xm/ShellCrash
1
0
Fork 0
mirror of https://github.com/juewuy/ShellCrash.git synced 2026-03-10 23:41:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

~继续拆分脚本

Browse Source 
~重写公网防火墙功能
This commit is contained in:
juewuy
2025-12-22 19:30:29 +08:00
parent ada0ec70ea
commit 18a829c101
16 changed files with 902 additions and 1097 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
scripts/libs/set_config.sh
View File

@@ -2,7 +2,7 @@
setconfig() {
[ -z "$3" ] && configpath="$CRASHDIR"/configs/ShellCrash.cfg || configpath="${3}"
if grep -q "^${1}=" "$configpath"; then
sed -i "s#^${1}=.*#^${1}=${2}#g" "$configpath"
sed -i "s#^${1}=.*#${1}=${2}#g" "$configpath"
else
printf '%s=%s\n' "$1" "$2" >>"$configpath"
fi

14
scripts/menu.sh
View File

@@ -331,7 +331,7 @@ main_menu() {
;;
2)
checkcfg=$(cat "$CFG_PATH")
. "$CRASHDIR"/menus/settings.sh && settings
. "$CRASHDIR"/menus/2-settings.sh && settings
if [ -n "$PID" ]; then
checkcfg_new=$(cat "$CFG_PATH")
[ "$checkcfg" != "$checkcfg_new" ] && checkrestart
@@ -346,22 +346,22 @@ main_menu() {
main_menu
;;
4)
. "$CRASHDIR"/menus/setboot.sh && setboot
. "$CRASHDIR"/menus/4-setboot.sh && setboot
main_menu
;;
5)
. "$CRASHDIR"/menus/task.sh && task_menu
. "$CRASHDIR"/menus/5-task.sh && task_menu
main_menu
;;
6)
. "$CRASHDIR"/menus/core_config.sh && set_core_config
. "$CRASHDIR"/menus/6-core_config.sh && set_core_config
main_menu
;;
7)
GT_CFG_PATH="$CRASHDIR"/configs/gateway.cfg
touch "$GT_CFG_PATH"
checkcfg=$(cat $GT_CFG_PATH)
. "$CRASHDIR"/menus/gateway.sh && gateway
. "$CRASHDIR"/menus/7-gateway.sh && gateway
if [ -n "$PID" ]; then
checkcfg_new=$(cat $GT_CFG_PATH)
[ "$checkcfg" != "$checkcfg_new" ] && checkrestart
@@ -369,12 +369,12 @@ main_menu() {
main_menu
;;
8)
. "$CRASHDIR"/menus/tools.sh && tools
. "$CRASHDIR"/menus/8-tools.sh && tools
main_menu
;;
9)
checkcfg=$(cat "$CFG_PATH")
. "$CRASHDIR"/menus/upgrade.sh && upgrade
. "$CRASHDIR"/menus/9-upgrade.sh && upgrade
if [ -n "$PID" ]; then
checkcfg_new=$(cat "$CFG_PATH")
[ "$checkcfg" != "$checkcfg_new" ] && checkrestart

31
scripts/menus/settings.sh → scripts/menus/2-settings.sh
View File

@@ -9,9 +9,9 @@ settings() { #功能设置
echo "-----------------------------------------------"
echo -e "\033[30;47m欢迎使用功能设置菜单\033[0m"
echo "-----------------------------------------------"
echo -e " 1 设置代理模式: \033[36m$redir_mod\033[0m"
echo -e " 2 设置DNS模式: \033[36m$dns_mod\033[0m"
echo -e " 3 设置各类流量过滤"
echo -e " 1 代理模式设置: \033[36m$redir_mod\033[0m"
echo -e " 2 DNS设置: \033[36m$dns_mod\033[0m"
echo -e " 3 透明路由流量过滤"
[ "$disoverride" != "1" ] && {
echo -e " 4 跳过证书验证: \033[36m$skip_cert\033[0m"
echo -e " 5 启用域名嗅探: \033[36m$sniffer\033[0m"
@@ -224,13 +224,12 @@ set_redir_mod() { #代理模式设置
set_redir_mod
;;
5)
redir_mod=TCP旁路转发
redir_mod='TCP旁路转发'
set_redir_config
set_redir_mod
;;
6)
redir_mod=T &
U旁路转发
redir_mod='T&U旁路转发'
set_redir_config
set_redir_mod
;;
@@ -915,17 +914,13 @@ set_firewall_vm(){
esac
setconfig vm_redir $vm_redir
setconfig vm_ipv4 "'$vm_ipv4'"
sleep 1
set_redir_mod
}
set_ipv6() { #ipv6设置
[ -z "$ipv6_redir" ] && ipv6_redir=未开启
[ -z "$ipv6_dns" ] && ipv6_dns=已开启
[ -z "$cn_ipv6_route" ] && cn_ipv6_route=未开启
echo "-----------------------------------------------"
echo -e " 1 ipv6透明代理: \033[36m$ipv6_redir\033[0m ——代理ipv6流量"
[ "$disoverride" != "1" ] && echo -e " 2 ipv6-DNS解析: \033[36m$ipv6_dns\033[0m ——决定内置DNS是否返回ipv6地址"
echo -e " 3 CNV6绕过内核: \033[36m$cn_ipv6_route\033[0m ——优化性能不兼容fake-ip"
echo -e " 0 返回上级菜单"
echo "-----------------------------------------------"
read -p "请输入对应数字 > " num
@@ -948,22 +943,6 @@ set_ipv6() { #ipv6设置
setconfig ipv6_dns $ipv6_dns
set_ipv6
;;
3)
if [ "$ipv6_redir" = "未开启" ]; then
ipv6_support=已开启
ipv6_redir=已开启
setconfig ipv6_redir $ipv6_redir
setconfig ipv6_support $ipv6_support
fi
if [ -n "$(ipset -v 2>/dev/null)" ] || [ "$firewall_mod" = nftables ]; then
[ "$cn_ipv6_route" = "未开启" ] && cn_ipv6_route=已开启 || cn_ipv6_route=未开启
setconfig cn_ipv6_route $cn_ipv6_route
else
echo -e "\033[31m当前设备缺少ipset模块或防火墙未使用nftables无法启用绕过功能\033[0m"
sleep 1
fi
set_ipv6
;;
*)
errornum
;;

0
scripts/menus/setboot.sh → scripts/menus/4-setboot.sh
View File

0
scripts/menus/task.sh → scripts/menus/5-task.sh
View File

0
scripts/menus/core_config.sh → scripts/menus/6-core_config.sh
View File

84
scripts/menus/gateway.sh → scripts/menus/7-gateway.sh
View File

@@ -1,6 +1,7 @@
#!/bin/sh
# Copyright (C) Juewuy
. "$GT_CFG_PATH"
. "$CRASHDIR"/menus/check_port.sh
gateway(){ #访问与控制主菜单
echo -----------------------------------------------
@@ -15,13 +16,13 @@ gateway(){ #访问与控制主菜单
echo -e " 6 配置\033[36mTailscale内网穿透\033[0m(限Singbox) \033[32m$ts_service\033[0m"
echo -e " 7 配置\033[36mWireguard客户端\033[0m(限Singbox) \033[32m$wg_service\033[0m"
}
echo -e " 0 返回上级菜单 \033[0m"
echo -e " 0 返回上级菜单"
echo -----------------------------------------------
read -p "请输入对应数字 > " num
case "$num" in
0) ;;
1)
set_pub_fw
set_fw_wan
gateway
;;
2)
@@ -61,43 +62,58 @@ gateway(){ #访问与控制主菜单
*) errornum ;;
esac
}
set_pub_fw() { #公网防火墙设置
[ -z "$public_support" ] && public_support=未开启
[ -z "$public_mixport" ] && public_mixport=未开启
set_fw_wan() { #公网防火墙设置
[ -z "$fw_wan" ] && fw_wan=ON
echo -----------------------------------------------
echo -e " 1 公网访问Dashboard面板: \033[36m$public_support\033[0m"
echo -e " 2 公网访问Socks/Http代理: \033[36m$public_mixport\033[0m"
echo -e "\033[31m注意\033[0m如在vps运行还需在vps安全策略对相关端口同时放行"
[ -n "$fw_wan_ports" ] &&
echo -e "当前放行端口:\033[36m$fw_wan_ports\033[0m"
echo -e "默认拦截端口:\033[33m$dns_port,$mix_port,$db_port\033[0m"
echo -----------------------------------------------
echo -e " 1 启用/关闭公网防火墙: \033[36m$fw_wan\033[0m"
echo -e " 2 添加放行端口(可包含默认拦截端口)"
echo -e " 3 移除指定放行端口"
echo -e " 0 返回上级菜单"
echo -----------------------------------------------
read -p "请输入对应数字 > " num
case $num in
1)
if [ "$public_support" = "未开启" ]; then
public_support=已开启
else
public_support=未开启
fi
setconfig public_support $public_support
setfirewall
;;
[ "$fw_wan" = ON ] && fw_wan=OFF || fw_wan=ON
setconfig ts_service "$ts_service"
set_fw_wan
;;
2)
if [ "$public_mixport" = "未开启" ]; then
if [ "$mix_port" = "7890" -o -z "$authentication" ]; then
echo -----------------------------------------------
echo -e "\033[33m为了安全考虑请先修改默认Socks/Http端口并设置代理密码\033[0m"
sleep 1
setport
port_count=$(echo "$fw_wan_ports" | awk -F',' '{print NF}' )
if [ "$port_count" -ge 10 ];then
echo -e "\033[31m最多支持设置放行10个端口请先减少一些\033[0m"
else
read -p "请输入要放行的端口号 > " port
if echo ",$fw_wan_ports," | grep -q ",$port,";then
echo -e "\033[31m输入错误请勿重复添加\033[0m"
elif [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
echo -e "\033[31m输入错误请输入正确的数值(1-65535)\033[0m"
else
public_mixport=已开启
fw_wan_ports=$(echo "$fw_wan_ports,$port" | sed "s/^,//")
setconfig fw_wan_ports "$fw_wan_ports"
fi
fi
sleep 1
set_fw_wan
;;
3)
read -p "请输入要移除的端口号 > " port
if echo ",$fw_wan_ports," | grep -q ",$port,";then
if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
echo -e "\033[31m输入错误请输入正确的数值(1-65535)\033[0m"
else
fw_wan_ports=$(echo ",$fw_wan_ports," | sed "s/,$port//; s/^,//; s/,$//")
setconfig fw_wan_ports "$fw_wan_ports"
fi
else
public_mixport=未开启
echo -e "\033[31m输入错误请输入已添加过的端口\033[0m"
fi
setconfig public_mixport $public_mixport
setfirewall
;;
3)
set_cust_host_ipv4
setfirewall
sleep 1
set_fw_wan
;;
*)
errornum
@@ -192,7 +208,7 @@ set_bot_tg(){
}
set_vmess(){
echo -----------------------------------------------
echo -e "\033[31m注意\033[0m启动内核服务后会自动开放相应端口公网访问,请谨慎使用\n 脚本只提供基础功能,更多需求请使用自定义配置文件功能!"
echo -e "\033[31m注意\033[0m设置的端口会添加到公网访问防火墙并自动放行\n 脚本只提供基础功能,更多需求请用自定义配置文件功能!"
echo -----------------------------------------------
echo -e " 1 \033[32m启用/关闭\033[0mVmess入站 \033[32m$vms_service\033[0m"
echo -----------------------------------------------
@@ -218,10 +234,11 @@ set_vmess(){
2)
read -p "请输入端口号(输入0删除) > " text
[ "$text" = 0 ] && unset vms_port
. "$CRASHDIR"/menus/check_port.sh
if check_port "$text"; then
vms_port="$text"
setconfig vms_port "$text" "$CFG"
fw_wan_ports=$(echo "$fw_wan_ports,$vms_port" | sed "s/^,//")
setconfig fw_wan_ports "$fw_wan_ports"
else
sleep 1
fi
@@ -263,7 +280,7 @@ set_vmess(){
set_shadowsocks(){
[ -z "$sss_cipher" ] && sss_cipher='xchacha20-ietf-poly1305'
echo -----------------------------------------------
echo -e "\033[31m注意\033[0m启动内核服务后会自动开放相应端口公网访问,请谨慎使用\n 脚本只提供基础功能,更多需求请使用自定义配置文件功能!"
echo -e "\033[31m注意\033[0m设置的端口会添加到公网访问防火墙并自动放行\n 脚本只提供基础功能,更多需求请用自定义配置文件功能!"
echo -----------------------------------------------
echo -e " 1 \033[32m启用/关闭\033[0mShadowSocks入站 \033[32m$sss_service\033[0m"
echo -----------------------------------------------
@@ -288,10 +305,11 @@ set_shadowsocks(){
2)
read -p "请输入端口号(输入0删除) > " text
[ "$text" = 0 ] && unset sss_port
. "$CRASHDIR"/menus/check_port.sh
if check_port "$text"; then
sss_port="$text"
setconfig sss_port "$text" "$CFG"
fw_wan_ports=$(echo "$fw_wan_ports,$sss_port" | sed "s/^,//")
setconfig fw_wan_ports "$fw_wan_ports"
else
sleep 1
fi

