From 0b8df0f42a1cf418b615327483f3b043b24546bc Mon Sep 17 00:00:00 2001
From: Dmitry Chumak
Date: Sun, 14 Jul 2024 13:52:00 +0300
Subject: [PATCH] more scripts and configs
---
 scripts/opt_etc/crontab | 12 +++++++
 scripts/opt_etc/dnsmasq.conf | 20 ++++++++++++
 scripts/opt_etc/hl-domains.dnsmasq | 9 ++++++
 scripts/opt_etc_init.d/S09dnscrypt-proxy | 10 ++++++
 scripts/opt_etc_init.d/S99unblock | 5 +++
 scripts/opt_etc_ndm_fs.d/100-ipset.sh | 8 +++++
 .../100-unblock-vpn.sh | 31 +++++++++++++++++++
 .../opt_etc_ndm_netfilter.d/100-redirect.sh | 20 ++++++++++++
 scripts/opt_etc_ndm_netfilter.d/10m-mark4.sh | 23 ++++++++++++++
 9 files changed, 138 insertions(+)
 create mode 100644 scripts/opt_etc/crontab
 create mode 100644 scripts/opt_etc/dnsmasq.conf
 create mode 100644 scripts/opt_etc/hl-domains.dnsmasq
 create mode 100644 scripts/opt_etc_init.d/S09dnscrypt-proxy
 create mode 100644 scripts/opt_etc_init.d/S99unblock
 create mode 100644 scripts/opt_etc_ndm_fs.d/100-ipset.sh
 create mode 100644 scripts/opt_etc_ndm_ifstatechanged.d/100-unblock-vpn.sh
 create mode 100644 scripts/opt_etc_ndm_netfilter.d/100-redirect.sh
 create mode 100644 scripts/opt_etc_ndm_netfilter.d/10m-mark4.sh
diff --git a/scripts/opt_etc/crontab b/scripts/opt_etc/crontab
new file mode 100644
index 0000000..751a3da
--- /dev/null
+++ b/scripts/opt_etc/crontab
@@ -0,0 +1,12 @@
+SHELL=/opt/bin/sh
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/opt/bin:/opt/sbin
+MAILTO=""
+HOME=/
+# ---------- ---------- Default is Empty ---------- ---------- #
+*/1 * * * * root /opt/bin/run-parts /opt/etc/cron.1min
+*/5 * * * * root /opt/bin/run-parts /opt/etc/cron.5mins
+01 * * * * root /opt/bin/run-parts /opt/etc/cron.hourly
+02 4 * * * root /opt/bin/run-parts /opt/etc/cron.daily
+22 4 * * 0 root /opt/bin/run-parts /opt/etc/cron.weekly
+42 4 1 * * root /opt/bin/run-parts /opt/etc/cron.monthly
+*/30 * * * * root /opt/bin/apply_unblock_rules.sh 2>&1 >> /opt/var/log/cron && date >> /opt/var/log/cron
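Review bot: The redirection on the last entry, `2>&1 >> /opt/var/log/cron`, is in the wrong order: `2>&1` is applied first, so stderr is joined to the original stdout and only stdout is appended to the log, meaning any error from apply_unblock_rules.sh never reaches /opt/var/log/cron — and with `MAILTO=""` on line 3 it is discarded entirely. Swap the two so the log captures both streams: `*/30 * * * * root /opt/bin/apply_unblock_rules.sh >> /opt/var/log/cron 2>&1 && date >> /opt/var/log/cron`. Note also that `&& date` only stamps successful runs; if the timestamp is meant to prove the job fired at all, use `; date >> /opt/var/log/cron` instead so failures are dated too.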
diff --git a/scripts/opt_etc/dnsmasq.conf b/scripts/opt_etc/dnsmasq.conf
new file mode 100644
index 0000000..d0723e2
--- /dev/null
+++ b/scripts/opt_etc/dnsmasq.conf
@@ -0,0 +1,20 @@
+user=nobody
+bogus-priv
+no-negcache
+clear-on-reload
+bind-dynamic
+listen-address=192.168.0.1
+listen-address=127.0.0.1
+min-port=4096
+cache-size=1536
+expand-hosts
+log-async
+#log-queries
+#log-facility=/var/log/dnsmasq.log
+#addn-hosts=/etc/hosts
+
+conf-file=/opt/etc/unblock.dnsmasq
+conf-file=/opt/etc/its-domains.conf
+conf-file=/opt/etc/hl-domains.dnsmasq
+conf-file=/opt/etc/dnsmasq.themoviedb.conf
+server=8.8.8.8
diff --git a/scripts/opt_etc/hl-domains.dnsmasq b/scripts/opt_etc/hl-domains.dnsmasq
new file mode 100644
index 0000000..cf74e9d
--- /dev/null
+++ b/scripts/opt_etc/hl-domains.dnsmasq
@@ -0,0 +1,9 @@
+address=/jf.venya.tech/192.168.0.104
+address=/js.venya.tech/192.168.0.104
+address=/h.venya.tech/192.168.0.104
+address=/ci.venya.tech/192.168.0.104
+address=/bt.venya.tech/192.168.0.104
+address=/outline.venya.tech/192.168.0.104
+address=/cockpit.venya.tech/192.168.0.104
+address=/npm.venya.tech/192.168.0.104
+address=/photo.venya.tech/192.168.0.104
diff --git a/scripts/opt_etc_init.d/S09dnscrypt-proxy b/scripts/opt_etc_init.d/S09dnscrypt-proxy
new file mode 100644
index 0000000..0feb6e1
--- /dev/null
+++ b/scripts/opt_etc_init.d/S09dnscrypt-proxy
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+ENABLED=yes
+PROCS=dnscrypt-proxy
+ARGS="--local-address=127.0.0.1:53 --daemonize -R quad9-dnscrypt-ip4-nofilter-pri"
+PREARGS=""
+DESC=
+PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+. /opt/etc/init.d/rc.func
diff --git a/scripts/opt_etc_init.d/S99unblock b/scripts/opt_etc_init.d/S99unblock
new file mode 100644
index 0000000..4e56bca
--- /dev/null
+++ b/scripts/opt_etc_init.d/S99unblock
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+[ "$1" != "start" ] && exit 0
+
+/opt/bin/unblock_ipset.sh &
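Review bot: `server=8.8.8.8` on the last line forwards every query to Google in plaintext, so the dnscrypt-proxy that this same commit starts (S09dnscrypt-proxy, bound to 127.0.0.1:53) is never on dnsmasq's resolution path; and because there is no `no-resolv`, dnsmasq also keeps every nameserver from /etc/resolv.conf, so 8.8.8.8 is added to the upstream pool rather than replacing it. To actually use the encrypted resolver, add `no-resolv` and replace the last line with `server=127.0.0.1#<dnscrypt-proxy port>`, with dnscrypt-proxy moved off port 53 so it does not collide with dnsmasq's own `listen-address=127.0.0.1` (which has no `port=` override here). If the plaintext upstream is deliberate, say so next to it, e.g. `# plaintext upstream; bypasses dnscrypt-proxy on purpose`, because the two files otherwise read as contradicting each other.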
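Review bot: `--local-address=127.0.0.1:53` in ARGS binds the same address and port that dnsmasq.conf in this commit listens on (`listen-address=127.0.0.1` with no `port=` directive), so unless a port override lives in a file not shown here, whichever daemon starts second fails to bind and rc.func gives no indication of it. Move dnscrypt-proxy to a dedicated local port, e.g. `ARGS="--local-address=127.0.0.1:5353 --daemonize -R quad9-dnscrypt-ip4-nofilter-pri"`, and reference that port from dnsmasq's `server=` line. `-R <resolver-name>` is the dnscrypt-proxy 1.x command line; if the installed Entware package is 2.x it expects a TOML config instead, so the flag set is worth confirming against the actual binary.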
diff --git a/scripts/opt_etc_ndm_fs.d/100-ipset.sh b/scripts/opt_etc_ndm_fs.d/100-ipset.sh
new file mode 100644
index 0000000..8d9de30
--- /dev/null
+++ b/scripts/opt_etc_ndm_fs.d/100-ipset.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+[ "$1" != "start" ] && exit 0
+
+ipset create unblock hash:net -exist
+
+exit 0
+
diff --git a/scripts/opt_etc_ndm_ifstatechanged.d/100-unblock-vpn.sh b/scripts/opt_etc_ndm_ifstatechanged.d/100-unblock-vpn.sh
new file mode 100644
index 0000000..dd1133b
--- /dev/null
+++ b/scripts/opt_etc_ndm_ifstatechanged.d/100-unblock-vpn.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+LOG=/opt/tmp/ndm-debug.log
+
+echo "=====================" >> $LOG
+echo "$1\n\n$change\n\n$id" >> $LOG
+echo "${id}-${change}-${connected}-${link}-${up}" >> $LOG
+
+#!/bin/sh
+
+[ "$1" == "hook" ] || exit 0
+#[ "$change" == "link" ] || exit 0
+[ "$id" == "Wireguard0" ] || exit 0
+
+IF_NAME=nwg0
+IF_GW4=$(ip -4 addr show "$IF_NAME" | grep -Po "(?<=inet ).*(?=/)")
+
+case ${id}-${change}-${connected}-${link}-${up} in
+${id}-config-no-down-down)
+ip -4 rule del fwmark 0xd1000 lookup 1001 priority 1778 2>/dev/null
+ip -4 route flush table 1001
+;;
+${id}-connected-yes-up-up)
+ip -4 route add table 1001 default via "$IF_GW4" dev "$IF_NAME" 2>/dev/null
+ip -4 route show table main |grep -Ev ^default |while read ROUTE; do ip -4 route add table 1001 $ROUTE 2>/dev/null; done
+ip -4 rule add fwmark 0xd1000 lookup 1001 priority 1778 2>/dev/null
+ip -4 route flush cache
+;;
+esac
+
+exit 0
diff --git a/scripts/opt_etc_ndm_netfilter.d/100-redirect.sh b/scripts/opt_etc_ndm_netfilter.d/100-redirect.sh
new file mode 100644
index 0000000..30c6058
--- /dev/null
+++ b/scripts/opt_etc_ndm_netfilter.d/100-redirect.sh
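Review bot: In the `connected-yes-up-up` branch nothing checks that `IF_GW4` is non-empty and both the default-route add and the `ip -4 rule add fwmark 0xd1000 lookup 1001` carry `2>/dev/null`, so if `grep -Po` is unavailable (busybox grep is often built without PCRE) or the address lookup comes back empty, table 1001 is left without a default route and marked traffic falls through to the main table — packets intended for the VPN leave via the WAN with no error anywhere. Guard it and fail loudly: `[ -n "$IF_GW4" ] || { logger -t unblock-vpn "no IPv4 address on $IF_NAME"; exit 1; }`, drop `2>/dev/null` from the rule/route adds, and consider `ip -4 route add table 1001 unreachable default metric 1000` so a missing VPN route blackholes instead of leaking. Separately, the three `echo ... >> $LOG` lines run on every interface event, before the `hook`/`Wireguard0` filters, and grow /opt/tmp/ndm-debug.log without bound, and there is a second `#!/bin/sh` left mid-file; both look like debugging leftovers to remove. `==` inside `[ ]` is not POSIX and only works because /bin/sh here is presumably busybox ash — `=` is the portable form.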
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+[ "$type" == "ip6tables" ] && exit 0
+
+if [ -z "$(iptables-save 2>/dev/null | grep unblock)" ]; then
+ipset create unblock hash:net -exist
+#iptables -w -t nat -A PREROUTING -i br0 -p tcp -m set --match-set unblock dst -j REDIRECT --to-port 9141
+iptables -t nat -A POSTROUTING -o nwg0 -p tcp -m set --match-set unblock dst -j MASQUERADE
+iptables -t nat -A OUTPUT -p tcp -m set --match-set unblock dst -j MASQUERADE -o nwg0
+fi
+
+if [ -z "$(iptables-save 2>/dev/null | grep "udp \-\-dport 53 \-j DNAT")" ]; then
+iptables -w -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 192.168.0.1
+fi
+
+if [ -z "$(iptables-save 2>/dev/null | grep "tcp \-\-dport 53 \-j DNAT")" ]; then
+iptables -w -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 192.168.0.1
+fi
+
+exit 0
diff --git a/scripts/opt_etc_ndm_netfilter.d/10m-mark4.sh b/scripts/opt_etc_ndm_netfilter.d/10m-mark4.sh
new file mode 100644
index 0000000..bb1f424
--- /dev/null
+++ b/scripts/opt_etc_ndm_netfilter.d/10m-mark4.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+[ "$type" != "iptables" ] && exit 0
+[ "$table" != "mangle" ] && exit 0
+
+ip4t() {
+if ! iptables -C "$@" &>/dev/null; then
+iptables -A "$@"
+fi
+}
+
+# VPN
+ipset create unblock hash:net family inet -exist
+
+# С отключением fastnat и ускорителей
+#ip4t PREROUTING -t mangle -i br0 -p tcp -m set --match-set unblock dst -j MARK --set-mark 0xd1000
+#ip4t PREROUTING -t mangle -i br0 -p udp -m set --match-set unblock dst -j MARK --set-mark 0xd1000
+
+# Без отключения
+ip4t PREROUTING -t mangle -m conntrack --ctstate NEW -m set --match-set unblock dst -j CONNMARK --set-mark 0xd1000
+ip4t PREROUTING -t mangle -j CONNMARK --restore-mark
+
+exit 0
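Review bot: `iptables -t nat -A OUTPUT -p tcp -m set --match-set unblock dst -j MASQUERADE -o nwg0` cannot be installed — the MASQUERADE target is only valid in the nat POSTROUTING chain, so iptables rejects the rule, and the script's unconditional `exit 0` hides that error; the POSTROUTING rule on the line above already covers the same traffic, so drop the OUTPUT line. The script also returns early only for `ip6tables` and the two DNAT rules are IPv4 `-i br0` only, so a LAN client with IPv6 connectivity can still query an external resolver over IPv6 and bypass the overrides in hl-domains.dnsmasq; either add the equivalent rules when `$type` is `ip6tables` or state in a header comment that IPv6 DNS is intentionally not captured. Finally the first two `iptables` calls omit `-w` while the DNAT ones use it; since the ndm netfilter hook can race the router's own firewall reload, use `-w` on all of them.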
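Review bot: `&>/dev/null` in `ip4t` is a bash redirection; under a POSIX `#!/bin/sh` it parses as `iptables -C "$@" &` (backgrounded, status 0) followed by an empty `>/dev/null` command, so the `if !` test always succeeds and `iptables -A "$@"` appends a duplicate CONNMARK rule on every hook invocation — busybox ash only understands `&>` when built with bash-compat, so the behaviour depends on the shell build. Use the portable form `if ! iptables -w -C "$@" >/dev/null 2>&1; then` and `iptables -w -A "$@"`, which also adds the `-w` lock the other netfilter script in this commit uses. The two comments are in Russian while the rest of the scripts are English; `# with fastnat and the hardware accelerators disabled` and `# without disabling them` would make the choice between the commented-out MARK rules and the active CONNMARK ones readable to other maintainers.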