||
[[ ! -f "/config/self-for-guest/lg-${LID}/reverse_ip" ]] && mk_portforward "${LID}"
|
||||
|
||||
# export SF_LOG="/config/host/log/sigproxy-${LID}-${SF_HOSTNAME}.log"
|
||||
docker-exec-sigproxy exec --detach-keys='ctrl-^,z' --workdir=/sec/root --user 0:0 "${DOCKER_EXEC_ARGS[@]}" "lg-${LID}" nice -n"${SF_USER_NICE_SCORE:?}" zsh "${PARAM[@]}"
|
||||
docker-exec-sigproxy exec --detach-keys='ctrl-^,z' --workdir=/sec/root --env SF_IS_LOGINSHELL=1 --user 0:0 "${DOCKER_EXEC_ARGS[@]}" "lg-${LID}" nice -n"${SF_USER_NICE_SCORE:?}" zsh "${PARAM[@]}"
|
||||
ret="$?" # save return value and exit this script later with same return value.
|
||||
DEBUGF "Exited with $ret"
|
||||
logout
|
||||
|
|
|
|||
|
|
@ -6,11 +6,13 @@ RUN apt-get update \
|
|||
ca-certificates \
|
||||
conntrack \
|
||||
curl \
|
||||
dnsutils \
|
||||
fping \
|
||||
inetutils-ping \
|
||||
iptables \
|
||||
iproute2 \
|
||||
iperf \
|
||||
ipset \
|
||||
jq \
|
||||
lsb-release \
|
||||
gnupg \
|
||||
|
|
@ -25,6 +27,7 @@ RUN apt-get update \
|
|||
# nftables
|
||||
|
||||
RUN bash -c '{ true \
|
||||
&& echo "source /dev/shm/net-devs.txt 2>/dev/null" >>/root/.bashrc \
|
||||
&& curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
|
||||
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null \
|
||||
&& apt-get update \
|
||||
|
|
|
|||
151
router/init.sh
151
router/init.sh
|
|
@ -121,43 +121,51 @@ use_vpn()
|
|||
{
|
||||
local gw
|
||||
local gw_ip
|
||||
local gw_dns_ip
|
||||
|
||||
# Configure FW rules for reverse port forwards.
|
||||
# Any earlier than this and the MAC of the routers are not known. Thus do it here.
|
||||
|
||||
init_revport_once
|
||||
|
||||
local _ip
|
||||
local f
|
||||
for f in /sf/run/vpn/status-*; do
|
||||
[[ ! -f "$f" ]] && break
|
||||
_ip="$(<"$f")"
|
||||
_ip="${_ip%%$'\n'*}"
|
||||
_ip="${_ip##*=}"
|
||||
_ip="${_ip//[^0-9\.]/}" # Sanitize
|
||||
[[ -z $_ip ]] && continue
|
||||
gw+=("nexthop" "via" "${_ip}" "weight" "100")
|
||||
gw_ip+=("${_ip}")
|
||||
source "$f"
|
||||
[[ -z $SFVPN_MY_IP ]] && continue
|
||||
gw+=("nexthop" "via" "${SFVPN_MY_IP}" "weight" "100")
|
||||
[[ -z $SFVPN_IS_REDIRECTS_DNS ]] && gw_dns_ip+=("${SFVPN_MY_IP}")
|
||||
gw_ip+=("${SFVPN_MY_IP}")
|
||||
done
|
||||
|
||||
[[ ${#gw[@]} -eq 0 ]] && return
|
||||
|
||||
echo -e >&2 "[$(date '+%F %T' -u)] Switching to VPN (gw=${gw_ip[*]})"
|
||||
LOG "VPN" "Switching to VPN (gw=${gw_ip[*]})"
|
||||
ip route del default
|
||||
ip route del default table 53 2>/dev/null
|
||||
[[ ${#gw_dns_ip[@]} -gt 0 ]] && [[ ${#gw_dns_ip[@]} -ne ${#gw[@]} ]] && {
|
||||
# At least 1 VPN redirects DNS. Make sure we dont route via that one....
|
||||
# echo -e >&2 "DNS via ${gw_dns_ip[0]}..."
|
||||
LOG "DNS" "DNS via ${gw_dns_ip[0]}...."
