bol-van / zapret

DPI bypass multi platform

L4 breaks after disabling/removing zapret #289

Closed. alexgadai closed this issue 3 weeks ago.

alexgadai commented 3 weeks ago

Hello. I am testing zapret on a laptop with Ubuntu 18.04.6 in tpws mode. I noticed that after stopping the service all outbound traffic breaks at L4, although L3 still works:

my@PC:/opt/zapret$ systemctl stop zapret
my@PC:/opt/zapret$ systemctl status zapret
● zapret.service
   Loaded: loaded (/opt/zapret/init.d/systemd/zapret.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Sat 2024-08-17 10:23:25 MSK; 2s ago
  Process: 1804 ExecStop=/opt/zapret/init.d/sysv/zapret stop (code=exited, status=0/SUCCESS)
  Process: 770 ExecStart=/opt/zapret/init.d/sysv/zapret start (code=exited, status=0/SUCCESS)

авг 17 09:40:41 PC zapret[770]: Creating ip list table (firewall type iptables)
авг 17 09:40:41 PC zapret[770]: setting high oom kill priority
авг 17 09:40:41 PC zapret[770]: reloading ipset backend (no-update)
авг 17 09:40:41 PC zapret[770]: Adding iptables rule for tpws (port 988) :  -p tcp -m multiport --dports 443
авг 17 09:40:41 PC systemd[1]: Started zapret.service.
авг 17 10:23:25 PC systemd[1]: Stopping zapret.service...
авг 17 10:23:25 PC zapret[1804]: Stopping daemon 1: /opt/zapret/tpws/tpws
авг 17 10:23:25 PC zapret[1804]: Clearing iptables
авг 17 10:23:25 PC zapret[1804]: Deleting iptables rule for tpws (port 988) :  -p tcp -m multiport --dports 443
авг 17 10:23:25 PC systemd[1]: Stopped zapret.service.
my@PC:/opt/zapret$ ping vk.com
PING vk.com (87.240.132.72) 56(84) bytes of data.
64 bytes from srv72-132-240-87.vk.com (87.240.132.72): icmp_seq=1 ttl=55 time=13.8 ms
64 bytes from srv72-132-240-87.vk.com (87.240.132.72): icmp_seq=2 ttl=55 time=13.3 ms
^C
--- vk.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 13.380/13.611/13.843/0.259 ms
my@PC:/opt/zapret$ telnet vk.com 443
Trying 87.240.132.72...
Trying 87.240.132.67...
Trying 87.240.137.164...
Trying 93.186.225.194...
Trying 87.240.132.78...
Trying 87.240.129.133...
telnet: Unable to connect to remote host: Connection refused
my@PC:/opt/zapret$ systemctl start zapret
my@PC:/opt/zapret$ telnet vk.com 443
Trying 87.240.132.72...
Connected to vk.com.
Escape character is '^]'.
^\Connection closed by foreign host.
my@PC:/opt/zapret$ sudo ufw status
Status: inactive

Removing it via uninstall_easy.sh does not change the situation. Could you please point me in the right direction? How do I fix L4 and return everything to how it was before the installation?

I am attaching the installation log from install_easy.sh:

my@PC:~/zapret$ ./install_easy.sh 
* checking system
system is based on systemd
* checking executables
found architecture "x86_64"
* checking privileges
root is required
[sudo] password for my: 
* checking system
system is based on systemd
* checking executables
found architecture "x86_64"
* checking privileges
* checking readonly system
* checking location

easy install is supported only from default location : /opt/zapret
currently its run from /home/my/zapret
do you want the installer to copy it for you (default : N) (Y/N) ? Y
relaunching itself from /opt/zapret
* checking system
system is based on systemd
* checking executables
found architecture "x86_64"
* checking privileges
* checking readonly system
* checking location
running from /opt/zapret
* checking DNS
system DNS is working
* checking virtualization
running on bare metal
* stopping zapret service
Failed to disable unit: Unit file zapret.service does not exist.
Failed to stop zapret.service: Unit zapret.service not loaded.

select firewall type :
1 : iptables
2 : nftables
your choice (default : iptables) : 
selected : iptables
* checking prerequisites
* installing prerequisites
packages required : curl ipset
Hit:1 http://ru.archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 http://ru.archive.ubuntu.com/ubuntu bionic-updates InRelease             
Hit:3 http://ru.archive.ubuntu.com/ubuntu bionic-backports InRelease           
Hit:4 http://ppa.launchpad.net/danielrichter2007/grub-customizer/ubuntu bionic InRelease
Hit:5 http://security.ubuntu.com/ubuntu bionic-security InRelease              
Hit:6 https://download.sublimetext.com apt/stable/ InRelease                   
Reading package lists... Done  
Reading package lists... Done
Building dependency tree       
Reading state information... Done
dnsutils is already the newest version (1:9.11.3+dfsg-1ubuntu1.18).
The following additional packages will be installed:
  libcurl4 libipset3
The following packages will be REMOVED:
  libcurl3
The following NEW packages will be installed:
  curl ipset libcurl4 libipset3
0 upgraded, 4 newly installed, 1 to remove and 0 not upgraded.
Need to get 457 kB of archives.
After this operation, 836 kB of additional disk space will be used.
Get:1 http://ru.archive.ubuntu.com/ubuntu bionic-updates/main amd64 libcurl4 amd64 7.58.0-2ubuntu3.24 [221 kB]
Get:2 http://ru.archive.ubuntu.com/ubuntu bionic-updates/main amd64 curl amd64 7.58.0-2ubuntu3.24 [159 kB]
Get:3 http://ru.archive.ubuntu.com/ubuntu bionic/main amd64 libipset3 amd64 6.34-1 [43,9 kB]
Get:4 http://ru.archive.ubuntu.com/ubuntu bionic/main amd64 ipset amd64 6.34-1 [33,7 kB]
Fetched 457 kB in 0s (1 170 kB/s) 
dpkg: libcurl3:amd64: dependency problems, but removing anyway as you requested:
 sublime-text depends on libcurl3 | libcurl4; however:
  Package libcurl3:amd64 is to be removed.
  Package libcurl4 is not installed.

(Reading database ... 173656 files and directories currently installed.)
Removing libcurl3:amd64 (7.58.0-2ubuntu2) ...
Selecting previously unselected package libcurl4:amd64.
(Reading database ... 173650 files and directories currently installed.)
Preparing to unpack .../libcurl4_7.58.0-2ubuntu3.24_amd64.deb ...
Unpacking libcurl4:amd64 (7.58.0-2ubuntu3.24) ...
Selecting previously unselected package curl.
Preparing to unpack .../curl_7.58.0-2ubuntu3.24_amd64.deb ...
Unpacking curl (7.58.0-2ubuntu3.24) ...
Selecting previously unselected package libipset3:amd64.
Preparing to unpack .../libipset3_6.34-1_amd64.deb ...
Unpacking libipset3:amd64 (6.34-1) ...
Selecting previously unselected package ipset.
Preparing to unpack .../ipset_6.34-1_amd64.deb ...
Unpacking ipset (6.34-1) ...
Setting up libcurl4:amd64 (7.58.0-2ubuntu3.24) ...
Setting up libipset3:amd64 (6.34-1) ...
Setting up ipset (6.34-1) ...
Setting up curl (7.58.0-2ubuntu3.24) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for libc-bin (2.27-3ubuntu1.6) ...
* installing binaries
x86_64 is OK
installing binaries ...
linking : ../binaries/x86_64/ip2net => /opt/zapret/ip2net
linking : ../binaries/x86_64/mdig => /opt/zapret/mdig
linking : ../binaries/x86_64/nfqws => /opt/zapret/nfq
linking : ../binaries/x86_64/tpws => /opt/zapret/tpws

enable ipv6 support (default : N) (Y/N) ? 

select MODE :
1 : tpws
2 : tpws-socks
3 : nfqws
4 : filter
5 : custom
your choice (default : tpws) : 1
selected : tpws

TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"
do you want to edit the options (default : N) (Y/N) ? 
select LAN interface to operate in router mode. select NONE for local outgoing traffic only.
WARNING ! This installer will not configure routing, NAT, ... for you. Its your responsibility.
LAN interface :
1 : NONE
2 : enp3s0
3 : lo
4 : wlp2s0
your choice (default : NONE) : 
selected : NONE
select WAN interface for tpws operations. select ANY to operate on any interface.
WAN interface :
1 : ANY
2 : enp3s0
3 : lo
4 : wlp2s0
your choice (default : ANY) : 
selected : ANY

enable http support (default : Y) (Y/N) ? 

enable https support (default : Y) (Y/N) ? 

select filtering :
1 : none
2 : ipset
3 : hostlist
4 : autohostlist
your choice (default : none) : 3
selected : hostlist

do you want to auto download ip/host list (default : Y) (Y/N) ? N
* installing zapret service
Created symlink /etc/systemd/system/multi-user.target.wants/zapret.service → /opt/zapret/init.d/systemd/zapret.service.
Created symlink /etc/systemd/system/zapret.service → /opt/zapret/init.d/systemd/zapret.service.
* downloading blocked ip/host list
setting high oom kill priority
clearing all known DNS caches
DNS is working
digging 6 ipv4 domains : /opt/zapret/ipset/zapret-hosts-user-exclude.txt
mdig stats : 00:00:00 : domains=6 success=4 error=2
digging 0 ipv4 domains : /opt/zapret/ipset/zapret-hosts-user-ipban.txt
mdig stats : 00:00:00 : domains=0 success=0 error=0
setting high oom kill priority
reloading ipset backend (forced-update)
Adding to ipset ipban : /opt/zapret/ipset/zapret-ip-user-ipban.txt
Adding to ipset nozapret : /opt/zapret/ipset/zapret-ip-exclude.txt
forcing zapret daemons to reload their hostlist
* installing zapret-list-update timer
Failed to disable unit: Unit file zapret-list-update.timer does not exist.
Failed to stop zapret-list-update.timer: Unit zapret-list-update.timer not loaded.
Created symlink /etc/systemd/system/timers.target.wants/zapret-list-update.timer → /opt/zapret/init.d/systemd/zapret-list-update.timer.
Created symlink /etc/systemd/system/zapret-list-update.timer → /opt/zapret/init.d/systemd/zapret-list-update.timer.
* starting zapret service

press enter to continue

bol-van commented 3 weeks ago

The iptables rules were not cleaned up. Perhaps you changed the config without stopping the service. Fix: iptables -t nat -F or a reboot.

alexgadai commented 3 weeks ago

Thanks, that helped.

Hi-Angel commented 3 weeks ago

"Perhaps you changed the config without stopping the service"

Sorry for the question: does zapret need to be stopped before changing the configs? I am simply used to configs being read at startup, so I don't stop anything and just restart zapret after changing the config. Does that mean my current results may stop reproducing after a reboot, because something is currently off with iptables?

bol-van commented 3 weeks ago

The iptables rules are deleted according to the config. If the settings have changed, the deletion targets entries that do not exist, while the old ones remain. Probably separate chains should have been used so they could be torn down without touching anything else, but for now the rules are inserted into the root chains, so tearing everything down would damage rules that are not zapret's.

nft does not have this problem: there is a separate table there. But on systems that are too old, nft and the kernel are old too; it won't fly.
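The mechanism the maintainer describes above (the stop script deletes the rule that the current config would have added, so a rule added under an earlier config survives and keeps redirecting TCP 443 to a tpws port where nothing listens any more, hence "Connection refused" while ping still works) can be checked for without flushing anything. The script below is an added example, not part of the zapret project or of this thread: it parses `iptables-save -t nat` style output and reports REDIRECT rules whose `--to-ports` target has no listener. The rule text and the list of listening ports are constructed samples; the live wrapper assumes `iptables-save` and `ss` are available and that it is run as root.

```bash
#!/bin/sh
# Added example (not zapret's own code): detect leftover nat REDIRECT rules that
# point at a port with no listening process, i.e. the state described in this issue.

# Constructed sample of `iptables-save -t nat` output. The 988 rule is the leftover:
# tpws is no longer running, but TCP 443 is still redirected to its port.
SAMPLE_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
-A OUTPUT -p tcp -m multiport --dports 443 -j REDIRECT --to-ports 988
-A OUTPUT -p tcp -m multiport --dports 80 -j REDIRECT --to-ports 8080
COMMIT'

# Constructed sample of listening TCP ports (what `ss -lntH` reports, reduced to port numbers).
SAMPLE_LISTENING_PORTS='22
8080'

# stale_redirects RULES PORTS
# Prints every REDIRECT rule in RULES whose --to-ports value is not listed in PORTS.
stale_redirects() {
    rules=$1
    ports=$2
    printf '%s\n' "$rules" | grep -- '-j REDIRECT' | while IFS= read -r rule; do
        # Extract the redirect target port; skip rules without a numeric --to-ports.
        to_port=$(printf '%s\n' "$rule" | sed -n 's/.*--to-ports \([0-9]*\).*/\1/p')
        [ -n "$to_port" ] || continue
        # A redirect to a port nobody listens on turns every matching connection
        # into an immediate RST, which is exactly the L4 failure in this issue.
        if ! printf '%s\n' "$ports" | grep -qx -- "$to_port"; then
            printf '%s\n' "$rule"
        fi
    done
}

# count_stale_redirects RULES PORTS: number of stale rules found (always exits 0).
count_stale_redirects() {
    stale_redirects "$1" "$2" | wc -l | tr -d ' '
}

# listening_tcp_ports: live list of local TCP listening ports, one per line (needs ss).
listening_tcp_ports() {
    ss -lntH | awk '{print $4}' | sed 's/.*://'
}

# audit_live: run the check against the real nat table (needs root, iptables-save, ss).
audit_live() {
    stale_redirects "$(iptables-save -t nat 2>/dev/null)" "$(listening_tcp_ports)"
}

# Stand-alone demonstration on the constructed sample.
echo "stale REDIRECT rules in sample:"
stale_redirects "$SAMPLE_NAT_RULES" "$SAMPLE_LISTENING_PORTS"
```

Running `audit_live` on the machine from this report while zapret is stopped would list the 443 to 988 rule; once the service is started again (and tpws listens on 988) the same rule disappears from the output, which matches the telnet behaviour above. The maintainer's remedy, `iptables -t nat -F` or a reboot, clears the leftover, with the caveat he raises himself: `-F` flushes every rule in the nat table, zapret's or not, precisely because the rules live in the root chains rather than in a dedicated chain or, as with nft, a dedicated table.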