From 1285221f6636ae1a27715db207fc67654c4cd3a3 Mon Sep 17 00:00:00 2001 From: juewuy Date: Tue, 5 Mar 2024 21:21:40 +0800 Subject: [PATCH] =?UTF-8?q?=E9=87=8D=E5=86=99iptables=E9=98=B2=E7=81=AB?= =?UTF-8?q?=E5=A2=99=20=E4=BC=98=E5=8C=96nftables=E9=98=B2=E7=81=AB?= =?UTF-8?q?=E5=A2=99=E7=BB=93=E6=9E=84?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- scripts/getdate.sh | 28 +- scripts/menu.sh | 6 +- scripts/start.sh | 833 ++++++++++++++++++--------------------------- 3 files changed, 358 insertions(+), 509 deletions(-) diff --git a/scripts/getdate.sh b/scripts/getdate.sh index daa1f20..6da4fd7 100644 --- a/scripts/getdate.sh +++ b/scripts/getdate.sh @@ -2414,32 +2414,38 @@ testcommand(){ if [ "$firewall_mod" = "nftables" ];then nft list table inet shellcrash else - echo -------------------Redir--------------------- + echo ----------------Redir+DNS--------------------- iptables -t nat -L PREROUTING --line-numbers iptables -t nat -L shellcrash_dns --line-numbers - iptables -t nat -L shellcrash --line-numbers + [ "$redir_mod" = "Redir模式" ] && iptables -t nat -L shellcrash --line-numbers [ -n "$(echo $redir_mod | grep -E 'Tproxy模式|混合模式|Tun模式')" ] && { echo ----------------Tun/Tproxy------------------- iptables -t mangle -L PREROUTING --line-numbers - iptables -t mangle -L shellcrash --line-numbers + iptables -t mangle -L shellcrash_mark --line-numbers } - [ "$local_proxy" = "已开启" ] && [ "$local_type" = "iptables增强模式" ] && { - echo ----------------OUTPUT------------------- + [ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && { + echo -------------OUTPUT-Redir+DNS---------------- iptables -t nat -L OUTPUT --line-numbers iptables -t nat -L shellcrash_dns_out --line-numbers - iptables -t nat -L shellcrash_out --line-numbers + if [ "$redir_mod" = "Redir模式" ];then + iptables -t nat -L shellcrash_out --line-numbers + else + echo ------------OUTPUT-Tun/Tproxy--------------- + iptables -t mangle -L OUTPUT --line-numbers + iptables -t mangle -L shellcrash_mark_out --line-numbers + fi } [ "$ipv6_redir" = "已开启" ] && { - [ -n "$(lsmod | grep 'ip6table_nat')" ] && { - echo -------------------Redir--------------------- + ip6tables -t nat -L >/dev/null 2>&1 && { + echo -------------IPV6-Redir+DNS------------------- ip6tables -t nat -L PREROUTING --line-numbers ip6tables -t nat -L shellcrashv6_dns --line-numbers - ip6tables -t nat -L shellcrashv6 --line-numbers + [ "$redir_mod" = "Redir模式" ] && ip6tables -t nat -L shellcrashv6 --line-numbers } [ -n "$(echo $redir_mod | grep -E 'Tproxy模式|混合模式|Tun模式')" ] && { - echo ----------------Tun/Tproxy------------------- + echo -------------IPV6-Tun/Tproxy------------------ ip6tables -t mangle -L PREROUTING --line-numbers - ip6tables -t mangle -L shellcrashv6 --line-numbers + ip6tables -t mangle -L shellcrashv6_mark --line-numbers } } fi diff --git a/scripts/menu.sh b/scripts/menu.sh index 89dca3b..e62d502 100644 --- a/scripts/menu.sh +++ b/scripts/menu.sh @@ -688,7 +688,7 @@ setipv6(){ #ipv6设置 setconfig ipv6_redir $ipv6_redir setconfig ipv6_support $ipv6_support fi - if [ -n "$(ipset -v 2>/dev/null)" -o -n "$(echo $redir_mod | grep Nft)" ];then + if [ -n "$(ipset -v 2>/dev/null)" -o "$firewall_mod" = 'nftables' ];then [ "$cn_ipv6_route" = "未开启" ] && cn_ipv6_route=已开启 || cn_ipv6_route=未开启 setconfig cn_ipv6_route $cn_ipv6_route else @@ -1168,7 +1168,7 @@ set_redir_mod(){ if [ -f /etc/init.d/qca-nss-ecm -a "$systype" = "mi_snapshot" ] ;then read -p "xiaomi设备的QOS服务与本模式冲突,是否禁用相关功能?(1/0) > " res [ "$res" = '1' ] && ${CRASHDIR}/misnap_init.sh tproxyfix && redir_mod=Tproxy模式 - elif [ -n "$(iptables -j TPROXY 2>&1 | grep 'on-port')" ] ;then + elif [ -n "$(grep -E '^TPROXY$' /proc/net/ip_tables_targets)" ] ;then redir_mod=Tproxy模式 set_redir_config else @@ -1475,7 +1475,7 @@ normal_set(){ #基础设置 normal_set elif [ "$num" = 8 ]; then - if [ -n "$(ipset -v 2>/dev/null)" -o -n "$(echo $redir_mod | grep Nft)" ];then + if [ -n "$(ipset -v 2>/dev/null)" -o "$firewall_mod" = 'nftables' ];then if [ "$cn_ip_route" = "未开启" ]; then echo -e "\033[32m已开启CN_IP绕过内核功能!!\033[0m" echo -e "\033[31m注意!!!此功能会导致全局模式及一切CN相关规则失效!!!\033[0m" diff --git a/scripts/start.sh b/scripts/start.sh index d19b12d..23c56ba 100644 --- a/scripts/start.sh +++ b/scripts/start.sh @@ -383,7 +383,7 @@ EOF } #域名嗅探配置 [ "$sniffer" = "已启用" ] && [ "$crashcore" = "meta" ] && sniffer_set="sniffer: {enable: true, parse-pure-ip: true, skip-domain: [Mijia Cloud], sniff: {tls: {ports: [443, 8443]}, http: {ports: [80, 8080-8880]}}}" - [ "$crashcore" = "clashpre" ] && [ "$dns_mod" = "redir_host" -o "$sniffer" = "已启用" ] && exper="experimental: {ignore-resolve-fail: true, interface-name: en0, sniff-tls-sni: true}" + [ "$crashcore" = "clashpre" ] && [ "$dns_mod" = "redir_host" -o "$sniffer" = "已启用" ] && exper="experimental: {ignore-resolve-fail: true, interface-name: en0,sniff-tls-sni: true}" #生成set.yaml cat > ${TMPDIR}/set.yaml </dev/null - #局域网设备过滤 - if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then - for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单 - iptables -t nat -A shellcrash -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $redir_port - done - else - for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单 - iptables -t nat -A shellcrash -m mac --mac-source $mac -j RETURN - done - #仅代理本机局域网网段流量 - for ip in $host_ipv4;do - iptables -t nat -A shellcrash -p tcp -s $ip -j REDIRECT --to-ports $redir_port - done - fi - #将PREROUTING链指向shellcrash链 - iptables -t nat -A PREROUTING -p tcp $ports -j shellcrash - [ "$dns_mod" != "redir_host" -a "$common_ports" = "已开启" ] && iptables -t nat -A PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash - #设置ipv6转发 - if [ "$ipv6_redir" = "已开启" ] && ip6tables -t nat -L >/dev/null 2>&1;then - ip6tables -t nat -N shellcrashv6 - for ip in $reserve_ipv6 $host_ipv6;do #跳过目标保留地址及目标本机网段 - ip6tables -t nat -A shellcrashv6 -d $ip -j RETURN - done - #绕过CN_IPV6 - [ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && \ - ip6tables -t nat -A shellcrashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null - #局域网设备过滤 - if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then - for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单 - ip6tables -t nat -A shellcrashv6 -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $redir_port - done - else - for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单 - ip6tables -t nat -A shellcrashv6 -m mac --mac-source $mac -j RETURN - done - #仅代理本机局域网网段流量 - for ip in $host_ipv6;do - ip6tables -t nat -A shellcrashv6 -p tcp -s $ip -j REDIRECT --to-ports $redir_port - done - fi - ip6tables -t nat -A PREROUTING -p tcp $ports -j shellcrashv6 - fi - return 0 -} -start_ipt_dns(){ #iptables-dns - #屏蔽OpenWrt内置53端口转发 - [ "$(uci get dhcp.@dnsmasq[0].dns_redirect 2>/dev/null)" = 1 ] && { - uci del dhcp.@dnsmasq[0].dns_redirect - uci commit dhcp.@dnsmasq[0] +start_ipt_route(){ #iptables-route通用工具 + #$1:iptables/ip6tables $2:所在的表(nat/mangle) $3:所在的链(OUTPUT/PREROUTING) $4:新创建的shellcrash链表 $5:tcp/udp/all + #区分ipv4/ipv6 + [ "$1" = 'iptables' ] && { + RESERVED_IP=$reserve_ipv4 + HOST_IP=$host_ipv4 + [ "$4" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4" } - #设置dns转发 - iptables -t nat -N shellcrash_dns - if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then - for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单 - iptables -t nat -A shellcrash_dns -p udp -m mac --mac-source $mac -j REDIRECT --to $dns_port - done - else - for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单 - iptables -t nat -A shellcrash_dns -m mac --mac-source $mac -j RETURN - done - iptables -t nat -A shellcrash_dns -p tcp -j REDIRECT --to $dns_port - iptables -t nat -A shellcrash_dns -p udp -j REDIRECT --to $dns_port - fi - iptables -t nat -I PREROUTING -p tcp --dport 53 -j shellcrash_dns - iptables -t nat -I PREROUTING -p udp --dport 53 -j shellcrash_dns - #ipv6DNS - if [ -n "$(lsmod | grep 'ip6table_nat')" -a -n "$(lsmod | grep 'xt_nat')" ];then - ip6tables -t nat -N shellcrashv6_dns > /dev/null 2>&1 - if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then - for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单 - ip6tables -t nat -A shellcrashv6_dns -p udp -m mac --mac-source $mac -j REDIRECT --to $dns_port - done - else - for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单 - ip6tables -t nat -A shellcrashv6_dns -m mac --mac-source $mac -j RETURN - done - ip6tables -t nat -A shellcrashv6_dns -p tcp -j REDIRECT --to $dns_port - ip6tables -t nat -A shellcrashv6_dns -p udp -j REDIRECT --to $dns_port - fi - ip6tables -t nat -I PREROUTING -p tcp --dport 53 -j shellcrashv6_dns - ip6tables -t nat -I PREROUTING -p udp --dport 53 -j shellcrashv6_dns - else - ip6tables -I INPUT -p udp --dport 53 -m comment --comment "ShellCrash-IPV6_DNS-REJECT" -j REJECT 2>/dev/null - fi - return 0 - -} -start_tproxy(){ #iptables-tproxy - #获取局域网host地址 - getlanip - modprobe xt_TPROXY >/dev/null 2>&1 - ip rule add fwmark $fwmark table 100 - ip route add local default dev lo table 100 - iptables -t mangle -N shellcrash - iptables -t mangle -A shellcrash -p udp --dport 53 -j RETURN - for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段 - iptables -t mangle -A shellcrash -d $ip -j RETURN + [ "$1" = 'ip6tables' ] && { + RESERVED_IP=$reserve_ipv6 + HOST_IP=$host_ipv6 + } + #创建新的shellcrash链表 + $1 -t $2 -N $4 + #本机代理防回环 + [ "$3" = 'OUTPUT' ] && for gid in 453 7890;do + $1 -t $2 -A $4 -m owner --gid-owner $gid -j RETURN + done + #跳过目标保留地址及目标本机网段 + for ip in $HOST_IP $RESERVED_IP;do + $1 -t $2 -A $4 -d $ip -j RETURN done #绕过CN_IP [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && \ - iptables -t mangle -A shellcrash -m set --match-set cn_ip dst -j RETURN 2>/dev/null + $1 -t $2 -A $4 -m set --match-set cn_ip dst -j RETURN 2>/dev/null + #局域网mac地址黑名单过滤 + [ -s "$(cat ${CRASHDIR}/configs/mac)" -a "$macfilter_type" != "白名单" ] && \ + for mac in $(cat ${CRASHDIR}/configs/mac); do + $1 -t $2 -A $4 -m mac --mac-source $mac -j RETURN + done #tcp&udp分别进代理链 - tproxy_set(){ + proxy_set(){ + if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then + for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单 + $1 -t $2 -A $4 -p $5 -m mac --mac-source $mac -j $JUMP + done + else + for ip in $HOST_IP;do #仅限指定网段流量 + $1 -t $2 -A $4 -p $5 -s $ip -j $JUMP + done + fi + #将所在链指定流量指向shellcrash表 + $1 -t $2 -I $3 -p $5 $ports -j $4 + [ "$dns_mod" != "redir_host" ] && [ "$common_ports" = "已开启" ] && [ "$1" = iptables ] && $1 -t $2 -I $3 -p $5 -d 198.18.0.0/16 -j $4 + } + [ "$5" = "tcp" -o "$5" = "all" ] && proxy_set $1 $2 $3 $4 tcp + [ "$5" = "udp" -o "$5" = "all" ] && proxy_set $1 $2 $3 $4 udp +} +start_ipt_dns(){ #iptables-dns通用工具 + #$1:iptables/ip6tables $2:所在的表(OUTPUT/PREROUTING) $3:新创建的shellcrash表 + $1 -t nat -N $3 + #绕过本机dns应用 + [ "$2" = 'OUTPUT' ] && for gid in 453 7890;do + $1 -t nat -A $3 -m owner --gid-owner $gid -j RETURN + done if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单 - iptables -t mangle -A shellcrash -p $1 -m mac --mac-source $mac -j TPROXY --on-port $tproxy_port --tproxy-mark $fwmark + $1 -t nat -A $3 -p tcp -m mac --mac-source $mac -j REDIRECT --to $dns_port + $1 -t nat -A $3 -p udp -m mac --mac-source $mac -j REDIRECT --to $dns_port done else for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单 - iptables -t mangle -A shellcrash -m mac --mac-source $mac -j RETURN - done - #仅代理本机局域网网段流量 - for ip