<?xml version="1.0" encoding="utf-8"?>
<!--
  firewalld direct rules confining the egress of the "shadowsocks" user to an
  allow-list of ports. IPv4 only: every entry is ipv="ipv4" and there is no
  ipv6 counterpart, so an IPv6-capable host is not covered by this file.

  Within a chain, priority 1 rules are evaluated before priority 255 rules;
  rules of equal priority are presumably applied in the order listed here,
  TODO confirm for the firewalld version in use.
-->
<direct>
<!-- Custom chains: the egress allow-list lives in the filter table, the
     transparent HTTP redirect in the nat table. -->
<chain table="filter" ipv="ipv4" chain="proxy_restriction"/>
<chain table="nat" ipv="ipv4" chain="proxy_redirect"/>
<!-- proxy_restriction: RETURN hands an allowed packet back to the calling
     OUTPUT chain; anything not returned by a priority-1 rule reaches the
     priority-255 terminal rules at the end of the chain. Only TCP and UDP
     are matched here, so packets of any other protocol (ICMP for instance)
     leave the chain unmatched. -->
<!-- Replies sent by a local service listening on TCP/UDP port 2302. -->
<rule priority="1" table="filter" ipv="ipv4" chain="proxy_restriction">-p tcp --sport 2302 -j RETURN</rule>
<rule priority="1" table="filter" ipv="ipv4" chain="proxy_restriction">-p udp --sport 2302 -j RETURN</rule>
<!-- Local proxy listener ports (3128 is also the REDIRECT target below). -->
<rule priority="1" table="filter" ipv="ipv4" chain="proxy_restriction">-p tcp --dport 3128 -j RETURN</rule>
<rule priority="1" table="filter" ipv="ipv4" chain="proxy_restriction">-p tcp --dport 8080 -j RETURN</rule>
<rule priority="1" table="filter" ipv="ipv4" chain="proxy_restriction">-p tcp --dport 1080 -j RETURN</rule>
<!-- Well-known destination ports: POP3S 995, submission 587, SMTPS 465,
     HTTPS 443, SSH 22, FTP 21. -->
<rule priority="1" table="filter" ipv="ipv4" chain="proxy_restriction">-p tcp --dport 995 -j RETURN</rule>
<rule priority="1" table="filter" ipv="ipv4" chain="proxy_restriction">-p tcp --dport 587 -j RETURN</rule>
<rule priority="1" table="filter" ipv="ipv4" chain="proxy_restriction">-p tcp --dport 465 -j RETURN</rule>
<rule priority="1" table="filter" ipv="ipv4" chain="proxy_restriction">-p tcp --dport 443 -j RETURN</rule>
<rule priority="1" table="filter" ipv="ipv4" chain="proxy_restriction">-p tcp --dport 22 -j RETURN</rule>
<rule priority="1" table="filter" ipv="ipv4" chain="proxy_restriction">-p tcp --dport 21 -j RETURN</rule>
<!-- DNS: TCP unrestricted, UDP capped at 6 packets/s with a burst of 12.
     UDP packets above the rate do not match the limit rule and therefore
     fall through to the UDP DROP at priority 255. -->
<rule priority="1" table="filter" ipv="ipv4" chain="proxy_restriction">-p tcp --dport 53 -j RETURN</rule>
<rule priority="1" table="filter" ipv="ipv4" chain="proxy_restriction">-p udp --dport 53 -m limit --limit 6/s --limit-burst 12 -j RETURN</rule>
<!-- Terminal rules: every TCP/UDP packet not returned above is refused,
     TCP with a reset so the proxy process fails fast, UDP silently. -->
<rule priority="255" table="filter" ipv="ipv4" chain="proxy_restriction">-p tcp -j REJECT --reject-with tcp-reset</rule>
<rule priority="255" table="filter" ipv="ipv4" chain="proxy_restriction">-p udp -j DROP</rule>
<!-- proxy_redirect: outbound HTTP of the proxy user is redirected to the
     local listener on 3128, which the filter chain above already allows. -->
<rule priority="1" table="nat" ipv="ipv4" chain="proxy_redirect">-p tcp --dport 80 -j REDIRECT --to-port 3128</rule>
<!-- Hook both chains into OUTPUT, but only for sockets owned by uid
     "shadowsocks"; other users are not affected by this file. -->
<rule priority="1" table="filter" ipv="ipv4" chain="OUTPUT">-m owner --uid-owner shadowsocks -j proxy_restriction</rule>
<rule priority="1" table="nat" ipv="ipv4" chain="OUTPUT">-m owner --uid-owner shadowsocks -j proxy_redirect</rule>
</direct>
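#!/bin/sh
# Host firewall and daemon start-up for a public proxy host (iptables / IPv4
# only: ip6tables is never touched, so a global IPv6 address on this host is
# not covered by anything below).
#
# Sections:
#   1. default chain policies
#   2. INPUT allow-list, each public service behind a per-source SYN limit
#   3. nat PREROUTING redirects of the public ports to the listener ports
#   4. egress allow-list for the "shadowsocks" account; everything else from
#      that account is rejected (TCP) or dropped (UDP)
#   5. daemon start-up
#
# Rules are appended (-A) and nothing is flushed first, so running the script
# twice installs every rule twice. A failing iptables call is not fatal: the
# remaining lines still run.

# 1. Policies. INPUT is closed before the allow rules exist, so packets of
#    already-open sessions are dropped (and retransmitted by the peer) until
#    the conntrack rule below is in place. FORWARD ACCEPT only matters if
#    net.ipv4.ip_forward is enabled, in which case this host routes traffic.
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# 2. INPUT allow-list.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 29082 -j ACCEPT

# Per-source SYN limits. --connlimit-mask is a prefix length (0 to 32 on
# IPv4); the previous values 64 and 1024 are out of range, iptables refuses
# such a rule, and the ACCEPT that follows each limit then applied with no
# limit at all. 32 counts connections per source address.

# COWARD projector at port 8899
iptables -A INPUT -p tcp --syn --dport 8899 -m connlimit --connlimit-above 64 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp --dport 8899 -j ACCEPT
iptables -t filter -A OUTPUT -m owner --uid-owner shadowsocks -p tcp --sport 8899 -j ACCEPT

# 3. Public ports 80/443/221 are redirected to the listener ports
#    55580/55443/55521 in nat PREROUTING, which runs before filter INPUT.
#    INPUT therefore sees the listener port, never the public one, so the
#    SYN limit has to be attached to the listener port; limits on dport
#    80/443/221 in INPUT never matched. The former INPUT ACCEPTs for the
#    public ports were dead for the same reason and are gone: if a redirect
#    is not installed the public port now stays closed (policy DROP) rather
#    than open without a limit.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 55580
iptables -A INPUT -p tcp --syn --dport 55580 -m connlimit --connlimit-above 1024 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp --dport 55580 -j ACCEPT
iptables -t filter -A OUTPUT -m owner --uid-owner shadowsocks -p tcp --sport 55580 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 55443
iptables -A INPUT -p tcp --syn --dport 55443 -m connlimit --connlimit-above 1024 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp --dport 55443 -j ACCEPT
iptables -t filter -A OUTPUT -m owner --uid-owner shadowsocks -p tcp --sport 55443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 221 -j REDIRECT --to-port 55521
iptables -A INPUT -p tcp --syn --dport 55521 -m connlimit --connlimit-above 64 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp --dport 55521 -j ACCEPT
iptables -t filter -A OUTPUT -m owner --uid-owner shadowsocks -p tcp --sport 55521 -j ACCEPT

# COWARD server at port 2302. UDP 2302 is allowed outbound only: nothing
# accepts UDP 2302 on INPUT, so an inbound UDP service on that port would
# not be reachable.
iptables -A INPUT -p tcp --syn --dport 2302 -m connlimit --connlimit-above 64 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp --dport 2302 -j ACCEPT
iptables -t filter -A OUTPUT -m owner --uid-owner shadowsocks -p tcp --sport 2302 -j ACCEPT
iptables -t filter -A OUTPUT -m owner --uid-owner shadowsocks -p udp --sport 2302 -j ACCEPT

# Public SS-Server shared to friends on 9999. ss-server is started with -u
# (UDP relay) below, but only TCP 9999 is accepted on INPUT, so the UDP
# relay is unreachable from outside unless a udp dport 9999 ACCEPT is added
# on purpose.
iptables -A INPUT -p tcp --syn --dport 9999 -m connlimit --connlimit-above 32 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp --dport 9999 -j ACCEPT
iptables -t filter -A OUTPUT -m owner --uid-owner shadowsocks -p tcp --sport 9999 -j ACCEPT
iptables -t filter -A OUTPUT -m owner --uid-owner shadowsocks -p udp --sport 9999 -j ACCEPT

# 4. Egress allow-list for the shadowsocks account. Outbound HTTP is first
#    redirected to the local listener on 8080 (nat OUTPUT runs before filter
#    OUTPUT, so the dport 8080 ACCEPT is the rule that admits it).
iptables -t nat -A OUTPUT -m owner --uid-owner shadowsocks -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t filter -A OUTPUT -m owner --uid-owner shadowsocks -p tcp --dport 8080 -j ACCEPT
iptables -t filter -A OUTPUT -m owner --uid-owner shadowsocks -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -m owner --uid-owner shadowsocks -p tcp --dport 443 -j ACCEPT
# DNS: UDP capped at 6 packets/s (burst 12), TCP unrestricted.
iptables -t filter -A OUTPUT -m owner --uid-owner shadowsocks -p udp --dport 53 -m limit --limit 6/s --limit-burst 12 -j ACCEPT
iptables -t filter -A OUTPUT -m owner --uid-owner shadowsocks -p tcp --dport 53 -j ACCEPT
# Terminal rules for the account. The UDP DROP is what makes the DNS rate
# limit effective: without it, packets over the limit fell through to the
# OUTPUT policy (ACCEPT) and the account could send UDP to any destination,
# while its TCP was already confined by the REJECT. UDP is now restricted to
# DNS plus replies from the account's own listeners, mirroring the TCP side.
iptables -t filter -A OUTPUT -m owner --uid-owner shadowsocks -p tcp -j REJECT --reject-with tcp-reset
iptables -t filter -A OUTPUT -m owner --uid-owner shadowsocks -p udp -j DROP

# 5. Daemons. Each is backgrounded inside su and left unsupervised (no
#    restart after a crash); a service unit would be the usual replacement.
# -s <server_host> host name or ip address of your remote server
# -p <server_port> port number of your remote server
# -l <local_port> port number of your local server
# -k <password> password of your remote server
# The secret given with -k is visible to every local user in the process list
# for as long as ss-server runs, and rc4-md5 is a deprecated stream cipher
# with no integrity protection; ss-server can read its settings from a config
# file (-c) instead and offers AEAD ciphers. The line is kept as deployed;
# change the secret and cipher together with the clients.
su - shadowsocks -c "ss-server -s 0.0.0.0 -p 9999 -l 1080 -k public -m rc4-md5 -u &"
# Logs and profiles are written to fixed file names in /tmp; trap runs as
# root, so its output files belong in a directory only root can write to
# rather than a world-writable one.
su - shadowsocks -c "/opt/coward/coward -p /opt/coward/proxy.conf -d -log /tmp/coward.log -s proxy &>/tmp/coward-crash.log &"
su - shadowsocks -c "/opt/coward/coward -p /opt/coward/projector.conf -d -log /tmp/coward-projector.log -s projector &>/tmp/coward-projector-crash.log &"
su - root -c "/opt/trap/trap -config /opt/trap/trap-config.json -log /tmp/trap.log -profiling-cpu /tmp/trap-cpu.pprof -profiling-mem /tmp/trap-mem.pprof 2>/tmp/trap-crash.log &"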