|
||||
# iproute2 does not support nexthop-multipath and fwmark tables.
|
||||
# ip route add default nexthop via 172.20.0.253 nexthop via 172.20.0.252 table 53
|
||||
# Error: "nexthop" or end of line is expected instead of "table"
|
||||
# Instead use the first for port 53 traffic.
|
||||
ip route add default via "${gw_dns_ip[0]}" table 53
|
||||
}
|
||||
ip route add default "${gw[@]}"
|
||||
|
||||
}
|
||||
|
||||
use_tor()
|
||||
{
|
||||
echo -e >&2 "$(date) Switching to TOR"
|
||||
LOG "VPN" "Switching to TOR"
|
||||
ip route del default 2>/dev/null
|
||||
ip route add default via "${TOR_IP}"
|
||||
}
|
||||
|
||||
use_novpn()
|
||||
{
|
||||
echo -e >&2 "$(date) Switching to NoVPN"
|
||||
LOG "VPN" "Switching to NoVPN"
|
||||
ip route del default 2>/dev/null
|
||||
ip route add default via "${NOVPN_IP}"
|
||||
}
|
||||
|
|
@ -195,6 +203,17 @@ monitor_failover()
|
|||
done
|
||||
}
|
||||
|
||||
# Some rules need no further processing.
|
||||
ipt_mark_ret()
|
||||
{
|
||||
local id
|
||||
id=$1
|
||||
|
||||
shift 1
|
||||
iptables "$@" -j MARK --set-mark "$id"
|
||||
iptables "$@" -j RETURN
|
||||
}
|
||||
|
||||
# Set Iptables Forwarding rules
|
||||
ipt_set()
|
||||
{
|
||||
|
|
@ -260,6 +279,59 @@ ipt_set()
|
|||
# => Already set by SSHD -D1080 setup
|
||||
}
|
||||
|
||||
ipset_add_ip()
|
||||
{
|
||||
local ip
|
||||
ip="$1"
|
||||
|
||||
# IPv6 not supported
|
||||
[[ "$ip" == *:* ]] && return
|
||||
|
||||
ip="${ip//[^0-9\.\/]}"
|
||||
ipset -exist -A direct "${ip}"
|
||||
}
|
||||
|
||||
ipset_add_domain()
|
||||
{
|
||||
local domain
|
||||
domain="$1"
|
||||
# Remove CNAME. Only output IP
|
||||
for ip in $(dig +short "$domain" | grep -v '\.$'); do
|
||||
ipset_add_ip "$ip" || ERR "DOMAIN='$domain', IP='$ip'"
|
||||
done
|
||||
}
|
||||
|
||||
# Some IP's are routed DIRECTLY and not via VPN
|
||||
# Mostly to save latency and data usage
|
||||
ipt_direct()
|
||||
{
|
||||
ipset -N direct iphash
|
||||
|
||||
ipset_add_domain http.kali.org
|
||||
|
||||
# GitHub
|
||||
ipset_add_domain github.com
|
||||
curl -SsfL https://api.github.com/meta | jq -r '.packages[], .git[] | select(. != null)' | while read ip; do
|
||||
ipset_add_ip "$ip" || ERR "IP=$ip"