in $host_ipv4;do - iptables -t mangle -A shellcrash -p $1 -s $ip -j TPROXY --on-port $tproxy_port --tproxy-mark $fwmark - done - fi - iptables -t mangle -A PREROUTING -p $1 $ports -j shellcrash - [ "$dns_mod" != "redir_host" -a "$common_ports" = "已开启" ] && iptables -t mangle -A PREROUTING -p $1 -d 198.18.0.0/16 -j shellcrash - } - [ "$1" = "all" ] && tproxy_set tcp - tproxy_set udp - - #屏蔽QUIC - [ "$quic_rj" = 已启用 ] && { - [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst' - iptables -I INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1 - } - #设置ipv6转发 - [ "$ipv6_redir" = "已开启" ] && ip6tables -t nat -L >/dev/null 2>&1 && { - ip -6 rule add fwmark $fwmark table 101 - ip -6 route add local ::/0 dev lo table 101 - ip6tables -t mangle -N shellcrashv6 - ip6tables -t mangle -A shellcrashv6 -p udp --dport 53 -j RETURN - for ip in $host_ipv6 $reserve_ipv6;do #跳过目标保留地址及目标本机网段 - ip6tables -t mangle -A shellcrashv6 -d $ip -j RETURN - done - #绕过CN_IPV6 - [ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && \ - ip6tables -t mangle -A shellcrashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null - #tcp&udp分别进代理链 - tproxy_set6(){ - if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then - #mac白名单 - for mac in $(cat ${CRASHDIR}/configs/mac); do - ip6tables -t mangle -A shellcrashv6 -p $1 -m mac --mac-source $mac -j TPROXY --on-port $tproxy_port --tproxy-mark $fwmark - done - else - #mac黑名单 - for mac in $(cat ${CRASHDIR}/configs/mac); do - ip6tables -t mangle -A shellcrashv6 -m mac --mac-source $mac -j RETURN - done - #仅代理本机局域网网段流量 - for ip in $host_ipv6;do - ip6tables -t mangle -A shellcrashv6 -p $1 -s $ip -j TPROXY --on-port $tproxy_port --tproxy-mark $fwmark - done - fi - ip6tables -t mangle -A PREROUTING -p $1 $ports -j shellcrashv6 - } - [ "$1" = "all" ] && tproxy_set6 tcp - tproxy_set6 udp - - #屏蔽QUIC - [ "$quic_rj" = 已启用 ] && { - [ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst' - ip6tables -I INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2>/dev/null - } - } -} -start_output(){ #iptables本机代理 - #获取局域网host地址 - getlanip - #流量过滤 - iptables -t nat -N shellcrash_out - iptables -t nat -A shellcrash_out -m owner --gid-owner 7890 -j RETURN - for ip in $local_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段 - iptables -t nat -A shellcrash_out -d $ip -j RETURN - done - #绕过CN_IP - [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && \ - iptables -t nat -A shellcrash_out -m set --match-set cn_ip dst -j RETURN >/dev/null 2>&1 - #仅允许本机流量 - for ip in 127.0.0.0/8 $local_ipv4;do - iptables -t nat -A shellcrash_out -p tcp -s $ip -j REDIRECT --to-ports $redir_port - done - iptables -t nat -A OUTPUT -p tcp $ports -j shellcrash_out - #设置dns转发 - [ "$dns_no" != "已禁用" ] && { - [ -z "$(grep 'nameserver 127.0.0.1' /etc/resolv.conf 2>/dev/null)" ] && echo 'nameserver 127.0.0.1' >> /etc/resolv.conf #修复部分虚拟机dns查询失败的问题 - iptables -t nat -N shellcrash_dns_out - iptables -t nat -A shellcrash_dns_out -m owner --gid-owner 453 -j RETURN #绕过本机dnsmasq - iptables -t nat -A shellcrash_dns_out -m owner --gid-owner 7890 -j RETURN - iptables -t nat -A shellcrash_dns_out -p udp -j REDIRECT --to $dns_port - iptables -t nat -A OUTPUT -p udp --dport 53 -j shellcrash_dns_out - } - #Docker转发 - ckcmd docker && { - iptables -t nat -N shellcrash_docker - for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段 - iptables -t nat -A shellcrash_docker -d $ip -j RETURN - done - iptables -t nat -A shellcrash_docker -p tcp -j REDIRECT --to-ports $redir_port - iptables -t nat -A PREROUTING -p tcp -s 172.16.0.0/12 -j shellcrash_docker - [ "$dns_no" != "已禁用" ] && iptables -t nat -A PREROUTING -p udp --dport 53 -s 172.16.0.0/12 -j REDIRECT --to $dns_port - } -} -start_tun(){ #iptables-tun - modprobe tun >/dev/null 2>&1 - #允许流量 - iptables -I FORWARD -o utun -j ACCEPT - iptables -I FORWARD -s 198.18.0.0/16 -o utun -j RETURN #防止回环 - ip6tables -I FORWARD -o utun -j ACCEPT > /dev/null 2>&1 - #屏蔽QUIC - if [ "$quic_rj" = 已启用 ];then - [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && { - set_cn_ip='-m set ! --match-set cn_ip dst' - set_cn_ip6='-m set ! --match-set cn_ip6 dst' - } - iptables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1 - ip6tables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT >/dev/null 2>&1 - fi - if [ -n "$(iptables -j MARK 2>&1 | grep 'mark')" ];then - i=1 - while [ -z "$(ip route list |grep utun)" -a "$i" -le 29 ];do - sleep 1 - i=$((i+1)) - done - if [ -z "$(ip route list |grep utun)" ];then - logger "找不到tun模块,放弃启动tun相关防火墙规则!" 31 - else - ip route add default dev utun table 100 - ip rule add fwmark $fwmark table 100 - #获取局域网host地址 - getlanip - iptables -t mangle -N shellcrash - iptables -t mangle -A shellcrash -p udp --dport 53 -j RETURN - for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段 - iptables -t mangle -A shellcrash -d $ip -j RETURN - done - #防止回环 - iptables -t mangle -A shellcrash -s 198.18.0.0/16 -j RETURN - #绕过CN_IP - [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && \ - iptables -t mangle -A shellcrash -m set --match-set cn_ip dst -j RETURN 2>/dev/null - #局域网设备过滤 - if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then - for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单 - iptables -t mangle -A shellcrash -m mac --mac-source $mac -j MARK --set-mark $fwmark - done - else - for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单 - iptables -t mangle -A shellcrash -m mac --mac-source $mac -j RETURN - done - #仅代理本机局域网网段流量 - for ip in $host_ipv4;do - iptables -t mangle -A shellcrash -s $ip -j MARK --set-mark $fwmark - done - fi - iptables -t mangle -A PREROUTING -p udp $ports -j shellcrash - [ "$1" = "all" ] && iptables -t mangle -A PREROUTING -p tcp $ports -j shellcrash - - #设置ipv6转发 - [ "$ipv6_redir" = "已开启" ] && ip6tables -t nat -L >/dev/null 2>&1 && [ "$crashcore" != clash ] && { - ip -6 route add default dev utun table 101 - ip -6 rule add fwmark $fwmark table 101 - ip6tables -t mangle -N shellcrashv6 - ip6tables -t mangle -A shellcrashv6 -p udp --dport 53 -j RETURN - for ip in $host_ipv6 $reserve_ipv6;do #跳过目标保留地址及目标本机网段 - ip6tables -t mangle -A shellcrashv6 -d $ip -j RETURN - done - #绕过CN_IPV6 - [ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && \ - ip6tables -t mangle -A shellcrashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null - #局域网设备过滤 - if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then - for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单 - ip6tables -t mangle -A shellcrashv6 -m mac --mac-source $mac -j MARK --set-mark $fwmark - done - else - for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单 - ip6tables -t mangle -A shellcrashv6 -m mac --mac-source $mac -j RETURN - done - #仅代理本机局域网网段流量 - for ip in $host_ipv6;do - ip6tables -t mangle -A shellcrashv6 -s $ip -j MARK --set-mark $fwmark - done - fi - ip6tables -t mangle -A PREROUTING -p udp $ports -j shellcrashv6 - [ "$1" = "all" ] && ip6tables -t mangle -A PREROUTING -p tcp $ports -j shellcrashv6 - } - fi - else - logger "iptables缺少-J MARK功能,放弃启动tun相关防火墙规则!" 31 + $1 -t nat -A $3 -m mac --mac-source $mac -j RETURN + done + $1 -t nat -A $3 -p tcp -j REDIRECT --to $dns_port + $1 -t nat -A $3 -p udp -j REDIRECT --to $dns_port fi + $1 -t nat -I $2 -p tcp --dport 53 -j $3 + $1 -t nat -I $2 -p udp --dport 53 -j $3 } start_ipt_wan(){ #iptables公网防火墙 #获取局域网host地址 @@ -1194,110 +959,151 @@ start_ipt_wan(){ #iptables公网防火墙 fi iptables -I INPUT -p tcp -d 127.0.0.1 -j ACCEPT #本机请求全放行 } -start_nft(){ #nftables-all-in-one - table_type=$1 - [ -n "$2" ] && table=$2 || table=$1 +start_iptables(){ #iptables配置总入口 + #启动公网访问防火墙 + start_ipt_wan + #启动DNS劫持 + [ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && { + [ "$lan_proxy" = true ] && { + start_ipt_dns iptables PREROUTING shellcrash_dns #ipv4-局域网dns转发 + if ip6tables -t nat -L >/dev/null 2>&1;then + start_ipt_dns ip6tables PREROUTING shellcrashv6_dns #ipv6-局域网dns转发 + else + ip6tables -I INPUT -p udp --dport 53 -m comment --comment "ShellCrash-IPV6_DNS-REJECT" -j REJECT 2>/dev/null + fi + } + [ "$local_proxy" = true ] && start_ipt_dns iptables OUTPUT shellcrash_dns_out #ipv4-本机dns转发 + } + #分模式设置流量劫持 + [ "$redir_mod" = "Redir模式" -o "$redir_mod" = "混合模式" ] && { + JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令 + [ "$lan_proxy" = true ] && { + start_ipt_route iptables nat PREROUTING shellcrash tcp #ipv4-局域网tcp转发 + [ "$ipv6_redir" = "已开启" ] && { + if ip6tables -t nat -L >/dev/null 2>&1;then + start_ipt_route ip6tables nat PREROUTING shellcrashv6 tcp #ipv6-局域网tcp转发 + else + logger "当前设备内核缺少ip6tables-nat模块支持,已放弃启动相关规则!" 31 + fi + } + } + [ "$local_proxy" = true ] && start_ipt_route iptables nat OUTPUT shellcrash_out tcp #ipv4-本机tcp转发 + } + [ "$redir_mod" = "Tproxy模式" ] && { + JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令 + if [ -n "$(grep -E '^TPROXY$' /proc/net/ip_tables_targets)" ];then + [ "$lan_proxy" = true ] && start_ipt_route iptables mangle PREROUTING shellcrash_mark all + [ "$local_proxy" = true ] && start_ipt_route iptables mangle OUTPUT shellcrash_mark_out all + else + logger "当前设备内核可能缺少kmod-ipt-tproxy模块支持,已放弃启动相关规则!" 31 + fi + [ "$ipv6_redir" = "已开启" ] && [ "$lan_proxy" = true ] && { + if [ -n "$(grep -E '^TPROXY$' /proc/net/ip6_tables_targets)" ];then + start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark all + else + logger "当前设备内核可能缺少kmod-ipt-tproxy模块支持,已放弃启动相关规则!" 31 + fi + } + } + [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" -o "$redir_mod" = "T&U旁路转发" -o "$redir_mod" = "TCP旁路转发" ] && { + JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令 + [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "T&U旁路转发" ] && protocol=all + [ "$redir_mod" = "混合模式" ] && protocol=udp + [ "$redir_mod" = "TCP旁路转发" ] && protocol=tcp + if [ -n "$(grep -E '^MARK$' /proc/net/ip_tables_targets)" ];then + [ "$lan_proxy" = true ] && start_ipt_route iptables mangle PREROUTING shellcrash_mark $protocol + [ "$local_proxy" = true ] && start_ipt_route iptables mangle OUTPUT shellcrash_mark_out $protocol + else + logger "当前设备内核可能缺少xt-mark模块支持,已放弃启动相关规则!" 31 + fi + [ "$ipv6_redir" = "已开启" ] && [ "$lan_proxy" = true ] && { + if [ -n "$(grep -E '^MARK$' /proc/net/ip6_tables_targets)" ];then + start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark $protocol + else + logger "当前设备内核可能缺少xt-mark模块支持,已放弃启动相关规则!" 31 + fi + } + } + #屏蔽QUIC + [ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && { + [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && { + set_cn_ip='-m set ! --match-set cn_ip dst' + set_cn_ip6='-m set ! --match-set cn_ip6 dst' + } + iptables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1 + ip6tables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT >/dev/null 2>&1 + } +} +start_nft_route(){ #nftables-route通用工具 + #$1:name $2:hook(prerouting/output) $3:type(nat/mangle/filter) $4:priority(-100/-150) [ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g') RESERVED_IP=$(echo $reserve_ipv4 | sed 's/ /, /g') - if [ "$1" = 'output' ];then - HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')" - chain_type=route - else - HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g') - chain_type=nat - fi - #不同模式调整 - [ "$redir_mod" = "Redir模式" ] && \ - nft add chain inet shellcrash $table { type nat hook $table_type priority -100 \; } - [ "$redir_mod" = "Tproxy模式" ] && { - modprobe nft_tproxy >/dev/null 2>&1 - nft add chain inet shellcrash $table { type $chain_type hook $table_type priority mangle \; } - } - [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && { - modprobe tun >/dev/null 2>&1 - i=1 - while [ -z "$(ip route list |grep utun)" -a "$i" -le 29 ];do - sleep 1 - i=$((i+1)) - done - if [ -z "$(ip route list |grep utun)" ];then - logger "找不到tun模块,放弃启动tun相关防火墙规则!" 