354
scripts/menus/tools.sh → scripts/menus/8-tools.sh
View File

@@ -518,183 +518,6 @@ log_pusher() {
*) errornum ;;
esac
}
#新手引导
userguide(){
forwhat(){
echo "-----------------------------------------------"
echo -e "\033[30;46m 欢迎使用ShellCrash新手引导 \033[0m"
echo "-----------------------------------------------"
echo -e "\033[33m请先选择你的使用环境 \033[0m"
echo -e "\033[0m(你之后依然可以在设置中更改各种配置)\033[0m"
echo "-----------------------------------------------"
echo -e " 1 \033[32m路由设备配置局域网透明代理\033[0m"
echo -e " 2 \033[36mLinux设备仅配置本机代理\033[0m"
[ -f "$CFG_PATH.bak" ] && echo -e " 3 \033[33m还原之前备份的设置\033[0m"
echo "-----------------------------------------------"
read -p "请输入对应数字 > " num
case "$num" in
1)
#设置运行模式
redir_mod="混合模式"
[ -n "$(echo $cputype | grep -E "linux.*mips.*")" ] && {
if grep -qE '^TPROXY$' /proc/net/ip_tables_targets || modprobe xt_TPROXY >/dev/null 2>&1; then
redir_mod="Tproxy模式"
else
redir_mod="Redir模式"
fi
}
setconfig crashcore "meta"
setconfig redir_mod "$redir_mod"
setconfig dns_mod mix
setconfig firewall_area '1'
#默认启用绕过CN-IP
setconfig cn_ip_route 已开启
#自动识别IPV6
[ -n "$(ip a 2>&1 | grep -w 'inet6' | grep -E 'global' | sed 's/.*inet6.//g' | sed 's/scope.*$//g')" ] && {
setconfig ipv6_redir 已开启
setconfig ipv6_support 已开启
setconfig ipv6_dns 已开启
setconfig cn_ipv6_route 已开启
}
#设置开机启动
[ -f /etc/rc.common -a "$(cat /proc/1/comm)" = "procd" ] && /etc/init.d/shellcrash enable
ckcmd systemctl && [ "$(cat /proc/1/comm)" = "systemd" ] && systemctl enable shellcrash.service > /dev/null 2>&1
rm -rf "$CRASHDIR"/.dis_startup
autostart=enable
#检测IP转发
if [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "0" ];then
echo "-----------------------------------------------"
echo -e "\033[33m检测到你的设备尚未开启ip转发局域网设备将无法正常连接网络是否立即开启\033[0m"
read -p "是否开启?(1/0) > " res
[ "$res" = 1 ] && {
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -w net.ipv4.ip_forward=1
} && echo "已成功开启ipv4转发如未正常开启请手动重启设备" || echo "开启失败!请自行谷歌查找当前设备的开启方法!"
fi
#禁止docker启用的net.bridge.bridge-nf-call-iptables
sysctl -w net.bridge.bridge-nf-call-iptables=0 > /dev/null 2>&1
sysctl -w net.bridge.bridge-nf-call-ip6tables=0 > /dev/null 2>&1
;;
2)
setconfig redir_mod "Redir模式"
[ -n "$(echo $cputype | grep -E "linux.*mips.*")" ] && setconfig crashcore "clash"
setconfig common_ports "未开启"
setconfig firewall_area '2'
;;
3)
mv -f $CFG_PATH.bak $CFG_PATH
echo -e "\033[32m脚本设置已还原\033[0m"
echo -e "\033[33m请重新启动脚本\033[0m"
exit 0
;;
*)
errornum
forwhat
;;
esac
}
forwhat
#检测小内存模式
dir_size=$(dir_avail "$CRASHDIR")
if [ "$dir_size" -lt 10240 ];then
echo "-----------------------------------------------"
echo -e "\033[33m检测到你的安装目录空间不足10M是否开启小闪存模式\033[0m"
echo -e "\033[0m开启后核心及数据库文件将被下载到内存中这将占用一部分内存空间\033[0m"
echo -e "\033[0m每次开机后首次运行服务时都会自动的重新下载相关文件\033[0m"
echo "-----------------------------------------------"
read -p "是否开启?(1/0) > " res
[ "$res" = 1 ] && {
BINDIR=/tmp/ShellCrash
setconfig BINDIR /tmp/ShellCrash "$CRASHDIR"/configs/command.env
}
fi
#检测及下载根证书
openssldir="$(openssl version -d 2>&1 | awk -F '"' '{print $2}')"
[ ! -d "$openssldir/certs" ] && openssldir=/etc/ssl
if [ -d $openssldir/certs -a ! -f $openssldir/certs/ca-certificates.crt ];then
echo "-----------------------------------------------"
echo -e "\033[33m当前设备未找到根证书文件\033[0m"
echo "-----------------------------------------------"
read -p "是否下载并安装根证书?(1/0) > " res
[ "$res" = 1 ] && checkupdate && getcrt
fi
#设置加密DNS
if [ -s $openssldir/certs/ca-certificates.crt ];then
dns_nameserver='https://dns.alidns.com/dns-query, https://doh.pub/dns-query'
dns_fallback='https://cloudflare-dns.com/dns-query, https://dns.google/dns-query, https://doh.opendns.com/dns-query'
dns_resolver='https://223.5.5.5/dns-query, 2400:3200::1'
setconfig dns_nameserver "'$dns_nameserver'"
setconfig dns_fallback "'$dns_fallback'"
setconfig dns_resolver "'$dns_resolver'"
fi
#开启公网访问
sethost(){
read -p "请输入你的公网IP地址 > " host
echo $host | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
if [ -z "$host" ];then
echo -e "\033[31m请输入正确的IP地址\033[0m"
sethost
fi
}
if ckcmd systemctl;then
echo "-----------------------------------------------"
echo -e "\033[32m是否开启公网访问Dashboard面板及socks服务\033[0m"
echo -e "注意当前设备必须有公网IP才能从公网正常访问"
echo -e "\033[31m此功能会增加暴露风险请谨慎使用\033[0m"
echo -e "vps设备可能还需要额外在服务商后台开启相关端口"
read -p "现在开启?(1/0) > " res
if [ "$res" = 1 ];then
read -p "请先设置面板访问秘钥 > " secret
read -p "请先修改Socks服务端口(1-65535) > " mix_port
read -p "请先设置Socks服务密码(账号默认为crash) > " sec
[ -z "$sec" ] && authentication=crash:$sec
host=$(curl ip.sb 2>/dev/null | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
if [ -z "$host" ];then
sethost
fi
public_support=已开启
setconfig secret $secret
setconfig mix_port $mix_port
setconfig host $host
setconfig public_support $public_support
setconfig authentication "'$authentication'"
fi
fi
#启用推荐的自动任务配置
. "$CRASHDIR"/task/task.sh && task_recom
#小米设备软固化
if [ "$systype" = "mi_snapshot" ];then
echo "-----------------------------------------------"
echo -e "\033[33m检测到为小米路由设备启用软固化可防止路由升级后丢失SSH\033[0m"
read -p "是否启用软固化功能?(1/0) > " res
[ "$res" = 1 ] && mi_autoSSH
fi
#提示导入订阅或者配置文件
[ ! -s "$CRASHDIR"/yamls/config.yaml -a ! -s "$CRASHDIR"/jsons/config.json ] && {
echo "-----------------------------------------------"
echo -e "\033[32m是否导入配置文件\033[0m(这是运行前的最后一步)"
echo -e "\033[0m你必须拥有一份配置文件才能运行服务\033[0m"
echo "-----------------------------------------------"
read -p "现在开始导入?(1/0) > " res
[ "$res" = 1 ] && inuserguide=1 && {
if [ -f "$CRASHDIR"/v2b_api.sh ];then
. "$CRASHDIR"/v2b_api.sh
else
set_core_config
fi
set_core_config
inuserguide=""
}
}
#回到主界面
echo "-----------------------------------------------"
echo -e "\033[36m很好现在只需要执行启动就可以愉快的使用了\033[0m"
echo "-----------------------------------------------"
read -p "立即启动服务?(1/0) > " res
[ "$res" = 1 ] && start_core && sleep 2
main_menu
}
#测试菜单
testcommand(){
echo "$crashcore" | grep -q 'singbox' && config_path=${JSONSDIR}/config.json || config_path=${YAMLSDIR}/config.yaml
@@ -882,3 +705,180 @@ debug(){
esac
}
#新手引导
userguide(){
forwhat(){
echo "-----------------------------------------------"
echo -e "\033[30;46m 欢迎使用ShellCrash新手引导 \033[0m"
echo "-----------------------------------------------"
echo -e "\033[33m请先选择你的使用环境 \033[0m"
echo -e "\033[0m(你之后依然可以在设置中更改各种配置)\033[0m"
echo "-----------------------------------------------"
echo -e " 1 \033[32m路由设备配置局域网透明代理\033[0m"
echo -e " 2 \033[36mLinux设备仅配置本机代理\033[0m"
[ -f "$CFG_PATH.bak" ] && echo -e " 3 \033[33m还原之前备份的设置\033[0m"
echo "-----------------------------------------------"
read -p "请输入对应数字 > " num
case "$num" in
1)
#设置运行模式
redir_mod="混合模式"
[ -n "$(echo $cputype | grep -E "linux.*mips.*")" ] && {
if grep -qE '^TPROXY$' /proc/net/ip_tables_targets || modprobe xt_TPROXY >/dev/null 2>&1; then
redir_mod="Tproxy模式"
else
redir_mod="Redir模式"
fi
}
setconfig crashcore "meta"
setconfig redir_mod "$redir_mod"
setconfig dns_mod mix
setconfig firewall_area '1'
#默认启用绕过CN-IP
setconfig cn_ip_route 已开启
#自动识别IPV6
[ -n "$(ip a 2>&1 | grep -w 'inet6' | grep -E 'global' | sed 's/.*inet6.//g' | sed 's/scope.*$//g')" ] && {
setconfig ipv6_redir 已开启
setconfig ipv6_support 已开启
setconfig ipv6_dns 已开启
setconfig cn_ipv6_route 已开启
}
#设置开机启动
[ -f /etc/rc.common -a "$(cat /proc/1/comm)" = "procd" ] && /etc/init.d/shellcrash enable
ckcmd systemctl && [ "$(cat /proc/1/comm)" = "systemd" ] && systemctl enable shellcrash.service > /dev/null 2>&1
rm -rf "$CRASHDIR"/.dis_startup
autostart=enable
#检测IP转发
if [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "0" ];then
echo "-----------------------------------------------"
echo -e "\033[33m检测到你的设备尚未开启ip转发局域网设备将无法正常连接网络是否立即开启\033[0m"
read -p "是否开启?(1/0) > " res
[ "$res" = 1 ] && {
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -w net.ipv4.ip_forward=1
} && echo "已成功开启ipv4转发如未正常开启请手动重启设备" || echo "开启失败!请自行谷歌查找当前设备的开启方法!"
fi
#禁止docker启用的net.bridge.bridge-nf-call-iptables
sysctl -w net.bridge.bridge-nf-call-iptables=0 > /dev/null 2>&1
sysctl -w net.bridge.bridge-nf-call-ip6tables=0 > /dev/null 2>&1
;;
2)
setconfig redir_mod "Redir模式"
[ -n "$(echo $cputype | grep -E "linux.*mips.*")" ] && setconfig crashcore "clash"
setconfig common_ports "未开启"
setconfig firewall_area '2'
;;
3)
mv -f $CFG_PATH.bak $CFG_PATH
echo -e "\033[32m脚本设置已还原\033[0m"
echo -e "\033[33m请重新启动脚本\033[0m"
exit 0
;;
*)
errornum
forwhat
;;
esac
}
forwhat
#检测小内存模式
dir_size=$(dir_avail "$CRASHDIR")
if [ "$dir_size" -lt 10240 ];then
echo "-----------------------------------------------"
echo -e "\033[33m检测到你的安装目录空间不足10M是否开启小闪存模式\033[0m"
echo -e "\033[0m开启后核心及数据库文件将被下载到内存中这将占用一部分内存空间\033[0m"
echo -e "\033[0m每次开机后首次运行服务时都会自动的重新下载相关文件\033[0m"
echo "-----------------------------------------------"
read -p "是否开启?(1/0) > " res
[ "$res" = 1 ] && {
BINDIR=/tmp/ShellCrash
setconfig BINDIR /tmp/ShellCrash "$CRASHDIR"/configs/command.env
}
fi
#检测及下载根证书
openssldir="$(openssl version -d 2>&1 | awk -F '"' '{print $2}')"
[ ! -d "$openssldir/certs" ] && openssldir=/etc/ssl
if [ -d $openssldir/certs -a ! -f $openssldir/certs/ca-certificates.crt ];then
echo "-----------------------------------------------"
echo -e "\033[33m当前设备未找到根证书文件\033[0m"
echo "-----------------------------------------------"
read -p "是否下载并安装根证书?(1/0) > " res
[ "$res" = 1 ] && checkupdate && getcrt
fi
#设置加密DNS
if [ -s $openssldir/certs/ca-certificates.crt ];then
dns_nameserver='https://dns.alidns.com/dns-query, https://doh.pub/dns-query'
dns_fallback='https://cloudflare-dns.com/dns-query, https://dns.google/dns-query, https://doh.opendns.com/dns-query'
dns_resolver='https://223.5.5.5/dns-query, 2400:3200::1'
setconfig dns_nameserver "'$dns_nameserver'"
setconfig dns_fallback "'$dns_fallback'"
setconfig dns_resolver "'$dns_resolver'"
fi
#开启公网访问
sethost(){
read -p "请输入你的公网IP地址 > " host
echo $host | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
if [ -z "$host" ];then
echo -e "\033[31m请输入正确的IP地址\033[0m"
sethost
fi
}
if ckcmd systemctl;then
echo "-----------------------------------------------"
echo -e "\033[32m是否开启公网访问Dashboard面板及socks服务\033[0m"
echo -e "注意当前设备必须有公网IP才能从公网正常访问"
echo -e "\033[31m此功能会增加暴露风险请谨慎使用\033[0m"
echo -e "vps设备可能还需要额外在服务商后台开启相关端口"
read -p "现在开启?(1/0) > " res
if [ "$res" = 1 ];then
read -p "请先设置面板访问秘钥 > " secret
read -p "请先修改Socks服务端口(1-65535) > " mix_port
read -p "请先设置Socks服务密码(账号默认为crash) > " sec
[ -z "$sec" ] && authentication=crash:$sec
host=$(curl ip.sb 2>/dev/null | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
if [ -z "$host" ];then
sethost
fi
public_support=已开启
setconfig secret $secret
setconfig mix_port $mix_port
setconfig host $host
setconfig public_support $public_support
setconfig authentication "'$authentication'"
fi
fi
#启用推荐的自动任务配置
. "$CRASHDIR"/task/task.sh && task_recom
#小米设备软固化
if [ "$systype" = "mi_snapshot" ];then
echo "-----------------------------------------------"
echo -e "\033[33m检测到为小米路由设备启用软固化可防止路由升级后丢失SSH\033[0m"
read -p "是否启用软固化功能?(1/0) > " res
[ "$res" = 1 ] && mi_autoSSH
fi
#提示导入订阅或者配置文件
[ ! -s "$CRASHDIR"/yamls/config.yaml -a ! -s "$CRASHDIR"/jsons/config.json ] && {
echo "-----------------------------------------------"
echo -e "\033[32m是否导入配置文件\033[0m(这是运行前的最后一步)"
echo -e "\033[0m你必须拥有一份配置文件才能运行服务\033[0m"
echo "-----------------------------------------------"
read -p "现在开始导入?(1/0) > " res
[ "$res" = 1 ] && inuserguide=1 && {
if [ -f "$CRASHDIR"/v2b_api.sh ];then
. "$CRASHDIR"/v2b_api.sh
else
set_core_config
fi
set_core_config
inuserguide=""
}
}
#回到主界面
echo "-----------------------------------------------"
echo -e "\033[36m很好现在只需要执行启动就可以愉快的使用了\033[0m"
echo "-----------------------------------------------"
read -p "立即启动服务?(1/0) > " res
[ "$res" = 1 ] && start_core && sleep 2
main_menu
}