|
||||
done
|
||||
|
||||
# Do not add Fastly
|
||||
# ipset_add_domain pypi.python.org
|
||||
# ipset_add_domain pypi.org
|
||||
# curl -SsfL "https://api.fastly.com/public-ip-list" | jq -r '.addresses[] | select(. != null)' | while read ip; do
|
||||
# ipset_add_ip "$ip" || ERR "IP=$ip"
|
||||
# done
|
||||
|
||||
# Do not add gsocket
|
||||
# for x {1..8}; do
|
||||
# ipset -A direct gs${x}.thc.org 2>/dev/null
|
||||
# done
|
||||
|
||||
# Do not add CloudFlared/ArgoTunnels, ngrok, pagekite etc etc.
|
||||
|
||||
ipt_mark_ret "22" -t mangle -A PREROUTING -i "${DEV_LG}" -p tcp -m set --match-set direct dst
|
||||
}
|
||||
|
||||
ipt_syn_limit_set()
|
||||
{
|
||||
local in
|
||||
|
|
@ -325,6 +397,10 @@ ipt_set
|
|||
|
||||
ipt_syn_limit
|
||||
|
||||
set +e
|
||||
ipt_direct
|
||||
set -e
|
||||
|
||||
ip route del default
|
||||
|
||||
# -----BEGIN SSH traffic is routed via Direct Internet-----
|
||||
|
|
@ -341,13 +417,13 @@ ip route del default
|
|||
# - ip rule show
|
||||
# - ip route show table 207
|
||||
# Forward all SSHD traffic to the router (172.28.0.2) to sf-host:22.
|
||||
iptables -t mangle -A PREROUTING -i "${DEV_DIRECT}" -p tcp -d "${NET_DIRECT_ROUTER_IP}" --dport 22 -j MARK --set-mark 722
|
||||
ipt_mark_ret "722" -t mangle -A PREROUTING -i "${DEV_DIRECT}" -p tcp -d "${NET_DIRECT_ROUTER_IP}" --dport 22
|
||||
ip rule add fwmark 722 table 207
|
||||
ip route add default via "${SSHD_IP}" dev "${DEV_ACCESS}" table 207
|
||||
|
||||
# Any return traffic from the SSHD shall go out (directly) to the Internet or to TOR (if arrived from TOR)
|
||||
iptables -t mangle -A PREROUTING -i "${DEV_ACCESS}" -p tcp -s "${SSHD_IP}" --sport 22 -d "${TOR_IP}" -j RETURN
|
||||
iptables -t mangle -A PREROUTING -i "${DEV_ACCESS}" -p tcp -s "${SSHD_IP}" --sport 22 -j MARK --set-mark 22
|
||||
ipt_mark_ret "22" -t mangle -A PREROUTING -i "${DEV_ACCESS}" -p tcp -s "${SSHD_IP}" --sport 22
|
||||
ip rule add fwmark 22 table 201
|
||||
ip route add default via "${NET_DIRECT_BRIDGE_IP}" dev "${DEV_DIRECT}" table 201
|
||||
|
||||
|
|
@ -418,24 +494,37 @@ iptables -A FORWARD -o "${DEV_DIRECT}" -i "${DEV_LG}" -p udp --sport 25002:26023
|
|||
iptables -t nat -A POSTROUTING -o "${DEV_LG}" -m mark --mark 52 -j MASQUERADE
|
||||
|
||||
# Return traffic to _router_ should be routed via DIRECT (it's MASQ'ed return traffic)
|
||||
iptables -t mangle -A PREROUTING -i "${DEV_LG}" -p udp -d "${NET_LG_ROUTER_IP}" --sport 25002:26023 -j MARK --set-mark 22
|
||||
ipt_mark_ret "22" -t mangle -A PREROUTING -i "${DEV_LG}" -p udp -d "${NET_LG_ROUTER_IP}" --sport 25002:26023