31 - exit 1 - else - nft add chain inet shellcrash $table { type $chain_type hook $table_type priority mangle \; } - nft add rule inet shellcrash $table ip saddr 198.18.0.0/16 return #防止回环 - fi - } - [ "$firewall_area" = 5 ] && { - nft add chain inet shellcrash $table { type $chain_type hook $table_type priority mangle \; } - nft add rule inet shellcrash $table ip daddr {$bypass_host} return - } - #本机流量防回环 - [ "$table_type" = 'output' ] && nft add rule inet shellcrash $table meta skgid 7890 return + HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g') + [ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')" + #添加新链 + nft add chain inet shellcrash $1 { type $3 hook $2 priority $4 \; } + #防回环 + nft add rule inet shellcrash $1 meta skgid 7890 return + nft add rule inet shellcrash $1 ip saddr 198.18.0.0/16 return + [ "$firewall_area" = 5 ] && nft add rule inet shellcrash $1 ip daddr $bypass_host return #过滤局域网设备 [ -n "$(cat ${CRASHDIR}/configs/mac)" ] && { MAC=$(awk '{printf "%s, ",$1}' ${CRASHDIR}/configs/mac) - [ "$macfilter_type" = "黑名单" ] && \ - nft add rule inet shellcrash $table ether saddr {$MAC} return || \ - nft add rule inet shellcrash $table ether saddr != {$MAC} return + if [ "$macfilter_type" = "黑名单" ];then + nft add rule inet shellcrash $1 ether saddr {$MAC} return + else + nft add rule inet shellcrash $1 ether saddr != {$MAC} return + fi } - #过滤保留地址 - nft add rule inet shellcrash $table ip daddr {$RESERVED_IP} return - #仅代理本机局域网网段流量 - nft add rule inet shellcrash $table ip saddr != {$HOST_IP} return + nft add rule inet shellcrash $1 ip daddr {$RESERVED_IP} return #过滤保留地址 + nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理本机局域网网段流量 #绕过CN-IP [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" -a -f ${BINDIR}/cn_ip.txt ] && { CN_IP=$(awk '{printf "%s, ",$1}' ${BINDIR}/cn_ip.txt) - [ -n "$CN_IP" ] && nft add rule inet shellcrash $table ip daddr {$CN_IP} return + [ -n "$CN_IP" ] && nft add rule inet shellcrash $1 ip daddr {$CN_IP} return } - #过滤常用端口 - [ -n "$PORTS" ] && nft add rule inet shellcrash $table tcp dport != {$PORTS} ip daddr != {198.18.0.0/16} return + [ -n "$PORTS" ] && nft add rule inet shellcrash $1 tcp dport != {$PORTS} ip daddr != {198.18.0.0/16} return #过滤常用端口 #局域网ipv6支持 - if [ "$ipv6_redir" = "已开启" -a "$table_type" = 'prerouting' -a "$firewall_area" != 5 ];then + if [ "$ipv6_redir" = "已开启" -a "$1" = 'prerouting' -a "$firewall_area" != 5 ];then RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')" HOST_IP6="$(echo $host_ipv6 | sed 's/ /, /g')" - ip -6 rule add fwmark $fwmark table 101 2> /dev/null - ip -6 route add local ::/0 dev lo table 101 2> /dev/null #过滤保留地址及本机地址 - nft add rule inet shellcrash $table ip6 daddr {$RESERVED_IP6} return + nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return #仅代理本机局域网网段流量 - nft add rule inet shellcrash $table ip6 saddr != {$HOST_IP6} return + nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return #绕过CN_IPV6 [ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" -a -f ${BINDIR}/cn_ipv6.txt ] && { CN_IP6=$(awk '{printf "%s, ",$1}' ${BINDIR}/cn_ipv6.txt) - [ -n "$CN_IP6" ] && nft add rule inet shellcrash $table ip6 daddr {$CN_IP6} return + [ -n "$CN_IP6" ] && nft add rule inet shellcrash $1 ip6 daddr {$CN_IP6} return } else - nft add rule inet shellcrash $table meta nfproto ipv6 return + nft add rule inet shellcrash $1 meta nfproto ipv6 return fi - # nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug - [ "$redir_mod" = "Redir模式" ] && nft add rule inet shellcrash $table meta l4proto tcp redirect to $redir_port - [ "$redir_mod" = "混合模式" ] && { - nft add rule inet shellcrash $table meta l4proto udp mark set $fwmark - nft add rule inet shellcrash $table meta l4proto tcp mark set $((fwmark + 1)) - nft add chain inet shellcrash ${table}_mixtcp { type nat hook $table_type priority -100 \; } - nft add rule inet shellcrash ${table}_mixtcp mark == $((fwmark + 1)) meta l4proto tcp redirect to $redir_port - } + #添加通用路由 + nft add rule inet shellcrash $1 $JUMP + #处理特殊路由 [ "$redir_mod" = "Tproxy模式" ] && { - nft add rule inet shellcrash $table meta l4proto {tcp, udp} mark set $fwmark - nft add chain inet shellcrash ${table}_tproxy { type filter hook $table_type priority -100 \; } - nft add rule inet shellcrash ${table}_tproxy meta mark == $fwmark meta l4proto {tcp, udp} tproxy to :$tproxy_port + nft add chain inet shellcrash ${1}_tproxy { type filter hook $2 priority -100 \; } + nft add rule inet shellcrash ${1}_tproxy meta mark == $fwmark meta l4proto {tcp, udp} tproxy to :$tproxy_port } - [ "$redir_mod" = "Tun模式" ] && nft add rule inet shellcrash $table meta l4proto {tcp, udp} mark set $fwmark - [ "$redir_mod" = "TCP旁路转发" ] && nft add rule inet shellcrash $table meta l4proto tcp mark set $fwmark - [ "$redir_mod" = "T&U旁路转发" ] && nft add rule inet shellcrash $table meta l4proto {tcp, udp} mark set $fwmark + [ "$redir_mod" = "混合模式" ] && { + nft add rule inet shellcrash $1 meta l4proto tcp mark set $((fwmark + 1)) + nft add chain inet shellcrash ${1}_mixtcp { type nat hook $2 priority -100 \; } + nft add rule inet shellcrash ${1}_mixtcp mark == $((fwmark + 1)) meta l4proto tcp redirect to $redir_port + } + #nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug } start_nft_dns(){ #nftables-dns nft add chain inet