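#!/bin/bash
# Host firewall and service start-up for a small multi-service VPS:
#   - INPUT is default-deny; only the listed service ports are opened.
#   - The "shadowsocks" account (ss-server on 2302, coward on 8808) gets an
#     egress whitelist enforced with the owner match on OUTPUT.
#   - ocserv VPN clients (192.168.251.0/24) are NATed out and restricted to a
#     few destination ports in FORWARD; their plain HTTP is redirected to the
#     local transparent proxy on 9128.
# Run as root. Rules are appended, never replaced: running this twice
# duplicates every rule. Flush first (iptables -F; iptables -t nat -F) when
# re-applying -- not done here because that would also remove rules installed
# by other tooling on the host.
set -u

readonly SS_USER=shadowsocks       # unprivileged account the proxies run as
readonly VPN_NET=192.168.251.0/24  # ocserv client address pool
readonly TPROXY_PORT=9128          # local transparent HTTP proxy

rule_failures=0

#######################################
# Run one iptables command.
# A failure is reported on stderr and counted but does not abort the script:
# the remaining rules are still installed, and the script exits non-zero at
# the end so the caller knows the rule set is incomplete (the original ran
# every line unchecked, so a rejected rule silently left a hole).
# Globals:   rule_failures (written)
# Arguments: the iptables arguments for a single command
# Returns:   the iptables exit status
#######################################
fw() {
  if ! iptables "$@"; then
    printf 'firewall: rule failed: iptables %s\n' "$*" >&2
    rule_failures=$((rule_failures + 1))
    return 1
  fi
}

# --- Baseline --------------------------------------------------------------
# The accept rules go in before the DROP policy is set so an administrator's
# session never sits in a window where INPUT is default-deny with no conntrack
# rule; the resulting table is identical either way.
fw -A INPUT -i lo -j ACCEPT
fw -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# 30001: purpose not stated in the original; kept open (presumably the
# admin/SSH port -- confirm).
fw -A INPUT -p tcp --dport 30001 -j ACCEPT
fw -P INPUT DROP
# NOTE(review): with ip_forward enabled, FORWARD ACCEPT means any traffic not
# matched by the VPN rules below is forwarded; confirm this is intended.
fw -P FORWARD ACCEPT
fw -P OUTPUT ACCEPT

# --- HTTP server -----------------------------------------------------------
fw -A INPUT -p tcp --dport 80 -j ACCEPT

# --- Public SS-Server shared to friends on 2302 -----------------------------
# At most 32 concurrent TCP connections per source address (/32).
fw -A INPUT -p tcp --syn --dport 2302 -m connlimit --connlimit-above 32 --connlimit-mask 32 -j DROP
fw -A INPUT -p tcp --dport 2302 -j ACCEPT
fw -A INPUT -p udp --dport 2302 -m limit --limit 16/s --limit-burst 32 -j ACCEPT
fw -A OUTPUT -p tcp -m owner --uid-owner "$SS_USER" --sport 2302 -j ACCEPT
fw -A OUTPUT -p udp -m owner --uid-owner "$SS_USER" --sport 2302 -j ACCEPT

# --- COWARD server on 8808 -------------------------------------------------
# --connlimit-mask is an IPv4 prefix length (0-32). The original used 64,
# which iptables rejects as out of range, so this rule was never installed
# and 8808 had no per-source SYN cap at all.
fw -A INPUT -p tcp --syn --dport 8808 -m connlimit --connlimit-above 64 --connlimit-mask 32 -j DROP
fw -A INPUT -p tcp --dport 8808 -j ACCEPT
fw -A OUTPUT -p tcp -m owner --uid-owner "$SS_USER" --sport 8808 -j ACCEPT

# --- Egress policy for the proxy account -----------------------------------
# Plain HTTP from the proxies is steered through the local transparent proxy;
# nat OUTPUT rewrites the port before filter OUTPUT sees the packet, which is
# why TPROXY_PORT is also in the allow list below.
fw -t nat -A OUTPUT -p tcp -m owner --uid-owner "$SS_USER" --dport 80 -j REDIRECT --to-port "$TPROXY_PORT"
# TCP destinations the proxies may reach; all other TCP is reset below. These
# are all disjoint ACCEPT rules, so their relative order does not matter.
for port in 995 465 119 2302 9999 30001 221 80 "$TPROXY_PORT" 443 53; do
  fw -A OUTPUT -p tcp -m owner --uid-owner "$SS_USER" --dport "$port" -j ACCEPT
done
fw -A OUTPUT -p udp -m owner --uid-owner "$SS_USER" --dport 2302 -j ACCEPT
fw -A OUTPUT -p udp -m owner --uid-owner "$SS_USER" --dport 53 -m limit --limit 6/s --limit-burst 12 -j ACCEPT
fw -A OUTPUT -p tcp -m owner --uid-owner "$SS_USER" -j REJECT --reject-with tcp-reset
# NOTE(review): there is no UDP catch-all here, so UDP from the proxy account
# to any other port -- and DNS packets above the 6/s limit -- fall through to
# the OUTPUT ACCEPT policy; the limit on 53 is therefore not enforced. Confirm
# whether that is intended (ss-server -u relays UDP to arbitrary hosts).

# --- OCserv VPN on 443 -----------------------------------------------------
fw -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 32 --connlimit-mask 32 -j DROP
fw -A INPUT -p tcp --dport 443 -j ACCEPT
fw -A INPUT -p udp --dport 443 -m limit --limit 16/s --limit-burst 32 -j ACCEPT
# No client-to-client traffic; anything addressed back into the pool passes.
fw -A FORWARD -s "$VPN_NET" -d "$VPN_NET" -j DROP
fw -A FORWARD -d "$VPN_NET" -j ACCEPT
# Client HTTP goes through the local transparent proxy, which must accept it.
fw -t nat -A PREROUTING -s "$VPN_NET" -p tcp --dport 80 -j REDIRECT --to-port "$TPROXY_PORT"
fw -A INPUT -s "$VPN_NET" -p tcp --dport "$TPROXY_PORT" -j ACCEPT
# Destinations clients may reach directly.
fw -A FORWARD -s "$VPN_NET" -p udp --dport 53 -j ACCEPT
for port in 53 21 443 993 995; do
  fw -A FORWARD -s "$VPN_NET" -p tcp --dport "$port" -j ACCEPT
done
fw -A FORWARD -s "$VPN_NET" -p tcp --syn -m limit --limit 1/s --limit-burst 2 --dport 465 -j ACCEPT
# NOTE(review): this connlimit sits after every ACCEPT above, so the only TCP
# it can still see is traffic the next rule resets anyway; if a per-client
# connection cap was intended it has to precede the ACCEPT rules.
fw -A FORWARD -s "$VPN_NET" -p tcp --syn -m connlimit --connlimit-above 32 --connlimit-mask 32 -j DROP
fw -A FORWARD -s "$VPN_NET" -p tcp -j REJECT --reject-with tcp-reset
fw -A FORWARD -s "$VPN_NET" -j DROP
fw -t nat -A POSTROUTING -s "$VPN_NET" -j MASQUERADE

# --- Start the services ----------------------------------------------------
# All rules are in place before any listener comes up.
#   ss-server: -s bind address, -p server port, -l local port, -k password,
#              -m cipher, -u also relay UDP
# The su -c strings run under the account's login shell, so the redirections
# use the POSIX form ">file 2>&1"; "&>" is bash-only and a /bin/sh login shell
# would misparse it, leaving the crash log empty.
# NOTE(review): the ss-server password is on the command line and therefore
# visible to every local user through ps; ss-server's -c config file avoids
# that. The log and crash files also use fixed names under /tmp; a dedicated
# directory under /var/log is the safer place on a multi-user host.
su - "$SS_USER" -c "ss-server -s 0.0.0.0 -p 2302 -l 1080 -k public -m aes-128-cfb -u >/tmp/ss-crash.log 2>&1 &"
su - "$SS_USER" -c "/opt/coward/coward -p /opt/coward/proxy.conf -d -log /tmp/coward.log -s proxy >/tmp/coward-crash.log 2>&1 &"
# ocserv is not backgrounded here; presumably it daemonizes itself -- confirm.
/opt/ocserv/sbin/ocserv -c /opt/ocserv/etc/config
su - root -c "/opt/trap/trap -config /opt/trap/trap-config.json -log /tmp/trap.log -profiling-cpu /tmp/trap-cpu.pprof -profiling-mem /tmp/trap-mem.pprof 2>/tmp/trap-crash.log &"

if (( rule_failures > 0 )); then
  printf 'firewall: %d rule(s) were not installed\n' "$rule_failures" >&2
  exit 1
fi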