0
scripts/menus/upgrade.sh → scripts/menus/9-upgrade.sh
View File

178
scripts/menus/ddns_op.sh
View File

@@ -1,178 +0,0 @@
#! /bin/bash
# Copyright (C) Juewuy
ddns_dir=/etc/config/ddns
tmp_dir=/tmp/ddns_$USER
[ ! -f $ddns_dir ] && echo -e "本脚本依赖OpenWrt内置的DDNS服务,当前设备无法运行,已退出!" && exit 1
echo -----------------------------------------------
echo -e "\033[30;46m欢迎使用ShellDDNS\033[0m"
echo -e "TG群\033[36;4mhttps://t.me/ShellCrash\033[0m"
add_ddns() {
cat >>$ddns_dir <<EOF
config service '$service'
option enabled '1'
option force_unit 'hours'
option lookup_host '$domain'
option service_name '$service_name'
option domain '$domain'
option username '$username'
option use_https '0'
option use_ipv6 '$use_ipv6'
option password '$password'
option ip_source 'web'
option ip_url 'http://ip.sb'
option check_unit 'minutes'
option check_interval '$check_interval'
option force_interval '$force_interval'
option interface 'wan'
option bind_network 'wan'
EOF
/usr/lib/ddns/dynamic_dns_updater.sh -S $service start >/dev/null 2>&1 &
sleep 3
echo 服务已经添加!
}
set_ddns() {
echo -----------------------------------------------
read -p "请输入你的域名 > " str
[ -z "$str" ] && domain=$domain || domain=$str
echo -----------------------------------------------
read -p "请输入用户名或邮箱 > " str
[ -z "$str" ] && username=$username || username=$str
echo -----------------------------------------------
read -p "请输入密码或令牌秘钥 > " str
[ -z "$str" ] && password=$password || password=$str
echo -----------------------------------------------
read -p "请输入检测更新间隔(单位:分钟;默认为10) > " check_interval
[ -z "$check_interval" ] || [ "$check_interval" -lt 1 -o "$check_interval" -gt 1440 ] && check_interval=10
echo -----------------------------------------------
read -p "请输入强制更新间隔(单位:小时;默认为24) > " force_interval
[ -z "$force_interval" ] || [ "$force_interval" -lt 1 -o "$force_interval" -gt 240 ] && force_interval=24
echo -----------------------------------------------
echo -e "请核对如下信息:"
echo -e "服务商: \033[32m$service\033[0m"
echo -e "域名: \033[32m$domain\033[0m"
echo -e "用户名: \033[32m$username\033[0m"
echo -e "检测间隔: \033[32m$check_interval\033[0m"
echo -----------------------------------------------
read -p "确认添加?(1/0) > " res
[ "$res" = 1 ] && add_ddns || set_ddns
}
set_service() {
services_dir=/etc/ddns/$serv
[ -s $services_dir ] || services_dir=/usr/share/ddns/list
echo -----------------------------------------------
echo -e "\033[32m请选择服务提供商\033[0m"
cat $services_dir | grep -v '^#' | awk '{print " "NR" " $1}'
nr=$(cat $services_dir | grep -v '^#' | wc -l)
read -p "请输入对应数字 > " num
if [ -z "$num" ]; then
i=
elif [ "$num" -gt 0 -a "$num" -lt $nr ]; then
service_name=$(cat $services_dir | grep -v '^#' | awk '{print $1}' | sed -n "$num"p | sed 's/"//g')
service=$(echo $service_name | sed 's/\./_/g')
set_ddns
else
echo "输入错误,请重新输入!"
sleep 1
set_service
fi
}
network_type() {
echo -----------------------------------------------
echo -e "\033[32m请选择网络模式\033[0m"
echo -e " 1 \033[36mIPV4\033[0m"
echo -e " 2 \033[36mIPV6\033[0m"
read -p "请输入对应数字 > " num
if [ -z "$num" ]; then
i=
elif [ "$num" = 1 ]; then
use_ipv6=0
serv=services
set_service
elif [ "$num" = 2 ]; then
use_ipv6=1
serv=services_ipv6
set_service
else
echo "输入错误,请重新输入!"
sleep 1
network_type
fi
}
rev_service() {
enabled=$(uci show ddns.$service | grep 'enabled' | awk -F "=" '{print $2}' | tr -d "'\"")
[ "$enabled" = 1 ] && enabled_b="停用" || enabled_b="启用"
echo -----------------------------------------------
echo -e " 1 \033[32m立即更新\033[0m"
echo -e " 2 编辑当前服务\033[0m"
echo -e " 3 $enabled_b当前服务"
echo -e " 4 移除当前服务"
echo -e " 5 查看运行日志"
echo -e " 0 返回上级菜单"
echo -----------------------------------------------
read -p "请输入对应数字 > " num
if [ -z "$num" -o "$num" = 0 ]; then
i=
elif [ "$num" = 1 ]; then
/usr/lib/ddns/dynamic_dns_updater.sh -S $service start >/dev/null 2>&1 &
sleep 3
elif [ "$num" = 2 ]; then
domain=$(uci show ddns.$service | grep 'domain' | awk -F "=" '{print $2}' | tr -d "'\"")
username=$(uci show ddns.$service | grep 'username' | awk -F "=" '{print $2}' | tr -d "'\"")
password=$(uci show ddns.$service | grep 'password' | awk -F "=" '{print $2}' | tr -d "'\"")
service_name=$(uci show ddns.$service | grep 'service_name' | awk -F "=" '{print $2}' | tr -d "'\"")
uci delete ddns.$service
set_ddns
elif [ "$num" = 3 ]; then
[ "$enabled" = 1 ] && uci set ddns.$service.enabled='0' || uci set ddns.$service.enabled='1' && sleep 3
uci commit ddns.$service
elif [ "$num" = 4 ]; then
uci delete ddns.$service
uci commit ddns.$service
elif [ "$num" = 5 ]; then
echo -----------------------------------------------
cat /var/log/ddns/$service.log 2>/dev/null
sleep 1
fi
}
load_ddns() {
nr=0
cat $ddns_dir | grep 'config service' | awk '{print $3}' | sed "s/\'//g" | sed "s/\"//g" >$tmp_dir
echo -----------------------------------------------
echo -e "列表 域名 启用 IP地址"
echo -----------------------------------------------
for service in $(cat $tmp_dir); do
#echo $service >>$tmp_dir
nr=$((nr + 1))
enabled=$(uci show ddns.$service 2>/dev/null | grep 'enabled' | awk -F "=" '{print $2}' | tr -d "'\"")
domain=$(uci show ddns.$service 2>/dev/null | grep 'domain' | awk -F "=" '{print $2}' | tr -d "'\"")
local_ip=$(sed '1!G;h;$!d' /var/log/ddns/$service.log 2>/dev/null | grep -E 'Registered IP' | tail -1 | awk -F "'" '{print $2}' | tr -d "'\"")
echo -e " $nr $domain $enabled $local_ip"
done
echo -e " $((nr + 1)) 添加DDNS服务"
echo -e " 0 退出"
echo -----------------------------------------------
read -p "请输入对应序号 > " num
if [ -z "$num" -o "$num" = 0 ]; then
i=
elif [ "$num" -gt $nr ]; then
network_type
load_ddns
elif [ "$num" -gt 0 -a "$num" -le $nr ]; then
service=$(cat $tmp_dir | sed -n "$num"p)
rev_service
load_ddns
else
echo "请输入正确数字!" && load_ddns
fi
}
load_ddns
rm -rf $tmp_dir

1
scripts/menus/dns.sh
View File

@@ -129,7 +129,6 @@ set_dns_adv() { #DNS详细设置
echo -e " 3 修改\033[33m解析DNS\033[0m(必须是IP,用于解析其他DNS)"
echo -e " 4 DNS防泄漏 \033[36m$dns_protect\033[0m ———启用时少量网站可能连接卡顿"
echo -e " 5 hosts优化 \033[36m$hosts_opt\033[0m ———调用本机hosts并劫持NTP服务"
#echo -e " 6 Dnsmasq转发\033[36m$dns_redir\033[0m ———不推荐使用"
echo -e " 7 禁用DNS劫持\033[36m$dns_no\033[0m ———搭配第三方DNS使用"
echo -e " 8 一键配置\033[32m加密DNS\033[0m"
echo -e " 9 \033[33m重置\033[0m默认DNS配置"

