From 18a829c1011efa33660450d560fffbd04afb0ea5 Mon Sep 17 00:00:00 2001 From: juewuy Date: Mon, 22 Dec 2025 19:30:29 +0800 Subject: [PATCH] =?UTF-8?q?~=E7=BB=A7=E7=BB=AD=E6=8B=86=E5=88=86=E8=84=9A?= =?UTF-8?q?=E6=9C=AC=20~=E9=87=8D=E5=86=99=E5=85=AC=E7=BD=91=E9=98=B2?= =?UTF-8?q?=E7=81=AB=E5=A2=99=E5=8A=9F=E8=83=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- scripts/libs/set_config.sh | 2 +- scripts/menu.sh | 14 +- scripts/menus/{settings.sh => 2-settings.sh} | 31 +- scripts/menus/{setboot.sh => 4-setboot.sh} | 0 scripts/menus/{task.sh => 5-task.sh} | 0 .../{core_config.sh => 6-core_config.sh} | 0 scripts/menus/{gateway.sh => 7-gateway.sh} | 84 ++- scripts/menus/{tools.sh => 8-tools.sh} | 354 ++++----- scripts/menus/{upgrade.sh => 9-upgrade.sh} | 0 scripts/menus/ddns_op.sh | 178 ----- scripts/menus/dns.sh | 1 - scripts/start.sh | 678 +----------------- scripts/starts/fw_iptables.sh | 277 +++++++ scripts/starts/fw_nftables.sh | 208 ++++++ scripts/starts/fw_start.sh | 42 ++ scripts/starts/fw_stop.sh | 130 ++++ 16 files changed, 902 insertions(+), 1097 deletions(-) rename scripts/menus/{settings.sh => 2-settings.sh} (97%) rename scripts/menus/{setboot.sh => 4-setboot.sh} (100%) rename scripts/menus/{task.sh => 5-task.sh} (100%) rename scripts/menus/{core_config.sh => 6-core_config.sh} (100%) rename scripts/menus/{gateway.sh => 7-gateway.sh} (85%) rename scripts/menus/{tools.sh => 8-tools.sh} (100%) rename scripts/menus/{upgrade.sh => 9-upgrade.sh} (100%) delete mode 100644 scripts/menus/ddns_op.sh create mode 100644 scripts/starts/fw_iptables.sh create mode 100644 scripts/starts/fw_nftables.sh create mode 100644 scripts/starts/fw_start.sh create mode 100644 scripts/starts/fw_stop.sh diff --git a/scripts/libs/set_config.sh b/scripts/libs/set_config.sh index bdb069da..c0e0d82f 100644 --- a/scripts/libs/set_config.sh +++ b/scripts/libs/set_config.sh 
@@ -2,7 +2,7 @@ setconfig() {
 [ -z "$3" ] && configpath="$CRASHDIR"/configs/ShellCrash.cfg || configpath="${3}"
 if grep -q "^${1}=" "$configpath"; then
- sed -i "s#^${1}=.*#^${1}=${2}#g" "$configpath"
+ sed -i "s#^${1}=.*#${1}=${2}#g" "$configpath"
 else
 printf '%s=%s\n' "$1" "$2" >>"$configpath"
 fi
diff --git a/scripts/menu.sh b/scripts/menu.sh
index 3becad57..610c80ce 100644
--- a/scripts/menu.sh
+++ b/scripts/menu.sh
@@ -331,7 +331,7 @@ main_menu() {
 ;;
 2)
 checkcfg=$(cat "$CFG_PATH")
- . "$CRASHDIR"/menus/settings.sh && settings
+ . "$CRASHDIR"/menus/2-settings.sh && settings
 if [ -n "$PID" ]; then
 checkcfg_new=$(cat "$CFG_PATH")
 [ "$checkcfg" != "$checkcfg_new" ] && checkrestart
@@ -346,22 +346,22 @@ main_menu() {
 main_menu
 ;;
 4)
- . "$CRASHDIR"/menus/setboot.sh && setboot
+ . "$CRASHDIR"/menus/4-setboot.sh && setboot
 main_menu
 ;;
 5)
- . "$CRASHDIR"/menus/task.sh && task_menu
+ . "$CRASHDIR"/menus/5-task.sh && task_menu
 main_menu
 ;;
 6)
- . "$CRASHDIR"/menus/core_config.sh && set_core_config
+ . "$CRASHDIR"/menus/6-core_config.sh && set_core_config
 main_menu
 ;;
 7)
 GT_CFG_PATH="$CRASHDIR"/configs/gateway.cfg
 touch "$GT_CFG_PATH"
 checkcfg=$(cat $GT_CFG_PATH)
- . "$CRASHDIR"/menus/gateway.sh && gateway
+ . "$CRASHDIR"/menus/7-gateway.sh && gateway
 if [ -n "$PID" ]; then
 checkcfg_new=$(cat $GT_CFG_PATH)
 [ "$checkcfg" != "$checkcfg_new" ] && checkrestart
@@ -369,12 +369,12 @@ main_menu() {
 main_menu
 ;;
 8)
- . "$CRASHDIR"/menus/tools.sh && tools
+ . "$CRASHDIR"/menus/8-tools.sh && tools
 main_menu
 ;;
 9)
 checkcfg=$(cat "$CFG_PATH")
- . "$CRASHDIR"/menus/upgrade.sh && upgrade
+ . "$CRASHDIR"/menus/9-upgrade.sh && upgrade
 if [ -n "$PID" ]; then
 checkcfg_new=$(cat "$CFG_PATH")
 [ "$checkcfg" != "$checkcfg_new" ] && checkrestart
diff --git a/scripts/menus/settings.sh b/scripts/menus/2-settings.sh
similarity index 97%
rename from scripts/menus/settings.sh
rename to scripts/menus/2-settings.sh
index 7f83ca33..5b9fe0c8 100644
--- a/scripts/menus/settings.sh
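Review bot: The replacement side of the sed on the `+` line still interpolates `${2}` raw, so a value containing `#` (the delimiter), `&` or a backslash either breaks the sed expression or writes something other than what was passed, and `${1}` is likewise used as an unescaped regex in the pattern. This helper now persists user-entered data such as the `authentication` password and `fw_wan_ports`, so escape the value first: `val=$(printf '%s' "$2" | sed 's/[\\&#]/\\&/g')` and then `sed -i "s#^${1}=.*#${1}=${val}#" "$configpath"`; the `g` flag is redundant with the `^` anchor. The function's opening line is outside the hunk.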
+++ b/scripts/menus/2-settings.sh @@ -9,9 +9,9 @@ settings() { #功能设置 echo "-----------------------------------------------" echo -e "\033[30;47m欢迎使用功能设置菜单:\033[0m" echo "-----------------------------------------------" - echo -e " 1 设置代理模式: \033[36m$redir_mod\033[0m" - echo -e " 2 设置DNS模式: \033[36m$dns_mod\033[0m" - echo -e " 3 设置各类流量过滤" + echo -e " 1 代理模式设置: \033[36m$redir_mod\033[0m" + echo -e " 2 DNS设置: \033[36m$dns_mod\033[0m" + echo -e " 3 透明路由流量过滤" [ "$disoverride" != "1" ] && { echo -e " 4 跳过证书验证: \033[36m$skip_cert\033[0m" echo -e " 5 启用域名嗅探: \033[36m$sniffer\033[0m" @@ -224,13 +224,12 @@ set_redir_mod() { #代理模式设置 set_redir_mod ;; 5) - redir_mod=TCP旁路转发 + redir_mod='TCP旁路转发' set_redir_config set_redir_mod ;; 6) - redir_mod=T & - U旁路转发 + redir_mod='T&U旁路转发' set_redir_config set_redir_mod ;; @@ -915,17 +914,13 @@ set_firewall_vm(){ esac setconfig vm_redir $vm_redir setconfig vm_ipv4 "'$vm_ipv4'" - sleep 1 - set_redir_mod } set_ipv6() { #ipv6设置 [ -z "$ipv6_redir" ] && ipv6_redir=未开启 [ -z "$ipv6_dns" ] && ipv6_dns=已开启 - [ -z "$cn_ipv6_route" ] && cn_ipv6_route=未开启 echo "-----------------------------------------------" echo -e " 1 ipv6透明代理: \033[36m$ipv6_redir\033[0m ——代理ipv6流量" [ "$disoverride" != "1" ] && echo -e " 2 ipv6-DNS解析: \033[36m$ipv6_dns\033[0m ——决定内置DNS是否返回ipv6地址" - echo -e " 3 CNV6绕过内核: \033[36m$cn_ipv6_route\033[0m ——优化性能,不兼容fake-ip" echo -e " 0 返回上级菜单" echo "-----------------------------------------------" read -p "请输入对应数字 > " num 
@@ -948,22 +943,6 @@ set_ipv6() { #ipv6设置 setconfig ipv6_dns $ipv6_dns set_ipv6 ;; - 3) - if [ "$ipv6_redir" = "未开启" ]; then - ipv6_support=已开启 - ipv6_redir=已开启 - setconfig ipv6_redir $ipv6_redir - setconfig ipv6_support $ipv6_support - fi - if [ -n "$(ipset -v 2>/dev/null)" ] || [ "$firewall_mod" = nftables ]; then - [ "$cn_ipv6_route" = "未开启" ] && cn_ipv6_route=已开启 || cn_ipv6_route=未开启 - setconfig cn_ipv6_route $cn_ipv6_route - else - echo -e "\033[31m当前设备缺少ipset模块或防火墙未使用nftables,无法启用绕过功能!!\033[0m" - sleep 1 - fi - set_ipv6 - ;; *) errornum ;; diff --git a/scripts/menus/setboot.sh b/scripts/menus/4-setboot.sh similarity index 100% rename from scripts/menus/setboot.sh rename to scripts/menus/4-setboot.sh diff --git a/scripts/menus/task.sh b/scripts/menus/5-task.sh similarity index 100% rename from scripts/menus/task.sh rename to scripts/menus/5-task.sh diff --git a/scripts/menus/core_config.sh b/scripts/menus/6-core_config.sh similarity index 100% rename from scripts/menus/core_config.sh rename to scripts/menus/6-core_config.sh diff --git a/scripts/menus/gateway.sh b/scripts/menus/7-gateway.sh similarity index 85% rename from scripts/menus/gateway.sh rename to scripts/menus/7-gateway.sh index 9aa583a0..a0c5c25b 100644 --- a/scripts/menus/gateway.sh +++ b/scripts/menus/7-gateway.sh @@ -1,6 +1,7 @@ #!/bin/sh # Copyright (C) Juewuy . "$GT_CFG_PATH" +. "$CRASHDIR"/menus/check_port.sh gateway(){ #访问与控制主菜单 echo ----------------------------------------------- @@ -15,13 +16,13 @@ gateway(){ #访问与控制主菜单 echo -e " 6 配置\033[36mTailscale内网穿透\033[0m(限Singbox) \033[32m$ts_service\033[0m" echo -e " 7 配置\033[36mWireguard客户端\033[0m(限Singbox) \033[32m$wg_service\033[0m" } - echo -e " 0 返回上级菜单 \033[0m" + echo -e " 0 返回上级菜单" echo ----------------------------------------------- read -p "请输入对应数字 > " num case "$num" in 0) ;; 1) - set_pub_fw + set_fw_wan gateway ;; 2) 
@@ -61,43 +62,58 @@ gateway(){ #访问与控制主菜单 *) errornum ;; esac } -set_pub_fw() { #公网防火墙设置 - [ -z "$public_support" ] && public_support=未开启 - [ -z "$public_mixport" ] && public_mixport=未开启 +set_fw_wan() { #公网防火墙设置 + [ -z "$fw_wan" ] && fw_wan=ON echo ----------------------------------------------- - echo -e " 1 公网访问Dashboard面板: \033[36m$public_support\033[0m" - echo -e " 2 公网访问Socks/Http代理: \033[36m$public_mixport\033[0m" + echo -e "\033[31m注意:\033[0m如在vps运行,还需在vps安全策略对相关端口同时放行" + [ -n "$fw_wan_ports" ] && + echo -e "当前放行端口:\033[36m$fw_wan_ports\033[0m" + echo -e "默认拦截端口:\033[33m$dns_port,$mix_port,$db_port\033[0m" + echo ----------------------------------------------- + echo -e " 1 启用/关闭公网防火墙: \033[36m$fw_wan\033[0m" + echo -e " 2 添加放行端口(可包含默认拦截端口)" + echo -e " 3 移除指定放行端口" + echo -e " 0 返回上级菜单" echo ----------------------------------------------- read -p "请输入对应数字 > " num case $num in 1) - if [ "$public_support" = "未开启" ]; then - public_support=已开启 - else - public_support=未开启 - fi - setconfig public_support $public_support - setfirewall - ;; + [ "$fw_wan" = ON ] && fw_wan=OFF || fw_wan=ON + setconfig ts_service "$ts_service" + set_fw_wan + ;; 2) - if [ "$public_mixport" = "未开启" ]; then - if [ "$mix_port" = "7890" -o -z "$authentication" ]; then - echo ----------------------------------------------- - echo -e "\033[33m为了安全考虑,请先修改默认Socks/Http端口并设置代理密码\033[0m" - sleep 1 - setport + port_count=$(echo "$fw_wan_ports" | awk -F',' '{print NF}' ) + if [ "$port_count" -ge 10 ];then + echo -e "\033[31m最多支持设置放行10个端口,请先减少一些!\033[0m" + else + read -p "请输入要放行的端口号 > " port + if echo ",$fw_wan_ports," | grep -q ",$port,";then + echo -e "\033[31m输入错误!请勿重复添加!\033[0m" + elif [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then + echo -e "\033[31m输入错误!请输入正确的数值(1-65535)!\033[0m" else - public_mixport=已开启 + fw_wan_ports=$(echo "$fw_wan_ports,$port" | sed "s/^,//") + setconfig fw_wan_ports "$fw_wan_ports" + fi + fi + sleep 1 + set_fw_wan + ;; + 3) + read -p "请输入要移除的端口号 > " port + if echo 
",$fw_wan_ports," | grep -q ",$port,";then + if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then + echo -e "\033[31m输入错误!请输入正确的数值(1-65535)!\033[0m" + else + fw_wan_ports=$(echo ",$fw_wan_ports," | sed "s/,$port//; s/^,//; s/,$//") + setconfig fw_wan_ports "$fw_wan_ports" fi else - public_mixport=未开启 + echo -e "\033[31m输入错误!请输入已添加过的端口!\033[0m" fi - setconfig public_mixport $public_mixport - setfirewall - ;; - 3) - set_cust_host_ipv4 - setfirewall + sleep 1 + set_fw_wan ;; *) errornum @@ -192,7 +208,7 @@ set_bot_tg(){ } set_vmess(){ echo ----------------------------------------------- - echo -e "\033[31m注意:\033[0m启动内核服务后会自动开放相应端口公网访问,请谨慎使用!\n 脚本只提供基础功能,更多需求请使用自定义配置文件功能!" + echo -e "\033[31m注意:\033[0m设置的端口会添加到公网访问防火墙并自动放行!\n 脚本只提供基础功能,更多需求请用自定义配置文件功能!" echo ----------------------------------------------- echo -e " 1 \033[32m启用/关闭\033[0mVmess入站 \033[32m$vms_service\033[0m" echo ----------------------------------------------- @@ -218,10 +234,11 @@ set_vmess(){ 2) read -p "请输入端口号(输入0删除) > " text [ "$text" = 0 ] && unset vms_port - . "$CRASHDIR"/menus/check_port.sh if check_port "$text"; then vms_port="$text" setconfig vms_port "$text" "$CFG" + fw_wan_ports=$(echo "$fw_wan_ports,$vms_port" | sed "s/^,//") + setconfig fw_wan_ports "$fw_wan_ports" else sleep 1 fi @@ -263,7 +280,7 @@ set_vmess(){ set_shadowsocks(){ [ -z "$sss_cipher" ] && sss_cipher='xchacha20-ietf-poly1305' echo ----------------------------------------------- - echo -e "\033[31m注意:\033[0m启动内核服务后会自动开放相应端口公网访问,请谨慎使用!\n 脚本只提供基础功能,更多需求请使用自定义配置文件功能!" + echo -e "\033[31m注意:\033[0m设置的端口会添加到公网访问防火墙并自动放行!\n 脚本只提供基础功能,更多需求请用自定义配置文件功能!" echo ----------------------------------------------- echo -e " 1 \033[32m启用/关闭\033[0mShadowSocks入站 \033[32m$sss_service\033[0m" echo ----------------------------------------------- 
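Review bot: Option 1 of set_fw_wan toggles `fw_wan` but then persists the wrong key, `setconfig ts_service "$ts_service"`, so the enable/disable choice is never written to the config and the state shown in the menu will not survive a restart; it should be `setconfig fw_wan "$fw_wan"`. Option 3 removes a port with `s/,$port//`, which matches a prefix: removing `80` from `8080,80` turns `,8080,80,` into `80,80` and leaves the wrong port open; anchor both sides, `s/,$port,/,/`. Neither option checks that the input is numeric before `-lt`/`-gt` even though check_port.sh is now sourced at the top of the file, so a non-numeric entry produces a shell error rather than the intended message, and an empty entry with an empty list is reported as a duplicate because `,,` matches itself.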
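Review bot: Changing or deleting the Vmess port never removes the previous value from `fw_wan_ports`: the new lines only append `$vms_port`, and `text=0` unsets `vms_port` without touching the allow-list, so a port that is no longer served stays permitted on the WAN side unless fw_start.sh re-derives the list, which is outside this hunk. The append also bypasses the duplicate check and the 10-port cap that set_fw_wan enforces. Capture the old port before the unset, drop it from the list, and add the new one only if absent.
```shell
read -p "请输入端口号(输入0删除) > " text
old_port=$vms_port
if [ "$text" = 0 ] || check_port "$text"; then
    # drop the previous port from the WAN allow-list before (re)adding
    [ -n "$old_port" ] && fw_wan_ports=$(echo ",$fw_wan_ports," | sed "s/,$old_port,/,/; s/^,//; s/,$//")
    if [ "$text" = 0 ]; then
        unset vms_port
    else
        vms_port="$text"
        setconfig vms_port "$text" "$CFG"
        echo ",$fw_wan_ports," | grep -q ",$vms_port," || fw_wan_ports=$(echo "$fw_wan_ports,$vms_port" | sed "s/^,//")
    fi
    setconfig fw_wan_ports "$fw_wan_ports"
else
    # … unchanged: sleep 1 …
```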
@@ -288,10 +305,11 @@ set_shadowsocks(){ 2) read -p "请输入端口号(输入0删除) > " text [ "$text" = 0 ] && unset sss_port - . "$CRASHDIR"/menus/check_port.sh if check_port "$text"; then sss_port="$text" setconfig sss_port "$text" "$CFG" + fw_wan_ports=$(echo "$fw_wan_ports,$sss_port" | sed "s/^,//") + setconfig fw_wan_ports "$fw_wan_ports" else sleep 1 fi diff --git a/scripts/menus/tools.sh b/scripts/menus/8-tools.sh similarity index 100% rename from scripts/menus/tools.sh rename to scripts/menus/8-tools.sh index 4a392f01..a52faa95 100644 --- a/scripts/menus/tools.sh +++ b/scripts/menus/8-tools.sh 
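Review bot: The Shadowsocks port hunk has the same gap as the Vmess one above it: `fw_wan_ports` is only ever appended to, so a changed or deleted `sss_port` leaves the old port in the WAN allow-list, and the append skips the duplicate and 10-port checks that set_fw_wan performs. Since check_port.sh is now sourced for the whole file, a shared helper there (remove old port, add new port if absent, persist) called from both inbounds would keep the two paths from drifting. The enclosing case arm is fully visible, but set_shadowsocks itself begins in the previous hunk.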
@@ -518,183 +518,6 @@ log_pusher() { *) errornum ;; esac } -#新手引导 -userguide(){ - - forwhat(){ - echo "-----------------------------------------------" - echo -e "\033[30;46m 欢迎使用ShellCrash新手引导! \033[0m" - echo "-----------------------------------------------" - echo -e "\033[33m请先选择你的使用环境: \033[0m" - echo -e "\033[0m(你之后依然可以在设置中更改各种配置)\033[0m" - echo "-----------------------------------------------" - echo -e " 1 \033[32m路由设备配置局域网透明代理\033[0m" - echo -e " 2 \033[36mLinux设备仅配置本机代理\033[0m" - [ -f "$CFG_PATH.bak" ] && echo -e " 3 \033[33m还原之前备份的设置\033[0m" - echo "-----------------------------------------------" - read -p "请输入对应数字 > " num - case "$num" in - 1) - #设置运行模式 - redir_mod="混合模式" - [ -n "$(echo $cputype | grep -E "linux.*mips.*")" ] && { - if grep -qE '^TPROXY$' /proc/net/ip_tables_targets || modprobe xt_TPROXY >/dev/null 2>&1; then - redir_mod="Tproxy模式" - else - redir_mod="Redir模式" - fi - } - setconfig crashcore "meta" - setconfig redir_mod "$redir_mod" - setconfig dns_mod mix - setconfig firewall_area '1' - #默认启用绕过CN-IP - setconfig cn_ip_route 已开启 - #自动识别IPV6 - [ -n "$(ip a 2>&1 | grep -w 'inet6' | grep -E 'global' | sed 's/.*inet6.//g' | sed 's/scope.*$//g')" ] && { - setconfig ipv6_redir 已开启 - setconfig ipv6_support 已开启 - setconfig ipv6_dns 已开启 - setconfig cn_ipv6_route 已开启 - } - #设置开机启动 - [ -f /etc/rc.common -a "$(cat /proc/1/comm)" = "procd" ] && /etc/init.d/shellcrash enable - ckcmd systemctl && [ "$(cat /proc/1/comm)" = "systemd" ] && systemctl enable shellcrash.service > /dev/null 2>&1 - rm -rf "$CRASHDIR"/.dis_startup - autostart=enable - #检测IP转发 - if [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "0" ];then - echo "-----------------------------------------------" - echo -e "\033[33m检测到你的设备尚未开启ip转发,局域网设备将无法正常连接网络,是否立即开启?\033[0m" - read -p "是否开启?(1/0) > " res - [ "$res" = 1 ] && { - echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf - sysctl -w net.ipv4.ip_forward=1 - } && echo "已成功开启ipv4转发,如未正常开启,请手动重启设备!" || echo "开启失败!请自行谷歌查找当前设备的开启方法!" 
- fi - #禁止docker启用的net.bridge.bridge-nf-call-iptables - sysctl -w net.bridge.bridge-nf-call-iptables=0 > /dev/null 2>&1 - sysctl -w net.bridge.bridge-nf-call-ip6tables=0 > /dev/null 2>&1 - ;; - 2) - setconfig redir_mod "Redir模式" - [ -n "$(echo $cputype | grep -E "linux.*mips.*")" ] && setconfig crashcore "clash" - setconfig common_ports "未开启" - setconfig firewall_area '2' - ;; - 3) - mv -f $CFG_PATH.bak $CFG_PATH - echo -e "\033[32m脚本设置已还原!\033[0m" - echo -e "\033[33m请重新启动脚本!\033[0m" - exit 0 - ;; - *) - errornum - forwhat - ;; - esac - } - forwhat - #检测小内存模式 - dir_size=$(dir_avail "$CRASHDIR") - if [ "$dir_size" -lt 10240 ];then - echo "-----------------------------------------------" - echo -e "\033[33m检测到你的安装目录空间不足10M,是否开启小闪存模式?\033[0m" - echo -e "\033[0m开启后核心及数据库文件将被下载到内存中,这将占用一部分内存空间\033[0m" - echo -e "\033[0m每次开机后首次运行服务时都会自动的重新下载相关文件\033[0m" - echo "-----------------------------------------------" - read -p "是否开启?(1/0) > " res - [ "$res" = 1 ] && { - BINDIR=/tmp/ShellCrash - setconfig BINDIR /tmp/ShellCrash "$CRASHDIR"/configs/command.env - } - fi - #检测及下载根证书 - openssldir="$(openssl version -d 2>&1 | awk -F '"' '{print $2}')" - [ ! -d "$openssldir/certs" ] && openssldir=/etc/ssl - if [ -d $openssldir/certs -a ! 
-f $openssldir/certs/ca-certificates.crt ];then - echo "-----------------------------------------------" - echo -e "\033[33m当前设备未找到根证书文件\033[0m" - echo "-----------------------------------------------" - read -p "是否下载并安装根证书?(1/0) > " res - [ "$res" = 1 ] && checkupdate && getcrt - fi - #设置加密DNS - if [ -s $openssldir/certs/ca-certificates.crt ];then - dns_nameserver='https://dns.alidns.com/dns-query, https://doh.pub/dns-query' - dns_fallback='https://cloudflare-dns.com/dns-query, https://dns.google/dns-query, https://doh.opendns.com/dns-query' - dns_resolver='https://223.5.5.5/dns-query, 2400:3200::1' - setconfig dns_nameserver "'$dns_nameserver'" - setconfig dns_fallback "'$dns_fallback'" - setconfig dns_resolver "'$dns_resolver'" - fi - #开启公网访问 - sethost(){ - read -p "请输入你的公网IP地址 > " host - echo $host | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' - if [ -z "$host" ];then - echo -e "\033[31m请输入正确的IP地址!\033[0m" - sethost - fi - } - if ckcmd systemctl;then - echo "-----------------------------------------------" - echo -e "\033[32m是否开启公网访问Dashboard面板及socks服务?\033[0m" - echo -e "注意当前设备必须有公网IP才能从公网正常访问" - echo -e "\033[31m此功能会增加暴露风险请谨慎使用!\033[0m" - echo -e "vps设备可能还需要额外在服务商后台开启相关端口" - read -p "现在开启?(1/0) > " res - if [ "$res" = 1 ];then - read -p "请先设置面板访问秘钥 > " secret - read -p "请先修改Socks服务端口(1-65535) > " mix_port - read -p "请先设置Socks服务密码(账号默认为crash) > " sec - [ -z "$sec" ] && authentication=crash:$sec - host=$(curl ip.sb 2>/dev/null | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') - if [ -z "$host" ];then - sethost - fi - public_support=已开启 - setconfig secret $secret - setconfig mix_port $mix_port - setconfig host $host - setconfig public_support $public_support - setconfig authentication "'$authentication'" - fi - fi - #启用推荐的自动任务配置 - . 
"$CRASHDIR"/task/task.sh && task_recom - #小米设备软固化 - if [ "$systype" = "mi_snapshot" ];then - echo "-----------------------------------------------" - echo -e "\033[33m检测到为小米路由设备,启用软固化可防止路由升级后丢失SSH\033[0m" - read -p "是否启用软固化功能?(1/0) > " res - [ "$res" = 1 ] && mi_autoSSH - fi - #提示导入订阅或者配置文件 - [ ! -s "$CRASHDIR"/yamls/config.yaml -a ! -s "$CRASHDIR"/jsons/config.json ] && { - echo "-----------------------------------------------" - echo -e "\033[32m是否导入配置文件?\033[0m(这是运行前的最后一步)" - echo -e "\033[0m你必须拥有一份配置文件才能运行服务!\033[0m" - echo "-----------------------------------------------" - read -p "现在开始导入?(1/0) > " res - [ "$res" = 1 ] && inuserguide=1 && { - if [ -f "$CRASHDIR"/v2b_api.sh ];then - . "$CRASHDIR"/v2b_api.sh - else - set_core_config - fi - set_core_config - inuserguide="" - } - } - #回到主界面 - echo "-----------------------------------------------" - echo -e "\033[36m很好!现在只需要执行启动就可以愉快的使用了!\033[0m" - echo "-----------------------------------------------" - read -p "立即启动服务?(1/0) > " res - [ "$res" = 1 ] && start_core && sleep 2 - main_menu -} #测试菜单 testcommand(){ echo "$crashcore" | grep -q 'singbox' && config_path=${JSONSDIR}/config.json || config_path=${YAMLSDIR}/config.yaml 
@@ -882,3 +705,180 @@ debug(){ esac } +#新手引导 +userguide(){ + + forwhat(){ + echo "-----------------------------------------------" + echo -e "\033[30;46m 欢迎使用ShellCrash新手引导! \033[0m" + echo "-----------------------------------------------" + echo -e "\033[33m请先选择你的使用环境: \033[0m" + echo -e "\033[0m(你之后依然可以在设置中更改各种配置)\033[0m" + echo "-----------------------------------------------" + echo -e " 1 \033[32m路由设备配置局域网透明代理\033[0m" + echo -e " 2 \033[36mLinux设备仅配置本机代理\033[0m" + [ -f "$CFG_PATH.bak" ] && echo -e " 3 \033[33m还原之前备份的设置\033[0m" + echo "-----------------------------------------------" + read -p "请输入对应数字 > " num + case "$num" in + 1) + #设置运行模式 + redir_mod="混合模式" + [ -n "$(echo $cputype | grep -E "linux.*mips.*")" ] && { + if grep -qE '^TPROXY$' /proc/net/ip_tables_targets || modprobe xt_TPROXY >/dev/null 2>&1; then + redir_mod="Tproxy模式" + else + redir_mod="Redir模式" + fi + } + setconfig crashcore "meta" + setconfig redir_mod "$redir_mod" + setconfig dns_mod mix + setconfig firewall_area '1' + #默认启用绕过CN-IP + setconfig cn_ip_route 已开启 + #自动识别IPV6 + [ -n "$(ip a 2>&1 | grep -w 'inet6' | grep -E 'global' | sed 's/.*inet6.//g' | sed 's/scope.*$//g')" ] && { + setconfig ipv6_redir 已开启 + setconfig ipv6_support 已开启 + setconfig ipv6_dns 已开启 + setconfig cn_ipv6_route 已开启 + } + #设置开机启动 + [ -f /etc/rc.common -a "$(cat /proc/1/comm)" = "procd" ] && /etc/init.d/shellcrash enable + ckcmd systemctl && [ "$(cat /proc/1/comm)" = "systemd" ] && systemctl enable shellcrash.service > /dev/null 2>&1 + rm -rf "$CRASHDIR"/.dis_startup + autostart=enable + #检测IP转发 + if [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "0" ];then + echo "-----------------------------------------------" + echo -e "\033[33m检测到你的设备尚未开启ip转发,局域网设备将无法正常连接网络,是否立即开启?\033[0m" + read -p "是否开启?(1/0) > " res + [ "$res" = 1 ] && { + echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf + sysctl -w net.ipv4.ip_forward=1 + } && echo "已成功开启ipv4转发,如未正常开启,请手动重启设备!" || echo "开启失败!请自行谷歌查找当前设备的开启方法!" 
+ fi + #禁止docker启用的net.bridge.bridge-nf-call-iptables + sysctl -w net.bridge.bridge-nf-call-iptables=0 > /dev/null 2>&1 + sysctl -w net.bridge.bridge-nf-call-ip6tables=0 > /dev/null 2>&1 + ;; + 2) + setconfig redir_mod "Redir模式" + [ -n "$(echo $cputype | grep -E "linux.*mips.*")" ] && setconfig crashcore "clash" + setconfig common_ports "未开启" + setconfig firewall_area '2' + ;; + 3) + mv -f $CFG_PATH.bak $CFG_PATH + echo -e "\033[32m脚本设置已还原!\033[0m" + echo -e "\033[33m请重新启动脚本!\033[0m" + exit 0 + ;; + *) + errornum + forwhat + ;; + esac + } + forwhat + #检测小内存模式 + dir_size=$(dir_avail "$CRASHDIR") + if [ "$dir_size" -lt 10240 ];then + echo "-----------------------------------------------" + echo -e "\033[33m检测到你的安装目录空间不足10M,是否开启小闪存模式?\033[0m" + echo -e "\033[0m开启后核心及数据库文件将被下载到内存中,这将占用一部分内存空间\033[0m" + echo -e "\033[0m每次开机后首次运行服务时都会自动的重新下载相关文件\033[0m" + echo "-----------------------------------------------" + read -p "是否开启?(1/0) > " res + [ "$res" = 1 ] && { + BINDIR=/tmp/ShellCrash + setconfig BINDIR /tmp/ShellCrash "$CRASHDIR"/configs/command.env + } + fi + #检测及下载根证书 + openssldir="$(openssl version -d 2>&1 | awk -F '"' '{print $2}')" + [ ! -d "$openssldir/certs" ] && openssldir=/etc/ssl + if [ -d $openssldir/certs -a ! 
-f $openssldir/certs/ca-certificates.crt ];then + echo "-----------------------------------------------" + echo -e "\033[33m当前设备未找到根证书文件\033[0m" + echo "-----------------------------------------------" + read -p "是否下载并安装根证书?(1/0) > " res + [ "$res" = 1 ] && checkupdate && getcrt + fi + #设置加密DNS + if [ -s $openssldir/certs/ca-certificates.crt ];then + dns_nameserver='https://dns.alidns.com/dns-query, https://doh.pub/dns-query' + dns_fallback='https://cloudflare-dns.com/dns-query, https://dns.google/dns-query, https://doh.opendns.com/dns-query' + dns_resolver='https://223.5.5.5/dns-query, 2400:3200::1' + setconfig dns_nameserver "'$dns_nameserver'" + setconfig dns_fallback "'$dns_fallback'" + setconfig dns_resolver "'$dns_resolver'" + fi + #开启公网访问 + sethost(){ + read -p "请输入你的公网IP地址 > " host + echo $host | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + if [ -z "$host" ];then + echo -e "\033[31m请输入正确的IP地址!\033[0m" + sethost + fi + } + if ckcmd systemctl;then + echo "-----------------------------------------------" + echo -e "\033[32m是否开启公网访问Dashboard面板及socks服务?\033[0m" + echo -e "注意当前设备必须有公网IP才能从公网正常访问" + echo -e "\033[31m此功能会增加暴露风险请谨慎使用!\033[0m" + echo -e "vps设备可能还需要额外在服务商后台开启相关端口" + read -p "现在开启?(1/0) > " res + if [ "$res" = 1 ];then + read -p "请先设置面板访问秘钥 > " secret + read -p "请先修改Socks服务端口(1-65535) > " mix_port + read -p "请先设置Socks服务密码(账号默认为crash) > " sec + [ -z "$sec" ] && authentication=crash:$sec + host=$(curl ip.sb 2>/dev/null | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') + if [ -z "$host" ];then + sethost + fi + public_support=已开启 + setconfig secret $secret + setconfig mix_port $mix_port + setconfig host $host + setconfig public_support $public_support + setconfig authentication "'$authentication'" + fi + fi + #启用推荐的自动任务配置 + . 
"$CRASHDIR"/task/task.sh && task_recom + #小米设备软固化 + if [ "$systype" = "mi_snapshot" ];then + echo "-----------------------------------------------" + echo -e "\033[33m检测到为小米路由设备,启用软固化可防止路由升级后丢失SSH\033[0m" + read -p "是否启用软固化功能?(1/0) > " res + [ "$res" = 1 ] && mi_autoSSH + fi + #提示导入订阅或者配置文件 + [ ! -s "$CRASHDIR"/yamls/config.yaml -a ! -s "$CRASHDIR"/jsons/config.json ] && { + echo "-----------------------------------------------" + echo -e "\033[32m是否导入配置文件?\033[0m(这是运行前的最后一步)" + echo -e "\033[0m你必须拥有一份配置文件才能运行服务!\033[0m" + echo "-----------------------------------------------" + read -p "现在开始导入?(1/0) > " res + [ "$res" = 1 ] && inuserguide=1 && { + if [ -f "$CRASHDIR"/v2b_api.sh ];then + . "$CRASHDIR"/v2b_api.sh + else + set_core_config + fi + set_core_config + inuserguide="" + } + } + #回到主界面 + echo "-----------------------------------------------" + echo -e "\033[36m很好!现在只需要执行启动就可以愉快的使用了!\033[0m" + echo "-----------------------------------------------" + read -p "立即启动服务?(1/0) > " res + [ "$res" = 1 ] && start_core && sleep 2 + main_menu +} diff --git a/scripts/menus/upgrade.sh b/scripts/menus/9-upgrade.sh similarity index 100% rename from scripts/menus/upgrade.sh rename to scripts/menus/9-upgrade.sh diff --git a/scripts/menus/ddns_op.sh b/scripts/menus/ddns_op.sh deleted file mode 100644 index a51d3afb..00000000 --- a/scripts/menus/ddns_op.sh +++ /dev/null 
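Review bot: The Socks password prompt in the moved userguide is inverted: `[ -z "$sec" ] && authentication=crash:$sec` sets `authentication` only when the user entered nothing, storing `crash:` with an empty password, while a non-empty password is silently dropped and nothing is persisted; it should read `[ -n "$sec" ] && authentication="crash:$sec"`. The guide also still flips `public_support=已开启`, the flag this same commit replaces with `fw_wan`/`fw_wan_ports` in 7-gateway.sh, so the "public access" choice made here presumably no longer affects the new firewall. `setconfig secret $secret` and `setconfig mix_port $mix_port` pass unquoted, unvalidated input; the port at least could go through `check_port`. The userguide function lies wholly within this hunk.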
@@ -1,178 +0,0 @@ -#! /bin/bash -# Copyright (C) Juewuy - -ddns_dir=/etc/config/ddns -tmp_dir=/tmp/ddns_$USER - -[ ! -f $ddns_dir ] && echo -e "本脚本依赖OpenWrt内置的DDNS服务,当前设备无法运行,已退出!" && exit 1 -echo ----------------------------------------------- -echo -e "\033[30;46m欢迎使用ShellDDNS!\033[0m" -echo -e "TG群:\033[36;4mhttps://t.me/ShellCrash\033[0m" - -add_ddns() { - cat >>$ddns_dir </dev/null 2>&1 & - sleep 3 - echo 服务已经添加! -} -set_ddns() { - echo ----------------------------------------------- - read -p "请输入你的域名 > " str - [ -z "$str" ] && domain=$domain || domain=$str - echo ----------------------------------------------- - read -p "请输入用户名或邮箱 > " str - [ -z "$str" ] && username=$username || username=$str - echo ----------------------------------------------- - read -p "请输入密码或令牌秘钥 > " str - [ -z "$str" ] && password=$password || password=$str - echo ----------------------------------------------- - read -p "请输入检测更新间隔(单位:分钟;默认为10) > " check_interval - [ -z "$check_interval" ] || [ "$check_interval" -lt 1 -o "$check_interval" -gt 1440 ] && check_interval=10 - echo ----------------------------------------------- - read -p "请输入强制更新间隔(单位:小时;默认为24) > " force_interval - [ -z "$force_interval" ] || [ "$force_interval" -lt 1 -o "$force_interval" -gt 240 ] && force_interval=24 - echo ----------------------------------------------- - echo -e "请核对如下信息:" - echo -e "服务商: \033[32m$service\033[0m" - echo -e "域名: \033[32m$domain\033[0m" - echo -e "用户名: \033[32m$username\033[0m" - echo -e "检测间隔: \033[32m$check_interval\033[0m" - echo ----------------------------------------------- - read -p "确认添加?(1/0) > " res - [ "$res" = 1 ] && add_ddns || set_ddns -} - -set_service() { - services_dir=/etc/ddns/$serv - [ -s $services_dir ] || services_dir=/usr/share/ddns/list - echo ----------------------------------------------- - echo -e "\033[32m请选择服务提供商\033[0m" - cat $services_dir | grep -v '^#' | awk '{print " "NR" " $1}' - nr=$(cat $services_dir | grep -v '^#' | wc -l) - read -p "请输入对应数字 > " num - 
if [ -z "$num" ]; then - i= - elif [ "$num" -gt 0 -a "$num" -lt $nr ]; then - service_name=$(cat $services_dir | grep -v '^#' | awk '{print $1}' | sed -n "$num"p | sed 's/"//g') - service=$(echo $service_name | sed 's/\./_/g') - set_ddns - else - echo "输入错误,请重新输入!" - sleep 1 - set_service - fi -} - -network_type() { - echo ----------------------------------------------- - echo -e "\033[32m请选择网络模式\033[0m" - echo -e " 1 \033[36mIPV4\033[0m" - echo -e " 2 \033[36mIPV6\033[0m" - read -p "请输入对应数字 > " num - if [ -z "$num" ]; then - i= - elif [ "$num" = 1 ]; then - use_ipv6=0 - serv=services - set_service - elif [ "$num" = 2 ]; then - use_ipv6=1 - serv=services_ipv6 - set_service - else - echo "输入错误,请重新输入!" - sleep 1 - network_type - fi -} - -rev_service() { - enabled=$(uci show ddns.$service | grep 'enabled' | awk -F "=" '{print $2}' | tr -d "'\"") - [ "$enabled" = 1 ] && enabled_b="停用" || enabled_b="启用" - echo ----------------------------------------------- - echo -e " 1 \033[32m立即更新\033[0m" - echo -e " 2 编辑当前服务\033[0m" - echo -e " 3 $enabled_b当前服务" - echo -e " 4 移除当前服务" - echo -e " 5 查看运行日志" - echo -e " 0 返回上级菜单" - echo ----------------------------------------------- - read -p "请输入对应数字 > " num - if [ -z "$num" -o "$num" = 0 ]; then - i= - elif [ "$num" = 1 ]; then - /usr/lib/ddns/dynamic_dns_updater.sh -S $service start >/dev/null 2>&1 & - sleep 3 - elif [ "$num" = 2 ]; then - domain=$(uci show ddns.$service | grep 'domain' | awk -F "=" '{print $2}' | tr -d "'\"") - username=$(uci show ddns.$service | grep 'username' | awk -F "=" '{print $2}' | tr -d "'\"") - password=$(uci show ddns.$service | grep 'password' | awk -F "=" '{print $2}' | tr -d "'\"") - service_name=$(uci show ddns.$service | grep 'service_name' | awk -F "=" '{print $2}' | tr -d "'\"") - uci delete ddns.$service - set_ddns - elif [ "$num" = 3 ]; then - [ "$enabled" = 1 ] && uci set ddns.$service.enabled='0' || uci set ddns.$service.enabled='1' && sleep 3 - uci commit ddns.$service - elif [ "$num" = 4 ]; 
then - uci delete ddns.$service - uci commit ddns.$service - elif [ "$num" = 5 ]; then - echo ----------------------------------------------- - cat /var/log/ddns/$service.log 2>/dev/null - sleep 1 - fi -} - -load_ddns() { - nr=0 - cat $ddns_dir | grep 'config service' | awk '{print $3}' | sed "s/\'//g" | sed "s/\"//g" >$tmp_dir - echo ----------------------------------------------- - echo -e "列表 域名 启用 IP地址" - echo ----------------------------------------------- - for service in $(cat $tmp_dir); do - #echo $service >>$tmp_dir - nr=$((nr + 1)) - enabled=$(uci show ddns.$service 2>/dev/null | grep 'enabled' | awk -F "=" '{print $2}' | tr -d "'\"") - domain=$(uci show ddns.$service 2>/dev/null | grep 'domain' | awk -F "=" '{print $2}' | tr -d "'\"") - local_ip=$(sed '1!G;h;$!d' /var/log/ddns/$service.log 2>/dev/null | grep -E 'Registered IP' | tail -1 | awk -F "'" '{print $2}' | tr -d "'\"") - echo -e " $nr $domain $enabled $local_ip" - done - echo -e " $((nr + 1)) 添加DDNS服务" - echo -e " 0 退出" - echo ----------------------------------------------- - read -p "请输入对应序号 > " num - if [ -z "$num" -o "$num" = 0 ]; then - i= - elif [ "$num" -gt $nr ]; then - network_type - load_ddns - elif [ "$num" -gt 0 -a "$num" -le $nr ]; then - service=$(cat $tmp_dir | sed -n "$num"p) - rev_service - load_ddns - else - echo "请输入正确数字!" && load_ddns - fi -} - -load_ddns -rm -rf $tmp_dir diff --git a/scripts/menus/dns.sh b/scripts/menus/dns.sh index 64d3a0c1..ae89dc70 100644 --- a/scripts/menus/dns.sh +++ b/scripts/menus/dns.sh @@ -129,7 +129,6 @@ set_dns_adv() { #DNS详细设置 echo -e " 3 修改\033[33m解析DNS\033[0m(必须是IP,用于解析其他DNS)" echo -e " 4 DNS防泄漏: \033[36m$dns_protect\033[0m ———启用时少量网站可能连接卡顿" echo -e " 5 hosts优化: \033[36m$hosts_opt\033[0m ———调用本机hosts并劫持NTP服务" - #echo -e " 6 Dnsmasq转发:\033[36m$dns_redir\033[0m ———不推荐使用" echo -e " 7 禁用DNS劫持:\033[36m$dns_no\033[0m ———搭配第三方DNS使用" echo -e " 8 一键配置\033[32m加密DNS\033[0m" echo -e " 9 \033[33m重置\033[0m默认DNS配置" 
diff --git a/scripts/start.sh b/scripts/start.sh index 1a956bba..e5904b76 100644 --- a/scripts/start.sh +++ b/scripts/start.sh @@ -13,6 +13,8 @@ CRASHDIR=$( #加载工具 . "$CRASHDIR"/libs/set_config.sh . "$CRASHDIR"/libs/check_cmd.sh +. "$CRASHDIR"/starts/fw_start.sh +. "$CRASHDIR"/starts/fw_stop.sh #脚本内部工具 getconfig() { #读取配置及全局变量 @@ -25,7 +27,6 @@ getconfig() { #读取配置及全局变量 [ -z "$dns_mod" ] && dns_mod=fake-ip [ -z "$ipv6_redir" ] && ipv6_redir=未开启 [ -z "$ipv6_dns" ] && ipv6_dns=已开启 - [ -z "$cn_ipv6_route" ] && cn_ipv6_route=未开启 [ -z "$macfilter_type" ] && macfilter_type=黑名单 [ -z "$mix_port" ] && mix_port=7890 [ -z "$redir_port" ] && redir_port=7892 
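Review bot: getconfig drops the `cn_ipv6_route` default here while the `cn_ipv6_route()` function at the head of the next hunk survives and the userguide moved into 8-tools.sh by this same commit still writes `setconfig cn_ipv6_route 已开启`, so any consumer of the variable sees it unset on a fresh install but `已开启` after the guide runs. Either keep the default line, `[ -z "$cn_ipv6_route" ] && cn_ipv6_route=未开启`, or remove the userguide write alongside the menu entry removed from 2-settings.sh. The new `fw_start.sh`/`fw_stop.sh` sources are loaded before getconfig is defined, which is fine only if they define functions without executing anything; that cannot be confirmed from this hunk.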
@@ -1043,677 +1044,6 @@ cn_ipv6_route() { #CN-IPV6绕过
 rm -rf "$TMPDIR"/cn_ipv6.ipset
 }
 }
-start_ipt_route() { #iptables-route通用工具
- #$1:iptables/ip6tables $2:所在的表(nat/mangle) $3:所在的链(OUTPUT/PREROUTING) $4:新创建的shellcrash链表 $5:tcp/udp/all
- #区分ipv4/ipv6
- [ "$1" = 'iptables' ] && {
- RESERVED_IP=$reserve_ipv4
- HOST_IP=$host_ipv4
- [ "$3" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4"
- [ "$4" = 'shellcrash_vm' ] && HOST_IP="$vm_ipv4"
- iptables -h | grep -q '\-w' && w='-w' || w=''
- }
- [ "$1" = 'ip6tables' ] && {
- RESERVED_IP=$reserve_ipv6
- HOST_IP=$host_ipv6
- [ "$3" = 'OUTPUT' ] && HOST_IP="::1 $host_ipv6"
- ip6tables -h | grep -q '\-w' && w='-w' || w=''
- }
- #创建新的shellcrash链表
- $1 $w -t $2 -N $4
- #过滤dns
- $1 $w -t $2 -A $4 -p tcp --dport 53 -j RETURN
- $1 $w -t $2 -A $4 -p udp --dport 53 -j RETURN
- #防回环
- $1 $w -t $2 -A $4 -m mark --mark $routing_mark -j RETURN
- [ "$3" = 'OUTPUT' ] && for gid in 453 7890; do
- $1 $w -t $2 -A $4 -m owner --gid-owner $gid -j RETURN
- done
- [ "$firewall_area" = 5 ] && $1 $w -t $2 -A $4 -s $bypass_host -j RETURN
- [ -z "$ports" ] && $1 $w -t $2 -A $4 -p tcp -m multiport --dports "$mix_port,$redir_port,$tproxy_port" -j RETURN
- #跳过目标保留地址及目标本机网段
- for ip in $HOST_IP $RESERVED_IP; do
- $1 $w -t $2 -A $4 -d $ip -j RETURN
- done
- #绕过CN_IP
- [ "$1" = iptables ] && [ "$dns_mod" != "fake-ip" ] && [ "$cn_ip_route" = "已开启" ] && [ -f "$BINDIR"/cn_ip.txt ] && $1 $w -t $2 -A $4 -m set --match-set cn_ip dst -j RETURN 2>/dev/null
- [ "$1" = ip6tables ] && [ "$dns_mod" != "fake-ip" ] && [ "$cn_ipv6_route" = "已开启" ] && [ -f "$BINDIR"/cn_ipv6.txt ] && $1 $w -t $2 -A $4 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
- #局域网mac地址黑名单过滤
- [ "$3" = 'PREROUTING' ] && [ "$macfilter_type" != "白名单" ] && {
- [ -s "$CRASHDIR"/configs/mac ] &&
- for mac in $(cat "$CRASHDIR"/configs/mac); do
- $1 $w -t $2 -A $4 -m mac --mac-source $mac -j RETURN
- done
- [ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] &&
- for ip in $(cat 
"$CRASHDIR"/configs/ip_filter); do
- $1 $w -t $2 -A $4 -s $ip -j RETURN
- done
- }
- #tcp&udp分别进代理链
- proxy_set() {
- if [ "$3" = 'PREROUTING' ] && [ "$4" != 'shellcrash_vm' ] && [ "$macfilter_type" = "白名单" ] && [ -n "$(cat $CRASHDIR/configs/mac $CRASHDIR/configs/ip_filter 2>/dev/null)" ]; then
- [ -s "$CRASHDIR"/configs/mac ] &&
- for mac in $(cat "$CRASHDIR"/configs/mac); do
- $1 $w -t $2 -A $4 -p $5 -m mac --mac-source $mac -j $JUMP
- done
- [ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] &&
- for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
- $1 $w -t $2 -A $4 -p $5 -s $ip -j $JUMP
- done
- else
- for ip in $HOST_IP; do #仅限指定网段流量
- $1 $w -t $2 -A $4 -p $5 -s $ip -j $JUMP
- done
- fi
- #将所在链指定流量指向shellcrash表
- $1 $w -t $2 -I $3 -p $5 $ports -j $4
- [ "$dns_mod" = "mix" -o "$dns_mod" = "fake-ip" ] && [ "$common_ports" = "已开启" ] && [ "$1" = iptables ] && $1 $w -t $2 -I $3 -p $5 -d 28.0.0.0/8 -j $4
- [ "$dns_mod" = "mix" -o "$dns_mod" = "fake-ip" ] && [ "$common_ports" = "已开启" ] && [ "$1" = ip6tables ] && $1 $w -t $2 -I $3 -p $5 -d fc00::/16 -j $4
- }
- [ "$5" = "tcp" -o "$5" = "all" ] && proxy_set $1 $2 $3 $4 tcp
- [ "$5" = "udp" -o "$5" = "all" ] && proxy_set $1 $2 $3 $4 udp
-}
-start_ipt_dns() { #iptables-dns通用工具
- #$1:iptables/ip6tables $2:所在的表(OUTPUT/PREROUTING) $3:新创建的shellcrash表
- #区分ipv4/ipv6
- [ "$1" = 'iptables' ] && {
- HOST_IP="$host_ipv4"
- [ "$2" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4"
- [ "$3" = 'shellcrash_vm_dns' ] && HOST_IP="$vm_ipv4"
- iptables -h | grep -q '\-w' && w='-w' || w=''
- }
- [ "$1" = 'ip6tables' ] && {
- HOST_IP=$host_ipv6
- ip6tables -h | grep -q '\-w' && w='-w' || w=''
- }
- $1 $w -t nat -N $3
- #防回环
- $1 $w -t nat -A $3 -m mark --mark $routing_mark -j RETURN
- [ "$2" = 'OUTPUT' ] && for gid in 453 7890; do
- $1 $w -t nat -A $3 -m owner --gid-owner $gid -j RETURN
- done
- [ "$firewall_area" = 5 ] && {
- $1 $w -t nat -A $3 -p tcp -s $bypass_host -j RETURN
- $1 $w -t nat -A $3 -p udp -s $bypass_host -j 
RETURN
- }
- #局域网mac地址黑名单过滤
- [ "$2" = 'PREROUTING' ] && [ "$macfilter_type" != "白名单" ] && {
- [ -s "$CRASHDIR"/configs/mac ] &&
- for mac in $(cat "$CRASHDIR"/configs/mac); do
- $1 $w -t nat -A $3 -m mac --mac-source $mac -j RETURN
- done
- [ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] &&
- for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
- $1 $w -t nat -A $3 -s $ip -j RETURN
- done
- }
- if [ "$2" = 'PREROUTING' ] && [ "$3" != 'shellcrash_vm_dns' ] && [ "$macfilter_type" = "白名单" ] && [ -n "$(cat $CRASHDIR/configs/mac $CRASHDIR/configs/ip_filter 2>/dev/null)" ]; then
- [ -s "$CRASHDIR"/configs/mac ] &&
- for mac in $(cat "$CRASHDIR"/configs/mac); do
- $1 $w -t nat -A $3 -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port
- $1 $w -t nat -A $3 -p udp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port
- done
- [ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] &&
- for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
- $1 $w -t nat -A $3 -p tcp -s $ip -j REDIRECT --to-ports $dns_port
- $1 $w -t nat -A $3 -p udp -s $ip -j REDIRECT --to-ports $dns_port
- done
- else
- for ip in $HOST_IP; do #仅限指定网段流量
- $1 $w -t nat -A $3 -p tcp -s $ip -j REDIRECT --to-ports $dns_port
- $1 $w -t nat -A $3 -p udp -s $ip -j REDIRECT --to-ports $dns_port
- done
- fi
- [ "$1" = 'ip6tables' ] && { #屏蔽外部请求
- $1 $w -t nat -A $3 -p tcp -j RETURN
- $1 $w -t nat -A $3 -p udp -j RETURN
- }
- $1 $w -t nat -I $2 -p tcp --dport 53 -j $3
- $1 $w -t nat -I $2 -p udp --dport 53 -j $3
-}
-start_ipt_wan() { #iptables公网防火墙
- #获取局域网host地址
- getlanip
- if [ "$public_support" = "已开启" ]; then
- $iptable -I INPUT -p tcp --dport $db_port -j ACCEPT
- ckcmd ip6tables && $ip6table -I INPUT -p tcp --dport $db_port -j ACCEPT
- else
- #仅允许非公网设备访问面板
- for ip in $reserve_ipv4; do
- $iptable -A INPUT -p tcp -s $ip --dport $db_port -j ACCEPT
- done
- $iptable -A INPUT -p tcp --dport $db_port -j REJECT
- ckcmd ip6tables && $ip6table -A INPUT -p tcp --dport $db_port -j REJECT
- 
fi
- if [ "$public_mixport" = "已开启" ]; then
- $iptable -I INPUT -p tcp --dport $mix_port -j ACCEPT
- ckcmd ip6tables && $ip6table -I INPUT -p tcp --dport $mix_port -j ACCEPT
- else
- #仅允许局域网设备访问混合端口
- for ip in $reserve_ipv4; do
- $iptable -A INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT
- done
- $iptable -A INPUT -p tcp --dport $mix_port -j REJECT
- ckcmd ip6tables && $ip6table -A INPUT -p tcp --dport $mix_port -j REJECT
- fi
- $iptable -I INPUT -p tcp -d 127.0.0.1 -j ACCEPT #本机请求全放行
-}
-start_iptables() { #iptables配置总入口
- #启动公网访问防火墙
- start_ipt_wan
- #分模式设置流量劫持
- [ "$redir_mod" = "Redir模式" -o "$redir_mod" = "混合模式" ] && {
- JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令
- [ "$lan_proxy" = true ] && {
- start_ipt_route iptables nat PREROUTING shellcrash tcp #ipv4-局域网tcp转发
- [ "$ipv6_redir" = "已开启" ] && {
- if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then
- start_ipt_route ip6tables nat PREROUTING shellcrashv6 tcp #ipv6-局域网tcp转发
- else
- logger "当前设备内核缺少ip6tables_REDIRECT模块支持,已放弃启动相关规则!" 31
- fi
- }
- }
- [ "$local_proxy" = true ] && {
- start_ipt_route iptables nat OUTPUT shellcrash_out tcp #ipv4-本机tcp转发
- [ "$ipv6_redir" = "已开启" ] && {
- if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then
- start_ipt_route ip6tables nat OUTPUT shellcrashv6_out tcp #ipv6-本机tcp转发
- else
- logger "当前设备内核缺少ip6tables_REDIRECT模块支持,已放弃启动相关规则!" 
31
- fi
- }
- }
- }
- [ "$redir_mod" = "Tproxy模式" ] && {
- modprobe xt_TPROXY >/dev/null 2>&1
- JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令
- if $iptable -j TPROXY -h 2>/dev/null | grep -q '\--on-port'; then
- [ "$lan_proxy" = true ] && start_ipt_route iptables mangle PREROUTING shellcrash_mark all
- [ "$local_proxy" = true ] && {
- if [ -n "$(grep -E '^MARK$' /proc/net/ip_tables_targets)" ]; then
- JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令
- start_ipt_route iptables mangle OUTPUT shellcrash_mark_out all
- $iptable -t mangle -A PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port
- $iptable -t mangle -A PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port
- else
- logger "当前设备内核可能缺少xt_mark模块支持,已放弃启动本机代理相关规则!" 31
- fi
- }
- else
- logger "当前设备内核可能缺少kmod_ipt_tproxy模块支持,已放弃启动相关规则!" 31
- fi
- [ "$ipv6_redir" = "已开启" ] && {
- if $ip6table -j TPROXY -h 2>/dev/null | grep -q '\--on-port'; then
- JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令
- [ "$lan_proxy" = true ] && start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark all
- [ "$local_proxy" = true ] && {
- if [ -n "$(grep -E '^MARK$' /proc/net/ip6_tables_targets)" ]; then
- JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令
- start_ipt_route ip6tables mangle OUTPUT shellcrashv6_mark_out all
- $ip6table -t mangle -A PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port
- $ip6table -t mangle -A PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port
- else
- logger "当前设备内核可能缺少xt_mark模块支持,已放弃启动本机代理相关规则!" 31
- fi
- }
- else
- logger "当前设备内核可能缺少kmod_ipt_tproxy或者xt_mark模块支持,已放弃启动相关规则!" 
31
- fi
- }
- }
- [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" -o "$redir_mod" = "T&U旁路转发" -o "$redir_mod" = "TCP旁路转发" ] && {
- JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令
- [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "T&U旁路转发" ] && protocol=all
- [ "$redir_mod" = "混合模式" ] && protocol=udp
- [ "$redir_mod" = "TCP旁路转发" ] && protocol=tcp
- if $iptable -j MARK -h 2>/dev/null | grep -q '\--set-mark'; then
- [ "$lan_proxy" = true ] && {
- [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && $iptable -I FORWARD -o utun -j ACCEPT
- start_ipt_route iptables mangle PREROUTING shellcrash_mark $protocol
- }
- [ "$local_proxy" = true ] && start_ipt_route iptables mangle OUTPUT shellcrash_mark_out $protocol
- else
- logger "当前设备内核可能缺少x_mark模块支持,已放弃启动相关规则!" 31
- fi
- [ "$ipv6_redir" = "已开启" ] && [ "$crashcore" != clashpre ] && {
- if $ip6table -j MARK -h 2>/dev/null | grep -q '\--set-mark'; then
- [ "$lan_proxy" = true ] && {
- [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && $ip6table -I FORWARD -o utun -j ACCEPT
- start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark $protocol
- }
- [ "$local_proxy" = true ] && start_ipt_route ip6tables mangle OUTPUT shellcrashv6_mark_out $protocol
- else
- logger "当前设备内核可能缺少xt_mark模块支持,已放弃启动相关规则!" 
31
- fi
- }
- }
- [ "$vm_redir" = "已开启" ] && [ -n "$$vm_ipv4" ] && {
- JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令
- start_ipt_dns iptables PREROUTING shellcrash_vm_dns #ipv4-局域网dns转发
- start_ipt_route iptables nat PREROUTING shellcrash_vm tcp #ipv4-局域网tcp转发
- }
- #启动DNS劫持
- [ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && {
- [ "$lan_proxy" = true ] && {
- start_ipt_dns iptables PREROUTING shellcrash_dns #ipv4-局域网dns转发
- if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then
- start_ipt_dns ip6tables PREROUTING shellcrashv6_dns #ipv6-局域网dns转发
- else
- $ip6table -I INPUT -p tcp --dport 53 -j REJECT >/dev/null 2>&1
- $ip6table -I INPUT -p udp --dport 53 -j REJECT >/dev/null 2>&1
- fi
- }
- [ "$local_proxy" = true ] && start_ipt_dns iptables OUTPUT shellcrash_dns_out #ipv4-本机dns转发
- }
- #屏蔽QUIC
- [ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && {
- [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && {
- set_cn_ip='-m set ! --match-set cn_ip dst'
- set_cn_ip6='-m set ! 
--match-set cn_ip6 dst'
- }
- [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
- $iptable -I FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT >/dev/null 2>&1
- $ip6table -I FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT >/dev/null 2>&1
- }
- [ "$redir_mod" = "Tproxy模式" ] && {
- $iptable -I INPUT -p udp --dport 443 $set_cn_ip -j REJECT >/dev/null 2>&1
- $ip6table -I INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT >/dev/null 2>&1
- }
- }
-}
-start_nft_route() { #nftables-route通用工具
- #$1:name $2:hook(prerouting/output) $3:type(nat/mangle/filter) $4:priority(-100/-150)
- [ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g')
- RESERVED_IP=$(echo $reserve_ipv4 | sed 's/ /, /g')
- HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
- [ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
- [ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')"
- #添加新链
- nft add chain inet shellcrash $1 { type $3 hook $2 priority $4 \; }
- [ "$1" = 'prerouting_vm' ] && nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理虚拟机流量
- #过滤dns
- nft add rule inet shellcrash $1 tcp dport 53 return
- nft add rule inet shellcrash $1 udp dport 53 return
- #防回环
- nft add rule inet shellcrash $1 meta mark $routing_mark return
- nft add rule inet shellcrash $1 meta skgid 7890 return
- [ "$firewall_area" = 5 ] && nft add rule inet shellcrash $1 ip saddr $bypass_host return
- [ -z "$ports" ] && nft add rule inet shellcrash $1 tcp dport {"$mix_port, $redir_port, $tproxy_port"} return
- #过滤常用端口
- [ -n "$PORTS" ] && {
- nft add rule inet shellcrash $1 ip daddr != {28.0.0.0/8} tcp dport != {$PORTS} return
- nft add rule inet shellcrash $1 ip daddr != {28.0.0.0/8} udp dport != {$PORTS} return
- nft add rule inet shellcrash $1 ip6 daddr != {fc00::/16} tcp dport != {$PORTS} return
- nft add rule inet shellcrash $1 ip6 daddr != {fc00::/16} udp dport != {$PORTS} return
- }
- #nft add rule inet shellcrash $1 ip saddr 
28.0.0.0/8 return
- nft add rule inet shellcrash $1 ip daddr {$RESERVED_IP} return #过滤保留地址
- #过滤局域网设备
- [ "$1" = 'prerouting' ] && {
- [ "$macfilter_type" != "白名单" ] && {
- [ -s "$CRASHDIR"/configs/mac ] && {
- MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
- nft add rule inet shellcrash $1 ether saddr {$MAC} return
- }
- [ -s "$CRASHDIR"/configs/ip_filter ] && {
- FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter)
- nft add rule inet shellcrash $1 ip saddr {$FL_IP} return
- }
- nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理本机局域网网段流量
- }
- [ "$macfilter_type" = "白名单" ] && {
- [ -s "$CRASHDIR"/configs/mac ] && MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
- [ -s "$CRASHDIR"/configs/ip_filter ] && FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter)
- if [ -n "$MAC" ] && [ -n "$FL_IP" ]; then
- nft add rule inet shellcrash $1 ether saddr != {$MAC} ip saddr != {$FL_IP} return
- elif [ -n "$MAC" ]; then
- nft add rule inet shellcrash $1 ether saddr != {$MAC} return
- elif [ -n "$FL_IP" ]; then
- nft add rule inet shellcrash $1 ip saddr != {$FL_IP} return
- else
- nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理本机局域网网段流量
- fi
- }
- }
- #绕过CN-IP
- [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" -a -f "$BINDIR"/cn_ip.txt ] && {
- CN_IP=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ip.txt)
- [ -n "$CN_IP" ] && nft add rule inet shellcrash $1 ip daddr {$CN_IP} return
- }
- #局域网ipv6支持
- if [ "$ipv6_redir" = "已开启" -a "$1" = 'prerouting' -a "$firewall_area" != 5 ]; then
- RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')"
- HOST_IP6="$(echo $host_ipv6 | sed 's/ /, /g')"
- #过滤保留地址及本机地址
- nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return
- #仅代理本机局域网网段流量
- nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return
- #绕过CN_IPV6
- [ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" -a -f "$BINDIR"/cn_ipv6.txt ] && {
- CN_IP6=$(awk '{printf "%s, ",$1}' 
"$BINDIR"/cn_ipv6.txt)
- [ -n "$CN_IP6" ] && nft add rule inet shellcrash $1 ip6 daddr {$CN_IP6} return
- }
- elif [ "$ipv6_redir" = "已开启" -a "$1" = 'output' -a \( "$firewall_area" = 2 -o "$firewall_area" = 3 \) ]; then
- RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')"
- HOST_IP6="::1, $(echo $host_ipv6 | sed 's/ /, /g')"
- #过滤保留地址及本机地址
- nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return
- #仅代理本机局域网网段流量
- nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return
- #绕过CN_IPV6
- [ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" -a -f "$BINDIR"/cn_ipv6.txt ] && {
- CN_IP6=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ipv6.txt)
- [ -n "$CN_IP6" ] && nft add rule inet shellcrash $1 ip6 daddr {$CN_IP6} return
- }
- else
- nft add rule inet shellcrash $1 meta nfproto ipv6 return
- fi
- #添加通用路由
- nft add rule inet shellcrash "$1" "$JUMP"
- #处理特殊路由
- [ "$redir_mod" = "混合模式" ] && {
- nft add rule inet shellcrash $1 meta l4proto tcp mark set $((fwmark + 1))
- nft add chain inet shellcrash "$1"_mixtcp { type nat hook $2 priority -100 \; }
- nft add rule inet shellcrash "$1"_mixtcp mark $((fwmark + 1)) meta l4proto tcp redirect to $redir_port
- }
- #nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug
-}
-start_nft_dns() { #nftables-dns
- HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
- HOST_IP6=$(echo $host_ipv6 | sed 's/ /, /g')
- [ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
- [ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')"
- nft add chain inet shellcrash "$1"_dns { type nat hook $2 priority -100 \; }
- #过滤非dns请求
- nft add rule inet shellcrash "$1"_dns udp dport != 53 return
- nft add rule inet shellcrash "$1"_dns tcp dport != 53 return
- #防回环
- nft add rule inet shellcrash "$1"_dns meta mark $routing_mark return
- nft add rule inet shellcrash "$1"_dns meta skgid { 453, 7890 } return
- [ "$firewall_area" = 5 ] && nft add rule inet shellcrash "$1"_dns ip saddr 
$bypass_host return
- nft add rule inet shellcrash "$1"_dns ip saddr != {$HOST_IP} return #屏蔽外部请求
- [ "$1" = 'prerouting' ] && nft add rule inet shellcrash "$1"_dns ip6 saddr != {$HOST_IP6} return #屏蔽外部请求
- #过滤局域网设备
- [ "$1" = 'prerouting' ] && [ -s "$CRASHDIR"/configs/mac ] && {
- MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
- if [ "$macfilter_type" = "黑名单" ]; then
- nft add rule inet shellcrash "$1"_dns ether saddr {$MAC} return
- else
- nft add rule inet shellcrash "$1"_dns ether saddr != {$MAC} return
- fi
- }
- nft add rule inet shellcrash "$1"_dns udp dport 53 redirect to ${dns_port}
- nft add rule inet shellcrash "$1"_dns tcp dport 53 redirect to ${dns_port}
-}
-start_nft_wan() { #nftables公网防火墙
- #获取局域网host地址
- getlanip
- HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
- nft add chain inet shellcrash input { type filter hook input priority -100 \; }
- nft add rule inet shellcrash input ip daddr 127.0.0.1 accept
- if [ "$public_support" = "已开启" ]; then
- nft add rule inet shellcrash input tcp dport $db_port accept
- else
- #仅允许非公网设备访问面板
- nft add rule inet shellcrash input tcp dport $db_port ip saddr {$HOST_IP} accept
- nft add rule inet shellcrash input tcp dport $db_port reject
- fi
- if [ "$public_mixport" = "已开启" ]; then
- nft add rule inet shellcrash input tcp dport $mix_port accept
- else
- #仅允许局域网设备访问混合端口
- nft add rule inet shellcrash input tcp dport $mix_port ip saddr {$HOST_IP} accept
- nft add rule inet shellcrash input tcp dport $mix_port reject
- fi
-}
-start_nftables() { #nftables配置总入口
- #初始化nftables
- nft add table inet shellcrash 2>/dev/null
- nft flush table inet shellcrash 2>/dev/null
- #公网访问防火墙
- [ "$systype" != 'container' ] && start_nft_wan
- #启动DNS劫持
- [ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && {
- [ "$lan_proxy" = true ] && start_nft_dns prerouting prerouting #局域网dns转发
- [ "$local_proxy" = true ] && start_nft_dns output output #本机dns转发
- }
- #分模式设置流量劫持
- [ "$redir_mod" = "Redir模式" ] && {
- 
JUMP="meta l4proto tcp redirect to $redir_port" #跳转劫持的具体命令
- [ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -100
- [ "$local_proxy" = true ] && start_nft_route output output nat -100
- }
- [ "$redir_mod" = "Tproxy模式" ] && (modprobe nft_tproxy >/dev/null 2>&1 || lsmod 2>/dev/null | grep -q nft_tproxy) && {
- JUMP="meta l4proto {tcp, udp} mark set $fwmark tproxy to :$tproxy_port" #跳转劫持的具体命令
- [ "$lan_proxy" = true ] && start_nft_route prerouting prerouting filter -150
- [ "$local_proxy" = true ] && {
- JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令
- start_nft_route output output route -150
- nft add chain inet shellcrash mark_out { type filter hook prerouting priority -100 \; }
- nft add rule inet shellcrash mark_out meta mark $fwmark meta l4proto {tcp, udp} tproxy to :$tproxy_port
- }
- }
- [ "$tun_statu" = true ] && {
- [ "$redir_mod" = "Tun模式" ] && JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令
- [ "$redir_mod" = "混合模式" ] && JUMP="meta l4proto udp mark set $fwmark" #跳转劫持的具体命令
- [ "$lan_proxy" = true ] && {
- start_nft_route prerouting prerouting filter -150
- #放行流量
- nft list table inet fw4 >/dev/null 2>&1 || nft add table inet fw4
- nft list chain inet fw4 forward >/dev/null 2>&1 || nft add chain inet fw4 forward { type filter hook forward priority filter \; } 2>/dev/null
- nft list chain inet fw4 input >/dev/null 2>&1 || nft add chain inet fw4 input { type filter hook input priority filter \; } 2>/dev/null
- nft list chain inet fw4 forward | grep -q 'oifname "utun" accept' || nft insert rule inet fw4 forward oifname "utun" accept
- nft list chain inet fw4 input | grep -q 'iifname "utun" accept' || nft insert rule inet fw4 input iifname "utun" accept
- }
- [ "$local_proxy" = true ] && start_nft_route output output route -150
- }
- [ "$firewall_area" = 5 ] && {
- [ "$redir_mod" = "T&U旁路转发" ] && JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令
- [ "$redir_mod" = "TCP旁路转发" ] && JUMP="meta l4proto tcp mark set 
$fwmark" #跳转劫持的具体命令
- [ "$lan_proxy" = true ] && start_nft_route prerouting prerouting filter -150
- [ "$local_proxy" = true ] && start_nft_route output output route -150
- }
- [ "$vm_redir" = "已开启" ] && [ -n "$$vm_ipv4" ] && {
- start_nft_dns prerouting_vm prerouting
- JUMP="meta l4proto tcp redirect to $redir_port" #跳转劫持的具体命令
- start_nft_route prerouting_vm prerouting nat -100
- }
- #屏蔽QUIC
- [ "$quic_rj" = '已启用' -a "$lan_proxy" = true ] && {
- [ "$redir_mod" = "Tproxy模式" ] && {
- nft add chain inet shellcrash quic_rj { type filter hook input priority 0 \; }
- [ -n "$CN_IP" ] && nft add rule inet shellcrash quic_rj ip daddr {$CN_IP} return
- [ -n "$CN_IP6" ] && nft add rule inet shellcrash quic_rj ip6 daddr {$CN_IP6} return
- nft add rule inet shellcrash quic_rj udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT'
- }
- [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
- nft insert rule inet fw4 forward oifname "utun" udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT'
- [ -n "$CN_IP" ] && nft insert rule inet fw4 forward oifname "utun" ip daddr {$CN_IP} return
- [ -n "$CN_IP6" ] && nft insert rule inet fw4 forward oifname "utun" ip6 daddr {$CN_IP6} return
- }
- }
-}
-start_firewall() { #路由规则总入口
- getlanip #获取局域网host地址
- #设置策略路由
- [ "$firewall_area" != 4 ] && {
- [ "$redir_mod" = "Tproxy模式" ] && ip route add local default dev lo table $table 2>/dev/null
- [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
- i=1
- while [ -z "$(ip route list | grep utun)" -a "$i" -le 29 ]; do
- sleep 1
- i=$((i + 1))
- done
- if [ -z "$(ip route list | grep utun)" ]; then
- logger "找不到tun模块,放弃启动tun相关防火墙规则!" 
31
- else
- ip route add default dev utun table $table && tun_statu=true
- fi
- }
- [ "$firewall_area" = 5 ] && ip route add default via $bypass_host table $table 2>/dev/null
- [ "$redir_mod" != "Redir模式" ] && ip rule add fwmark $fwmark table $table 2>/dev/null
- }
- #添加ipv6路由
- [ "$ipv6_redir" = "已开启" -a "$firewall_area" -le 3 ] && {
- [ "$redir_mod" = "Tproxy模式" ] && ip -6 route add local default dev lo table $((table + 1)) 2>/dev/null
- [ -n "$(ip route list | grep utun)" ] && ip -6 route add default dev utun table $((table + 1)) 2>/dev/null
- [ "$redir_mod" != "Redir模式" ] && ip -6 rule add fwmark $fwmark table $((table + 1)) 2>/dev/null
- }
- #判断代理用途
- [ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && local_proxy=true
- [ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 ] && lan_proxy=true
- #防火墙配置
- [ "$firewall_mod" = 'iptables' ] && start_iptables
- [ "$firewall_mod" = 'nftables' ] && start_nftables
- #修复部分虚拟机dns查询失败的问题
- [ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -z "$(grep '127.0.0.1' /etc/resolv.conf 2>/dev/null)" ] && [ "$systype" != 'container' ] && {
- line=$(grep -n 'nameserver' /etc/resolv.conf | awk -F: 'FNR==1{print $1}')
- sed -i "$line i\nameserver 127.0.0.1 #shellcrash-dns-repair" /etc/resolv.conf >/dev/null 2>&1
- }
- #openwrt使用dnsmasq转发DNS
- if [ "$dns_redir" = "已开启" -a "$firewall_area" -le 3 -a "$dns_no" != "已禁用" ]; then
- uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1
- uci delete dhcp.@dnsmasq[0].resolvfile 2>/dev/null
- uci add_list dhcp.@dnsmasq[0].server=127.0.0.1#$dns_port >/dev/null 2>&1
- uci set dhcp.@dnsmasq[0].noresolv=1 2>/dev/null
- uci commit dhcp >/dev/null 2>&1
- /etc/init.d/dnsmasq restart >/dev/null 2>&1
- elif [ "$(uci get dhcp.@dnsmasq[0].dns_redirect 2>/dev/null)" = 1 ]; then
- uci del dhcp.@dnsmasq[0].dns_redirect
- uci commit dhcp.@dnsmasq[0]
- fi
-}
-stop_firewall() { #还原防火墙配置
- #获取局域网host地址
- getlanip
- #重置iptables相关规则
- ckcmd iptables && {
- #dns
- $iptable -t nat -D PREROUTING -p 
tcp --dport 53 -j shellcrash_dns 2>/dev/null
- $iptable -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_dns 2>/dev/null
- $iptable -t nat -D OUTPUT -p udp --dport 53 -j shellcrash_dns_out 2>/dev/null
- $iptable -t nat -D OUTPUT -p tcp --dport 53 -j shellcrash_dns_out 2>/dev/null
- #redir
- $iptable -t nat -D PREROUTING -p tcp $ports -j shellcrash 2>/dev/null
- $iptable -t nat -D PREROUTING -p tcp -d 28.0.0.0/8 -j shellcrash 2>/dev/null
- $iptable -t nat -D OUTPUT -p tcp $ports -j shellcrash_out 2>/dev/null
- $iptable -t nat -D OUTPUT -p tcp -d 28.0.0.0/8 -j shellcrash_out 2>/dev/null
- #vm_dns
- $iptable -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_vm_dns 2>/dev/null
- $iptable -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_vm_dns 2>/dev/null
- #vm_redir
- $iptable -t nat -D PREROUTING -p tcp $ports -j shellcrash_vm 2>/dev/null
- $iptable -t nat -D PREROUTING -p tcp -d 28.0.0.0/8 -j shellcrash_vm 2>/dev/null
- #TPROXY&tun
- $iptable -t mangle -D PREROUTING -p tcp $ports -j shellcrash_mark 2>/dev/null
- $iptable -t mangle -D PREROUTING -p udp $ports -j shellcrash_mark 2>/dev/null
- $iptable -t mangle -D PREROUTING -p tcp -d 28.0.0.0/8 -j shellcrash_mark 2>/dev/null
- $iptable -t mangle -D PREROUTING -p udp -d 28.0.0.0/8 -j shellcrash_mark 2>/dev/null
- $iptable -t mangle -D OUTPUT -p tcp $ports -j shellcrash_mark_out 2>/dev/null
- $iptable -t mangle -D OUTPUT -p udp $ports -j shellcrash_mark_out 2>/dev/null
- $iptable -t mangle -D OUTPUT -p tcp -d 28.0.0.0/8 -j shellcrash_mark_out 2>/dev/null
- $iptable -t mangle -D OUTPUT -p udp -d 28.0.0.0/8 -j shellcrash_mark_out 2>/dev/null
- $iptable -t mangle -D PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port 2>/dev/null
- $iptable -t mangle -D PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port 2>/dev/null
- #tun
- $iptable -D FORWARD -o utun -j ACCEPT 2>/dev/null
- #屏蔽QUIC
- [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! 
--match-set cn_ip dst'
- $iptable -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null
- $iptable -D FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT 2>/dev/null
- #公网访问
- for ip in $host_ipv4 $local_ipv4 $reserve_ipv4; do
- $iptable -D INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT 2>/dev/null
- $iptable -D INPUT -p tcp -s $ip --dport $db_port -j ACCEPT 2>/dev/null
- done
- $iptable -D INPUT -p tcp -d 127.0.0.1 -j ACCEPT 2>/dev/null
- $iptable -D INPUT -p tcp --dport $mix_port -j REJECT 2>/dev/null
- $iptable -D INPUT -p tcp --dport $mix_port -j ACCEPT 2>/dev/null
- $iptable -D INPUT -p tcp --dport $db_port -j REJECT 2>/dev/null
- $iptable -D INPUT -p tcp --dport $db_port -j ACCEPT 2>/dev/null
- #清理shellcrash自建表
- for words in shellcrash_dns shellcrash shellcrash_out shellcrash_dns_out shellcrash_vm shellcrash_vm_dns; do
- $iptable -t nat -F $words 2>/dev/null
- $iptable -t nat -X $words 2>/dev/null
- done
- for words in shellcrash_mark shellcrash_mark_out; do
- $iptable -t mangle -F $words 2>/dev/null
- $iptable -t mangle -X $words 2>/dev/null
- done
- }
- #重置ipv6规则
- ckcmd ip6tables && {
- #dns
- $ip6table -t nat -D PREROUTING -p tcp --dport 53 -j shellcrashv6_dns 2>/dev/null
- $ip6table -t nat -D PREROUTING -p udp --dport 53 -j shellcrashv6_dns 2>/dev/null
- #redir
- $ip6table -t nat -D PREROUTING -p tcp $ports -j shellcrashv6 2>/dev/null
- $ip6table -t nat -D PREROUTING -p tcp -d fc00::/16 -j shellcrashv6 2>/dev/null
- $ip6table -t nat -D OUTPUT -p tcp $ports -j shellcrashv6_out 2>/dev/null
- $ip6table -t nat -D OUTPUT -p tcp -d fc00::/16 -j shellcrashv6_out 2>/dev/null
- $ip6table -D INPUT -p tcp --dport 53 -j REJECT 2>/dev/null
- $ip6table -D INPUT -p udp --dport 53 -j REJECT 2>/dev/null
- #mark
- $ip6table -t mangle -D PREROUTING -p tcp $ports -j shellcrashv6_mark 2>/dev/null
- $ip6table -t mangle -D PREROUTING -p udp $ports -j shellcrashv6_mark 2>/dev/null
- $ip6table -t mangle -D PREROUTING -p tcp -d fc00::/16 -j shellcrashv6_mark 
2>/dev/null
- $ip6table -t mangle -D PREROUTING -p udp -d fc00::/16 -j shellcrashv6_mark 2>/dev/null
- $ip6table -t mangle -D OUTPUT -p tcp $ports -j shellcrashv6_mark_out 2>/dev/null
- $ip6table -t mangle -D OUTPUT -p udp $ports -j shellcrashv6_mark_out 2>/dev/null
- $ip6table -t mangle -D OUTPUT -p tcp -d fc00::/16 -j shellcrashv6_mark_out 2>/dev/null
- $ip6table -t mangle -D OUTPUT -p udp -d fc00::/16 -j shellcrashv6_mark_out 2>/dev/null
- $ip6table -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null
- $ip6table -t mangle -D PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port 2>/dev/null
- $ip6table -t mangle -D PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port 2>/dev/null
- #tun
- $ip6table -D FORWARD -o utun -j ACCEPT 2>/dev/null
- #屏蔽QUIC
- [ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst'
- $ip6table -D INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT 2>/dev/null
- $ip6table -D FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT 2>/dev/null
- #公网访问
- $ip6table -D INPUT -p tcp --dport $mix_port -j REJECT 2>/dev/null
- $ip6table -D INPUT -p tcp --dport $mix_port -j ACCEPT 2>/dev/null
- $ip6table -D INPUT -p tcp --dport $db_port -j REJECT 2>/dev/null
- $ip6table -D INPUT -p tcp --dport $db_port -j ACCEPT 2>/dev/null
- #清理shellcrash自建表
- for words in shellcrashv6_dns shellcrashv6 shellcrashv6_out; do
- $ip6table -t nat -F $words 2>/dev/null
- $ip6table -t nat -X $words 2>/dev/null
- done
- for words in shellcrashv6_mark shellcrashv6_mark_out; do
- $ip6table -t mangle -F $words 2>/dev/null
- $ip6table -t mangle -X $words 2>/dev/null
- done
- $ip6table -t mangle -F shellcrashv6_mark 2>/dev/null
- $ip6table -t mangle -X shellcrashv6_mark 2>/dev/null
- }
- #清理ipset规则
- ipset destroy cn_ip >/dev/null 2>&1
- ipset destroy cn_ip6 >/dev/null 2>&1
- #移除dnsmasq转发规则
- [ "$dns_redir" = "已开启" ] && {
- uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1
- uci set 
dhcp.@dnsmasq[0].noresolv=0 2>/dev/null
- uci commit dhcp >/dev/null 2>&1
- /etc/init.d/dnsmasq restart >/dev/null 2>&1
- }
- #清理路由规则
- ip rule del fwmark $fwmark table $table 2>/dev/null
- ip route flush table $table 2>/dev/null
- ip -6 rule del fwmark $fwmark table $((table + 1)) 2>/dev/null
- ip -6 route flush table $((table + 1)) 2>/dev/null
- #重置nftables相关规则
- ckcmd nft && {
- nft flush table inet shellcrash >/dev/null 2>&1
- nft delete table inet shellcrash >/dev/null 2>&1
- }
- #还原防火墙文件
- [ -s /etc/init.d/firewall.bak ] && mv -f /etc/init.d/firewall.bak /etc/init.d/firewall
- #others
- [ "$systype" != 'container' ] && sed -i '/shellcrash-dns-repair/d' /etc/resolv.conf >/dev/null 2>&1
-}
 #启动相关
 web_save() { #最小化保存面板节点选择
 #使用get_save获取面板节点设置
@@ -1943,7 +1273,7 @@ bfstart() { #启动前
 #检查下载cnip绕过相关文件
 [ "$firewall_mod" = nftables ] || ckcmd ipset && [ "$dns_mod" != "fake-ip" ] && {
 [ "$cn_ip_route" = "已开启" ] && cn_ip_route
- [ "$ipv6_redir" = "已开启" ] && [ "$cn_ipv6_route" = "已开启" ] && cn_ipv6_route
+ [ "$ipv6_redir" = "已开启" ] && [ "$cn_ip_route" = "已开启" ] && cn_ipv6_route
 }
 #添加shellcrash用户
 [ "$firewall_area" = 2 ] || [ "$firewall_area" = 3 ] || [ "$(cat /proc/1/comm)" = "systemd" ] &&
@@ -1984,7 +1314,7 @@ afstart() { #启动后
 done
 if [ -n "$test" -o -n "$(pidof CrashCore)" ]; then
 [ "$start_old" = "已开启" ] && rm -rf "$TMPDIR"/CrashCore #删除缓存目录内核文件
- start_firewall #配置防火墙流量劫持
+ start_firewall #配置防火墙流量劫持
 mark_time #标记启动时间
 [ -s "$CRASHDIR"/configs/web_save ] && web_restore >/dev/null 2>&1 & #后台还原面板配置
 {
diff --git a/scripts/starts/fw_iptables.sh b/scripts/starts/fw_iptables.sh
new file mode 100644
index 00000000..763a4cec
--- /dev/null
+++ b/scripts/starts/fw_iptables.sh
@@ -0,0 +1,277 @@ +#!/bin/sh +# Copyright (C) Juewuy + +start_ipt_route() { #iptables-route通用工具 + #$1:iptables/ip6tables $2:所在的表(nat/mangle) $3:所在的链(OUTPUT/PREROUTING) $4:新创建的shellcrash链表 $5:tcp/udp/all + #区分ipv4/ipv6 + [ "$1" = 'iptables' ] && { + RESERVED_IP=$reserve_ipv4 + HOST_IP=$host_ipv4 + [ "$3" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4" + [ "$4" = 'shellcrash_vm' ] && HOST_IP="$vm_ipv4" + iptables -h | grep -q '\-w' && w='-w' || w='' + } + [ "$1" = 'ip6tables' ] && { + RESERVED_IP=$reserve_ipv6 + HOST_IP=$host_ipv6 + [ "$3" = 'OUTPUT' ] && HOST_IP="::1 $host_ipv6" + ip6tables -h | grep -q '\-w' && w='-w' || w='' + } + #创建新的shellcrash链表 + "$1" $w -t "$2" -N "$4" + #过滤dns + "$1" $w -t "$2" -A "$4" -p tcp --dport 53 -j RETURN + "$1" $w -t "$2" -A "$4" -p udp --dport 53 -j RETURN + #防回环 + "$1" $w -t "$2" -A "$4" -m mark --mark $routing_mark -j RETURN + [ "$3" = 'OUTPUT' ] && for gid in 453 7890; do + "$1" $w -t "$2" -A "$4" -m owner --gid-owner $gid -j RETURN + done + [ "$firewall_area" = 5 ] && "$1" $w -t "$2" -A "$4" -s $bypass_host -j RETURN + [ -z "$ports" ] && "$1" $w -t "$2" -A "$4" -p tcp -m multiport --dports "$mix_port,$redir_port,$tproxy_port" -j RETURN + #跳过目标保留地址及目标本机网段 + for ip in $HOST_IP $RESERVED_IP; do + "$1" $w -t "$2" -A "$4" -d $ip -j RETURN + done + #绕过CN_IP + [ "$1" = iptables ] && [ "$dns_mod" != "fake-ip" ] && [ "$cn_ip_route" = "已开启" ] && [ -f "$BINDIR"/cn_ip.txt ] && "$1" $w -t "$2" -A "$4" -m set --match-set cn_ip dst -j RETURN 2>/dev/null + [ "$1" = ip6tables ] && [ "$dns_mod" != "fake-ip" ] && [ "$cn_ip_route" = "已开启" ] && [ -f "$BINDIR"/cn_ipv6.txt ] && "$1" $w -t "$2" -A "$4" -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null + #局域网mac地址黑名单过滤 + [ "$3" = 'PREROUTING' ] && [ "$macfilter_type" != "白名单" ] && { + [ -s "$CRASHDIR"/configs/mac ] && + for mac in $(cat "$CRASHDIR"/configs/mac); do + "$1" $w -t "$2" -A "$4" -m mac --mac-source $mac -j RETURN + done + [ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] && 
+ for ip in $(cat "$CRASHDIR"/configs/ip_filter); do + "$1" $w -t "$2" -A "$4" -s $ip -j RETURN + done + } + #tcp&udp分别进代理链 + proxy_set() { + if [ "$3" = 'PREROUTING' ] && [ "$4" != 'shellcrash_vm' ] && [ "$macfilter_type" = "白名单" ] && [ -n "$(cat $CRASHDIR/configs/mac $CRASHDIR/configs/ip_filter 2>/dev/null)" ]; then + [ -s "$CRASHDIR"/configs/mac ] && + for mac in $(cat "$CRASHDIR"/configs/mac); do + "$1" $w -t "$2" -A "$4" -p "$5" -m mac --mac-source $mac -j $JUMP + done + [ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] && + for ip in $(cat "$CRASHDIR"/configs/ip_filter); do + "$1" $w -t "$2" -A "$4" -p "$5" -s $ip -j $JUMP + done + else + for ip in $HOST_IP; do #仅限指定网段流量 + "$1" $w -t "$2" -A "$4" -p "$5" -s $ip -j $JUMP + done + fi + #将所在链指定流量指向shellcrash表 + "$1" $w -t "$2" -I "$3" -p "$5" $ports -j "$4" + [ "$dns_mod" = "mix" -o "$dns_mod" = "fake-ip" ] && [ "$common_ports" = "已开启" ] && [ "$1" = iptables ] && "$1" $w -t "$2" -I "$3" -p "$5" -d 28.0.0.0/8 -j "$4" + [ "$dns_mod" = "mix" -o "$dns_mod" = "fake-ip" ] && [ "$common_ports" = "已开启" ] && [ "$1" = ip6tables ] && "$1" $w -t "$2" -I "$3" -p "$5" -d fc00::/16 -j "$4" + } + [ "$5" = "tcp" -o "$5" = "all" ] && proxy_set "$1" "$2" "$3" "$4" tcp + [ "$5" = "udp" -o "$5" = "all" ] && proxy_set "$1" "$2" "$3" "$4" udp +} +start_ipt_dns() { #iptables-dns通用工具 + #$1:iptables/ip6tables $2:所在的表(OUTPUT/PREROUTING) $3:新创建的shellcrash表 + #区分ipv4/ipv6 + [ "$1" = 'iptables' ] && { + HOST_IP="$host_ipv4" + [ "$2" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4" + [ "$3" = 'shellcrash_vm_dns' ] && HOST_IP="$vm_ipv4" + iptables -h | grep -q '\-w' && w='-w' || w='' + } + [ "$1" = 'ip6tables' ] && { + HOST_IP=$host_ipv6 + ip6tables -h | grep -q '\-w' && w='-w' || w='' + } + "$1" $w -t nat -N "$3" + #防回环 + "$1" $w -t nat -A "$3" -m mark --mark $routing_mark -j RETURN + [ "$2" = 'OUTPUT' ] && for gid in 453 7890; do + "$1" $w -t nat -A "$3" -m owner --gid-owner $gid -j RETURN + done + [ "$firewall_area" = 5 ] && { 
+ "$1" $w -t nat -A "$3" -p tcp -s $bypass_host -j RETURN + "$1" $w -t nat -A "$3" -p udp -s $bypass_host -j RETURN + } + #局域网mac地址黑名单过滤 + [ "$2" = 'PREROUTING' ] && [ "$macfilter_type" != "白名单" ] && { + [ -s "$CRASHDIR"/configs/mac ] && + for mac in $(cat "$CRASHDIR"/configs/mac); do + "$1" $w -t nat -A "$3" -m mac --mac-source $mac -j RETURN + done + [ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] && + for ip in $(cat "$CRASHDIR"/configs/ip_filter); do + "$1" $w -t nat -A "$3" -s $ip -j RETURN + done + } + if [ "$2" = 'PREROUTING' ] && [ "$3" != 'shellcrash_vm_dns' ] && [ "$macfilter_type" = "白名单" ] && [ -n "$(cat $CRASHDIR/configs/mac $CRASHDIR/configs/ip_filter 2>/dev/null)" ]; then + [ -s "$CRASHDIR"/configs/mac ] && + for mac in $(cat "$CRASHDIR"/configs/mac); do + "$1" $w -t nat -A "$3" -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port + "$1" $w -t nat -A "$3" -p udp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port + done + [ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] && + for ip in $(cat "$CRASHDIR"/configs/ip_filter); do + "$1" $w -t nat -A "$3" -p tcp -s $ip -j REDIRECT --to-ports $dns_port + "$1" $w -t nat -A "$3" -p udp -s $ip -j REDIRECT --to-ports $dns_port + done + else + for ip in $HOST_IP; do #仅限指定网段流量 + "$1" $w -t nat -A "$3" -p tcp -s $ip -j REDIRECT --to-ports $dns_port + "$1" $w -t nat -A "$3" -p udp -s $ip -j REDIRECT --to-ports $dns_port + done + fi + [ "$1" = 'ip6tables' ] && { #屏蔽外部请求 + "$1" $w -t nat -A "$3" -p tcp -j RETURN + "$1" $w -t nat -A "$3" -p udp -j RETURN + } + "$1" $w -t nat -I "$2" -p tcp --dport 53 -j "$3" + "$1" $w -t nat -I "$2" -p udp --dport 53 -j "$3" +} +start_ipt_wan() { #iptables公网防火墙 + ipt_wan_accept(){ + $iptable -I INPUT -p "$1" -m multiport --dports "$fw_wan_ports" -j ACCEPT + ckcmd ip6tables && $ip6table -I INPUT -p "$1" -m multiport --dports "$fw_wan_ports" -j ACCEPT + } + ipt_wan_reject(){ + $iptable -I INPUT -p "$1" -m multiport --dports "$reject_ports" -j 
REJECT + ckcmd ip6tables && $ip6table -I INPUT -p "$1" -m multiport --dports "$reject_ports" -j REJECT + } + #端口拦截 + reject_ports="$mix_port,$db_port,$dns_port" + ipt_wan_reject tcp + ipt_wan_reject udp + #端口放行 + [ -n "$fw_wan_ports" ] && { + ipt_wan_accept tcp + ipt_wan_accept udp + } + #本机请求全放行 + $iptable -I INPUT -i lo -j ACCEPT + ckcmd ip6tables && $ip6table -I INPUT -i lo -j ACCEPT +} +start_iptables() { #iptables配置总入口 + #启动公网访问防火墙 + [ "$fw_wan" != OFF ] && start_ipt_wan + #分模式设置流量劫持 + [ "$redir_mod" = "Redir模式" -o "$redir_mod" = "混合模式" ] && { + JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令 + [ "$lan_proxy" = true ] && { + start_ipt_route iptables nat PREROUTING shellcrash tcp #ipv4-局域网tcp转发 + [ "$ipv6_redir" = "已开启" ] && { + if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then + start_ipt_route ip6tables nat PREROUTING shellcrashv6 tcp #ipv6-局域网tcp转发 + else + logger "当前设备内核缺少ip6tables_REDIRECT模块支持,已放弃启动相关规则!" 31 + fi + } + } + [ "$local_proxy" = true ] && { + start_ipt_route iptables nat OUTPUT shellcrash_out tcp #ipv4-本机tcp转发 + [ "$ipv6_redir" = "已开启" ] && { + if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then + start_ipt_route ip6tables nat OUTPUT shellcrashv6_out tcp #ipv6-本机tcp转发 + else + logger "当前设备内核缺少ip6tables_REDIRECT模块支持,已放弃启动相关规则!" 
31 + fi + } + } + } + [ "$redir_mod" = "Tproxy模式" ] && { + modprobe xt_TPROXY >/dev/null 2>&1 + JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令 + if $iptable -j TPROXY -h 2>/dev/null | grep -q '\--on-port'; then + [ "$lan_proxy" = true ] && start_ipt_route iptables mangle PREROUTING shellcrash_mark all + [ "$local_proxy" = true ] && { + if [ -n "$(grep -E '^MARK$' /proc/net/ip_tables_targets)" ]; then + JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令 + start_ipt_route iptables mangle OUTPUT shellcrash_mark_out all + $iptable -t mangle -A PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port + $iptable -t mangle -A PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port + else + logger "当前设备内核可能缺少xt_mark模块支持,已放弃启动本机代理相关规则!" 31 + fi + } + else + logger "当前设备内核可能缺少kmod_ipt_tproxy模块支持,已放弃启动相关规则!" 31 + fi + [ "$ipv6_redir" = "已开启" ] && { + if $ip6table -j TPROXY -h 2>/dev/null | grep -q '\--on-port'; then + JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令 + [ "$lan_proxy" = true ] && start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark all + [ "$local_proxy" = true ] && { + if [ -n "$(grep -E '^MARK$' /proc/net/ip6_tables_targets)" ]; then + JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令 + start_ipt_route ip6tables mangle OUTPUT shellcrashv6_mark_out all + $ip6table -t mangle -A PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port + $ip6table -t mangle -A PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port + else + logger "当前设备内核可能缺少xt_mark模块支持,已放弃启动本机代理相关规则!" 31 + fi + } + else + logger "当前设备内核可能缺少kmod_ipt_tproxy或者xt_mark模块支持,已放弃启动相关规则!" 
31 + fi + } + } + [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" -o "$redir_mod" = "T&U旁路转发" -o "$redir_mod" = "TCP旁路转发" ] && { + JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令 + [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "T&U旁路转发" ] && protocol=all + [ "$redir_mod" = "混合模式" ] && protocol=udp + [ "$redir_mod" = "TCP旁路转发" ] && protocol=tcp + if $iptable -j MARK -h 2>/dev/null | grep -q '\--set-mark'; then + [ "$lan_proxy" = true ] && { + [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && $iptable -I FORWARD -o utun -j ACCEPT + start_ipt_route iptables mangle PREROUTING shellcrash_mark $protocol + } + [ "$local_proxy" = true ] && start_ipt_route iptables mangle OUTPUT shellcrash_mark_out $protocol + else + logger "当前设备内核可能缺少x_mark模块支持,已放弃启动相关规则!" 31 + fi + [ "$ipv6_redir" = "已开启" ] && [ "$crashcore" != clashpre ] && { + if $ip6table -j MARK -h 2>/dev/null | grep -q '\--set-mark'; then + [ "$lan_proxy" = true ] && { + [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && $ip6table -I FORWARD -o utun -j ACCEPT + start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark $protocol + } + [ "$local_proxy" = true ] && start_ipt_route ip6tables mangle OUTPUT shellcrashv6_mark_out $protocol + else + logger "当前设备内核可能缺少xt_mark模块支持,已放弃启动相关规则!" 
31 + fi + } + } + [ "$vm_redir" = "已开启" ] && [ -n "$$vm_ipv4" ] && { + JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令 + start_ipt_dns iptables PREROUTING shellcrash_vm_dns #ipv4-局域网dns转发 + start_ipt_route iptables nat PREROUTING shellcrash_vm tcp #ipv4-局域网tcp转发 + } + #启动DNS劫持 + [ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && { + [ "$lan_proxy" = true ] && { + start_ipt_dns iptables PREROUTING shellcrash_dns #ipv4-局域网dns转发 + if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then + start_ipt_dns ip6tables PREROUTING shellcrashv6_dns #ipv6-局域网dns转发 + else + $ip6table -I INPUT -p tcp --dport 53 -j REJECT >/dev/null 2>&1 + $ip6table -I INPUT -p udp --dport 53 -j REJECT >/dev/null 2>&1 + fi + } + [ "$local_proxy" = true ] && start_ipt_dns iptables OUTPUT shellcrash_dns_out #ipv4-本机dns转发 + } + #屏蔽QUIC + [ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && { + [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && { + set_cn_ip='-m set ! --match-set cn_ip dst' + set_cn_ip6='-m set ! --match-set cn_ip6 dst' + } + [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && { + $iptable -I FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT >/dev/null 2>&1 + $ip6table -I FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT >/dev/null 2>&1 + } + [ "$redir_mod" = "Tproxy模式" ] && { + $iptable -I INPUT -p udp --dport 443 $set_cn_ip -j REJECT >/dev/null 2>&1 + $ip6table -I INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT >/dev/null 2>&1 + } + } +} diff --git a/scripts/starts/fw_nftables.sh b/scripts/starts/fw_nftables.sh new file mode 100644 index 00000000..e4c084e5 --- /dev/null +++ b/scripts/starts/fw_nftables.sh 
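Review bot: `[ -n "$$vm_ipv4" ]` in start_iptables expands `$$` to the shell's PID followed by the literal text vm_ipv4, so the test is always true and never catches an empty `$vm_ipv4`; it should read `[ -n "$vm_ipv4" ]`, and the same typo is in start_nftables in fw_nftables.sh, where an empty HOST_IP then yields `ip saddr != {}` that nft refuses. With vm_ipv4 empty, start_ipt_dns and start_ipt_route still create shellcrash_vm_dns/shellcrash_vm and insert the PREROUTING jumps, but their `for ip in $HOST_IP` loops add no source-matched rule. Separately, start_ipt_wan inserts `-m multiport --dports "$reject_ports" -j REJECT` (with `$dns_port` in reject_ports) into INPUT without any ingress restriction, while start_ipt_dns REDIRECTs LAN queries to that same `$dns_port` in nat PREROUTING; filter INPUT sees the post-REDIRECT port, so LAN DNS hijacking is rejected whenever fw_wan is on and `$dns_port` is not also listed in fw_wan_ports (start_nft_wan's priority -100 input chain has the same shape). One way to keep the block WAN-only is to exempt the LAN segments for just these ports, e.g. after the REJECT insert in ipt_wan_reject: `for ip in $host_ipv4; do $iptable -I INPUT -p "$1" -s $ip -m multiport --dports "$reject_ports" -j ACCEPT; done` (and `$host_ipv6` for the ip6tables copy), which lands above the REJECT because both use -I.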
@@ -0,0 +1,208 @@ +#!/bin/sh +# Copyright (C) Juewuy + +start_nft_route() { #nftables-route通用工具 + #$1:name $2:hook(prerouting/output) $3:type(nat/mangle/filter) $4:priority(-100/-150) + [ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g') + RESERVED_IP=$(echo $reserve_ipv4 | sed 's/ /, /g') + HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g') + [ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')" + [ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')" + #添加新链 + nft add chain inet shellcrash $1 { type $3 hook $2 priority $4 \; } + [ "$1" = 'prerouting_vm' ] && nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理虚拟机流量 + #过滤dns + nft add rule inet shellcrash $1 tcp dport 53 return + nft add rule inet shellcrash $1 udp dport 53 return + #防回环 + nft add rule inet shellcrash $1 meta mark $routing_mark return + nft add rule inet shellcrash $1 meta skgid 7890 return + [ "$firewall_area" = 5 ] && nft add rule inet shellcrash $1 ip saddr $bypass_host return + [ -z "$ports" ] && nft add rule inet shellcrash $1 tcp dport {"$mix_port, $redir_port, $tproxy_port"} return + #过滤常用端口 + [ -n "$PORTS" ] && { + nft add rule inet shellcrash $1 ip daddr != {28.0.0.0/8} tcp dport != {$PORTS} return + nft add rule inet shellcrash $1 ip daddr != {28.0.0.0/8} udp dport != {$PORTS} return + nft add rule inet shellcrash $1 ip6 daddr != {fc00::/16} tcp dport != {$PORTS} return + nft add rule inet shellcrash $1 ip6 daddr != {fc00::/16} udp dport != {$PORTS} return + } + #nft add rule inet shellcrash $1 ip saddr 28.0.0.0/8 return + nft add rule inet shellcrash $1 ip daddr {$RESERVED_IP} return #过滤保留地址 + #过滤局域网设备 + [ "$1" = 'prerouting' ] && { + [ "$macfilter_type" != "白名单" ] && { + [ -s "$CRASHDIR"/configs/mac ] && { + MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac) + nft add rule inet shellcrash $1 ether saddr {$MAC} return + } + [ -s "$CRASHDIR"/configs/ip_filter ] && { + FL_IP=$(awk '{printf "%s, ",$1}' 
"$CRASHDIR"/configs/ip_filter) + nft add rule inet shellcrash $1 ip saddr {$FL_IP} return + } + nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理本机局域网网段流量 + } + [ "$macfilter_type" = "白名单" ] && { + [ -s "$CRASHDIR"/configs/mac ] && MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac) + [ -s "$CRASHDIR"/configs/ip_filter ] && FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter) + if [ -n "$MAC" ] && [ -n "$FL_IP" ]; then + nft add rule inet shellcrash $1 ether saddr != {$MAC} ip saddr != {$FL_IP} return + elif [ -n "$MAC" ]; then + nft add rule inet shellcrash $1 ether saddr != {$MAC} return + elif [ -n "$FL_IP" ]; then + nft add rule inet shellcrash $1 ip saddr != {$FL_IP} return + else + nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理本机局域网网段流量 + fi + } + } + #绕过CN-IP + [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" -a -f "$BINDIR"/cn_ip.txt ] && { + CN_IP=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ip.txt) + [ -n "$CN_IP" ] && nft add rule inet shellcrash $1 ip daddr {$CN_IP} return + } + #局域网ipv6支持 + if [ "$ipv6_redir" = "已开启" -a "$1" = 'prerouting' -a "$firewall_area" != 5 ]; then + RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')" + HOST_IP6="$(echo $host_ipv6 | sed 's/ /, /g')" + #过滤保留地址及本机地址 + nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return + #仅代理本机局域网网段流量 + nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return + #绕过CN_IPV6 + [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" -a -f "$BINDIR"/cn_ipv6.txt ] && { + CN_IP6=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ipv6.txt) + [ -n "$CN_IP6" ] && nft add rule inet shellcrash $1 ip6 daddr {$CN_IP6} return + } + elif [ "$ipv6_redir" = "已开启" -a "$1" = 'output' -a \( "$firewall_area" = 2 -o "$firewall_area" = 3 \) ]; then + RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')" + HOST_IP6="::1, $(echo $host_ipv6 | sed 's/ /, /g')" + #过滤保留地址及本机地址 + nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return + 
#仅代理本机局域网网段流量 + nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return + #绕过CN_IPV6 + [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" -a -f "$BINDIR"/cn_ipv6.txt ] && { + CN_IP6=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ipv6.txt) + [ -n "$CN_IP6" ] && nft add rule inet shellcrash $1 ip6 daddr {$CN_IP6} return + } + else + nft add rule inet shellcrash $1 meta nfproto ipv6 return + fi + #添加通用路由 + nft add rule inet shellcrash "$1" "$JUMP" + #处理特殊路由 + [ "$redir_mod" = "混合模式" ] && { + nft add rule inet shellcrash $1 meta l4proto tcp mark set $((fwmark + 1)) + nft add chain inet shellcrash "$1"_mixtcp { type nat hook $2 priority -100 \; } + nft add rule inet shellcrash "$1"_mixtcp mark $((fwmark + 1)) meta l4proto tcp redirect to $redir_port + } + #nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug +} +start_nft_dns() { #nftables-dns + HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g') + HOST_IP6=$(echo $host_ipv6 | sed 's/ /, /g') + [ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')" + [ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')" + nft add chain inet shellcrash "$1"_dns { type nat hook $2 priority -100 \; } + #过滤非dns请求 + nft add rule inet shellcrash "$1"_dns udp dport != 53 return + nft add rule inet shellcrash "$1"_dns tcp dport != 53 return + #防回环 + nft add rule inet shellcrash "$1"_dns meta mark $routing_mark return + nft add rule inet shellcrash "$1"_dns meta skgid { 453, 7890 } return + [ "$firewall_area" = 5 ] && nft add rule inet shellcrash "$1"_dns ip saddr $bypass_host return + nft add rule inet shellcrash "$1"_dns ip saddr != {$HOST_IP} return #屏蔽外部请求 + [ "$1" = 'prerouting' ] && nft add rule inet shellcrash "$1"_dns ip6 saddr != {$HOST_IP6} return #屏蔽外部请求 + #过滤局域网设备 + [ "$1" = 'prerouting' ] && [ -s "$CRASHDIR"/configs/mac ] && { + MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac) + if [ "$macfilter_type" = "黑名单" ]; then + nft add rule inet shellcrash "$1"_dns ether 
saddr {$MAC} return + else + nft add rule inet shellcrash "$1"_dns ether saddr != {$MAC} return + fi + } + nft add rule inet shellcrash "$1"_dns udp dport 53 redirect to ${dns_port} + nft add rule inet shellcrash "$1"_dns tcp dport 53 redirect to ${dns_port} +} +start_nft_wan() { #nftables公网防火墙 + nft add chain inet shellcrash input { type filter hook input priority -100 \; } + nft add rule inet shellcrash input iif lo accept #本机请求全放行 + #端口放行 + [ -n "$fw_wan_ports" ] && { + fw_wan_nfports="{ $(echo "$fw_wan_ports" | sed 's/,/, /g') }" + nft add rule inet shellcrash input tcp dport $fw_wan_nfports accept + nft add rule inet shellcrash input udp dport $fw_wan_nfports accept + } + #端口拦截 + reject_ports="{ $mix_port, $db_port, $dns_port }" + nft add rule inet shellcrash input tcp dport $reject_ports reject + nft add rule inet shellcrash input udp dport $reject_ports reject +} +start_nftables() { #nftables配置总入口 + #初始化nftables + nft add table inet shellcrash 2>/dev/null + nft flush table inet shellcrash 2>/dev/null + #公网访问防火墙 + [ "$fw_wan" != OFF ] && [ "$systype" != 'container' ] && start_nft_wan + #启动DNS劫持 + [ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && { + [ "$lan_proxy" = true ] && start_nft_dns prerouting prerouting #局域网dns转发 + [ "$local_proxy" = true ] && start_nft_dns output output #本机dns转发 + } + #分模式设置流量劫持 + [ "$redir_mod" = "Redir模式" ] && { + JUMP="meta l4proto tcp redirect to $redir_port" #跳转劫持的具体命令 + [ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -100 + [ "$local_proxy" = true ] && start_nft_route output output nat -100 + } + [ "$redir_mod" = "Tproxy模式" ] && (modprobe nft_tproxy >/dev/null 2>&1 || lsmod 2>/dev/null | grep -q nft_tproxy) && { + JUMP="meta l4proto {tcp, udp} mark set $fwmark tproxy to :$tproxy_port" #跳转劫持的具体命令 + [ "$lan_proxy" = true ] && start_nft_route prerouting prerouting filter -150 + [ "$local_proxy" = true ] && { + JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令 + 
start_nft_route output output route -150 + nft add chain inet shellcrash mark_out { type filter hook prerouting priority -100 \; } + nft add rule inet shellcrash mark_out meta mark $fwmark meta l4proto {tcp, udp} tproxy to :$tproxy_port + } + } + [ "$tun_statu" = true ] && { + [ "$redir_mod" = "Tun模式" ] && JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令 + [ "$redir_mod" = "混合模式" ] && JUMP="meta l4proto udp mark set $fwmark" #跳转劫持的具体命令 + [ "$lan_proxy" = true ] && { + start_nft_route prerouting prerouting filter -150 + #放行流量 + nft list table inet fw4 >/dev/null 2>&1 || nft add table inet fw4 + nft list chain inet fw4 forward >/dev/null 2>&1 || nft add chain inet fw4 forward { type filter hook forward priority filter \; } 2>/dev/null + nft list chain inet fw4 input >/dev/null 2>&1 || nft add chain inet fw4 input { type filter hook input priority filter \; } 2>/dev/null + nft list chain inet fw4 forward | grep -q 'oifname "utun" accept' || nft insert rule inet fw4 forward oifname "utun" accept + nft list chain inet fw4 input | grep -q 'iifname "utun" accept' || nft insert rule inet fw4 input iifname "utun" accept + } + [ "$local_proxy" = true ] && start_nft_route output output route -150 + } + [ "$firewall_area" = 5 ] && { + [ "$redir_mod" = "T&U旁路转发" ] && JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令 + [ "$redir_mod" = "TCP旁路转发" ] && JUMP="meta l4proto tcp mark set $fwmark" #跳转劫持的具体命令 + [ "$lan_proxy" = true ] && start_nft_route prerouting prerouting filter -150 + [ "$local_proxy" = true ] && start_nft_route output output route -150 + } + [ "$vm_redir" = "已开启" ] && [ -n "$$vm_ipv4" ] && { + start_nft_dns prerouting_vm prerouting + JUMP="meta l4proto tcp redirect to $redir_port" #跳转劫持的具体命令 + start_nft_route prerouting_vm prerouting nat -100 + } + #屏蔽QUIC + [ "$quic_rj" = '已启用' -a "$lan_proxy" = true ] && { + [ "$redir_mod" = "Tproxy模式" ] && { + nft add chain inet shellcrash quic_rj { type filter hook input priority 0 \; } + [ -n "$CN_IP" ] && 
nft add rule inet shellcrash quic_rj ip daddr {$CN_IP} return + [ -n "$CN_IP6" ] && nft add rule inet shellcrash quic_rj ip6 daddr {$CN_IP6} return + nft add rule inet shellcrash quic_rj udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT' + } + [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && { + nft insert rule inet fw4 forward oifname "utun" udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT' + [ -n "$CN_IP" ] && nft insert rule inet fw4 forward oifname "utun" ip daddr {$CN_IP} return + [ -n "$CN_IP6" ] && nft insert rule inet fw4 forward oifname "utun" ip6 daddr {$CN_IP6} return + } + } +} diff --git a/scripts/starts/fw_start.sh b/scripts/starts/fw_start.sh new file mode 100644 index 00000000..8c06c82e --- /dev/null +++ b/scripts/starts/fw_start.sh 
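Review bot: The Tun/混合模式 QUIC rules at the end of start_nftables are written into fw4's own forward chain (`nft insert rule inet fw4 forward ... reject comment 'ShellCrash-QUIC-REJECT'` plus the `ip daddr {$CN_IP}` / `ip6 daddr {$CN_IP6}` returns) with no existence check, unlike the `oifname "utun" accept` lines above them that are guarded by `nft list chain ... | grep -q ... ||`, and stop_firewall in fw_stop.sh only flushes and deletes `inet shellcrash`; every start therefore inserts another copy, including a full CN address set, into fw4, and they survive a stop. Keeping them in a forward-hook chain owned by the shellcrash table lets the existing table delete clean them up and makes the ordering explicit, since `nft add` appends in order (CN returns first, then the reject). Note also that `$CN_IP` and `$CN_IP6` are only populated as a side effect of start_nft_route, so the `[ -n "$CN_IP" ]` guards here depend on that call having run earlier in the same shell; a one-line comment saying so would help the next reader.
```shell
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
  nft add chain inet shellcrash quic_fwd { type filter hook forward priority -100 \; }
  [ -n "$CN_IP" ] && nft add rule inet shellcrash quic_fwd ip daddr {$CN_IP} return
  [ -n "$CN_IP6" ] && nft add rule inet shellcrash quic_fwd ip6 daddr {$CN_IP6} return
  nft add rule inet shellcrash quic_fwd oifname "utun" udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT'
}
```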
@@ -0,0 +1,42 @@
+#!/bin/sh
+# Copyright (C) Juewuy
+
+#路由规则总入口
+start_firewall() {
+ getlanip #获取局域网host地址
+ #设置策略路由
+ [ "$firewall_area" != 4 ] && {
+ [ "$redir_mod" = "Tproxy模式" ] && ip route add local default dev lo table $table 2>/dev/null
+ [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
+ i=1
+ while [ -z "$(ip route list | grep utun)" -a "$i" -le 29 ]; do
+ sleep 1
+ i=$((i + 1))
+ done
+ if [ -z "$(ip route list | grep utun)" ]; then
+ logger "找不到tun模块,放弃启动tun相关防火墙规则!" 31
+ else
+ ip route add default dev utun table $table && tun_statu=true
+ fi
+ }
+ [ "$firewall_area" = 5 ] && ip route add default via $bypass_host table $table 2>/dev/null
+ [ "$redir_mod" != "Redir模式" ] && ip rule add fwmark $fwmark table $table 2>/dev/null
+ }
+ #添加ipv6路由
+ [ "$ipv6_redir" = "已开启" -a "$firewall_area" -le 3 ] && {
+ [ "$redir_mod" = "Tproxy模式" ] && ip -6 route add local default dev lo table $((table + 1)) 2>/dev/null
+ [ -n "$(ip route list | grep utun)" ] && ip -6 route add default dev utun table $((table + 1)) 2>/dev/null
+ [ "$redir_mod" != "Redir模式" ] && ip -6 rule add fwmark $fwmark table $((table + 1)) 2>/dev/null
+ }
+ #判断代理用途
+ [ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && local_proxy=true
+ [ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 ] && lan_proxy=true
+ #防火墙配置
+ [ "$firewall_mod" = 'iptables' ] && . "$CRASHDIR"/starts/fw_iptables.sh && start_iptables
+ [ "$firewall_mod" = 'nftables' ] && . "$CRASHDIR"/starts/fw_nftables.sh && start_nftables
+ #修复部分虚拟机dns查询失败的问题
+ [ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -z "$(grep '127.0.0.1' /etc/resolv.conf 2>/dev/null)" ] && [ "$systype" != 'container' ] && {
+ line=$(grep -n 'nameserver' /etc/resolv.conf | awk -F: 'FNR==1{print $1}')
+ sed -i "$line i\nameserver 127.0.0.1 #shellcrash-dns-repair" /etc/resolv.conf >/dev/null 2>&1
+ }
+}
diff --git a/scripts/starts/fw_stop.sh b/scripts/starts/fw_stop.sh
new file mode 100644
index 00000000..7152bca7
--- /dev/null
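Review bot: The utun wait loop, the `if` after it and the IPv6 route line all test `[ -z "$(ip route list | grep utun)" ]` (or `-n`), which forks a subshell and captures output only to check for a match; `ip route list | grep -q utun` expresses the same check directly and is the `grep -q` form start_iptables in this commit already uses, e.g. `while ! ip route list | grep -q utun && [ "$i" -le 29 ]; do` and `if ! ip route list | grep -q utun; then`. A header comment would also help, because start_firewall writes `tun_statu`, `local_proxy` and `lan_proxy` as plain globals that start_iptables/start_nftables read after being sourced on the last lines, and nothing in this function resets them before deciding; e.g. `#sets globals tun_statu/local_proxy/lan_proxy consumed by start_iptables and start_nftables`. Whether a stale `tun_statu=true` from an earlier run in the same shell can survive into this call depends on the caller, which is outside this file.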
+++ b/scripts/starts/fw_stop.sh 
@@ -0,0 +1,130 @@ +#!/bin/sh +# Copyright (C) Juewuy +#还原防火墙配置 +stop_firewall() { + #获取局域网host地址 + getlanip + #重置iptables相关规则 + ckcmd iptables && { + #dns + $iptable -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_dns 2>/dev/null + $iptable -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_dns 2>/dev/null + $iptable -t nat -D OUTPUT -p udp --dport 53 -j shellcrash_dns_out 2>/dev/null + $iptable -t nat -D OUTPUT -p tcp --dport 53 -j shellcrash_dns_out 2>/dev/null + #redir + $iptable -t nat -D PREROUTING -p tcp $ports -j shellcrash 2>/dev/null + $iptable -t nat -D PREROUTING -p tcp -d 28.0.0.0/8 -j shellcrash 2>/dev/null + $iptable -t nat -D OUTPUT -p tcp $ports -j shellcrash_out 2>/dev/null + $iptable -t nat -D OUTPUT -p tcp -d 28.0.0.0/8 -j shellcrash_out 2>/dev/null + #vm_dns + $iptable -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_vm_dns 2>/dev/null + $iptable -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_vm_dns 2>/dev/null + #vm_redir + $iptable -t nat -D PREROUTING -p tcp $ports -j shellcrash_vm 2>/dev/null + $iptable -t nat -D PREROUTING -p tcp -d 28.0.0.0/8 -j shellcrash_vm 2>/dev/null + #TPROXY&tun + $iptable -t mangle -D PREROUTING -p tcp $ports -j shellcrash_mark 2>/dev/null + $iptable -t mangle -D PREROUTING -p udp $ports -j shellcrash_mark 2>/dev/null + $iptable -t mangle -D PREROUTING -p tcp -d 28.0.0.0/8 -j shellcrash_mark 2>/dev/null + $iptable -t mangle -D PREROUTING -p udp -d 28.0.0.0/8 -j shellcrash_mark 2>/dev/null + $iptable -t mangle -D OUTPUT -p tcp $ports -j shellcrash_mark_out 2>/dev/null + $iptable -t mangle -D OUTPUT -p udp $ports -j shellcrash_mark_out 2>/dev/null + $iptable -t mangle -D OUTPUT -p tcp -d 28.0.0.0/8 -j shellcrash_mark_out 2>/dev/null + $iptable -t mangle -D OUTPUT -p udp -d 28.0.0.0/8 -j shellcrash_mark_out 2>/dev/null + $iptable -t mangle -D PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port 2>/dev/null + $iptable -t mangle -D PREROUTING -m mark --mark $fwmark -p udp -j TPROXY 
--on-port $tproxy_port 2>/dev/null + #tun + $iptable -D FORWARD -o utun -j ACCEPT 2>/dev/null + #屏蔽QUIC + [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst' + $iptable -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null + $iptable -D FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT 2>/dev/null + #公网访问 + $iptable -D INPUT -i lo -j ACCEPT 2>/dev/null + $iptable -D INPUT -p tcp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null + $iptable -D INPUT -p udp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null + $iptable -D INPUT -p tcp -m multiport --dports "$mix_port,$db_port,$dns_port" -j REJECT 2>/dev/null + $iptable -D INPUT -p udp -m multiport --dports "$mix_port,$db_port,$dns_port" -j REJECT 2>/dev/null + #清理shellcrash自建表 + for words in shellcrash_dns shellcrash shellcrash_out shellcrash_dns_out shellcrash_vm shellcrash_vm_dns; do + $iptable -t nat -F $words 2>/dev/null + $iptable -t nat -X $words 2>/dev/null + done + for words in shellcrash_mark shellcrash_mark_out; do + $iptable -t mangle -F $words 2>/dev/null + $iptable -t mangle -X $words 2>/dev/null + done + } + #重置ipv6规则 + ckcmd ip6tables && { + #dns + $ip6table -t nat -D PREROUTING -p tcp --dport 53 -j shellcrashv6_dns 2>/dev/null + $ip6table -t nat -D PREROUTING -p udp --dport 53 -j shellcrashv6_dns 2>/dev/null + #redir + $ip6table -t nat -D PREROUTING -p tcp $ports -j shellcrashv6 2>/dev/null + $ip6table -t nat -D PREROUTING -p tcp -d fc00::/16 -j shellcrashv6 2>/dev/null + $ip6table -t nat -D OUTPUT -p tcp $ports -j shellcrashv6_out 2>/dev/null + $ip6table -t nat -D OUTPUT -p tcp -d fc00::/16 -j shellcrashv6_out 2>/dev/null + $ip6table -D INPUT -p tcp --dport 53 -j REJECT 2>/dev/null + $ip6table -D INPUT -p udp --dport 53 -j REJECT 2>/dev/null + #mark + $ip6table -t mangle -D PREROUTING -p tcp $ports -j shellcrashv6_mark 2>/dev/null + $ip6table -t mangle -D PREROUTING -p udp $ports -j shellcrashv6_mark 2>/dev/null + $ip6table 
-t mangle -D PREROUTING -p tcp -d fc00::/16 -j shellcrashv6_mark 2>/dev/null + $ip6table -t mangle -D PREROUTING -p udp -d fc00::/16 -j shellcrashv6_mark 2>/dev/null + $ip6table -t mangle -D OUTPUT -p tcp $ports -j shellcrashv6_mark_out 2>/dev/null + $ip6table -t mangle -D OUTPUT -p udp $ports -j shellcrashv6_mark_out 2>/dev/null + $ip6table -t mangle -D OUTPUT -p tcp -d fc00::/16 -j shellcrashv6_mark_out 2>/dev/null + $ip6table -t mangle -D OUTPUT -p udp -d fc00::/16 -j shellcrashv6_mark_out 2>/dev/null + $ip6table -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null + $ip6table -t mangle -D PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port 2>/dev/null + $ip6table -t mangle -D PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port 2>/dev/null + #tun + $ip6table -D FORWARD -o utun -j ACCEPT 2>/dev/null + #屏蔽QUIC + [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst' + $ip6table -D INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT 2>/dev/null + $ip6table -D FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT 2>/dev/null + #公网访问 + $ip6table -D INPUT -i lo -j ACCEPT 2>/dev/null + $ip6table -D INPUT -p tcp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null + $ip6table -D INPUT -p udp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null + $ip6table -D INPUT -p tcp -m multiport --dports "$mix_port,$db_port,$dns_port" -j REJECT 2>/dev/null + $ip6table -D INPUT -p udp -m multiport --dports "$mix_port,$db_port,$dns_port" -j REJECT 2>/dev/null + #清理shellcrash自建表 + for words in shellcrashv6_dns shellcrashv6 shellcrashv6_out; do + $ip6table -t nat -F $words 2>/dev/null + $ip6table -t nat -X $words 2>/dev/null + done + for words in shellcrashv6_mark shellcrashv6_mark_out; do + $ip6table -t mangle -F $words 2>/dev/null + $ip6table -t mangle -X $words 2>/dev/null + done + $ip6table -t mangle -F shellcrashv6_mark 2>/dev/null + $ip6table -t mangle -X 
shellcrashv6_mark 2>/dev/null + } + #清理ipset规则 + ipset destroy cn_ip >/dev/null 2>&1 + ipset destroy cn_ip6 >/dev/null 2>&1 + #移除dnsmasq转发规则 + [ "$dns_redir" = "已开启" ] && { + uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1 + uci set dhcp.@dnsmasq[0].noresolv=0 2>/dev/null + uci commit dhcp >/dev/null 2>&1 + /etc/init.d/dnsmasq restart >/dev/null 2>&1 + } + #清理路由规则 + ip rule del fwmark $fwmark table $table 2>/dev/null + ip route flush table $table 2>/dev/null + ip -6 rule del fwmark $fwmark table $((table + 1)) 2>/dev/null + ip -6 route flush table $((table + 1)) 2>/dev/null + #重置nftables相关规则 + ckcmd nft && { + nft flush table inet shellcrash >/dev/null 2>&1 + nft delete table inet shellcrash >/dev/null 2>&1 + } + #还原防火墙文件 + [ -s /etc/init.d/firewall.bak ] && mv -f /etc/init.d/firewall.bak /etc/init.d/firewall + #others + [ "$systype" != 'container' ] && sed -i '/shellcrash-dns-repair/d' /etc/resolv.conf >/dev/null 2>&1 +}
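Review bot: The INPUT cleanup for the WAN firewall (`$iptable -D INPUT -p tcp -m multiport --dports "$mix_port,$db_port,$dns_port" -j REJECT` and the `"$fw_wan_ports"` ACCEPT lines, repeated for ip6tables) removes rules by exact specification built from the current variable values, so if mix_port, db_port, dns_port or fw_wan_ports changed since start_ipt_wan inserted them, the old REJECT rules stay in INPUT after a stop and keep rejecting, whereas the shellcrash-named chains in the `for words in ...` loops are flushed and deleted by name regardless of their content. Having start_ipt_wan place its rules in a dedicated chain (for example shellcrash_wan, jumped to from INPUT) would let this function remove them the same robust way: `$iptable -D INPUT -j shellcrash_wan 2>/dev/null`, `$iptable -F shellcrash_wan 2>/dev/null`, `$iptable -X shellcrash_wan 2>/dev/null`, with the ip6tables copy alongside. Each `-D` also deletes only the first matching rule, so a start that ran twice without a stop leaves a second copy behind; that appears to be behaviour inherited from the old start.sh rather than new to this file.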