|
||||
# -----END MOSH-----
|
||||
|
||||
# -----BEGIN 53 ROUTE VIA GOOD VPN
|
||||
# Some VPN providers redirect port 53. We dont want this. Mark them and try to find a route
|
||||
# (via other VPN's).
|
||||
ip rule add fwmark 53 table 53
|
||||
ipt_mark_ret "53" -t mangle -A PREROUTING -i "${DEV_LG}" -p udp --dport 53
|
||||
ipt_mark_ret "53" -t mangle -A PREROUTING -i "${DEV_LG}" -p tcp --dport 53
|
||||
# -----END 53 ROUTE VIA GOOD VPN
|
||||
|
||||
# -----BEGIN GSNC traffic is routed via Internet----
|
||||
# GSNC TCP traffic to 443 and 7350 goes to (direct) Internet
|
||||
iptables -t mangle -A PREROUTING -i "${DEV_ACCESS}" -p tcp -s "${GSNC_IP}" -j MARK --set-mark 22
|
||||
ipt_mark_ret "22" -t mangle -A PREROUTING -i "${DEV_ACCESS}" -p tcp -s "${GSNC_IP}"
|
||||
# -----END GSNC traffic is routed via Internet----
|
||||
|
||||
# Dont MASQ LG's. FORWARD instead. They are MASQ'ed at VPN endpoints.
|
||||
iptables -A FORWARD -i "${DEV_LG}" -o "${DEV_GW}" -j ACCEPT
|
||||
# DNSMASQ does not know route back to LG => MASQ is here.
|
||||
|
||||
# MASQ DNSMASQ as it does not know a route to LG
|
||||
iptables -t nat -A POSTROUTING -s "${NET_LG}" -d "${NET_VPN_DNS_IP}" -o "${DEV_GW}" -j MASQUERADE
|
||||
# MASQ all traffic from NON-LG's (the VPN/TOR/DNS dont know the route back to them).
|
||||
# iptables -t nat -A POSTROUTING ! -s "${NET_LG}" -o "${DEV_GW}" -j MASQUERADE
|
||||
# MASQ GSNC to (direct) Internet
|
||||
iptables -t nat -A POSTROUTING -s "${GSNC_IP}" -o "${DEV_DIRECT}" -j MASQUERADE
|
||||
# MASQ traffic from TOR to DMZ (nginx)
|
||||
# MASQ traffic from TOR to DMZ (nginx) as DMZ does not know about TOR_IP.
|
||||
iptables -t nat -A POSTROUTING -o "${DEV_DMZ}" -j MASQUERADE
|
||||
|
||||
# MASQ GSNC to (direct) Internet
|
||||
# iptables -t nat -A POSTROUTING -s "${GSNC_IP}" -o "${DEV_DIRECT}" -j MASQUERADE
|
||||
# MASQ traffic 'forced' via (direct) Internet (e.g ipt_set, sf-gsnc)
|
||||
iptables -t nat -A POSTROUTING -o "${DEV_DIRECT}" -m mark --mark 22 -m state --state NEW,ESTABLISHED -j MASQUERADE
|
||||
iptables -A FORWARD -i "${DEV_LG}" -o "${DEV_DIRECT}" -p tcp -m mark --mark 22 -j ACCEPT
|
||||
iptables -A FORWARD -i "${DEV_DIRECT}" -o "${DEV_LG}" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
# TOR traffic (169.254.240.0/21) always goes to TOR (transparent proxy)
|
||||
ip route add "${NET_ONION}" via "${TOR_IP}"
|
||||
|
||||
|
|
@ -444,23 +533,24 @@ ip route add "${NET_ONION}" via "${TOR_IP}"
|
|||
iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
|
||||
iptables -A FORWARD -j REJECT
|
||||
set +e
|
||||
echo -e >&2 "FW: SUCCESS"
|
||||
LOG "FW" "SUCCESS"
|
||||
|
||||
# Set up Traffic Control (limit bandwidth)
|
||||
|
||||
unset err
|
||||
### Shape/Limit EGRESS LG -> VPN
|
||||
tc_set "${DEV_GW}" "${SF_MAXOUT}" "nfct-src" || err=1
|
||||
# tc_set "${DEV_GW}" "${SF_MAXOUT}" "nfct-src" || err=1
|
||||
tc_set "${DEV_GW}" "${SF_MAXOUT}" "dual-srchost" "src" || err=1
|
||||
### Shape/Limit INGRESS VPN -> LG
|
||||
tc_set "${DEV_LG}" "${SF_MAXIN}" "dst" || err=1
|
||||
tc_set "${DEV_LG}" "${SF_MAXIN}" "dual-dsthost" "dst" || err=1
|
||||
|
||||
### Shape/Limit EGRESS SSHD -> SSH (direct internet)
|
||||
tc_set "${DEV_DIRECT}" "${SF_MAXOUT}" "dst" || err=1
|
||||
tc_set "${DEV_DIRECT}" "${SF_MAXOUT}" "dsthost" "dst" || err=1
|
||||
### Shape/Limit INGRESS SSH -> SSHD (sf-host)
|
||||
tc_set "${DEV_ACCESS}" "${SF_MAXIN}" "src" || err=1
|
||||
tc_set "${DEV_ACCESS}" "${SF_MAXIN}" "srchost" "src" || err=1
|
||||
|
||||
[[ -n $err ]] && SLEEPEXIT 0 5 "cls_matchall.ko not available? NO TRAFFIC LIMIT."