shellcrash ${1}_dns { type nat hook $1 priority -100 \; } + nft add rule inet shellcrash ${1}_dns meta skgid { 453, 7890 } return #过滤局域网设备 [ -n "$(cat ${CRASHDIR}/configs/mac)" ] && { MAC=$(awk '{printf "%s, ",$1}' ${CRASHDIR}/configs/mac) - [ "$macfilter_type" = "黑名单" ] && \ - nft add rule inet shellcrash ${1}_dns ether saddr {$MAC} return || \ + if [ "$macfilter_type" = "黑名单" ];then + nft add rule inet shellcrash ${1}_dns ether saddr {$MAC} return + else nft add rule inet shellcrash ${1}_dns ether saddr != {$MAC} return - } - [ "$1" = 'output' ] && { - nft add rule inet shellcrash ${1}_dns meta skgid { 453, 7890 } return + fi } nft add rule inet shellcrash ${1}_dns udp dport 53 redirect to ${dns_port} nft add rule inet shellcrash ${1}_dns tcp dport 53 redirect to ${dns_port} @@ -1322,6 +1128,105 @@ start_nft_wan(){ #nftables公网防火墙 nft add rule inet shellcrash input tcp dport $mix_port ip saddr {$HOST_IP} accept nft add rule inet shellcrash input tcp dport $mix_port reject fi +} +start_nftables(){ #nftables配置总入口 + #初始化nftables + nft add table inet shellcrash + nft flush table inet shellcrash + #公网访问防火墙 + start_nft_wan + #启动DNS劫持 + [ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && { + [ "$lan_proxy" = true ] && start_nft_dns prerouting #局域网dns转发 + [ "$local_proxy" = true ] && start_nft_dns output #本机dns转发 + } + #分模式设置流量劫持 + [ "$redir_mod" = "Redir模式" ] && { + JUMP="meta l4proto tcp redirect to $redir_port" #跳转劫持的具体命令 + [ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -100 + [ "$local_proxy" = true ] && start_nft_route output output nat -100 + } + [ "$redir_mod" = "Tproxy模式" ] && modprobe nft_tproxy >/dev/null 2>&1 && { + JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令 + [ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -150 + [ "$local_proxy" = true ] && start_nft_route output output route -150 + } + [ "$redir_mod" = "Tun模式" ] && [ "$tun_statu" != false ] && { + JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令 + [ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -150 + [ "$local_proxy" = true ] && start_nft_route output output route -150 + } + [ "$redir_mod" = "混合模式" ] && [ "$tun_statu" != false ] && { + JUMP="meta l4proto udp mark set $fwmark" #跳转劫持的具体命令 + [ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -150 + [ "$local_proxy" = true ] && start_nft_route output output route -150 + } + [ "$firewall_area" = 5 ] && { + [ "$redir_mod" = "T&U旁路转发" ] && JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令 + [ "$redir_mod" = "TCP旁路转发" ] && JUMP="meta l4proto tcp mark set $fwmark" #跳转劫持的具体命令 + [ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -150 + [ "$local_proxy" = true ] && start_nft_route output output route -150 + } + #屏蔽QUIC + [ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && { + nft add chain inet shellcrash quic_rj { type filter hook input priority 0 \; } + [ -n "$CN_IP" ] && nft add rule inet shellcrash quic_rj ip daddr {$CN_IP} return + [ -n "$CN_IP6" ] && nft add rule inet shellcrash quic_rj ip6 daddr {$CN_IP6} return + nft add rule inet shellcrash quic_rj udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT' + } +} +start_firewall(){ #路由规则总入口 + getlanip #获取局域网host地址 + #设置策略路由 + [ "$firewall_area" != 4 ] && { + local table=100 + [ "$redir_mod" = "Tproxy模式" ] && ip route add local default dev lo table $table + [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && { + i=1 + while [ -z "$(ip route list |grep utun)" -a "$i" -le 29 ];do + sleep 1 + i=$((i+1)) + done + if [ -z "$(ip route list |grep utun)" ];then + tun_statu=false + logger "找不到tun模块,放弃启动tun相关防火墙规则!" 31 + else + ip route add default dev utun table $table + #iptables -I FORWARD -o utun -j ACCEPT + fi + } + [ "$firewall_area" = 5 ] && ip route add default via $bypass_host table $table + [ "$redir_mod" != "Redir模式" ] && ip rule add fwmark $fwmark table $table + } + #添加ipv6路由 + [ "$ipv6_redir" = "已开启" -a "$firewall_area" -le 3 ] && { + [ "$redir_mod" = "Tproxy模式" ] && ip -6 route add local default dev lo table $((table + 1)) + [ -n "$(ip route list |grep utun)" ] && ip -6 route add default dev utun table $((table + 1)) + [ "$redir_mod" != "Redir模式" ] && ip -6 rule add fwmark $fwmark table $((table + 1)) + } + #判断代理用途 + [ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -n "$(grep '0:7890' /etc/passwd)" ] && local_proxy=true + [ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 ] && lan_proxy=true + #防火墙配置 + [ "$firewall_mod" = 'iptables' ] && start_iptables + [ "$firewall_mod" = 'nftables' ] && start_nftables + #修复部分虚拟机dns查询失败的问题 + [ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -z "$(grep 'nameserver 127.0.0.1' /etc/resolv.conf 2>/dev/null)" ] && { + line=$(grep -n 'nameserver' /etc/resolv.conf | awk -F: 'FNR==1{print $1}') + sed -i "$line i\nameserver 127.0.0.1 #shellcrash-dns-repair" /etc/resolv.conf + } + #openwrt使用dnsmasq转发DNS + if [ "$dns_redir" = "已开启" -a "$firewall_area" -le 3 -a "$dns_no" != "已禁用" ];then + uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1 + uci delete dhcp.@dnsmasq[0].resolvfile 2>/dev/null + uci add_list dhcp.@dnsmasq[0].server=127.0.0.1#$dns_port > /dev/null 2>&1 + uci set dhcp.@dnsmasq[0].noresolv=1 2>/dev/null + uci commit dhcp >/dev/null 2>&1 + /etc/init.d/dnsmasq restart >/dev/null 2>&1 + elif [ "$(uci get dhcp.@dnsmasq[0].dns_redirect 2>/dev/null)" = 1 ];then + uci del dhcp.@dnsmasq[0].dns_redirect + uci commit dhcp.