# Internet

### tor

{% stepper %}
{% step %}
Install [homebrew](https://guide.kodersha.ru/repo#homebrew).
{% endstep %}

{% step %}
{% code overflow="wrap" %}

```bash
brew install tor torsocks obfs4proxy
```

{% endcode %}
{% endstep %}

{% step %}
Create the directory for `DataDirectory`:

{% code overflow="wrap" %}

```bash
mkdir -p /home/linuxbrew/.linuxbrew/var/lib/tor && chmod 700 /home/linuxbrew/.linuxbrew/var/lib/tor
```

{% endcode %}
{% endstep %}

{% step %}
Create the configuration file:

{% code overflow="wrap" %}

```bash
nano /home/linuxbrew/.linuxbrew/etc/tor/torrc
```

{% endcode %}
{% endstep %}

{% step %}
Example configuration:

{% code title="torrc" overflow="wrap" %}

```ini
## Tor configuration for connecting through bridges

# Enable the use of bridges
UseBridges 1

# Specify how Tor connects to bridges using obfs4 (the pluggable transport binary to run)
ClientTransportPlugin obfs4 exec /home/linuxbrew/.linuxbrew/bin/obfs4proxy

# Add an obfs4 bridge

Bridge obfs4 89.217.174.207:9001 B64C5A360D530633CB2D8DEC5D19CA35C4360C93 cert=aJecxsni6mgSTU0BPz3v0W7GA+RmjuDFA7NF+KffQNydMX7npDvjqrCXRnzY0ym9EKlLTw iat-mode=0

# Do not run Tor as a daemon
RunAsDaemon 0

# SOCKS port
SocksPort 9050

DataDirectory /home/linuxbrew/.linuxbrew/var/lib/tor
```

{% endcode %}
{% endstep %}

{% step %}
Start the service:

{% code overflow="wrap" %}

```bash
brew services start tor
```

{% endcode %}
{% endstep %}
{% endstepper %}

SOCKS5 proxy address: `127.0.0.1:9050`
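A static check for a `torrc` like the one above, as an added example that is not part of the original guide: it flags a `SocksPort` bound to a non-loopback address, `UseBridges 1` without a `Bridge` line, and a bridge transport with no matching `ClientTransportPlugin`. The name `lint_torrc` and the two sample files are constructed for illustration; the bridge address, fingerprint and cert in them are placeholders.

```bash
#!/usr/bin/env bash
# Added example: static checks for a bridge-based torrc such as the one above.
# Prints one finding per line; returns 0 when clean, 1 when anything is found.
lint_torrc() {
  local findings
  findings=$(awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    { key = tolower($1) }                   # option names are case-insensitive
    key == "usebridges" && $2 == "1" { use_bridges = 1 }
    key == "clienttransportplugin" {        # "obfs4" or a list such as "obfs3,obfs4"
      n = split($2, names, ",")
      for (i = 1; i <= n; i++) plugin[names[i]] = 1
    }
    key == "bridge" {
      bridges++
      # "Bridge <transport> <addr:port> ..." names a transport;
      # "Bridge <addr:port> ..." is a plain bridge and needs no plugin.
      if ($2 !~ /^([0-9]|\[)/) need[$2] = 1
    }
    key == "socksport" && $2 ~ /:/ && $2 !~ /^(127\.|localhost:|\[::1\]:|unix:)/ {
      print "SocksPort is reachable from the network: " $2
    }
    END {
      if (use_bridges && !bridges) print "UseBridges 1 without any Bridge line"
      for (name in need)
        if (!(name in plugin)) print "no ClientTransportPlugin for transport " name
    }' "$1")
  if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
}

# Constructed sample input: 192.0.2.10 is a documentation address and the
# fingerprint and cert are placeholders, not a real bridge.
sample_dir=$(mktemp -d)
cat > "$sample_dir/good" <<'EOF'
UseBridges 1
ClientTransportPlugin obfs4 exec /home/linuxbrew/.linuxbrew/bin/obfs4proxy
Bridge obfs4 192.0.2.10:443 0000000000000000000000000000000000000000 cert=PLACEHOLDER iat-mode=0
SocksPort 9050
EOF
cat > "$sample_dir/bad" <<'EOF'
UseBridges 1
Bridge obfs4 192.0.2.10:443 0000000000000000000000000000000000000000 cert=PLACEHOLDER iat-mode=0
SocksPort 0.0.0.0:9050
EOF
lint_torrc "$sample_dir/good" && echo "good: clean"
lint_torrc "$sample_dir/bad"  || echo "bad: see findings above"
```

`tor --verify-config -f /home/linuxbrew/.linuxbrew/etc/tor/torrc` runs Tor's own validation of the file and complements these checks.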

### zapret

#### **Automatic setup**

{% stepper %}
{% step %}
Clone the repository:

{% code overflow="wrap" %}

```bash
git clone https://github.com/Sergeydigl3/zapret-discord-youtube-linux.git
```

{% endcode %}
{% endstep %}

{% step %}
Rename the directory to `.zapret` and change into it:

{% code overflow="wrap" %}

```bash
mv zapret-discord-youtube-linux .zapret && cd .zapret
```

{% endcode %}
{% endstep %}

{% step %}
Run the script:

{% code overflow="wrap" %}

```bash
sudo bash main_script.sh
```

{% endcode %}
{% endstep %}

{% step %}
Follow the prompts: select your network connection and a strategy.
{% endstep %}

{% step %}
Check that it works, then stop the script with <kbd>Ctrl</kbd> + <kbd>C</kbd>.
{% endstep %}

{% step %}
Run the service installation script:

{% code overflow="wrap" %}

```bash
sudo bash service.sh
```

{% endcode %}
{% endstep %}
{% endstepper %}

{% embed url="https://github.com/Sergeydigl3/zapret-discord-youtube-linux/tree/stable2" %}

#### **Manual setup**

{% hint style="danger" %}
This is only an example of a basic setup and service launch. The configuration may be outdated.
{% endhint %}

{% stepper %}
{% step %}
{% code overflow="wrap" %}

```bash
wget -qO- https://github.com/bol-van/zapret/releases/download/v71.3/zapret-v71.3.tar.gz | tar -xvz && cd zapret-v71.3 && ./install_bin.sh && ./install_prereq.sh
```

{% endcode %}
{% endstep %}

{% step %}
If needed, run the test:

{% code overflow="wrap" %}

```bash
./blockcheck.sh
```

{% endcode %}
{% endstep %}

{% step %}
Install the service, ignoring the installer's warnings:

{% code overflow="wrap" %}

```bash
./install_easy.sh
```

{% endcode %}
{% endstep %}

{% step %}
Edit the configuration file:

{% code overflow="wrap" %}

```bash
sudo nano /opt/zapret/config
```

{% endcode %}
{% endstep %}

{% step %}
Example configuration:

{% code title="/opt/zapret/config" overflow="wrap" %}

```bash
# this file is included from init scripts
# change values here

# can help in case /tmp has not enough space
#TMPDIR=/opt/zapret/tmp

# redefine user for zapret daemons. required on Keenetic
#WS_USER=nobody

# override firewall type : iptables,nftables,ipfw
FWTYPE=nftables
# nftables only : set this to 0 to use pre-nat mode. default is post-nat.
# pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log
#POSTNAT=0

# options for ipsets
# maximum number of elements in sets. also used for nft sets
SET_MAXELEM=522288
# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
# too large hashsize will waste lots of RAM
IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
# dynamically generate additional ip. $1 = ipset/nfset/table name
#IPSET_HOOK="/etc/zapret.ipset.hook"

# options for ip2net. "-4" or "-6" auto added by ipset create script
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
# options for auto hostlist
AUTOHOSTLIST_RETRANS_THRESHOLD=3
AUTOHOSTLIST_FAIL_THRESHOLD=3
AUTOHOSTLIST_FAIL_TIME=60
# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
AUTOHOSTLIST_DEBUGLOG=0

# number of parallel threads for domain list resolves
MDIG_THREADS=30

# ipset/*.sh can compress large lists
GZIP_LISTS=1
# command to reload ip/host lists after update
# comment or leave empty for auto backend selection : ipset or ipfw if present
# on BSD systems with PF no auto reloading happens. you must provide your own command
# set to "-" to disable reload
#LISTS_RELOAD="pfctl -f /etc/pf.conf"

# mark bit used by nfqws to prevent loop
DESYNC_MARK=0x40000000
DESYNC_MARK_POSTNAT=0x20000000

# do not pass outgoing traffic to tpws/nfqws not marked with this bit
# this setting allows to write your own rules to limit traffic that should be fooled
# for example based on source IP or incoming interface name
# no filter if not defined
#FILTER_MARK=0x10000000

TPWS_SOCKS_ENABLE=0
# tpws socks listens on this port on localhost and LAN interfaces
TPPORT_SOCKS=987
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_SOCKS_OPT="
--filter-tcp=80 --methodeol <HOSTLIST> --new
--filter-tcp=443 --split-pos=1,midsld --disorder <HOSTLIST>
"

TPWS_ENABLE=0
TPWS_PORTS=80,443
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_OPT="
--filter-tcp=80 --methodeol <HOSTLIST> --new
--filter-tcp=443 --split-pos=1,midsld --disorder <HOSTLIST>
"

NFQWS_ENABLE=1
# redirect outgoing traffic with connbytes limiter applied in both directions.
NFQWS_PORTS_TCP=80,443
NFQWS_PORTS_UDP=443
# PKT_OUT means connbytes dir original
# PKT_IN means connbytes dir reply
# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_TCP_PKT_IN=3
NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_UDP_PKT_IN=0
# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
# normally it's needed only for stateless DPI that matches every packet in a single TCP session
# typical example are plain HTTP keep alives
# this mode can be very CPU consuming. enable with care !
#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
NFQWS_OPT="
--filter-tcp=443
--dpi-desync=multisplit
--dpi-desync-split-pos=1,sniext+1
--dpi-desync-split-seqovl=1
--new
--filter-udp=443
--dpi-desync=fake
--dpi-desync-repeats=2
--dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin
"

# none,ipset,hostlist,autohostlist
MODE_FILTER=ipset,hostlist

# donttouch,none,software,hardware
FLOWOFFLOAD=donttouch

# openwrt: specify networks to be treated as LAN. default is "lan"
# OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
# OPENWRT_WAN4="wan vpn"
# OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.
# CHOOSE LAN and optionally WAN/WAN6 NETWORK INTERFACES
# or leave them commented if its not router
# it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2"
# if IFACE_WAN6 is not defined it take the value of IFACE_WAN
# IFACE_LAN=enp3s0
# IFACE_WAN=wlo1
# IFACE_WAN6="ipsec0 wireguard0 he_net"

# should start/stop command of init scripts apply firewall rules ?
# not applicable to openwrt with firewall3+iptables
INIT_APPLY_FW=1
# firewall apply hooks
#INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
#INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
#INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
#INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"

# do not work with ipv4
#DISABLE_IPV4=0
# do not work with ipv6
DISABLE_IPV6=0

# drop icmp time exceeded messages for nfqws tampered connections
# in POSTNAT mode this can interfere with default mtr/traceroute in tcp or udp mode. use source port not redirected to nfqws
# set to 0 if you are not expecting connection breakage due to icmp in response to TCP SYN or UDP
FILTER_TTL_EXPIRED_ICMP=1

# select which init script will be used to get ip or host list
# possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
# comment if not required
GETLIST=get_antizapret_domains.sh
```

{% endcode %}
{% endstep %}

{% step %}
If needed, edit the host list:

{% code overflow="wrap" %}

```bash
sudo nano /opt/zapret/ipset/zapret-hosts-user.txt
```

{% endcode %}
{% endstep %}

{% step %}
{% code title="zapret-hosts-user.txt" overflow="wrap" %}

```
googlevideo.com
googleapis.com
i.ytimg.com
i9.ytimg.com
wide-youtube.l.google.com
youtu.be
youtube.com
youtube.googleapis.com
yt3.ggpht.com
yt3.googleusercontent.com
```

{% endcode %}
{% endstep %}

{% step %}
Disable `firewalld`:

{% code overflow="wrap" %}

```bash
sudo systemctl disable firewalld
```

{% endcode %}
{% endstep %}

{% step %}
Configure the service:

{% code overflow="wrap" %}

```bash
sudo nano /etc/rc.d/rc.local && sudo chmod 755 /etc/rc.d/rc.local
```

{% endcode %}
{% endstep %}

{% step %}
{% code title="rc.local" overflow="wrap" %}

```bash
#!/bin/bash

exec bash /opt/zapret/init.d/sysv/zapret start
```

{% endcode %}
{% endstep %}

{% step %}
Create the service file:

{% code overflow="wrap" %}

```bash
sudo nano /etc/systemd/system/rc-local.service
```

{% endcode %}
{% endstep %}

{% step %}
{% code title="rc-local.service" %}

```ini
[Unit]
Description=Compatibility rc.local
ConditionPathExists=/etc/rc.d/rc.local

[Service]
Type=forking
ExecStart=/etc/rc.d/rc.local
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
```

{% endcode %}
{% endstep %}

{% step %}
Start the service:

{% code overflow="wrap" %}

```bash
sudo systemctl daemon-reload && sudo systemctl enable --now rc-local.service
```

{% endcode %}
{% endstep %}
{% endstepper %}
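The first step of the manual setup pipes the downloaded archive straight into `tar` and then runs its install scripts. The added example below (not from the zapret project or the original guide) downloads to a file first, compares its SHA-256 with a pinned value, and refuses archives with absolute or `..` member paths before unpacking. `sha256_of` and `verify_and_extract` are hypothetical names, and `<EXPECTED_SHA256>` is a placeholder for a digest obtained from a source you trust.

```bash
#!/usr/bin/env bash
# Added example: verify a release archive before unpacking and running it.

# sha256_of FILE -> hex digest (sha256sum where available, shasum otherwise)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 DESTDIR
# returns 0 = extracted, 2 = digest mismatch, 3 = unsafe member path
verify_and_extract() {
  local archive=$1 expected=$2 dest=$3 actual
  actual=$(sha256_of "$archive") || return 2
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch: got $actual" >&2; return 2
  fi
  # Refuse absolute paths and ".." components in member names.
  if tar -tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
    echo "archive contains unsafe member paths" >&2; return 3
  fi
  mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# How it maps onto the step above (the digest is a placeholder):
#   url=https://github.com/bol-van/zapret/releases/download/v71.3/zapret-v71.3.tar.gz
#   wget -q -O zapret-v71.3.tar.gz "$url"
#   verify_and_extract zapret-v71.3.tar.gz "<EXPECTED_SHA256>" . &&
#     cd zapret-v71.3 && ./install_bin.sh && ./install_prereq.sh

# Constructed demo archive so the example runs offline.
demo=$(mktemp -d)
mkdir "$demo/src" && echo 'echo installer' > "$demo/src/install_bin.sh"
tar -czf "$demo/pkg.tar.gz" -C "$demo" src
pinned=$(sha256_of "$demo/pkg.tar.gz")
verify_and_extract "$demo/pkg.tar.gz" "$pinned" "$demo/out" && echo "verified and extracted"
echo tampered >> "$demo/pkg.tar.gz"   # simulate a download that was modified
verify_and_extract "$demo/pkg.tar.gz" "$pinned" "$demo/out2" || echo "rejected: exit $?"
```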

### Hosts

{% stepper %}
{% step %}
{% code overflow="wrap" %}

```sh
sudo nano /etc/hosts
```

{% endcode %}
{% endstep %}

{% step %}
{% code overflow="wrap" %}

```
# Facebook
31.13.72.36     facebook.com
31.13.72.36     www.facebook.com
31.13.72.12     external-hel3-1.xx.fbcdn.net
31.13.72.12     scontent-hel3-1.xx.fbcdn.net
31.13.72.12     static.xx.fbcdn.net
31.13.72.53     static.cdninstagram.com
157.240.224.63  scontent.cdninstagram.com
157.240.224.63  scontent-hel3-1.cdninstagram.com
157.240.225.174 instagram.com
157.240.225.174 www.instagram.com
157.240.245.174 b.i.instagram.com
157.240.245.174 z-p42-chat-e2ee-ig.facebook.com
157.240.224.63  threads.com
157.240.224.63  www.threads.com

# Proton
3.66.189.153    mail.proton.me
3.66.189.153    protonmail.com

# OpenAI / ChatGPT
134.0.118.88    ab.chatgpt.com
134.0.118.88    android.chat.openai.com
134.0.118.88    api.openai.com
134.0.118.88    auth.openai.com
134.0.118.88    auth0.openai.com
134.0.118.88    cdn.auth0.com
134.0.118.88    cdn.oaistatic.com
134.0.118.88    chatgpt.com
134.0.118.88    platform.openai.com
134.0.118.88    tcr9i.chat.openai.com
134.0.118.88    us.posthog.com
134.0.118.88    webrtc.chatgpt.com
95.81.117.88    sora.chatgpt.com
95.81.117.88    sora.com
95.81.117.88    videos.openai.com

# Google
134.0.118.88    gemini.google.com
84.21.191.240   alkalimakersuite-pa.clients6.google.com
84.21.191.240   aisandbox-pa.googleapis.com
84.21.191.240   labs.google
84.21.191.240   o.pki.goog
89.108.98.20    notebooklm.google
89.108.98.20    notebooklm.google.com

# Microsoft / GitHub Copilot
45.95.233.23    copilot.microsoft.com
45.95.233.23    edgeservices.bing.com
45.95.233.23    rewards.bing.com
45.95.233.23    sydney.bing.com
45.95.233.23    xsts.auth.xboxlive.com
89.108.98.20    api.individual.githubcopilot.com
89.108.98.20    proxy.individual.githubcopilot.com

# Spotify
84.21.191.240   aet.spotify.com
84.21.191.240   api-partner.spotify.com
84.21.191.240   api.spotify.com
84.21.191.240   appresolve.spotify.com
84.21.191.240   gew1-dealer.spotify.com
84.21.191.240   gew1-spclient.spotify.com
84.21.191.240   login.app.spotify.com
84.21.191.240   login5.spotify.com
84.21.191.240   spclient.wg.spotify.com
84.21.191.240   www.spotify.com
84.21.191.240   accounts.spotify.com
84.21.191.240   spotifycdn.com
84.21.191.240   open-exp.spotifycdn.com
84.21.191.240   ap-gew1.spotify.com
84.21.191.240   xpui.app.spotify.com

# Notion
84.21.191.240   calendar.notion.so
84.21.191.240   notion.so
84.21.191.240   www.notion.so

# Canva
50.7.85.222     www.canva.com

# NVIDIA
204.12.192.220  developer.nvidia.com

# Dell
204.12.192.219  www.dell.com

# Codeium
50.7.87.85      codeium.com
50.7.85.219     inference.codeium.com

# JetBrains
50.7.85.221     datalore.jetbrains.com
107.150.34.100  plugins.jetbrains.com

# Pixabay
84.21.191.240   pixabay.com
84.21.191.240   cdn.pixabay.com

# TikTok
84.21.191.240   mcs-sg.tiktok.com
84.21.191.240   mon.tiktokv.com
84.21.191.240   www.tiktok.com

# ElevenLabs
84.21.191.240   api.us.elevenlabs.io
84.21.191.240   elevenlabs.io
84.21.191.240   elevenreader.io

# Truth Social
204.12.192.221  static-assets-1.truthsocial.com
204.12.192.221  truthsocial.com

# Grok / xAI
185.250.151.49  accounts.x.ai
185.250.151.49  assets.grok.com
185.250.151.49  grok.com

# Autodesk
94.131.119.85   accounts.autodesk.com
94.131.119.85   autodesk.com

# Netflix
158.255.0.189   netflix.com
158.255.0.189   www.netflix.com

# Hulu
2.19.183.66     www.hulu.com
2.22.31.233     hulu.com

# SoundCloud
3.164.206.34    a-v2.sndcdn.com
13.224.222.71   style.sndcdn.com
18.165.140.56   secure.sndcdn.com
18.238.243.27   soundcloud.com

# Anilib
172.67.192.246  anilib.me

# NTC.party
130.255.77.28   ntc.party

# PUMP.fun
84.21.191.240   frontend-api-v3.pump.fun
84.21.191.240   images.pump.fun
84.21.191.240   pump.fun
84.21.191.240   swap-api.pump.fun

# DeepL
45.95.233.23    deepl.com
45.95.233.23    www.deepl.com
45.95.233.23    s.deepl.com
45.95.233.23    login-wall.deepl.com
45.95.233.23    w.deepl.com
45.95.233.23    experimentation.deepl.com
45.95.233.23    gtm.deepl.com
45.95.233.23    ita-free.www.deepl.com
84.21.191.240   checkout.www.deepl.com

# Intel
84.21.191.240   www.intel.com

# DNS Malware link
104.21.24.110   info.dns.malw.link

# Rutracker
172.67.182.196  rutracker.org
104.21.50.150   static.rutracker.cc

# Rutor
172.64.33.155   d.rutor.info
172.64.33.155   rutor.info
173.245.59.155  rutor.is
0.0.0.0         rutor.org
```

{% endcode %}
{% endstep %}
{% endstepper %}
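An added example (not part of the original guide) for reviewing a block of overrides like the one above before it goes into `/etc/hosts`: it groups names by address, reports addresses that would receive traffic for two or more unrelated domains, and reports names mapped to more than one address. `audit_hosts` is a hypothetical name, the registrable domain is approximated by the last two labels, and the sample entries are constructed with documentation addresses.

```bash
#!/usr/bin/env bash
# Added example: summarize what a hosts file redirects, and where.
# Output lines (sorted):
#   conflict <name> <first-ip> <other-ip>
#   shared <ip> <number-of-domains> <domain> ...
audit_hosts() {
  awk '
    { sub(/#.*/, "") }                      # strip comments
    NF < 2 || $1 ~ /^(127\.|::1$)/ { next } # skip blanks and loopback entries
    {
      ip = $1
      for (i = 2; i <= NF; i++) {
        name = tolower($i)
        if (!(name in first)) first[name] = ip
        else if (first[name] != ip) print "conflict " name " " first[name] " " ip
        # Approximation: treat the last two labels as the registrable domain.
        n = split(name, label, ".")
        site = (n >= 2) ? label[n-1] "." label[n] : name
        if (!((ip, site) in pair)) {
          pair[ip, site] = 1
          count[ip]++
          sites[ip] = sites[ip] " " site
        }
      }
    }
    END {
      for (ip in count)
        if (count[ip] >= 2) print "shared " ip " " count[ip] sites[ip]
    }' "$1" | sort
}

# Constructed sample (documentation addresses, example domains).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Music
198.51.100.7   api.music.example
198.51.100.7   cdn.music.example
198.51.100.7   www.notes.example
203.0.113.5    video.example
203.0.113.9    video.example   # second mapping for the same name
127.0.0.1      localhost
EOF
audit_hosts "$sample"
```

Every address listed as `shared` terminates the TCP connection for all of the domains next to it, so certificate validation in the client is the only thing that still ties the session to the real service.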
