routing/tc fixes
This commit is contained in:
parent
203856e391
commit
6ba3cd5b56
@ -3,6 +3,8 @@
|
|||||||
* SetEnv HIDEIP, HUSHLOGIN, PRJ
|
* SetEnv HIDEIP, HUSHLOGIN, PRJ
|
||||||
* NOVPN/DIRECT support
|
* NOVPN/DIRECT support
|
||||||
* conntrack improvements
|
* conntrack improvements
|
||||||
|
* Fairer Network Scheduling (tc-cake)
|
||||||
|
* Private about SECRET and secret@
|
||||||
|
|
||||||
0.4.4 - 2022-03-00
|
0.4.4 - 2022-03-00
|
||||||
* Updated for quarterly Kali-latest
|
* Updated for quarterly Kali-latest
|
||||||
|
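--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-VER := 0.4.5b
+VER := 0.4.5b2
 
 all:
 	make -C router
@@ -96,7 +96,6 @@ FILES_ROUTER += "segfault-$(VER)/router/Makefile"
 FILES_ROUTER += "segfault-$(VER)/router/Dockerfile"
 FILES_ROUTER += "segfault-$(VER)/router/fix-network.sh"
 FILES_ROUTER += "segfault-$(VER)/router/init.sh"
-FILES_ROUTER += "segfault-$(VER)/router/tc.sh"
 FILES_ROUTER += "segfault-$(VER)/router/init-wg.sh"
 FILES_ROUTER += "segfault-$(VER)/router/init-novpn.sh"
 FILES_ROUTER += "segfault-$(VER)/router/user-limit.sh"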
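Review bot: Dropping `router/tc.sh` from FILES_ROUTER in the second hunk removes it from the release file list while router/init.sh in this same commit still calls `tc_set` four times, and a later hunk on this page edits a `tc_set()` body, which suggests the script still exists. If `tc_set` has moved into init.sh the removal is right; if it has not, the packaged router is missing a script init.sh depends on. A one-line comment next to the list stating where `tc_set` now lives, or restoring the entry, would settle it for the next reader.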
@ -222,7 +222,7 @@ services:
|
|||||||
- net.netfilter.nf_conntrack_frag6_timeout=10
|
- net.netfilter.nf_conntrack_frag6_timeout=10
|
||||||
- net.netfilter.nf_conntrack_generic_timeout=180 # default is 600
|
- net.netfilter.nf_conntrack_generic_timeout=180 # default is 600
|
||||||
- net.netfilter.nf_conntrack_tcp_timeout_syn_sent=10 # default is 120
|
- net.netfilter.nf_conntrack_tcp_timeout_syn_sent=10 # default is 120
|
||||||
- net.netfilter.nf_conntrack_tcp_timeout_syn_recv=5 # default is 30, 5 because of reverse tunnels
|
- net.netfilter.nf_conntrack_tcp_timeout_syn_recv=5 # default is 30, 5 because of reverse tunnels (CS)
|
||||||
- net.netfilter.nf_conntrack_tcp_timeout_last_ack=5 # default is 30
|
- net.netfilter.nf_conntrack_tcp_timeout_last_ack=5 # default is 30
|
||||||
- net.netfilter.nf_conntrack_tcp_timeout_fin_wait=10 # default is 120
|
- net.netfilter.nf_conntrack_tcp_timeout_fin_wait=10 # default is 120
|
||||||
- net.netfilter.nf_conntrack_tcp_timeout_close=1 # default is 10
|
- net.netfilter.nf_conntrack_tcp_timeout_close=1 # default is 10
|
||||||
@ -254,6 +254,7 @@ services:
|
|||||||
- CONFIG=${SF_MULLVAD_CONFIG:-}
|
- CONFIG=${SF_MULLVAD_CONFIG:-}
|
||||||
- PROVIDER=Mullvad
|
- PROVIDER=Mullvad
|
||||||
- NETWORK=${SF_NET_LG}
|
- NETWORK=${SF_NET_LG}
|
||||||
|
- IS_REDIRECTS_DNS=1
|
||||||
- POST_UP=/sf/bin/vpn_wg2status.sh /sf/run/vpn/status-mullvad.log up %i
|
- POST_UP=/sf/bin/vpn_wg2status.sh /sf/run/vpn/status-mullvad.log up %i
|
||||||
- PRE_DOWN=/sf/bin/vpn_wg2status.sh /sf/run/vpn/status-mullvad.log down %i
|
- PRE_DOWN=/sf/bin/vpn_wg2status.sh /sf/run/vpn/status-mullvad.log down %i
|
||||||
- RECONNECT=604800 # Re-Connect every 7 days
|
- RECONNECT=604800 # Re-Connect every 7 days
|
||||||
@ -361,7 +362,7 @@ services:
|
|||||||
- net.netfilter.nf_conntrack_frag6_timeout=10
|
- net.netfilter.nf_conntrack_frag6_timeout=10
|
||||||
- net.netfilter.nf_conntrack_generic_timeout=180 # default is 600
|
- net.netfilter.nf_conntrack_generic_timeout=180 # default is 600
|
||||||
- net.netfilter.nf_conntrack_tcp_timeout_syn_sent=10 # default is 120
|
- net.netfilter.nf_conntrack_tcp_timeout_syn_sent=10 # default is 120
|
||||||
- net.netfilter.nf_conntrack_tcp_timeout_syn_recv=5 # default is 30, 5 because of reverse tunnels
|
- net.netfilter.nf_conntrack_tcp_timeout_syn_recv=5 # default is 30, 5 because of reverse tunnels (sf-router)
|
||||||
- net.netfilter.nf_conntrack_tcp_timeout_last_ack=5 # default is 30
|
- net.netfilter.nf_conntrack_tcp_timeout_last_ack=5 # default is 30
|
||||||
- net.netfilter.nf_conntrack_tcp_timeout_fin_wait=10 # default is 120
|
- net.netfilter.nf_conntrack_tcp_timeout_fin_wait=10 # default is 120
|
||||||
- net.netfilter.nf_conntrack_tcp_timeout_close=1 # default is 10
|
- net.netfilter.nf_conntrack_tcp_timeout_close=1 # default is 10
|
||||||
@ -531,6 +532,10 @@ services:
|
|||||||
environment:
|
environment:
|
||||||
- SF_DEBUG
|
- SF_DEBUG
|
||||||
- SF_TOR_VIA_VPN
|
- SF_TOR_VIA_VPN
|
||||||
|
- NET_LG=${SF_NET_LG:?}
|
||||||
|
- SSHD_IP=${SF_SSHD_IP:?}
|
||||||
|
- NGINX_IP=${SF_NGINX_IP:?}
|
||||||
|
- NET_VPN_ROUTER_IP=${SF_NET_VPN_ROUTER_IP:?}
|
||||||
dns: ${SF_NET_VPN_DNS_IP}
|
dns: ${SF_NET_VPN_DNS_IP}
|
||||||
depends_on:
|
depends_on:
|
||||||
- dnsmasq
|
- dnsmasq
|
||||||
|
@ -13,4 +13,6 @@ GS_SECRET="${GS_SECRET:0:12}"
|
|||||||
|
|
||||||
echo "${GS_SECRET}" >/config/guest/gsnc-access-22.txt
|
echo "${GS_SECRET}" >/config/guest/gsnc-access-22.txt
|
||||||
|
|
||||||
|
# Give sf-router time to boot up and set the routes...
|
||||||
|
sleep 3
|
||||||
exec /gs-netcat -l -d "$1" -p 22 -s "22-${GS_SECRET}"
|
exec /gs-netcat -l -d "$1" -p 22 -s "22-${GS_SECRET}"
|
||||||
|
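Review bot: The added `sleep 3` turns the dependency on sf-router's route setup into a timing guess: on a slow host the `exec /gs-netcat` that follows can still start before the route exists, and on a fast one the wait is pure delay. A bounded poll expresses the actual condition, e.g. `for _ in $(seq 1 30); do ip route get <ROUTER_IP> >/dev/null 2>&1 && break; sleep 1; done` using whatever check this container can run, or a compose-level `depends_on` with a healthcheck on sf-router. The comment should also say what breaks without the wait, e.g. `# sf-router installs the route back to us after boot; gs-netcat started earlier cannot reach the rendezvous server.`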
@ -555,7 +555,7 @@ RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'amd64$' fscan \
|
|||||||
&& /pkg-install.sh HACK ghbin 'projectdiscovery/interactsh' 'linux_amd64' interactsh-client \
|
&& /pkg-install.sh HACK ghbin 'projectdiscovery/interactsh' 'linux_amd64' interactsh-client \
|
||||||
&& /pkg-install.sh HACK ghbin 'projectdiscovery/mapcidr' 'linux_amd64' mapcidr \
|
&& /pkg-install.sh HACK ghbin 'projectdiscovery/mapcidr' 'linux_amd64' mapcidr \
|
||||||
&& /pkg-install.sh HACK ghbin 'lc/subjs' 'linux_amd64' subjs \
|
&& /pkg-install.sh HACK ghbin 'lc/subjs' 'linux_amd64' subjs \
|
||||||
&& /pkg-install.sh MINI ghbin 'qsocket/qs-netcat' 'linux_amd64' qs-netcat \
|
&& /pkg-install.sh HACK ghbin 'qsocket/qs-netcat' 'linux_amd64' qs-netcat \
|
||||||
&& /pkg-install.sh HACK ghbin 'shenwei356/rush' 'linux_amd64' rush \
|
&& /pkg-install.sh HACK ghbin 'shenwei356/rush' 'linux_amd64' rush \
|
||||||
&& /pkg-install.sh HACK ghbin 'KathanP19/Gxss' 'inux_x86_64' Gxss \
|
&& /pkg-install.sh HACK ghbin 'KathanP19/Gxss' 'inux_x86_64' Gxss \
|
||||||
&& /pkg-install.sh HACK ghbin 'dwisiswant0/crlfuzz' 'inux_amd64' crlfuzz \
|
&& /pkg-install.sh HACK ghbin 'dwisiswant0/crlfuzz' 'inux_amd64' crlfuzz \
|
||||||
|
0
guest/Makefile
Normal file → Executable file
0
guest/Makefile
Normal file → Executable file
@ -3,6 +3,7 @@
|
|||||||
_IS_SHOW_MOTD=1
|
_IS_SHOW_MOTD=1
|
||||||
[[ -z $PS1 ]] && unset _IS_SHOW_MOTD
|
[[ -z $PS1 ]] && unset _IS_SHOW_MOTD
|
||||||
[[ -n $SF_HUSHLOGIN ]] && unset _IS_SHOW_MOTD
|
[[ -n $SF_HUSHLOGIN ]] && unset _IS_SHOW_MOTD
|
||||||
|
[[ -z $SF_IS_LOGINSHELL ]] && unset _IS_SHOW_MOTD
|
||||||
[[ ! -f /sf/bin/sf-motd.sh ]] && unset _IS_SHOW_MOTD
|
[[ ! -f /sf/bin/sf-motd.sh ]] && unset _IS_SHOW_MOTD
|
||||||
|
|
||||||
# Trampoline to this script:
|
# Trampoline to this script:
|
||||||
@ -11,6 +12,9 @@ _IS_SHOW_MOTD=1
|
|||||||
[[ -f /config/guest/sys-motd.sh ]] && source /config/guest/sys-motd.sh
|
[[ -f /config/guest/sys-motd.sh ]] && source /config/guest/sys-motd.sh
|
||||||
}
|
}
|
||||||
unset _IS_SHOW_MOTD
|
unset _IS_SHOW_MOTD
|
||||||
|
# No not display full info when using tmux or bash -il
|
||||||
|
unset SF_IS_NEW_SERVER
|
||||||
|
unset SF_IS_LOGINSHELL
|
||||||
|
|
||||||
[[ -n $BASH ]] && {
|
[[ -n $BASH ]] && {
|
||||||
# user on zsh and did `bash -il`
|
# user on zsh and did `bash -il`
|
||||||
|
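Review bot: The new comment in the second hunk reads `# No not display full info when using tmux or bash -il`; presumably `# Do not display full info when using tmux or bash -il` is meant. Since `SF_IS_LOGINSHELL` is consumed here and injected by the host-side `docker exec --env SF_IS_LOGINSHELL=1` elsewhere in this commit, a note such as `# Set by the host's docker exec for the login shell only; unset so nested shells (tmux, bash -il) do not repeat the MOTD` would save the next reader the cross-file search.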
@ -54,10 +54,10 @@ fixr()
|
|||||||
}
|
}
|
||||||
ln -sf /sec/usr/etc/rc.local /etc/rc.local
|
ln -sf /sec/usr/etc/rc.local /etc/rc.local
|
||||||
chown root:root /etc /etc/profile.d /etc/profile.d/segfault.sh
|
chown root:root /etc /etc/profile.d /etc/profile.d/segfault.sh
|
||||||
chmod 755 /usr /usr/bin /usr/sbin /etc /etc/profile.d
|
chmod 755 /usr /usr/bin /usr/sbin /usr/share /etc /etc/profile.d
|
||||||
chmod 755 /usr/bin/mosh-server-hook /usr/bin/xpra-hook /usr/bin/brave-browser-stable-hook /usr/share/code/code-hook /usr/share/code/bin/code-hook /usr/bin/xterm-dark /usr/sbin/halt
|
chmod 755 /usr/bin/mosh-server-hook /usr/bin/xpra-hook /usr/bin/brave-browser-stable-hook /usr/share/code/code-hook /usr/share/code/bin/code-hook /usr/bin/xterm-dark /usr/sbin/halt
|
||||||
chmod 644 /etc/profile.d/segfault.sh
|
chmod 644 /etc/profile.d/segfault.sh
|
||||||
chmod 644 /etc/shellrc /etc/zsh_command_not_found /etc/zsh_profile
|
chmod 644 /etc/shellrc /etc/zsh_command_not_found /etc/zsh_profile
|
||||||
fixr /usr/share/www
|
fixr /usr/share/www
|
||||||
fixr /usr/share/source-highlight
|
fixr /usr/share/source-highlight
|
||||||
ln -s batcat /usr/bin/bat
|
ln -s batcat /usr/bin/bat
|
||||||
|
@ -19,6 +19,6 @@ diff:
|
|||||||
diff -x '!*.[ch]' -u openssh-9.2p1-orig/ openssh-9.2p1-sf/ | grep -Ev ^"(Only in|Common)" >../sf-sshd.patch
|
diff -x '!*.[ch]' -u openssh-9.2p1-orig/ openssh-9.2p1-sf/ | grep -Ev ^"(Only in|Common)" >../sf-sshd.patch
|
||||||
|
|
||||||
clean:
|
clean:
|
||||||
rm -rf openssh-9.2p1-sf fs-root/usr/sfbin/sshd
|
rm -rf openssh-9.2p1-sf fs-root/usr/sbin/sshd
|
||||||
docker image rm alpine-gcc
|
docker image rm alpine-gcc
|
||||||
|
|
||||||
|
@ -447,8 +447,8 @@ print_goodbye()
|
|||||||
echo -e "\
|
echo -e "\
|
||||||
-------> The encrypted filesystem in /sec will remain accessible until
|
-------> The encrypted filesystem in /sec will remain accessible until
|
||||||
-------> the last shell exits or all background processes terminate.
|
-------> the last shell exits or all background processes terminate.
|
||||||
-------> Type ${CC}halt${CN} instead to stop this server. This will
|
-------> Log back in and type ${CC}halt${CN} instead to stop this server.
|
||||||
-------> also make /sec unavailabe until your next log in."
|
-------> This will also make /sec unavailabe until your next log in."
|
||||||
fi
|
fi
|
||||||
echo -en "\r"
|
echo -en "\r"
|
||||||
[[ -z $SF_IS_PAYING ]] && {
|
[[ -z $SF_IS_PAYING ]] && {
|
||||||
@ -460,12 +460,19 @@ ${CDY}@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
|||||||
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@${CN}"
|
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@${CN}"
|
||||||
|
|
||||||
}
|
}
|
||||||
[[ -n $SF_IS_NEW_SERVER ]] && echo -e "\
|
|
||||||
Access with : ${CDC}ssh -o \"SetEnv SECRET=${SF_SEC:-UNKNOWN}\" ${SF_USER}@${SF_FQDN:-UNKNOWN}${CN}"
|
|
||||||
|
|
||||||
echo -e "\
|
echo -e "\
|
||||||
RTFM : ${CB}${CUL}https://www.thc.org/segfault/faq${CN}
|
RTFM : ${CB}${CUL}https://www.thc.org/segfault/faq${CN}
|
||||||
GOODBYE : ${CW}Join us on Telegram - https://t.me/thcorg${CN}"
|
GOODBYE : ${CW}Join us on Telegram - https://t.me/thcorg${CN}"
|
||||||
|
[[ -z $SF_IS_NEW_SERVER ]] && return
|
||||||
|
|
||||||
|
echo -en "Would you like to see the ${CDY}SECRET${CN} to log back in to ${CDY}${SF_HOSTNAME:-UNKNOWN}${CN}? (y/N) "
|
||||||
|
read -r -n1 -t10 yn || echo -n "N"
|
||||||
|
echo ""
|
||||||
|
[[ "${yn^^}" != "Y" ]] && return
|
||||||
|
|
||||||
|
echo -e "\
|
||||||
|
Access with : ${CDC}ssh -o \"SetEnv SECRET=${SF_SEC:-UNKNOWN}\" ${SF_USER}@${SF_FQDN:-UNKNOWN}${CN}"
|
||||||
}
|
}
|
||||||
|
|
||||||
print_to_many_servers()
|
print_to_many_servers()
|
||||||
@ -516,7 +523,7 @@ spawn_shell_exit()
|
|||||||
[[ ! -f "/config/self-for-guest/lg-${LID}/reverse_ip" ]] && mk_portforward "${LID}"
|
[[ ! -f "/config/self-for-guest/lg-${LID}/reverse_ip" ]] && mk_portforward "${LID}"
|
||||||
|
|
||||||
# export SF_LOG="/config/host/log/sigproxy-${LID}-${SF_HOSTNAME}.log"
|
# export SF_LOG="/config/host/log/sigproxy-${LID}-${SF_HOSTNAME}.log"
|
||||||
docker-exec-sigproxy exec --detach-keys='ctrl-^,z' --workdir=/sec/root --user 0:0 "${DOCKER_EXEC_ARGS[@]}" "lg-${LID}" nice -n"${SF_USER_NICE_SCORE:?}" zsh "${PARAM[@]}"
|
docker-exec-sigproxy exec --detach-keys='ctrl-^,z' --workdir=/sec/root --env SF_IS_LOGINSHELL=1 --user 0:0 "${DOCKER_EXEC_ARGS[@]}" "lg-${LID}" nice -n"${SF_USER_NICE_SCORE:?}" zsh "${PARAM[@]}"
|
||||||
ret="$?" # save return value and exit this script later with same return value.
|
ret="$?" # save return value and exit this script later with same return value.
|
||||||
DEBUGF "Exited with $ret"
|
DEBUGF "Exited with $ret"
|
||||||
logout
|
logout
|
||||||
|
@ -6,11 +6,13 @@ RUN apt-get update \
|
|||||||
ca-certificates \
|
ca-certificates \
|
||||||
conntrack \
|
conntrack \
|
||||||
curl \
|
curl \
|
||||||
|
dnsutils \
|
||||||
fping \
|
fping \
|
||||||
inetutils-ping \
|
inetutils-ping \
|
||||||
iptables \
|
iptables \
|
||||||
iproute2 \
|
iproute2 \
|
||||||
iperf \
|
iperf \
|
||||||
|
ipset \
|
||||||
jq \
|
jq \
|
||||||
lsb-release \
|
lsb-release \
|
||||||
gnupg \
|
gnupg \
|
||||||
@ -25,6 +27,7 @@ RUN apt-get update \
|
|||||||
# nftables
|
# nftables
|
||||||
|
|
||||||
RUN bash -c '{ true \
|
RUN bash -c '{ true \
|
||||||
|
&& echo "source /dev/shm/net-devs.txt 2>/dev/null" >>/root/.bashrc \
|
||||||
&& curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
|
&& curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
|
||||||
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null \
|
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null \
|
||||||
&& apt-get update \
|
&& apt-get update \
|
||||||
|
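Review bot: The first hunk appends `source /dev/shm/net-devs.txt 2>/dev/null` to root's `.bashrc`; /dev/shm is normally a world-writable (mode 1777) tmpfs, so anything that can write there inside the router container can have root's interactive shell execute its contents. That is harmless if nothing unprivileged ever runs in this container, but the assumption is invisible here; a root-owned location, or an owner check such as `[[ -O /dev/shm/net-devs.txt ]] && source /dev/shm/net-devs.txt`, would make it explicit. A comment marking the line as a debugging convenience (`# debug aid: load the interface names init.sh computed`) would also help, since the file's producer is presumably init.sh, whose `source /dev/shm/net-devs.txt || exit` appears in a later hunk header.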
151
router/init.sh
151
router/init.sh
@ -121,43 +121,51 @@ use_vpn()
|
|||||||
{
|
{
|
||||||
local gw
|
local gw
|
||||||
local gw_ip
|
local gw_ip
|
||||||
|
local gw_dns_ip
|
||||||
|
|
||||||
# Configure FW rules for reverse port forwards.
|
# Configure FW rules for reverse port forwards.
|
||||||
# Any earlier than this and the MAC of the routers are not known. Thus do it here.
|
# Any earlier than this and the MAC of the routers are not known. Thus do it here.
|
||||||
|
|
||||||
init_revport_once
|
init_revport_once
|
||||||
|
|
||||||
local _ip
|
|
||||||
local f
|
local f
|
||||||
for f in /sf/run/vpn/status-*; do
|
for f in /sf/run/vpn/status-*; do
|
||||||
[[ ! -f "$f" ]] && break
|
[[ ! -f "$f" ]] && break
|
||||||
_ip="$(<"$f")"
|
source "$f"
|
||||||
_ip="${_ip%%$'\n'*}"
|
[[ -z $SFVPN_MY_IP ]] && continue
|
||||||
_ip="${_ip##*=}"
|
gw+=("nexthop" "via" "${SFVPN_MY_IP}" "weight" "100")
|
||||||
_ip="${_ip//[^0-9\.]/}" # Sanitize
|
[[ -z $SFVPN_IS_REDIRECTS_DNS ]] && gw_dns_ip+=("${SFVPN_MY_IP}")
|
||||||
[[ -z $_ip ]] && continue
|
gw_ip+=("${SFVPN_MY_IP}")
|
||||||
gw+=("nexthop" "via" "${_ip}" "weight" "100")
|
|
||||||
gw_ip+=("${_ip}")
|
|
||||||
done
|
done
|
||||||
|
|
||||||
[[ ${#gw[@]} -eq 0 ]] && return
|
[[ ${#gw[@]} -eq 0 ]] && return
|
||||||
|
|
||||||
echo -e >&2 "[$(date '+%F %T' -u)] Switching to VPN (gw=${gw_ip[*]})"
|
LOG "VPN" "Switching to VPN (gw=${gw_ip[*]})"
|
||||||
ip route del default
|
ip route del default
|
||||||
|
ip route del default table 53 2>/dev/null
|
||||||
|
[[ ${#gw_dns_ip[@]} -gt 0 ]] && [[ ${#gw_dns_ip[@]} -ne ${#gw[@]} ]] && {
|
||||||
|
# At least 1 VPN redirects DNS. Make sure we dont route via that one....
|
||||||
|
# echo -e >&2 "DNS via ${gw_dns_ip[0]}..."
|
||||||
|
LOG "DNS" "DNS via ${gw_dns_ip[0]}...."
|
||||||
|
# iproute2 does not support nexthop-multipath and fwmark tables.
|
||||||
|
# ip route add default nexthop via 172.20.0.253 nexthop via 172.20.0.252 table 53
|
||||||
|
# Error: "nexthop" or end of line is expected instead of "table"
|
||||||
|
# Instead use the first for port 53 traffic.
|
||||||
|
ip route add default via "${gw_dns_ip[0]}" table 53
|
||||||
|
}
|
||||||
ip route add default "${gw[@]}"
|
ip route add default "${gw[@]}"
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
use_tor()
|
use_tor()
|
||||||
{
|
{
|
||||||
echo -e >&2 "$(date) Switching to TOR"
|
LOG "VPN" "Switching to TOR"
|
||||||
ip route del default 2>/dev/null
|
ip route del default 2>/dev/null
|
||||||
ip route add default via "${TOR_IP}"
|
ip route add default via "${TOR_IP}"
|
||||||
}
|
}
|
||||||
|
|
||||||
use_novpn()
|
use_novpn()
|
||||||
{
|
{
|
||||||
echo -e >&2 "$(date) Switching to NoVPN"
|
LOG "VPN" "Switching to NoVPN"
|
||||||
ip route del default 2>/dev/null
|
ip route del default 2>/dev/null
|
||||||
ip route add default via "${NOVPN_IP}"
|
ip route add default via "${NOVPN_IP}"
|
||||||
}
|
}
|
||||||
@ -195,6 +203,17 @@ monitor_failover()
|
|||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Some rules need no further processing.
|
||||||
|
ipt_mark_ret()
|
||||||
|
{
|
||||||
|
local id
|
||||||
|
id=$1
|
||||||
|
|
||||||
|
shift 1
|
||||||
|
iptables "$@" -j MARK --set-mark "$id"
|
||||||
|
iptables "$@" -j RETURN
|
||||||
|
}
|
||||||
|
|
||||||
# Set Iptables Forwarding rules
|
# Set Iptables Forwarding rules
|
||||||
ipt_set()
|
ipt_set()
|
||||||
{
|
{
|
||||||
@ -260,6 +279,59 @@ ipt_set()
|
|||||||
# => Already set by SSHD -D1080 setup
|
# => Already set by SSHD -D1080 setup
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ipset_add_ip()
|
||||||
|
{
|
||||||
|
local ip
|
||||||
|
ip="$1"
|
||||||
|
|
||||||
|
# IPv6 not supported
|
||||||
|
[[ "$ip" == *:* ]] && return
|
||||||
|
|
||||||
|
ip="${ip//[^0-9\.\/]}"
|
||||||
|
ipset -exist -A direct "${ip}"
|
||||||
|
}
|
||||||
|
|
||||||
|
ipset_add_domain()
|
||||||
|
{
|
||||||
|
local domain
|
||||||
|
domain="$1"
|
||||||
|
# Remove CNAME. Only output IP
|
||||||
|
for ip in $(dig +short "$domain" | grep -v '\.$'); do
|
||||||
|
ipset_add_ip "$ip" || ERR "DOMAIN='$domain', IP='$ip'"
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# Some IP's are routed DIRECTLY and not via VPN
|
||||||
|
# Mostly to save latency and data usage
|
||||||
|
ipt_direct()
|
||||||
|
{
|
||||||
|
ipset -N direct iphash
|
||||||
|
|
||||||
|
ipset_add_domain http.kali.org
|
||||||
|
|
||||||
|
# GitHub
|
||||||
|
ipset_add_domain github.com
|
||||||
|
curl -SsfL https://api.github.com/meta | jq -r '.packages[], .git[] | select(. != null)' | while read ip; do
|
||||||
|
ipset_add_ip "$ip" || ERR "IP=$ip"
|
||||||
|
done
|
||||||
|
|
||||||
|
# Do not add Fastly
|
||||||
|
# ipset_add_domain pypi.python.org
|
||||||
|
# ipset_add_domain pypi.org
|
||||||
|
# curl -SsfL "https://api.fastly.com/public-ip-list" | jq -r '.addresses[] | select(. != null)' | while read ip; do
|
||||||
|
# ipset_add_ip "$ip" || ERR "IP=$ip"
|
||||||
|
# done
|
||||||
|
|
||||||
|
# Do not add gsocket
|
||||||
|
# for x {1..8}; do
|
||||||
|
# ipset -A direct gs${x}.thc.org 2>/dev/null
|
||||||
|
# done
|
||||||
|
|
||||||
|
# Do not add CloudFlared/ArgoTunnels, ngrok, pagekite etc etc.
|
||||||
|
|
||||||
|
ipt_mark_ret "22" -t mangle -A PREROUTING -i "${DEV_LG}" -p tcp -m set --match-set direct dst
|
||||||
|
}
|
||||||
|
|
||||||
ipt_syn_limit_set()
|
ipt_syn_limit_set()
|
||||||
{
|
{
|
||||||
local in
|
local in
|
||||||
@ -325,6 +397,10 @@ ipt_set
|
|||||||
|
|
||||||
ipt_syn_limit
|
ipt_syn_limit
|
||||||
|
|
||||||
|
set +e
|
||||||
|
ipt_direct
|
||||||
|
set -e
|
||||||
|
|
||||||
ip route del default
|
ip route del default
|
||||||
|
|
||||||
# -----BEGIN SSH traffic is routed via Direct Internet-----
|
# -----BEGIN SSH traffic is routed via Direct Internet-----
|
||||||
@ -341,13 +417,13 @@ ip route del default
|
|||||||
# - ip rule show
|
# - ip rule show
|
||||||
# - ip route show table 207
|
# - ip route show table 207
|
||||||
# Forward all SSHD traffic to the router (172.28.0.2) to sf-host:22.
|
# Forward all SSHD traffic to the router (172.28.0.2) to sf-host:22.
|
||||||
iptables -t mangle -A PREROUTING -i "${DEV_DIRECT}" -p tcp -d "${NET_DIRECT_ROUTER_IP}" --dport 22 -j MARK --set-mark 722
|
ipt_mark_ret "722" -t mangle -A PREROUTING -i "${DEV_DIRECT}" -p tcp -d "${NET_DIRECT_ROUTER_IP}" --dport 22
|
||||||
ip rule add fwmark 722 table 207
|
ip rule add fwmark 722 table 207
|
||||||
ip route add default via "${SSHD_IP}" dev "${DEV_ACCESS}" table 207
|
ip route add default via "${SSHD_IP}" dev "${DEV_ACCESS}" table 207
|
||||||
|
|
||||||
# Any return traffic from the SSHD shall go out (directly) to the Internet or to TOR (if arrived from TOR)
|
# Any return traffic from the SSHD shall go out (directly) to the Internet or to TOR (if arrived from TOR)
|
||||||
iptables -t mangle -A PREROUTING -i "${DEV_ACCESS}" -p tcp -s "${SSHD_IP}" --sport 22 -d "${TOR_IP}" -j RETURN
|
iptables -t mangle -A PREROUTING -i "${DEV_ACCESS}" -p tcp -s "${SSHD_IP}" --sport 22 -d "${TOR_IP}" -j RETURN
|
||||||
iptables -t mangle -A PREROUTING -i "${DEV_ACCESS}" -p tcp -s "${SSHD_IP}" --sport 22 -j MARK --set-mark 22
|
ipt_mark_ret "22" -t mangle -A PREROUTING -i "${DEV_ACCESS}" -p tcp -s "${SSHD_IP}" --sport 22
|
||||||
ip rule add fwmark 22 table 201
|
ip rule add fwmark 22 table 201
|
||||||
ip route add default via "${NET_DIRECT_BRIDGE_IP}" dev "${DEV_DIRECT}" table 201
|
ip route add default via "${NET_DIRECT_BRIDGE_IP}" dev "${DEV_DIRECT}" table 201
|
||||||
|
|
||||||
@ -418,24 +494,37 @@ iptables -A FORWARD -o "${DEV_DIRECT}" -i "${DEV_LG}" -p udp --sport 25002:26023
|
|||||||
iptables -t nat -A POSTROUTING -o "${DEV_LG}" -m mark --mark 52 -j MASQUERADE
|
iptables -t nat -A POSTROUTING -o "${DEV_LG}" -m mark --mark 52 -j MASQUERADE
|
||||||
|
|
||||||
# Return traffic to _router_ should be routed via DIRECT (it's MASQ'ed return traffic)
|
# Return traffic to _router_ should be routed via DIRECT (it's MASQ'ed return traffic)
|
||||||
iptables -t mangle -A PREROUTING -i "${DEV_LG}" -p udp -d "${NET_LG_ROUTER_IP}" --sport 25002:26023 -j MARK --set-mark 22
|
ipt_mark_ret "22" -t mangle -A PREROUTING -i "${DEV_LG}" -p udp -d "${NET_LG_ROUTER_IP}" --sport 25002:26023
|
||||||
# -----END MOSH-----
|
# -----END MOSH-----
|
||||||
|
|
||||||
|
# -----BEGIN 53 ROUTE VIA GOOD VPN
|
||||||
|
# Some VPN providers redirect port 53. We dont want this. Mark them and try to find a route
|
||||||
|
# (via other VPN's).
|
||||||
|
ip rule add fwmark 53 table 53
|
||||||
|
ipt_mark_ret "53" -t mangle -A PREROUTING -i "${DEV_LG}" -p udp --dport 53
|
||||||
|
ipt_mark_ret "53" -t mangle -A PREROUTING -i "${DEV_LG}" -p tcp --dport 53
|
||||||
|
# -----END 53 ROUTE VIA GOOD VPN
|
||||||
|
|
||||||
# -----BEGIN GSNC traffic is routed via Internet----
|
# -----BEGIN GSNC traffic is routed via Internet----
|
||||||
# GSNC TCP traffic to 443 and 7350 goes to (direct) Internet
|
# GSNC TCP traffic to 443 and 7350 goes to (direct) Internet
|
||||||
iptables -t mangle -A PREROUTING -i "${DEV_ACCESS}" -p tcp -s "${GSNC_IP}" -j MARK --set-mark 22
|
ipt_mark_ret "22" -t mangle -A PREROUTING -i "${DEV_ACCESS}" -p tcp -s "${GSNC_IP}"
|
||||||
# -----END GSNC traffic is routed via Internet----
|
# -----END GSNC traffic is routed via Internet----
|
||||||
|
|
||||||
# Dont MASQ LG's. FORWARD instead. They are MASQ'ed at VPN endpoints.
|
# Dont MASQ LG's. FORWARD instead. They are MASQ'ed at VPN endpoints.
|
||||||
iptables -A FORWARD -i "${DEV_LG}" -o "${DEV_GW}" -j ACCEPT
|
iptables -A FORWARD -i "${DEV_LG}" -o "${DEV_GW}" -j ACCEPT
|
||||||
# DNSMASQ does not know route back to LG => MASQ is here.
|
|
||||||
|
# MASQ DNSMASQ as it does not know a route to LG
|
||||||
iptables -t nat -A POSTROUTING -s "${NET_LG}" -d "${NET_VPN_DNS_IP}" -o "${DEV_GW}" -j MASQUERADE
|
iptables -t nat -A POSTROUTING -s "${NET_LG}" -d "${NET_VPN_DNS_IP}" -o "${DEV_GW}" -j MASQUERADE
|
||||||
# MASQ all traffic from NON-LG's (the VPN/TOR/DNS dont know the route back to them).
|
# MASQ traffic from TOR to DMZ (nginx) as DMZ does not know about TOR_IP.
|
||||||
# iptables -t nat -A POSTROUTING ! -s "${NET_LG}" -o "${DEV_GW}" -j MASQUERADE
|
|
||||||
# MASQ GSNC to (direct) Internet
|
|
||||||
iptables -t nat -A POSTROUTING -s "${GSNC_IP}" -o "${DEV_DIRECT}" -j MASQUERADE
|
|
||||||
# MASQ traffic from TOR to DMZ (nginx)
|
|
||||||
iptables -t nat -A POSTROUTING -o "${DEV_DMZ}" -j MASQUERADE
|
iptables -t nat -A POSTROUTING -o "${DEV_DMZ}" -j MASQUERADE
|
||||||
|
|
||||||
|
# MASQ GSNC to (direct) Internet
|
||||||
|
# iptables -t nat -A POSTROUTING -s "${GSNC_IP}" -o "${DEV_DIRECT}" -j MASQUERADE
|
||||||
|
# MASQ traffic 'forced' via (direct) Internet (e.g ipt_set, sf-gsnc)
|
||||||
|
iptables -t nat -A POSTROUTING -o "${DEV_DIRECT}" -m mark --mark 22 -m state --state NEW,ESTABLISHED -j MASQUERADE
|
||||||
|
iptables -A FORWARD -i "${DEV_LG}" -o "${DEV_DIRECT}" -p tcp -m mark --mark 22 -j ACCEPT
|
||||||
|
iptables -A FORWARD -i "${DEV_DIRECT}" -o "${DEV_LG}" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
|
||||||
# TOR traffic (169.254.240.0/21) always goes to TOR (transparent proxy)
|
# TOR traffic (169.254.240.0/21) always goes to TOR (transparent proxy)
|
||||||
ip route add "${NET_ONION}" via "${TOR_IP}"
|
ip route add "${NET_ONION}" via "${TOR_IP}"
|
||||||
|
|
||||||
@ -444,23 +533,24 @@ ip route add "${NET_ONION}" via "${TOR_IP}"
|
|||||||
iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
|
iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
|
||||||
iptables -A FORWARD -j REJECT
|
iptables -A FORWARD -j REJECT
|
||||||
set +e
|
set +e
|
||||||
echo -e >&2 "FW: SUCCESS"
|
LOG "FW" "SUCCESS"
|
||||||
|
|
||||||
# Set up Traffic Control (limit bandwidth)
|
# Set up Traffic Control (limit bandwidth)
|
||||||
|
|
||||||
unset err
|
unset err
|
||||||
### Shape/Limit EGRESS LG -> VPN
|
### Shape/Limit EGRESS LG -> VPN
|
||||||
tc_set "${DEV_GW}" "${SF_MAXOUT}" "nfct-src" || err=1
|
# tc_set "${DEV_GW}" "${SF_MAXOUT}" "nfct-src" || err=1
|
||||||
|
tc_set "${DEV_GW}" "${SF_MAXOUT}" "dual-srchost" "src" || err=1
|
||||||
### Shape/Limit INGRESS VPN -> LG
|
### Shape/Limit INGRESS VPN -> LG
|
||||||
tc_set "${DEV_LG}" "${SF_MAXIN}" "dst" || err=1
|
tc_set "${DEV_LG}" "${SF_MAXIN}" "dual-dsthost" "dst" || err=1
|
||||||
|
|
||||||
### Shape/Limit EGRESS SSHD -> SSH (direct internet)
|
### Shape/Limit EGRESS SSHD -> SSH (direct internet)
|
||||||
tc_set "${DEV_DIRECT}" "${SF_MAXOUT}" "dst" || err=1
|
tc_set "${DEV_DIRECT}" "${SF_MAXOUT}" "dsthost" "dst" || err=1
|
||||||
### Shape/Limit INGRESS SSH -> SSHD (sf-host)
|
### Shape/Limit INGRESS SSH -> SSHD (sf-host)
|
||||||
tc_set "${DEV_ACCESS}" "${SF_MAXIN}" "src" || err=1
|
tc_set "${DEV_ACCESS}" "${SF_MAXIN}" "srchost" "src" || err=1
|
||||||
|
|
||||||
[[ -n $err ]] && SLEEPEXIT 0 5 "cls_matchall.ko not available? NO TRAFFIC LIMIT."
|
[[ -n $err ]] && SLEEPEXIT 0 5 "TC failed. NO TRAFFIC LIMIT."
|
||||||
echo -e >&2 "TC: SUCCESS"
|
LOG "TC" "SUCCESS"
|
||||||
|
|
||||||
# By default go via DIRECT or TOR + VPN until vpn_status exists
|
# By default go via DIRECT or TOR + VPN until vpn_status exists
|
||||||
use_other
|
use_other
|
||||||
@ -468,6 +558,5 @@ monitor_failover
|
|||||||
|
|
||||||
# REACHED IF ANY CMD FAILS
|
# REACHED IF ANY CMD FAILS
|
||||||
ip route del default
|
ip route del default
|
||||||
echo -e >&2 "FAILED to set routes"
|
ERREXIT 255 "FAILED to set routes"
|
||||||
exit 250
|
|
||||||
|
|
||||||
|
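Review bot: `source "$f"` in use_vpn() (first hunk; the function's opening line sits in the hunk header, outside the hunk) executes the VPN status file as shell inside the router, where the removed code only extracted and sanitized an IP (`_ip="${_ip//[^0-9\.]/}"`); the file is produced by the VPN containers, so a value that is not shell-safe (an endpoint string containing `"`, `$(` or a newline) now runs with the router's privileges, and `SFVPN_MY_IP` goes unchecked into `ip route add default nexthop via`. Prefer reading `SFVPN_*` lines as `key=value` pairs and re-applying the digit/dot sanitization, or at minimum `unset SFVPN_MY_IP SFVPN_IS_REDIRECTS_DNS` at the top of each iteration so a file lacking a key cannot inherit the previous file's value. The check `[[ ${#gw_dns_ip[@]} -ne ${#gw[@]} ]]` compares against `gw`, which holds five words per VPN (`nexthop via IP weight 100`), so it is true whenever `gw_dns_ip` is non-empty and table 53 gets pinned to a single VPN even when none redirects DNS; `${#gw_ip[@]}` is the intended count. use_tor() and use_novpn() in the same hunk never clear `table 53`, so after a failover the LG DNS traffic marked 53 by the later hunk would keep routing to the dead VPN gateway; an `ip route del default table 53 2>/dev/null` in both fixes it. In ipt_direct() (third hunk) the `direct` set that lets LG traffic bypass the VPN is filled from unauthenticated `dig` answers at boot and created as `iphash`, which as I read ipset(8) expands each CIDR from api.github.com/meta into individual addresses; `hash:net` stores the ranges as given, and the trust placed in the resolver for a VPN-bypass list deserves a comment.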
@ -47,8 +47,7 @@ source /dev/shm/net-devs.txt || exit
|
|||||||
# IPIDX=$((C * 256 + D))
|
# IPIDX=$((C * 256 + D))
|
||||||
# unset C D str
|
# unset C D str
|
||||||
|
|
||||||
# echo "FOOBAR"
|
# # FIXME: nft to throttle upload speed after 8gb transfer?
|
||||||
# # FIXME: use iptables quota2 or new nft to throttle upload speed after 8gb transfer?
|
|
||||||
# }
|
# }
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
@ -42,24 +42,24 @@ tc_set()
|
|||||||
{
|
{
|
||||||
local dev
|
local dev
|
||||||
local rate
|
local rate
|
||||||
|
local cakekey
|
||||||
local key
|
local key
|
||||||
dev=$1
|
dev=$1
|
||||||
rate=$2
|
rate=$2
|
||||||
key=$3
|
cakekey=$3
|
||||||
|
key=$4
|
||||||
|
|
||||||
# Should not happen:
|
# Should not be set but lets make sure:
|
||||||
tc qdisc del dev "${dev}" root 2>/dev/null
|
tc qdisc del dev "${dev}" root 2>/dev/null
|
||||||
|
|
||||||
set -e
|
# use TC-CAKE if there is a rate limit. Otherwise use faster SFQ below.
|
||||||
sfq_parent=("root")
|
|
||||||
[[ -n $rate ]] && {
|
[[ -n $rate ]] && {
|
||||||
tc qdisc add dev "${dev}" root handle 1: htb
|
tc qdisc add dev "${dev}" root cake bandwidth "${rate}" "${cakekey}"
|
||||||
tc class add dev "${dev}" parent 1: classid 1:10 htb rate "${rate}"
|
return
|
||||||
tc filter add dev "${dev}" parent 1: protocol ip matchall flowid 1:10
|
|
||||||
sfq_parent=("parent" "1:10")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
tc qdisc add dev "${dev}" "${sfq_parent[@]}" handle 11: sfq
|
set -e
|
||||||
|
tc qdisc add dev "${dev}" root handle 11: sfq
|
||||||
tc filter add dev "${dev}" parent 11: handle 11 flow hash keys "${key}" divisor 1024
|
tc filter add dev "${dev}" parent 11: handle 11 flow hash keys "${key}" divisor 1024
|
||||||
set +e
|
set +e
|
||||||
}
|
}
|
||||||
|
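Review bot: With `set -e` moved below the cake block, the rate-limited path now returns the status of `tc qdisc add … cake` through the bare `return`, which is what the callers' `|| err=1` need; the unlimited (sfq) path, however, still ends in `set +e`, whose status is 0, and bash documents that `-e` is ignored inside a function invoked in a `||` list, so a failing `tc qdisc add … sfq` or `tc filter add` is never reported. Propagate it explicitly, `tc qdisc add dev "${dev}" root handle 11: sfq || return` and `tc filter add dev "${dev}" parent 11: handle 11 flow hash keys "${key}" divisor 1024 || return`, and drop the `set -e`/`set +e` pair. The `tc_set()` opening line is in the hunk header, outside the hunk. A comment noting that `cakekey` is one of CAKE's flow-isolation modes (dual-srchost, dsthost, …) and `key` the `flow` filter's hash key would document the new fourth parameter.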
@ -14,6 +14,7 @@ if [[ -f /dev/shm/env.txt ]]; then
|
|||||||
else
|
else
|
||||||
echo -e "SF_DEBUG=\"${SF_DEBUG}\"\n\
|
echo -e "SF_DEBUG=\"${SF_DEBUG}\"\n\
|
||||||
SF_REDIS_AUTH=\"${SF_REDIS_AUTH}\"\n\
|
SF_REDIS_AUTH=\"${SF_REDIS_AUTH}\"\n\
|
||||||
|
IS_REDIRECTS_DNS=\"${IS_REDIRECTS_DNS}\"\n\
|
||||||
PROVIDER=\"${PROVIDER}\"\n" >/dev/shm/env.txt
|
PROVIDER=\"${PROVIDER}\"\n" >/dev/shm/env.txt
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -111,6 +112,7 @@ up()
|
|||||||
myip="${myip#*inet }"
|
myip="${myip#*inet }"
|
||||||
myip="${myip%%/*}"
|
myip="${myip%%/*}"
|
||||||
echo -en "\
|
echo -en "\
|
||||||
|
SFVPN_IS_REDIRECTS_DNS=\"${IS_REDIRECTS_DNS}\"\n\
|
||||||
SFVPN_MY_IP=\"${myip}\"\n\
|
SFVPN_MY_IP=\"${myip}\"\n\
|
||||||
SFVPN_EXEC_TS=\"$(date -u +%s)\"\n\
|
SFVPN_EXEC_TS=\"$(date -u +%s)\"\n\
|
||||||
SFVPN_ENDPOINT_IP=\"${ep_ip}\"\n\
|
SFVPN_ENDPOINT_IP=\"${ep_ip}\"\n\
|
||||||
|
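Review bot: The status line added in the second hunk (`SFVPN_IS_REDIRECTS_DNS=\"${IS_REDIRECTS_DNS}\"`, alongside the existing SFVPN_MY_IP/SFVPN_ENDPOINT_IP lines) is now consumed with `source` in router/init.sh, so the `\"…\"` quoting is all that stands between a value and shell evaluation, and double quotes do not neutralize `$`, backticks or an embedded `"`. Emitting each key with `printf 'SFVPN_IS_REDIRECTS_DNS=%q\n' "${IS_REDIRECTS_DNS}"` (and likewise for the other keys) makes the file safe to source whatever the provider config or `ip` output contained; the same applies to `/dev/shm/env.txt` in the first hunk if the then-branch sources it. The enclosing up() continues outside the hunk.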
@ -8,9 +8,6 @@ ERREXIT()
|
|||||||
{
|
{
|
||||||
local code
|
local code
|
||||||
code="$1"
|
code="$1"
|
||||||
# shellcheck disable=SC2181 #(style): Check exit code directly with e.g
|
|
||||||
[[ $? -ne 0 ]] && code="$?"
|
|
||||||
[[ -z $code ]] && code=99
|
|
||||||
|
|
||||||
shift 1
|
shift 1
|
||||||
[[ -n "$1" ]] && echo -e >&2 "${CR}ERROR:${CN} $*"
|
[[ -n "$1" ]] && echo -e >&2 "${CR}ERROR:${CN} $*"
|
||||||
@ -57,8 +54,8 @@ genkey_hidden()
|
|||||||
}
|
}
|
||||||
|
|
||||||
# Always fix permission (and also when files already existed)
|
# Always fix permission (and also when files already existed)
|
||||||
find "${dir}" -type d -exec chmod 700 {} \; || ERREXIT
|
find "${dir}" -type d -exec chmod 700 {} \; || ERREXIT "$?"
|
||||||
find "${dir}" -type f -exec chmod 600 {} \; || ERREXIT
|
find "${dir}" -type f -exec chmod 600 {} \; || ERREXIT "$?"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Route all traffic that comes to this instance through TOR.
|
# Route all traffic that comes to this instance through TOR.
|
||||||
@ -67,13 +64,15 @@ iptables -t nat -A PREROUTING -p tcp ! -d sf-tor --syn -j REDIRECT --to-ports 90
|
|||||||
if [[ -n $SF_TOR_VIA_VPN ]]; then
|
if [[ -n $SF_TOR_VIA_VPN ]]; then
|
||||||
# Route TOR via VPN
|
# Route TOR via VPN
|
||||||
ip route del default
|
ip route del default
|
||||||
ip route add default via 172.20.0.2
|
ip route add default via "${NET_VPN_ROUTER_IP}"
|
||||||
else
|
else
|
||||||
# Route TOR directly to Internet but incoming
|
# Route TOR directly to Internet but incoming
|
||||||
# onion connectoins to these two (via sf-router)
|
# .onion connections to these SSHD and NGINX
|
||||||
ip route add 172.22.0.22/32 via 172.20.0.2
|
ip route add "${SSHD_IP}/32" via "${NET_VPN_ROUTER_IP}"
|
||||||
ip route add 172.20.1.80/32 via 172.20.0.2
|
ip route add "${NGINX_IP}/32" via "${NET_VPN_ROUTER_IP}"
|
||||||
fi
|
fi
|
||||||
|
# Route to LG
|
||||||
|
ip route add "${NET_LG}" via "${NET_VPN_ROUTER_IP}"
|
||||||
|
|
||||||
umask 0077
|
umask 0077
|
||||||
genkey_hidden 22
|
genkey_hidden 22
|
||||||
@ -83,7 +82,7 @@ xadd 22
|
|||||||
xadd 80
|
xadd 80
|
||||||
|
|
||||||
chmod 700 /var/lib/tor
|
chmod 700 /var/lib/tor
|
||||||
chown -R tor /var/lib/tor/hidden || ERREXIT
|
chown -R tor /var/lib/tor/hidden || ERREXIT "$?"
|
||||||
|
|
||||||
if [[ -f /config/host/etc/tor/torrc ]]; then
|
if [[ -f /config/host/etc/tor/torrc ]]; then
|
||||||
exec su -s /bin/ash - tor -c "tor --hush -f /config/host/etc/tor/torrc"
|
exec su -s /bin/ash - tor -c "tor --hush -f /config/host/etc/tor/torrc"
|
||||||
|
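Review bot: Removing `[[ -z $code ]] && code=99` from ERREXIT() in the first hunk means a call with no argument now carries an empty `code` into whatever `exit "$code"` presumably follows below the hunk, which bash rejects as a non-numeric argument instead of exiting with a meaningful status; the callers in this commit were switched to `ERREXIT "$?"`, but any remaining bare `ERREXIT` elsewhere in the file, or a `$?` that is already 0 when read, reproduces the problem. Keeping the one-line default `[[ -z $code ]] && code=99` costs nothing (the removed `[[ $? -ne 0 ]] && code="$?"` was indeed dead, since `$?` there is the status of the preceding assignment). The function body continues outside the hunk.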