Use iptables/ip6tables to drop GFW packets
Add to the China host:
Set the host's default hop limit to a value greater than 64.
ip6tables -t mangle -A OUTPUT -p tcp --tcp-flags RST RST -m hl --hl-gt 60 -j HL --hl-set 32
ip6tables -t mangle -A INPUT -p udp --sport 53 -m hl --hl-lt 65 -j DROP
ip6tables -t mangle -A FORWARD -p tcp --tcp-flags RST RST -m hl --hl-gt 60 -j HL --hl-set 32
Add to the relay host:
Set the host's default hop limit to a value greater than 64.
ip6tables -t mangle -A FORWARD -o he-ipv6 -i sit01 -p tcp --tcp-flags RST RST -m hl --hl-gt 60 -j DROP
ip6tables -t mangle -A INPUT -p tcp --tcp-flags RST RST -m hl --hl-gt 60 -j DROP
Avoid DNS query injection by the GFW:
ip6tables -t mangle -A OUTPUT -p udp --sport 53 -j HL --hl-inc 13