From a8d3f7d29ec8efacaac3585bcf85e100c27a9e10 Mon Sep 17 00:00:00 2001
From: Ali Khadivi <khadiviali39@gmail.com>
Date: Sun, 17 Apr 2022 15:36:53 +0430
Subject: [PATCH] Init

---
 .gitignore        |   0
 Dockerfile        |  11 +
 LICENSE           |  21 ++
 README.md         |  98 ++++++++
 build.sh          |  20 ++
 dnsmasq.sh        |  69 ++++++
 domains           |   8 +
 instl             |   9 +
 my_init           |  15 ++
 services.ini      |  23 ++
 sniproxy.sh       |  44 ++++
 tariq             | 604 ++++++++++++++++++++++++++++++++++++++++++++++
 update_domains.sh |  25 ++
 13 files changed, 947 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 Dockerfile
 create mode 100644 LICENSE
 create mode 100644 README.md
 create mode 100644 build.sh
 create mode 100644 dnsmasq.sh
 create mode 100644 domains
 create mode 100644 instl
 create mode 100644 my_init
 create mode 100644 services.ini
 create mode 100644 sniproxy.sh
 create mode 100644 tariq
 create mode 100644 update_domains.sh

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..a57aa78
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,11 @@
+FROM alpine
+
+RUN apk add --no-cache supervisor bind-tools iptables sniproxy dnsmasq
+
+ADD instl /usr/local/bin/
+RUN mkdir -p /opt/tariq
+ADD dnsmasq.sh sniproxy.sh domains tariq /opt/tariq/
+
+ADD services.ini /etc/supervisor.d/
+ADD my_init /
+CMD ["/my_init"]
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..32eaf3d
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 AliKhadivi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..c917871
--- /dev/null
+++ b/README.md
@@ -0,0 +1,98 @@
+## About
+
+Tariq is yet another smart DNS solution to bypass geo-blocking.
+
+## Dependencies
+
+* Docker ([Install](https://docs.docker.com/engine/install/ubuntu/))
+* systemd
+* BASH v4
+* crontab (By default is instaled but is optional)
+* dig
+<!-- * iptables & ipset -->
+<!-- ## Install iptables & ipset on debian based 
+```bash
+sudo apt install iptables ipset
+``` -->
+
+## Install from DockerHub
+
+```bash
+docker pull AliKhadivi/tariq
+docker run -v /usr/local/bin:/install AliKhadivi/tariq instl
+```
+
+## Install from GitHub
+
+```bash
+git clone https://github.com/AliKhadivi/tariq
+cd tariq
+docker build -t AliKhadivi/tariq .
+ln -snf $PWD/tariq /usr/local/bin/tariq
+```
+
+## Usage
+
+Tariq needs to be installed on a server to the region you are interested.
+After you start it, change the DNS of your TV to the IP of your server.
+
+### Start Tariq and enable it on boot
+
+```bash
+tariq start
+tariq enable
+```
+
+### Check if it's running
+
+```bash
+tariq status
+```
+
+### Allow an IP to use your smart DNS
+
+```bash
+tariq add-ip 1.2.3.4
+```
+
+### Remove an IP
+
+```bash
+tariq rm-ip 1.2.3.4
+```
+
+### List all allowed IPs
+
+```bash
+tariq list-ips
+```
+
+### Configuration
+
+If you want to use OpenDNS servers instead Google DNS then do:
+
+```bash
+tariq config-set dns '208.67.222.222,208.67.220.220'
+tariq restart
+```
+
+Tariq by default is using iptables to allow ports `443`, `80`, `53`
+only for the IPs you want. If you prefer to manage this with your own
+firewall rules, then you can disable this feature with:
+
+```bash
+tariq config-set iptables false
+tariq restart
+```
+
+Tariq detects if you have a global IPv6 and it creates IPv6 NAT. This
+feature adds an iptables rule even if `iptables` config options is `false`.
+To disable this feature do:
+
+```bash
+tariq config-set ipv6nat false
+tariq restart
+```
+
+## License
+MIT
diff --git a/build.sh b/build.sh
new file mode 100644
index 0000000..7b04cd2
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+beforeMD5="$(md5sum domains | sed 's/ //g')"
+curl https://gist.githubusercontent.com/AliKhadivi/465b897173ebe1f2922a7adc85c5f214/raw > domains
+afterMD5="$(md5sum domains | sed 's/ //g')"
+if [ $beforeMD5 == $afterMD5 ]
+then
+        echo "Not changed Domains"
+	# exit
+fi
+
+
+
+#./update_domains.sh
+docker build -t AliKhadivi/tariq .
