xm/ShellCrash
1
0
Fork 0
mirror of https://github.com/juewuy/ShellCrash.git synced 2026-03-12 00:11:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

~继续拆分脚本

Browse Source 
~重写公网防火墙功能
This commit is contained in:
juewuy
2025-12-22 19:30:29 +08:00
parent ada0ec70ea
commit 18a829c101
16 changed files with 902 additions and 1097 deletions
Download Patch File Download Diff File Expand all files Collapse all files

277
scripts/starts/fw_iptables.sh Normal file
View File

@@ -0,0 +1,277 @@
#!/bin/sh
# Copyright (C) Juewuy
start_ipt_route() { #iptables-route通用工具
#$1:iptables/ip6tables $2:所在的表(nat/mangle) $3:所在的链(OUTPUT/PREROUTING) $4:新创建的shellcrash链表 $5:tcp/udp/all
#区分ipv4/ipv6
[ "$1" = 'iptables' ] && {
RESERVED_IP=$reserve_ipv4
HOST_IP=$host_ipv4
[ "$3" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4"
[ "$4" = 'shellcrash_vm' ] && HOST_IP="$vm_ipv4"
iptables -h | grep -q '\-w' && w='-w' || w=''
}
[ "$1" = 'ip6tables' ] && {
RESERVED_IP=$reserve_ipv6
HOST_IP=$host_ipv6
[ "$3" = 'OUTPUT' ] && HOST_IP="::1 $host_ipv6"
ip6tables -h | grep -q '\-w' && w='-w' || w=''
}
#创建新的shellcrash链表
"$1" $w -t "$2" -N "$4"
#过滤dns
"$1" $w -t "$2" -A "$4" -p tcp --dport 53 -j RETURN
"$1" $w -t "$2" -A "$4" -p udp --dport 53 -j RETURN
#防回环
"$1" $w -t "$2" -A "$4" -m mark --mark $routing_mark -j RETURN
[ "$3" = 'OUTPUT' ] && for gid in 453 7890; do
"$1" $w -t "$2" -A "$4" -m owner --gid-owner $gid -j RETURN
done
[ "$firewall_area" = 5 ] && "$1" $w -t "$2" -A "$4" -s $bypass_host -j RETURN
[ -z "$ports" ] && "$1" $w -t "$2" -A "$4" -p tcp -m multiport --dports "$mix_port,$redir_port,$tproxy_port" -j RETURN
#跳过目标保留地址及目标本机网段
for ip in $HOST_IP $RESERVED_IP; do
"$1" $w -t "$2" -A "$4" -d $ip -j RETURN
done
#绕过CN_IP
[ "$1" = iptables ] && [ "$dns_mod" != "fake-ip" ] && [ "$cn_ip_route" = "已开启" ] && [ -f "$BINDIR"/cn_ip.txt ] && "$1" $w -t "$2" -A "$4" -m set --match-set cn_ip dst -j RETURN 2>/dev/null
[ "$1" = ip6tables ] && [ "$dns_mod" != "fake-ip" ] && [ "$cn_ip_route" = "已开启" ] && [ -f "$BINDIR"/cn_ipv6.txt ] && "$1" $w -t "$2" -A "$4" -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
#局域网mac地址黑名单过滤
[ "$3" = 'PREROUTING' ] && [ "$macfilter_type" != "白名单" ] && {
[ -s "$CRASHDIR"/configs/mac ] &&
for mac in $(cat "$CRASHDIR"/configs/mac); do
"$1" $w -t "$2" -A "$4" -m mac --mac-source $mac -j RETURN
done
[ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] &&
for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
"$1" $w -t "$2" -A "$4" -s $ip -j RETURN
done
}
#tcp&udp分别进代理链
proxy_set() {
if [ "$3" = 'PREROUTING' ] && [ "$4" != 'shellcrash_vm' ] && [ "$macfilter_type" = "白名单" ] && [ -n "$(cat $CRASHDIR/configs/mac $CRASHDIR/configs/ip_filter 2>/dev/null)" ]; then
[ -s "$CRASHDIR"/configs/mac ] &&
for mac in $(cat "$CRASHDIR"/configs/mac); do
"$1" $w -t "$2" -A "$4" -p "$5" -m mac --mac-source $mac -j $JUMP
done
[ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] &&
for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
"$1" $w -t "$2" -A "$4" -p "$5" -s $ip -j $JUMP
done
else
for ip in $HOST_IP; do #仅限指定网段流量
"$1" $w -t "$2" -A "$4" -p "$5" -s $ip -j $JUMP
done
fi
#将所在链指定流量指向shellcrash表
"$1" $w -t "$2" -I "$3" -p "$5" $ports -j "$4"
[ "$dns_mod" = "mix" -o "$dns_mod" = "fake-ip" ] && [ "$common_ports" = "已开启" ] && [ "$1" = iptables ] && "$1" $w -t "$2" -I "$3" -p "$5" -d 28.0.0.0/8 -j "$4"
[ "$dns_mod" = "mix" -o "$dns_mod" = "fake-ip" ] && [ "$common_ports" = "已开启" ] && [ "$1" = ip6tables ] && "$1" $w -t "$2" -I "$3" -p "$5" -d fc00::/16 -j "$4"
}
[ "$5" = "tcp" -o "$5" = "all" ] && proxy_set "$1" "$2" "$3" "$4" tcp
[ "$5" = "udp" -o "$5" = "all" ] && proxy_set "$1" "$2" "$3" "$4" udp
}
start_ipt_dns() { #iptables-dns通用工具
#$1:iptables/ip6tables $2:所在的表(OUTPUT/PREROUTING) $3:新创建的shellcrash表
#区分ipv4/ipv6
[ "$1" = 'iptables' ] && {
HOST_IP="$host_ipv4"
[ "$2" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4"
[ "$3" = 'shellcrash_vm_dns' ] && HOST_IP="$vm_ipv4"
iptables -h | grep -q '\-w' && w='-w' || w=''
}
[ "$1" = 'ip6tables' ] && {
HOST_IP=$host_ipv6
ip6tables -h | grep -q '\-w' && w='-w' || w=''
}
"$1" $w -t nat -N "$3"
#防回环
"$1" $w -t nat -A "$3" -m mark --mark $routing_mark -j RETURN
[ "$2" = 'OUTPUT' ] && for gid in 453 7890; do
"$1" $w -t nat -A "$3" -m owner --gid-owner $gid -j RETURN
done
[ "$firewall_area" = 5 ] && {
"$1" $w -t nat -A "$3" -p tcp -s $bypass_host -j RETURN
"$1" $w -t nat -A "$3" -p udp -s $bypass_host -j RETURN
}
#局域网mac地址黑名单过滤
[ "$2" = 'PREROUTING' ] && [ "$macfilter_type" != "白名单" ] && {
[ -s "$CRASHDIR"/configs/mac ] &&
for mac in $(cat "$CRASHDIR"/configs/mac); do
"$1" $w -t nat -A "$3" -m mac --mac-source $mac -j RETURN
done
[ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] &&
for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
"$1" $w -t nat -A "$3" -s $ip -j RETURN
done
}
if [ "$2" = 'PREROUTING' ] && [ "$3" != 'shellcrash_vm_dns' ] && [ "$macfilter_type" = "白名单" ] && [ -n "$(cat $CRASHDIR/configs/mac $CRASHDIR/configs/ip_filter 2>/dev/null)" ]; then
[ -s "$CRASHDIR"/configs/mac ] &&
for mac in $(cat "$CRASHDIR"/configs/mac); do
"$1" $w -t nat -A "$3" -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port
"$1" $w -t nat -A "$3" -p udp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port
done
[ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] &&
for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
"$1" $w -t nat -A "$3" -p tcp -s $ip -j REDIRECT --to-ports $dns_port
"$1" $w -t nat -A "$3" -p udp -s $ip -j REDIRECT --to-ports $dns_port
done
else
for ip in $HOST_IP; do #仅限指定网段流量
"$1" $w -t nat -A "$3" -p tcp -s $ip -j REDIRECT --to-ports $dns_port
"$1" $w -t nat -A "$3" -p udp -s $ip -j REDIRECT --to-ports $dns_port
done
fi
[ "$1" = 'ip6tables' ] && { #屏蔽外部请求
