diff --git a/scripts/ks-on.sh b/scripts/ks-on.sh
index 23dff34..fc32539 100644
--- a/scripts/ks-on.sh
+++ b/scripts/ks-on.sh
@@ -35,6 +35,9 @@ if [ "$ipv6_cnt" -gt 0 ]; then
 fi
 echo "Включаем UFW kill switch..."
+ ufw default deny outgoing >/dev/null 2>&1 || true
+ ufw allow out on amn0 >/dev/null 2>&1 || true
+ ufw enable
 echo ""
 echo "Готово. Kill switch активен."
diff --git a/scripts/ru-bypass.sh b/scripts/ru-bypass.sh
index 46b9414..92ab0c4 100644
--- a/scripts/ru-bypass.sh
+++ b/scripts/ru-bypass.sh
@@ -14,6 +14,7 @@ GATEWAY="${GATEWAY:-192.168.1.1}"
 DEV="${DEV:-wlp1s0}"
 LOCAL_DNS="${LOCAL_DNS:-}"
+AMNEZIA_SERVER="${AMNEZIA_SERVER:-}"
 SETNAME="ru-direct"
 CACHE="/var/cache/ru-delegations.txt"
 IPSET_SAVE="/etc/ipset.conf"
@@ -159,9 +160,17 @@ import sys; print(f'# entries: {entries}', file=sys.stderr)
 ENTRIES=$(ipset list "$SETNAME" 2>/dev/null | grep -c '/')
 echo "ipset обновлён: $ENTRIES записей"
-# Сохраняем ipset на диск — ru-ipset-restore.service восстановит его до UFW при перезагрузке
-ipset save "$SETNAME" > "$IPSET_SAVE"
-echo "ipset сохранён в $IPSET_SAVE"
+
+# --- Сервер Amnezia в исключения (чтобы мог подключиться при kill switch) ---
+
+if [ -n "$AMNEZIA_SERVER" ]; then
+ ipset add "$SETNAME" "$AMNEZIA_SERVER" -exist 2>/dev/null || true
+ echo "Сервер Amnezia $AMNEZIA_SERVER добавлен в ipset $SETNAME"
+fi
+ # Сохраняем ipset на диск (с учётом сервера Amnezia)
+ ipset save "$SETNAME" > "$IPSET_SAVE"
+ echo "ipset сохранён в $IPSET_SAVE"
+
 # --- Добавляем маршруты ---
@@ -194,6 +203,13 @@ for net in $LOCAL_NETS; do
 ip route replace "$net" via "$GATEWAY" dev "$DEV" 2>/dev/null
 done
+ # Маршрут для сервера Amnezia (чтобы мог подключиться при kill switch)
+ if [ -n "$AMNEZIA_SERVER" ]; then
+ ip route replace "$AMNEZIA_SERVER/32" via "$GATEWAY" dev "$DEV" 2>/dev/null
+ echo "Маршрут для сервера Amnezia $AMNEZIA_SERVER добавлен"
+ fi
+
+
 # --- DNS для *.loc через LOCAL_DNS (если задан) ---
 if [ -n "$LOCAL_DNS" ]; then
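Review bot: The kill switch reports itself active even when the deny policy was never applied, because the two new `ufw default deny outgoing` and `ufw allow out on amn0` lines hide their failures behind `>/dev/null 2>&1 || true` while `ufw enable` and the final "Готово. Kill switch активен." message run unconditionally. A fail-closed control should stop on that failure, e.g. `ufw default deny outgoing || { echo "ufw default deny outgoing failed" >&2; exit 1; }` and the same for the allow rule, or at least verify the resulting policy (`ufw status verbose`) before printing success. The same two silenced commands are repeated in scripts/ru-bypass.sh (hunk @@ -222), so the policy now lives in two places; keeping it in one script avoids the two drifting apart.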
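Review bot: In the @@ -159 hunk `AMNEZIA_SERVER` goes straight into `ipset add` with stderr silenced and `|| true`, yet the next line unconditionally prints that the server was added; a hostname, a pasted `IP:port` or a value with a stray prefix is reported as success while the kill-switch exception silently does not exist. The script is run under bash (setup.sh calls `bash scripts/ru-bypass.sh`), so validate once near the top, e.g. `[[ -z "$AMNEZIA_SERVER" || "$AMNEZIA_SERVER" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "AMNEZIA_SERVER должен быть IPv4-адресом: $AMNEZIA_SERVER" >&2; exit 1; }`, and print the success line only when `ipset add` returns 0. The same pattern — silenced `ip route replace "$AMNEZIA_SERVER/32"` followed by an unconditional "добавлен" echo — is in the @@ -194 hunk. The removed comment explained that ru-ipset-restore.service restores the set before UFW on reboot; that rationale is worth keeping in the replacement comment. The re-added `ipset save` and `echo` lines now carry a leading space, unlike the column-0 code they sit among (the `-`/`+` pair differs only in that whitespace).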
@@ -222,7 +238,13 @@ if ! grep -q "$UFW_LOCAL_MARKER" "$UFW_BEFORE" 2>/dev/null; then
 echo "UFW обновлён (локальные сети)."
 fi
+
+# --- Настройка UFW default deny + allow amn0 (однократно) ---
+ufw default deny outgoing >/dev/null 2>&1 || true
+ufw allow out on amn0 >/dev/null 2>&1 || true
+
 if grep -qE "$UFW_MARKER|$UFW_LOCAL_MARKER" "$UFW_BEFORE" 2>/dev/null; then
+
 if ufw status | grep -qE "активен|active"; then
 ufw reload
 fi
diff --git a/setup.sh b/setup.sh
index 3c63051..d3334fc 100755
--- a/setup.sh
+++ b/setup.sh
@@ -93,10 +93,12 @@ case "$choice" in
 auto_gw="${auto_gw:-192.168.1.1}"
 auto_dev="${auto_dev:-wlp1s0}"
 saved_local_dns=""
+ saved_amn_srv=""
 if [ -f "$net_conf" ]; then
 saved_gw=$(grep '^GATEWAY=' "$net_conf" | cut -d= -f2)
 saved_dev=$(grep '^DEV=' "$net_conf" | cut -d= -f2)
 saved_local_dns=$(grep '^LOCAL_DNS=' "$net_conf" | cut -d= -f2)
+ saved_amn_srv=$(grep '^AMNEZIA_SERVER=' "$net_conf" | cut -d= -f2)
 auto_gw="${saved_gw:-$auto_gw}"
 auto_dev="${saved_dev:-$auto_dev}"
 echo -e "Загружены параметры профиля ${BLD}${chosen_profile}${CLR}: GATEWAY=${BLD}${auto_gw}${CLR} DEV=${BLD}${auto_dev}${CLR}"
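Review bot: The new `ufw default deny outgoing` / `ufw allow out on amn0` pair runs on every invocation of ru-bypass.sh, not "однократно" as the comment says, and it flips the outgoing default policy from the script whose job is maintaining the ru-direct ipset and routes; setup.sh runs this script from the bypass-configuration step, so the kill-switch policy is switched on there too, independently of ks-on.sh, which already issues the same two commands. If UFW is active at that point, the `ufw reload` a few lines below (and, as far as I can tell, `ufw default` itself) makes the deny policy effective immediately, with any failure of the two calls hidden by `>/dev/null 2>&1 || true`. Leaving the policy change to ks-on.sh, or guarding it here behind an explicit opt-in such as `if [ "${ENABLE_KILL_SWITCH:-0}" = "1" ]; then … fi`, keeps the kill switch a deliberate action; the comment should then describe what the block does on each run rather than "once".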
@@ -108,13 +110,16 @@ case "$choice" in
 read -rp "GATEWAY (IP роутера) [${auto_gw}]: " gw
 read -rp "DEV (интерфейс) [${auto_dev}]: " dev
 read -rp "LOCAL_DNS (DNS для *.loc) [${saved_local_dns:-пусто}]: " local_dns
+ read -rp "AMNEZIA_SERVER (IP сервера Amnezia) [${saved_amn_srv:-пусто}]: " amn_srv
 gw="${gw:-$auto_gw}"
 dev="${dev:-$auto_dev}"
 [ "$local_dns" = "пусто" ] && local_dns=""
 local_dns="${local_dns:-$saved_local_dns}"
- printf 'GATEWAY=%s\nDEV=%s\nLOCAL_DNS=%s\n' "$gw" "$dev" "$local_dns" > "$net_conf"
+ [ "$amn_srv" = "пусто" ] && amn_srv=""
+ amn_srv="${amn_srv:-$saved_amn_srv}"
+ printf 'GATEWAY=%s\nDEV=%s\nLOCAL_DNS=%s\nAMNEZIA_SERVER=%s\n' "$gw" "$dev" "$local_dns" "$amn_srv" > "$net_conf"
 echo ""
- sudo GATEWAY="$gw" DEV="$dev" LOCAL_DNS="$local_dns" USER_HOME="$HOME" bash scripts/ru-bypass.sh
+ sudo GATEWAY="$gw" DEV="$dev" LOCAL_DNS="$local_dns" AMNEZIA_SERVER="$amn_srv" USER_HOME="$HOME" bash scripts/ru-bypass.sh
 ;;
 3)
 echo -e "${YEL}Перед этим выйди из Claude Code — сессия сменит IP.${CLR}"
diff --git a/tests/test_network.sh b/tests/test_network.sh
index 0956e60..a7fc006 100644
--- a/tests/test_network.sh
+++ b/tests/test_network.sh
@@ -26,7 +26,13 @@ check() {
 echo "=== 1. Проверка окружения ==="
 check "Amnezia интерфейс (amn0) существует" "amn0" "ip link show amn0 2>/dev/null"
-check "wlp1s0 wifi интерфейс" "wlp1s0" "ip link show wlp1s0 2>/dev/null"
+
+# Определяем DEV из конфига или из default route
+if [ -f "$HOME/.config/ai-setup/network_$(hostname).conf" ]; then
+ source "$HOME/.config/ai-setup/network_$(hostname).conf"
+fi
+DEV="${DEV:-$(ip route show default 2>/dev/null | awk '/default/ {print $5; exit}')}"
+echo " DEV=$DEV (из конфига)"
 IPSET_INFO=$(sudo ipset list ru-direct 2>/dev/null)
 if [ -n "$IPSET_INFO" ]; then
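Review bot: `amn_srv` comes from `read -rp`, is written verbatim into `$net_conf` by the new `printf`, and is handed through `sudo` to ru-bypass.sh, with no check that it is an IP address; `$net_conf` appears to be the same per-host file that tests/test_network.sh now `source`s, so a value containing shell syntax — even an accidental space or `$(` — would be executed there, and an invalid value otherwise fails silently inside ru-bypass.sh. Validate after the `amn_srv="${amn_srv:-$saved_amn_srv}"` line so the saved value is covered too, e.g. `[[ -z "$amn_srv" || "$amn_srv" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "AMNEZIA_SERVER: ожидается IPv4-адрес" >&2; exit 1; }`; `local_dns` is stored the same way and deserves the same check. The `case` arm this hunk belongs to starts and ends outside the hunk.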
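Review bot: In the tests/test_network.sh hunk, `source "$HOME/.config/ai-setup/network_$(hostname).conf"` executes the config file as shell, while that file is written by setup.sh as unvalidated `KEY=value` lines taken from interactive input; reading it the way setup.sh itself does, e.g. `DEV=$(grep '^DEV=' "$conf" | cut -d= -f2)` with `conf` holding the path, gives the test script the one value it needs without running whatever ends up in the file. Sourcing also imports every variable in it (GATEWAY, LOCAL_DNS, AMNEZIA_SERVER), not only DEV. The last added line prints `(из конфига)` even when DEV came from the `ip route show default` fallback; `echo " DEV=$DEV"`, or naming the source actually used, avoids a misleading test log.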
@@ -44,7 +50,7 @@ else
 fi
 echo ""
 echo "=== 2. Маршрутизация .ru vs не-.ru ==="
-check ".ru IP ($RU_IP) → НЕ через amn0" "wl[pi]" "ip route get $RU_IP 2>/dev/null"
+check ".ru IP ($RU_IP) → НЕ через amn0" "$DEV" "ip route get $RU_IP 2>/dev/null"
 check "8.8.8.8 → через amn0" "amn0" "ip route get 8.8.8.8 2>/dev/null"
 check "1.1.1.1 → через amn0" "amn0" "ip route get 1.1.1.1 2>/dev/null"
@@ -74,7 +80,7 @@ check "NM dispatcher есть" "99-ru-bypass" "ls -la /etc/NetworkManager/dispat
 echo ""
 echo "=== 6. Краевые случаи ==="
 check "api.anthropic.com → amn0" "amn0" "ip route get $(dig +short api.anthropic.com A | head -1) 2>/dev/null"
-check "ya.ru → НЕ через amn0 (прямо)" "wl[pi]" "ip route get $(dig +short ya.ru A | head -1) 2>/dev/null"
+check "ya.ru → НЕ через amn0 (прямо)" "$DEV" "ip route get $(dig +short ya.ru A | head -1) 2>/dev/null"
 echo ""
 echo "=== 7. Geo: внешние IP ==="
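Review bot: With the expected pattern now `"$DEV"`, an empty DEV (no config file and no default route, or a default route whose fifth field is not the interface) turns the expectation into an empty string; if `check` greps the command output for that pattern, an empty pattern matches any output and the "НЕ через amn0" checks pass vacuously — `check()` is defined outside this hunk, so this is inferred from the old `"wl[pi]"` regex usage. Guard before the first use, e.g. `: "${DEV:?DEV не определён — нет конфига и default route}"`, or make `check` fail on an empty pattern. The same applies to the ya.ru check in the @@ -74 hunk.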