+tariq restart
+#tariq stop
+#tariq start
+#sleep 14
+#tariq status
+
diff --git a/dnsmasq.sh b/dnsmasq.sh
new file mode 100644
index 0000000..d027ef6
--- /dev/null
+++ b/dnsmasq.sh
@@ -0,0 +1,69 @@
+#!/bin/sh
+
+ipv6_iface() {
+    ip -6 route | grep '^default' | sed 's/.*dev[[:space:]]\+\([^[:space:]]\+\).*/\1/'
+}
+
+has_global_ipv6() {
+    local x
+
+    for x in $(ipv6_iface); do
+        if ip -6 addr show dev "$x" | grep -q 'scope global'; then
+            return 0
+        fi
+    done
+
+    return 1
+}
+
+get_ext_ip() {
+    dig +short myip.opendns.com @resolver1.opendns.com 2> /dev/null
+}
+
+get_ext_ipv6() {
+    if has_global_ipv6; then
+        dig AAAA +short myip.opendns.com @2620:0:ccc::2 2> /dev/null
+    fi
+}
+
+cache_server=0
+[ "$1" == "--cache" ] && cache_server=1
+
+if [ "$cache_server" -eq 1 ]; then
+    conf=/tmp/dnsmasq-cache.conf
+    resolv=/tmp/dnsmasq-cache.resolv
+else
+    conf=/tmp/dnsmasq.conf
+    resolv=/tmp/dnsmasq.resolv
+fi
+
+rm -f $conf $resolve
+
+cat > $conf << EOF
+keep-in-foreground
+no-hosts
+resolv-file=$resolv
+EOF
+
+if [ "$cache_server" -eq 1 ]; then
+    echo "port=5399" >> $conf
+    iptables -w -t nat -A OUTPUT -s 127.0.0.1 -p udp -m udp --dport 53 -j REDIRECT --to 5399
+    iptables -w -t nat -A OUTPUT -s 127.0.0.1 -p tcp -m tcp --dport 53 -j REDIRECT --to 5399
+else
+    EXT_IP=${EXT_IP:-$(get_ext_ip)}
+    EXT_IPV6=${EXT_IPV6:-$(get_ext_ipv6)}
+
+    for x in $(cat /opt/tariq/domains); do
+        [[ -n "$EXT_IP" ]] && echo "address=/$x/$EXT_IP" >> $conf
+        [[ -n "$EXT_IPV6" ]] && echo "address=/$x/$EXT_IPV6" >> $conf
+    done
+fi
+
+DNS_SERVER="${DNS_SERVER:-8.8.8.8,8.8.4.4}"
+DNS_SERVER="${DNS_SERVER//,/ }"
+
+for x in $DNS_SERVER; do
+    echo "nameserver $x" >> $resolv
+done
+
+exec dnsmasq -C $conf
diff --git a/domains b/domains
new file mode 100644
index 0000000..3c2b3da
--- /dev/null
+++ b/domains
@@ -0,0 +1,8 @@
+docker.com
+*.docker.com
+gitlab.com
+*.gitlab.com
+grafana.com
+grafana.org
+*.grafana.org
+*.grafana.com
diff --git a/instl b/instl
new file mode 100644
index 0000000..76cdcb9
--- /dev/null
+++ b/instl
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+if [ ! -d /install ]; then
+    echo "You need to mount the installation directory to /install" >&2
+    echo "You can to it with: '-v /usr/local/bin:/install'" >&2
+    exit 1
+fi
+
+install -m755 /opt/tariq/tariq /install/tariq
diff --git a/my_init b/my_init
new file mode 100644
index 0000000..2e52375
--- /dev/null
+++ b/my_init
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# from http://stackoverflow.com/a/32144661
+is_privileged() {
+    ip link add dummy0 type dummy > /dev/null 2>&1 || return 1
+    ip link delete dummy0 > /dev/null 2>&1
+    return 0
+}
+
+if ! is_privileged; then
+    echo "This container needs to be run with '--privileged' or '--cap-add=NET_ADMIN' option" >&2
+    exit 1
+fi
+
+exec supervisord -c /etc/supervisord.conf -n
diff --git a/services.ini b/services.ini
new file mode 100644
index 0000000..0f3230d
--- /dev/null
+++ b/services.ini
@@ -0,0 +1,23 @@
+[program:dnsmasq]
+autorestart = true
+stdout_logfile = /dev/stdout
+stdout_logfile_maxbytes = 0
+stderr_logfile = /dev/stderr
+stderr_logfile_maxbytes = 0
+command = /opt/tariq/dnsmasq.sh
+
+[program:dnsmasq-cache]
+autorestart = true
+stdout_logfile = /dev/stdout
+stdout_logfile_maxbytes = 0
+stderr_logfile = /dev/stderr
+stderr_logfile_maxbytes = 0
+command = /opt/tariq/dnsmasq.sh --cache
+
+[program:sniproxy]
+autorestart = true
+stdout_logfile = /dev/stdout
+stdout_logfile_maxbytes = 0
+stderr_logfile = /dev/stderr
+stderr_logfile_maxbytes = 0
+command = /opt/tariq/sniproxy.sh
diff --git a/sniproxy.sh b/sniproxy.sh