678
scripts/start.sh
View File

@@ -13,6 +13,8 @@ CRASHDIR=$(
#加载工具
. "$CRASHDIR"/libs/set_config.sh
. "$CRASHDIR"/libs/check_cmd.sh
. "$CRASHDIR"/starts/fw_start.sh
. "$CRASHDIR"/starts/fw_stop.sh
#脚本内部工具
getconfig() { #读取配置及全局变量
@@ -25,7 +27,6 @@ getconfig() { #读取配置及全局变量
[ -z "$dns_mod" ] && dns_mod=fake-ip
[ -z "$ipv6_redir" ] && ipv6_redir=未开启
[ -z "$ipv6_dns" ] && ipv6_dns=已开启
[ -z "$cn_ipv6_route" ] && cn_ipv6_route=未开启
[ -z "$macfilter_type" ] && macfilter_type=黑名单
[ -z "$mix_port" ] && mix_port=7890
[ -z "$redir_port" ] && redir_port=7892
@@ -1043,677 +1044,6 @@ cn_ipv6_route() { #CN-IPV6绕过
rm -rf "$TMPDIR"/cn_ipv6.ipset
}
}
start_ipt_route() { #iptables-route通用工具
#$1:iptables/ip6tables $2:所在的表(nat/mangle) $3:所在的链(OUTPUT/PREROUTING) $4:新创建的shellcrash链表 $5:tcp/udp/all
#区分ipv4/ipv6
[ "$1" = 'iptables' ] && {
RESERVED_IP=$reserve_ipv4
HOST_IP=$host_ipv4
[ "$3" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4"
[ "$4" = 'shellcrash_vm' ] && HOST_IP="$vm_ipv4"
iptables -h | grep -q '\-w' && w='-w' || w=''
}
[ "$1" = 'ip6tables' ] && {
RESERVED_IP=$reserve_ipv6
HOST_IP=$host_ipv6
[ "$3" = 'OUTPUT' ] && HOST_IP="::1 $host_ipv6"
ip6tables -h | grep -q '\-w' && w='-w' || w=''
}
#创建新的shellcrash链表
$1 $w -t $2 -N $4
#过滤dns
$1 $w -t $2 -A $4 -p tcp --dport 53 -j RETURN
$1 $w -t $2 -A $4 -p udp --dport 53 -j RETURN
#防回环
$1 $w -t $2 -A $4 -m mark --mark $routing_mark -j RETURN
[ "$3" = 'OUTPUT' ] && for gid in 453 7890; do
$1 $w -t $2 -A $4 -m owner --gid-owner $gid -j RETURN
done
[ "$firewall_area" = 5 ] && $1 $w -t $2 -A $4 -s $bypass_host -j RETURN
[ -z "$ports" ] && $1 $w -t $2 -A $4 -p tcp -m multiport --dports "$mix_port,$redir_port,$tproxy_port" -j RETURN
#跳过目标保留地址及目标本机网段
for ip in $HOST_IP $RESERVED_IP; do
$1 $w -t $2 -A $4 -d $ip -j RETURN
done
#绕过CN_IP
[ "$1" = iptables ] && [ "$dns_mod" != "fake-ip" ] && [ "$cn_ip_route" = "已开启" ] && [ -f "$BINDIR"/cn_ip.txt ] && $1 $w -t $2 -A $4 -m set --match-set cn_ip dst -j RETURN 2>/dev/null
[ "$1" = ip6tables ] && [ "$dns_mod" != "fake-ip" ] && [ "$cn_ipv6_route" = "已开启" ] && [ -f "$BINDIR"/cn_ipv6.txt ] && $1 $w -t $2 -A $4 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
#局域网mac地址黑名单过滤
[ "$3" = 'PREROUTING' ] && [ "$macfilter_type" != "白名单" ] && {
[ -s "$CRASHDIR"/configs/mac ] &&
for mac in $(cat "$CRASHDIR"/configs/mac); do
$1 $w -t $2 -A $4 -m mac --mac-source $mac -j RETURN
done
[ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] &&
for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
$1 $w -t $2 -A $4 -s $ip -j RETURN
done
}
#tcp&udp分别进代理链
proxy_set() {
if [ "$3" = 'PREROUTING' ] && [ "$4" != 'shellcrash_vm' ] && [ "$macfilter_type" = "白名单" ] && [ -n "$(cat $CRASHDIR/configs/mac $CRASHDIR/configs/ip_filter 2>/dev/null)" ]; then
[ -s "$CRASHDIR"/configs/mac ] &&
for mac in $(cat "$CRASHDIR"/configs/mac); do
$1 $w -t $2 -A $4 -p $5 -m mac --mac-source $mac -j $JUMP
done
[ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] &&
for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
$1 $w -t $2 -A $4 -p $5 -s $ip -j $JUMP
done
else
for ip in $HOST_IP; do #仅限指定网段流量
$1 $w -t $2 -A $4 -p $5 -s $ip -j $JUMP
done
fi
#将所在链指定流量指向shellcrash表
$1 $w -t $2 -I $3 -p $5 $ports -j $4
[ "$dns_mod" = "mix" -o "$dns_mod" = "fake-ip" ] && [ "$common_ports" = "已开启" ] && [ "$1" = iptables ] && $1 $w -t $2 -I $3 -p $5 -d 28.0.0.0/8 -j $4
[ "$dns_mod" = "mix" -o "$dns_mod" = "fake-ip" ] && [ "$common_ports" = "已开启" ] && [ "$1" = ip6tables ] && $1 $w -t $2 -I $3 -p $5 -d fc00::/16 -j $4
}
[ "$5" = "tcp" -o "$5" = "all" ] && proxy_set $1 $2 $3 $4 tcp
[ "$5" = "udp" -o "$5" = "all" ] && proxy_set $1 $2 $3 $4 udp
}
start_ipt_dns() { #iptables-dns通用工具
#$1:iptables/ip6tables $2:所在的表(OUTPUT/PREROUTING) $3:新创建的shellcrash表
#区分ipv4/ipv6
[ "$1" = 'iptables' ] && {
HOST_IP="$host_ipv4"
[ "$2" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4"
[ "$3" = 'shellcrash_vm_dns' ] && HOST_IP="$vm_ipv4"
iptables -h | grep -q '\-w' && w='-w' || w=''
}
[ "$1" = 'ip6tables' ] && {
HOST_IP=$host_ipv6
ip6tables -h | grep -q '\-w' && w='-w' || w=''
}
$1 $w -t nat -N $3
#防回环
$1 $w -t nat -A $3 -m mark --mark $routing_mark -j RETURN
[ "$2" = 'OUTPUT' ] && for gid in 453 7890; do
$1 $w -t nat -A $3 -m owner --gid-owner $gid -j RETURN
done
[ "$firewall_area" = 5 ] && {
$1 $w -t nat -A $3 -p tcp -s $bypass_host -j RETURN
$1 $w -t nat -A $3 -p udp -s $bypass_host -j RETURN
}
#局域网mac地址黑名单过滤
[ "$2" = 'PREROUTING' ] && [ "$macfilter_type" != "白名单" ] && {
[ -s "$CRASHDIR"/configs/mac ] &&
for mac in $(cat "$CRASHDIR"/configs/mac); do
$1 $w -t nat -A $3 -m mac --mac-source $mac -j RETURN
done
[ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] &&
for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
$1 $w -t nat -A $3 -s $ip -j RETURN
done
}
if [ "$2" = 'PREROUTING' ] && [ "$3" != 'shellcrash_vm_dns' ] && [ "$macfilter_type" = "白名单" ] && [ -n "$(cat $CRASHDIR/configs/mac $CRASHDIR/configs/ip_filter 2>/dev/null)" ]; then
[ -s "$CRASHDIR"/configs/mac ] &&
for mac in $(cat "$CRASHDIR"/configs/mac); do
$1 $w -t nat -A $3 -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port
$1 $w -t nat -A $3 -p udp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port
done
[ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] &&
for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
$1 $w -t nat -A $3 -p tcp -s $ip -j REDIRECT --to-ports $dns_port
$1 $w -t nat -A $3 -p udp -s $ip -j REDIRECT --to-ports $dns_port
done
else
for ip in $HOST_IP; do #仅限指定网段流量
$1 $w -t nat -A $3 -p tcp -s $ip -j REDIRECT --to-ports $dns_port
$1 $w -t nat -A $3 -p udp -s $ip -j REDIRECT --to-ports $dns_port
done
fi
[ "$1" = 'ip6tables' ] && { #屏蔽外部请求
$1 $w -t nat -A $3 -p tcp -j RETURN
$1 $w -t nat -A $3 -p udp -j RETURN
}
$1 $w -t nat -I $2 -p tcp --dport 53 -j $3
$1 $w -t nat -I $2 -p udp --dport 53 -j $3
}
start_ipt_wan() { #iptables公网防火墙
#获取局域网host地址
getlanip
if [ "$public_support" = "已开启" ]; then
$iptable -I INPUT -p tcp --dport $db_port -j ACCEPT
ckcmd ip6tables && $ip6table -I INPUT -p tcp --dport $db_port -j ACCEPT
else
#仅允许非公网设备访问面板
for ip in $reserve_ipv4; do
$iptable -A INPUT -p tcp -s $ip --dport $db_port -j ACCEPT
done
$iptable -A INPUT -p tcp --dport $db_port -j REJECT
ckcmd ip6tables && $ip6table -A INPUT -p tcp --dport $db_port -j REJECT
fi
if [ "$public_mixport" = "已开启" ]; then
$iptable -I INPUT -p tcp --dport $mix_port -j ACCEPT
ckcmd ip6tables && $ip6table -I INPUT -p tcp --dport $mix_port -j ACCEPT
else
#仅允许局域网设备访问混合端口
for ip in $reserve_ipv4; do
$iptable -A INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT
done
$iptable -A INPUT -p tcp --dport $mix_port -j REJECT
ckcmd ip6tables && $ip6table -A INPUT -p tcp --dport $mix_port -j REJECT
fi
$iptable -I INPUT -p tcp -d 127.0.0.1 -j ACCEPT #本机请求全放行
}
start_iptables() { #iptables配置总入口
#启动公网访问防火墙
start_ipt_wan
#分模式设置流量劫持
[ "$redir_mod" = "Redir模式" -o "$redir_mod" = "混合模式" ] && {
JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && {
start_ipt_route iptables nat PREROUTING shellcrash tcp #ipv4-局域网tcp转发
[ "$ipv6_redir" = "已开启" ] && {
if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then
start_ipt_route ip6tables nat PREROUTING shellcrashv6 tcp #ipv6-局域网tcp转发
else
logger "当前设备内核缺少ip6tables_REDIRECT模块支持已放弃启动相关规则" 31
fi
}
}
[ "$local_proxy" = true ] && {
start_ipt_route iptables nat OUTPUT shellcrash_out tcp #ipv4-本机tcp转发
[ "$ipv6_redir" = "已开启" ] && {
if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then
start_ipt_route ip6tables nat OUTPUT shellcrashv6_out tcp #ipv6-本机tcp转发
else
logger "当前设备内核缺少ip6tables_REDIRECT模块支持已放弃启动相关规则" 31
fi
}
}
}
[ "$redir_mod" = "Tproxy模式" ] && {
modprobe xt_TPROXY >/dev/null 2>&1
JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令
if $iptable -j TPROXY -h 2>/dev/null | grep -q '\--on-port'; then
[ "$lan_proxy" = true ] && start_ipt_route iptables mangle PREROUTING shellcrash_mark all
[ "$local_proxy" = true ] && {
if [ -n "$(grep -E '^MARK$' /proc/net/ip_tables_targets)" ]; then
JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令
start_ipt_route iptables mangle OUTPUT shellcrash_mark_out all
$iptable -t mangle -A PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port
$iptable -t mangle -A PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port
else
logger "当前设备内核可能缺少xt_mark模块支持已放弃启动本机代理相关规则" 31
fi
}
else
logger "当前设备内核可能缺少kmod_ipt_tproxy模块支持已放弃启动相关规则" 31
fi
[ "$ipv6_redir" = "已开启" ] && {
if $ip6table -j TPROXY -h 2>/dev/null | grep -q '\--on-port'; then
JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark all
[ "$local_proxy" = true ] && {
if [ -n "$(grep -E '^MARK$' /proc/net/ip6_tables_targets)" ]; then
JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令
start_ipt_route ip6tables mangle OUTPUT shellcrashv6_mark_out all
$ip6table -t mangle -A PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port
$ip6table -t mangle -A PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port
else
logger "当前设备内核可能缺少xt_mark模块支持已放弃启动本机代理相关规则" 31
fi
}
else
logger "当前设备内核可能缺少kmod_ipt_tproxy或者xt_mark模块支持已放弃启动相关规则" 31
fi
}
}
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" -o "$redir_mod" = "T&U旁路转发" -o "$redir_mod" = "TCP旁路转发" ] && {
JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "T&U旁路转发" ] && protocol=all
[ "$redir_mod" = "混合模式" ] && protocol=udp
[ "$redir_mod" = "TCP旁路转发" ] && protocol=tcp
if $iptable -j MARK -h 2>/dev/null | grep -q '\--set-mark'; then
[ "$lan_proxy" = true ] && {
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && $iptable -I FORWARD -o utun -j ACCEPT
start_ipt_route iptables mangle PREROUTING shellcrash_mark $protocol
}
[ "$local_proxy" = true ] && start_ipt_route iptables mangle OUTPUT shellcrash_mark_out $protocol
else
logger "当前设备内核可能缺少x_mark模块支持已放弃启动相关规则" 31
fi
[ "$ipv6_redir" = "已开启" ] && [ "$crashcore" != clashpre ] && {
if $ip6table -j MARK -h 2>/dev/null | grep -q '\--set-mark'; then
[ "$lan_proxy" = true ] && {
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && $ip6table -I FORWARD -o utun -j ACCEPT
start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark $protocol
}
[ "$local_proxy" = true ] && start_ipt_route ip6tables mangle OUTPUT shellcrashv6_mark_out $protocol
else
logger "当前设备内核可能缺少xt_mark模块支持已放弃启动相关规则" 31
fi
}
}
[ "$vm_redir" = "已开启" ] && [ -n "$$vm_ipv4" ] && {
JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令
start_ipt_dns iptables PREROUTING shellcrash_vm_dns #ipv4-局域网dns转发
start_ipt_route iptables nat PREROUTING shellcrash_vm tcp #ipv4-局域网tcp转发
}
#启动DNS劫持
[ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && {
[ "$lan_proxy" = true ] && {
start_ipt_dns iptables PREROUTING shellcrash_dns #ipv4-局域网dns转发
if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then
start_ipt_dns ip6tables PREROUTING shellcrashv6_dns #ipv6-局域网dns转发
else
$ip6table -I INPUT -p tcp --dport 53 -j REJECT >/dev/null 2>&1
$ip6table -I INPUT -p udp --dport 53 -j REJECT >/dev/null 2>&1
fi
}
[ "$local_proxy" = true ] && start_ipt_dns iptables OUTPUT shellcrash_dns_out #ipv4-本机dns转发
}
#屏蔽QUIC
[ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && {
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && {
set_cn_ip='-m set ! --match-set cn_ip dst'
set_cn_ip6='-m set ! --match-set cn_ip6 dst'
}
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
$iptable -I FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT >/dev/null 2>&1
$ip6table -I FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT >/dev/null 2>&1
}
[ "$redir_mod" = "Tproxy模式" ] && {
$iptable -I INPUT -p udp --dport 443 $set_cn_ip -j REJECT >/dev/null 2>&1
$ip6table -I INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT >/dev/null 2>&1
}
}
}
start_nft_route() { #nftables-route通用工具
#$1:name $2:hook(prerouting/output) $3:type(nat/mangle/filter) $4:priority(-100/-150)
[ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g')
RESERVED_IP=$(echo $reserve_ipv4 | sed 's/ /, /g')
HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
[ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
[ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')"
#添加新链
nft add chain inet shellcrash $1 { type $3 hook $2 priority $4 \; }
[ "$1" = 'prerouting_vm' ] && nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理虚拟机流量
#过滤dns
nft add rule inet shellcrash $1 tcp dport 53 return
nft add rule inet shellcrash $1 udp dport 53 return
#防回环
nft add rule inet shellcrash $1 meta mark $routing_mark return
nft add rule inet shellcrash $1 meta skgid 7890 return
[ "$firewall_area" = 5 ] && nft add rule inet shellcrash $1 ip saddr $bypass_host return
[ -z "$ports" ] && nft add rule inet shellcrash $1 tcp dport {"$mix_port, $redir_port, $tproxy_port"} return
#过滤常用端口
[ -n "$PORTS" ] && {
nft add rule inet shellcrash $1 ip daddr != {28.0.0.0/8} tcp dport != {$PORTS} return
nft add rule inet shellcrash $1 ip daddr != {28.0.0.0/8} udp dport != {$PORTS} return
nft add rule inet shellcrash $1 ip6 daddr != {fc00::/16} tcp dport != {$PORTS} return
nft add rule inet shellcrash $1 ip6 daddr != {fc00::/16} udp dport != {$PORTS} return
}
#nft add rule inet shellcrash $1 ip saddr 28.0.0.0/8 return
nft add rule inet shellcrash $1 ip daddr {$RESERVED_IP} return #过滤保留地址
#过滤局域网设备
[ "$1" = 'prerouting' ] && {
[ "$macfilter_type" != "白名单" ] && {
[ -s "$CRASHDIR"/configs/mac ] && {
MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
nft add rule inet shellcrash $1 ether saddr {$MAC} return
}
[ -s "$CRASHDIR"/configs/ip_filter ] && {
FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter)
nft add rule inet shellcrash $1 ip saddr {$FL_IP} return
}
nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理本机局域网网段流量
}
[ "$macfilter_type" = "白名单" ] && {
[ -s "$CRASHDIR"/configs/mac ] && MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
[ -s "$CRASHDIR"/configs/ip_filter ] && FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter)
if [ -n "$MAC" ] && [ -n "$FL_IP" ]; then
nft add rule inet shellcrash $1 ether saddr != {$MAC} ip saddr != {$FL_IP} return
elif [ -n "$MAC" ]; then
nft add rule inet shellcrash $1 ether saddr != {$MAC} return
elif [ -n "$FL_IP" ]; then
nft add rule inet shellcrash $1 ip saddr != {$FL_IP} return
else
nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理本机局域网网段流量
fi
}
}
#绕过CN-IP
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" -a -f "$BINDIR"/cn_ip.txt ] && {
CN_IP=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ip.txt)
[ -n "$CN_IP" ] && nft add rule inet shellcrash $1 ip daddr {$CN_IP} return
}
#局域网ipv6支持
if [ "$ipv6_redir" = "已开启" -a "$1" = 'prerouting' -a "$firewall_area" != 5 ]; then
RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')"
HOST_IP6="$(echo $host_ipv6 | sed 's/ /, /g')"
#过滤保留地址及本机地址
nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return
#仅代理本机局域网网段流量
nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return
#绕过CN_IPV6
[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" -a -f "$BINDIR"/cn_ipv6.txt ] && {
CN_IP6=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ipv6.txt)
[ -n "$CN_IP6" ] && nft add rule inet shellcrash $1 ip6 daddr {$CN_IP6} return
}
elif [ "$ipv6_redir" = "已开启" -a "$1" = 'output' -a \( "$firewall_area" = 2 -o "$firewall_area" = 3 \) ]; then
RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')"
HOST_IP6="::1, $(echo $host_ipv6 | sed 's/ /, /g')"
#过滤保留地址及本机地址
nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return
#仅代理本机局域网网段流量
nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return
#绕过CN_IPV6
[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" -a -f "$BINDIR"/cn_ipv6.txt ] && {
CN_IP6=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ipv6.txt)