"$1" $w -t nat -A "$3" -p tcp -j RETURN
"$1" $w -t nat -A "$3" -p udp -j RETURN
}
"$1" $w -t nat -I "$2" -p tcp --dport 53 -j "$3"
"$1" $w -t nat -I "$2" -p udp --dport 53 -j "$3"
}
start_ipt_wan() { #iptables公网防火墙
ipt_wan_accept(){
$iptable -I INPUT -p "$1" -m multiport --dports "$fw_wan_ports" -j ACCEPT
ckcmd ip6tables && $ip6table -I INPUT -p "$1" -m multiport --dports "$fw_wan_ports" -j ACCEPT
}
ipt_wan_reject(){
$iptable -I INPUT -p "$1" -m multiport --dports "$reject_ports" -j REJECT
ckcmd ip6tables && $ip6table -I INPUT -p "$1" -m multiport --dports "$reject_ports" -j REJECT
}
#端口拦截
reject_ports="$mix_port,$db_port,$dns_port"
ipt_wan_reject tcp
ipt_wan_reject udp
#端口放行
[ -n "$fw_wan_ports" ] && {
ipt_wan_accept tcp
ipt_wan_accept udp
}
#本机请求全放行
$iptable -I INPUT -i lo -j ACCEPT
ckcmd ip6tables && $ip6table -I INPUT -i lo -j ACCEPT
}
start_iptables() { #iptables配置总入口
#启动公网访问防火墙
[ "$fw_wan" != OFF ] && start_ipt_wan
#分模式设置流量劫持
[ "$redir_mod" = "Redir模式" -o "$redir_mod" = "混合模式" ] && {
JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && {
start_ipt_route iptables nat PREROUTING shellcrash tcp #ipv4-局域网tcp转发
[ "$ipv6_redir" = "已开启" ] && {
if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then
start_ipt_route ip6tables nat PREROUTING shellcrashv6 tcp #ipv6-局域网tcp转发
else
logger "当前设备内核缺少ip6tables_REDIRECT模块支持已放弃启动相关规则" 31
fi
}
}
[ "$local_proxy" = true ] && {
start_ipt_route iptables nat OUTPUT shellcrash_out tcp #ipv4-本机tcp转发
[ "$ipv6_redir" = "已开启" ] && {
if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then
start_ipt_route ip6tables nat OUTPUT shellcrashv6_out tcp #ipv6-本机tcp转发
else
logger "当前设备内核缺少ip6tables_REDIRECT模块支持已放弃启动相关规则" 31
fi
}
}
}
[ "$redir_mod" = "Tproxy模式" ] && {
modprobe xt_TPROXY >/dev/null 2>&1
JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令
if $iptable -j TPROXY -h 2>/dev/null | grep -q '\--on-port'; then
[ "$lan_proxy" = true ] && start_ipt_route iptables mangle PREROUTING shellcrash_mark all
[ "$local_proxy" = true ] && {
if [ -n "$(grep -E '^MARK$' /proc/net/ip_tables_targets)" ]; then
JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令
start_ipt_route iptables mangle OUTPUT shellcrash_mark_out all
$iptable -t mangle -A PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port
$iptable -t mangle -A PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port
else
logger "当前设备内核可能缺少xt_mark模块支持已放弃启动本机代理相关规则" 31
fi
}
else
logger "当前设备内核可能缺少kmod_ipt_tproxy模块支持已放弃启动相关规则" 31
fi
[ "$ipv6_redir" = "已开启" ] && {
if $ip6table -j TPROXY -h 2>/dev/null | grep -q '\--on-port'; then
JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark all
[ "$local_proxy" = true ] && {
if [ -n "$(grep -E '^MARK$' /proc/net/ip6_tables_targets)" ]; then
JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令
start_ipt_route ip6tables mangle OUTPUT shellcrashv6_mark_out all