new file mode 100644
index 0000000..02d35d9
--- /dev/null
+++ b/sniproxy.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+ipv6_iface() {
+    ip -6 route | grep '^default' | sed 's/.*dev[[:space:]]\+\([^[:space:]]\+\).*/\1/'
+}
+
+has_global_ipv6() {
+    local x
+
+    for x in $(ipv6_iface); do
+        if ip -6 addr show dev "$x" | grep -q 'scope global'; then
+            return 0
+        fi
+    done
+
+    return 1
+}
+
+resolver_mode=ipv4_only
+has_global_ipv6 && resolver_mode=ipv6_first
+
+cat > /tmp/sniproxy.conf << EOF
+user nobody
+group nobody
+
+listener 80 {
+    proto http
+}
+
+listener 443 {
+    proto tls
+}
+
+resolver {
+    nameserver 127.0.0.1
+    mode $resolver_mode
+}
+
+table {
+    .* *
+}
+EOF
+
+exec sniproxy -c /tmp/sniproxy.conf -f
diff --git a/tariq b/tariq
new file mode 100644
index 0000000..162ee85
--- /dev/null
+++ b/tariq
@@ -0,0 +1,604 @@
+#!/bin/bash
+
+PROG="$(basename $0)"
+PROG_DIR="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")"
+
+typeset -A config
+config=(
+    [dns]='8.8.8.8,8.8.4.4'
+    [iptables]='true'
+    [ipv6nat]='true'
+)
+
+usage() {
+    echo "Usage: $PROG <command>"
+    echo
+    echo "Commands:"
+    echo "  help                            Show this help"
+    echo "  start                           Start Tariq"
+    echo "  stop                            Stop Tariq"
+    echo "  restart                         Restart Tariq"
+    echo "  enable                          Enable Tariq service (i.e. starts on boot)"
+    echo "  disable                         Disable Tariq service"
+    echo "  status                          Check Tariq status"
+    echo "  add-ip                          Add allowed IP"
+    echo "  rm-ip                           Remove allowed IP"
+    echo "  list-ips                        List IPs"
+    echo "  add-ddns                        Add allowed DDNS"
+    echo "  rm-ddns                         Remove allowed DDNS"
+    echo "  list-ddns                       List DDNS"
+    echo "  reload-ddns                     Reload DDNS"
+    echo "  config-get [<option>]           Get value of a config option"
+    echo "  config-set <option> [<value>]   Set value to a config option"
+    echo
+    echo "Config options:"
+    echo "  dns <ip-list>           DNS servers (default: 8.8.8.8,8.8.4.4)"
+    echo "  iptables <true|false>   Set iptables rules (default: true)"
+    echo "  ipv6nat <true|false>    Create IPv6 NAT (default: true)"
+}
+
+load_config() {
+    local line
+    local var
+
+    if [[ -f /etc/tariq/config ]]; then
+        while read line; do
+            if echo "$line" | grep -qE '^[_a-zA-Z][-_a-zA-Z0-9]+='; then
+                var="${line%%=*}"
+                config[$var]="${line#*=}"
+            fi
+        done < /etc/tariq/config
+    fi
+}
+
+save_config() {
+    local var
+    for var in "${!config[@]}"; do
+        echo "${var}=${config[$var]}"
+    done > /etc/tariq/config
+}
+
+is_true() {
+    echo "$1" | grep -qiE '^[[:space:]]*(true|t|yes|y|1)[[:space:]]*$'
+}
+
+echo_err() {
+    echo "$@" >&2
+}
+
+noout() {
+    "$@" > /dev/null 2>&1
+}
+
+is_running() {
+    docker inspect -f '{{.State.Running}}' "$1" 2> /dev/null | grep -qE '^true$'
+}
+
+is_container() {
+    [[ -n "$(docker inspect -f '{{.State.Running}}' "$1" 2> /dev/null)" ]]
+}
+
+is_num() {
+    [[ "$1" =~ ^[0-9]+$ ]]
+}
+
+is_ipv4() {
+    local old_ifs="$IFS"
+    local ip="$(echo "$1" | awk -F / '{ print $1 }')"
+    local mask="$(echo "$1" | awk -F / '{ print $2 }')"
+    local ret=0
+    local x
+
+    if [[ -n "$mask" ]]; then
+        if ! is_num "$mask" || [[ "$mask" -lt 0 || "$mask" -gt 32 ]]; then
+            return 1
+        fi
+    fi
+
+    IFS='.'