[ -n "$CN_IP6" ] && nft add rule inet shellcrash $1 ip6 daddr {$CN_IP6} return
}
else
nft add rule inet shellcrash $1 meta nfproto ipv6 return
fi
#添加通用路由
nft add rule inet shellcrash "$1" "$JUMP"
#处理特殊路由
[ "$redir_mod" = "混合模式" ] && {
nft add rule inet shellcrash $1 meta l4proto tcp mark set $((fwmark + 1))
nft add chain inet shellcrash "$1"_mixtcp { type nat hook $2 priority -100 \; }
nft add rule inet shellcrash "$1"_mixtcp mark $((fwmark + 1)) meta l4proto tcp redirect to $redir_port
}
#nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug
}
start_nft_dns() { #nftables-dns
HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
HOST_IP6=$(echo $host_ipv6 | sed 's/ /, /g')
[ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
[ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')"
nft add chain inet shellcrash "$1"_dns { type nat hook $2 priority -100 \; }
#过滤非dns请求
nft add rule inet shellcrash "$1"_dns udp dport != 53 return
nft add rule inet shellcrash "$1"_dns tcp dport != 53 return
#防回环
nft add rule inet shellcrash "$1"_dns meta mark $routing_mark return
nft add rule inet shellcrash "$1"_dns meta skgid { 453, 7890 } return
[ "$firewall_area" = 5 ] && nft add rule inet shellcrash "$1"_dns ip saddr $bypass_host return
nft add rule inet shellcrash "$1"_dns ip saddr != {$HOST_IP} return #屏蔽外部请求
[ "$1" = 'prerouting' ] && nft add rule inet shellcrash "$1"_dns ip6 saddr != {$HOST_IP6} return #屏蔽外部请求
#过滤局域网设备
[ "$1" = 'prerouting' ] && [ -s "$CRASHDIR"/configs/mac ] && {
MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
if [ "$macfilter_type" = "黑名单" ]; then
nft add rule inet shellcrash "$1"_dns ether saddr {$MAC} return
else
nft add rule inet shellcrash "$1"_dns ether saddr != {$MAC} return
fi
}
nft add rule inet shellcrash "$1"_dns udp dport 53 redirect to ${dns_port}
nft add rule inet shellcrash "$1"_dns tcp dport 53 redirect to ${dns_port}
}
start_nft_wan() { #nftables公网防火墙
#获取局域网host地址
getlanip
HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
nft add chain inet shellcrash input { type filter hook input priority -100 \; }
nft add rule inet shellcrash input ip daddr 127.0.0.1 accept
if [ "$public_support" = "已开启" ]; then
nft add rule inet shellcrash input tcp dport $db_port accept
else
#仅允许非公网设备访问面板
nft add rule inet shellcrash input tcp dport $db_port ip saddr {$HOST_IP} accept
nft add rule inet shellcrash input tcp dport $db_port reject
fi
if [ "$public_mixport" = "已开启" ]; then
nft add rule inet shellcrash input tcp dport $mix_port accept
else
#仅允许局域网设备访问混合端口
nft add rule inet shellcrash input tcp dport $mix_port ip saddr {$HOST_IP} accept
nft add rule inet shellcrash input tcp dport $mix_port reject
fi
}
start_nftables() { #nftables配置总入口
#初始化nftables
nft add table inet shellcrash 2>/dev/null
nft flush table inet shellcrash 2>/dev/null
#公网访问防火墙
[ "$systype" != 'container' ] && start_nft_wan
#启动DNS劫持
[ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && {
[ "$lan_proxy" = true ] && start_nft_dns prerouting prerouting #局域网dns转发
[ "$local_proxy" = true ] && start_nft_dns output output #本机dns转发
}
#分模式设置流量劫持
[ "$redir_mod" = "Redir模式" ] && {
JUMP="meta l4proto tcp redirect to $redir_port" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -100
[ "$local_proxy" = true ] && start_nft_route output output nat -100
}
[ "$redir_mod" = "Tproxy模式" ] && (modprobe nft_tproxy >/dev/null 2>&1 || lsmod 2>/dev/null | grep -q nft_tproxy) && {
JUMP="meta l4proto {tcp, udp} mark set $fwmark tproxy to :$tproxy_port" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting filter -150
[ "$local_proxy" = true ] && {
JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令
start_nft_route output output route -150
nft add chain inet shellcrash mark_out { type filter hook prerouting priority -100 \; }
nft add rule inet shellcrash mark_out meta mark $fwmark meta l4proto {tcp, udp} tproxy to :$tproxy_port
}
}
[ "$tun_statu" = true ] && {
[ "$redir_mod" = "Tun模式" ] && JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令
[ "$redir_mod" = "混合模式" ] && JUMP="meta l4proto udp mark set $fwmark" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && {
start_nft_route prerouting prerouting filter -150
#放行流量
nft list table inet fw4 >/dev/null 2>&1 || nft add table inet fw4
nft list chain inet fw4 forward >/dev/null 2>&1 || nft add chain inet fw4 forward { type filter hook forward priority filter \; } 2>/dev/null
nft list chain inet fw4 input >/dev/null 2>&1 || nft add chain inet fw4 input { type filter hook input priority filter \; } 2>/dev/null
nft list chain inet fw4 forward | grep -q 'oifname "utun" accept' || nft insert rule inet fw4 forward oifname "utun" accept
nft list chain inet fw4 input | grep -q 'iifname "utun" accept' || nft insert rule inet fw4 input iifname "utun" accept
}
[ "$local_proxy" = true ] && start_nft_route output output route -150
}
[ "$firewall_area" = 5 ] && {
[ "$redir_mod" = "T&U旁路转发" ] && JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令
[ "$redir_mod" = "TCP旁路转发" ] && JUMP="meta l4proto tcp mark set $fwmark" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting filter -150
[ "$local_proxy" = true ] && start_nft_route output output route -150
}
[ "$vm_redir" = "已开启" ] && [ -n "$$vm_ipv4" ] && {
start_nft_dns prerouting_vm prerouting
JUMP="meta l4proto tcp redirect to $redir_port" #跳转劫持的具体命令
start_nft_route prerouting_vm prerouting nat -100
}
#屏蔽QUIC
[ "$quic_rj" = '已启用' -a "$lan_proxy" = true ] && {
[ "$redir_mod" = "Tproxy模式" ] && {
nft add chain inet shellcrash quic_rj { type filter hook input priority 0 \; }
[ -n "$CN_IP" ] && nft add rule inet shellcrash quic_rj ip daddr {$CN_IP} return
[ -n "$CN_IP6" ] && nft add rule inet shellcrash quic_rj ip6 daddr {$CN_IP6} return
nft add rule inet shellcrash quic_rj udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT'
}
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
nft insert rule inet fw4 forward oifname "utun" udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT'
[ -n "$CN_IP" ] && nft insert rule inet fw4 forward oifname "utun" ip daddr {$CN_IP} return
[ -n "$CN_IP6" ] && nft insert rule inet fw4 forward oifname "utun" ip6 daddr {$CN_IP6} return
}
}
}
start_firewall() { #路由规则总入口
getlanip #获取局域网host地址
#设置策略路由
[ "$firewall_area" != 4 ] && {
[ "$redir_mod" = "Tproxy模式" ] && ip route add local default dev lo table $table 2>/dev/null
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
i=1
while [ -z "$(ip route list | grep utun)" -a "$i" -le 29 ]; do
sleep 1
i=$((i + 1))
done
if [ -z "$(ip route list | grep utun)" ]; then
logger "找不到tun模块放弃启动tun相关防火墙规则" 31
else
ip route add default dev utun table $table && tun_statu=true
fi
}
[ "$firewall_area" = 5 ] && ip route add default via $bypass_host table $table 2>/dev/null
[ "$redir_mod" != "Redir模式" ] && ip rule add fwmark $fwmark table $table 2>/dev/null
}
#添加ipv6路由
[ "$ipv6_redir" = "已开启" -a "$firewall_area" -le 3 ] && {
[ "$redir_mod" = "Tproxy模式" ] && ip -6 route add local default dev lo table $((table + 1)) 2>/dev/null
[ -n "$(ip route list | grep utun)" ] && ip -6 route add default dev utun table $((table + 1)) 2>/dev/null
[ "$redir_mod" != "Redir模式" ] && ip -6 rule add fwmark $fwmark table $((table + 1)) 2>/dev/null
}
#判断代理用途
[ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && local_proxy=true
[ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 ] && lan_proxy=true
#防火墙配置
[ "$firewall_mod" = 'iptables' ] && start_iptables
[ "$firewall_mod" = 'nftables' ] && start_nftables
#修复部分虚拟机dns查询失败的问题
[ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -z "$(grep '127.0.0.1' /etc/resolv.conf 2>/dev/null)" ] && [ "$systype" != 'container' ] && {
line=$(grep -n 'nameserver' /etc/resolv.conf | awk -F: 'FNR==1{print $1}')
sed -i "$line i\nameserver 127.0.0.1 #shellcrash-dns-repair" /etc/resolv.conf >/dev/null 2>&1
}
#openwrt使用dnsmasq转发DNS
if [ "$dns_redir" = "已开启" -a "$firewall_area" -le 3 -a "$dns_no" != "已禁用" ]; then
uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1
uci delete dhcp.@dnsmasq[0].resolvfile 2>/dev/null
uci add_list dhcp.@dnsmasq[0].server=127.0.0.1#$dns_port >/dev/null 2>&1
uci set dhcp.@dnsmasq[0].noresolv=1 2>/dev/null
uci commit dhcp >/dev/null 2>&1
/etc/init.d/dnsmasq restart >/dev/null 2>&1
elif [ "$(uci get dhcp.@dnsmasq[0].dns_redirect 2>/dev/null)" = 1 ]; then
uci del dhcp.@dnsmasq[0].dns_redirect
uci commit dhcp.@dnsmasq[0]
fi
}
stop_firewall() { #还原防火墙配置
#获取局域网host地址
getlanip
#重置iptables相关规则
ckcmd iptables && {
#dns
$iptable -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_dns 2>/dev/null
$iptable -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_dns 2>/dev/null
$iptable -t nat -D OUTPUT -p udp --dport 53 -j shellcrash_dns_out 2>/dev/null
$iptable -t nat -D OUTPUT -p tcp --dport 53 -j shellcrash_dns_out 2>/dev/null
#redir
$iptable -t nat -D PREROUTING -p tcp $ports -j shellcrash 2>/dev/null
$iptable -t nat -D PREROUTING -p tcp -d 28.0.0.0/8 -j shellcrash 2>/dev/null
$iptable -t nat -D OUTPUT -p tcp $ports -j shellcrash_out 2>/dev/null
$iptable -t nat -D OUTPUT -p tcp -d 28.0.0.0/8 -j shellcrash_out 2>/dev/null
#vm_dns
$iptable -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_vm_dns 2>/dev/null
$iptable -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_vm_dns 2>/dev/null
#vm_redir
$iptable -t nat -D PREROUTING -p tcp $ports -j shellcrash_vm 2>/dev/null
$iptable -t nat -D PREROUTING -p tcp -d 28.0.0.0/8 -j shellcrash_vm 2>/dev/null
#TPROXY&tun
$iptable -t mangle -D PREROUTING -p tcp $ports -j shellcrash_mark 2>/dev/null
$iptable -t mangle -D PREROUTING -p udp $ports -j shellcrash_mark 2>/dev/null
$iptable -t mangle -D PREROUTING -p tcp -d 28.0.0.0/8 -j shellcrash_mark 2>/dev/null
$iptable -t mangle -D PREROUTING -p udp -d 28.0.0.0/8 -j shellcrash_mark 2>/dev/null
$iptable -t mangle -D OUTPUT -p tcp $ports -j shellcrash_mark_out 2>/dev/null
$iptable -t mangle -D OUTPUT -p udp $ports -j shellcrash_mark_out 2>/dev/null
$iptable -t mangle -D OUTPUT -p tcp -d 28.0.0.0/8 -j shellcrash_mark_out 2>/dev/null
$iptable -t mangle -D OUTPUT -p udp -d 28.0.0.0/8 -j shellcrash_mark_out 2>/dev/null
$iptable -t mangle -D PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port 2>/dev/null
$iptable -t mangle -D PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port 2>/dev/null
#tun
$iptable -D FORWARD -o utun -j ACCEPT 2>/dev/null
#屏蔽QUIC
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst'
$iptable -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null
$iptable -D FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT 2>/dev/null
#公网访问
for ip in $host_ipv4 $local_ipv4 $reserve_ipv4; do
$iptable -D INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT 2>/dev/null
$iptable -D INPUT -p tcp -s $ip --dport $db_port -j ACCEPT 2>/dev/null
done
$iptable -D INPUT -p tcp -d 127.0.0.1 -j ACCEPT 2>/dev/null
$iptable -D INPUT -p tcp --dport $mix_port -j REJECT 2>/dev/null
$iptable -D INPUT -p tcp --dport $mix_port -j ACCEPT 2>/dev/null
$iptable -D INPUT -p tcp --dport $db_port -j REJECT 2>/dev/null
$iptable -D INPUT -p tcp --dport $db_port -j ACCEPT 2>/dev/null
#清理shellcrash自建表
for words in shellcrash_dns shellcrash shellcrash_out shellcrash_dns_out shellcrash_vm shellcrash_vm_dns; do
$iptable -t nat -F $words 2>/dev/null
$iptable -t nat -X $words 2>/dev/null
done
for words in shellcrash_mark shellcrash_mark_out; do
$iptable -t mangle -F $words 2>/dev/null
$iptable -t mangle -X $words 2>/dev/null
done
}
#重置ipv6规则
ckcmd ip6tables && {
#dns
$ip6table -t nat -D PREROUTING -p tcp --dport 53 -j shellcrashv6_dns 2>/dev/null
$ip6table -t nat -D PREROUTING -p udp --dport 53 -j shellcrashv6_dns 2>/dev/null
#redir
$ip6table -t nat -D PREROUTING -p tcp $ports -j shellcrashv6 2>/dev/null
$ip6table -t nat -D PREROUTING -p tcp -d fc00::/16 -j shellcrashv6 2>/dev/null
$ip6table -t nat -D OUTPUT -p tcp $ports -j shellcrashv6_out 2>/dev/null
$ip6table -t nat -D OUTPUT -p tcp -d fc00::/16 -j shellcrashv6_out 2>/dev/null
$ip6table -D INPUT -p tcp --dport 53 -j REJECT 2>/dev/null
$ip6table -D INPUT -p udp --dport 53 -j REJECT 2>/dev/null
#mark
$ip6table -t mangle -D PREROUTING -p tcp $ports -j shellcrashv6_mark 2>/dev/null
$ip6table -t mangle -D PREROUTING -p udp $ports -j shellcrashv6_mark 2>/dev/null
$ip6table -t mangle -D PREROUTING -p tcp -d fc00::/16 -j shellcrashv6_mark 2>/dev/null
$ip6table -t mangle -D PREROUTING -p udp -d fc00::/16 -j shellcrashv6_mark 2>/dev/null
$ip6table -t mangle -D OUTPUT -p tcp $ports -j shellcrashv6_mark_out 2>/dev/null
$ip6table -t mangle -D OUTPUT -p udp $ports -j shellcrashv6_mark_out 2>/dev/null
$ip6table -t mangle -D OUTPUT -p tcp -d fc00::/16 -j shellcrashv6_mark_out 2>/dev/null
$ip6table -t mangle -D OUTPUT -p udp -d fc00::/16 -j shellcrashv6_mark_out 2>/dev/null
$ip6table -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null
$ip6table -t mangle -D PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port 2>/dev/null
$ip6table -t mangle -D PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port 2>/dev/null
#tun
$ip6table -D FORWARD -o utun -j ACCEPT 2>/dev/null
#屏蔽QUIC
[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst'
$ip6table -D INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT 2>/dev/null
$ip6table -D FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT 2>/dev/null
#公网访问
$ip6table -D INPUT -p tcp --dport $mix_port -j REJECT 2>/dev/null
$ip6table -D INPUT -p tcp --dport $mix_port -j ACCEPT 2>/dev/null
$ip6table -D INPUT -p tcp --dport $db_port -j REJECT 2>/dev/null
$ip6table -D INPUT -p tcp --dport $db_port -j ACCEPT 2>/dev/null
#清理shellcrash自建表
for words in shellcrashv6_dns shellcrashv6 shellcrashv6_out; do
$ip6table -t nat -F $words 2>/dev/null
$ip6table -t nat -X $words 2>/dev/null
done
for words in shellcrashv6_mark shellcrashv6_mark_out; do
$ip6table -t mangle -F $words 2>/dev/null
$ip6table -t mangle -X $words 2>/dev/null
done
$ip6table -t mangle -F shellcrashv6_mark 2>/dev/null
$ip6table -t mangle -X shellcrashv6_mark 2>/dev/null
}
#清理ipset规则
ipset destroy cn_ip >/dev/null 2>&1
ipset destroy cn_ip6 >/dev/null 2>&1
#移除dnsmasq转发规则
[ "$dns_redir" = "已开启" ] && {
uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1
uci set dhcp.@dnsmasq[0].noresolv=0 2>/dev/null
uci commit dhcp >/dev/null 2>&1
/etc/init.d/dnsmasq restart >/dev/null 2>&1
}
#清理路由规则
ip rule del fwmark $fwmark table $table 2>/dev/null
ip route flush table $table 2>/dev/null
ip -6 rule del fwmark $fwmark table $((table + 1)) 2>/dev/null
ip -6 route flush table $((table + 1)) 2>/dev/null
#重置nftables相关规则
ckcmd nft && {
nft flush table inet shellcrash >/dev/null 2>&1
nft delete table inet shellcrash >/dev/null 2>&1
}
#还原防火墙文件
[ -s /etc/init.d/firewall.bak ] && mv -f /etc/init.d/firewall.bak /etc/init.d/firewall
#others
[ "$systype" != 'container' ] && sed -i '/shellcrash-dns-repair/d' /etc/resolv.conf >/dev/null 2>&1
}
#启动相关
web_save() { #最小化保存面板节点选择
#使用get_save获取面板节点设置
@@ -1943,7 +1273,7 @@ bfstart() { #启动前
#检查下载cnip绕过相关文件
[ "$firewall_mod" = nftables ] || ckcmd ipset && [ "$dns_mod" != "fake-ip" ] && {
[ "$cn_ip_route" = "已开启" ] && cn_ip_route
[ "$ipv6_redir" = "已开启" ] && [ "$cn_ipv6_route" = "已开启" ] && cn_ipv6_route
[ "$ipv6_redir" = "已开启" ] && [ "$cn_ip_route" = "已开启" ] && cn_ipv6_route
}
#添加shellcrash用户
[ "$firewall_area" = 2 ] || [ "$firewall_area" = 3 ] || [ "$(cat /proc/1/comm)" = "systemd" ] &&
@@ -1984,7 +1314,7 @@ afstart() { #启动后
done
if [ -n "$test" -o -n "$(pidof CrashCore)" ]; then
[ "$start_old" = "已开启" ] && rm -rf "$TMPDIR"/CrashCore #删除缓存目录内核文件
start_firewall #配置防火墙流量劫持
start_firewall #配置防火墙流量劫持
mark_time #标记启动时间
[ -s "$CRASHDIR"/configs/web_save ] && web_restore >/dev/null 2>&1 & #后台还原面板配置
{