@dnsmasq[0] + fi } stop_firewall(){ #还原防火墙配置 getconfig @@ -1329,83 +1234,83 @@ stop_firewall(){ #还原防火墙配置 getlanip #重置iptables相关规则 ckcmd iptables && { - #redir - iptables -t nat -D PREROUTING -p tcp $ports -j shellcrash 2> /dev/null - iptables -t nat -D PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash 2> /dev/null - iptables -t nat -F shellcrash 2> /dev/null - iptables -t nat -X shellcrash 2> /dev/null + #清理shellcrash自建表 + for table in shellcrash_dns shellcrash shellcrash_out shellcrash_dns_out;do + iptables -t nat -F $table 2>/dev/null + iptables -t nat -X $table 2>/dev/null + done + for table in shellcrash_mark shellcrash_mark_out;do + iptables -t mangle -F $table 2>/dev/null + iptables -t mangle -X $table 2>/dev/null + done #dns - iptables -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_dns 2> /dev/null - iptables -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_dns 2> /dev/null - iptables -t nat -F shellcrash_dns 2> /dev/null - iptables -t nat -X shellcrash_dns 2> /dev/null + iptables -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_dns 2>/dev/null + iptables -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_dns 2>/dev/null + iptables -t nat -D OUTPUT -p udp --dport 53 -j shellcrash_dns_out 2>/dev/null + iptables -t nat -D OUTPUT -p tcp --dport 53 -j shellcrash_dns_out 2>/dev/null + #redir + iptables -t nat -D PREROUTING -p tcp $ports -j shellcrash 2>/dev/null + iptables -t nat -D PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash 2>/dev/null + iptables -t nat -D OUTPUT -p tcp $ports -j shellcrash_out 2>/dev/null + iptables -t nat -D OUTPUT -p tcp -d 198.18.0.0/16 -j shellcrash_out 2>/dev/null + #TPROXY&tun + iptables -t mangle -D PREROUTING -p tcp $ports -j shellcrash_mark 2>/dev/null + iptables -t mangle -D PREROUTING -p udp $ports -j shellcrash_mark 2>/dev/null + iptables -t mangle -D PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash_mark 2>/dev/null + iptables -t mangle -D PREROUTING -p udp -d 198.18.0.0/16 -j shellcrash_mark 2>/dev/null + iptables -t mangle -D OUTPUT -p tcp $ports -j shellcrash_mark_out 2>/dev/null + iptables -t mangle -D OUTPUT -p udp $ports -j shellcrash_mark_out 2>/dev/null + iptables -t mangle -D OUTPUT -p tcp -d 198.18.0.0/16 -j shellcrash_mark_out 2>/dev/null + iptables -t mangle -D OUTPUT -p udp -d 198.18.0.0/16 -j shellcrash_mark_out 2>/dev/null #tun - iptables -D FORWARD -o utun -j ACCEPT 2> /dev/null - iptables -D FORWARD -s 198.18.0.0/16 -o utun -j RETURN 2> /dev/null + iptables -D FORWARD -o utun -j ACCEPT 2>/dev/null + iptables -D FORWARD -s 198.18.0.0/16 -o utun -j RETURN 2>/dev/null #屏蔽QUIC [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst' - iptables -D INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT 2> /dev/null - iptables -D FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT 2> /dev/null - #本机代理 - iptables -t nat -D OUTPUT -p tcp $ports -j shellcrash_out 2> /dev/null - iptables -t nat -F shellcrash_out 2> /dev/null - iptables -t nat -X shellcrash_out 2> /dev/null - iptables -t nat -D OUTPUT -p udp --dport 53 -j shellcrash_dns_out 2> /dev/null - iptables -t nat -F shellcrash_dns_out 2> /dev/null - iptables -t nat -X shellcrash_dns_out 2> /dev/null - #docker - iptables -t nat -F shellcrash_docker 2> /dev/null - iptables -t nat -X shellcrash_docker 2> /dev/null - iptables -t nat -D PREROUTING -p tcp -s 172.16.0.0/12 -j shellcrash_docker 2> /dev/null - iptables -t nat -D PREROUTING -p udp --dport 53 -s 172.16.0.0/12 -j REDIRECT --to $dns_port 2> /dev/null - #TPROXY&tun - iptables -t mangle -D PREROUTING -p tcp $ports -j shellcrash 2> /dev/null - iptables -t mangle -D PREROUTING -p udp $ports -j shellcrash 2> /dev/null - iptables -t mangle -D PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash 2> /dev/null - iptables -t mangle -D PREROUTING -p udp -d 198.18.0.0/16 -j shellcrash 2> /dev/null - iptables -t mangle -F shellcrash 2> /dev/null - iptables -t mangle -X shellcrash 2> /dev/null + iptables -D INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT 2>/dev/null + iptables -D FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT 2>/dev/null #公网访问 for ip in $host_ipv4 $local_ipv4 $reserve_ipv4;do - iptables -D INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT 2> /dev/null - iptables -D INPUT -p tcp -s $ip --dport $db_port -j ACCEPT 2> /dev/null + iptables -D INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT 2>/dev/null + iptables -D INPUT -p tcp -s $ip --dport $db_port -j ACCEPT 2>/dev/null done - iptables -D INPUT -p tcp -d 127.0.0.1 -j ACCEPT 2> /dev/null - iptables -D INPUT -p tcp --dport $mix_port -j REJECT 2> /dev/null - iptables -D INPUT -p tcp --dport $mix_port -j ACCEPT 2> /dev/null - iptables -D INPUT -p tcp --dport $db_port -j REJECT 2> /dev/null - iptables -D INPUT -p tcp --dport $db_port -j ACCEPT 2> /dev/null + iptables -D INPUT -p tcp -d 127.0.0.1 -j ACCEPT 2>/dev/null + iptables -D INPUT -p tcp --dport $mix_port -j REJECT 2>/dev/null + iptables -D INPUT -p tcp --dport $mix_port -j ACCEPT 2>/dev/null + iptables -D INPUT -p tcp --dport $db_port -j REJECT 2>/dev/null + iptables -D INPUT -p tcp --dport $db_port -j ACCEPT 2>/dev/null } #重置ipv6规则 ckcmd ip6tables && { - #redir - ip6tables -t nat -D PREROUTING -p tcp $ports -j shellcrashv6 2> /dev/null - ip6tables -D INPUT -p udp --dport 53 -m comment --comment "ShellCrash-IPV6_DNS-REJECT" -j REJECT 2> /dev/null - ip6tables -t nat -F shellcrashv6 2> /dev/null - ip6tables -t nat -X shellcrashv6 2> /dev/null + #清理shellcrash自建表 + for table in shellcrashv6_dns shellcrashv6;do + ip6tables -t nat -F $table 2>/dev/null + ip6tables -t nat -X $table 2>/dev/null + done + ip6tables -t mangle -F shellcrashv6_mark 2>/dev/null + ip6tables -t mangle -X shellcrashv6_mark 2>/dev/null #dns ip6tables -t nat -D PREROUTING -p tcp --dport 53 -j shellcrashv6_dns 2>/dev/null - ip6tables -t nat -D PREROUTING -p udp --dport 53 -j shellcrashv6_dns 2>/dev/null - ip6tables -t nat -F