+    for x in $ip; do
+        if ! is_num "$x" || [[ "$x" -lt 0 || "$x" -gt 255 ]]; then
+            ret=1
+            break
+        fi
+    done
+    IFS="$old_ifs"
+
+    return $ret
+}
+
+is_ipv6() {
+    local old_ifs="$IFS"
+    local ip="$(echo "$1" | awk -F / '{ print $1 }')"
+    local mask="$(echo "$1" | awk -F / '{ print $2 }')"
+    local ret=0
+    local x
+
+    if [[ -n "$mask" ]]; then
+        if ! is_num "$mask" || [[ "$mask" -lt 0 || "$mask" -gt 128 ]]; then
+            return 1
+        fi
+    fi
+
+    IFS=':'
+    for x in $ip; do
+        if ! echo "$x" | grep -qE '^[a-fA-F0-9]{0,4}$'; then
+            ret=1
+            break
+        fi
+    done
+    IFS="$old_ifs"
+
+    return $ret
+}
+
+ipv6_iface() {
+    ip -6 route | grep '^default' | sed 's/.*dev[[:space:]]\+\([^[:space:]]\+\).*/\1/'
+}
+
+has_global_ipv6() {
+    local x
+
+    for x in $(ipv6_iface); do
+        if ip -6 addr show dev "$x" | grep -q 'scope global'; then
+            return 0
+        fi
+    done
+
+    return 1
+}
+
+create_systemd_service() {
+    local service="[Unit]
+After=docker.service
+Requires=docker.service
+
+[Service]
+ExecStart=$PROG_DIR/tariq start-container
+ExecStop=$PROG_DIR/tariq stop-container
+
+[Install]
+WantedBy=multi-user.target"
+
+    if ! echo "$service" | cmp -s - /etc/systemd/system/tariq.service; then
+        echo "$service" > /etc/systemd/system/tariq.service
+        systemctl daemon-reload
+    fi
+}
+
+reset_iptables() {
+    local chains=$(iptables -w -S | awk '/^-N tariq/ { print $2 }')
+    local x
+
+    for x in $chains; do
+        noout iptables -w -F $x
+        iptables -w -S | grep -- "-j ${x}\([[:space:]]\|$\)" | tac | \
+            awk '{ $1 = "-D"; system("iptables -w "$0) }'
+        iptables -w -X $x
+    done
+}
+
+reset_ip6tables() {
+    local chains=$(ip6tables -w -S | awk '/^-N tariq/ { print $2 }')
+    local x
+
+    for x in $chains; do
+        noout ip6tables -w -F $x
+        ip6tables -w -S | grep -- "-j ${x}\([[:space:]]\|$\)" | tac | \
+            awk '{ $1 = "-D"; system("ip6tables -w "$0) }'
+        ip6tables -w -X $x
+    done
+}
+
+prepare_iptables() {
+    reset_iptables
+
+    # create chains
+    iptables -w -N tariq-input
+    iptables -w -N tariq-forward
+    iptables -w -N tariq-filter
+
+    iptables -w -I INPUT -j tariq-input
+    iptables -w -I FORWARD -j tariq-forward
+    iptables -w -A tariq-input -j tariq-filter
+    iptables -w -A tariq-forward -o tariq0 -j tariq-filter
+
+    # block our services for all IPs
+    iptables -w -A tariq-input ! -i lo -p tcp --dport 443 -j REJECT --reject-with tcp-reset
+    iptables -w -A tariq-input ! -i lo -p tcp --dport 80 -j REJECT --reject-with tcp-reset
+    iptables -w -A tariq-input ! -i lo -p tcp --dport 53 -j REJECT --reject-with tcp-reset
+    iptables -w -A tariq-input ! -i lo -p udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
+
+    iptables -w -A tariq-forward -o tariq0 -p tcp --dport 443 -j REJECT --reject-with tcp-reset
+    iptables -w -A tariq-forward -o tariq0 -p tcp --dport 80 -j REJECT --reject-with tcp-reset
+    iptables -w -A tariq-forward -o tariq0 -p tcp --dport 53 -j REJECT --reject-with tcp-reset
