diff --git a/mptcp/files/usr/share/omr/post-tracking.d/post-tracking b/mptcp/files/usr/share/omr/post-tracking.d/post-tracking
index aee2c6473..c764e794d 100755
--- a/mptcp/files/usr/share/omr/post-tracking.d/post-tracking
+++ b/mptcp/files/usr/share/omr/post-tracking.d/post-tracking
@@ -1470,5 +1470,6 @@ if [ "$(pgrep openmptcprouter-vps)" = "" ] && ([ "$(uci -q show openmptcprouter
 #/etc/init.d/v2ray rules_up >/dev/null 2>&1
 #/etc/init.d/omr-bypass reload_rules >/dev/null 2>&1
 #sh /etc/firewall.gre-tunnel >/dev/null 2>&1
+ /bin/blocklanfw >/dev/null 2>&1
 sleep 5
 fi
\ No newline at end of file
diff --git a/openmptcprouter/files/bin/blocklanfw b/openmptcprouter/files/bin/blocklanfw
index 0f4a85367..cf507eba4 100755
--- a/openmptcprouter/files/bin/blocklanfw
+++ b/openmptcprouter/files/bin/blocklanfw
@@ -5,13 +5,15 @@ ss_rules_fw_drop() {
 fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/')
 if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
 eval "iptables -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
+ fw=$((fw+1))
 fi
 done
- fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j drop/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
+ fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j DROP/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
 while IFS=$"\n" read -r c; do
- fwrule=$(echo "$c" | sed 's/drop/REDIRECT --to-ports 65535/')
+ fwrule=$(echo "$c" | sed 's/DROP/REDIRECT --to-ports 65535/')
 if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
 eval "iptables -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
+ fw=$((fw+1))
 fi
 done
 }
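Review bot: The added `/bin/blocklanfw` call now runs on every pass of this tracking loop, but blocklanfw's duplicate check in this same commit greps for `'${fwrule}'` in single quotes, i.e. the literal text `${fwrule}`, so it can never match and every pass appends another copy of the REDIRECT rules to nat zone_lan_prerouting while also deleting and re-inserting the PREROUTING jump. Either gate this call on an actual rule change, or make blocklanfw idempotent by fixing the check to `grep -F -- "${fwrule}"` (keeping in mind that `fw3 print` and `iptables-save` may still render the same rule differently, so the match should be verified on a device). The enclosing `if` starts before this hunk. A comment on the new line would also help the next reader: `# re-apply LAN block redirects; blocklanfw must be idempotent because this runs every cycle`.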
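Review bot: The new `fw=$((fw+1))` lines sit inside `while` loops that are the last stage of a pipeline (`fw3 … | awk … | while …`), so under /bin/sh they execute in a subshell and the increment never reaches the `fw=0` set at top level; if anything reads `fw` after these functions return it will always see 0. To keep the count in the parent shell, feed the loop from a here-document instead of a pipe, or write the count to a file; the same applies to the other three functions in this file. ss_rules_fw_drop starts before this hunk, and the first (reject) loop is cut by the hunk edge, so the sketch below covers the DROP loop only.
```shell
	# read from a here-doc, not a pipe, so the fw increments survive the loop
	while IFS=$"\n" read -r c; do
		fwrule=$(echo "$c" | sed 's/DROP/REDIRECT --to-ports 65535/')
		# … unchanged: duplicate check and iptables -A …
		fw=$((fw+1))
	done <<EOF
$(fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j DROP/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }')
EOF
```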
@@ -22,13 +24,15 @@ ss_rules6_fw_drop() {
 fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/')
 if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
 eval "ip6tables -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
+ fw=$((fw+1))
 fi
 done
- fw3 -6 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j drop/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
+ fw3 -6 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j DROP/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
 while IFS=$"\n" read -r c; do
- fwrule=$(echo "$c" | sed 's/drop/REDIRECT --to-ports 65535/')
+ fwrule=$(echo "$c" | sed 's/DROP/REDIRECT --to-ports 65535/')
 if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
 eval "ip6tables -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
+ fw=$((fw+1))
 fi
 done
 }
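Review bot: Both duplicate checks in this IPv6 function consult `iptables-save`, while the rules themselves are added with `ip6tables`, so the check looks in the wrong table; combined with the single-quoted `'${fwrule}'` (a literal, never expanded) the `-z` test is always true, every call re-adds the rule, and the new `fw` counter counts re-adds rather than distinct rules. Change both checks to `[ -z "$(ip6tables-save | grep zone_lan_prerouting | grep -F -- "${fwrule}")" ]`. The function starts before this hunk; the `fw3 -6 print` filter was also changed to `-j DROP`, which presumably matches fw3's actual output where the old lowercase `drop` did not — worth a comment if that was the motivation.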
@@ -38,14 +42,16 @@ v2r_rules_fw_drop() {
 while IFS=$"\n" read -r c; do
 fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/')
 if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
- eval "iptables -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
+ eval "iptables -w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null"
+ fw=$((fw+1))
 fi
 done
- fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j drop/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
+ fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j DROP/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
 while IFS=$"\n" read -r c; do
- fwrule=$(echo "$c" | sed 's/drop/REDIRECT --to-ports 65535/')
+ fwrule=$(echo "$c" | sed 's/DROP/REDIRECT --to-ports 65535/')
 if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
- eval "iptables -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
+ eval "iptables -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null"
+ fw=$((fw+1))
 fi
 done
 }
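Review bot: The rewritten DROP-path insert, `iptables -t nat -I zone_lan_prerouting 1 …`, still runs without `-w` although the reject path three lines up passes it, so when fw3 or another caller holds the xtables lock this insert fails instead of waiting, and because `2>&1 >/dev/null` only discards stdout the error lands on the caller's stdout rather than being silenced. Use `eval "iptables -w -t nat -I zone_lan_prerouting 1 ${fwrule} >/dev/null 2>&1"` to match the first loop. Note also that `-I … 1` places each rule ahead of the previous one, so the chain ends up in the reverse of fw3's order and differs from ss_rules_fw_drop, which still appends; if the relative order of these REDIRECT rules ever matters, that asymmetry deserves a comment such as `# v2ray rules are prepended so they take precedence over existing prerouting entries`. v2r_rules_fw_drop starts before this hunk.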
@@ -55,18 +61,19 @@ v2ray_rules6_fw_drop() {
 while IFS=$"\n" read -r c; do
 fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/')
 if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
- eval "ip6tables -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
+ eval "ip6tables -w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null"
 fi
 done
- fw3 -6 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j drop/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
+ fw3 -6 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j DROP/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
 while IFS=$"\n" read -r c; do
- fwrule=$(echo "$c" | sed 's/drop/REDIRECT --to-ports 65535/')
+ fwrule=$(echo "$c" | sed 's/DROP/REDIRECT --to-ports 65535/')
 if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
- eval "ip6tables -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
+ eval "ip6tables -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null"
 fi
 done
 }
+fw=0
 if [ "$(uci -q get openmptcprouter.settings.proxy)" = "shadowsocks" ]; then
 ss_rules6_fw_drop
 ss_rules_fw_drop
@@ -74,3 +81,7 @@ elif [ "$(uci -q get openmptcprouter.settings.proxy)" = "v2ray" ]; then
 v2r_rules_fw_drop
 v2ray_rules6_fw_drop
 fi
+rule=$(fw3 -4 print | grep 'A PREROUTING' | grep zone_lan_prerouting | sed 's/-A PREROUTING/-D PREROUTING/')
+eval "$rule 2>&1 >/dev/null"
+newrule=$(echo "$rule" | sed 's/-D PREROUTING/-I PREROUTING 1/')
+eval "$newrule 2>&1 >/dev/null"
diff --git a/openmptcprouter/files/etc/firewall.omr-server b/openmptcprouter/files/etc/firewall.omr-server
index 4f5a33809..a3aaccd16 100644
--- a/openmptcprouter/files/etc/firewall.omr-server
+++ b/openmptcprouter/files/etc/firewall.omr-server
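Review bot: v2ray_rules6_fw_drop is the only one of the four functions that does not bump the counter after a successful insert, so anything consuming `fw` will undercount IPv6 v2ray rules; add `fw=$((fw+1))` after each `eval` line as v2r_rules_fw_drop does (with the caveat that increments inside a piped `while` are lost to the parent shell anyway). The DROP-path `ip6tables -t nat -I …` also lacks the `-w` the reject path carries, and both duplicate checks read `iptables-save` for rules that are added to `ip6tables`, so they should read `ip6tables-save`. The function starts before this hunk.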
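Review bot: The new tail deletes the nat PREROUTING jump to zone_lan_prerouting and only then re-inserts it, so on every run — and this script is now invoked from post-tracking each cycle and from the firewall include — there is a window in which LAN traffic bypasses the whole chain, and if the `-I` eval fails after the `-D` succeeded the LAN block stays gone until the next firewall reload. At minimum, skip the churn when the jump is already first, use `-w`, and add the `2>/dev/null` on `fw3 -4 print` that the functions above use; a fully gap-free version would insert first and delete the old entry by rule number, since `-D` with a rule spec removes the first match, which would be the freshly inserted copy. Only IPv4 is handled although ss_rules6_fw_drop and v2ray_rules6_fw_drop add ip6tables rules, and if `fw3 -4 print` yields more than one matching line `$rule` is multi-line and the trailing redirection applies only to its last command.
```shell
# Only touch the jump when it is not already first in nat PREROUTING; the
# delete+re-insert below leaves a window with no LAN rules, so don't repeat it every run.
if ! iptables -w -t nat -S PREROUTING 1 2>/dev/null | grep -q zone_lan_prerouting; then
	rule=$(fw3 -4 print 2>/dev/null | grep 'A PREROUTING' | grep zone_lan_prerouting | sed 's/-A PREROUTING/-D PREROUTING/')
	newrule=$(echo "$rule" | sed 's/-D PREROUTING/-I PREROUTING 1/')
	eval "$rule >/dev/null 2>&1"
	eval "$newrule >/dev/null 2>&1"
fi
```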
@@ -13,3 +13,4 @@ config_load openmptcprouter
 config_foreach _enable_firewall_check server
 uci -q commit firewall
 #/etc/init.d/openmptcprouter-vps set_vps_firewall &
+/bin/blocklanfw 2>&1 >/dev/null
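Review bot: `2>&1 >/dev/null` on the new `/bin/blocklanfw` line discards stdout but leaves stderr attached to this include's stdout (redirections apply left to right), the opposite of the `>/dev/null 2>&1` used where post-tracking calls the same script; if the intent is to silence it write `/bin/blocklanfw >/dev/null 2>&1`, and if iptables failures should be visible drop the redirection so they reach the firewall log. blocklanfw itself shells out to `fw3 -4 print` and `iptables`, and since this include presumably runs while fw3 is still applying the ruleset, confirm that the zone_lan_prerouting chain already exists at this point and that the script's iptables calls all pass `-w`, otherwise the inserts can fail on the xtables lock with nothing recorded.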