shellcrashv6_dns 2> /dev/null - ip6tables -t nat -X shellcrashv6_dns 2> /dev/null + ip6tables -t nat -D PREROUTING -p udp --dport 53 -j shellcrashv6_dns 2>/dev/null + #redir + ip6tables -t nat -D PREROUTING -p tcp $ports -j shellcrashv6 2>/dev/null + ip6tables -D INPUT -p udp --dport 53 -m comment --comment "ShellCrash-IPV6_DNS-REJECT" -j REJECT 2>/dev/null + #mark + ip6tables -t mangle -D PREROUTING -p tcp $ports -j shellcrashv6_mark 2>/dev/null + ip6tables -t mangle -D PREROUTING -p udp $ports -j shellcrashv6_mark 2>/dev/null + ip6tables -D INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT 2>/dev/null #tun - ip6tables -D FORWARD -o utun -j ACCEPT 2> /dev/null + ip6tables -D FORWARD -o utun -j ACCEPT 2>/dev/null ip6tables -D FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" -j REJECT >/dev/null 2>&1 #屏蔽QUIC [ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst' - iptables -D INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2> /dev/null - iptables -D FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2> /dev/null + iptables -D INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2>/dev/null + iptables -D FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2>/dev/null #公网访问 - ip6tables -D INPUT -p tcp --dport $mix_port -j REJECT 2> /dev/null - ip6tables -D INPUT -p tcp --dport $mix_port -j ACCEPT 2> /dev/null - ip6tables -D INPUT -p tcp --dport $db_port -j REJECT 2> /dev/null - ip6tables -D INPUT -p tcp --dport $db_port -j ACCEPT 2> /dev/null - #tproxy&tun - ip6tables -t mangle -D PREROUTING -p tcp $ports -j shellcrashv6 2> /dev/null - ip6tables -t mangle -D PREROUTING -p udp $ports -j shellcrashv6 2> /dev/null - ip6tables -t mangle -F shellcrashv6 2> /dev/null - ip6tables -t mangle -X shellcrashv6 2> /dev/null - ip6tables -D INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT 2> /dev/null + ip6tables -D INPUT -p tcp --dport $mix_port -j REJECT 2>/dev/null + ip6tables -D INPUT -p tcp --dport $mix_port -j ACCEPT 2>/dev/null + ip6tables -D INPUT -p tcp --dport $db_port -j REJECT 2>/dev/null + ip6tables -D INPUT -p tcp --dport $db_port -j ACCEPT 2>/dev/null } #清理ipset规则 ipset destroy cn_ip >/dev/null 2>&1 @@ -1418,10 +1323,10 @@ stop_firewall(){ #还原防火墙配置 /etc/init.d/dnsmasq restart >/dev/null 2>&1 } #清理路由规则 - ip rule del fwmark $fwmark table 100 2> /dev/null - ip route del local default dev lo table 100 2> /dev/null - ip -6 rule del fwmark $fwmark table 101 2> /dev/null - ip -6 route del local ::/0 dev lo table 101 2> /dev/null + ip rule del fwmark $fwmark table 100 2>/dev/null + ip route flush table 100 2>/dev/null + ip -6 rule del fwmark $fwmark table 101 2>/dev/null + ip -6 route flush table 101 2>/dev/null #重置nftables相关规则 ckcmd nft && { nft flush table inet shellcrash >/dev/null 2>&1 @@ -1711,69 +1616,7 @@ afstart(){ #启动后 done if [ -n "$test" -o -n "$(pidof CrashCore)" ];then rm -rf ${TMPDIR}/CrashCore #删除缓存目录内核文件 - #设置DNS转发 - start_dns(){ - if [ "$dns_no" != "已禁用" ];then - if [ "$dns_redir" != "已开启" ];then - [ "$firewall_mod" = 'iptables' ] && start_ipt_dns - [ "$firewall_mod" = 'nftables' ] && start_nft_dns prerouting - else - #openwrt使用dnsmasq转发 - uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1 - uci delete dhcp.@dnsmasq[0].resolvfile 2>/dev/null - uci add_list dhcp.@dnsmasq[0].server=127.0.0.1#$dns_port > /dev/null 2>&1 - uci set dhcp.@dnsmasq[0].noresolv=1 2>/dev/null - uci commit dhcp >/dev/null 2>&1 - /etc/init.d/dnsmasq restart >/dev/null 2>&1 - fi - fi - return 0 - } - #设置路由规则 - [ "$firewall_area" != 4 ] && { - getlanip #获取局域网host地址 - #设置策略路由 - [ "$redir_mod" = "Tproxy模式" ] && ip route add local default dev lo table 100 - [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && ip route add default dev utun table 100 - [ "$firewall_area" = 5 ] && ip route add default via $bypass_host table 100 - [ "$redir_mod" != "纯净模式" -a "$redir_mod" != "Redir模式" ] && ip rule add fwmark $fwmark table 100 - [ "$firewall_mod" = 'iptables' ] && { - [ "$redir_mod" = "Redir模式" ] && start_dns && start_redir - [ "$redir_mod" = "混合模式" ] && start_dns && start_redir && start_tun udp - [ "$redir_mod" = "Tun模式" ] && start_dns && start_tun all - [ "$redir_mod" = "Tproxy模式" ] && start_dns && start_tproxy all - [ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -n "$(grep '0:7890' /etc/passwd)" ] && start_output #设置本机代理 - } - [ "$firewall_mod" = 'nftables' ] && { - nft add table inet shellcrash #初始化nftables - nft flush table inet shellcrash - #局域网代理 - [ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 ] && { - start_dns - start_nft prerouting - #屏蔽QUIC - [ "$quic_rj" = 已启用 ] && { - nft add chain inet shellcrash input { type filter hook input priority 0 \; } - [ -n "$CN_IP" ] && nft add rule inet shellcrash input ip daddr {$CN_IP} return - [ -n "$CN_IP6" ] && nft add rule inet shellcrash input ip6 daddr {$CN_IP6} return - nft add rule inet shellcrash input udp dport 443 reject comment 'ShellCrash-QUIC-REJECT' - } - } - #设置本机代理 - [ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -n "$(grep '0:7890' /etc/passwd)" ] && { - start_nft_dns output - start_nft output - #修复部分虚拟机dns查询失败的问题 - [ -z "$(grep 'nameserver 127.0.0.1' /etc/resolv.conf 2>/dev/null)" ] && { - line=$(grep -n 'nameserver' /etc/resolv.conf | awk -F: 'FNR==1{print $1}') - sed -i "$line i\nameserver 127.0.0.1 #shellcrash-dns-repair" /etc/resolv.conf - } - } - } - } - #启用公网访问防火墙 - [ "$firewall_mod" = 'iptables' ] && start_ipt_wan - [ "$firewall_mod" = 'nftables' ] && start_nft_wan + start_firewall #配置防火墙流量劫持 mark_time #标记启动时间 [ -s ${CRASHDIR}/configs/web_save -o -s ${CRASHDIR}/configs/web_configs ] && web_restore >/dev/null 2>&1 & #后台还原面板配置 { sleep 5;logger ShellCrash服务已启动!;} & #推送日志