+    iptables -w -A tariq-forward -o tariq0 -p udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
+
+    # unblock our services for the allowed IPs
+    if [[ -f /etc/tariq/allowed_ips ]]; then
+        local x
+        for x in $(cat /etc/tariq/allowed_ips); do
+            allow_ip "$x"
+        done
+    fi
+}
+
+prepare_ip6tables() {
+    reset_ip6tables
+
+    ip6tables -w -N tariq-input
+    ip6tables -w -N tariq-forward
+    ip6tables -w -N tariq-filter
+
+    ip6tables -w -I INPUT -j tariq-input
+    ip6tables -w -I FORWARD -j tariq-forward
+    ip6tables -w -A tariq-input -j tariq-filter
+    ip6tables -w -A tariq-forward -o tariq0 -j tariq-filter
+
+    # block our services for all IPs
+    ip6tables -w -A tariq-input ! -i lo -p tcp --dport 443 -j REJECT --reject-with tcp-reset
+    ip6tables -w -A tariq-input ! -i lo -p tcp --dport 80 -j REJECT --reject-with tcp-reset
+    ip6tables -w -A tariq-input ! -i lo -p tcp --dport 53 -j REJECT --reject-with tcp-reset
+    ip6tables -w -A tariq-input ! -i lo -p udp --dport 53 -j REJECT --reject-with icmp6-adm-prohibited
+
+    ip6tables -w -A tariq-forward -o tariq0 -p tcp --dport 443 -j REJECT --reject-with tcp-reset
+    ip6tables -w -A tariq-forward -o tariq0 -p tcp --dport 80 -j REJECT --reject-with tcp-reset
+    ip6tables -w -A tariq-forward -o tariq0 -p tcp --dport 53 -j REJECT --reject-with tcp-reset
+    ip6tables -w -A tariq-forward -o tariq0 -p udp --dport 53 -j REJECT --reject-with icmp6-adm-prohibited
+
+    # unblock our services for the allowed IPs
+    if [[ -f /etc/tariq/allowed_ips ]]; then
+        local x
+        for x in $(cat /etc/tariq/allowed_ips); do
+            allow_ip "$x"
+        done
+    fi
+}
+
+start_container() {
+    local x
+
+    if is_running tariq; then
+        echo_err 'Tariq is not already running.'
+        return 1
+    fi
+
+    noout docker network rm tariq-net
+
+    # in general IPv6 NAT is not suggested but some VPS providers do not offer
+    # configurable IPv6 address range, so we workaround this.
+    local ipv6_masq=0
+    if is_true "${config[ipv6nat]}" && has_global_ipv6; then
+        local net_opts=(--ipv6 --subnet=fd00::/64)
+        ip6tables -t nat -I POSTROUTING -s fd00::/64 ! -o tariq0 -j MASQUERADE
+        sysctl -qw net.ipv6.conf.all.forwarding=1
+        ipv6_masq=1
+    fi
+
+    noout docker network create "${net_opts[@]}" \
+        --opt com.docker.network.bridge.name=tariq0 \
+        tariq-net
+
+    if is_true "${config[iptables]}"; then
+        prepare_iptables
+        prepare_ip6tables
+    fi
+
+    is_container tariq && docker rm tariq
+    docker run -i --rm -p 53:53 -p 53:53/udp -p 80:80 -p 443:443 \
+        --cap-add=NET_ADMIN --name tariq \
+        --net=tariq-net \
+        -e DNS_SERVER="${config[dns]}" \
+        AliKhadivi/tariq
+
+    if is_true "${config[iptables]}"; then
+        reset_iptables
+        reset_ip6tables
+    fi
+
+    if is_true "$ipv6_masq"; then
+        while noout ip6tables -t nat -D POSTROUTING -s fd00::/64 ! -o tariq0 -j MASQUERADE; do
+            true
+        done
+    fi
+}
+
+stop_container() {
+    is_running tariq || return 1
+    docker stop tariq
+}
+
+start() {
+    if is_running tariq; then
+        echo_err 'Tariq is not already running.'
