xm/ShellCrash
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v1.6.6

Browse Source 
~新增Tproxy模式
  ·tcp
  ·MAC过滤
  ·常用端口过滤
  ·屏蔽QUIC
  ·ipv6支持(未测试)
~新增Nftables支持
  ·tcp&udp
  ·MAC过滤
  ·常用端口过滤
  ·屏蔽QUIC
  ·ipv6支持(未测试)
  ·本机代理
~修复部分Linux设备grep命令报错的问题
This commit is contained in:
juewuy
2022-11-13 18:11:22 +08:00
parent 7bd23131a3
commit 13fbc6923f
3 changed files with 103 additions and 73 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
scripts/clash.sh
View File

@@ -516,13 +516,15 @@ localproxy(){
[ -z "$local_proxy" ] && local_proxy='未开启' [ -z "$local_proxy" ] && local_proxy='未开启'
[ -z "$local_type" ] && local_type='环境变量' [ -z "$local_type" ] && local_type='环境变量'
[ "$local_proxy" = "已开启" ] && proxy_set='禁用' || proxy_set='启用' [ "$local_proxy" = "已开启" ] && proxy_set='禁用' || proxy_set='启用'
[ -w /etc/systemd/system/clash.service -o -w /usr/lib/systemd/system/clash.service -o -x /bin/su ] && local_enh=1
[ -f /etc/rc.common -a -w /etc/passwd ] && local_enh=1
echo ----------------------------------------------- echo -----------------------------------------------
echo -e "\033[33m当前本机代理配置方式为\033[32m$local_type\033[0m" echo -e "\033[33m当前本机代理配置方式为\033[32m$local_type\033[0m"
echo ----------------------------------------------- echo -----------------------------------------------
echo -e " 1 \033[36m$proxy_set本机代理\033[0m" echo -e " 1 \033[36m$proxy_set本机代理\033[0m"
echo -e " 2 使用\033[32m环境变量\033[0m方式配置(部分应用可能无法使用)" echo -e " 2 使用\033[32m环境变量\033[0m方式配置(部分应用可能无法使用)"
[ -n "$(lsmod | grep ^xt_owner)" ] && echo -e " 3 使用\033[32miptables增强模式\033[0m配置(支持docker)" [ -n "$(lsmod | grep ^xt_owner)" ] && echo -e " 3 使用\033[32miptables增强模式\033[0m配置(支持docker)"
[ -n "$(type nft)" ] && echo -e " 4 使用\033[32mnftables增强模式\033[0m配置(支持docker)" type nft 2> /dev/null && echo -e " 4 使用\033[32mnftables增强模式\033[0m配置(支持docker)"
echo -e " 0 返回上级菜单" echo -e " 0 返回上级菜单"
echo ----------------------------------------------- echo -----------------------------------------------
read -p "请输入对应数字 > " num read -p "请输入对应数字 > " num
@@ -566,26 +568,23 @@ localproxy(){
setconfig local_type $local_type setconfig local_type $local_type
localproxy localproxy
elif [ "$num" = 3 ]; then elif [ "$num" = 3 ]; then
if [ -w /etc/systemd/system/clash.service -o -w /usr/lib/systemd/system/clash.service -o -x /bin/su ];then if [ -n "$local_enh" ];then
local_type="iptables增强模式"
setconfig local_type $local_type
elif [ -f /etc/rc.common -a -w /etc/passwd ]; then
local_type="iptables增强模式" local_type="iptables增强模式"
setconfig local_type $local_type setconfig local_type $local_type
else else
echo -e "\033[31m当前设备无法使用iptables增强模式\033[0m" echo -e "\033[31m当前设备无法使用iptables增强模式\033[0m"
sleep 1
fi fi
sleep 1
localproxy localproxy
elif [ "$num" = 4 ]; then elif [ "$num" = 4 ]; then
if [ -n "$(echo $redir_mod|grep Nft)" ];then if [ -n "$local_enh" ];then
local_type="nftables增强模式" local_type="nftables增强模式"
setconfig local_type $local_type setconfig local_type $local_type
else else
echo -e "\033[31m请先启用任意nftable相关模式!\033[0m" echo -e "\033[31m当前设备无法使用nftables增强模式!\033[0m"
sleep 1
fi fi
sleep 1
localproxy localproxy
else else
errornum errornum
@@ -606,8 +605,8 @@ clashcfg(){
} }