277
scripts/starts/fw_iptables.sh Normal file
View File

@@ -0,0 +1,277 @@
#!/bin/sh
# Copyright (C) Juewuy
start_ipt_route() { #iptables-route通用工具
#$1:iptables/ip6tables $2:所在的表(nat/mangle) $3:所在的链(OUTPUT/PREROUTING) $4:新创建的shellcrash链表 $5:tcp/udp/all
#区分ipv4/ipv6
[ "$1" = 'iptables' ] && {
RESERVED_IP=$reserve_ipv4
HOST_IP=$host_ipv4
[ "$3" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4"
[ "$4" = 'shellcrash_vm' ] && HOST_IP="$vm_ipv4"
iptables -h | grep -q '\-w' && w='-w' || w=''
}
[ "$1" = 'ip6tables' ] && {
RESERVED_IP=$reserve_ipv6
HOST_IP=$host_ipv6
[ "$3" = 'OUTPUT' ] && HOST_IP="::1 $host_ipv6"
ip6tables -h | grep -q '\-w' && w='-w' || w=''
}
#创建新的shellcrash链表
"$1" $w -t "$2" -N "$4"
#过滤dns
"$1" $w -t "$2" -A "$4" -p tcp --dport 53 -j RETURN
"$1" $w -t "$2" -A "$4" -p udp --dport 53 -j RETURN
#防回环
"$1" $w -t "$2" -A "$4" -m mark --mark $routing_mark -j RETURN
[ "$3" = 'OUTPUT' ] && for gid in 453 7890; do
"$1" $w -t "$2" -A "$4" -m owner --gid-owner $gid -j RETURN
done
[ "$firewall_area" = 5 ] && "$1" $w -t "$2" -A "$4" -s $bypass_host -j RETURN
[ -z "$ports" ] && "$1" $w -t "$2" -A "$4" -p tcp -m multiport --dports "$mix_port,$redir_port,$tproxy_port" -j RETURN
#跳过目标保留地址及目标本机网段
for ip in $HOST_IP $RESERVED_IP; do
"$1" $w -t "$2" -A "$4" -d $ip -j RETURN
done
#绕过CN_IP
[ "$1" = iptables ] && [ "$dns_mod" != "fake-ip" ] && [ "$cn_ip_route" = "已开启" ] && [ -f "$BINDIR"/cn_ip.txt ] && "$1" $w -t "$2" -A "$4" -m set --match-set cn_ip dst -j RETURN 2>/dev/null
[ "$1" = ip6tables ] && [ "$dns_mod" != "fake-ip" ] && [ "$cn_ip_route" = "已开启" ] && [ -f "$BINDIR"/cn_ipv6.txt ] && "$1" $w -t "$2" -A "$4" -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
#局域网mac地址黑名单过滤
[ "$3" = 'PREROUTING' ] && [ "$macfilter_type" != "白名单" ] && {
[ -s "$CRASHDIR"/configs/mac ] &&
for mac in $(cat "$CRASHDIR"/configs/mac); do
"$1" $w -t "$2" -A "$4" -m mac --mac-source $mac -j RETURN
done
[ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] &&
for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
"$1" $w -t "$2" -A "$4" -s $ip -j RETURN
done
}
#tcp&udp分别进代理链
proxy_set() {
if [ "$3" = 'PREROUTING' ] && [ "$4" != 'shellcrash_vm' ] && [ "$macfilter_type" = "白名单" ] && [ -n "$(cat $CRASHDIR/configs/mac $CRASHDIR/configs/ip_filter 2>/dev/null)" ]; then
[ -s "$CRASHDIR"/configs/mac ] &&
for mac in $(cat "$CRASHDIR"/configs/mac); do
"$1" $w -t "$2" -A "$4" -p "$5" -m mac --mac-source $mac -j $JUMP
done
[ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] &&
for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
"$1" $w -t "$2" -A "$4" -p "$5" -s $ip -j $JUMP
done
else
for ip in $HOST_IP; do #仅限指定网段流量
"$1" $w -t "$2" -A "$4" -p "$5" -s $ip -j $JUMP
done
fi
#将所在链指定流量指向shellcrash表
"$1" $w -t "$2" -I "$3" -p "$5" $ports -j "$4"
[ "$dns_mod" = "mix" -o "$dns_mod" = "fake-ip" ] && [ "$common_ports" = "已开启" ] && [ "$1" = iptables ] && "$1" $w -t "$2" -I "$3" -p "$5" -d 28.0.0.0/8 -j "$4"
[ "$dns_mod" = "mix" -o "$dns_mod" = "fake-ip" ] && [ "$common_ports" = "已开启" ] && [ "$1" = ip6tables ] && "$1" $w -t "$2" -I "$3" -p "$5" -d fc00::/16 -j "$4"
}
[ "$5" = "tcp" -o "$5" = "all" ] && proxy_set "$1" "$2" "$3" "$4" tcp
[ "$5" = "udp" -o "$5" = "all" ] && proxy_set "$1" "$2" "$3" "$4" udp
}
start_ipt_dns() { #iptables-dns通用工具
#$1:iptables/ip6tables $2:所在的表(OUTPUT/PREROUTING) $3:新创建的shellcrash表
#区分ipv4/ipv6
[ "$1" = 'iptables' ] && {
HOST_IP="$host_ipv4"
[ "$2" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4"
[ "$3" = 'shellcrash_vm_dns' ] && HOST_IP="$vm_ipv4"
iptables -h | grep -q '\-w' && w='-w' || w=''
}
[ "$1" = 'ip6tables' ] && {
HOST_IP=$host_ipv6
ip6tables -h | grep -q '\-w' && w='-w' || w=''
}
"$1" $w -t nat -N "$3"
#防回环
"$1" $w -t nat -A "$3" -m mark --mark $routing_mark -j RETURN
[ "$2" = 'OUTPUT' ] && for gid in 453 7890; do
"$1" $w -t nat -A "$3" -m owner --gid-owner $gid -j RETURN
done
[ "$firewall_area" = 5 ] && {
"$1" $w -t nat -A "$3" -p tcp -s $bypass_host -j RETURN
"$1" $w -t nat -A "$3" -p udp -s $bypass_host -j RETURN
}
#局域网mac地址黑名单过滤
[ "$2" = 'PREROUTING' ] && [ "$macfilter_type" != "白名单" ] && {
[ -s "$CRASHDIR"/configs/mac ] &&
for mac in $(cat "$CRASHDIR"/configs/mac); do
"$1" $w -t nat -A "$3" -m mac --mac-source $mac -j RETURN
done
[ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] &&
for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
"$1" $w -t nat -A "$3" -s $ip -j RETURN
done
}
if [ "$2" = 'PREROUTING' ] && [ "$3" != 'shellcrash_vm_dns' ] && [ "$macfilter_type" = "白名单" ] && [ -n "$(cat $CRASHDIR/configs/mac $CRASHDIR/configs/ip_filter 2>/dev/null)" ]; then
[ -s "$CRASHDIR"/configs/mac ] &&
for mac in $(cat "$CRASHDIR"/configs/mac); do
"$1" $w -t nat -A "$3" -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port
"$1" $w -t nat -A "$3" -p udp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port
done
[ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] &&
for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
"$1" $w -t nat -A "$3" -p tcp -s $ip -j REDIRECT --to-ports $dns_port
"$1" $w -t nat -A "$3" -p udp -s $ip -j REDIRECT --to-ports $dns_port
done
else
for ip in $HOST_IP; do #仅限指定网段流量
"$1" $w -t nat -A "$3" -p tcp -s $ip -j REDIRECT --to-ports $dns_port
"$1" $w -t nat -A "$3" -p udp -s $ip -j REDIRECT --to-ports $dns_port
done
fi
[ "$1" = 'ip6tables' ] && { #屏蔽外部请求
"$1" $w -t nat -A "$3" -p tcp -j RETURN
"$1" $w -t nat -A "$3" -p udp -j RETURN
}
"$1" $w -t nat -I "$2" -p tcp --dport 53 -j "$3"
"$1" $w -t nat -I "$2" -p udp --dport 53 -j "$3"
}
start_ipt_wan() { #iptables公网防火墙
ipt_wan_accept(){
$iptable -I INPUT -p "$1" -m multiport --dports "$fw_wan_ports" -j ACCEPT
ckcmd ip6tables && $ip6table -I INPUT -p "$1" -m multiport --dports "$fw_wan_ports" -j ACCEPT
}
ipt_wan_reject(){
$iptable -I INPUT -p "$1" -m multiport --dports "$reject_ports" -j REJECT
ckcmd ip6tables && $ip6table -I INPUT -p "$1" -m multiport --dports "$reject_ports" -j REJECT
}
#端口拦截
reject_ports="$mix_port,$db_port,$dns_port"
ipt_wan_reject tcp
ipt_wan_reject udp
#端口放行
[ -n "$fw_wan_ports" ] && {
ipt_wan_accept tcp
ipt_wan_accept udp
}
#本机请求全放行
$iptable -I INPUT -i lo -j ACCEPT
ckcmd ip6tables && $ip6table -I INPUT -i lo -j ACCEPT
}
start_iptables() { #iptables配置总入口
#启动公网访问防火墙
[ "$fw_wan" != OFF ] && start_ipt_wan
#分模式设置流量劫持
[ "$redir_mod" = "Redir模式" -o "$redir_mod" = "混合模式" ] && {
JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && {
start_ipt_route iptables nat PREROUTING shellcrash tcp #ipv4-局域网tcp转发
[ "$ipv6_redir" = "已开启" ] && {
if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then
start_ipt_route ip6tables nat PREROUTING shellcrashv6 tcp #ipv6-局域网tcp转发
else
logger "当前设备内核缺少ip6tables_REDIRECT模块支持已放弃启动相关规则" 31
fi
}
}
[ "$local_proxy" = true ] && {
start_ipt_route iptables nat OUTPUT shellcrash_out tcp #ipv4-本机tcp转发
[ "$ipv6_redir" = "已开启" ] && {
if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then
start_ipt_route ip6tables nat OUTPUT shellcrashv6_out tcp #ipv6-本机tcp转发
else
logger "当前设备内核缺少ip6tables_REDIRECT模块支持已放弃启动相关规则" 31
fi
}
}
}
[ "$redir_mod" = "Tproxy模式" ] && {
modprobe xt_TPROXY >/dev/null 2>&1
JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令
if $iptable -j TPROXY -h 2>/dev/null | grep -q '\--on-port'; then
[ "$lan_proxy" = true ] && start_ipt_route iptables mangle PREROUTING shellcrash_mark all
[ "$local_proxy" = true ] && {
if [ -n "$(grep -E '^MARK$' /proc/net/ip_tables_targets)" ]; then
JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令
start_ipt_route iptables mangle OUTPUT shellcrash_mark_out all
$iptable -t mangle -A PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port
$iptable -t mangle -A PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port
else
logger "当前设备内核可能缺少xt_mark模块支持已放弃启动本机代理相关规则" 31
fi
}
else
logger "当前设备内核可能缺少kmod_ipt_tproxy模块支持已放弃启动相关规则" 31
fi
[ "$ipv6_redir" = "已开启" ] && {
if $ip6table -j TPROXY -h 2>/dev/null | grep -q '\--on-port'; then
JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark all
[ "$local_proxy" = true ] && {
if [ -n "$(grep -E '^MARK$' /proc/net/ip6_tables_targets)" ]; then
JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令
start_ipt_route ip6tables mangle OUTPUT shellcrashv6_mark_out all
$ip6table -t mangle -A PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port
$ip6table -t mangle -A PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port
else
logger "当前设备内核可能缺少xt_mark模块支持已放弃启动本机代理相关规则" 31
fi
}
else
logger "当前设备内核可能缺少kmod_ipt_tproxy或者xt_mark模块支持已放弃启动相关规则" 31
fi
}
}
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" -o "$redir_mod" = "T&U旁路转发" -o "$redir_mod" = "TCP旁路转发" ] && {
JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "T&U旁路转发" ] && protocol=all
[ "$redir_mod" = "混合模式" ] && protocol=udp
[ "$redir_mod" = "TCP旁路转发" ] && protocol=tcp
if $iptable -j MARK -h 2>/dev/null | grep -q '\--set-mark'; then
[ "$lan_proxy" = true ] && {
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && $iptable -I FORWARD -o utun -j ACCEPT
start_ipt_route iptables mangle PREROUTING shellcrash_mark $protocol
}
[ "$local_proxy" = true ] && start_ipt_route iptables mangle OUTPUT shellcrash_mark_out $protocol
else
logger "当前设备内核可能缺少x_mark模块支持已放弃启动相关规则" 31
fi
[ "$ipv6_redir" = "已开启" ] && [ "$crashcore" != clashpre ] && {
if $ip6table -j MARK -h 2>/dev/null | grep -q '\--set-mark'; then
[ "$lan_proxy" = true ] && {
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && $ip6table -I FORWARD -o utun -j ACCEPT
start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark $protocol
}
[ "$local_proxy" = true ] && start_ipt_route ip6tables mangle OUTPUT shellcrashv6_mark_out $protocol
else
logger "当前设备内核可能缺少xt_mark模块支持已放弃启动相关规则" 31
fi
}
}
[ "$vm_redir" = "已开启" ] && [ -n "$$vm_ipv4" ] && {
JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令
start_ipt_dns iptables PREROUTING shellcrash_vm_dns #ipv4-局域网dns转发
start_ipt_route iptables nat PREROUTING shellcrash_vm tcp #ipv4-局域网tcp转发
}
#启动DNS劫持
[ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && {
[ "$lan_proxy" = true ] && {
start_ipt_dns iptables PREROUTING shellcrash_dns #ipv4-局域网dns转发
if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then
start_ipt_dns ip6tables PREROUTING shellcrashv6_dns #ipv6-局域网dns转发
else
$ip6table -I INPUT -p tcp --dport 53 -j REJECT >/dev/null 2>&1
$ip6table -I INPUT -p udp --dport 53 -j REJECT >/dev/null 2>&1
fi
}
[ "$local_proxy" = true ] && start_ipt_dns iptables OUTPUT shellcrash_dns_out #ipv4-本机dns转发
}
#屏蔽QUIC
[ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && {
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && {
set_cn_ip='-m set ! --match-set cn_ip dst'
set_cn_ip6='-m set ! --match-set cn_ip6 dst'
}
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
$iptable -I FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT >/dev/null 2>&1
$ip6table -I FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT >/dev/null 2>&1
}
[ "$redir_mod" = "Tproxy模式" ] && {
$iptable -I INPUT -p udp --dport 443 $set_cn_ip -j REJECT >/dev/null 2>&1
$ip6table -I INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT >/dev/null 2>&1
}
}
}

