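echo 'Creating startup script to mount /opt, /root and start Entware services'
# /etc/init.d/rootopt: an OpenWrt rc.common init script (START=99 so it runs
# late in boot) that bind-mounts /etc/opt over /opt and /etc/root over /root
# and then starts Entware's rc.unslung. The mounts are guarded with /proc/mounts
# so a repeated "start" does not stack a second bind mount that a single "stop"
# would not undo.
cat << 'EOF' > /etc/init.d/rootopt
#!/bin/sh /etc/rc.common
START=99
STOP=00
start() {
  if [ -d /etc/root ] && ! grep -qs ' /root ' /proc/mounts; then
    mount -o bind /etc/root /root
  fi
  if [ -d /etc/opt ] && ! grep -qs ' /opt ' /proc/mounts; then
    mount -o bind /etc/opt /opt
  fi
  [ -x /opt/etc/init.d/rc.unslung ] && /opt/etc/init.d/rc.unslung start
  return 0
}
stop() {
  [ -x /opt/etc/init.d/rc.unslung ] && /opt/etc/init.d/rc.unslung stop
  [ -d /etc/opt ] && umount /opt
  [ -d /etc/root ] && umount /root
  return 0
}
EOF
chmod 755 /etc/init.d/rootopt
# The bind sources must exist before the first "start"; abort if they cannot be created.
mkdir -p /etc/opt /etc/root || exit 1
/etc/init.d/rootopt enable
/etc/init.d/rootopt start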
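echo 'Install Entware'
# Download the installer to a temp file and run it only after wget reports
# success: piping wget straight into "sh -" executes whatever arrived, including
# a truncated script or an HTTP error page. Nothing below works without
# Entware, so a failed download aborts the whole setup.
# NOTE(review): the installer is fetched over plain HTTP and is not checked
# against any signature or digest, so it is trusted as delivered by the network.
installer=$(mktemp) || exit 1
if ! wget http://bin.entware.net/aarch64-k3.10/installer/generic.sh -O "$installer"; then
  rm -f "$installer"
  echo 'Entware installer download failed' >&2
  exit 1
fi
sh "$installer"
rm -f "$installer"
#Add /opt/bin /opt/sbin to PATH (only once, so re-running the setup does not
#append a duplicate line to .profile)
grep -qs '/opt/bin:/opt/sbin' /root/.profile \
  || echo 'export PATH=$PATH:/opt/bin:/opt/sbin' >> /root/.profile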
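echo 'Install tor'
/opt/bin/opkg update
# Without the package there is no /opt/etc/tor to configure or S35tor to restart.
/opt/bin/opkg install tor || exit 1
echo 'Configure and (re)start tor'
# Keep the packaged torrc as a reference copy; skip the move if it is absent.
[ -e /opt/etc/tor/torrc ] && mv -f /opt/etc/tor/torrc /opt/etc/tor/torrc.bak
cat << 'EOF' > /opt/etc/tor/torrc
#Log to syslog
Log notice syslog
#Dir for storing keys/etc
DataDirectory /var/lib/tor
#Resolve onion domain names to
VirtualAddrNetworkIPv4 10.192.0.0/10
#Enable tor DNS
AutomapHostsOnResolve 1
#Transparent proxy and DNS. Both listen on every interface so that the
#REDIRECT rules in S36tor_iptables can reach them from any LAN interface;
#keeping them off the WAN side relies on the router's firewall INPUT policy.
TransPort 0.0.0.0:9040
DNSPort 0.0.0.0:5353
#Exclude exit nodes from RU, UA, BY
ExcludeExitNodes {RU}, {UA}, {BY}
EOF
/opt/etc/init.d/S35tor restart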
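echo 'Add tor DNS to dnsmasq'
# Point dnsmasq at tor's DNSPort (127.0.0.1:5353) as an upstream server.
# The drop-in directory may not exist on a fresh image, so create it first;
# otherwise the redirection below fails and dnsmasq restarts unchanged.
mkdir -p /etc/dnsmasq.d || exit 1
echo 'server=127.0.0.1#5353' > /etc/dnsmasq.d/tor
/etc/init.d/dnsmasq restart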
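echo 'Create and launch script to fetch blocked IPs list from github.com/zapret-info/z-i'
# /root/blacklist.sh: download the z-i dump and extract the unique IPv4
# addresses from its first (semicolon-separated) column into
# /root/blacklist.txt. The download goes to a mktemp file rather than a fixed
# /tmp name, and the previous list is only replaced once a new one was built,
# so a failed fetch no longer leaves an empty /root/blacklist.txt behind.
cat << 'EOF' > /root/blacklist.sh
#!/bin/sh
# --insecure disables TLS certificate verification, so the list that decides
# which destinations are sent through tor is not authenticated; drop the flag
# once a CA bundle is installed on the router. --fail turns HTTP errors into a
# non-zero exit instead of an error page on stdout.
dump=$(mktemp) || exit 1
trap 'rm -f "$dump" /root/blacklist.txt.tmp' EXIT
curl --silent --fail --insecure https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv --output "$dump" || exit 1
cut -f1 -d\; "$dump" | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort -u > /root/blacklist.txt.tmp || exit 1
mv -f /root/blacklist.txt.tmp /root/blacklist.txt
EOF
chmod 755 /root/blacklist.sh
/root/blacklist.sh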
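echo 'Create /opt/etc/init.d/S36tor_iptables with iptables rules'
# /opt/etc/init.d/S36tor_iptables: nat-table rules that send .onion DNS lookups
# to tor's DNSPort, .onion traffic (the automapped 10.192.0.0/10 range) and any
# destination in the "blacklist" ipset to tor's TransPort. rc.unslung invokes
# every S* script with an action argument, so only "start" (or no argument,
# when run by hand) installs rules; previously a "stop" appended a second copy.
cat << 'EOF' > /opt/etc/init.d/S36tor_iptables
#!/bin/sh
case "${1:-start}" in
  start) ;;
  *) exit 0 ;;
esac
#access to .onion sites:
# intercept .onion DNS requests ("|056f6e696f6e00|" is the label "onion"
# followed by the root label, i.e. ".onion" in DNS wire format)
iptables -t nat -A PREROUTING -p udp --dport 53 -m string \
--hex-string "|056f6e696f6e00|" --algo bm -j REDIRECT --to-ports 5353
iptables -t nat -A OUTPUT -p udp --dport 53 -m string \
--hex-string "|056f6e696f6e00|" --algo bm -j REDIRECT --to-ports 5353
# forward onion subnet 10.192.0.0/10
iptables -t nat -A PREROUTING -p tcp -d 10.192.0.0/10 -j REDIRECT --to-port 9040
iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-port 9040
#forward blocked sites to tor
# -exist lets a repeated run reuse the set instead of failing on "set exists"
ipset -exist create blacklist iphash --maxelem 500000 --hashsize 2097152
#iptables -t nat -A PREROUTING -p tcp -m multiport --dports 80,443 \
iptables -t nat -A PREROUTING -p tcp \
-m set --match-set blacklist dst -j REDIRECT --to-port 9040
#iptables -t nat -A OUTPUT -p tcp -m multiport --dports 80,443 \
iptables -t nat -A OUTPUT -p tcp \
-m set --match-set blacklist dst -j REDIRECT --to-port 9040
# Bulk-load the list through a single "ipset restore" instead of one ipset
# process per address; -exist tolerates entries that are already in the set.
[ -e /root/blacklist.txt ] && sed 's/^/add blacklist /' /root/blacklist.txt | ipset -exist restore
EOF
chmod 755 /opt/etc/init.d/S36tor_iptables
echo 'Run /opt/etc/init.d/S36tor_iptables'
/opt/etc/init.d/S36tor_iptables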
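# Final instructions for refreshing the ipset by hand; the restore form loads
# the whole list in one ipset process and tolerates entries already present.
cat << 'EOF'
Done. To update blocked IPs list from github.com/zapret-info/z-i launch:
# /root/blacklist.sh
# ipset flush blacklist
# sed 's/^/add blacklist /' /root/blacklist.txt | ipset -exist restore
EOF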