[ -n "$(iptables -j TPROXY 2>&1 | grep 'on-port')" ] && sup_tp=1 [ -n "$(iptables -j TPROXY 2>&1 | grep 'on-port')" ] && sup_tp=1
[ -n "$(lsmod | grep '^tun')" ] && sup_tun=1 [ -n "$(lsmod | grep '^tun')" ] && sup_tun=1
[ -n "$(type nft)" ] && sup_nft=1 type nft 2> /dev/null && sup_nft=1
[ -n "$(type nft)" -a -n "$(lsmod | grep 'nft_tproxy')" ] && sup_nft=2 [ -n "$sup_nft" -a -n "$(lsmod | grep 'nft_tproxy')" ] && sup_nft=2
echo ----------------------------------------------- echo -----------------------------------------------
echo -e "当前代理模式为:\033[47;30m $redir_mod \033[0mClash核心为\033[47;30m $clashcore \033[0m" echo -e "当前代理模式为:\033[47;30m $redir_mod \033[0mClash核心为\033[47;30m $clashcore \033[0m"
echo -e "\033[33m切换模式后需要手动重启clash服务以生效\033[0m" echo -e "\033[33m切换模式后需要手动重启clash服务以生效\033[0m"
@@ -817,7 +816,7 @@ clashcfg(){
elif [ "$num" = 7 ]; then elif [ "$num" = 7 ]; then
echo ----------------------------------------------- echo -----------------------------------------------
if [ "$redir_mod" = "混合模式" -o "$redir_mod" = "Tun模式" -o "$tproxy_mod" = "已开启" ];then if [ -n "$(echo "$redir_mod" | grep -oE '混合|Tproxy|Tun')" ];then
if [ "$quic_rj" = "未开启" ]; then if [ "$quic_rj" = "未开启" ]; then
echo -e "\033[33m已禁止QUCI流量通过clash内核\033[0m" echo -e "\033[33m已禁止QUCI流量通过clash内核\033[0m"
quic_rj=已启用 quic_rj=已启用
@@ -829,6 +828,7 @@ clashcfg(){
else else
echo -e "\033[33m当前模式默认不会代理UDP流量无需设置\033[0m" echo -e "\033[33m当前模式默认不会代理UDP流量无需设置\033[0m"
fi fi
sleep 1
clashcfg clashcfg
elif [ "$num" = 8 ]; then elif [ "$num" = 8 ]; then
@@ -837,10 +837,7 @@ clashcfg(){
fake_ip_filter fake_ip_filter
clashcfg clashcfg
else else
if ! ipset -v >/dev/null 2>&1;then if [ -n "$(ipset -v 2>/dev/null)" -o -n "$(echo $redir_mod | grep Nft)" ];then
echo -e "\033[31m当前设备缺少ipset模块无法启用绕过功能\033[0m"
sleep 1
else
if [ "$cn_ip_route" = "未开启" ]; then if [ "$cn_ip_route" = "未开启" ]; then
echo -e "\033[32m已开启CN_IP绕过内核功能\033[0m" echo -e "\033[32m已开启CN_IP绕过内核功能\033[0m"
cn_ip_route=已开启 cn_ip_route=已开启
@@ -850,6 +847,9 @@ clashcfg(){
cn_ip_route=未开启 cn_ip_route=未开启
fi fi
setconfig cn_ip_route $cn_ip_route setconfig cn_ip_route $cn_ip_route
else
echo -e "\033[31m当前设备缺少ipset模块或未使用Nft模式无法启用绕过功能\033[0m"
sleep 1
fi fi
fi fi
clashcfg clashcfg

41
scripts/getdate.sh
View File

@@ -1097,7 +1097,7 @@ testcommand(){
echo " 1 查看Clash运行时的报错信息(会停止clash服务)" echo " 1 查看Clash运行时的报错信息(会停止clash服务)"
echo " 2 查看系统DNS端口(:53)占用 " echo " 2 查看系统DNS端口(:53)占用 "
echo " 3 测试ssl加密(aes-128-gcm)跑分" echo " 3 测试ssl加密(aes-128-gcm)跑分"
echo " 4 查看iptables端口转发详情" echo " 4 查看clash相关路由规则"
echo " 5 查看config.yaml前40行" echo " 5 查看config.yaml前40行"
echo " 6 测试代理服务器连通性google.tw)" echo " 6 测试代理服务器连通性google.tw)"
echo " 7 重新进入新手引导" echo " 7 重新进入新手引导"
@@ -1129,20 +1129,31 @@ testcommand(){
echo ----------------------------------------------- echo -----------------------------------------------
exit; exit;
elif [ "$num" = 4 ]; then elif [ "$num" = 4 ]; then
echo -----------------------------------------------
iptables -t nat -L PREROUTING --line-numbers if [ -n "$(echo $redir_mod | grep 'Nft')" ];then
echo ----------------------------------------------- nft list table shellclash
iptables -t nat -L clash --line-numbers else
