
Configuring an Internet gateway with transparent bypass of blocking (and we will block advertising too)



Do you have an old (or not so old) computer with two network cards? Are you tired of advertising and of the extra gestures needed to get around blocking? You do not want to put up with this? Then welcome under the cut.

Purpose


Configure an Internet gateway so that clients on the local network work with the Internet without restrictions and without any extra configuration on their side. Blocked sites are reached through Tor, everything else through the normal Internet connection. .onion resources are accessible from any browser like ordinary sites. As a bonus we will set up blocking of advertising domains and access via Tor to "conditionally blocked" sites (sites that limit functionality for users from the Russian Federation). My ISP intercepts DNS queries and substitutes answers (when a blocked site is resolved it returns the address of its own stub page), so I send all DNS queries through Tor.

A warning
Everything described below helps to bypass blocking but does not provide anonymity. None at all.

Ideas and implementation methods were taken from here and from here. Many thanks to the authors of those articles.

So let's go


It is assumed that at this point you already have an installed OS (Ubuntu Server 16.04 in my case) on a computer with two network interfaces: one of them (ppp0 in my case) faces the provider, the other (enp7s0) faces the LAN. The gateway's internal IP is 192.168.1.2, the local network is 192.168.1.0/24.

How to get to this point is not covered in this article, since there is more than enough information about it on the net. I will only say that a PPPoE connection to the provider is conveniently configured with the pppoeconf utility.

Preparatory stage


If, like me, you are using a netbook or notebook as the gateway, you probably want it not to go to sleep when you close the lid.

 sudo nano /etc/systemd/logind.conf

 HandleLidSwitch=ignore

Enable forwarding in the kernel. While at it, I disabled IPv6: all the redirect and firewall rules below are IPv4-only, so if the provider also gives you IPv6, traffic over it would go around both the Tor redirect and the firewall.

 sudo nano /etc/sysctl.conf

 net.ipv4.ip_forward=1
 # IPv6 disabled
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
 net.ipv6.conf.lo.disable_ipv6 = 1

Apply the changes without rebooting.

 sudo sysctl -p

DHCP setup


We want clients to be configured automatically, so a DHCP server is a must.

 $ sudo apt install isc-dhcp-server
 $ sudo nano /etc/dhcp/dhcpd.conf

Bring the file to approximately this form.
 default-lease-time 600;
 max-lease-time 7200;
 subnet 192.168.1.0 netmask 255.255.255.0 {
   range 192.168.1.100 192.168.1.200;
   option routers 192.168.1.2;
   option domain-name-servers 192.168.1.2, 8.8.8.8;
   option broadcast-address 192.168.1.255;
 }

Explanation
subnet 192.168.1.0 netmask 255.255.255.0 - defines the network and mask,
range 192.168.1.100 192.168.1.200; - the range of addresses the server hands out,
option routers 192.168.1.2; - the gateway address,
option domain-name-servers 192.168.1.2, 8.8.8.8; - DNS server addresses. Note that a client which falls back to the second entry talks to 8.8.8.8 directly, bypassing the ad filtering done by bind on the gateway (and, with an ISP that intercepts DNS, getting the ISP's answers); hand out only 192.168.1.2 if you want every lookup to go through the gateway,
option broadcast-address 192.168.1.255; - the broadcast address.

Restart the server

 sudo /etc/init.d/isc-dhcp-server restart

Tor setup


Install and open settings.

 $ sudo apt install tor
 $ sudo nano /etc/tor/torrc

Add the lines
 # Addresses from this range are handed out for .onion names;
 # the range must not overlap any real network you use
 VirtualAddrNetworkIPv4 10.0.0.0/8
 # Map .onion names to such addresses when they are resolved through DNSPort
 AutomapHostsOnResolve 1
 # Transparent proxy port and DNS port
 TransPort 0.0.0.0:9040
 DNSPort 0.0.0.0:5353
 # Do not use exit nodes in these countries
 ExcludeExitNodes {RU}, {UA}, {BY}

Binding to 0.0.0.0 makes these two ports reachable from the provider side as well; what keeps them private is the INPUT DROP policy set up in the iptables section below, so do not skip it. Tor accepts several TransPort and DNSPort lines, so alternatively you can bind one of each to 127.0.0.1 and one to 192.168.1.2 (the two addresses that REDIRECT sends traffic to) and leave the provider side alone.

DNS setup


If you do not need ad blocking, this step can be skipped: to just use DNS through Tor, add the line DNSPort 0.0.0.0:53 to /etc/tor/torrc and that is all.

But I am going to cut advertising, which means: install and open the settings

 $ sudo apt install bind9
 $ sudo nano /etc/bind/named.conf.options

Bring the file to the following form
 options {
     directory "/var/cache/bind";
     forwarders { 127.0.0.1 port 5353; };
     listen-on { 192.168.1.2; 127.0.0.1; };
     dnssec-validation auto;
     auth-nxdomain no;
     listen-on-v6 { none; };
 };

If your provider does not tamper with DNS queries, you can send them to other DNS servers instead, for example Google's:
 forwarders { 8.8.8.8; 8.8.4.4; };

In theory this should be faster than going through Tor.
One caveat for the Tor forwarder: Tor's DNSPort answers only A, AAAA and PTR queries, so bind cannot fetch the DNSKEY and DS records that DNSSEC validation needs through it; if lookups via the Tor forwarder fail with SERVFAIL, set dnssec-validation to no.
We will come back to the DNS configuration later; this is enough for now. Restart the service.

 sudo /etc/init.d/bind9 restart

Iptables configuration


All the magic will be created here.

The essence of the idea
  1. We build a list of IP addresses that we want to reach through Tor.
  2. Requests to those addresses are steered into Tor's transparent proxy.
  3. DNS requests for .onion names are steered to Tor's DNS port.
  4. When a name from the .onion zone is resolved, Tor returns an address from the 10.0.0.0/8 range (which we specified when configuring Tor). That range is of course not routed on the Internet, so connections to it have to be steered into the transparent proxy as well.


Lyrical digression
Initially I thought that redirecting DNS requests for .onion in iptables could be avoided: that bind could be configured to forward such requests to Tor's DNS and return addresses from the 10.0.0.0/8 range. I did not manage to set it up.

 forwarders { 127.0.0.1 port 5353; };

does not produce the desired result, and neither does a separate ".onion" zone with forwarders at 127.0.0.1 port 5353.
If anyone knows why this happens and how to fix it, write in the comments.

I assume iptables is already installed. Install ipset; with it we can maintain the list of blocked addresses and steer packets to those addresses into the transparent proxy.

 sudo apt install ipset

Next, run the following commands as root, one after another, to configure iptables. You will of course need to replace the interface names and addresses with your own. I put these commands into /etc/rc.local before exit 0, so they run on every boot.

I suggest you do the same.
 # Create the ipset (silently skip if it already exists)
 ipset -exist create blacklist hash:ip

 # DNS queries for .onion names go to Tor's DNSPort; all other DNS goes to bind9.
 # |056f6e696f6e00| is the wire-format label "onion" followed by the root label,
 # i.e. it matches only query names that end in .onion
 iptables -t nat -A PREROUTING -p udp --dport 53 -m string --hex-string "|056f6e696f6e00|" --algo bm -j REDIRECT --to-port 5353
 iptables -t nat -A OUTPUT -p udp --dport 53 -m string --hex-string "|056f6e696f6e00|" --algo bm -j REDIRECT --to-port 5353

 # TCP connections to blacklisted addresses go to Tor's TransPort
 iptables -t nat -A PREROUTING -p tcp -m set --match-set blacklist dst -j REDIRECT --to-port 9040
 iptables -t nat -A OUTPUT -p tcp -m set --match-set blacklist dst -j REDIRECT --to-port 9040

 # TCP connections to 10.0.0.0/8 (the virtual addresses Tor hands out for
 # .onion names) also go to the TransPort
 iptables -t nat -A PREROUTING -p tcp -d 10.0.0.0/8 -j REDIRECT --to-port 9040
 iptables -t nat -A OUTPUT -p tcp -d 10.0.0.0/8 -j REDIRECT --to-port 9040

 ###########################################
 # Everything below is an ordinary gateway firewall, unrelated to Tor #
 ###########################################
 # NAT
 iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
 # Allow ICMP
 iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
 iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
 iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
 iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
 # Drop invalid packets
 iptables -A INPUT -m state --state INVALID -j DROP
 iptables -A FORWARD -m state --state INVALID -j DROP
 # Drop null packets
 iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
 # SYN-flood protection: a new connection must start with SYN
 iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
 iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
 # Allow loopback, the LAN interface and replies to established connections
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A INPUT -i enp7s0 -j ACCEPT
 iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # Drop everything else coming in
 iptables -P INPUT DROP
 # Forwarding: the LAN may go anywhere, from outside only replies come back
 iptables -A FORWARD -i enp7s0 -j ACCEPT
 iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # Drop all other forwarding
 iptables -P FORWARD DROP

One thing to watch with the nat OUTPUT rules: they apply to the gateway's own traffic, including what the tor daemon itself sends. If the address of a Tor relay ever shows up in the blacklist, Tor's own connection to that relay would be redirected back into its TransPort. The usual fix is to exempt packets owned by the daemon's user (debian-tor on Ubuntu) with an owner-match RETURN rule placed before the other rules in the nat OUTPUT chain.
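To see what the two DNS rules above actually select, here is an added example (mine, not code from the article) that builds DNS query packets in wire format and applies the same substring test that the kernel's string match performs. The query names are constructed test data; the only thing taken from the article is the byte pattern.

```python
#!/usr/bin/env python3
"""Added example (not from the article): what the rule
   -m string --hex-string "|056f6e696f6e00|" --algo bm
really matches.  A DNS name on the wire is a sequence of length-prefixed
labels terminated by a zero-length root label (RFC 1035, 3.1), so
"example.onion" is sent as  07 "example" 05 "onion" 00.  The pattern
05 6f 6e 69 6f 6e 00 is therefore "label 'onion' directly followed by the
root", i.e. a query whose name ends in .onion.  Query names below are
constructed test data."""
import struct

ONION_PATTERN = bytes.fromhex("056f6e696f6e00")  # same bytes as the iptables rule


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels."""
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r in %r" % (label, name))
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"  # the root label terminates the name


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal standard query: 12-byte header, one question, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def matches_onion_rule(packet: bytes, icase: bool = False) -> bool:
    """The string match's decision: a plain substring search over the payload.
    icase=True models adding --icase to the iptables rule."""
    if icase:
        return ONION_PATTERN.lower() in packet.lower()
    return ONION_PATTERN in packet


def classify(names, icase=False):
    """Map each query name to whether the rule would send it to port 5353."""
    return {n: matches_onion_rule(build_query(n), icase) for n in names}


if __name__ == "__main__":
    samples = ["example.onion", "www.example.onion", "onion.example.com",
               "notonion.net", "EXAMPLE.ONION"]
    for name, hit in classify(samples).items():
        print("%-20s -> %s" % (name, "Tor DNSPort" if hit else "bind9"))
```

Two things the run makes visible. A name that merely contains "onion" as a non-final label (onion.example.com) or inside a longer label (notonion.net) is not redirected, which is what we want. But the match is case-sensitive: a query for EXAMPLE.ONION is not redirected, and resolvers that randomise the case of query names would slip past the rule; adding --icase to both DNS rules closes that gap. The rules also only cover UDP, so DNS over TCP (used for large answers and by some resolvers) goes to bind instead.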


After a reboot we should have a working gateway. Blocking bypass does not work yet, though: we created the blacklist set and the redirect rules, but the set itself is still empty. Time to fix that.

Fill in the blacklist


We create the directory in which the script will lie.

 # mkdir -p /var/local/blacklist 

Create a script

 # nano /var/local/blacklist/blacklist-update.sh 

with the following content
 #!/bin/bash
 # Work in the directory the script lives in
 cd $(dirname $0)
 # Get the registry dump from github (clone on the first run, pull afterwards)
 git pull -q || git clone https://github.com/zapret-info/zi.git .
 # Extract all IPv4 addresses from the first field of dump.csv into blacklist.txt
 cat dump.csv | cut -f1 -d\; | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort | uniq > blacklist.txt
 # my-blacklist holds the hosts we want to reach through Tor ourselves;
 # resolve them and append the addresses to blacklist.txt
 dig +short -f my-blacklist >> blacklist.txt
 # Rebuild the ipset
 ipset flush blacklist
 # Add the addresses one by one
 cat blacklist.txt | xargs -n1 ipset add blacklist


Making the script executable
 # chmod +x /var/local/blacklist/blacklist-update.sh 

Create the file my-blacklist, which we will later fill by hand with the resources we want to reach through Tor.
 # echo lostfilm.tv > /var/local/blacklist/my-blacklist

Run the script
 # /var/local/blacklist/blacklist-update.sh

The script takes a long time, be patient. Blocked sites (flibusta, for example) should open now. Add to the end of /etc/rc.local, but before exit 0
 # Wait for the network (and DNS) to come up, otherwise the update fails
 sleep 60
 # Refresh the blacklist and load it into the ipset
 /var/local/blacklist/blacklist-update.sh
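The blacklist-update.sh above has three weak spots a practitioner will notice: a network entry in the dump (say 5.6.7.0/24) is reduced by the IPv4 regex to its first address, so the rest of the block is not routed through Tor; between ipset flush and the last ipset add the live set is empty, so bypass silently stops working for the many minutes the load takes; and dig +short also prints CNAME target names, which are not addresses and make the corresponding ipset add fail. The following is an added example of mine, not the article's script, that generates one ipset restore batch instead. It assumes the set is created as hash:net (the article creates hash:ip; swap requires both sets to be the same type), that dump.csv has the shape published by the zapret-info repository (one record per line, ';'-separated, first field holding zero or more addresses or networks separated by ' | ', file encoded in cp1251), and the records and dig output embedded below are constructed, not real registry data.

```python
#!/usr/bin/env python3
"""Added example (mine, not the article's blacklist-update.sh): build an
`ipset restore` batch from a zapret-info dump.csv and `dig +short` output.

Compared with the article's script:
  * network entries such as 5.6.7.0/24 keep their mask (requires the set to be
    created as hash:net; the article's set is hash:ip);
  * the list is loaded into a temporary set and swapped in atomically, so the
    live set is never empty during the update;
  * one `ipset restore` run instead of one ipset process per address;
  * non-address lines from `dig +short` (CNAME target names) are dropped.

Assumed input format: one record per line, fields separated by ';', the first
field holding zero or more IPv4 addresses/networks separated by ' | ' (decode
the real file from cp1251 before calling parse_dump).  The records and the dig
output below are constructed sample data."""
import ipaddress

SAMPLE_DUMP = """\
1.2.3.4;blocked.example;http://blocked.example/;Agency;1-23;2017-01-01
1.2.3.4 | 5.6.7.0/24;other.example;;Agency;1-24;2017-01-02
;nameonly.example;http://nameonly.example/page;Agency;1-25;2017-01-03
300.1.1.1;garbage.example;;Agency;1-26;2017-01-04
"""

# Constructed output of `dig +short -f my-blacklist`: a CNAME target name is
# printed alongside the addresses and must not be fed to ipset.
SAMPLE_DIG = """\
cdn.example.net.
198.51.100.7
198.51.100.7
"""


def parse_dump(text: str):
    """Return the set of IPv4 networks named in the dump (hosts become /32)."""
    nets = set()
    for line in text.splitlines():
        for token in line.split(";", 1)[0].split("|"):
            token = token.strip()
            if not token:
                continue          # record with no address (domain/URL-only block)
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue          # not an address at all: skip, do not abort
            if net.version == 4:
                nets.add(net)
    return nets


def parse_dig_output(text: str):
    """Keep only IPv4 addresses from `dig +short` output, dropping CNAME names."""
    addrs = set()
    for word in text.split():
        try:
            net = ipaddress.ip_network(word, strict=False)
        except ValueError:
            continue
        if net.version == 4:
            addrs.add(net)
    return addrs


def ipset_restore_batch(nets, setname: str = "blacklist") -> str:
    """Commands for `ipset restore`: fill <setname>-tmp, then swap it in."""
    tmp = setname + "-tmp"
    lines = ["create %s hash:net family inet" % tmp, "flush %s" % tmp]
    for net in sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen)):
        entry = str(net.network_address) if net.prefixlen == 32 else str(net)
        lines.append("add %s %s" % (tmp, entry))
    lines += ["swap %s %s" % (tmp, setname), "destroy %s" % tmp]
    return "\n".join(lines) + "\n"


def build_batch(dump_text: str, dig_text: str, setname: str = "blacklist") -> str:
    """Registry dump plus manually listed hosts, as one restore batch."""
    return ipset_restore_batch(parse_dump(dump_text) | parse_dig_output(dig_text), setname)


if __name__ == "__main__":
    # Real use: build_batch(open("dump.csv", encoding="cp1251").read(), dig_out)
    # and pipe the result into `ipset -exist restore`.
    print(build_batch(SAMPLE_DUMP, SAMPLE_DIG), end="")
```

Feed the output to ipset -exist restore; the -exist flag lets the create line succeed if a temporary set was left behind by an interrupted run. Because swap exchanges the contents of the two sets in one step, the iptables rules keep matching against the old list right up to the moment the new one replaces it.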

Setting up the ad filter


The essence of the idea
  1. Install and run a tiny HTTP server that listens on port 80 and answers any request with a one-pixel transparent GIF.
  2. Get a list of advertising domains.
  3. Configure bind as the authoritative server for them.
  4. All requests to advertising domains thus end up at our HTTP server with its wonderful picture.


Let's get started with the server. Create a file

 # nano /usr/local/bin/pixelserv 

with content
 #!/usr/bin/perl -Tw
 use IO::Socket::INET;
 $crlf = "\015\012";
 # A 43-byte transparent 1x1 GIF
 $pixel = pack("C*", qw(71 73 70 56 57 97 1 0 1 0 128 0 0 255 255 255 0 0 0 33 249 4 1 0 0 0 0 44 0 0 0 0 1 0 1 0 0 2 2 68 1 0 59));
 $sock = new IO::Socket::INET (
     LocalHost => '0.0.0.0',
     LocalPort => '80',
     Proto     => 'tcp',
     Listen    => 30,
     Reuse     => 1);
 if (!defined($sock)) {
     print "error : cannot bind : $! exit\n";
     exit(1);
 }
 while ($new_sock = $sock->accept()) {
     # Read and discard the request headers up to the empty line
     while (<$new_sock>) {
         chop; chop;   # strip CRLF
         # print "$_\n";
         if ($_ eq '') { last; }
     }
     # Answer every request with the pixel
     print $new_sock "HTTP/1.1 200 OK$crlf";
     print $new_sock "Content-type: image/gif$crlf";
     print $new_sock "Accept-ranges: bytes$crlf";
     print $new_sock "Content-length: 43$crlf$crlf";
     print $new_sock $pixel;
     shutdown($new_sock, 2);
     undef($new_sock);
 }
 close($sock);
 exit(0);


make it executable

 # chmod +x /usr/local/bin/pixelserv 

Create server initialization file

 # nano /etc/init.d/pixelserv 

with content
 #!/bin/sh
 # /etc/init.d/pixelserv
 #
 # Carry out specific functions when asked to by the system
 case "$1" in
   start)
     echo "Starting pixelserv "
     /usr/local/bin/pixelserv &
     ;;
   stop)
     echo "Stopping script pixelserv"
     killall pixelserv
     ;;
   *)
     echo "Usage: /etc/init.d/pixelserv {start|stop}"
     exit 1
     ;;
 esac
 exit 0


Make it executable, register the service, start the http server

 # chmod +x /etc/init.d/pixelserv
 # update-rc.d pixelserv defaults
 # /etc/init.d/pixelserv start

Now create a script for updating the list of advertising domains.

 # nano /var/local/blacklist/ad-update.sh

with the content

 #!/bin/bash
 cd /etc/bind/ || exit 1
 # Fetch the ad-server list in bind format, pointing every zone at our db.adzone;
 # install it only if the download succeeded and is non-empty (keeps the old list on failure)
 curl -fsS "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=bindconfig&showintro=0&mimetype=plaintext" | sed 's/null.zone.file/\/etc\/bind\/db.adzone/g' > named.ad.conf.new \
   && [ -s named.ad.conf.new ] && mv named.ad.conf.new named.ad.conf
 # Make bind re-read its configuration
 rndc reload

Keep in mind that this list is downloaded over plain HTTP and then included, line for line, into bind's configuration: whoever can tamper with that download can feed arbitrary directives to your resolver. Fetch it over HTTPS if the list is available that way.
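Rather than trusting every line of the download, the configuration can be regenerated from it, keeping only zone statements of the one shape we expect and only syntactically valid domain names. The following is an added example of mine, not the article's ad-update.sh: the input lines are constructed in the shape the article's sed expression assumes (a zone statement naming null.zone.file); one line is deliberately malformed to show what gets rejected.

```python
#!/usr/bin/env python3
"""Added example (mine, not the article's ad-update.sh): regenerate
named.ad.conf from the downloaded list instead of editing it with sed.

Each input line must match the single shape we expect (a zone statement that
names null.zone.file) and the zone name must be a syntactically valid
hostname; anything else is reported and never written into bind's config.
The input below is constructed sample data."""
import re

ZONE_FILE = "/etc/bind/db.adzone"

# One zone statement per line, as in the list the article downloads.
ZONE_LINE = re.compile(
    r'^zone\s+"(?P<name>[^"]+)"\s*\{\s*type\s+master;\s*notify\s+no;'
    r'\s*file\s+"null\.zone\.file";\s*\};\s*$')
# A hostname label: 1-63 letters, digits or hyphens, not starting/ending with '-'
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

SAMPLE_LIST = """\
zone "ads.example" { type master; notify no; file "null.zone.file"; };
zone "tracker.example.net" { type master; notify no; file "null.zone.file"; };
zone "ads.example" { type master; notify no; file "null.zone.file"; };

zone "evil"; options { forwarders { 198.51.100.9; }; }; zone "x" { type master; notify no; file "null.zone.file"; };
zone "bad..name" { type master; notify no; file "null.zone.file"; };
"""


def valid_hostname(name: str) -> bool:
    """Syntactic hostname check: bounded length, every label well formed."""
    if len(name) > 253 or name.endswith("."):
        return False
    return all(LABEL.match(label) for label in name.split("."))


def parse_ad_list(text: str):
    """Return (sorted unique zone names, list of rejected input lines)."""
    names, rejected = set(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ZONE_LINE.match(line)
        if m and valid_hostname(m.group("name")):
            names.add(m.group("name").lower())
        else:
            rejected.append(line)   # anything unexpected stays out of named.conf
    return sorted(names), rejected


def render_named_ad_conf(names, zone_file: str = ZONE_FILE) -> str:
    """Emit zone statements we generated ourselves, all pointing at db.adzone."""
    return "".join('zone "%s" { type master; notify no; file "%s"; };\n'
                   % (name, zone_file) for name in names)


if __name__ == "__main__":
    names, rejected = parse_ad_list(SAMPLE_LIST)
    print(render_named_ad_conf(names), end="")
    for line in rejected:
        print("rejected:", line)
```

Used in place of the sed step, the download can at worst add or omit ad domains; it can no longer smuggle an options block, a forwarders statement or a different zone file into the resolver's configuration. Duplicates are collapsed, which also avoids bind's complaints about a zone defined twice.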

Making it executable

 # chmod +x /var/local/blacklist/ad-update.sh 

and perform

 # /var/local/blacklist/ad-update.sh 

Create a zone file

 # nano /etc/bind/db.adzone 

with the following content

 $TTL 86400 ; one day
 @   IN SOA ads.example.com. hostmaster.example.com. (
             2014090102 ; serial
             28800      ; refresh
             7200       ; retry
             864000     ; expire
             86400 )    ; minimum (negative caching TTL)
     NS  my.dns.server.org.   ; trailing dot, otherwise the zone name is appended
     A   192.168.1.2
 @   IN A 192.168.1.2
 *   IN A 192.168.1.2

The same file is used for every zone listed in named.ad.conf: @ and * map the domain and all of its subdomains to the gateway, where pixelserv answers with the pixel. Ad requests over HTTPS simply fail, since nothing on the gateway speaks TLS on port 443; they are blocked just as well, but the browser shows a connection error instead of a blank image.

Add to file

 # nano /etc/bind/named.conf 

the string

 include "/etc/bind/named.ad.conf"; 

Apply changes

 rndc reload 

To update the domain list at boot as well, open /etc/rc.local and add after sleep 60

 /var/local/blacklist/ad-update.sh 

Finishing touches


To periodically update the lists, create a file

 # nano /etc/cron.daily/blacklist-update 

With the following content

 #!/bin/bash
 # Refresh the list of advertising domains
 /var/local/blacklist/ad-update.sh
 # Refresh the blacklist and load it into the ipset
 /var/local/blacklist/blacklist-update.sh

Making it executable

 # chmod +x /etc/cron.daily/blacklist-update 

Note for users of Ubuntu desktop versions


Although the goal was a gateway that needs no client-side configuration, in my case it did not quite work out that way. My working OS is desktop Ubuntu 16.04. It uses NetworkManager to configure the network, which by default does not take the DNS server from the DHCP server but sets it to 127.0.1.1:53. A dnsmasq instance listens on that port and resolves names by its own rules. In everyday life this is no problem, but in our case it makes the .onion zone completely inoperative.

To fix this, you need to comment out the line in /etc/NetworkManager/NetworkManager.conf

 dns=dnsmasq 

like this

 #dns=dnsmasq 

After rebooting, everything works.

Conclusion


Android clients work fine without additional settings.
I did not check Windows, since I do not use it, but I think there should be no problems.
The limitations for Firefox and iOS are described here.

I apologise for the chaotic presentation. Additions, corrections and comments are welcome.
Thanks for your attention.

Update as of September 3, 2017
At readers' request I have put my settings on github.
The settings are provided for reference. Out of the box they will not suit you with a probability close to 100%; they need to be adapted to your setup.

Source: https://habr.com/ru/post/336966/

