2026年3月25日 星期三

Shorewall Hairpin NAT 或 NAT Loopback 設定方式

fw  eth2:192.168.119.253/24
ap  eth2:192.168.119.231/24:3142

編輯 /etc/shorewall/interfaces
增加內網介面的 routeback 選項（未設定 routeback 時，Shorewall 會丟棄從同一個介面「進又出」的封包，hairpin 流量因此無法轉發）
loc             eth2                    dhcp,routeback

編輯 /etc/shorewall/snat  (偽裝來源,讓伺服器以為是「防火牆」在找它)
SNAT(192.168.119.253)   192.168.119.0/24 eth2 tcp 3142 -

編輯 /etc/shorewall/rules（定義轉發：當內網存取 fw 時，目標轉向伺服器。注意第 6 欄 ORIGINAL DEST 若留 -，則所有 loc→loc 的 tcp/3142 連線都會被改寫；只想攔截發往 fw 的連線時，該欄應填 fw 的 IP 192.168.119.253）
DNAT:NFLOG(4) loc    loc:192.168.119.231 tcp 3142 - -

2026年3月9日 星期一

LEAF 關機前搬移 LOG 至封存目錄

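#!/bin/sh
# /root/stoplog.sh
# Archive /var/log to the archive device right before shutdown.
# Invoked from /etc/default/local.stop (LEAF) as root.

f=stoplog$(date +%Y%m%d-%H%M%S).tar.gz

# Stop if the archive device cannot be mounted; otherwise tar would
# write into /mnt/archive on the root filesystem (or fail there).
mount /dev/vda /mnt || exit 1

# The archive directory may not exist yet on a fresh device.
[ -d /mnt/archive ] || mkdir -p /mnt/archive || { umount /mnt; exit 1; }

tar czvf "/mnt/archive/$f" /var/log
rc=$?

umount /mnt
# Report tar's status so a failed archive is visible to the caller.
exit "$rc"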

設定方式
編輯  /etc/default/local.stop
## Commands that will be executed at the beginning of shutdown
#

/root/archivelog.sh
/root/stoplog.sh

取代 netstat-nat 指令

# Dump the kernel conntrack table (replacement for the netstat-nat command).
# nf_conntrack is the current file; ip_conntrack exists only on kernels older
# than 2.6.24. Each is printed only when present.
for tbl in /proc/net/nf_conntrack /proc/net/ip_conntrack; do
  [ -f "$tbl" ] && cat "$tbl"
done

相關模組
nf_conntrack
ip_conntrack (2.6.24 核心之前)

查詢目前連線數:
# Number of entries currently held in the conntrack table.
cat /proc/sys/net/netfilter/nf_conntrack_count

查看連線數上限:
# Upper limit of the conntrack table; new connections are dropped once reached.
sysctl net.netfilter.nf_conntrack_max

LEAF 定期搬移 LOG 至 封存目錄

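#!/bin/sh
# /root/archivelog.sh
# Rotate the logs, then move every rotated *.gz from /var/log to the
# archive directory on the archive device (mounted here when needed).
# Runs hourly from /etc/crontab as root.
# Previously also truncated the conntrackd log (kept disabled):
#:> /var/log/conntrackd.log;

# Run marker: timestamp and PID of this run.
# NOTE(review): /tmp is world-writable; if this box ever gets other local
# users, a symlink planted at this fixed path would be followed by root.
# /run (or /var/run) would be the safer location.
date >/tmp/archive.sh.run
echo "$$" >>/tmp/archive.sh.run

ADEV=/dev/vda
AMNT=/mnta
ADIR=${AMNT}/archive
LOGDIR=/var/log
# NOTE(review): the original ran logrotate with no config file, which
# standard logrotate rejects with a usage error; /etc/logrotate.conf is the
# conventional default — confirm it matches this LEAF install.
LOGROTATE_CONF=${LOGROTATE_CONF:-/etc/logrotate.conf}

# Unmount the archive device; installed as EXIT trap only when this run
# mounted it, so a pre-existing mount is left alone.
Exit_safely (){ umount -f "${AMNT}"; rmdir "${AMNT}"; }

/usr/bin/logrotate "${LOGROTATE_CONF}"

[ -d "${AMNT}" ] || mkdir -p "${AMNT}"
# Mount only when not already mounted, then arrange for the unmount.
if ! mount | grep -q "${AMNT}"; then
  mount "${ADEV}" "${AMNT}" || exit 1
  trap Exit_safely EXIT
fi

[ -d "${ADIR}" ] || mkdir -p "${ADIR}" || exit 1

# Nothing to do when no rotated log exists (an unmatched glob stays literal).
for i in "${LOGDIR}"/*.gz; do [ -f "$i" ] || exit 0; done

# Move each rotated log, appending a timestamp so repeated runs never
# overwrite an earlier archive of the same log name.
stamp=$(date +%Y%m%d_%H%M%S)
for i in "${LOGDIR}"/*.gz; do
  t=$(basename "$i"); t=${t%.gz}-${stamp}.gz
  echo "$i" "$t"
  # A failed move (e.g. archive device full) must not pass silently.
  mv -- "$i" "${ADIR}/${t}" || exit 1
done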

執行方式
編輯 /etc/crontab
0 *     * * *   root    /root/archivelog.sh

Dnsmasq DNS 查詢增加黑名單

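#!/bin/sh
# adblockMY.sh
# Local dnsmasq blocklist: every domain in $urls becomes a bare
# "server=/domain/" line, which keeps dnsmasq from forwarding that name
# upstream (it is answered locally only).

urls="donate.ssl.xmrig.com "

conf=/etc/dnsmasq.d/adblockMY.conf
tmp=${conf}.tmp

for url in $urls; do printf 'server=/%s/\n' "$url"; done >"${tmp}"

# Install the new file only if dnsmasq accepts it (same check the other
# adblock scripts use); otherwise keep the old one and stop, so a typo
# here never takes DNS down on restart.
if dnsmasq -C "${tmp}" --test; then
  mv -- "${tmp}" "${conf}"
else
  rm -f -- "${tmp}"
  exit 1
fi

/etc/init.d/dnsmasq restart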
leaf119x# 

Dnsmasq DNS 查詢增加黑名單 (pgl.yoyo.org)

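#!/bin/sh
# adblock.sh
# Fetch the pgl.yoyo.org ad-server list in dnsmasq "server=" format and
# install it as a dnsmasq blocklist, validating it before the restart.

url="https://pgl.yoyo.org/as/serverlist.php?hostformat=dnsmasq-server;showintro=0"
conf=/etc/dnsmasq.d/adblock.conf
tmp=${conf}.tmp
new=${conf}.new

# Certificate verification stays ON: this file decides which names dnsmasq
# answers locally, so a MITM on the download could plant its own resolver
# for arbitrary domains. If wget on this box lacks a CA bundle, install one
# (or pass --ca-certificate=FILE) rather than using --no-check-certificate.
wget -q -O "${tmp}" "${url}"
rc=$?
# The original tested $? after "[ ... ]", which is always 0, so failures
# exited with status 0 and left the partial download behind.
if [ "$rc" -gt 0 ]; then
  rm -f -- "${tmp}"
  exit "$rc"
fi

# Keep only bare "server=/domain/" lines. A line with an address after the
# trailing slash would redirect that domain to another resolver, which a
# blocklist must never do.
grep -E '^server=/[A-Za-z0-9._-]+/$' "${tmp}" >"${new}"
rm -f -- "${tmp}"

# An empty result means a broken download, not an empty blocklist:
# keep whatever is currently installed.
if [ ! -s "${new}" ]; then
  rm -f -- "${new}"
  exit 1
fi

if dnsmasq -C "${new}" --test; then
  mv -- "${new}" "${conf}"
  /etc/init.d/dnsmasq restart
else
  rm -f -- "${new}"
  exit 1
fi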

Dnsmasq DNS 查詢增加黑名單 (filter.futa.gg)

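#!/bin/sh
# adblockFutaGuard.sh
# https://github.com/FutaGuard/LowTechFilter?tab=readme-ov-file
# Fetch several plain domain lists from filter.futa.gg and turn each into a
# dnsmasq blocklist (one "server=/domain/" line per domain) under
# /etc/dnsmasq.d, validating each file before the single restart at the end.

urls="https://filter.futa.gg/hosts_domains.txt"
urls="$urls https://filter.futa.gg/TW165_domains.txt"
urls="$urls https://filter.futa.gg/TWNIC-RPZ_domains.txt"
urls="$urls https://filter.futa.gg/nofarm_domains.txt"
urls="$urls https://filter.futa.gg/nrd/past-01day_domains.txt"

for url in $urls; do
  # e.g. TW165_domains.txt -> /etc/dnsmasq.d/adblockTW165_domains.conf
  conf=/etc/dnsmasq.d/adblock$(basename "$url" | awk -F . '{print $1}').conf
  tmp=${conf}.tmp
  new=${conf}.new

  # Certificate verification stays ON: these files decide which names
  # dnsmasq answers locally, so a MITM on the download could inject
  # arbitrary entries. If wget lacks a CA bundle on this box, install one
  # (or pass --ca-certificate=FILE) instead of --no-check-certificate.
  if ! wget -q -O "${tmp}" "${url}"; then
    rm -f -- "${tmp}"
    continue
  fi

  # Emit a server= line only when the first field looks like a domain.
  # Comment or blank lines would otherwise yield lines dnsmasq rejects,
  # and the --test below would then discard the whole list.
  # NOTE(review): non-ASCII (non-punycode) names are skipped by this
  # pattern — confirm the lists are ASCII only.
  awk '$1 ~ /^[A-Za-z0-9._-]+$/ {print "server=/"$1"/"}' "${tmp}" >"${new}"
  rm -f -- "${tmp}"

  # Empty output means a broken download; keep the installed file.
  if [ ! -s "${new}" ]; then
    rm -f -- "${new}"
    continue
  fi

  if dnsmasq -C "${new}" --test; then
    mv -- "${new}" "${conf}"
  else
    rm -f -- "${new}"
  fi
done

/etc/init.d/dnsmasq restart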