+        return 1
+    fi
+
+    create_systemd_service
+    systemctl start tariq
+}
+
+stop() {
+    systemctl stop tariq
+}
+
+enable() {
+    create_systemd_service
+    systemctl enable tariq
+}
+
+disable() {
+    systemctl disable tariq
+}
+
+status() {
+    local boot=no
+    local running=no
+
+    [[ "$(systemctl is-enabled tariq 2> /dev/null)" == "enabled" ]] && boot=yes
+    is_running tariq && running=yes
+
+    echo "Start on boot: $boot"
+    echo "Running: $running"
+}
+
+get_allowed_ips() {
+    iptables -w -S tariq-filter | grep -- "-j ACCEPT\([[:space:]]\|$\)" | \
+        awk '{ sub("/32", "", $4); print $4 }' | sort | uniq
+    ip6tables -w -S tariq-filter | grep -- "-j ACCEPT\([[:space:]]\|$\)" | \
+        awk '{ sub("/128", "", $4); print $4 }' | sort | uniq
+    return 0
+}
+
+update_allowed_ips_file() {
+    get_allowed_ips > /etc/tariq/allowed_ips
+}
+
+allow_ip() {
+    disallow_ip "$1" || return 1
+
+    if is_ipv4 "$1"; then
+        iptables -w -A tariq-filter -s "$1" -j ACCEPT && return 0
+    elif is_ipv6 "$1"; then
+        ip6tables -w -A tariq-filter -s "$1" -j ACCEPT && return 0
+    fi
+
+    return 1
+}
+
+disallow_ip() {
+    if is_ipv4 "$1"; then
+        while noout iptables -w -D tariq-filter -s "$1" -j ACCEPT; do
+            true
+        done
+        return 0
+    elif is_ipv6 "$1"; then
+        while noout ip6tables -w -D tariq-filter -s "$1" -j ACCEPT; do
+            true
+        done
+        return 0
+    fi
+    return 1
+
+}
+
+add_ip() {
+    if ! is_running tariq; then
+        echo_err 'Tariq is not running.'
+        return 1
+    fi
+
+    if ! is_true "${config[iptables]}"; then
+        echo_err "This command is disabled because you have iptables config option as false."
+        return 1
+    fi
+
+    allow_ip "$1" && update_allowed_ips_file
+    return 0
+}
+
+rm_ip() {
+    if ! is_running tariq; then
+        echo_err 'Tariq is not running.'
+        return 1
+    fi
+
+    if ! is_true "${config[iptables]}"; then
+        echo_err "This command is disabled because you have iptables config option as false."
+        return 1
+    fi
+
+    disallow_ip "$1" && update_allowed_ips_file
+    return 0
+}
+
+list_ips() {
+    if ! is_running tariq; then
+        echo_err 'Tariq is not running.'
+        return 1
+    fi
+
+    if ! is_true "${config[iptables]}"; then
+        echo_err "This command is disabled because you have iptables config option as false."
+        return 1
+    fi
+
+    get_allowed_ips
+}
+
+
+
+add_ddns() {
+    if ! is_running tariq; then
+        echo_err 'Tariq is not running.'
+        return 1
+    fi
+
+    if ! is_true "${config[iptables]}"; then
+        echo_err "This command is disabled because you have iptables config option as false."
+        return 1
+    fi
+    ip=$(dig $1 +short A)
+    allow_ip "$ip" && update_allowed_ips_file
+    echo "$ip" >> /etc/tariq/allowed_ddns
+    reload_ddns
+    return 0
+}
+
+rm_ddns() {
+    if ! is_running tariq; then
+        echo_err 'Tariq is not running.'
+        return 1
+    fi
+
+    if ! is_true "${config[iptables]}"; then
+        echo_err "This command is disabled because you have iptables config option as false."
+        return 1
+    fi
+    ip=$(dig $1 +short A)
+    disallow_ip "$ip" && update_allowed_ips_file
+    # disallow_ip "$1" && update_allowed_ips_file
+    sed -i '/^'"$1"'/d' /etc/tariq/allowed_ddns
+    reload_ddns
+    return 0
+}
+
+list_ddns() {
+    if ! is_running tariq; then
+        echo_err 'Tariq is not running.'