208
scripts/starts/fw_nftables.sh Normal file
View File

@@ -0,0 +1,208 @@
#!/bin/sh
# Copyright (C) Juewuy
start_nft_route() { #nftables-route通用工具
#$1:name $2:hook(prerouting/output) $3:type(nat/mangle/filter) $4:priority(-100/-150)
[ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g')
RESERVED_IP=$(echo $reserve_ipv4 | sed 's/ /, /g')
HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
[ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
[ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')"
#添加新链
nft add chain inet shellcrash $1 { type $3 hook $2 priority $4 \; }
[ "$1" = 'prerouting_vm' ] && nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理虚拟机流量
#过滤dns
nft add rule inet shellcrash $1 tcp dport 53 return
nft add rule inet shellcrash $1 udp dport 53 return
#防回环
nft add rule inet shellcrash $1 meta mark $routing_mark return
nft add rule inet shellcrash $1 meta skgid 7890 return
[ "$firewall_area" = 5 ] && nft add rule inet shellcrash $1 ip saddr $bypass_host return
[ -z "$ports" ] && nft add rule inet shellcrash $1 tcp dport {"$mix_port, $redir_port, $tproxy_port"} return
#过滤常用端口
[ -n "$PORTS" ] && {
nft add rule inet shellcrash $1 ip daddr != {28.0.0.0/8} tcp dport != {$PORTS} return
nft add rule inet shellcrash $1 ip daddr != {28.0.0.0/8} udp dport != {$PORTS} return
nft add rule inet shellcrash $1 ip6 daddr != {fc00::/16} tcp dport != {$PORTS} return
nft add rule inet shellcrash $1 ip6 daddr != {fc00::/16} udp dport != {$PORTS} return
}
#nft add rule inet shellcrash $1 ip saddr 28.0.0.0/8 return
nft add rule inet shellcrash $1 ip daddr {$RESERVED_IP} return #过滤保留地址
#过滤局域网设备
[ "$1" = 'prerouting' ] && {
[ "$macfilter_type" != "白名单" ] && {
[ -s "$CRASHDIR"/configs/mac ] && {
MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
nft add rule inet shellcrash $1 ether saddr {$MAC} return
}
[ -s "$CRASHDIR"/configs/ip_filter ] && {
FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter)
nft add rule inet shellcrash $1 ip saddr {$FL_IP} return
}
nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理本机局域网网段流量
}
[ "$macfilter_type" = "白名单" ] && {
[ -s "$CRASHDIR"/configs/mac ] && MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
[ -s "$CRASHDIR"/configs/ip_filter ] && FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter)
if [ -n "$MAC" ] && [ -n "$FL_IP" ]; then
nft add rule inet shellcrash $1 ether saddr != {$MAC} ip saddr != {$FL_IP} return
elif [ -n "$MAC" ]; then
nft add rule inet shellcrash $1 ether saddr != {$MAC} return
elif [ -n "$FL_IP" ]; then
nft add rule inet shellcrash $1 ip saddr != {$FL_IP} return
else
nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理本机局域网网段流量
fi
}
}
#绕过CN-IP
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" -a -f "$BINDIR"/cn_ip.txt ] && {
CN_IP=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ip.txt)
[ -n "$CN_IP" ] && nft add rule inet shellcrash $1 ip daddr {$CN_IP} return
}
#局域网ipv6支持
if [ "$ipv6_redir" = "已开启" -a "$1" = 'prerouting' -a "$firewall_area" != 5 ]; then
RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')"
HOST_IP6="$(echo $host_ipv6 | sed 's/ /, /g')"
#过滤保留地址及本机地址
nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return
#仅代理本机局域网网段流量
nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return
#绕过CN_IPV6
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" -a -f "$BINDIR"/cn_ipv6.txt ] && {
CN_IP6=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ipv6.txt)
[ -n "$CN_IP6" ] && nft add rule inet shellcrash $1 ip6 daddr {$CN_IP6} return
}
elif [ "$ipv6_redir" = "已开启" -a "$1" = 'output' -a \( "$firewall_area" = 2 -o "$firewall_area" = 3 \) ]; then
RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')"
HOST_IP6="::1, $(echo $host_ipv6 | sed 's/ /, /g')"
#过滤保留地址及本机地址
nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return
#仅代理本机局域网网段流量
nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return
#绕过CN_IPV6
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" -a -f "$BINDIR"/cn_ipv6.txt ] && {
CN_IP6=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ipv6.txt)
[ -n "$CN_IP6" ] && nft add rule inet shellcrash $1 ip6 daddr {$CN_IP6} return
}
else
nft add rule inet shellcrash $1 meta nfproto ipv6 return
fi
#添加通用路由
nft add rule inet shellcrash "$1" "$JUMP"
#处理特殊路由
[ "$redir_mod" = "混合模式" ] && {
nft add rule inet shellcrash $1 meta l4proto tcp mark set $((fwmark + 1))
nft add chain inet shellcrash "$1"_mixtcp { type nat hook $2 priority -100 \; }
nft add rule inet shellcrash "$1"_mixtcp mark $((fwmark + 1)) meta l4proto tcp redirect to $redir_port
}
#nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug
}
start_nft_dns() { #nftables-dns
HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
HOST_IP6=$(echo $host_ipv6 | sed 's/ /, /g')
[ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
[ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')"
nft add chain inet shellcrash "$1"_dns { type nat hook $2 priority -100 \; }
#过滤非dns请求
nft add rule inet shellcrash "$1"_dns udp dport != 53 return
nft add rule inet shellcrash "$1"_dns tcp dport != 53 return
#防回环
nft add rule inet shellcrash "$1"_dns meta mark $routing_mark return
nft add rule inet shellcrash "$1"_dns meta skgid { 453, 7890 } return
[ "$firewall_area" = 5 ] && nft add rule inet shellcrash "$1"_dns ip saddr $bypass_host return
nft add rule inet shellcrash "$1"_dns ip saddr != {$HOST_IP} return #屏蔽外部请求
[ "$1" = 'prerouting' ] && nft add rule inet shellcrash "$1"_dns ip6 saddr != {$HOST_IP6} return #屏蔽外部请求
#过滤局域网设备
[ "$1" = 'prerouting' ] && [ -s "$CRASHDIR"/configs/mac ] && {
MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
if [ "$macfilter_type" = "黑名单" ]; then
nft add rule inet shellcrash "$1"_dns ether saddr {$MAC} return
else
nft add rule inet shellcrash "$1"_dns ether saddr != {$MAC} return
fi
}
nft add rule inet shellcrash "$1"_dns udp dport 53 redirect to ${dns_port}
nft add rule inet shellcrash "$1"_dns tcp dport 53 redirect to ${dns_port}
}
start_nft_wan() { #nftables公网防火墙
nft add chain inet shellcrash input { type filter hook input priority -100 \; }
nft add rule inet shellcrash input iif lo accept #本机请求全放行
#端口放行
[ -n "$fw_wan_ports" ] && {
fw_wan_nfports="{ $(echo "$fw_wan_ports" | sed 's/,/, /g') }"
nft add rule inet shellcrash input tcp dport $fw_wan_nfports accept
nft add rule inet shellcrash input udp dport $fw_wan_nfports accept
}
#端口拦截
reject_ports="{ $mix_port, $db_port, $dns_port }"
nft add rule inet shellcrash input tcp dport $reject_ports reject
nft add rule inet shellcrash input udp dport $reject_ports reject
}
start_nftables() { #nftables配置总入口
#初始化nftables
nft add table inet shellcrash 2>/dev/null
nft flush table inet shellcrash 2>/dev/null
#公网访问防火墙
[ "$fw_wan" != OFF ] && [ "$systype" != 'container' ] && start_nft_wan
#启动DNS劫持
[ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && {
[ "$lan_proxy" = true ] && start_nft_dns prerouting prerouting #局域网dns转发
[ "$local_proxy" = true ] && start_nft_dns output output #本机dns转发
}
#分模式设置流量劫持
[ "$redir_mod" = "Redir模式" ] && {
JUMP="meta l4proto tcp redirect to $redir_port" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -100
[ "$local_proxy" = true ] && start_nft_route output output nat -100
}
[ "$redir_mod" = "Tproxy模式" ] && (modprobe nft_tproxy >/dev/null 2>&1 || lsmod 2>/dev/null | grep -q nft_tproxy) && {
JUMP="meta l4proto {tcp, udp} mark set $fwmark tproxy to :$tproxy_port" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting filter -150
[ "$local_proxy" = true ] && {
JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令
start_nft_route output output route -150
nft add chain inet shellcrash mark_out { type filter hook prerouting priority -100 \; }
nft add rule inet shellcrash mark_out meta mark $fwmark meta l4proto {tcp, udp} tproxy to :$tproxy_port
}
}
[ "$tun_statu" = true ] && {
[ "$redir_mod" = "Tun模式" ] && JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令
[ "$redir_mod" = "混合模式" ] && JUMP="meta l4proto udp mark set $fwmark" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && {
start_nft_route prerouting prerouting filter -150
#放行流量
nft list table inet fw4 >/dev/null 2>&1 || nft add table inet fw4
nft list chain inet fw4 forward >/dev/null 2>&1 || nft add chain inet fw4 forward { type filter hook forward priority filter \; } 2>/dev/null
nft list chain inet fw4 input >/dev/null 2>&1 || nft add chain inet fw4 input { type filter hook input priority filter \; } 2>/dev/null
nft list chain inet fw4 forward | grep -q 'oifname "utun" accept' || nft insert rule inet fw4 forward oifname "utun" accept
nft list chain inet fw4 input | grep -q 'iifname "utun" accept' || nft insert rule inet fw4 input iifname "utun" accept
}
[ "$local_proxy" = true ] && start_nft_route output output route -150
}
[ "$firewall_area" = 5 ] && {
[ "$redir_mod" = "T&U旁路转发" ] && JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令
[ "$redir_mod" = "TCP旁路转发" ] && JUMP="meta l4proto tcp mark set $fwmark" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting filter -150
[ "$local_proxy" = true ] && start_nft_route output output route -150
}
[ "$vm_redir" = "已开启" ] && [ -n "$$vm_ipv4" ] && {
start_nft_dns prerouting_vm prerouting
JUMP="meta l4proto tcp redirect to $redir_port" #跳转劫持的具体命令
start_nft_route prerouting_vm prerouting nat -100
}
#屏蔽QUIC
[ "$quic_rj" = '已启用' -a "$lan_proxy" = true ] && {
[ "$redir_mod" = "Tproxy模式" ] && {
nft add chain inet shellcrash quic_rj { type filter hook input priority 0 \; }
[ -n "$CN_IP" ] && nft add rule inet shellcrash quic_rj ip daddr {$CN_IP} return
[ -n "$CN_IP6" ] && nft add rule inet shellcrash quic_rj ip6 daddr {$CN_IP6} return
nft add rule inet shellcrash quic_rj udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT'
}
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
nft insert rule inet fw4 forward oifname "utun" udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT'
[ -n "$CN_IP" ] && nft insert rule inet fw4 forward oifname "utun" ip daddr {$CN_IP} return
[ -n "$CN_IP6" ] && nft insert rule inet fw4 forward oifname "utun" ip6 daddr {$CN_IP6} return
}
}
}