$ip6table -t mangle -A PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port
$ip6table -t mangle -A PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port
else
logger "当前设备内核可能缺少xt_mark模块支持已放弃启动本机代理相关规则" 31
fi
}
else
logger "当前设备内核可能缺少kmod_ipt_tproxy或者xt_mark模块支持已放弃启动相关规则" 31
fi
}
}
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" -o "$redir_mod" = "T&U旁路转发" -o "$redir_mod" = "TCP旁路转发" ] && {
JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "T&U旁路转发" ] && protocol=all
[ "$redir_mod" = "混合模式" ] && protocol=udp
[ "$redir_mod" = "TCP旁路转发" ] && protocol=tcp
if $iptable -j MARK -h 2>/dev/null | grep -q '\--set-mark'; then
[ "$lan_proxy" = true ] && {
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && $iptable -I FORWARD -o utun -j ACCEPT
start_ipt_route iptables mangle PREROUTING shellcrash_mark $protocol
}
[ "$local_proxy" = true ] && start_ipt_route iptables mangle OUTPUT shellcrash_mark_out $protocol
else
logger "当前设备内核可能缺少x_mark模块支持已放弃启动相关规则" 31
fi
[ "$ipv6_redir" = "已开启" ] && [ "$crashcore" != clashpre ] && {
if $ip6table -j MARK -h 2>/dev/null | grep -q '\--set-mark'; then
[ "$lan_proxy" = true ] && {
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && $ip6table -I FORWARD -o utun -j ACCEPT
start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark $protocol
}
[ "$local_proxy" = true ] && start_ipt_route ip6tables mangle OUTPUT shellcrashv6_mark_out $protocol
else
logger "当前设备内核可能缺少xt_mark模块支持已放弃启动相关规则" 31
fi
}
}
[ "$vm_redir" = "已开启" ] && [ -n "$$vm_ipv4" ] && {
JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令
start_ipt_dns iptables PREROUTING shellcrash_vm_dns #ipv4-局域网dns转发
start_ipt_route iptables nat PREROUTING shellcrash_vm tcp #ipv4-局域网tcp转发
}
#启动DNS劫持
[ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && {
[ "$lan_proxy" = true ] && {
start_ipt_dns iptables PREROUTING shellcrash_dns #ipv4-局域网dns转发
if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then
start_ipt_dns ip6tables PREROUTING shellcrashv6_dns #ipv6-局域网dns转发
else
$ip6table -I INPUT -p tcp --dport 53 -j REJECT >/dev/null 2>&1
$ip6table -I INPUT -p udp --dport 53 -j REJECT >/dev/null 2>&1
fi
}
[ "$local_proxy" = true ] && start_ipt_dns iptables OUTPUT shellcrash_dns_out #ipv4-本机dns转发
}
#屏蔽QUIC
[ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && {
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && {
set_cn_ip='-m set ! --match-set cn_ip dst'
set_cn_ip6='-m set ! --match-set cn_ip6 dst'
}
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
$iptable -I FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT >/dev/null 2>&1
$ip6table -I FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT >/dev/null 2>&1
}
[ "$redir_mod" = "Tproxy模式" ] && {
$iptable -I INPUT -p udp --dport 443 $set_cn_ip -j REJECT >/dev/null 2>&1
$ip6table -I INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT >/dev/null 2>&1
}
}
}