echo ----------------------------------------------- echo -------------------Redir---------------------
iptables -t mangle -L clash --line-numbers iptables -t nat -L PREROUTING --line-numbers
echo ----------------------------------------------- iptables -t nat -L clash_dns --line-numbers
iptables -t nat -L clash_dns --line-numbers iptables -t nat -L clash --line-numbers
echo ----------------------------------------------- [ -n "$(echo $redir_mod | grep 'Tproxy')" ] && {
ip6tables -t nat -L PREROUTING --line-numbers echo -------------------Tproxy--------------------
echo ----------------------------------------------- iptables -t mangle -L PREROUTING --line-numbers
ip6tables -t nat -L clashv6 --line-numbers iptables -t mangle -L clash --line-numbers
echo ----------------------------------------------- }
ip6tables -t nat -L clashv6_dns --line-numbers [ -n "$(ip6tables -t nat -L 2>&1 | grep -o 'Chain')" -a "$ipv6_support" = "已开启" ] && {
echo -------------------Redir---------------------
ip6tables -t nat -L PREROUTING --line-numbers
ip6tables -t nat -L clashv6_dns --line-numbers
ip6tables -t nat -L clashv6 --line-numbers
[ -n "$(echo $redir_mod | grep 'Tproxy')" ] && {
echo -------------------Tproxy--------------------
ip6tables -t mangle -L PREROUTING --line-numbers
ip6tables -t mangle -L clashv6 --line-numbers
}
}
fi
exit; exit;
elif [ "$num" = 5 ]; then elif [ "$num" = 5 ]; then
echo ----------------------------------------------- echo -----------------------------------------------

103
scripts/start.sh
View File

@@ -660,6 +660,8 @@ start_tun(){
#ip6tables -A FORWARD -o utun -j ACCEPT > /dev/null 2>&1 #ip6tables -A FORWARD -o utun -j ACCEPT > /dev/null 2>&1
} }
start_nft(){ start_nft(){
[ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g')
RESERVED_IP="{0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4}"
#设置策略路由 #设置策略路由
ip rule add fwmark 1 table 100 2> /dev/null ip rule add fwmark 1 table 100 2> /dev/null
ip route add local default dev lo table 100 2> /dev/null ip route add local default dev lo table 100 2> /dev/null
@@ -670,49 +672,62 @@ start_nft(){
#初始化nftables #初始化nftables
nft add table shellclash 2> /dev/null nft add table shellclash 2> /dev/null
nft flush table shellclash 2> /dev/null nft flush table shellclash 2> /dev/null
nft add chain shellclash prerouting { type nat hook prerouting priority -100 \; } [ "$redir_mod" = "Nft基础" ] && nft add chain shellclash prerouting { type nat hook prerouting priority -100 \; }
#过滤局域网设备 ether saddr [ "$redir_mod" = "Nft混合" ] && nft add chain shellclash prerouting { type filter hook prerouting priority 0 \; }
[ -n "$(cat $clashdir/mac)" ] && { [ -n "$(echo $redir_mod|grep Nft)" ] && {
MAC=$(awk '{printf "%s, ",$1}' $clashdir/mac) #设置DNS转发
[ "$macfilter_type" = "黑名单" ] && nft add rule shellclash prerouting ether saddr {${MAC}} return nft add chain shellclash dns { type nat hook prerouting priority -100 \; }
[ "$macfilter_type" = "白名单" ] && nft add rule shellclash prerouting ether saddr != {${MAC}} return nft add rule shellclash dns udp dport 53 redirect to ${dns_port}
} nft add rule shellclash dns tcp dport 53 redirect to ${dns_port}
#设置DNS转发 #过滤局域网设备
nft add rule shellclash prerouting udp dport 53 redirect to ${dns_port} [ -n "$(cat $clashdir/mac)" ] && {
