ax3600-uablacklist-tor.sh

# curl --insecure https://gist.githubusercontent.com/ww7/62febe18b7f886a7219dbeca879db807/raw/ax3600-uablacklist-tor.sh | sh -

echo 'Creating startup script to mount /opt, /root and start Entware services'
cat << 'EOF' > /etc/init.d/rootopt
#!/bin/sh /etc/rc.common

START=99
STOP=00

start() {
        [ -d /etc/root ] && mount -o bind /etc/root /root
        [ -d /etc/opt ] && mount -o bind /etc/opt /opt
        [ -x /opt/etc/init.d/rc.unslung ] && /opt/etc/init.d/rc.unslung start
        return 0
}

stop() {
        [ -x /opt/etc/init.d/rc.unslung ] && /opt/etc/init.d/rc.unslung stop
        [ -d /etc/opt ] && umount /opt
        [ -d /etc/root ] && umount /root
        return 0
}
EOF
chmod 755 /etc/init.d/rootopt

mkdir -p /etc/opt /etc/root || exit 1
/etc/init.d/rootopt enable
/etc/init.d/rootopt start

echo 'Install Entware'
wget http://bin.entware.net/aarch64-k3.10/installer/generic.sh -O- | sh -
#Add /opt/bin /opt/sbin to PATH
echo 'export PATH=$PATH:/opt/bin:/opt/sbin' >> /root/.profile

echo 'Install tor'
/opt/bin/opkg update
/opt/bin/opkg install tor

echo 'Configure and (re)start tor'
mv -f /opt/etc/tor/torrc /opt/etc/tor/torrc.bak
cat << 'EOF' > /opt/etc/tor/torrc
#Log to syslog
Log notice syslog
#Dir for storing keys/etc
DataDirectory /var/lib/tor
#Resolve onion domain names to
VirtualAddrNetworkIPv4 10.192.0.0/10
#Enable tor DNS
AutomapHostsOnResolve 1
#Transparent proxy and DNS
TransPort 0.0.0.0:9040
DNSPort 0.0.0.0:5353
#Exclude exit nodes from RU, UA, BY
ExcludeExitNodes {RU}, {UA}, {BY}
EOF
/opt/etc/init.d/S35tor restart

echo 'Add tor DNS to dnsmasq'
echo 'server=127.0.0.1#5353' > /etc/dnsmasq.d/tor
/etc/init.d/dnsmasq restart

echo 'Create and launch script to fetch blocked IPs list from https://uablacklist.net/'
cat << 'EOF' > /root/blacklist.sh
#!/bin/sh

curl --silent --insecure https://uablacklist.ww7.work/ips.txt --output /tmp/ips.txt
curl --silent --insecure https://uablacklist.ww7.work/subnets.txt --output /tmp/subnets.txt
awk '{print}' /tmp/ips.txt /tmp/subnets.txt > /root/blacklist.txt
rm -f /tmp/subnets.txt /tmp/ips.txt
EOF
chmod 755 /root/blacklist.sh
/root/blacklist.sh

echo 'Create /etc/firewall.d/uablacklist with iptables rules'
cat << 'EOF' > /etc/firewall.d/uablacklist
#!/bin/sh

#access to .onion sites:
#    intercept .onion DNS requests
iptables -t nat -A PREROUTING -p udp --dport 53 -m string \
  --hex-string "|056f6e696f6e00|" --algo bm -j REDIRECT --to-ports 5353
iptables -t nat -A OUTPUT -p udp --dport 53 -m string \
  --hex-string "|056f6e696f6e00|" --algo bm -j REDIRECT --to-ports 5353
#    forward onion subnet 10.192.0.0/10
iptables -t nat -A PREROUTING -p tcp -d 10.192.0.0/10 -j REDIRECT --to-port 9040
iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-port 9040

#forward blocked sites to tor
ipset create blacklist iphash --maxelem 500000 --hashsize 2097152

#iptables -t nat -A PREROUTING -p tcp -m multiport --dports 80,443 \

iptables -t nat -A PREROUTING -p tcp \
    -m set --match-set blacklist dst -j REDIRECT --to-port 9040

#iptables -t nat -A OUTPUT -p tcp -m multiport --dports 80,443 \

iptables -t nat -A OUTPUT -p tcp \
    -m set --match-set blacklist dst -j REDIRECT --to-port 9040

[ -e /root/blacklist.txt ] && cat /root/blacklist.txt | xargs -n1 ipset add blacklist
EOF
chmod 755 /etc/firewall.d/uablacklist
echo 'Run /etc/firewall.d/uablacklist: this will probably take a long time'
/etc/firewall.d/uablacklist

cat << 'EOF'
Done. To update blocked IPs list from https://uablacklist.net/ launch:
# /root/blacklist.sh
# ipset flush blacklist
# cat /root/blacklist.txt | xargs -n1 ipset add blacklist
# or run /root/blacklist_upd.sh
EOF

echo 'Script to blacklist update and reload'
cat << 'EOF' > /root/blacklist_upd.sh
#!/bin/sh

/root/blacklist.sh
ipset flush blacklist
cat /root/blacklist.txt | xargs -n1 ipset add blacklist
EOF
chmod 755 /root/blacklist_upd.sh