42
scripts/starts/fw_start.sh Normal file
View File

@@ -0,0 +1,42 @@
#!/bin/sh
# Copyright (C) Juewuy
#路由规则总入口
start_firewall() {
getlanip #获取局域网host地址
#设置策略路由
[ "$firewall_area" != 4 ] && {
[ "$redir_mod" = "Tproxy模式" ] && ip route add local default dev lo table $table 2>/dev/null
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
i=1
while [ -z "$(ip route list | grep utun)" -a "$i" -le 29 ]; do
sleep 1
i=$((i + 1))
done
if [ -z "$(ip route list | grep utun)" ]; then
logger "找不到tun模块放弃启动tun相关防火墙规则" 31
else
ip route add default dev utun table $table && tun_statu=true
fi
}
[ "$firewall_area" = 5 ] && ip route add default via $bypass_host table $table 2>/dev/null
[ "$redir_mod" != "Redir模式" ] && ip rule add fwmark $fwmark table $table 2>/dev/null
}
#添加ipv6路由
[ "$ipv6_redir" = "已开启" -a "$firewall_area" -le 3 ] && {
[ "$redir_mod" = "Tproxy模式" ] && ip -6 route add local default dev lo table $((table + 1)) 2>/dev/null
[ -n "$(ip route list | grep utun)" ] && ip -6 route add default dev utun table $((table + 1)) 2>/dev/null
[ "$redir_mod" != "Redir模式" ] && ip -6 rule add fwmark $fwmark table $((table + 1)) 2>/dev/null
}
#判断代理用途
[ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && local_proxy=true
[ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 ] && lan_proxy=true
#防火墙配置
[ "$firewall_mod" = 'iptables' ] && . "$CRASHDIR"/starts/fw_iptables.sh && start_iptables
[ "$firewall_mod" = 'nftables' ] && . "$CRASHDIR"/starts/fw_nftables.sh && start_nftables
#修复部分虚拟机dns查询失败的问题
[ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -z "$(grep '127.0.0.1' /etc/resolv.conf 2>/dev/null)" ] && [ "$systype" != 'container' ] && {
line=$(grep -n 'nameserver' /etc/resolv.conf | awk -F: 'FNR==1{print $1}')
sed -i "$line i\nameserver 127.0.0.1 #shellcrash-dns-repair" /etc/resolv.conf >/dev/null 2>&1
}
}

130
scripts/starts/fw_stop.sh Normal file
View File

@@ -0,0 +1,130 @@
#!/bin/sh
# Copyright (C) Juewuy
#还原防火墙配置
stop_firewall() {
#获取局域网host地址
getlanip
#重置iptables相关规则
ckcmd iptables && {
#dns
$iptable -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_dns 2>/dev/null
$iptable -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_dns 2>/dev/null
$iptable -t nat -D OUTPUT -p udp --dport 53 -j shellcrash_dns_out 2>/dev/null
$iptable -t nat -D OUTPUT -p tcp --dport 53 -j shellcrash_dns_out 2>/dev/null
#redir
$iptable -t nat -D PREROUTING -p tcp $ports -j shellcrash 2>/dev/null
$iptable -t nat -D PREROUTING -p tcp -d 28.0.0.0/8 -j shellcrash 2>/dev/null
$iptable -t nat -D OUTPUT -p tcp $ports -j shellcrash_out 2>/dev/null
$iptable -t nat -D OUTPUT -p tcp -d 28.0.0.0/8 -j shellcrash_out 2>/dev/null
#vm_dns
$iptable -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_vm_dns 2>/dev/null
$iptable -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_vm_dns 2>/dev/null
#vm_redir
$iptable -t nat -D PREROUTING -p tcp $ports -j shellcrash_vm 2>/dev/null
$iptable -t nat -D PREROUTING -p tcp -d 28.0.0.0/8 -j shellcrash_vm 2>/dev/null
#TPROXY&tun
$iptable -t mangle -D PREROUTING -p tcp $ports -j shellcrash_mark 2>/dev/null
$iptable -t mangle -D PREROUTING -p udp $ports -j shellcrash_mark 2>/dev/null
$iptable -t mangle -D PREROUTING -p tcp -d 28.0.0.0/8 -j shellcrash_mark 2>/dev/null
$iptable -t mangle -D PREROUTING -p udp -d 28.0.0.0/8 -j shellcrash_mark 2>/dev/null
$iptable -t mangle -D OUTPUT -p tcp $ports -j shellcrash_mark_out 2>/dev/null
$iptable -t mangle -D OUTPUT -p udp $ports -j shellcrash_mark_out 2>/dev/null
$iptable -t mangle -D OUTPUT -p tcp -d 28.0.0.0/8 -j shellcrash_mark_out 2>/dev/null
$iptable -t mangle -D OUTPUT -p udp -d 28.0.0.0/8 -j shellcrash_mark_out 2>/dev/null
$iptable -t mangle -D PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port 2>/dev/null
$iptable -t mangle -D PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port 2>/dev/null
#tun
$iptable -D FORWARD -o utun -j ACCEPT 2>/dev/null
#屏蔽QUIC
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst'
$iptable -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null
$iptable -D FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT 2>/dev/null
#公网访问
$iptable -D INPUT -i lo -j ACCEPT 2>/dev/null
$iptable -D INPUT -p tcp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null
$iptable -D INPUT -p udp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null
$iptable -D INPUT -p tcp -m multiport --dports "$mix_port,$db_port,$dns_port" -j REJECT 2>/dev/null
$iptable -D INPUT -p udp -m multiport --dports "$mix_port,$db_port,$dns_port" -j REJECT 2>/dev/null
#清理shellcrash自建表
for words in shellcrash_dns shellcrash shellcrash_out shellcrash_dns_out shellcrash_vm shellcrash_vm_dns; do
$iptable -t nat -F $words 2>/dev/null
$iptable -t nat -X $words 2>/dev/null
done
for words in shellcrash_mark shellcrash_mark_out; do
$iptable -t mangle -F $words 2>/dev/null
$iptable -t mangle -X $words 2>/dev/null
done
}
#重置ipv6规则
ckcmd ip6tables && {
#dns
$ip6table -t nat -D PREROUTING -p tcp --dport 53 -j shellcrashv6_dns 2>/dev/null
$ip6table -t nat -D PREROUTING -p udp --dport 53 -j shellcrashv6_dns 2>/dev/null
#redir
$ip6table -t nat -D PREROUTING -p tcp $ports -j shellcrashv6 2>/dev/null
$ip6table -t nat -D PREROUTING -p tcp -d fc00::/16 -j shellcrashv6 2>/dev/null
$ip6table -t nat -D OUTPUT -p tcp $ports -j shellcrashv6_out 2>/dev/null
$ip6table -t nat -D OUTPUT -p tcp -d fc00::/16 -j shellcrashv6_out 2>/dev/null
$ip6table -D INPUT -p tcp --dport 53 -j REJECT 2>/dev/null
$ip6table -D INPUT -p udp --dport 53 -j REJECT 2>/dev/null
#mark
$ip6table -t mangle -D PREROUTING -p tcp $ports -j shellcrashv6_mark 2>/dev/null
$ip6table -t mangle -D PREROUTING -p udp $ports -j shellcrashv6_mark 2>/dev/null
$ip6table -t mangle -D PREROUTING -p tcp -d fc00::/16 -j shellcrashv6_mark 2>/dev/null
$ip6table -t mangle -D PREROUTING -p udp -d fc00::/16 -j shellcrashv6_mark 2>/dev/null
$ip6table -t mangle -D OUTPUT -p tcp $ports -j shellcrashv6_mark_out 2>/dev/null
$ip6table -t mangle -D OUTPUT -p udp $ports -j shellcrashv6_mark_out 2>/dev/null
$ip6table -t mangle -D OUTPUT -p tcp -d fc00::/16 -j shellcrashv6_mark_out 2>/dev/null
$ip6table -t mangle -D OUTPUT -p udp -d fc00::/16 -j shellcrashv6_mark_out 2>/dev/null
$ip6table -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null
$ip6table -t mangle -D PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port 2>/dev/null
$ip6table -t mangle -D PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port 2>/dev/null
#tun
$ip6table -D FORWARD -o utun -j ACCEPT 2>/dev/null
#屏蔽QUIC
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst'
$ip6table -D INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT 2>/dev/null
$ip6table -D FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT 2>/dev/null
#公网访问
$ip6table -D INPUT -i lo -j ACCEPT 2>/dev/null
$ip6table -D INPUT -p tcp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null
$ip6table -D INPUT -p udp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null
$ip6table -D INPUT -p tcp -m multiport --dports "$mix_port,$db_port,$dns_port" -j REJECT 2>/dev/null
$ip6table -D INPUT -p udp -m multiport --dports "$mix_port,$db_port,$dns_port" -j REJECT 2>/dev/null
#清理shellcrash自建表
for words in shellcrashv6_dns shellcrashv6 shellcrashv6_out; do
$ip6table -t nat -F $words 2>/dev/null
$ip6table -t nat -X $words 2>/dev/null
done
for words in shellcrashv6_mark shellcrashv6_mark_out; do
$ip6table -t mangle -F $words 2>/dev/null
$ip6table -t mangle -X $words 2>/dev/null
done
$ip6table -t mangle -F shellcrashv6_mark 2>/dev/null
$ip6table -t mangle -X shellcrashv6_mark 2>/dev/null
}
#清理ipset规则
ipset destroy cn_ip >/dev/null 2>&1
ipset destroy cn_ip6 >/dev/null 2>&1
#移除dnsmasq转发规则
[ "$dns_redir" = "已开启" ] && {
uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1
uci set dhcp.@dnsmasq[0].noresolv=0 2>/dev/null
uci commit dhcp >/dev/null 2>&1
/etc/init.d/dnsmasq restart >/dev/null 2>&1
}
#清理路由规则
ip rule del fwmark $fwmark table $table 2>/dev/null
ip route flush table $table 2>/dev/null
ip -6 rule del fwmark $fwmark table $((table + 1)) 2>/dev/null
ip -6 route flush table $((table + 1)) 2>/dev/null
#重置nftables相关规则
ckcmd nft && {
nft flush table inet shellcrash >/dev/null 2>&1
nft delete table inet shellcrash >/dev/null 2>&1
}
#还原防火墙文件
[ -s /etc/init.d/firewall.bak ] && mv -f /etc/init.d/firewall.bak /etc/init.d/firewall
#others
[ "$systype" != 'container' ] && sed -i '/shellcrash-dns-repair/d' /etc/resolv.conf >/dev/null 2>&1
}