nft add rule shellclash prerouting tcp dport 53 redirect to ${dns_port} MAC=$(awk '{printf "%s, ",$1}' $clashdir/mac)
#过滤保留地址 [ "$macfilter_type" = "黑名单" ] && {
RESERVED_IP="{0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4}" nft add rule shellclash dns ether saddr {${MAC}} return
nft add rule shellclash prerouting ip daddr {${RESERVED_IP}} return nft add rule shellclash prerouting ether saddr {${MAC}} return
#过滤CN-IP }
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" -a -f $bindir/cn_ip.txt ] && { [ "$macfilter_type" = "白名单" ] && {
CN_IP=$(awk '{printf "%s, ",$1}' $bindir/cn_ip.txt) nft add rule shellclash dns ether saddr != {${MAC}} return
[ -n "$CN_IP" ] && nft add rule shellclash prerouting ip daddr {${CN_IP}} return nft add rule shellclash prerouting ether saddr != {${MAC}} return
} }
#过滤常用端口 }
[ "$common_ports" = "已开启" ] && { #过滤保留地址
PORTS=$(echo $multiport | sed 's/,/, /g') nft add rule shellclash prerouting ip daddr {${RESERVED_IP}} return
nft add rule shellclash prerouting tcp dport != {${PORTS}} return #过滤CN-IP
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" -a -f $bindir/cn_ip.txt ] && {
CN_IP=$(awk '{printf "%s, ",$1}' $bindir/cn_ip.txt)
[ -n "$CN_IP" ] && nft add rule shellclash prerouting ip daddr {${CN_IP}} return
}
#过滤常用端口
[ -n "$PORTS" ] && nft add rule shellclash prerouting tcp dport != {${PORTS}} return
#透明路由
[ "$redir_mod" = "Nft基础" ] && nft add rule shellclash prerouting meta l4proto tcp mark set 1 redirect to ${redir_port}
[ "$redir_mod" = "Nft混合" ] && nft add rule shellclash prerouting meta l4proto {tcp, udp} mark set 1 tproxy to 127.0.0.1:${tproxy_port}
} }
#屏蔽QUIC #屏蔽QUIC
[ "$quic_rj" = 已启用 ] && { [ "$quic_rj" = 已启用 ] && {
nft add chain shellclash input { type filter hook input priority 0 \; } nft add chain shellclash input { type filter hook input priority 0 \; }
nft add rule shellclash input udp dport 443 reject comment "ShellClash QUIC REJECT" nft add rule shellclash input udp dport 443 reject comment 'ShellClash-QUIC-REJECT'
} }
#代理局域网设备
if [ "$redir_mod" = "Nft混合" ];then
nft add chain shellclash prerouting { type filter hook prerouting priority 0 \; }
nft add rule shellclash prerouting meta l4proto {tcp, udp} mark set 1 tproxy to 127.0.0.1:${tproxy_port}
else
nft add rule shellclash prerouting meta l4proto tcp mark set 1 redirect to ${redir_port}
fi
#代理本机 #代理本机
[ "$local_proxy" = "已开启" ] && [ "$local_type" = "nftables增强模式" ] && { [ "$local_proxy" = "已开启" ] && [ "$local_type" = "nftables增强模式" ] && {
nft add chain shellclash output { type route hook output priority 0 \; } #dns
nft add rule shellclash output meta skgid 7890 return nft add chain shellclash dns_out { type nat hook output priority -100 \; }
#[ "$common_ports" = "已开启" ] && nft add rule shellclash output tcp dport != {${PORTS}} return nft add rule shellclash dns_out meta skgid 7890 return && {
#nft add rule shellclash output ip daddr {${RESERVED_IP}} return nft add rule shellclash dns_out udp dport 53 redirect to ${dns_port}
nft add rule shellclash output meta l4proto udp dport 53 mark set 1 redirect to ${dns_port} }
nft add rule shellclash output meta l4proto tcp mark set 1 #output
