From 13fbc6923f285f24526fa6833cf98fee5c5fc6e7 Mon Sep 17 00:00:00 2001 From: juewuy Date: Sun, 13 Nov 2022 18:11:22 +0800 Subject: [PATCH] =?UTF-8?q?v1.6.6=20~=E6=96=B0=E5=A2=9ETproxy=E6=A8=A1?= =?UTF-8?q?=E5=BC=8F=20=20=20=C2=B7tcp=20=20=20=C2=B7MAC=E8=BF=87=E6=BB=A4?= =?UTF-8?q?=20=20=20=C2=B7=E5=B8=B8=E7=94=A8=E7=AB=AF=E5=8F=A3=E8=BF=87?= =?UTF-8?q?=E6=BB=A4=20=20=20=C2=B7=E5=B1=8F=E8=94=BDQUIC=20=20=20=C2=B7ip?= =?UTF-8?q?v6=E6=94=AF=E6=8C=81(=E6=9C=AA=E6=B5=8B=E8=AF=95)=20~=E6=96=B0?= =?UTF-8?q?=E5=A2=9ENftables=E6=94=AF=E6=8C=81=20=20=20=C2=B7tcp&udp=20=20?= =?UTF-8?q?=20=C2=B7MAC=E8=BF=87=E6=BB=A4=20=20=20=C2=B7=E5=B8=B8=E7=94=A8?= =?UTF-8?q?=E7=AB=AF=E5=8F=A3=E8=BF=87=E6=BB=A4=20=20=20=C2=B7=E5=B1=8F?= =?UTF-8?q?=E8=94=BDQUIC=20=20=20=C2=B7ipv6=E6=94=AF=E6=8C=81(=E6=9C=AA?= =?UTF-8?q?=E6=B5=8B=E8=AF=95)=20=20=20=C2=B7=E6=9C=AC=E6=9C=BA=E4=BB=A3?= =?UTF-8?q?=E7=90=86=20~=E4=BF=AE=E5=A4=8D=E9=83=A8=E5=88=86Linux=E8=AE=BE?= =?UTF-8?q?=E5=A4=87grep=E5=91=BD=E4=BB=A4=E6=8A=A5=E9=94=99=E7=9A=84?= =?UTF-8?q?=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- scripts/clash.sh | 32 +++++++------- scripts/getdate.sh | 41 +++++++++++------- scripts/start.sh | 103 +++++++++++++++++++++++++++------------------ 3 files changed, 103 insertions(+), 73 deletions(-) diff --git a/scripts/clash.sh b/scripts/clash.sh index 074014e..ca9adb9 100644 --- a/scripts/clash.sh +++ b/scripts/clash.sh 
@@ -516,13 +516,15 @@ localproxy(){ [ -z "$local_proxy" ] && local_proxy='未开启' [ -z "$local_type" ] && local_type='环境变量' [ "$local_proxy" = "已开启" ] && proxy_set='禁用' || proxy_set='启用' + [ -w /etc/systemd/system/clash.service -o -w /usr/lib/systemd/system/clash.service -o -x /bin/su ] && local_enh=1 + [ -f /etc/rc.common -a -w /etc/passwd ] && local_enh=1 echo ----------------------------------------------- echo -e "\033[33m当前本机代理配置方式为:\033[32m$local_type\033[0m" echo ----------------------------------------------- echo -e " 1 \033[36m$proxy_set本机代理\033[0m" echo -e " 2 使用\033[32m环境变量\033[0m方式配置(部分应用可能无法使用)" [ -n "$(lsmod | grep ^xt_owner)" ] && echo -e " 3 使用\033[32miptables增强模式\033[0m配置(支持docker)" - [ -n "$(type nft)" ] && echo -e " 4 使用\033[32mnftables增强模式\033[0m配置(支持docker)" + type nft 2> /dev/null && echo -e " 4 使用\033[32mnftables增强模式\033[0m配置(支持docker)" echo -e " 0 返回上级菜单" echo ----------------------------------------------- read -p "请输入对应数字 > " num @@ -566,26 +568,23 @@ localproxy(){ setconfig local_type $local_type localproxy elif [ "$num" = 3 ]; then - if [ -w /etc/systemd/system/clash.service -o -w /usr/lib/systemd/system/clash.service -o -x /bin/su ];then - local_type="iptables增强模式" - setconfig local_type $local_type - elif [ -f /etc/rc.common -a -w /etc/passwd ]; then + if [ -n "$local_enh" ];then local_type="iptables增强模式" setconfig local_type $local_type else echo -e "\033[31m当前设备无法使用iptables增强模式!\033[0m" - sleep 1 fi + sleep 1 localproxy elif [ "$num" = 4 ]; then - if [ -n "$(echo $redir_mod|grep Nft)" ];then + if [ -n "$local_enh" ];then local_type="nftables增强模式" setconfig local_type $local_type else - echo -e "\033[31m请先启用任意nftable相关模式!\033[0m" - sleep 1 + echo -e "\033[31m当前设备无法使用nftables增强模式!\033[0m" fi + sleep 1 localproxy else errornum 
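Review bot: `type nft 2> /dev/null && echo -e " 4 ..."` only silences stderr, so when nft exists `type` still prints its "nft is /usr/sbin/nft" line to stdout and that path shows up in the menu above option 4; use `type nft >/dev/null 2>&1 && echo -e ...`, the form stop_firewall in start.sh already uses. The new `local_enh` probe also treats `-x /bin/su` as evidence that the enhanced local-proxy modes are usable, but su is executable for every user and says nothing about whether this shell can reach root; unless a later step checks it, something like `[ "$(id -u)" = 0 ]` (or whatever the mode actually needs) would be a more honest gate, with a comment stating what `local_enh` is meant to prove. localproxy's body starts before and continues after this hunk.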
@@ -606,8 +605,8 @@ clashcfg(){ } [ -n "$(iptables -j TPROXY 2>&1 | grep 'on-port')" ] && sup_tp=1 [ -n "$(lsmod | grep '^tun')" ] && sup_tun=1 - [ -n "$(type nft)" ] && sup_nft=1 - [ -n "$(type nft)" -a -n "$(lsmod | grep 'nft_tproxy')" ] && sup_nft=2 + type nft 2> /dev/null && sup_nft=1 + [ -n "$sup_nft" -a -n "$(lsmod | grep 'nft_tproxy')" ] && sup_nft=2 echo ----------------------------------------------- echo -e "当前代理模式为:\033[47;30m $redir_mod \033[0m;Clash核心为:\033[47;30m $clashcore \033[0m" echo -e "\033[33m切换模式后需要手动重启clash服务以生效!\033[0m" @@ -817,7 +816,7 @@ clashcfg(){ elif [ "$num" = 7 ]; then echo ----------------------------------------------- - if [ "$redir_mod" = "混合模式" -o "$redir_mod" = "Tun模式" -o "$tproxy_mod" = "已开启" ];then + if [ -n "$(echo "$redir_mod" | grep -oE '混合|Tproxy|Tun')" ];then if [ "$quic_rj" = "未开启" ]; then echo -e "\033[33m已禁止QUCI流量通过clash内核!!\033[0m" quic_rj=已启用 @@ -829,6 +828,7 @@ clashcfg(){ else echo -e "\033[33m当前模式默认不会代理UDP流量,无需设置!!\033[0m" fi + sleep 1 clashcfg elif [ "$num" = 8 ]; then @@ -837,10 +837,7 @@ clashcfg(){ fake_ip_filter clashcfg else - if ! ipset -v >/dev/null 2>&1;then - echo -e "\033[31m当前设备缺少ipset模块,无法启用绕过功能!!\033[0m" - sleep 1 - else + if [ -n "$(ipset -v 2>/dev/null)" -o -n "$(echo $redir_mod | grep Nft)" ];then if [ "$cn_ip_route" = "未开启" ]; then echo -e "\033[32m已开启CN_IP绕过内核功能!!\033[0m" cn_ip_route=已开启 @@ -850,6 +847,9 @@ clashcfg(){ cn_ip_route=未开启 fi setconfig cn_ip_route $cn_ip_route + else + echo -e "\033[31m当前设备缺少ipset模块或未使用Nft模式,无法启用绕过功能!!\033[0m" + sleep 1 fi fi clashcfg diff --git a/scripts/getdate.sh b/scripts/getdate.sh index 705dd82..4c2847b 100644 --- a/scripts/getdate.sh +++ b/scripts/getdate.sh @@ -1097,7 +1097,7 @@ testcommand(){ echo " 1 查看Clash运行时的报错信息(会停止clash服务)" echo " 2 查看系统DNS端口(:53)占用 " echo " 3 测试ssl加密(aes-128-gcm)跑分" - echo " 4 查看iptables端口转发详情" + echo " 4 查看clash相关路由规则" echo " 5 查看config.yaml前40行" echo " 6 测试代理服务器连通性(google.tw)" echo " 7 重新进入新手引导" 
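Review bot: The probe `type nft 2> /dev/null && sup_nft=1` in clashcfg still writes `type`'s "nft is ..." line to stdout, so it appears on screen right before the separator; use `type nft >/dev/null 2>&1 && sup_nft=1`. The follow-up `[ -n "$sup_nft" -a -n "$(lsmod | grep 'nft_tproxy')" ] && sup_nft=2` only succeeds when the module is already loaded, so if nft_tproxy is present but not yet autoloaded the Nft混合 option may be hidden on a fresh boot — if that is the intended behaviour, a comment such as `# nft_tproxy must already be loaded; lsmod does not see autoloadable modules` would save the next reader a debugging session. clashcfg's body starts before and ends after this hunk.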
@@ -1129,20 +1129,31 @@ testcommand(){
 echo -----------------------------------------------
 exit;
 elif [ "$num" = 4 ]; then
- echo -----------------------------------------------
- iptables -t nat -L PREROUTING --line-numbers
- echo -----------------------------------------------
- iptables -t nat -L clash --line-numbers
- echo -----------------------------------------------
- iptables -t mangle -L clash --line-numbers
- echo -----------------------------------------------
- iptables -t nat -L clash_dns --line-numbers
- echo -----------------------------------------------
- ip6tables -t nat -L PREROUTING --line-numbers
- echo -----------------------------------------------
- ip6tables -t nat -L clashv6 --line-numbers
- echo -----------------------------------------------
- ip6tables -t nat -L clashv6_dns --line-numbers
+
+ if [ -n "$(echo $redir_mod | grep 'Nft')" ];then
+ nft list table shellclash
+ else
+ echo -------------------Redir---------------------
+ iptables -t nat -L PREROUTING --line-numbers
+ iptables -t nat -L clash_dns --line-numbers
+ iptables -t nat -L clash --line-numbers
+ [ -n "$(echo $redir_mod | grep 'Tproxy')" ] && {
+ echo -------------------Tproxy--------------------
+ iptables -t mangle -L PREROUTING --line-numbers
+ iptables -t mangle -L clash --line-numbers
+ }
+ [ -n "$(ip6tables -t nat -L 2>&1 | grep -o 'Chain')" -a "$ipv6_support" = "已开启" ] && {
+ echo -------------------Redir---------------------
+ ip6tables -t nat -L PREROUTING --line-numbers
+ ip6tables -t nat -L clashv6_dns --line-numbers
+ ip6tables -t nat -L clashv6 --line-numbers
+ [ -n "$(echo $redir_mod | grep 'Tproxy')" ] && {
+ echo -------------------Tproxy--------------------
+ ip6tables -t mangle -L PREROUTING --line-numbers
+ ip6tables -t mangle -L clashv6 --line-numbers
+ }
+ }
+ fi
 exit;
 elif [ "$num" = 5 ]; then
 echo -----------------------------------------------
diff --git a/scripts/start.sh
index 94e67c5..364edf2 100644
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -660,6 +660,8 @@ start_tun(){
 #ip6tables -A FORWARD -o utun -j ACCEPT > /dev/null 2>&1
 }
 start_nft(){
+ [ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g')
+ RESERVED_IP="{0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4}"
 #设置策略路由
 ip rule add fwmark 1 table 100 2> /dev/null
 ip route add local default dev lo table 100 2> /dev/null
@@ -670,49 +672,62 @@ start_nft(){ #初始化nftables nft add table shellclash 2> /dev/null nft flush table shellclash 2> /dev/null - nft add chain shellclash prerouting { type nat hook prerouting priority -100 \; } - #过滤局域网设备 ether saddr - [ -n "$(cat $clashdir/mac)" ] && { - MAC=$(awk '{printf "%s, ",$1}' $clashdir/mac) - [ "$macfilter_type" = "黑名单" ] && nft add rule shellclash prerouting ether saddr {${MAC}} return - [ "$macfilter_type" = "白名单" ] && nft add rule shellclash prerouting ether saddr != {${MAC}} return - } - #设置DNS转发 - nft add rule shellclash prerouting udp dport 53 redirect to ${dns_port} - nft add rule shellclash prerouting tcp dport 53 redirect to ${dns_port} - #过滤保留地址 - RESERVED_IP="{0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4}" - nft add rule shellclash prerouting ip daddr {${RESERVED_IP}} return - #过滤CN-IP - [ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" -a -f $bindir/cn_ip.txt ] && { - CN_IP=$(awk '{printf "%s, ",$1}' $bindir/cn_ip.txt) - [ -n "$CN_IP" ] && nft add rule shellclash prerouting ip daddr {${CN_IP}} return - } - #过滤常用端口 - [ "$common_ports" = "已开启" ] && { - PORTS=$(echo $multiport | sed 's/,/, /g') - nft add rule shellclash prerouting tcp dport != {${PORTS}} return + [ "$redir_mod" = "Nft基础" ] && nft add chain shellclash prerouting { type nat hook prerouting priority -100 \; } + [ "$redir_mod" = "Nft混合" ] && nft add chain shellclash prerouting { type filter hook prerouting priority 0 \; } + [ -n "$(echo $redir_mod|grep Nft)" ] && { + #设置DNS转发 + nft add chain shellclash dns { type nat hook prerouting priority -100 \; } + nft add rule shellclash dns udp dport 53 redirect to ${dns_port} + nft add rule shellclash dns tcp dport 53 redirect to ${dns_port} + #过滤局域网设备 + [ -n "$(cat $clashdir/mac)" ] && { + MAC=$(awk '{printf "%s, ",$1}' $clashdir/mac) + [ "$macfilter_type" = "黑名单" ] && { + nft add rule shellclash dns ether saddr {${MAC}} return + nft add rule 
shellclash prerouting ether saddr {${MAC}} return + } + [ "$macfilter_type" = "白名单" ] && { + nft add rule shellclash dns ether saddr != {${MAC}} return + nft add rule shellclash prerouting ether saddr != {${MAC}} return + } + } + #过滤保留地址 + nft add rule shellclash prerouting ip daddr {${RESERVED_IP}} return + #过滤CN-IP + [ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" -a -f $bindir/cn_ip.txt ] && { + CN_IP=$(awk '{printf "%s, ",$1}' $bindir/cn_ip.txt) + [ -n "$CN_IP" ] && nft add rule shellclash prerouting ip daddr {${CN_IP}} return + } + #过滤常用端口 + [ -n "$PORTS" ] && nft add rule shellclash prerouting tcp dport != {${PORTS}} return + #透明路由 + [ "$redir_mod" = "Nft基础" ] && nft add rule shellclash prerouting meta l4proto tcp mark set 1 redirect to ${redir_port} + [ "$redir_mod" = "Nft混合" ] && nft add rule shellclash prerouting meta l4proto {tcp, udp} mark set 1 tproxy to 127.0.0.1:${tproxy_port} } #屏蔽QUIC [ "$quic_rj" = 已启用 ] && { nft add chain shellclash input { type filter hook input priority 0 \; } - nft add rule shellclash input udp dport 443 reject comment "ShellClash QUIC REJECT" - } - #代理局域网设备 - if [ "$redir_mod" = "Nft混合" ];then - nft add chain shellclash prerouting { type filter hook prerouting priority 0 \; } - nft add rule shellclash prerouting meta l4proto {tcp, udp} mark set 1 tproxy to 127.0.0.1:${tproxy_port} - else - nft add rule shellclash prerouting meta l4proto tcp mark set 1 redirect to ${redir_port} - fi + nft add rule shellclash input udp dport 443 reject comment 'ShellClash-QUIC-REJECT' + } #代理本机 [ "$local_proxy" = "已开启" ] && [ "$local_type" = "nftables增强模式" ] && { - nft add chain shellclash output { type route hook output priority 0 \; } - nft add rule shellclash output meta skgid 7890 return - #[ "$common_ports" = "已开启" ] && nft add rule shellclash output tcp dport != {${PORTS}} return - #nft add rule shellclash output ip daddr {${RESERVED_IP}} return - nft add rule shellclash output meta l4proto udp dport 53 mark set 1 redirect to 
${dns_port} - nft add rule shellclash output meta l4proto tcp mark set 1 + #dns + nft add chain shellclash dns_out { type nat hook output priority -100 \; } + nft add rule shellclash dns_out meta skgid 7890 return && { + nft add rule shellclash dns_out udp dport 53 redirect to ${dns_port} + } + #output + nft add chain shellclash output { type nat hook output priority -100 \; } + nft add rule shellclash output meta skgid 7890 return && { + [ -n "$PORTS" ] && nft add rule shellclash output tcp dport != {${PORTS}} return + nft add rule shellclash output ip daddr {${RESERVED_IP}} return + nft add rule shellclash output meta l4proto tcp mark set 1 redirect to ${redir_port} + } + #Docker + type docker &>/dev/null && { + ip rule add fwmark 1 table 102 2> /dev/null + ip route add local 172.16.0.0/12 dev lo table 102 2> /dev/null + } } } start_wan(){ @@ -811,6 +826,8 @@ stop_firewall(){ ip route del local default dev lo table 100 2> /dev/null ip -6 rule del fwmark 1 table 101 2> /dev/null ip -6 route del local ::/0 dev lo table 101 2> /dev/null + ip rule del fwmark 1 table 102 2> /dev/null + ip route del local 172.16.0.0/12 dev lo table 102 2> /dev/null #重置nftables相关规则 type nft >/dev/null 2>&1 && { nft flush table shellclash >/dev/null 2>&1 @@ -989,7 +1006,7 @@ afstart(){ getconfig $bindir/clash -t -d $bindir >/dev/null if [ "$?" = 0 ];then - #设置iptables转发规则 + #设置DNS转发 start_dns(){ [ "$dns_mod" = "redir_host" ] && [ "$cn_ip_route" = "已开启" ] && cn_ip_route if [ "$dns_no" != "已禁用" ];then 
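Review bot: In the new `dns` chain the two `redirect to ${dns_port}` rules are appended before the MAC-filter `return` rules, and nft evaluates a chain top-down with `redirect` as a terminal verdict, so port-53 traffic from blacklisted (or non-whitelisted) devices is still hijacked and the MAC filter only takes effect in `prerouting`; the removed code added the filter first. Either move the `[ -n "$(cat $clashdir/mac)" ]` block above the two DNS rules, or put the dns-chain filter at the head with `nft insert rule shellclash dns ether saddr {${MAC}} return` / `nft insert rule shellclash dns ether saddr != {${MAC}} return` instead of `add`. The Docker probe `type docker &>/dev/null && {` relies on the bash-only `&>`: on dash or a busybox ash built without that extension it parses as `type docker &` followed by an empty redirected command, so `type` is backgrounded and the route-table-102 block runs unconditionally; `type docker >/dev/null 2>&1 && {` matches the `type nft >/dev/null 2>&1` form used in stop_firewall. The hard-coded `meta skgid 7890` exclusion presumably matches the gid clash is started under — a comment stating that assumption would help, since a mismatch sends clash's own egress back into the redirect. start_nft begins in the previous hunk.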
@@ -1006,19 +1023,21 @@ afstart(){
 fi
 fi
 }
+ #设置路由规则
 [ "$redir_mod" = "Redir模式" ] && start_dns && start_redir
 [ "$redir_mod" = "混合模式" ] && start_dns && start_redir && start_tun
 [ "$redir_mod" = "Tproxy混合" ] && start_dns && start_redir && start_tproxy udp
 [ "$redir_mod" = "Tun模式" ] && start_dns && start_tun
 [ "$redir_mod" = "Tproxy模式" ] && start_dns && start_tproxy all
- [ "$redir_mod" = "Nft基础" ] && start_nft 'tcp'
- [ "$redir_mod" = "Nft混合" ] && start_nft '{tcp, udp}'
+ [ "$redir_mod" = "Nft基础" ] && start_nft
+ [ "$redir_mod" = "Nft混合" ] && start_nft
+ #设置本机代理
+ [ "$local_proxy" = "已开启" ] && [ "$local_type" = "环境变量" ] && $0 set_proxy $mix_port $db_port
 [ "$local_proxy" = "已开启" ] && [ "$local_type" = "iptables增强模式" ] && start_output
+ [ "$local_proxy" = "已开启" ] && [ "$local_type" = "nftables增强模式" ] && [ "$redir_mod" = "纯净模式" ] && start_nft
 type iptables >/dev/null 2>&1 && start_wan
 #标记启动时间
 mark_time
- #设置本机代理
- [ "$local_proxy" = "已开启" ] && $0 set_proxy $mix_port $db_port
 #加载定时任务
 [ -f $clashdir/cron ] && croncmd $clashdir/cron
 #启用面板配置自动保存
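Review bot: The nftables local-proxy line only fires when `redir_mod` is exactly 纯净模式, yet the menu change in clash.sh now lets any device with `local_enh` pick nftables增强模式 regardless of mode; with an iptables-based redir_mod (Redir模式, Tun模式, Tproxy…) and local_type=nftables增强模式 neither start_nft nor start_output appears to run, so local proxying is silently absent. Either widen the guard to every non-Nft mode, e.g. `[ -z "$(echo "$redir_mod" | grep Nft)" ] && start_nft`, or have the menu reject that combination. The env-var branch also passes `$0 set_proxy $mix_port $db_port` unquoted — harmless for numeric ports, but `"$mix_port" "$db_port"` would match the quoting elsewhere in the line. afstart's body starts before this hunk.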