Yes, that's exactly how I entered it, but it didn't work on the 2nd provider either.
Maybe the log will help somehow.
Spoiler
initializing conntrack with timeouts tcp=60:300:60 udp=60
opening library handle
unbinding existing nf_queue handler for AF_INET (if any)
binding nfnetlink_queue as nf_queue handler for AF_INET
binding this socket to queue ‘200’
setting copy_packet mode
initializing raw sockets bind-fix4=0 bind-fix6=0
set_socket_buffers fd=4 rcvbuf=2048 sndbuf=32768
fd=4 SO_RCVBUF=4096
fd=4 SO_SNDBUF=65536
set_socket_buffers fd=5 rcvbuf=2048 sndbuf=32768
fd=5 SO_RCVBUF=4096
fd=5 SO_SNDBUF=65536
seccomp: Invalid argument
seccomp: this can be safely ignored if kernel does not support seccomp
Running as UID=65534 GID=65534
set_socket_buffers fd=3 rcvbuf=65536 sndbuf=32768
fd=3 SO_RCVBUF=131072
fd=3 SO_SNDBUF=65536
packet: id=1 len=52 mark=0FFFFAAA
IP4: 192.168.1.34 => 217.69.139.200 proto=tcp ttl=127 sport=55567 dport=443 flags=S seq=3090842023 ack_seq=0
packet: id=1 pass unmodified
packet: id=2 len=40 mark=0FFFFAAA
IP4: 192.168.1.34 => 217.69.139.200 proto=tcp ttl=127 sport=55567 dport=443 flags=A seq=3090842024 ack_seq=1614145841
packet: id=2 pass unmodified
packet: id=3 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 217.69.139.200 proto=tcp ttl=127 sport=55567 dport=443 flags=AP seq=3090842024 ack_seq=1614145841
TCP: 16 03 01 02 00 01 00 01 FC 03 03 FA E5 9A 64 3B 6D A8 3A C9 89 8F BC 4F FE 00 E9 BF BB 2A D2 67 … : …d;m.:…O….g …
packet contains full TLS ClientHello
req retrans : seq interval 3090842024-3090842540
hostname: mail.ru
dpi desync src=192.168.1.34:55567 dst=217.69.139.200:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
rawsend: sendto: Operation not permitted
packet: id=3 pass unmodified
packet: id=4 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 217.69.139.200 proto=tcp ttl=127 sport=55567 dport=443 flags=AP seq=3090842024 ack_seq=1614145841
TCP: 16 03 01 02 00 01 00 01 FC 03 03 FA E5 9A 64 3B 6D A8 3A C9 89 8F BC 4F FE 00 E9 BF BB 2A D2 67 … : …d;m.:…O….g …
packet contains full TLS ClientHello
hostname: mail.ru
dpi desync src=192.168.1.34:55567 dst=217.69.139.200:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
reinjecting original packet. len=557 len_payload=517
packet: id=4 drop
packet: id=5 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 217.69.139.200 proto=tcp ttl=127 sport=55567 dport=443 flags=AP seq=3090842024 ack_seq=1614145841
TCP: 16 03 01 02 00 01 00 01 FC 03 03 FA E5 9A 64 3B 6D A8 3A C9 89 8F BC 4F FE 00 E9 BF BB 2A D2 67 … : …d;m.:…O….g …
packet contains full TLS ClientHello
hostname: mail.ru
dpi desync src=192.168.1.34:55567 dst=217.69.139.200:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
reinjecting original packet. len=557 len_payload=517
packet: id=5 drop
packet: id=6 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 217.69.139.200 proto=tcp ttl=127 sport=55567 dport=443 flags=AP seq=3090842024 ack_seq=1614145841
TCP: 16 03 01 02 00 01 00 01 FC 03 03 FA E5 9A 64 3B 6D A8 3A C9 89 8F BC 4F FE 00 E9 BF BB 2A D2 67 … : …d;m.:…O….g …
packet contains full TLS ClientHello
hostname: mail.ru
dpi desync src=192.168.1.34:55567 dst=217.69.139.200:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
reinjecting original packet. len=557 len_payload=517
packet: id=6 drop
packet: id=7 len=40 mark=0FFFFAAA
IP4: 192.168.1.34 => 62.128.100.252 proto=tcp ttl=127 sport=55559 dport=443 flags=AF seq=4226481216 ack_seq=3277573411
packet: id=7 pass unmodified
packet: id=8 len=60 mark=00000000
IP4: 100.120.87.198 => 95.213.212.51 proto=tcp ttl=64 sport=60746 dport=80 flags=S seq=3600033095 ack_seq=0
packet: id=8 pass unmodified
packet: id=9 len=52 mark=00000000
IP4: 100.120.87.198 => 95.213.212.51 proto=tcp ttl=64 sport=60746 dport=80 flags=A seq=3600033096 ack_seq=1896571047
packet: id=9 pass unmodified
packet: id=10 len=103 mark=00000000
IP4: 100.120.87.198 => 95.213.212.51 proto=tcp ttl=64 sport=60746 dport=80 flags=AP seq=3600033096 ack_seq=1896571047
TCP: 48 45 41 44 20 2F 63 68 65 63 6B 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 63 61 70 74 … : HEAD /check HTTP/1.1…Host: capt …
packet contains HTTP request
req retrans : tcp seq interval 3600033096-3600033146
dpi desync src=100.120.87.198:60746 dst=95.213.212.51:80
split pos 2
sending fake request : 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 77 2E 69 61 6E 61 2E 6F … : GET / HTTP/1.1…Host: www.iana.o …
reinjecting original packet. len=103 len_payload=51
packet: id=10 drop
packet: id=11 len=236 mark=00000000
IP4: 95.213.212.51 => 100.120.87.198 proto=tcp ttl=59 sport=80 dport=60746 flags=AP seq=1896571047 ack_seq=3600033147
TCP: 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 53 65 72 76 65 72 3A 20 6E 67 69 6E 78 0D 0A … : HTTP/1.1 200 OK…Server: nginx… …
packet: id=11 pass unmodified
packet: id=12 len=52 mark=00000000
IP4: 95.213.212.51 => 100.120.87.198 proto=tcp ttl=59 sport=80 dport=60746 flags=AF seq=1896571231 ack_seq=3600033147
packet: id=12 pass unmodified
packet: id=13 len=52 mark=00000000
IP4: 100.120.87.198 => 95.213.212.51 proto=tcp ttl=64 sport=60746 dport=80 flags=A seq=3600033147 ack_seq=1896571231
packet: id=13 pass unmodified
packet: id=14 len=40 mark=0FFFFAAA
IP4: 192.168.1.34 => 195.122.177.190 proto=tcp ttl=127 sport=55563 dport=443 flags=AF seq=2194387144 ack_seq=1981830576
packet: id=14 pass unmodified
packet: id=15 len=52 mark=0FFFFAAA
IP4: 192.168.1.34 => 130.255.77.28 proto=tcp ttl=127 sport=55568 dport=443 flags=S seq=364003295 ack_seq=0
packet: id=15 pass unmodified
packet: id=16 len=40 mark=0FFFFAAA
IP4: 192.168.1.34 => 130.255.77.28 proto=tcp ttl=127 sport=55568 dport=443 flags=A seq=364003296 ack_seq=394516371
packet: id=16 pass unmodified
packet: id=17 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 130.255.77.28 proto=tcp ttl=127 sport=55568 dport=443 flags=AP seq=364003296 ack_seq=394516371
TCP: 16 03 01 02 00 01 00 01 FC 03 03 67 8F 2B 28 D1 87 BE B8 E5 4C B3 80 E8 07 E0 89 E1 AC 01 FB E9 … : …g.+(…L… …
packet contains full TLS ClientHello
req retrans : seq interval 364003296-364003812
hostname: ntc.party
dpi desync src=192.168.1.34:55568 dst=130.255.77.28:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
rawsend: sendto: Operation not permitted
packet: id=17 pass unmodified
packet: id=18 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 130.255.77.28 proto=tcp ttl=127 sport=55568 dport=443 flags=AP seq=364003296 ack_seq=394516371
TCP: 16 03 01 02 00 01 00 01 FC 03 03 67 8F 2B 28 D1 87 BE B8 E5 4C B3 80 E8 07 E0 89 E1 AC 01 FB E9 … : …g.+(…L… …
packet contains full TLS ClientHello
hostname: ntc.party
dpi desync src=192.168.1.34:55568 dst=130.255.77.28:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
reinjecting original packet. len=557 len_payload=517
packet: id=18 drop
packet: id=19 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 130.255.77.28 proto=tcp ttl=127 sport=55568 dport=443 flags=AP seq=364003296 ack_seq=394516371
TCP: 16 03 01 02 00 01 00 01 FC 03 03 67 8F 2B 28 D1 87 BE B8 E5 4C B3 80 E8 07 E0 89 E1 AC 01 FB E9 … : …g.+(…L… …
packet contains full TLS ClientHello
hostname: ntc.party
dpi desync src=192.168.1.34:55568 dst=130.255.77.28:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
reinjecting original packet. len=557 len_payload=517
packet: id=19 drop
packet: id=20 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 130.255.77.28 proto=tcp ttl=127 sport=55568 dport=443 flags=AP seq=364003296 ack_seq=394516371
TCP: 16 03 01 02 00 01 00 01 FC 03 03 67 8F 2B 28 D1 87 BE B8 E5 4C B3 80 E8 07 E0 89 E1 AC 01 FB E9 … : …g.+(…L… …
packet contains full TLS ClientHello
hostname: ntc.party
dpi desync src=192.168.1.34:55568 dst=130.255.77.28:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
reinjecting original packet. len=557 len_payload=517
packet: id=20 drop
packet: id=21 len=40 mark=0FFFFAAA
IP4: 192.168.1.34 => 46.8.206.102 proto=tcp ttl=127 sport=55566 dport=443 flags=AF seq=812272676 ack_seq=1606382845
packet: id=21 pass unmodified
packet: id=22 len=52 mark=0FFFFAAA
IP4: 192.168.1.34 => 217.69.139.202 proto=tcp ttl=127 sport=55569 dport=443 flags=S seq=1453781481 ack_seq=0
packet: id=22 pass unmodified
packet: id=23 len=40 mark=0FFFFAAA
IP4: 192.168.1.34 => 217.69.139.202 proto=tcp ttl=127 sport=55569 dport=443 flags=A seq=1453781482 ack_seq=3809911992
packet: id=23 pass unmodified
packet: id=24 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 217.69.139.202 proto=tcp ttl=127 sport=55569 dport=443 flags=AP seq=1453781482 ack_seq=3809911992
TCP: 16 03 01 02 00 01 00 01 FC 03 03 51 0A D4 F3 AC CE 5C C9 C7 95 6D 18 44 11 79 23 A6 33 D8 AE B7 … : …Q….…m.D.y#.3… …
packet contains full TLS ClientHello
req retrans : seq interval 1453781482-1453781998
hostname: mail.ru
dpi desync src=192.168.1.34:55569 dst=217.69.139.202:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
rawsend: sendto: Operation not permitted
packet: id=24 pass unmodified
packet: id=25 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 217.69.139.202 proto=tcp ttl=127 sport=55569 dport=443 flags=AP seq=1453781482 ack_seq=3809911992
TCP: 16 03 01 02 00 01 00 01 FC 03 03 51 0A D4 F3 AC CE 5C C9 C7 95 6D 18 44 11 79 23 A6 33 D8 AE B7 … : …Q….…m.D.y#.3… …
packet contains full TLS ClientHello
hostname: mail.ru
dpi desync src=192.168.1.34:55569 dst=217.69.139.202:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
reinjecting original packet. len=557 len_payload=517
packet: id=25 drop
packet: id=26 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 217.69.139.202 proto=tcp ttl=127 sport=55569 dport=443 flags=AP seq=1453781482 ack_seq=3809911992
TCP: 16 03 01 02 00 01 00 01 FC 03 03 51 0A D4 F3 AC CE 5C C9 C7 95 6D 18 44 11 79 23 A6 33 D8 AE B7 … : …Q….…m.D.y#.3… …
packet contains full TLS ClientHello
hostname: mail.ru
dpi desync src=192.168.1.34:55569 dst=217.69.139.202:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
reinjecting original packet. len=557 len_payload=517
packet: id=26 drop
packet: id=27 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 217.69.139.202 proto=tcp ttl=127 sport=55569 dport=443 flags=AP seq=1453781482 ack_seq=3809911992
TCP: 16 03 01 02 00 01 00 01 FC 03 03 51 0A D4 F3 AC CE 5C C9 C7 95 6D 18 44 11 79 23 A6 33 D8 AE B7 … : …Q….…m.D.y#.3… …
packet contains full TLS ClientHello
hostname: mail.ru
dpi desync src=192.168.1.34:55569 dst=217.69.139.202:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
reinjecting original packet. len=557 len_payload=517
packet: id=27 drop
packet: id=28 len=60 mark=00000000
IP4: 100.120.87.198 => 95.213.212.51 proto=tcp ttl=64 sport=60760 dport=80 flags=S seq=2079849284 ack_seq=0
packet: id=28 pass unmodified
packet: id=29 len=52 mark=00000000
IP4: 100.120.87.198 => 95.213.212.51 proto=tcp ttl=64 sport=60760 dport=80 flags=A seq=2079849285 ack_seq=996207854
packet: id=29 pass unmodified
packet: id=30 len=103 mark=00000000
IP4: 100.120.87.198 => 95.213.212.51 proto=tcp ttl=64 sport=60760 dport=80 flags=AP seq=2079849285 ack_seq=996207854
TCP: 48 45 41 44 20 2F 63 68 65 63 6B 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 63 61 70 74 … : HEAD /check HTTP/1.1…Host: capt …
packet contains HTTP request
req retrans : tcp seq interval 2079849285-2079849335
dpi desync src=100.120.87.198:60760 dst=95.213.212.51:80
split pos 2
sending fake request : 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 77 2E 69 61 6E 61 2E 6F … : GET / HTTP/1.1…Host: www.iana.o …
reinjecting original packet. len=103 len_payload=51
packet: id=30 drop
packet: id=31 len=52 mark=00000000
IP4: 100.120.87.198 => 95.213.212.51 proto=tcp ttl=64 sport=60760 dport=80 flags=A seq=2079849336 ack_seq=996208038
packet: id=31 pass unmodified
packet: id=32 len=52 mark=0FFFFAAA
IP4: 192.168.1.34 => 130.255.77.28 proto=tcp ttl=127 sport=55570 dport=443 flags=S seq=4292954029 ack_seq=0
packet: id=32 pass unmodified
packet: id=33 len=40 mark=0FFFFAAA
IP4: 192.168.1.34 => 130.255.77.28 proto=tcp ttl=127 sport=55570 dport=443 flags=A seq=4292954030 ack_seq=2230576104
packet: id=33 pass unmodified
packet: id=34 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 130.255.77.28 proto=tcp ttl=127 sport=55570 dport=443 flags=AP seq=4292954030 ack_seq=2230576104
TCP: 16 03 01 02 00 01 00 01 FC 03 03 F6 25 F4 E0 2F 01 E2 35 0E E7 8C 9C 92 FE 0A 65 7A 42 AD E5 C6 … : …%…/…5…ezB… …
packet contains full TLS ClientHello
req retrans : seq interval 4292954030-4292954546
hostname: ntc.party
dpi desync src=192.168.1.34:55570 dst=130.255.77.28:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
rawsend: sendto: Operation not permitted
packet: id=34 pass unmodified
packet: id=35 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 130.255.77.28 proto=tcp ttl=127 sport=55570 dport=443 flags=AP seq=4292954030 ack_seq=2230576104
TCP: 16 03 01 02 00 01 00 01 FC 03 03 F6 25 F4 E0 2F 01 E2 35 0E E7 8C 9C 92 FE 0A 65 7A 42 AD E5 C6 … : …%…/…5…ezB… …
packet contains full TLS ClientHello
hostname: ntc.party
dpi desync src=192.168.1.34:55570 dst=130.255.77.28:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
reinjecting original packet. len=557 len_payload=517
packet: id=35 drop
packet: id=36 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 130.255.77.28 proto=tcp ttl=127 sport=55570 dport=443 flags=AP seq=4292954030 ack_seq=2230576104
TCP: 16 03 01 02 00 01 00 01 FC 03 03 F6 25 F4 E0 2F 01 E2 35 0E E7 8C 9C 92 FE 0A 65 7A 42 AD E5 C6 … : …%…/…5…ezB… …
packet contains full TLS ClientHello
hostname: ntc.party
dpi desync src=192.168.1.34:55570 dst=130.255.77.28:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
reinjecting original packet. len=557 len_payload=517
packet: id=36 drop
packet: id=37 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 130.255.77.28 proto=tcp ttl=127 sport=55570 dport=443 flags=AP seq=4292954030 ack_seq=2230576104
TCP: 16 03 01 02 00 01 00 01 FC 03 03 F6 25 F4 E0 2F 01 E2 35 0E E7 8C 9C 92 FE 0A 65 7A 42 AD E5 C6 … : …%…/…5…ezB… …
packet contains full TLS ClientHello
hostname: ntc.party
dpi desync src=192.168.1.34:55570 dst=130.255.77.28:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
reinjecting original packet. len=557 len_payload=517
packet: id=37 drop
packet: id=38 len=60 mark=00000000
IP4: 100.120.87.198 => 95.213.212.51 proto=tcp ttl=64 sport=60770 dport=80 flags=S seq=1477173190 ack_seq=0
packet: id=38 pass unmodified
packet: id=39 len=52 mark=00000000
IP4: 100.120.87.198 => 95.213.212.51 proto=tcp ttl=64 sport=60770 dport=80 flags=A seq=1477173191 ack_seq=598613237
packet: id=39 pass unmodified
packet: id=40 len=103 mark=00000000
IP4: 100.120.87.198 => 95.213.212.51 proto=tcp ttl=64 sport=60770 dport=80 flags=AP seq=1477173191 ack_seq=598613237
TCP: 48 45 41 44 20 2F 63 68 65 63 6B 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 63 61 70 74 … : HEAD /check HTTP/1.1…Host: capt …
packet contains HTTP request
req retrans : tcp seq interval 1477173191-1477173241
dpi desync src=100.120.87.198:60770 dst=95.213.212.51:80
split pos 2
sending fake request : 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 77 2E 69 61 6E 61 2E 6F … : GET / HTTP/1.1…Host: www.iana.o …
reinjecting original packet. len=103 len_payload=51
packet: id=40 drop
packet: id=41 len=236 mark=00000000
IP4: 95.213.212.51 => 100.120.87.198 proto=tcp ttl=60 sport=80 dport=60770 flags=AP seq=598613237 ack_seq=1477173242
TCP: 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 53 65 72 76 65 72 3A 20 6E 67 69 6E 78 0D 0A … : HTTP/1.1 200 OK…Server: nginx… …
packet: id=41 pass unmodified
packet: id=42 len=52 mark=00000000
IP4: 95.213.212.51 => 100.120.87.198 proto=tcp ttl=60 sport=80 dport=60770 flags=AF seq=598613421 ack_seq=1477173242
packet: id=42 pass unmodified
packet: id=43 len=52 mark=00000000
IP4: 100.120.87.198 => 95.213.212.51 proto=tcp ttl=64 sport=60770 dport=80 flags=A seq=1477173242 ack_seq=598613421
packet: id=43 pass unmodified
packet: id=44 len=52 mark=0FFFFAAA
IP4: 192.168.1.34 => 217.69.139.200 proto=tcp ttl=127 sport=55571 dport=443 flags=S seq=3822802805 ack_seq=0
packet: id=44 pass unmodified
packet: id=45 len=40 mark=0FFFFAAA
IP4: 192.168.1.34 => 217.69.139.200 proto=tcp ttl=127 sport=55571 dport=443 flags=A seq=3822802806 ack_seq=4040221001
packet: id=45 pass unmodified
packet: id=46 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 217.69.139.200 proto=tcp ttl=127 sport=55571 dport=443 flags=AP seq=3822802806 ack_seq=4040221001
TCP: 16 03 01 02 00 01 00 01 FC 03 03 F3 0C 00 D3 56 A4 BF 2F 26 A8 DE 9C 04 65 11 D6 04 4E 02 4B BF … : …V…/&…e…N.K. …
packet contains full TLS ClientHello
req retrans : seq interval 3822802806-3822803322
hostname: mail.ru
dpi desync src=192.168.1.34:55571 dst=217.69.139.200:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
rawsend: sendto: Operation not permitted
packet: id=46 pass unmodified
packet: id=47 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 217.69.139.200 proto=tcp ttl=127 sport=55571 dport=443 flags=AP seq=3822802806 ack_seq=4040221001
TCP: 16 03 01 02 00 01 00 01 FC 03 03 F3 0C 00 D3 56 A4 BF 2F 26 A8 DE 9C 04 65 11 D6 04 4E 02 4B BF … : …V…/&…e…N.K. …
packet contains full TLS ClientHello
hostname: mail.ru
dpi desync src=192.168.1.34:55571 dst=217.69.139.200:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
reinjecting original packet. len=557 len_payload=517
packet: id=47 drop
packet: id=48 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 217.69.139.200 proto=tcp ttl=127 sport=55571 dport=443 flags=AP seq=3822802806 ack_seq=4040221001
TCP: 16 03 01 02 00 01 00 01 FC 03 03 F3 0C 00 D3 56 A4 BF 2F 26 A8 DE 9C 04 65 11 D6 04 4E 02 4B BF … : …V…/&…e…N.K. …
packet contains full TLS ClientHello
hostname: mail.ru
dpi desync src=192.168.1.34:55571 dst=217.69.139.200:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
reinjecting original packet. len=557 len_payload=517
packet: id=48 drop
packet: id=49 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 217.69.139.200 proto=tcp ttl=127 sport=55571 dport=443 flags=AP seq=3822802806 ack_seq=4040221001
TCP: 16 03 01 02 00 01 00 01 FC 03 03 F3 0C 00 D3 56 A4 BF 2F 26 A8 DE 9C 04 65 11 D6 04 4E 02 4B BF … : …V…/&…e…N.K. …
packet contains full TLS ClientHello
hostname: mail.ru
dpi desync src=192.168.1.34:55571 dst=217.69.139.200:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
reinjecting original packet. len=557 len_payload=517
packet: id=49 drop
packet: id=50 len=52 mark=0FFFFAAA
IP4: 192.168.1.34 => 130.255.77.28 proto=tcp ttl=127 sport=55572 dport=443 flags=S seq=1149355692 ack_seq=0
packet: id=50 pass unmodified
packet: id=51 len=40 mark=0FFFFAAA
IP4: 192.168.1.34 => 130.255.77.28 proto=tcp ttl=127 sport=55572 dport=443 flags=A seq=1149355693 ack_seq=3111673898
packet: id=51 pass unmodified
packet: id=52 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 130.255.77.28 proto=tcp ttl=127 sport=55572 dport=443 flags=AP seq=1149355693 ack_seq=3111673898
TCP: 16 03 01 02 00 01 00 01 FC 03 03 D9 70 63 EE CD B3 0A 77 D9 FF E4 23 8D EF 74 42 2C 4D 01 2D A5 … : …pc…w…#…tB,M.-. …
packet contains full TLS ClientHello
req retrans : seq interval 1149355693-1149356209
hostname: ntc.party
dpi desync src=192.168.1.34:55572 dst=130.255.77.28:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
rawsend: sendto: Operation not permitted
packet: id=52 pass unmodified
packet: id=53 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 130.255.77.28 proto=tcp ttl=127 sport=55572 dport=443 flags=AP seq=1149355693 ack_seq=3111673898
TCP: 16 03 01 02 00 01 00 01 FC 03 03 D9 70 63 EE CD B3 0A 77 D9 FF E4 23 8D EF 74 42 2C 4D 01 2D A5 … : …pc…w…#…tB,M.-. …
packet contains full TLS ClientHello
hostname: ntc.party
dpi desync src=192.168.1.34:55572 dst=130.255.77.28:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
reinjecting original packet. len=557 len_payload=517
packet: id=53 drop
packet: id=54 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 130.255.77.28 proto=tcp ttl=127 sport=55572 dport=443 flags=AP seq=1149355693 ack_seq=3111673898
TCP: 16 03 01 02 00 01 00 01 FC 03 03 D9 70 63 EE CD B3 0A 77 D9 FF E4 23 8D EF 74 42 2C 4D 01 2D A5 … : …pc…w…#…tB,M.-. …
packet contains full TLS ClientHello
hostname: ntc.party
dpi desync src=192.168.1.34:55572 dst=130.255.77.28:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
reinjecting original packet. len=557 len_payload=517
packet: id=54 drop
packet: id=55 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 130.255.77.28 proto=tcp ttl=127 sport=55572 dport=443 flags=AP seq=1149355693 ack_seq=3111673898
TCP: 16 03 01 02 00 01 00 01 FC 03 03 D9 70 63 EE CD B3 0A 77 D9 FF E4 23 8D EF 74 42 2C 4D 01 2D A5 … : …pc…w…#…tB,M.-. …
packet contains full TLS ClientHello
hostname: ntc.party
dpi desync src=192.168.1.34:55572 dst=130.255.77.28:443
split pos 2
sending fake request : 16 03 01 02 00 01 00 01 FC 03 03 6F 0B B6 85 58 28 59 D5 0D 6C 78 39 7F 2B 0B 45 A3 71 4F 49 D6 … : …o…X(Y…lx+.E.qOI. …
reinjecting original packet. len=557 len_payload=517
packet: id=55 drop
packet: id=56 len=60 mark=00000000
IP4: 100.120.87.198 => 95.213.212.51 proto=tcp ttl=64 sport=60780 dport=80 flags=S seq=4053319156 ack_seq=0
packet: id=56 pass unmodified
packet: id=57 len=52 mark=00000000
IP4: 100.120.87.198 => 95.213.212.51 proto=tcp ttl=64 sport=60780 dport=80 flags=A seq=4053319157 ack_seq=3378629152
packet: id=57 pass unmodified
packet: id=58 len=103 mark=00000000
IP4: 100.120.87.198 => 95.213.212.51 proto=tcp ttl=64 sport=60780 dport=80 flags=AP seq=4053319157 ack_seq=3378629152
TCP: 48 45 41 44 20 2F 63 68 65 63 6B 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 63 61 70 74 … : HEAD /check HTTP/1.1…Host: capt …
packet contains HTTP request
req retrans : tcp seq interval 4053319157-4053319207
dpi desync src=100.120.87.198:60780 dst=95.213.212.51:80
split pos 2
sending fake request : 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 77 2E 69 61 6E 61 2E 6F … : GET / HTTP/1.1…Host: www.iana.o …
reinjecting original packet. len=103 len_payload=51
packet: id=58 drop
packet: id=59 len=236 mark=00000000
IP4: 95.213.212.51 => 100.120.87.198 proto=tcp ttl=59 sport=80 dport=60780 flags=AP seq=3378629152 ack_seq=4053319208
TCP: 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 53 65 72 76 65 72 3A 20 6E 67 69 6E 78 0D 0A … : HTTP/1.1 200 OK…Server: nginx… …
packet: id=59 pass unmodified
packet: id=60 len=52 mark=00000000
IP4: 95.213.212.51 => 100.120.87.198 proto=tcp ttl=59 sport=80 dport=60780 flags=AF seq=3378629336 ack_seq=4053319208
packet: id=60 pass unmodified
packet: id=61 len=52 mark=00000000
IP4: 100.120.87.198 => 95.213.212.51 proto=tcp ttl=64 sport=60780 dport=80 flags=A seq=4053319208 ack_seq=3378629336
packet: id=61 pass unmodified
And what should people on MGTS do? Zapret has completely stopped working; as I understand it, Cloudflare has been blocked entirely. That is, YouTube works, but Discord, for example, does not.
All set, solved. I tried once more and it worked, thanks for the program!
rawsend: sendto: Operation not permitted
That is probably the problem.
You can try the --bind-fix4 option.
Keenetics with advanced settings can corrupt the mark with their own rules.
It would be worth looking at
ip addr
ip rule
ip route
iptables -S
If ip rule references any additional tables, also ip route show table XXX
And how do I find out which protocol is used in a particular case? (I looked through the various connection parameters, and it isn't stated there.)
*Well, in theory OpenVPN shouldn't be in use; it seems to be blocked solid by now anyway.
You need to dig into the software. I haven't used it, so I can't say.
I didn't dig deep, but on Keenetic it feels like some hard block kicks in on sending any packets over a connection that is not currently the default gw. On OpenWrt there is nothing like that, even with iptables.
This is a long-known problem with raw sockets in Linux.
They do not properly follow the ip rule scheme and can leave via a different interface unless a number of special measures are taken: bind to ip, bind to device. That is what --bind-fix4 and --bind-fix6 are for.
They take the packet's outgoing interface from NFQUEUE and bind the socket to that interface on every send.
The denied error may be caused by one of the iptables rules in the OUTPUT chain that is meant to prevent a leak of an IP address foreign to the interface.
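A way to triage a debug log like the one posted earlier in the thread, as an added example that is not part of any post and is not zapret's own code: it groups records by flow and reports, per packet mark, which flows logged a rawsend error or kept retransmitting the same request. The sample log is constructed in the same format with documentation addresses, and the function names are hypothetical.

```python
import re
from collections import OrderedDict, defaultdict

# Constructed sample in the debug-log format shown in the thread
# (payload hex dumps omitted, destination addresses from documentation ranges).
SAMPLE_LOG = """\
packet: id=1 len=52 mark=0FFFFAAA
IP4: 192.168.1.34 => 198.51.100.10 proto=tcp ttl=127 sport=55567 dport=443 flags=S seq=1000 ack_seq=0
packet: id=1 pass unmodified
packet: id=2 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 198.51.100.10 proto=tcp ttl=127 sport=55567 dport=443 flags=AP seq=1001 ack_seq=5001
packet contains full TLS ClientHello
hostname: example.org
rawsend: sendto: Operation not permitted
packet: id=2 pass unmodified
packet: id=3 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 198.51.100.10 proto=tcp ttl=127 sport=55567 dport=443 flags=AP seq=1001 ack_seq=5001
packet contains full TLS ClientHello
hostname: example.org
reinjecting original packet. len=557 len_payload=517
packet: id=3 drop
packet: id=4 len=557 mark=0FFFFAAA
IP4: 192.168.1.34 => 198.51.100.10 proto=tcp ttl=127 sport=55567 dport=443 flags=AP seq=1001 ack_seq=5001
packet contains full TLS ClientHello
hostname: example.org
reinjecting original packet. len=557 len_payload=517
packet: id=4 drop
packet: id=5 len=103 mark=00000000
IP4: 203.0.113.7 => 198.51.100.20 proto=tcp ttl=64 sport=60746 dport=80 flags=AP seq=2001 ack_seq=7001
packet contains HTTP request
reinjecting original packet. len=103 len_payload=51
packet: id=5 drop
packet: id=6 len=52 mark=00000000
IP4: 203.0.113.7 => 198.51.100.20 proto=tcp ttl=64 sport=60746 dport=80 flags=A seq=2052 ack_seq=7185
packet: id=6 pass unmodified
"""

PACKET_RE = re.compile(r"^packet: id=(\d+) len=\d+ mark=([0-9A-Fa-f]{8})$")
IP4_RE = re.compile(
    r"^IP4: (\S+) => (\S+) proto=(\w+) ttl=\d+ "
    r"sport=(\d+) dport=(\d+) flags=(\w+) seq=(\d+) ack_seq=\d+$"
)
REQUEST_RE = re.compile(r"^packet contains (full TLS ClientHello|HTTP request)$")


def summarize(log_text):
    """Group log records by flow; return one summary dict per flow, in log order."""
    flows = OrderedDict()
    mark = flow = seq = None          # state of the record currently being read
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PACKET_RE.match(line)
        if m:                         # header line of a newly queued packet
            mark, flow, seq = m.group(2).upper(), None, None
            continue
        m = IP4_RE.match(line)
        if m and mark is not None:
            src, dst, _proto, sport, dport, _flags, seq = m.groups()
            key = f"{src}:{sport} -> {dst}:{dport}"
            flow = flows.setdefault(key, {
                "flow": key, "marks": set(), "hostname": None,
                "requests": defaultdict(int), "rawsend_errors": 0,
            })
            flow["marks"].add(mark)
            continue
        if flow is None:
            continue
        if REQUEST_RE.match(line):
            flow["requests"][seq] += 1        # same seq seen again = retransmit
        elif line.startswith("hostname: "):
            flow["hostname"] = line.split(": ", 1)[1]
        elif line.startswith("rawsend: sendto:"):
            flow["rawsend_errors"] += 1
    result = []
    for f in flows.values():
        per_seq = f.pop("requests")
        f["requests"] = sum(per_seq.values())
        f["retransmits"] = sum(n - 1 for n in per_seq.values())
        f["marks"] = sorted(f["marks"])
        result.append(f)
    return result


def failing_marks(summary):
    """Map each packet mark to the flows that logged a rawsend error or a retransmit."""
    bad = defaultdict(list)
    for f in summary:
        if f["rawsend_errors"] or f["retransmits"]:
            for mark in f["marks"]:
                bad[mark].append(f["flow"])
    return dict(bad)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for f in report:
        print(f["flow"], f["marks"], f["hostname"],
              "rawsend_errors=%d retransmits=%d" % (f["rawsend_errors"], f["retransmits"]))
    print("marks with failing flows:", failing_marks(report))
```

If every failing flow carries the same non-zero mark while flows with mark 00000000 complete, that points at mark-based firewall or routing rules rather than at the desync parameters.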
HOORAAAAY, this --bind-fix4 worked, thanks for the program!
by accident)
Is it possible to make zapret work on Android without root access, by creating a proxy server and using zapret through Bromite?
Or would it probably be easier to install Linux in a virtual machine, put zapret on it and set up a proxy?
Without root, only tpws --socks.
But there is no app for it.
There is byedpi, and it has more features plus an app.
byedpi is of no interest
iptables and nfqws require cap_net_admin and cap_net_raw
without root it is impossible to obtain them
plus there is friction with selinux
@bolvan
Maybe it makes sense to add a warning file? Something like \ipset!!!DO NOT PUT YOUR FILES HERE!!!.txt
I understand that one should read the manual and that it's written there, but why not make some such file that people would notice?
And another idea: add a warning when blockcheck starts. It can be told which files should be in the ipset folder, and if there are others, show a warning?
I will not clutter blockcheck with functionality unrelated to it.
A warning in the form of files is possible, but it won't look great to competent people. Do they take us for idiots? Everywhere it's go here, don't go there, a brick will fall on you.
And checking files in code means having to know at all times which ones should be there and which shouldn't. It changes between versions.
No way. They'll learn by stepping on their own rakes. If they're fine with it and rewriting things again after installation is no trouble, then so be it.
On new firmware versions, 10-keenetic-udp-fix (the fix-up add-on for Keenetic against missing masquerade without ndmmark) has started dropping out periodically for me, sometimes after five minutes, sometimes after 20. Until you restart zapret, not a single application, OpenVPN or WireGuard, works over UDP. Are there any guesses as to why this happens and what to do about it? Meanwhile, on the router itself OpenVPN and WireGuard work perfectly over UDP.
Here is what the fix does:
-o $wan -p udp -m mark --mark $DESYNC_MARK/$DESYNC_MARK -j MASQUERADE
desync_mark is the bit 0x40000000, with which nfqws marks all packets it generates
check whether the firmware creates rules that set this bit?
iptables -vL
what does the counter show for this rule?
Does everything work without the fix?
here is what it shows
Spoiler
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
323 110K _NDM_MULTICAST_INPUT udp – any any anywhere base-address.mcast.net/4
6 192 ACCEPT igmp – any any anywhere anywhere
1369 120K _NDM_ACL_IN_EXCEPTIONS all – any any anywhere anywhere
1078 102K ACCEPT all – any any anywhere anywhere state RELATED,ESTABLISHED
37 2489 ACCEPT all – lo any anywhere anywhere
164 10788 _NDM_BFD_INPUT all – any any anywhere anywhere
164 10788 _NDM_ACL_IN all – any any anywhere anywhere
164 10788 _NDM_IPSEC_INPUT_FILTER all – any any anywhere anywhere
164 10788 _NDM_TUNNELS_INPUT all – any any anywhere anywhere
0 0 DROP all – any any anywhere anywhere state INVALID
0 0 ACCEPT all – any any anywhere anywhere ctstate DNAT
164 10788 _NDM_INPUT all – any any anywhere anywhere
119 7658 _NDM_SL_PRIVATE all – any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 _NDM_MULTICAST_INPUT udp – any any anywhere base-address.mcast.net/4
849 330K ACCEPT all – any any anywhere anywhere state RELATED,ESTABLISHED
243 26860 _NDM_ACL_IN all – any any anywhere anywhere
243 26860 _NDM_ACL_OUT all – any any anywhere anywhere
243 26860 _NDM_IPSEC_FORWARD all – any any anywhere anywhere
243 26860 _NDM_VPN_FORWARD all – any any anywhere anywhere
243 26860 _NDM_FORWARD all – any any anywhere anywhere
12 480 DROP all – any any anywhere anywhere state INVALID
0 0 ACCEPT all – any any anywhere anywhere ctstate DNAT
231 26380 _NDM_SL_FORWARD all -- any any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT all -- br0 br0 anywhere anywhere
0 0 ACCEPT all -- br1 br1 anywhere anywhere
Chain OUTPUT (policy ACCEPT 2279 packets, 765K bytes)
pkts bytes target prot opt in out source destination
2279 765K _NDM_BFD_OUTPUT all -- any any anywhere anywhere
2279 765K _NDM_ACL_OUT all -- any any anywhere anywhere
2279 765K _NDM_IPSEC_OUTPUT_FILTER all -- any any anywhere anywhere
2279 765K _NDM_OUTPUT all -- any any anywhere anywhere
2279 765K _NDM_IKE1SRVVPN_OUT all -- any any anywhere anywhere
2279 765K _NDM_IKE2SRVVPN_OUT all -- any any anywhere anywhere
Chain @Bridge0 (1 references)
pkts bytes target prot opt in out source destination
Chain @PPPoE0 (1 references)
pkts bytes target prot opt in out source destination
Chain @WifiMaster0/WifiStation0 (1 references)
pkts bytes target prot opt in out source destination
Chain CLOUD_UDP_SERVICE_NF_CHAIN_ (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- any any ndns111.omni.ru 10.181.214.251 udp spt:4044 dpt:4043
Chain COALAGENT_NF_CHAIN_ (1 references)
pkts bytes target prot opt in out source destination
90 4350 ACCEPT udp -- any any anywhere anywhere udp dpt:55092
Chain Ftp_IN (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere tcp dpt:ftp-data match-set _NDM_BFD_Ftp4 src return-nomatch ! update-counters ! update-subcounters
0 0 DROP tcp -- any any anywhere anywhere tcp dpt:ftp match-set _NDM_BFD_Ftp4 src return-nomatch ! update-counters ! update-subcounters
Chain Ftp_OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere tcp spt:ftp-data match-set _NDM_BFD_Ftp4 dst return-nomatch ! update-counters ! update-subcounters
0 0 DROP tcp -- any any anywhere anywhere tcp spt:ftp match-set _NDM_BFD_Ftp4 dst return-nomatch ! update-counters ! update-subcounters
Chain Http_IN (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere tcp dpt:http match-set _NDM_BFD_Http4 src return-nomatch ! update-counters ! update-subcounters
0 0 DROP tcp -- any any anywhere anywhere tcp dpt:https match-set _NDM_BFD_Http4 src return-nomatch ! update-counters ! update-subcounters
Chain Http_OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere tcp spt:http match-set _NDM_BFD_Http4 dst return-nomatch ! update-counters ! update-subcounters
0 0 DROP tcp -- any any anywhere anywhere tcp spt:https match-set _NDM_BFD_Http4 dst return-nomatch ! update-counters ! update-subcounters
Chain NDM_FORWARD_ACL (0 references)
pkts bytes target prot opt in out source destination
Chain Telnet_IN (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere tcp dpt:2022 match-set _NDM_BFD_Telnet4 src return-nomatch ! update-counters ! update-subcounters
Chain Telnet_OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere tcp spt:2022 match-set _NDM_BFD_Telnet4 dst return-nomatch ! update-counters ! update-subcounters
Chain _NDM_ACL_IN (2 references)
pkts bytes target prot opt in out source destination
0 0 @WifiMaster0/WifiStation0 all -- apcli0 any anywhere anywhere
407 37648 @Bridge0 all -- br0 any anywhere anywhere
0 0 @PPPoE0 all -- ppp0 any anywhere anywhere
Chain NDM_ACL_IN_EXCEPTIONS (1 references)
pkts bytes target prot opt in out source destination
1369 120K COALAGENT_NF_CHAIN all -- any any anywhere anywhere
1279 115K CLOUD_UDP_SERVICE_NF_CHAIN_ all -- any any anywhere anywhere
Chain _NDM_ACL_OUT (2 references)
pkts bytes target prot opt in out source destination
Chain _NDM_BFD_INPUT (1 references)
pkts bytes target prot opt in out source destination
164 10788 Telnet_IN all -- any any anywhere anywhere
164 10788 Http_IN all -- any any anywhere anywhere
164 10788 Ftp_IN all -- any any anywhere anywhere
Chain _NDM_BFD_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
2279 765K Telnet_OUT all -- any any anywhere anywhere
2279 765K Http_OUT all -- any any anywhere anywhere
2279 765K Ftp_OUT all -- any any anywhere anywhere
Chain _NDM_FORWARD (1 references)
pkts bytes target prot opt in out source destination
243 26860 _NDM_HOTSPOT_FWD all -- any any anywhere anywhere
243 26860 _NDM_UPNP_FORWARD_SYS all -- any any anywhere anywhere ndmmark match 0x0/0x8
Chain _NDM_HOTSPOT_FWD (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere slin ! 3 (public) slout ! 3 (public)
0 0 RETURN all -- any any anywhere anywhere MAC 9C:30:5B:51:C1:C3
0 0 RETURN all -- any any anywhere anywhere MAC AE:1B:B4:29:0C:A8
0 0 RETURN all -- any any anywhere anywhere MAC D2:CC:16:C1:16:F4
0 0 RETURN all -- any any anywhere anywhere MAC 26:2C:73:4E:D5:F3
0 0 RETURN all -- any any anywhere anywhere MAC 66:B7:1D:6A:7D:1A
0 0 RETURN all -- any any anywhere anywhere MAC D4:38:9C:85:35:D9
243 26860 RETURN all -- any any anywhere anywhere MAC D8:5E:D3:54:3E:D3
0 0 RETURN all -- any br0 anywhere 192.168.40.35
0 0 RETURN all -- any any anywhere anywhere MAC FC:03:9F:1D:4A:90
0 0 RETURN all -- ra6 any anywhere anywhere
0 0 RETURN all -- ra2 any anywhere anywhere
0 0 RETURN all -- ra3 any anywhere anywhere
0 0 RETURN all -- ra1 any anywhere anywhere
0 0 RETURN all -- ra0 any anywhere anywhere
0 0 RETURN all -- ra5 any anywhere anywhere
0 0 RETURN all -- ra4 any anywhere anywhere
0 0 RETURN all -- rai6 any anywhere anywhere
0 0 RETURN all -- rai5 any anywhere anywhere
0 0 RETURN all -- rai4 any anywhere anywhere
0 0 RETURN all -- rai3 any anywhere anywhere
0 0 RETURN all -- rai2 any anywhere anywhere
0 0 RETURN all -- rai1 any anywhere anywhere
0 0 RETURN all -- br0 any anywhere anywhere
0 0 RETURN all -- br1 any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere MAC 94:17:00:3F:BF:AE
Chain _NDM_IKE1SRVVPN_FWD (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- xfrms1 br0 anywhere anywhere
0 0 ACCEPT all -- br0 xfrms1 anywhere anywhere
0 0 ACCEPT all -- xfrms1 xfrms1 anywhere anywhere
0 0 ACCEPT all -- xfrms1 ppp0 anywhere anywhere
0 0 ACCEPT all -- ppp0 xfrms1 anywhere anywhere
0 0 ACCEPT all -- vpn+ xfrms1 anywhere anywhere match-set _NDM_SRV_IKE1SRVVPN src return-nomatch ! update-counters ! update-subcounters
0 0 ACCEPT all -- sstp+ xfrms1 anywhere anywhere match-set _NDM_SRV_IKE1SRVVPN src return-nomatch ! update-counters ! update-subcounters
0 0 ACCEPT all -- l2tp+ xfrms1 anywhere anywhere match-set _NDM_SRV_IKE1SRVVPN src return-nomatch ! update-counters ! update-subcounters
0 0 ACCEPT all -- oc+ xfrms1 anywhere anywhere match-set _NDM_SRV_IKE1SRVVPN src return-nomatch ! update-counters ! update-subcounters
0 0 ACCEPT all -- xfrms2 xfrms1 anywhere anywhere match-set _NDM_SRV_IKE1SRVVPN src return-nomatch ! update-counters ! update-subcounters
Chain _NDM_IKE1SRVVPN_IN (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- xfrms1 any anywhere 192.168.40.1
0 0 ACCEPT udp -- xfrms1 any anywhere anywhere udp dpt:bootps
Chain _NDM_IKE1SRVVPN_OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any xfrms1 192.168.40.1 anywhere
Chain _NDM_IKE2SRVVPN_FWD (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- xfrms2 br0 anywhere anywhere
0 0 ACCEPT all -- br0 xfrms2 anywhere anywhere
0 0 ACCEPT all -- xfrms2 xfrms2 anywhere anywhere
0 0 ACCEPT all -- xfrms2 ppp0 anywhere anywhere
0 0 ACCEPT all -- ppp0 xfrms2 anywhere anywhere
0 0 ACCEPT all -- vpn+ xfrms2 anywhere anywhere match-set _NDM_SRV_IKE2SRVVPN src return-nomatch ! update-counters ! update-subcounters
0 0 ACCEPT all -- sstp+ xfrms2 anywhere anywhere match-set _NDM_SRV_IKE2SRVVPN src return-nomatch ! update-counters ! update-subcounters
0 0 ACCEPT all -- l2tp+ xfrms2 anywhere anywhere match-set _NDM_SRV_IKE2SRVVPN src return-nomatch ! update-counters ! update-subcounters
0 0 ACCEPT all -- oc+ xfrms2 anywhere anywhere match-set _NDM_SRV_IKE2SRVVPN src return-nomatch ! update-counters ! update-subcounters
0 0 ACCEPT all -- xfrms1 xfrms2 anywhere anywhere match-set _NDM_SRV_IKE2SRVVPN src return-nomatch ! update-counters ! update-subcounters
Chain _NDM_IKE2SRVVPN_IN (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- xfrms2 any anywhere 192.168.40.1
0 0 ACCEPT udp -- xfrms2 any anywhere anywhere udp dpt:bootps
Chain _NDM_IKE2SRVVPN_OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any xfrms2 192.168.40.1 anywhere
Chain _NDM_INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
0 0 _NDM_SL_PROTECT udp -- any any anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
0 0 _NDM_IP_PUBLIC all -- eth3 any anywhere !my.keenetic.net slin 3 (public)
0 0 _NDM_IP_PRIVATE all -- ra6 any anywhere anywhere slin 1 (private)
0 0 _NDM_IP_PRIVATE all -- ra2 any anywhere anywhere slin 1 (private)
0 0 _NDM_IP_PRIVATE all -- ra3 any anywhere anywhere slin 1 (private)
0 0 _NDM_IP_PRIVATE all -- ra5 any anywhere anywhere slin 1 (private)
0 0 _NDM_IP_PRIVATE all -- ra4 any anywhere anywhere slin 1 (private)
0 0 _NDM_IP_PUBLIC all -- apcli0 any anywhere !my.keenetic.net slin 3 (public)
0 0 _NDM_IP_PRIVATE all -- rai6 any anywhere anywhere slin 1 (private)
0 0 _NDM_IP_PRIVATE all -- rai5 any anywhere anywhere slin 1 (private)
0 0 _NDM_IP_PRIVATE all -- rai4 any anywhere anywhere slin 1 (private)
0 0 _NDM_IP_PRIVATE all -- rai3 any anywhere anywhere slin 1 (private)
0 0 _NDM_IP_PRIVATE all -- rai2 any anywhere anywhere slin 1 (private)
0 0 _NDM_IP_PUBLIC all -- apclii0 any anywhere !my.keenetic.net slin 3 (public)
0 0 _NDM_SL_PROTECT tcp -- any any anywhere anywhere tcp dpt:3517
0 0 _NDM_SL_PROTECT udp -- any any anywhere anywhere udp dpt:3517
6 456 _NDM_SL_PROTECT udp -- any any anywhere anywhere udp dpt:3518
158 10332 _NDM_IKE1SRVVPN_IN all -- any any anywhere anywhere
158 10332 _NDM_IKE2SRVVPN_IN all -- any any anywhere anywhere
158 10332 _NDM_IP_PRIVATE all -- br0 any anywhere anywhere slin 1 (private)
0 0 _NDM_IP_PROTECT all -- br1 any anywhere !my.keenetic.net slin 2 (protected)
0 0 _NDM_IP_PUBLIC all -- ppp0 any anywhere !my.keenetic.net slin 3 (public)
0 0 _NDM_IP_PUBLIC all -- ppp1 any anywhere !my.keenetic.net slin 3 (public)
0 0 _NDM_IP_PUBLIC all -- ppp2 any anywhere !my.keenetic.net slin 3 (public)
0 0 _NDM_IP_PUBLIC all -- ppp3 any anywhere !my.keenetic.net slin 3 (public)
0 0 _NDM_IP_PUBLIC all -- ovpn_br0 any anywhere !my.keenetic.net slin 3 (public)
0 0 _NDM_IP_PUBLIC all -- nwg0 any anywhere !my.keenetic.net slin 3 (public)
0 0 _NDM_IP_PUBLIC all -- nwg1 any anywhere !my.keenetic.net slin 3 (public)
0 0 _NDM_IP_PUBLIC all -- nwg2 any anywhere !my.keenetic.net slin 3 (public)
0 0 _NDM_IP_PUBLIC all -- ovpn_br1 any anywhere !my.keenetic.net slin 3 (public)
0 0 _NDM_IP_PUBLIC all -- nwg3 any anywhere !my.keenetic.net slin 3 (public)
Chain _NDM_IPSEC_FORWARD (1 references)
pkts bytes target prot opt in out source destination
Chain _NDM_IPSEC_INPUT_FILTER (1 references)
pkts bytes target prot opt in out source destination
Chain _NDM_IPSEC_INPUT_FLT_BPS (0 references)
pkts bytes target prot opt in out source destination
Chain _NDM_IPSEC_OUTPUT_FILTER (1 references)
pkts bytes target prot opt in out source destination
Chain _NDM_IPSEC_OUTPUT_FLT_BPS (0 references)
pkts bytes target prot opt in out source destination
Chain _NDM_IP_PRIVATE (11 references)
pkts bytes target prot opt in out source destination
158 10332 _NDM_IP_PROTECT all -- any any anywhere anywhere
Chain _NDM_IP_PROTECT (2 references)
pkts bytes target prot opt in out source destination
158 10332 _NDM_IP_PUBLIC all -- any any anywhere anywhere
39 2674 _NDM_SL_PROTECT udp -- any any anywhere anywhere udp dpt:domain
0 0 _NDM_SL_PROTECT tcp -- any any anywhere anywhere tcp dpt:domain
Chain _NDM_IP_PUBLIC (14 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:isakmp
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:4500
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:44852
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:43077
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:2022
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:42716
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:42442
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:44171
Chain _NDM_MULTICAST_INPUT (2 references)
pkts bytes target prot opt in out source destination
323 110K ACCEPT all -- any any anywhere anywhere
Chain _NDM_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain _NDM_SL_FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 _NDM_SL_PROTECT all -- any eth3 anywhere anywhere state NEW
0 0 _NDM_SL_PROTECT all -- any apcli0 anywhere anywhere state NEW
0 0 _NDM_SL_PROTECT all -- any apclii0 anywhere anywhere state NEW
231 26380 _NDM_SL_PROTECT all -- any ppp0 anywhere anywhere state NEW
0 0 _NDM_SL_PROTECT all -- any ppp1 anywhere anywhere state NEW
0 0 _NDM_SL_PROTECT all -- any ppp2 anywhere anywhere state NEW
0 0 _NDM_SL_PROTECT all -- any ppp3 anywhere anywhere state NEW
0 0 _NDM_SL_PROTECT all -- any ovpn_br0 anywhere anywhere state NEW
0 0 _NDM_SL_PROTECT all -- any nwg0 anywhere anywhere state NEW
0 0 _NDM_SL_PROTECT all -- any nwg1 anywhere anywhere state NEW
0 0 _NDM_SL_PROTECT all -- any nwg2 anywhere anywhere state NEW
0 0 _NDM_SL_PROTECT all -- any ovpn_br1 anywhere anywhere state NEW
0 0 _NDM_SL_PROTECT all -- any nwg3 anywhere anywhere state NEW
Chain _NDM_SL_PRIVATE (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- ra6 any anywhere anywhere state NEW
0 0 ACCEPT all -- ra2 any anywhere anywhere state NEW
0 0 ACCEPT all -- ra3 any anywhere anywhere state NEW
0 0 ACCEPT all -- ra5 any anywhere anywhere state NEW
0 0 ACCEPT all -- ra4 any anywhere anywhere state NEW
0 0 ACCEPT all -- rai6 any anywhere anywhere state NEW
0 0 ACCEPT all -- rai5 any anywhere anywhere state NEW
0 0 ACCEPT all -- rai4 any anywhere anywhere state NEW
0 0 ACCEPT all -- rai3 any anywhere anywhere state NEW
0 0 ACCEPT all -- rai2 any anywhere anywhere state NEW
395 37168 ACCEPT all -- br0 any anywhere anywhere state NEW
Chain _NDM_SL_PROTECT (19 references)
pkts bytes target prot opt in out source destination
276 29510 _NDM_SL_PRIVATE all -- any any anywhere anywhere
0 0 ACCEPT all -- br1 any anywhere anywhere state NEW
Chain _NDM_TUNNELS_INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ipv6-crypt-- any any anywhere anywhere
0 0 ACCEPT gre -- any any anywhere anywhere
0 0 ACCEPT ipencap-- any any anywhere anywhere
Chain _NDM_UPNP_FORWARD_SYS (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- any any anywhere 192.168.40.35 match-set _UPNP_SYS src,src udp dpt:13688
Chain _NDM_VPN_FORWARD (1 references)
pkts bytes target prot opt in out source destination
243 26860 _NDM_IKE1SRVVPN_FWD all -- any any anywhere anywhere
243 26860 _NDM_IKE2SRVVPN_FWD all -- any any anywhere anywhere