nft add chain shellclash output { type nat hook output priority -100 \; }
nft add rule shellclash output meta skgid 7890 return && {
[ -n "$PORTS" ] && nft add rule shellclash output tcp dport != {${PORTS}} return
nft add rule shellclash output ip daddr {${RESERVED_IP}} return
nft add rule shellclash output meta l4proto tcp mark set 1 redirect to ${redir_port}
}
#Docker
type docker &>/dev/null && {
ip rule add fwmark 1 table 102 2> /dev/null
ip route add local 172.16.0.0/12 dev lo table 102 2> /dev/null
}
} }
} }
start_wan(){ start_wan(){
@@ -811,6 +826,8 @@ stop_firewall(){
ip route del local default dev lo table 100 2> /dev/null ip route del local default dev lo table 100 2> /dev/null
ip -6 rule del fwmark 1 table 101 2> /dev/null ip -6 rule del fwmark 1 table 101 2> /dev/null
ip -6 route del local ::/0 dev lo table 101 2> /dev/null ip -6 route del local ::/0 dev lo table 101 2> /dev/null
ip rule del fwmark 1 table 102 2> /dev/null
ip route del local 172.16.0.0/12 dev lo table 102 2> /dev/null
#重置nftables相关规则 #重置nftables相关规则
type nft >/dev/null 2>&1 && { type nft >/dev/null 2>&1 && {
nft flush table shellclash >/dev/null 2>&1 nft flush table shellclash >/dev/null 2>&1
@@ -989,7 +1006,7 @@ afstart(){
getconfig getconfig
$bindir/clash -t -d $bindir >/dev/null $bindir/clash -t -d $bindir >/dev/null
if [ "$?" = 0 ];then if [ "$?" = 0 ];then
#设置iptables转发规则 #设置DNS转发
start_dns(){ start_dns(){
[ "$dns_mod" = "redir_host" ] && [ "$cn_ip_route" = "已开启" ] && cn_ip_route [ "$dns_mod" = "redir_host" ] && [ "$cn_ip_route" = "已开启" ] && cn_ip_route
if [ "$dns_no" != "已禁用" ];then if [ "$dns_no" != "已禁用" ];then
@@ -1006,19 +1023,21 @@ afstart(){
fi fi
fi fi
} }
#设置路由规则
[ "$redir_mod" = "Redir模式" ] && start_dns && start_redir [ "$redir_mod" = "Redir模式" ] && start_dns && start_redir
[ "$redir_mod" = "混合模式" ] && start_dns && start_redir && start_tun [ "$redir_mod" = "混合模式" ] && start_dns && start_redir && start_tun
[ "$redir_mod" = "Tproxy混合" ] && start_dns && start_redir && start_tproxy udp [ "$redir_mod" = "Tproxy混合" ] && start_dns && start_redir && start_tproxy udp
[ "$redir_mod" = "Tun模式" ] && start_dns && start_tun [ "$redir_mod" = "Tun模式" ] && start_dns && start_tun
[ "$redir_mod" = "Tproxy模式" ] && start_dns && start_tproxy all [ "$redir_mod" = "Tproxy模式" ] && start_dns && start_tproxy all
[ "$redir_mod" = "Nft基础" ] && start_nft 'tcp' [ "$redir_mod" = "Nft基础" ] && start_nft
[ "$redir_mod" = "Nft混合" ] && start_nft '{tcp, udp}' [ "$redir_mod" = "Nft混合" ] && start_nft
#设置本机代理
[ "$local_proxy" = "已开启" ] && [ "$local_type" = "环境变量" ] && $0 set_proxy $mix_port $db_port
[ "$local_proxy" = "已开启" ] && [ "$local_type" = "iptables增强模式" ] && start_output [ "$local_proxy" = "已开启" ] && [ "$local_type" = "iptables增强模式" ] && start_output
[ "$local_proxy" = "已开启" ] && [ "$local_type" = "nftables增强模式" ] && [ "$redir_mod" = "纯净模式" ] && start_nft
type iptables >/dev/null 2>&1 && start_wan type iptables >/dev/null 2>&1 && start_wan
#标记启动时间 #标记启动时间
mark_time mark_time
#设置本机代理
[ "$local_proxy" = "已开启" ] && $0 set_proxy $mix_port $db_port
#加载定时任务 #加载定时任务
[ -f $clashdir/cron ] && croncmd $clashdir/cron [ -f $clashdir/cron ] && croncmd $clashdir/cron
#启用面板配置自动保存 #启用面板配置自动保存