+        return 1
+    fi
+
+    if ! is_true "${config[iptables]}"; then
+        echo_err "This command is disabled because you have iptables config option as false."
+        return 1
+    fi
+    
+    if [[ -f /etc/tariq/allowed_ddns ]]; then
+        echo "List of ddns:"
+        local x
+        for x in $(cat /etc/tariq/allowed_ddns); do
+            ip=$(dig $x +short A)
+            echo "$x : $ip"
+        done
+    fi
+
+    # get_allowed_ips
+}
+
+reload_ddns() {
+    if [[ -f /etc/tariq/allowed_ddns ]]; then
+        local x
+        for x in $(cat /etc/tariq/allowed_ddns); do
+            ip=$(dig $x +short A)
+            allow_ip "$ip"
+        done
+    fi
+}
+
+
+config_get() {
+    local var="$1"
+    shift
+
+    if [[ -z "$var" ]]; then
+        for var in "${!config[@]}"; do
+            echo "${var}=${config[$var]}"
+        done
+    else
+        echo "${config[$var]}"
+    fi
+    return 0
+}
+
+config_set() {
+    local var="$1"
+    shift
+    if [[ -z "$@" ]]; then
+        unset -v 'config[$var]'
+    else
+        config[$var]="$@"
+    fi
+    save_config
+}
+
+if [[ -z "$1" || "$1" == "help" ]]; then
+    usage
+    exit 0
+fi
+
+if [[ $(id -u) -ne 0 ]]; then
+    echo_err "You must run it as root."
+    exit 1
+fi
+
+mkdir -p /etc/tariq
+load_config
+
+case "$1" in
+    start-container)
+        start_container
+        ;;
+    stop-container)
+        stop_container
+        ;;
+    start)
+        start
+        ;;
+    stop)
+        stop
+        ;;
+    restart)
+        stop
+        start
+        ;;
+    enable)
+        enable
+        ;;
+    disable)
+        disable
+        ;;
+    status)
+        status
+        ;;
+    add-ip)
+        shift
+        add_ip "$@"
+        ;;
+    rm-ip)
+        shift
+        rm_ip "$@"
+        ;;
+    list-ips)
+        list_ips
+        ;;
+    add-ddns)
+        shift
+        add_ddns "$@"
+        ;;
+    rm-ddns)
+        shift
+        rm_ddns "$@"
+        ;;
+    list-ddns)
+        list_ddns
+        ;;
+    reload-ddns)
+        reload_ddns
+        ;;
+    config-get)
+        shift
+        config_get "$@"
+        ;;
+    config-set)
+        shift
+        config_set "$@"
+        ;;
+    *)
+        [[ -n "$1" ]] && echo_err "Invalid command: $1"
+        echo_err "For usage run: $0 help"
+        exit 1
+        ;;
+esac
+
+exit $?
diff --git a/update_domains.sh b/update_domains.sh
new file mode 100644
index 0000000..50d4fd8
--- /dev/null
+++ b/update_domains.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+beforeMD5="$(md5sum domains | sed 's/ //g')"
+#curl https://raw.githubusercontent.com/ab77/netflix-proxy/master/data/conf/zones.override.template | \
+curl https://gist.githubusercontent.com/AliKhadivi/465b897173ebe1f2922a7adc85c5f214/raw/c67c5e5ae6517fd27f45e5e8d5a319c841650baa/beshcan-domains.txt > domains
+#curl https://gist.githubusercontent.com/AliKhadivi/465b897173ebe1f2922a7adc85c5f214/raw/c67c5e5ae6517fd27f45e5e8d5a319c841650baa/beshcan-domains.txt | \
+#    awk '/^zone\s/ { if (match($2, /^"(.+)\."$/, m) != 0) print m[1]; }' > domains
+
+
+afterMD5="$(md5sum domains | sed 's/ //g')"
+
+#echo "$beforeMD5 \n\n $afterMD5"
+
+if [ $beforeMD5 == $afterMD5 ]
+then
+	echo "Not changed Domains"
+	exit
+fi
+
+docker build -t AliKhadivi/tariq .
+tariq restart
+
+# to check your speed run: wget https://cachefly.cachefly.net/100mb.test
+#echo cachefly.net >> domains
+