|
||||
echo -e >&2 "TC: SUCCESS"
|
||||
[[ -n $err ]] && SLEEPEXIT 0 5 "TC failed. NO TRAFFIC LIMIT."
|
||||
LOG "TC" "SUCCESS"
|
||||
|
||||
# By default go via DIRECT or TOR + VPN until vpn_status exists
|
||||
use_other
|
||||
|
|
@ -468,6 +558,5 @@ monitor_failover
|
|||
|
||||
# REACHED IF ANY CMD FAILS
|
||||
ip route del default
|
||||
echo -e >&2 "FAILED to set routes"
|
||||
exit 250
|
||||
ERREXIT 255 "FAILED to set routes"
|
||||
|
||||
|
|
|
|||
|
|
@ -47,8 +47,7 @@ source /dev/shm/net-devs.txt || exit
|
|||
# IPIDX=$((C * 256 + D))
|
||||
# unset C D str
|
||||
|
||||
# echo "FOOBAR"
|
||||
# # FIXME: use iptables quota2 or new nft to throttle upload speed after 8gb transfer?
|
||||
# # FIXME: nft to throttle upload speed after 8gb transfer?
|
||||
# }
|
||||
|
||||
exit 0
|
||||
|
|
|
|||
|
|
@ -42,24 +42,24 @@ tc_set()
|
|||
{
|
||||
local dev
|
||||
local rate
|
||||
local cakekey
|
||||
local key
|
||||
dev=$1
|
||||
rate=$2
|
||||
key=$3
|
||||
cakekey=$3
|
||||
key=$4
|
||||
|
||||
# Should not happen:
|
||||
# Should not be set but lets make sure:
|
||||
tc qdisc del dev "${dev}" root 2>/dev/null
|
||||
|
||||
set -e
|
||||
sfq_parent=("root")
