From 6ba3cd5b56c608282872c5c4c31a4348f487325a Mon Sep 17 00:00:00 2001
From: SkyperTHC
Date: Wed, 26 Apr 2023 18:57:44 +0100
Subject: [PATCH] routing/tc fixes
---
 ChangeLog | 2 +
 Makefile | 3 +-
 docker-compose.yml | 9 +-
 gsnc/sf-gsnc.sh | 2 +
 guest/Dockerfile | 2 +-
 guest/Makefile | 0
 guest/fs-root/etc/profile.d/segfault.sh | 4 +
 guest/setup.sh | 4 +-
 host/Makefile | 2 +-
 host/fs-root/bin/segfaultsh | 17 ++-
 router/Dockerfile | 3 +
 router/init.sh | 151 +++++++++++++++++++-----
 router/user-limit.sh | 3 +-
 sfbin/funcs_net.sh | 18 +-
 sfbin/vpn_wg2status.sh | 2 +
 tor/fs-root/sf-tor.sh | 19 ++-
 16 files changed, 176 insertions(+), 65 deletions(-)
 mode change 100644 => 100755 guest/Makefile
diff --git a/ChangeLog b/ChangeLog
index 296fdb4..8ea583b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,8 @@
 * SetEnv HIDEIP, HUSHLOGIN, PRJ
 * NOVPN/DIRECT support
 * conntrack improvements
+ * Fairer Network Scheduling (tc-cake)
+ * Private about SECRET and secret@
 0.4.4 - 2022-03-00
 * Updated for quarterly Kali-latest
diff --git a/Makefile b/Makefile
index 69f53e3..18ce907 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-VER := 0.4.5b
+VER := 0.4.5b2
 all:
 make -C router
@@ -96,7 +96,6 @@ FILES_ROUTER += "segfault-$(VER)/router/Makefile"
 FILES_ROUTER += "segfault-$(VER)/router/Dockerfile"
 FILES_ROUTER += "segfault-$(VER)/router/fix-network.sh"
 FILES_ROUTER += "segfault-$(VER)/router/init.sh"
-FILES_ROUTER += "segfault-$(VER)/router/tc.sh"
 FILES_ROUTER += "segfault-$(VER)/router/init-wg.sh"
 FILES_ROUTER += "segfault-$(VER)/router/init-novpn.sh"
 FILES_ROUTER += "segfault-$(VER)/router/user-limit.sh"
diff --git a/docker-compose.yml b/docker-compose.yml
index e2b0081..dfdec76 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
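Review bot: FILES_ROUTER drops `segfault-$(VER)/router/tc.sh` from the packaged file list, but the diffstat at the top of the patch shows no deletion of router/tc.sh, so the file stays in the tree while it is no longer shipped. If tc.sh is superseded by `tc_set` in sfbin/funcs_net.sh (which this patch reworks), deleting it in the same commit keeps the tree and the package list in agreement; if something still sources it, the line should stay. Either way a one-line note next to the removal, e.g. `# tc.sh replaced by tc_set in sfbin/funcs_net.sh`, would record the reason.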
@@ -222,7 +222,7 @@ services:
 - net.netfilter.nf_conntrack_frag6_timeout=10
 - net.netfilter.nf_conntrack_generic_timeout=180 # default is 600
 - net.netfilter.nf_conntrack_tcp_timeout_syn_sent=10 # default is 120
- - net.netfilter.nf_conntrack_tcp_timeout_syn_recv=5 # default is 30, 5 because of reverse tunnels
+ - net.netfilter.nf_conntrack_tcp_timeout_syn_recv=5 # default is 30, 5 because of reverse tunnels (CS)
 - net.netfilter.nf_conntrack_tcp_timeout_last_ack=5 # default is 30
 - net.netfilter.nf_conntrack_tcp_timeout_fin_wait=10 # default is 120
 - net.netfilter.nf_conntrack_tcp_timeout_close=1 # default is 10
@@ -254,6 +254,7 @@ services:
 - CONFIG=${SF_MULLVAD_CONFIG:-}
 - PROVIDER=Mullvad
 - NETWORK=${SF_NET_LG}
+ - IS_REDIRECTS_DNS=1
 - POST_UP=/sf/bin/vpn_wg2status.sh /sf/run/vpn/status-mullvad.log up %i
 - PRE_DOWN=/sf/bin/vpn_wg2status.sh /sf/run/vpn/status-mullvad.log down %i
 - RECONNECT=604800 # Re-Connect every 7 days
@@ -361,7 +362,7 @@ services:
 - net.netfilter.nf_conntrack_frag6_timeout=10
 - net.netfilter.nf_conntrack_generic_timeout=180 # default is 600
 - net.netfilter.nf_conntrack_tcp_timeout_syn_sent=10 # default is 120
- - net.netfilter.nf_conntrack_tcp_timeout_syn_recv=5 # default is 30, 5 because of reverse tunnels
+ - net.netfilter.nf_conntrack_tcp_timeout_syn_recv=5 # default is 30, 5 because of reverse tunnels (sf-router)
 - net.netfilter.nf_conntrack_tcp_timeout_last_ack=5 # default is 30
 - net.netfilter.nf_conntrack_tcp_timeout_fin_wait=10 # default is 120
 - net.netfilter.nf_conntrack_tcp_timeout_close=1 # default is 10
@@ -531,6 +532,10 @@ services:
 environment:
 - SF_DEBUG
 - SF_TOR_VIA_VPN
+ - NET_LG=${SF_NET_LG:?}
+ - SSHD_IP=${SF_SSHD_IP:?}
+ - NGINX_IP=${SF_NGINX_IP:?}
+ - NET_VPN_ROUTER_IP=${SF_NET_VPN_ROUTER_IP:?}
 dns: ${SF_NET_VPN_DNS_IP}
 depends_on:
 - dnsmasq
diff --git a/gsnc/sf-gsnc.sh b/gsnc/sf-gsnc.sh
index 87a417c..c1da56c 100755
--- a/gsnc/sf-gsnc.sh
+++ b/gsnc/sf-gsnc.sh
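Review bot: `IS_REDIRECTS_DNS=1` is an undocumented flag in the Mullvad service environment; it is copied by sfbin/vpn_wg2status.sh into the VPN status file and read by use_vpn in router/init.sh, which then keeps LG port-53 traffic off this provider. A comment on the line, e.g. `- IS_REDIRECTS_DNS=1 # provider intercepts port 53; sf-router routes LG DNS via another VPN (router/init.sh use_vpn)`, would make that coupling visible to whoever adds the next provider. Only the Mullvad service is touched in this hunk; whether the other VPN services in the file need the same flag cannot be seen from here.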
@@ -13,4 +13,6 @@ GS_SECRET="${GS_SECRET:0:12}"
 echo "${GS_SECRET}" >/config/guest/gsnc-access-22.txt
+# Give sf-router time to boot up and set the routes...
+sleep 3
 exec /gs-netcat -l -d "$1" -p 22 -s "22-${GS_SECRET}"
diff --git a/guest/Dockerfile b/guest/Dockerfile
index 334c0aa..c886d57 100644
--- a/guest/Dockerfile
+++ b/guest/Dockerfile
@@ -555,7 +555,7 @@ RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'amd64$' fscan \
 && /pkg-install.sh HACK ghbin 'projectdiscovery/interactsh' 'linux_amd64' interactsh-client \
 && /pkg-install.sh HACK ghbin 'projectdiscovery/mapcidr' 'linux_amd64' mapcidr \
 && /pkg-install.sh HACK ghbin 'lc/subjs' 'linux_amd64' subjs \
- && /pkg-install.sh MINI ghbin 'qsocket/qs-netcat' 'linux_amd64' qs-netcat \
+ && /pkg-install.sh HACK ghbin 'qsocket/qs-netcat' 'linux_amd64' qs-netcat \
 && /pkg-install.sh HACK ghbin 'shenwei356/rush' 'linux_amd64' rush \
 && /pkg-install.sh HACK ghbin 'KathanP19/Gxss' 'inux_x86_64' Gxss \
 && /pkg-install.sh HACK ghbin 'dwisiswant0/crlfuzz' 'inux_amd64' crlfuzz \
diff --git a/guest/Makefile b/guest/Makefile
old mode 100644
new mode 100755
diff --git a/guest/fs-root/etc/profile.d/segfault.sh b/guest/fs-root/etc/profile.d/segfault.sh
index 025fe9c..0a50638 100644
--- a/guest/fs-root/etc/profile.d/segfault.sh
+++ b/guest/fs-root/etc/profile.d/segfault.sh
@@ -3,6 +3,7 @@ _IS_SHOW_MOTD=1
 [[ -z $PS1 ]] && unset _IS_SHOW_MOTD
 [[ -n $SF_HUSHLOGIN ]] && unset _IS_SHOW_MOTD
+[[ -z $SF_IS_LOGINSHELL ]] && unset _IS_SHOW_MOTD
 [[ ! -f /sf/bin/sf-motd.sh ]] && unset _IS_SHOW_MOTD
 # Trampoline to this script:
@@ -11,6 +12,9 @@ _IS_SHOW_MOTD=1
 [[ -f /config/guest/sys-motd.sh ]] && source /config/guest/sys-motd.sh
 }
 unset _IS_SHOW_MOTD
+# No not display full info when using tmux or bash -il
+unset SF_IS_NEW_SERVER
+unset SF_IS_LOGINSHELL
 [[ -n $BASH ]] && {
 # user on zsh and did `bash -il`
diff --git a/guest/setup.sh b/guest/setup.sh
index 40988e8..4241a02 100755
--- a/guest/setup.sh
+++ b/guest/setup.sh
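Review bot: The new `sleep 3` before `exec /gs-netcat` is a fixed delay in a race with sf-router rather than a readiness check; a slower router boot still makes the first connection attempt fail, and a fast one wastes three seconds. Whether gs-netcat retries on its own cannot be seen from the hunk; if it does, the sleep is only cosmetic and the comment should say so, e.g. `# Best effort: sf-router normally has its routes up within a few seconds; gs-netcat reconnects if not.` If it does not, a bounded poll on an explicit signal (a marker file sf-router writes once its routes are in place, or a probe of the gateway) is deterministic and fails loudly when the router never comes up.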
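Review bot: The comment on the new `unset` lines in segfault.sh reads `# No not display full info when using tmux or bash -il`; it should be `# Do not display full info when using tmux or bash -il`. It is also worth spelling out why the variables are cleared here: `SF_IS_LOGINSHELL` arrives via `docker exec --env` from host/fs-root/bin/segfaultsh (patched in this commit) and is consumed once by the MOTD gate added in the first hunk, so unsetting it keeps nested shells from re-showing the full banner.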
@@ -54,10 +54,10 @@ fixr()
 }
 ln -sf /sec/usr/etc/rc.local /etc/rc.local
 chown root:root /etc /etc/profile.d /etc/profile.d/segfault.sh
-chmod 755 /usr /usr/bin /usr/sbin /etc /etc/profile.d
+chmod 755 /usr /usr/bin /usr/sbin /usr/share /etc /etc/profile.d
 chmod 755 /usr/bin/mosh-server-hook /usr/bin/xpra-hook /usr/bin/brave-browser-stable-hook /usr/share/code/code-hook /usr/share/code/bin/code-hook /usr/bin/xterm-dark /usr/sbin/halt
 chmod 644 /etc/profile.d/segfault.sh
-chmod 644 /etc/shellrc /etc/zsh_command_not_found /etc/zsh_profile
+chmod 644 /etc/shellrc /etc/zsh_command_not_found /etc/zsh_profile
 fixr /usr/share/www
 fixr /usr/share/source-highlight
 ln -s batcat /usr/bin/bat
diff --git a/host/Makefile b/host/Makefile
index 8db8f9e..066a026 100644
--- a/host/Makefile
+++ b/host/Makefile
@@ -19,6 +19,6 @@ diff:
 diff -x '!*.[ch]' -u openssh-9.2p1-orig/ openssh-9.2p1-sf/ | grep -Ev ^"(Only in|Common)" >../sf-sshd.patch
 clean:
- rm -rf openssh-9.2p1-sf fs-root/usr/sfbin/sshd
+ rm -rf openssh-9.2p1-sf fs-root/usr/sbin/sshd
 docker image rm alpine-gcc
diff --git a/host/fs-root/bin/segfaultsh b/host/fs-root/bin/segfaultsh
index d5a95fe..e5940df 100755
--- a/host/fs-root/bin/segfaultsh
+++ b/host/fs-root/bin/segfaultsh
@@ -447,8 +447,8 @@ print_goodbye()
 echo -e "\
 -------> The encrypted filesystem in /sec will remain accessible until
 -------> the last shell exits or all background processes terminate.
--------> Type ${CC}halt${CN} instead to stop this server. This will
--------> also make /sec unavailabe until your next log in."
+-------> Log back in and type ${CC}halt${CN} instead to stop this server.
+-------> This will also make /sec unavailabe until your next log in."
 fi
 echo -en "\r"
 [[ -z $SF_IS_PAYING ]] && {
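Review bot: The rewritten goodbye text in segfaultsh still carries the typo `unavailabe` in the added line `-------> This will also make /sec unavailabe until your next log in."`; since the line is rewritten anyway, `unavailable` is a free fix. The rest of print_goodbye lies outside this hunk.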
@@ -460,12 +460,19 @@ ${CDY}@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@${CN}"
 }
- [[ -n $SF_IS_NEW_SERVER ]] && echo -e "\
-Access with : ${CDC}ssh -o \"SetEnv SECRET=${SF_SEC:-UNKNOWN}\" ${SF_USER}@${SF_FQDN:-UNKNOWN}${CN}"
 echo -e "\
 RTFM : ${CB}${CUL}https://www.thc.org/segfault/faq${CN}
 GOODBYE : ${CW}Join us on Telegram - https://t.me/thcorg${CN}"
+ [[ -z $SF_IS_NEW_SERVER ]] && return
+
+ echo -en "Would you like to see the ${CDY}SECRET${CN} to log back in to ${CDY}${SF_HOSTNAME:-UNKNOWN}${CN}? (y/N) "
+ read -r -n1 -t10 yn || echo -n "N"
+ echo ""
+ [[ "${yn^^}" != "Y" ]] && return
+
+ echo -e "\
+Access with : ${CDC}ssh -o \"SetEnv SECRET=${SF_SEC:-UNKNOWN}\" ${SF_USER}@${SF_FQDN:-UNKNOWN}${CN}"
 }
 print_to_many_servers()
@@ -516,7 +523,7 @@ spawn_shell_exit()
 [[ ! -f "/config/self-for-guest/lg-${LID}/reverse_ip" ]] && mk_portforward "${LID}"
 # export SF_LOG="/config/host/log/sigproxy-${LID}-${SF_HOSTNAME}.log"
- docker-exec-sigproxy exec --detach-keys='ctrl-^,z' --workdir=/sec/root --user 0:0 "${DOCKER_EXEC_ARGS[@]}" "lg-${LID}" nice -n"${SF_USER_NICE_SCORE:?}" zsh "${PARAM[@]}"
+ docker-exec-sigproxy exec --detach-keys='ctrl-^,z' --workdir=/sec/root --env SF_IS_LOGINSHELL=1 --user 0:0 "${DOCKER_EXEC_ARGS[@]}" "lg-${LID}" nice -n"${SF_USER_NICE_SCORE:?}" zsh "${PARAM[@]}"
 ret="$?" # save return value and exit this script later with same return value.
 DEBUGF "Exited with $ret"
 logout
diff --git a/router/Dockerfile b/router/Dockerfile
index bfb61f0..e5bb748 100644
--- a/router/Dockerfile
+++ b/router/Dockerfile
@@ -6,11 +6,13 @@ RUN apt-get update \
 ca-certificates \
 conntrack \
 curl \
+ dnsutils \
 fping \
 inetutils-ping \
 iptables \
 iproute2 \
 iperf \
+ ipset \
 jq \
 lsb-release \
 gnupg \
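Review bot: `yn` in the new prompt is neither declared `local` nor initialised before `read -r -n1 -t10 yn`, so it is created in the caller's scope and `[[ "${yn^^}" != "Y" ]]` depends on read having assigned the variable on every exit path (timeout, EOF, interrupt). Declaring `local yn=''` directly before the `read` makes the default-to-N behaviour explicit regardless of how read returned and keeps the variable out of the global shell; the `|| echo -n "N"` branch then only prints the visible default, as it does today. Asking before printing the SECRET, with a 10-second timeout so a detached session cannot hang on the prompt, is the right shape for this. print_goodbye begins outside the hunk.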
@@ -25,6 +27,7 @@ RUN apt-get update \
 # nftables
 RUN bash -c '{ true \
+ && echo "source /dev/shm/net-devs.txt 2>/dev/null" >>/root/.bashrc \
 && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
 && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null \
 && apt-get update \
diff --git a/router/init.sh b/router/init.sh
index f87cb73..a3debb8 100755
--- a/router/init.sh
+++ b/router/init.sh
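Review bot: `echo "source /dev/shm/net-devs.txt 2>/dev/null" >>/root/.bashrc` makes every interactive root shell in the router execute that file as shell code; router/user-limit.sh already sources the same path (its hunk header further down shows `source /dev/shm/net-devs.txt || exit`), so this is consistent with existing use, but the .bashrc line should say where the file comes from, e.g. `# net-devs.txt is written at boot (DEV_* names) so debug shells see the same device variables`. Presumably only the root init script writes under /dev/shm in this container — confirm; if anything less privileged could write there, this line would turn it into a code path into root debug shells, so that assumption deserves a comment. The `2>/dev/null` only hides the file-missing case, which is fine for a debug convenience.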
@@ -121,43 +121,51 @@ use_vpn() {
 local gw
 local gw_ip
+ local gw_dns_ip
 # Configure FW rules for reverse port forwards.
 # Any earlier than this and the MAC of the routers are not known. Thus do it here.
 init_revport_once
- local _ip
 local f
 for f in /sf/run/vpn/status-*; do
 [[ ! -f "$f" ]] && break
- _ip="$(<"$f")"
- _ip="${_ip%%$'\n'*}"
- _ip="${_ip##*=}"
- _ip="${_ip//[^0-9\.]/}" # Sanitize
- [[ -z $_ip ]] && continue
- gw+=("nexthop" "via" "${_ip}" "weight" "100")
- gw_ip+=("${_ip}")
+ source "$f"
+ [[ -z $SFVPN_MY_IP ]] && continue
+ gw+=("nexthop" "via" "${SFVPN_MY_IP}" "weight" "100")
+ [[ -z $SFVPN_IS_REDIRECTS_DNS ]] && gw_dns_ip+=("${SFVPN_MY_IP}")
+ gw_ip+=("${SFVPN_MY_IP}")
 done
 [[ ${#gw[@]} -eq 0 ]] && return
- echo -e >&2 "[$(date '+%F %T' -u)] Switching to VPN (gw=${gw_ip[*]})"
+ LOG "VPN" "Switching to VPN (gw=${gw_ip[*]})"
 ip route del default
+ ip route del default table 53 2>/dev/null
+ [[ ${#gw_dns_ip[@]} -gt 0 ]] && [[ ${#gw_dns_ip[@]} -ne ${#gw[@]} ]] && {
+ # At least 1 VPN redirects DNS. Make sure we dont route via that one....
+ # echo -e >&2 "DNS via ${gw_dns_ip[0]}..."
+ LOG "DNS" "DNS via ${gw_dns_ip[0]}...."
+ # iproute2 does not support nexthop-multipath and fwmark tables.
+ # ip route add default nexthop via 172.20.0.253 nexthop via 172.20.0.252 table 53
+ # Error: "nexthop" or end of line is expected instead of "table"
+ # Instead use the first for port 53 traffic.
+ ip route add default via "${gw_dns_ip[0]}" table 53
+ }
 ip route add default "${gw[@]}"
-
 }
 use_tor() {
- echo -e >&2 "$(date) Switching to TOR"
+ LOG "VPN" "Switching to TOR"
 ip route del default 2>/dev/null
 ip route add default via "${TOR_IP}"
 }
 use_novpn() {
- echo -e >&2 "$(date) Switching to NoVPN"
+ LOG "VPN" "Switching to NoVPN"
 ip route del default 2>/dev/null
 ip route add default via "${NOVPN_IP}"
 }
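Review bot: The new guard `[[ ${#gw_dns_ip[@]} -ne ${#gw[@]} ]]` compares a per-VPN count against `gw`, which holds five words (`nexthop via IP weight 100`) per VPN, so it is true whenever gw_dns_ip is non-empty and the table-53 route is installed even when no provider redirects DNS — pinning all LG DNS to the first VPN instead of leaving it on the multipath default; `${#gw_ip[@]}` is the count it should compare against. Replacing the hand parse with `source "$f"` also drops the old digit-and-dot sanitising and lets a status file that omits a key inherit the previous iteration's value, and it executes whatever the VPN containers wrote under /sf/run/vpn as shell in the router — if that trust boundary is not intended, reading the two keys with a parameter expansion as before keeps it; at minimum unset both variables before the `source` and sanitise the IP before it reaches `ip route`. use_tor and use_novpn clear only the main default, so after a failover away from VPN the `table 53` default via the old VPN gateway survives and LG port-53 traffic keeps being sent there; add `ip route del default table 53 2>/dev/null` after their existing `ip route del default 2>/dev/null`.
```shell
	for f in /sf/run/vpn/status-*; do
		[[ ! -f "$f" ]] && break
		# Do not inherit values from the previous status file.
		unset SFVPN_MY_IP SFVPN_IS_REDIRECTS_DNS
		source "$f"
		# Keep the old sanitising: only an IPv4 literal may reach 'ip route'.
		SFVPN_MY_IP="${SFVPN_MY_IP//[^0-9.]/}"
		[[ -z $SFVPN_MY_IP ]] && continue
		# … unchanged: gw / gw_dns_ip / gw_ip appends …
	done
	# … unchanged: empty-gw return, LOG, ip route del default (main and table 53) …
	# gw holds five words per nexthop; compare per-VPN counts.
	[[ ${#gw_dns_ip[@]} -gt 0 ]] && [[ ${#gw_dns_ip[@]} -ne ${#gw_ip[@]} ]] && {
```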
@@ -195,6 +203,17 @@ monitor_failover()
 done
 }
+# Some rules need no further processing.
+ipt_mark_ret()
+{
+ local id
+ id=$1
+
+ shift 1
+ iptables "$@" -j MARK --set-mark "$id"
+ iptables "$@" -j RETURN
+}
+
 # Set Iptables Forwarding rules
 ipt_set()
 {
@@ -260,6 +279,59 @@ ipt_set()
 # => Already set by SSHD -D1080 setup
 }
+ipset_add_ip()
+{
+ local ip
+ ip="$1"
+
+ # IPv6 not supported
+ [[ "$ip" == *:* ]] && return
+
+ ip="${ip//[^0-9\.\/]}"
+ ipset -exist -A direct "${ip}"
+}
+
+ipset_add_domain()
+{
+ local domain
+ domain="$1"
+ # Remove CNAME. Only output IP
+ for ip in $(dig +short "$domain" | grep -v '\.$'); do
+ ipset_add_ip "$ip" || ERR "DOMAIN='$domain', IP='$ip'"
+ done
+}
+
+# Some IP's are routed DIRECTLY and not via VPN
+# Mostly to save latency and data usage
+ipt_direct()
+{
+ ipset -N direct iphash
+
+ ipset_add_domain http.kali.org
+
+ # GitHub
+ ipset_add_domain github.com
+ curl -SsfL https://api.github.com/meta | jq -r '.packages[], .git[] | select(. != null)' | while read ip; do
+ ipset_add_ip "$ip" || ERR "IP=$ip"
+ done
+
+ # Do not add Fastly
+ # ipset_add_domain pypi.python.org
+ # ipset_add_domain pypi.org
+ # curl -SsfL "https://api.fastly.com/public-ip-list" | jq -r '.addresses[] | select(. != null)' | while read ip; do
+ # ipset_add_ip "$ip" || ERR "IP=$ip"
+ # done
+
+ # Do not add gsocket
+ # for x {1..8}; do
+ # ipset -A direct gs${x}.thc.org 2>/dev/null
+ # done
+
+ # Do not add CloudFlared/ArgoTunnels, ngrok, pagekite etc etc.
+
+ ipt_mark_ret "22" -t mangle -A PREROUTING -i "${DEV_LG}" -p tcp -m set --match-set direct dst
+}
+
 ipt_syn_limit_set() {
 local in
@@ -325,6 +397,10 @@ ipt_set
 ipt_syn_limit
+set +e
+ipt_direct
+set -e
+
 ip route del default
 # -----BEGIN SSH traffic is routed via Direct Internet-----
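Review bot: ipt_mark_ret appends a `-j RETURN` right after the MARK, so the first matching rule in a chain now wins and later mangle rules never see the packet; that ordering dependency is the reason the helper exists, but the one-line comment `# Some rules need no further processing.` does not say it. A header such as `# Usage: ipt_mark_ret MARK <iptables match args> — sets the fwmark and RETURNs from the chain; rules that must take precedence (e.g. the '-d TOR_IP -j RETURN' exception) have to be added before it` would keep a later insertion from being silently shadowed. `id` is not validated; every call site in this patch passes a numeric literal, so a comment stating that it must be a mark number is enough.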
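Review bot: ipt_direct fills the `direct` ipset — every address in it bypasses the VPN for LG traffic via mark 22 — from whatever `dig +short` and the GitHub meta endpoint return at boot, with no check on the answers beyond stripping non-IPv4 characters, and the top-level hunk at 325 runs it under `set +e` before `ip route del default`, i.e. while the router still has its container default route. A wrong or spoofed answer at that moment therefore sits in the bypass set until the router restarts; rejecting non-global ranges in ipset_add_ip (private, loopback, link-local and the `NET_*` ranges this script already knows) and logging the resulting `ipset list direct` count would make that auditable. Smaller points in the same hunk: `ip` in ipset_add_domain is not `local`, the GitHub loop uses `while read ip` without `-r`, and the pipeline's status is never checked, so a failed fetch is only a stderr line from `curl -S` — `PIPESTATUS` or an `|| ERR "github meta"` on the curl stage would log it.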
@@ -341,13 +417,13 @@ ip route del default
 # - ip rule show
 # - ip route show table 207
 # Forward all SSHD traffic to the router (172.28.0.2) to sf-host:22.
-iptables -t mangle -A PREROUTING -i "${DEV_DIRECT}" -p tcp -d "${NET_DIRECT_ROUTER_IP}" --dport 22 -j MARK --set-mark 722
+ipt_mark_ret "722" -t mangle -A PREROUTING -i "${DEV_DIRECT}" -p tcp -d "${NET_DIRECT_ROUTER_IP}" --dport 22
 ip rule add fwmark 722 table 207
 ip route add default via "${SSHD_IP}" dev "${DEV_ACCESS}" table 207
 # Any return traffic from the SSHD shall go out (directly) to the Internet or to TOR (if arrived from TOR)
 iptables -t mangle -A PREROUTING -i "${DEV_ACCESS}" -p tcp -s "${SSHD_IP}" --sport 22 -d "${TOR_IP}" -j RETURN
-iptables -t mangle -A PREROUTING -i "${DEV_ACCESS}" -p tcp -s "${SSHD_IP}" --sport 22 -j MARK --set-mark 22
+ipt_mark_ret "22" -t mangle -A PREROUTING -i "${DEV_ACCESS}" -p tcp -s "${SSHD_IP}" --sport 22
 ip rule add fwmark 22 table 201
 ip route add default via "${NET_DIRECT_BRIDGE_IP}" dev "${DEV_DIRECT}" table 201
@@ -418,24 +494,37 @@ iptables -A FORWARD -o "${DEV_DIRECT}" -i "${DEV_LG}" -p udp --sport 25002:26023
 iptables -t nat -A POSTROUTING -o "${DEV_LG}" -m mark --mark 52 -j MASQUERADE
 # Return traffic to _router_ should be routed via DIRECT (it's MASQ'ed return traffic)
-iptables -t mangle -A PREROUTING -i "${DEV_LG}" -p udp -d "${NET_LG_ROUTER_IP}" --sport 25002:26023 -j MARK --set-mark 22
+ipt_mark_ret "22" -t mangle -A PREROUTING -i "${DEV_LG}" -p udp -d "${NET_LG_ROUTER_IP}" --sport 25002:26023
 # -----END MOSH-----
+# -----BEGIN 53 ROUTE VIA GOOD VPN
+# Some VPN providers redirect port 53. We dont want this. Mark them and try to find a route
+# (via other VPN's).
+ip rule add fwmark 53 table 53
+ipt_mark_ret "53" -t mangle -A PREROUTING -i "${DEV_LG}" -p udp --dport 53
+ipt_mark_ret "53" -t mangle -A PREROUTING -i "${DEV_LG}" -p tcp --dport 53
+# -----END 53 ROUTE VIA GOOD VPN
+
 # -----BEGIN GSNC traffic is routed via Internet----
 # GSNC TCP traffic to 443 and 7350 goes to (direct) Internet
-iptables -t mangle -A PREROUTING -i "${DEV_ACCESS}" -p tcp -s "${GSNC_IP}" -j MARK --set-mark 22
+ipt_mark_ret "22" -t mangle -A PREROUTING -i "${DEV_ACCESS}" -p tcp -s "${GSNC_IP}"
 # -----END GSNC traffic is routed via Internet----
 # Dont MASQ LG's. FORWARD instead. They are MASQ'ed at VPN endpoints.
 iptables -A FORWARD -i "${DEV_LG}" -o "${DEV_GW}" -j ACCEPT
-# DNSMASQ does not know route back to LG => MASQ is here.
+
+# MASQ DNSMASQ as it does not know a route to LG
 iptables -t nat -A POSTROUTING -s "${NET_LG}" -d "${NET_VPN_DNS_IP}" -o "${DEV_GW}" -j MASQUERADE
-# MASQ all traffic from NON-LG's (the VPN/TOR/DNS dont know the route back to them).
-# iptables -t nat -A POSTROUTING ! -s "${NET_LG}" -o "${DEV_GW}" -j MASQUERADE
-# MASQ GSNC to (direct) Internet
-iptables -t nat -A POSTROUTING -s "${GSNC_IP}" -o "${DEV_DIRECT}" -j MASQUERADE
-# MASQ traffic from TOR to DMZ (nginx)
+# MASQ traffic from TOR to DMZ (nginx) as DMZ does not know about TOR_IP.
iptables -t nat -A POSTROUTING -o "${DEV_DMZ}" -j MASQUERADE
+
+# MASQ GSNC to (direct) Internet
+# iptables -t nat -A POSTROUTING -s "${GSNC_IP}" -o "${DEV_DIRECT}" -j MASQUERADE
+# MASQ traffic 'forced' via (direct) Internet (e.g ipt_set, sf-gsnc)
+iptables -t nat -A POSTROUTING -o "${DEV_DIRECT}" -m mark --mark 22 -m state --state NEW,ESTABLISHED -j MASQUERADE
+iptables -A FORWARD -i "${DEV_LG}" -o "${DEV_DIRECT}" -p tcp -m mark --mark 22 -j ACCEPT
+iptables -A FORWARD -i "${DEV_DIRECT}" -o "${DEV_LG}" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
+
 # TOR traffic (169.254.240.0/21) always goes to TOR (transparent proxy)
 ip route add "${NET_ONION}" via "${TOR_IP}"
@@ -444,23 +533,24 @@ ip route add "${NET_ONION}" via "${TOR_IP}"
 iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
 iptables -A FORWARD -j REJECT
 set +e
-echo -e >&2 "FW: SUCCESS"
+LOG "FW" "SUCCESS"
 # Set up Traffic Control (limit bandwidth)
 unset err
 ### Shape/Limit EGRESS LG -> VPN
-tc_set "${DEV_GW}" "${SF_MAXOUT}" "nfct-src" || err=1
+# tc_set "${DEV_GW}" "${SF_MAXOUT}" "nfct-src" || err=1
+tc_set "${DEV_GW}" "${SF_MAXOUT}" "dual-srchost" "src" || err=1
 ### Shape/Limit INGRESS VPN -> LG
-tc_set "${DEV_LG}" "${SF_MAXIN}" "dst" || err=1
+tc_set "${DEV_LG}" "${SF_MAXIN}" "dual-dsthost" "dst" || err=1
 ### Shape/Limit EGRESS SSHD -> SSH (direct internet)
-tc_set "${DEV_DIRECT}" "${SF_MAXOUT}" "dst" || err=1
+tc_set "${DEV_DIRECT}" "${SF_MAXOUT}" "dsthost" "dst" || err=1
 ### Shape/Limit INGRESS SSH -> SSHD (sf-host)
-tc_set "${DEV_ACCESS}" "${SF_MAXIN}" "src" || err=1
+tc_set "${DEV_ACCESS}" "${SF_MAXIN}" "srchost" "src" || err=1
-[[ -n $err ]] && SLEEPEXIT 0 5 "cls_matchall.ko not available? NO TRAFFIC LIMIT."
-echo -e >&2 "TC: SUCCESS"
+[[ -n $err ]] && SLEEPEXIT 0 5 "TC failed. NO TRAFFIC LIMIT."
+LOG "TC" "SUCCESS"
 # By default go via DIRECT or TOR + VPN until vpn_status exists
 use_other
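Review bot: The two `ipt_mark_ret "53"` rules mark every LG packet with destination port 53, including queries to the internal resolver at `NET_VPN_DNS_IP` (the MASQUERADE rule a few lines below exists for exactly that traffic); with `ip rule add fwmark 53 table 53` those packets are then looked up in table 53, which use_vpn fills with nothing but a default route, instead of in main. Whether the connected route in main is still consulted for them depends on rule priorities not visible here, so this is worth confirming on a running router; if the intent is only to steer DNS that leaves through the tunnel, `! -d "${NET_VPN_DNS_IP}"` on both mark rules scopes it. Separately, `-m state --state NEW,ESTABLISHED` on the new nat POSTROUTING MASQUERADE rule has no effect, since NAT rules are consulted only for the first packet of a connection, and can be dropped. This hunk begins on the previous physical line.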
@@ -468,6 +558,5 @@ monitor_failover
 # REACHED IF ANY CMD FAILS
 ip route del default
-echo -e >&2 "FAILED to set routes"
-exit 250
+ERREXIT 255 "FAILED to set routes"
diff --git a/router/user-limit.sh b/router/user-limit.sh
index 5d0e2c5..a084175 100755
--- a/router/user-limit.sh
+++ b/router/user-limit.sh
@@ -47,8 +47,7 @@ source /dev/shm/net-devs.txt || exit
 # IPIDX=$((C * 256 + D))
 # unset C D str
-# echo "FOOBAR"
-# # FIXME: use iptables quota2 or new nft to throttle upload speed after 8gb transfer?
+# # FIXME: nft to throttle upload speed after 8gb transfer?
 # }
 exit 0
diff --git a/sfbin/funcs_net.sh b/sfbin/funcs_net.sh
index 47687a3..258fedf 100644
--- a/sfbin/funcs_net.sh
+++ b/sfbin/funcs_net.sh
@@ -42,24 +42,24 @@ tc_set() {
 local dev
 local rate
+ local cakekey
 local key
 dev=$1
 rate=$2
- key=$3
+ cakekey=$3
+ key=$4
- # Should not happen:
+ # Should not be set but lets make sure:
 tc qdisc del dev "${dev}" root 2>/dev/null
- set -e
- sfq_parent=("root")
+ # use TC-CAKE if there is a rate limit. Otherwise use faster SFQ below.
 [[ -n $rate ]] && {
- tc qdisc add dev "${dev}" root handle 1: htb
- tc class add dev "${dev}" parent 1: classid 1:10 htb rate "${rate}"
- tc filter add dev "${dev}" parent 1: protocol ip matchall flowid 1:10
- sfq_parent=("parent" "1:10")
+ tc qdisc add dev "${dev}" root cake bandwidth "${rate}" "${cakekey}"
+ return
 }
- tc qdisc add dev "${dev}" "${sfq_parent[@]}" handle 11: sfq
+ set -e
+ tc qdisc add dev "${dev}" root handle 11: sfq
 tc filter add dev "${dev}" parent 11: handle 11 flow hash keys "${key}" divisor 1024
 set +e
 }
diff --git a/sfbin/vpn_wg2status.sh b/sfbin/vpn_wg2status.sh
index 271b27c..9f9625b 100755
--- a/sfbin/vpn_wg2status.sh
+++ b/sfbin/vpn_wg2status.sh
@@ -14,6 +14,7 @@ if [[ -f /dev/shm/env.txt ]]; then
 else
 echo -e "SF_DEBUG=\"${SF_DEBUG}\"\n\
 SF_REDIS_AUTH=\"${SF_REDIS_AUTH}\"\n\
+IS_REDIRECTS_DNS=\"${IS_REDIRECTS_DNS}\"\n\
 PROVIDER=\"${PROVIDER}\"\n" >/dev/shm/env.txt
 fi
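Review bot: tc_set now takes four positional arguments (`dev rate cakekey key`) but has no header describing them, and a caller that still passes the old three (every call site in this patch was updated; any elsewhere cannot be seen from here) gets an empty `cakekey` that is handed to tc as a literal empty argument in `tc qdisc add dev "${dev}" root cake bandwidth "${rate}" "${cakekey}"`. Writing that argument as `${cakekey:+"$cakekey"}` drops it when empty, and a header comment listing the parameters (`cakekey` = cake flow-isolation keyword such as `dual-srchost`, `key` = sfq flow hash key used only when no rate is set) documents the new contract. The bare `return` after the cake qdisc deliberately propagates tc's exit status to the `|| err=1` callers in router/init.sh; a `# return tc's status` comment would make that visible, since the `set -e`/`set +e` pair below no longer covers this path.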
@@ -111,6 +112,7 @@ up()
 myip="${myip#*inet }"
 myip="${myip%%/*}"
 echo -en "\
+SFVPN_IS_REDIRECTS_DNS=\"${IS_REDIRECTS_DNS}\"\n\
 SFVPN_MY_IP=\"${myip}\"\n\
 SFVPN_EXEC_TS=\"$(date -u +%s)\"\n\
 SFVPN_ENDPOINT_IP=\"${ep_ip}\"\n\
diff --git a/tor/fs-root/sf-tor.sh b/tor/fs-root/sf-tor.sh
index b9079c4..1f6b54f 100755
--- a/tor/fs-root/sf-tor.sh
+++ b/tor/fs-root/sf-tor.sh
@@ -8,9 +8,6 @@ ERREXIT() {
 local code
 code="$1"
- # shellcheck disable=SC2181 #(style): Check exit code directly with e.g
- [[ $? -ne 0 ]] && code="$?"
- [[ -z $code ]] && code=99
 shift 1
 [[ -n "$1" ]] && echo -e >&2 "${CR}ERROR:${CN} $*"
@@ -57,8 +54,8 @@ genkey_hidden()
 }
 # Always fix permission (and also when files already existed)
- find "${dir}" -type d -exec chmod 700 {} \; || ERREXIT
- find "${dir}" -type f -exec chmod 600 {} \; || ERREXIT
+ find "${dir}" -type d -exec chmod 700 {} \; || ERREXIT "$?"
+ find "${dir}" -type f -exec chmod 600 {} \; || ERREXIT "$?"
 }
 # Route all traffic that comes to this instance through TOR.
@@ -67,13 +64,15 @@ iptables -t nat -A PREROUTING -p tcp ! -d sf-tor --syn -j REDIRECT --to-ports 90
 if [[ -n $SF_TOR_VIA_VPN ]]; then
 # Route TOR via VPN
 ip route del default
- ip route add default via 172.20.0.2
+ ip route add default via "${NET_VPN_ROUTER_IP}"
 else
 # Route TOR directly to Internet but incoming
- # onion connectoins to these two (via sf-router)
- ip route add 172.22.0.22/32 via 172.20.0.2
- ip route add 172.20.1.80/32 via 172.20.0.2
+ # .onion connections to these SSHD and NGINX
+ ip route add "${SSHD_IP}/32" via "${NET_VPN_ROUTER_IP}"
+ ip route add "${NGINX_IP}/32" via "${NET_VPN_ROUTER_IP}"
 fi
+# Route to LG
+ip route add "${NET_LG}" via "${NET_VPN_ROUTER_IP}"
 umask 0077
 genkey_hidden 22
@@ -83,7 +82,7 @@ xadd 22
 xadd 80
 chmod 700 /var/lib/tor
-chown -R tor /var/lib/tor/hidden || ERREXIT
+chown -R tor /var/lib/tor/hidden || ERREXIT "$?"
 if [[ -f /config/host/etc/tor/torrc ]]; then
 exec su -s /bin/ash - tor -c "tor --hush -f /config/host/etc/tor/torrc"
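Review bot: `SFVPN_IS_REDIRECTS_DNS=\"${IS_REDIRECTS_DNS}\"` writes the environment value verbatim inside double quotes into a file that router/init.sh now executes with `source`, whereas `myip` on the next line is first cut down by parameter expansion. The value comes from docker-compose, so the writer is trusted, but normalising it to a flag before the echo, e.g. `[[ -n $IS_REDIRECTS_DNS ]] && IS_REDIRECTS_DNS=1`, keeps the status file free of anything the sourcing shell would interpret and matches how use_vpn tests it (`[[ -z $SFVPN_IS_REDIRECTS_DNS ]]`). up() begins outside the hunk.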
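Review bot: Removing `[[ -z $code ]] && code=99` from ERREXIT means a call without an argument now leaves `code` empty; the callers changed in this patch pass `"$?"`, but any remaining bare `ERREXIT` call — the rest of the script is outside these hunks — would reach the final `exit` (not visible here) with an empty status. Writing `code="${1:-99}"` in place of `code="$1"` preserves the old fallback in one line while still honouring a passed status. Note that `cmd || ERREXIT "$?"` does carry cmd's status, since `$?` is expanded before ERREXIT runs, so the removed `[[ $? -ne 0 ]] && code="$?"` line is correctly gone.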
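Review bot: The new `ip route add "${NET_LG}" via "${NET_VPN_ROUTER_IP}"` gives the tor container a path into the LG network it did not have before, and the comment `# Route to LG` does not say which traffic needs it. If it is the return path for .onion connections that sf-router forwards to an LG (the block above handles the SSHD and NGINX cases), a comment such as `# Return path for .onion connections that sf-router forwards into the LG network; sf-router's FORWARD rules decide what is allowed` ties the route to the policy that actually gates it. None of the four `ip route add` calls in this hunk checks its status; `|| ERREXIT "$?"` would match the style this patch introduces for find and chown.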