Zapret works in the browser but not system-wide

Hello, zapret runs without problems on my system, and from the browser I can reach discord.com and use it however I like. I am leaving the logs showing that zapret is running:

❯ sudo systemctl status zapret
● zapret.service
     Loaded: loaded (/usr/lib/systemd/system/zapret.service; enabled; preset: disabled)
     Active: active (running) since Tue 2025-02-04 19:05:31 +03; 7min ago
 Invocation: fb6e42ebeb624c59a837593ddd398fe0
    Process: 1431679 ExecStart=/opt/zapret/init.d/sysv/zapret start (code=exited, status=0/SUCCESS)
      Tasks: 1 (limit: 37279)
     Memory: 568K (peak: 7.8M)
        CPU: 105ms
     CGroup: /system.slice/zapret.service
             └─1431733 /opt/zapret/nfq/nfqws --user=tpws --dpi-desync-fwmark=0x40000000 --qnum=200 --filter-tcp=80 --dpi-desync=fake multisplit --dpi-desync-split-pos=method+2 --dpi-desync-fooling=md5sig --new --filter-tcp=443 >

Feb 04 19:05:31 bellum zapret[1431679]: --filter-tcp=443 --dpi-desync=fake,multidisorder --dpi-desync-split-pos=1,midsld --dpi-desync-fooling=badseq,md5sig  --new
Feb 04 19:05:31 bellum zapret[1431679]: --filter-udp=443 --dpi-desync=fake --dpi-desync-repeats=6
Feb 04 19:05:31 bellum zapret[1431679]: Applying nftables
Feb 04 19:05:31 bellum zapret[1431679]: Creating ip list table (firewall type nftables)
Feb 04 19:05:31 bellum zapret[1431739]: setting high oom kill priority
Feb 04 19:05:31 bellum zapret[1431739]: reloading nftables set backend (no-update)
Feb 04 19:05:31 bellum zapret[1431679]: Inserting nftables ipv4 rule for nfqws postrouting (qnum 200) : tcp dport {80,443} ct original packets 1-9
Feb 04 19:05:31 bellum zapret[1431679]: Inserting nftables ipv4 rule for nfqws prerouting (qnum 200) : tcp sport {80,443} ct reply packets 1-3
Feb 04 19:05:31 bellum zapret[1431679]: Inserting nftables ipv4 rule for nfqws postrouting (qnum 200) : udp dport {443} ct original packets 1-9
Feb 04 19:05:31 bellum systemd[1]: Started zapret.service.

I am also leaving zapret's config:

# this file is included from init scripts
# change values here

# can help in case /tmp has not enough space
#TMPDIR=/opt/zapret/tmp

# redefine user for zapret daemons. required on Keenetic
#WS_USER=nobody

# override firewall type : iptables,nftables,ipfw
FWTYPE=nftables
# nftables only : set this to 0 to use pre-nat mode. default is post-nat.
# pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log
#POSTNAT=0

# options for ipsets
# maximum number of elements in sets. also used for nft sets
SET_MAXELEM=522288
# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
# too large hashsize will waste lots of RAM
IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
# dynamically generate additional ip. $1 = ipset/nfset/table name
#IPSET_HOOK="/etc/zapret.ipset.hook"

# options for ip2net. "-4" or "-6" auto added by ipset create script
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
# options for auto hostlist
AUTOHOSTLIST_RETRANS_THRESHOLD=3
AUTOHOSTLIST_FAIL_THRESHOLD=3
AUTOHOSTLIST_FAIL_TIME=60
# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
AUTOHOSTLIST_DEBUGLOG=0

# number of parallel threads for domain list resolves
MDIG_THREADS=30

# ipset/*.sh can compress large lists
GZIP_LISTS=1
# command to reload ip/host lists after update
# comment or leave empty for auto backend selection : ipset or ipfw if present
# on BSD systems with PF no auto reloading happens. you must provide your own command
# set to "-" to disable reload
#LISTS_RELOAD="pfctl -f /etc/pf.conf"

# mark bit used by nfqws to prevent loop
DESYNC_MARK=0x40000000
DESYNC_MARK_POSTNAT=0x20000000

TPWS_SOCKS_ENABLE=0
# tpws socks listens on this port on localhost and LAN interfaces
TPPORT_SOCKS=987
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_SOCKS_OPT="
--hostspell=hoSt --new
--hosttab --new
--hostpad=16384 --new
--methodspace --new
--tlsrec=midsld --new
--tlsrec=midsld --oob --new
--tlsrec=midsld --disorder --new
--tlsrec=midsld --oob --disorder
"

TPWS_ENABLE=0
TPWS_PORTS=80,443
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
TPWS_OPT="
--hostspell=hoSt --new
--hosttab --new
--hostpad=16384 --new
--methodspace --new
--tlsrec=midsld --new
--tlsrec=midsld --oob --new
--tlsrec=midsld --disorder --new
--tlsrec=midsld --oob --disorder
"

NFQWS_ENABLE=1
# redirect outgoing traffic with connbytes limiter applied in both directions.
NFQWS_PORTS_TCP=80,443
NFQWS_PORTS_UDP=443
# PKT_OUT means connbytes dir original
# PKT_IN means connbytes dir reply
# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_TCP_PKT_IN=3
NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
NFQWS_UDP_PKT_IN=0
# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
# normally it's needed only for stateless DPI that matches every packet in a single TCP session
# typical example are plain HTTP keep alives
# this mode can be very CPU consuming. enable with care !
#NFQWS_PORTS_TCP_KEEPALIVE=80
#NFQWS_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
NFQWS_OPT="
--filter-tcp=80 --dpi-desync=fake,multisplit --dpi-desync-split-pos=method+2 --dpi-desync-fooling=md5sig <HOSTLIST> --new
--filter-tcp=443 --dpi-desync=fake,multidisorder --dpi-desync-split-pos=1,midsld --dpi-desync-fooling=badseq,md5sig <HOSTLIST> --new
--filter-udp=443 --dpi-desync=fake --dpi-desync-repeats=6 <HOSTLIST_NOAUTO>
"

# none,ipset,hostlist,autohostlist
MODE_FILTER=none

# openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=none

# openwrt: specify networks to be treated as LAN. default is "lan"
#OPENWRT_LAN="lan lan2 lan3"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
#OPENWRT_WAN4="wan vpn"
#OPENWRT_WAN6="wan6 vpn6"

# for routers based on desktop linux and macos. has no effect in openwrt.
# CHOOSE LAN and optionally WAN/WAN6 NETWORK INTERFACES
# or leave them commented if it's not a router
# it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2"
# if IFACE_WAN6 is not defined it takes the value of IFACE_WAN
IFACE_LAN=eno1
#IFACE_WAN=
#IFACE_WAN6="ipsec0 wireguard0 he_net"

# should start/stop command of init scripts apply firewall rules ?
# not applicable to openwrt with firewall3+iptables
INIT_APPLY_FW=1
# firewall apply hooks
#INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
#INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
#INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
#INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"

# do not work with ipv4
#DISABLE_IPV4=1
# do not work with ipv6
DISABLE_IPV6=1

# select which init script will be used to get ip or host list
# possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
# comment if not required
#GETLIST=

But there is a big problem: I cannot get access system-wide. For example, when I try to reach Discord using curl, I run into an error:

❯ curl https://discord.com/api/v10
curl: (35) Recv failure: Connection reset by peer

But when I use the same curl with the --http3 parameter, I can access it without any problem:

❯ curl --http3 https://discord.com/api/v10
{"message": "internal network error", "code": 40333}% 

Likewise, when I type discord in the terminal and run it, it gets stuck at the "updating" stage and never opens.

❯ discord
Discord 0.0.82

(discord:1431851): Gtk-WARNING **: 19:05:39.776: Theme parsing error: gtk.css:3213:16: Unit is missing.
Starting app.
Starting updater.
2/4/2025, 7:05:39 PM GMT+3 [Modules] Modules initializing
2/4/2025, 7:05:39 PM GMT+3 [Modules] Distribution: remote
2/4/2025, 7:05:39 PM GMT+3 [Modules] Host updates: enabled
2/4/2025, 7:05:39 PM GMT+3 [Modules] Module updates: enabled
2/4/2025, 7:05:39 PM GMT+3 [Modules] Module install path: /home/burak/.config/discord/0.0.82/modules
2/4/2025, 7:05:39 PM GMT+3 [Modules] Module installed file path: /home/burak/.config/discord/0.0.82/modules/installed.json
2/4/2025, 7:05:39 PM GMT+3 [Modules] Module download path: /home/burak/.config/discord/0.0.82/modules/pending
splashScreen.initSplash(false)
CDM component API found

(discord:1431851): Gtk-WARNING **: 19:05:39.845: Theme parsing error: gtk-dark.css:3213:16: Unit is missing.
blackbox: 2/4/2025, 7:05:39 PM GMT+3 0 

----------------------------------------------
CDM completed with status: cdm-ready-success
blackbox: 2/4/2025, 7:05:39 PM GMT+3 1 Discord starting: {"releaseChannel":"stable","version":"0.0.82"}, modulepath: /home/burak/.config/discord/0.0.82/modules
blackbox: 2/4/2025, 7:05:39 PM GMT+3 2 ✅ webContents.created web1 "index.html"
blackbox: 2/4/2025, 7:05:39 PM GMT+3 3 ✅ window.created win1 "discord"
src/gbm_drv_common.c:131: GBM-DRV error (get_bytes_per_component): Unknown or not supported format: 808530000

src/gbm_drv_common.c:131: GBM-DRV error (get_bytes_per_component): Unknown or not supported format: 808530000

src/gbm_drv_common.c:131: GBM-DRV error (get_bytes_per_component): Unknown or not supported format: 808530000

src/gbm_drv_common.c:131: GBM-DRV error (get_bytes_per_component): Unknown or not supported format: 808530000

src/gbm_drv_common.c:131: GBM-DRV error (get_bytes_per_component): Unknown or not supported format: 808530000

src/gbm_drv_common.c:131: GBM-DRV error (get_bytes_per_component): Unknown or not supported format: 808530000

src/gbm_drv_common.c:131: GBM-DRV error (get_bytes_per_component): Unknown or not supported format: 808530000

src/gbm_drv_common.c:131: GBM-DRV error (get_bytes_per_component): Unknown or not supported format: 808530000

src/gbm_drv_common.c:131: GBM-DRV error (get_bytes_per_component): Unknown or not supported format: 808530000

src/gbm_drv_common.c:131: GBM-DRV error (get_bytes_per_component): Unknown or not supported format: 808530000

19:05:40.158 › DiscordSplash.signalReady
splashScreen: SPLASH_SCREEN_READY
2/4/2025, 7:05:40 PM GMT+3 [Modules] No updates to install
splashScreen: no-pending-updates
2/4/2025, 7:05:40 PM GMT+3 [Modules] Checking for host updates.
splashScreen: checking-for-updates
splashScreen.updateSplashState checking-for-updates checking-for-updates {}
splashScreen.webContentsSend: SPLASH_UPDATE_STATE SPLASH_UPDATE_STATE [ { status: 'checking-for-updates' } ]
19:05:40.163 › DiscordSplash.onStateUpdate: {"status":"checking-for-updates"}
19:05:40.163 › Splash.onStateUpdate: {"status":"checking-for-updates"}
[1431851:0204/190540.164429:ERROR:mime_util_xdg.cc(137)] Invalid mime.cache file does not contain null prior to ALIAS_LIST_OFFSET=44
blackbox: 2/4/2025, 7:05:40 PM GMT+3 4 ✅ webContents.did-finish-load web1
Error downloading with electron net: net::ERR_CONNECTION_RESET
Falling back to node net library..
[Updates] Error fetching https://discord.com/api/updates/stable?platform=linux&version=0.0.82: read ECONNRESET
2/4/2025, 7:05:40 PM GMT+3 [Modules] Host update failed: Error: read ECONNRESET
splashScreen: update-check-finished false 0 false
splashScreen.scheduleUpdateCheck: updateAttempt = 0
splashScreen.updateSplashState update-failure update-failure { seconds: 10 }
splashScreen.webContentsSend: SPLASH_UPDATE_STATE SPLASH_UPDATE_STATE [ { status: 'update-failure', seconds: 10 } ]
19:05:40.954 › DiscordSplash.onStateUpdate: {"status":"update-failure","seconds":10}
19:05:40.954 › Splash.onStateUpdate: {"status":"update-failure","seconds":10}
19:05:41.158 › Splash.updateCountdownSeconds: 10
19:05:42.158 › Splash.updateCountdownSeconds: 9
19:05:43.158 › Splash.updateCountdownSeconds: 8
...

What could be causing the problem?

Last edited by: @burakbey 2025-02-05T22:20:07Z

I don't know anything about zapret, but it may be useful to look at the topic at the following link.


Hello, I have already followed a setup like that.

Did you share the error output with GPT?

From what I researched on the internet, the reason is that zapret works with browsers because browsers send their DNS queries over HTTPS, whereas other applications use the system DNS address and send their requests without encryption, which is why zapret does not work for them.

On Reddit, someone managed to get zapret working system-wide by changing the /etc/systemd/resolved.conf file, but I could not fully understand how the change was made, so it would be good if you took a look at it too.

Or, as another alternative, you could try enabling the system-wide "DNS over HTTPS" setting.

Sources I used:
https://www.reddit.com/r/animepiracy/comments/12jxpfv/query_regarding_unblocking_nyaa_using_zapret/

Hello, first of all thank you for your help. I have a Raspberry Pi at home running Pi-hole, and Pi-hole is set up with DNSCrypt-Proxy, which also runs on the Raspberry Pi, as its upstream. So, in short, I use DoT/DoH system-wide; the ISP interfering with it is out of the question. I can prove it to you like this:

❯ dig discord.com

; <<>> DiG 9.20.5 <<>> discord.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54630
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;discord.com.			IN	A

;; ANSWER SECTION:
discord.com.		1721	IN	A	162.159.137.232
discord.com.		1721	IN	A	162.159.138.232
discord.com.		1721	IN	A	162.159.135.232
discord.com.		1721	IN	A	162.159.136.232
discord.com.		1721	IN	A	162.159.128.233

;; Query time: 0 msec
;; SERVER: 192.168.0.135#53(192.168.0.135) (UDP)
;; WHEN: Wed Feb 05 18:35:09 +03 2025
;; MSG SIZE  rcvd: 120


❯ nslookup discord.com
Server:		192.168.0.135
Address:	192.168.0.135#53

Non-authoritative answer:
Name:	discord.com
Address: 162.159.128.233
Name:	discord.com
Address: 162.159.137.232
Name:	discord.com
Address: 162.159.138.232
Name:	discord.com
Address: 162.159.135.232
Name:	discord.com
Address: 162.159.136.232

As you can see, I can reach the DNS records without any problem. We can also see, again using curl, that the problem does not come from DNS either:

❯ curl -v https://discord.com/api/v10
* Host discord.com:443 was resolved.
* IPv6: (none)
* IPv4: 162.159.136.232, 162.159.128.233, 162.159.137.232, 162.159.138.232, 162.159.135.232
*   Trying 162.159.136.232:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* Recv failure: Connection reset by peer
* TLS connect error: error:00000000:lib(0)::reason(0)
* OpenSSL SSL_connect: Connection reset by peer in connection to discord.com:443 
* closing connection #0
curl: (35) Recv failure: Connection reset by peer

As you can see, curl reaches the DNS records without any problem. As far as I understand, the ISP cuts the connection after the Client Hello.

If zapret were broken, I could not use it from the browser either; I really cannot make sense of why it works from the browser but not from the terminal or from desktop applications.

Edit:
I think I am able to get in from the browser because Firefox uses HTTP3:
[image]
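A small diagnostic for the kind of comparison made in this thread (curl -v over TCP, the same request with curl --http3, and the Discord updater's log): it classifies a transcript by the last connection stage reached before a reset, so "DNS failed", "reset during TCP connect", "reset right after the Client Hello" and "server answered" are told apart mechanically instead of by eye. This is an added example written for this page, not code from zapret or from any of the posters. The curl and Discord lines it reads are the ones quoted in the posts above plus a few constructed ones for the other outcomes; the stage names, verdict strings and the example.com/203.0.113.10 values are my own.

```python
import re

# Milestones of an HTTPS request in the order curl -v reports them.
# Reaching a later milestone implies the earlier ones succeeded, so the
# highest one seen tells how far the connection got before it failed.
STAGES = [
    ("dns_resolved",      re.compile(r"^\* Host \S+ was resolved\.")),
    ("tcp_connecting",    re.compile(r"^\*\s+Trying \S+\.\.\.")),
    ("client_hello_sent", re.compile(r"TLS handshake, Client hello \(1\)")),
    ("server_hello_rcvd", re.compile(r"TLS handshake, Server hello \(2\)")),
    ("tls_established",   re.compile(r"^\* SSL connection using ")),
]
STAGE_INDEX = {name: i for i, (name, _) in enumerate(STAGES)}

# Reset markers as printed by curl/OpenSSL, Node (the Discord updater) and Electron.
RESET = re.compile(r"Connection reset by peer|ECONNRESET|ERR_CONNECTION_RESET")
DNS_FAIL = re.compile(r"Could not resolve host")


def classify(log: str) -> dict:
    """Return the last stage reached, whether a reset was seen, and a verdict string."""
    last = -1
    reset = dns_fail = False
    for line in log.splitlines():
        for name, pat in STAGES:
            if pat.search(line):
                last = max(last, STAGE_INDEX[name])
        reset = reset or bool(RESET.search(line))
        dns_fail = dns_fail or bool(DNS_FAIL.search(line))
    stage = STAGES[last][0] if last >= 0 else "none"
    if dns_fail:
        verdict = "dns_failure"                # never got an address; not a DPI symptom
    elif last >= STAGE_INDEX["server_hello_rcvd"]:
        verdict = "tls_handshake_ok"           # the server answered the Client Hello
    elif last == STAGE_INDEX["client_hello_sent"] and reset:
        verdict = "reset_after_client_hello"   # TCP worked; RST came once the SNI was on the wire
    elif last == STAGE_INDEX["tcp_connecting"] and reset:
        verdict = "reset_before_client_hello"  # RST during the TCP handshake itself
    elif reset:
        verdict = "reset_unknown_stage"        # app log without curl-style stage lines
    else:
        verdict = "inconclusive"
    return {"last_stage": stage, "reset": reset, "verdict": verdict}


def compare_transports(tcp_curl_log: str, http3_body: str) -> str:
    """Combine the TCP/TLS verdict with the outcome of the same request over
    curl --http3. Any HTTP body (even an API error) proves the QUIC path completed."""
    tcp = classify(tcp_curl_log)["verdict"]
    quic_ok = http3_body.strip().startswith(("{", "<", "["))
    if tcp == "reset_after_client_hello" and quic_ok:
        return "tcp_tls_blocked_quic_passes"
    if tcp == "tls_handshake_ok":
        return "both_paths_ok" if quic_ok else "tcp_ok_quic_fails"
    return "quic_passes_only" if quic_ok else "both_paths_fail"


# Transcript quoted from the thread: curl -v against discord.com over TCP.
CURL_RESET = """\
* Host discord.com:443 was resolved.
* IPv6: (none)
* IPv4: 162.159.136.232, 162.159.128.233, 162.159.137.232, 162.159.138.232, 162.159.135.232
*   Trying 162.159.136.232:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* Recv failure: Connection reset by peer
* TLS connect error: error:00000000:lib(0)::reason(0)
curl: (35) Recv failure: Connection reset by peer
"""

# Body returned by curl --http3 in the thread (an API error, but still an HTTP reply).
HTTP3_BODY = '{"message": "internal network error", "code": 40333}'

# Constructed transcripts (not from the thread) covering the other outcomes.
CURL_OK = """\
* Host example.com:443 was resolved.
* IPv4: 203.0.113.10
*   Trying 203.0.113.10:443...
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
"""
CURL_DNS_FAIL = "curl: (6) Could not resolve host: nonexistent.example\n"

# Two lines quoted from the Discord updater log in the first post.
DISCORD_LOG = """\
Error downloading with electron net: net::ERR_CONNECTION_RESET
[Updates] Error fetching https://discord.com/api/updates/stable?platform=linux&version=0.0.82: read ECONNRESET
"""

if __name__ == "__main__":
    for name, log in [("curl tcp", CURL_RESET), ("curl ok", CURL_OK),
                      ("dns fail", CURL_DNS_FAIL), ("discord", DISCORD_LOG)]:
        print(f"{name:9s} -> {classify(log)}")
    print("tcp vs http3 ->", compare_transports(CURL_RESET, HTTP3_BODY))
```

Run against the thread's own transcripts, the TCP attempt comes out as reset_after_client_hello while the HTTP/3 attempt returned a body, which is the "tcp_tls_blocked_quic_passes" picture the last post arrives at: name resolution and the TCP handshake both complete, the reset arrives only once the TLS Client Hello (with its SNI) has been sent, and the UDP/QUIC path is not interfered with. The Discord updater log carries the same ECONNRESET but no stage lines, so it can only be labelled reset_unknown_stage.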