|
||||
# use TC-CAKE if there is a rate limit. Otherwise use faster SFQ below.
|
||||
[[ -n $rate ]] && {
|
||||
tc qdisc add dev "${dev}" root handle 1: htb
|
||||
tc class add dev "${dev}" parent 1: classid 1:10 htb rate "${rate}"
|
||||
tc filter add dev "${dev}" parent 1: protocol ip matchall flowid 1:10
|
||||
sfq_parent=("parent" "1:10")
|
||||
tc qdisc add dev "${dev}" root cake bandwidth "${rate}" "${cakekey}"
|
||||
return
|
||||
}
|
||||
|
||||
tc qdisc add dev "${dev}" "${sfq_parent[@]}" handle 11: sfq
|
||||
set -e
|
||||
tc qdisc add dev "${dev}" root handle 11: sfq
|
||||
tc filter add dev "${dev}" parent 11: handle 11 flow hash keys "${key}" divisor 1024
|
||||
set +e
|
||||
}
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@ if [[ -f /dev/shm/env.txt ]]; then
|
|||
else
|
||||
echo -e "SF_DEBUG=\"${SF_DEBUG}\"\n\
|
||||
SF_REDIS_AUTH=\"${SF_REDIS_AUTH}\"\n\
|
||||
IS_REDIRECTS_DNS=\"${IS_REDIRECTS_DNS}\"\n\
|
||||
PROVIDER=\"${PROVIDER}\"\n" >/dev/shm/env.txt
|
||||
fi
|
||||
|
||||
|
|
@ -111,6 +112,7 @@ up()
|
|||
myip="${myip#*inet }"
|
||||
myip="${myip%%/*}"
|
||||
echo -en "\
|
||||
SFVPN_IS_REDIRECTS_DNS=\"${IS_REDIRECTS_DNS}\"\n\
|
||||
SFVPN_MY_IP=\"${myip}\"\n\
|
||||
SFVPN_EXEC_TS=\"$(date -u +%s)\"\n\
|
||||
SFVPN_ENDPOINT_IP=\"${ep_ip}\"\n\
|
||||
|
|
|
|||
|
|
@ -8,9 +8,6 @@ ERREXIT()
|
|||
{
|
||||
local code
|
||||
code="$1"
|
||||
# shellcheck disable=SC2181 #(style): Check exit code directly with e.g
|
||||
[[ $? -ne 0 ]] && code="$?"
|
||||
[[ -z $code ]] && code=99
|
||||
|
||||
shift 1
|
||||
[[ -n "$1" ]] && echo -e >&2 "${CR}ERROR:${CN} $*"
|
||||
|
|
@ -57,8 +54,8 @@ genkey_hidden()
|
|||
}
|
||||
|
||||
# Always fix permission (and also when files already existed)
|
||||
find "${dir}" -type d -exec chmod 700 {} \; || ERREXIT
|
||||
find "${dir}" -type f -exec chmod 600 {} \; || ERREXIT
|
||||
find "${dir}" -type d -exec chmod 700 {} \; || ERREXIT "$?"
|
||||
find "${dir}" -type f -exec chmod 600 {} \; || ERREXIT "$?"
|
||||
}
|
||||
|
||||
# Route all traffic that comes to this instance through TOR.
|
||||
|
|
@ -67,13 +64,15 @@ iptables -t nat -A PREROUTING -p tcp ! -d sf-tor --syn -j REDIRECT --to-ports 90
|
|||
if [[ -n $SF_TOR_VIA_VPN ]]; then
|
||||
# Route TOR via VPN
|
||||
ip route del default
|
||||
ip route add default via 172.20.0.2
|
||||
ip route add default via "${NET_VPN_ROUTER_IP}"
|
||||
else
|
||||
# Route TOR directly to Internet but incoming
|
||||
# onion connectoins to these two (via sf-router)
|
||||
ip route add 172.22.0.22/32 via 172.20.0.2
|
||||
ip route add 172.20.1.80/32 via 172.20.0.2
|
||||
# .onion connections to these SSHD and NGINX
|
||||
ip route add "${SSHD_IP}/32" via "${NET_VPN_ROUTER_IP}"
|
||||
ip route add "${NGINX_IP}/32" via "${NET_VPN_ROUTER_IP}"
|
||||
fi
|
||||
# Route to LG
|
||||
ip route add "${NET_LG}" via "${NET_VPN_ROUTER_IP}"
|
||||
|
||||
umask 0077
|
||||
genkey_hidden 22
|
||||
|
|
@ -83,7 +82,7 @@ xadd 22
|
|||
xadd 80
|
||||
|
||||
chmod 700 /var/lib/tor
|
||||
chown -R tor /var/lib/tor/hidden || ERREXIT
|
||||
chown -R tor /var/lib/tor/hidden || ERREXIT "$?"
|
||||
|
||||
if [[ -f /config/host/etc/tor/torrc ]]; then
|
||||
exec su -s /bin/ash - tor -c "tor --hush -f /config/host/etc/tor/torrc"
|
||||
|
|
|
|||
Loading…
Reference in New Issue