Last active: June 2, 2020 08:19
Gist: konarev/deef14c43e8449b1ffca05a08f7ec9e6
Revisions
konarev revised this gist
Jun 2, 2020 · 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,4 +1,4 @@ https://habr.com/ru/post/317354/#comment_9958456 Выгрузка ip адресов с rublacklist, должен выполняться по крону каждые n-минут/часов/дней: #!/bin/sh -
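Review bot: the comment line still leaves the cron interval open ("every n minutes/hours/days") while the script below re-downloads and rebuilds the whole set on every run; stating a concrete recommended interval (for example once a day, since the upstream registry does not change minute to minute) would stop users from scheduling it so often that the router hammers reestr.rublacklist.net and repeatedly swaps the live ipset.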
konarev revised this gist
Jun 2, 2020 · 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,4 +1,4 @@ [Тык] (https://habr.com/ru/post/317354/#comment_9958456) Выгрузка ip адресов с rublacklist, должен выполняться по крону каждые n-минут/часов/дней: #!/bin/sh -
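Review bot: the link `[Тык] (https://habr.com/ru/post/317354/#comment_9958456)` has a space between `]` and `(`, so Markdown renders it as the literal text "[Тык]" followed by a parenthesised URL rather than as a link; either remove the space or use the bare URL.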
konarev created this gist
Jun 2, 2020
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,32 @@ [Тык](https://habr.com/ru/post/317354/#comment_9958456) Выгрузка ip адресов с rublacklist, должен выполняться по крону каждые n-минут/часов/дней: #!/bin/sh TARGET_SET=vpn-whitelist TARGET_TMP=vpn-whitelist-tmp ipset destroy -q ${TARGET_TMP} || true ipset create -q ${TARGET_SET} hash:ip || true ipset create ${TARGET_TMP} hash:ip wget -O - https://reestr.rublacklist.net/api/ips | \ awk '{gsub(/"/,"",$1); gsub(";"," ",$1); print $1}' | \ xargs -n1 ipset add ${TARGET_TMP} ipset swap ${TARGET_TMP} ${TARGET_SET} ipset destroy ${TARGET_TMP} Добавляем алиас для таблицы маршрутизации: echo 99 vpn >> /etc/iproute2/rt_tables Говорим, что все пакеты с меткой 0x99 должны идти через эту таблицу: ip rule add fwmark 0x99/0x99 lookup vpn Помечаем адреса из ipset vpn-whitelist меткой 0x99: iptables -t mangle -A PREROUTING -i br-lan -m set --match-set vpn-whitelist dst -j MARK --set-xmark 0x99/0x99 Превентивно помечаем чистый http (не https) как подлежащий маршрутизации через vpn (опциональный шаг): iptables -t mangle -A PREROUTING -i br-lan -m tcp -p tcp --dport 80 -j MARK --set-xmark 0x99/0x99
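Review bot: the refresh pipeline `wget -O - https://reestr.rublacklist.net/api/ips | awk ... | xargs -n1 ipset add ${TARGET_TMP}` followed by `ipset swap ${TARGET_TMP} ${TARGET_SET}` has no failure check, so when the download fails or the API returns an error body the script swaps an empty (or garbage) temporary set into the live `vpn-whitelist` and silently stops routing the blacklisted addresses through the VPN until the next cron run. Fetch to a temporary file first, test wget's exit status, and only call `ipset swap` when the temporary set is non-empty (for example by checking `ipset list ${TARGET_TMP}` for at least one member); on failure leave the previous set in place and log the error. Two smaller points: `xargs -n1 ipset add` forks one `ipset` process per address, which is slow on a router for a list of this size, and generating `add ${TARGET_TMP} <ip>` lines piped into `ipset restore` does the same load in one process; and `echo 99 vpn >> /etc/iproute2/rt_tables` appends a duplicate line every time the setup step is repeated, so guard it with a `grep -q` test. Also note that `hash:ip` only accepts single hosts, so if the feed ever contains CIDR ranges those entries fail to add; `hash:net` accepts both hosts and prefixes.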