From 23d10a8be6112dc52c6ea8045a18d186bbaacd30 Mon Sep 17 00:00:00 2001 From: jelly21fish <131505153+jelly21fish@users.noreply.github.com> Date: Sun, 23 Jun 2024 18:58:03 +0800 Subject: [PATCH 1/6] ipv6 local proxy --- scripts/start.sh | 55 ++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 48 insertions(+), 7 deletions(-) diff --git a/scripts/start.sh b/scripts/start.sh index 2b5a458..8faeec2 100644 --- a/scripts/start.sh +++ b/scripts/start.sh @@ -893,6 +893,7 @@ start_ipt_route() { #iptables-route通用工具 [ "$1" = 'ip6tables' ] && { RESERVED_IP=$reserve_ipv6 HOST_IP=$host_ipv6 + [ "$3" = 'OUTPUT' ] && HOST_IP="::1 $host_ipv6" } #创建新的shellcrash链表 $1 -t $2 -N $4 @@ -1018,7 +1019,15 @@ start_iptables() { #iptables配置总入口 fi } } - [ "$local_proxy" = true ] && start_ipt_route iptables nat OUTPUT shellcrash_out tcp #ipv4-本机tcp转发 + [ "$local_proxy" = true ] && { + start_ipt_route iptables nat OUTPUT shellcrash_out tcp #ipv4-本机tcp转发 + [ "$ipv6_redir" = "已开启" ] && { + if ip6tables -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then + start_ipt_route ip6tables nat OUTPUT shellcrashv6_out tcp #ipv6-本机tcp转发 + else + logger "当前设备内核缺少ip6tables_REDIRECT模块支持,已放弃启动相关规则!" 31 + fi + } } [ "$redir_mod" = "Tproxy模式" ] && { JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令 
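Review bot: The added `[ "$3" = 'OUTPUT' ] && HOST_IP="::1 $host_ipv6"` immediately overrides the `HOST_IP=$host_ipv6` assigned on the previous line, and nothing in the hunk says why loopback is added only for the OUTPUT chain. A single conditional assignment reads more clearly: `if [ "$3" = 'OUTPUT' ]; then HOST_IP="::1 $host_ipv6"; else HOST_IP=$host_ipv6; fi`, preceded by a comment such as `# OUTPUT chain: include loopback (::1) among the host addresses`. The part of start_ipt_route that consumes HOST_IP lies outside this hunk, so whether ::1 ends up exempted as a destination or as a source cannot be checked here and should be confirmed against that code.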
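Review bot: The three nested `&& {` blocks wrapping the IPv6 REDIRECT probe make the closing braces hard to match — this first version of the hunk is one `}` short, which the later "fix typo" commits in the series have to add and then re-indent. Writing the new block as `if [ "$local_proxy" = true ]; then … fi` with an inner `if [ "$ipv6_redir" = "已开启" ]; then … fi` makes the structure self-checking and matches the `if/else/fi` already used around the REDIRECT probe. The new `shellcrashv6_out` chain in nat OUTPUT also needs the same loop protection as the IPv4 `shellcrash_out` chain (the proxy core's own outbound traffic must not be redirected back into it); that is presumably handled inside start_ipt_route, which is outside this hunk, so it is worth confirming for the ip6tables branch. start_iptables continues outside the hunk.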
@@ -1037,10 +1046,20 @@ start_iptables() { #iptables配置总入口 else logger "当前设备内核可能缺少kmod_ipt_tproxy模块支持,已放弃启动相关规则!" 31 fi - [ "$ipv6_redir" = "已开启" ] && [ "$lan_proxy" = true ] && { + [ "$ipv6_redir" = "已开启" ] && { if ip6tables -j TPROXY -h 2>/dev/null | grep -q '\--on-port'; then JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令 - start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark all + [ "$lan_proxy" = true ] && start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark all + [ "$local_proxy" = true ] && { + if [ -n "$(grep -E '^MARK$' /proc/net/ip6_tables_targets)" ]; then + JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令 + start_ipt_route ip6tables mangle OUTPUT shellcrashv6_mark_out all + ip6tables -t mangle -A PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port + ip6tables -t mangle -A PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port + else + logger "当前设备内核可能缺少xt_mark模块支持,已放弃启动本机代理相关规则!" 31 + fi + } else logger "当前设备内核可能缺少kmod_ipt_tproxy或者xt_mark模块支持,已放弃启动相关规则!" 31 fi @@ -1060,10 +1079,13 @@ start_iptables() { #iptables配置总入口 else logger "当前设备内核可能缺少x_mark模块支持,已放弃启动相关规则!" 31 fi - [ "$ipv6_redir" = "已开启" ] && [ "$lan_proxy" = true ] && [ "$crashcore" != clashpre ] && { + [ "$ipv6_redir" = "已开启" ] && [ "$crashcore" != clashpre ] && { if ip6tables -j MARK -h 2>/dev/null | grep -q '\--set-mark'; then - [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && ip6tables -I FORWARD -o utun -j ACCEPT - start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark $protocol + [ "$lan_proxy" = true ] && { + [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && ip6tables -I FORWARD -o utun -j ACCEPT + start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark $protocol + } + [ "$local_proxy" = true ] && start_ipt_route ip6tables mangle OUTPUT shellcrashv6_mark_out $protocol else logger "当前设备内核可能缺少xt_mark模块支持,已放弃启动相关规则!" 31 fi 
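Review bot: The two rules appended directly to PREROUTING, `ip6tables -t mangle -A PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port` and its udp twin, are not removed by the stop_firewall hunks in this series (the `#mark` block there only deletes the chain jumps and flushes the shellcrash-owned chains), so unless they are cleaned up somewhere outside these hunks they survive a stop and accumulate one extra copy per start. Add matching `ip6tables -t mangle -D PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port 2>/dev/null` (and the udp line) to stop_firewall, or place them in a shellcrash-owned chain so the existing flush covers them. The capability probe `[ -n "$(grep -E '^MARK$' /proc/net/ip6_tables_targets)" ]` also differs from the `ip6tables -j MARK -h 2>/dev/null | grep -q '\--set-mark'` form used in the next hunk and writes a grep error to stderr when the proc file is absent; `grep -qx MARK /proc/net/ip6_tables_targets 2>/dev/null` is quieter and consistent. The enclosing start_iptables function starts and ends outside the hunk.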
@@ -1134,6 +1156,18 @@ start_nft_route() { #nftables-route通用工具 CN_IP6=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ipv6.txt) [ -n "$CN_IP6" ] && nft add rule inet shellcrash $1 ip6 daddr {$CN_IP6} return } + elif [ "$ipv6_redir" = "已开启" -a "$1" = 'output' -a \( "$firewall_area" = 2 -o "$firewall_area" = 3 \) ]; then + RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')" + HOST_IP6="$(::1, echo $local_ipv6 | sed 's/ /, /g')" + #过滤保留地址及本机地址 + nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return + #仅代理本机局域网网段流量 + nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return + #绕过CN_IPV6 + [ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" -a -f "$BINDIR"/cn_ipv6.txt ] && { + CN_IP6=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ipv6.txt) + [ -n "$CN_IP6" ] && nft add rule inet shellcrash $1 ip6 daddr {$CN_IP6} return + } else nft add rule inet shellcrash $1 meta nfproto ipv6 return fi @@ -1352,10 +1386,14 @@ stop_firewall() { #还原防火墙配置 #重置ipv6规则 ckcmd ip6tables && { #清理shellcrash自建表 - for table in shellcrashv6_dns shellcrashv6; do + for table in shellcrashv6_dns shellcrashv6 shellcrashv6_out; do ip6tables -t nat -F $table 2>/dev/null ip6tables -t nat -X $table 2>/dev/null done + for table in shellcrashv6_mark shellcrashv6_mark_out; do + ip6tables -t mangle -F $table 2>/dev/null + ip6tables -t mangle -X $table 2>/dev/null + done ip6tables -t mangle -F shellcrashv6_mark 2>/dev/null ip6tables -t mangle -X shellcrashv6_mark 2>/dev/null #dns 
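Review bot: The comment `#仅代理本机局域网网段流量` above `nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return` is copied from the PREROUTING branch and no longer describes this rule: in the output hook it returns every packet whose source is not one of the host's own addresses, so only host-originated traffic goes on to be proxied. Replace it with something like `# output hook: only traffic sourced from the host's own addresses (incl. ::1) is proxied`. The branch condition `-a "$1" = 'output' -a \( "$firewall_area" = 2 -o "$firewall_area" = 3 \)` would also benefit from a comment naming what areas 2 and 3 stand for, since nothing in the hunk says so. The HOST_IP6 assignment in this version is corrected by later commits in the series, so it is not re-raised here. start_nft_route continues outside the hunk.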
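Review bot: The new loop `for table in shellcrashv6_mark shellcrashv6_mark_out; do … ip6tables -t mangle -F/-X … done` makes the two context lines directly after it, `ip6tables -t mangle -F shellcrashv6_mark 2>/dev/null` and the matching `-X`, redundant; drop them. Note also that `-X` cannot delete a chain while the OUTPUT/PREROUTING jump rules still reference it, and those `-D` lines run later in stop_firewall (next hunk), so the `2>/dev/null` hides that failure and the mangle chains can linger; if the ordering is as the hunks suggest, moving the jump deletions ahead of the flush/delete loops would fix this for both the old and the new chains. stop_firewall starts and ends outside this hunk.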
@@ -1363,10 +1401,13 @@ stop_firewall() { #还原防火墙配置 ip6tables -t nat -D PREROUTING -p udp --dport 53 -j shellcrashv6_dns 2>/dev/null #redir ip6tables -t nat -D PREROUTING -p tcp $ports -j shellcrashv6 2>/dev/null + ip6tables -t nat -D OUTPUT -p tcp $ports -j shellcrashv6_out 2>/dev/null ip6tables -D INPUT -p udp --dport 53 -j REJECT 2>/dev/null #mark ip6tables -t mangle -D PREROUTING -p tcp $ports -j shellcrashv6_mark 2>/dev/null ip6tables -t mangle -D PREROUTING -p udp $ports -j shellcrashv6_mark 2>/dev/null + ip6tables -t mangle -D OUTPUT -p tcp $ports -j shellcrashv6_mark_out 2>/dev/null + ip6tables -t mangle -D OUTPUT -p udp $ports -j shellcrashv6_mark_out 2>/dev/null ip6tables -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null #tun ip6tables -D FORWARD -o utun -j ACCEPT 2>/dev/null From 9124d0fadeb2a52e8848184ef897988252baa35e Mon Sep 17 00:00:00 2001 From: jelly21fish <131505153+jelly21fish@users.noreply.github.com> Date: Mon, 24 Jun 2024 00:31:39 +0800 Subject: [PATCH 2/6] fix typo --- scripts/start.sh | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/scripts/start.sh b/scripts/start.sh index 8faeec2..f945e59 100644 --- a/scripts/start.sh +++ b/scripts/start.sh @@ -1028,6 +1028,7 @@ start_iptables() { #iptables配置总入口 logger "当前设备内核缺少ip6tables_REDIRECT模块支持,已放弃启动相关规则!" 31 fi } + } } [ "$redir_mod" = "Tproxy模式" ] && { JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令 @@ -1050,7 +1051,7 @@ start_iptables() { #iptables配置总入口 if ip6tables -j TPROXY -h 2>/dev/null | grep -q '\--on-port'; then JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令 [ "$lan_proxy" = true ] && start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark all - [ "$local_proxy" = true ] && { + [ "$local_proxy" = true ] && { if [ -n "$(grep -E '^MARK$' /proc/net/ip6_tables_targets)" ]; then JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令 start_ipt_route ip6tables mangle OUTPUT shellcrashv6_mark_out all 
@@ -1081,10 +1082,10 @@ start_iptables() { #iptables配置总入口 fi [ "$ipv6_redir" = "已开启" ] && [ "$crashcore" != clashpre ] && { if ip6tables -j MARK -h 2>/dev/null | grep -q '\--set-mark'; then - [ "$lan_proxy" = true ] && { + [ "$lan_proxy" = true ] && { [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && ip6tables -I FORWARD -o utun -j ACCEPT start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark $protocol - } + } [ "$local_proxy" = true ] && start_ipt_route ip6tables mangle OUTPUT shellcrashv6_mark_out $protocol else logger "当前设备内核可能缺少xt_mark模块支持,已放弃启动相关规则!" 31 @@ -1156,7 +1157,7 @@ start_nft_route() { #nftables-route通用工具 CN_IP6=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ipv6.txt) [ -n "$CN_IP6" ] && nft add rule inet shellcrash $1 ip6 daddr {$CN_IP6} return } - elif [ "$ipv6_redir" = "已开启" -a "$1" = 'output' -a \( "$firewall_area" = 2 -o "$firewall_area" = 3 \) ]; then + elif [ "$ipv6_redir" = "已开启" -a "$1" = 'output' -a \( "$firewall_area" = 2 -o "$firewall_area" = 3 \) ]; then RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')" HOST_IP6="$(::1, echo $local_ipv6 | sed 's/ /, /g')" #过滤保留地址及本机地址 @@ -1390,7 +1391,7 @@ stop_firewall() { #还原防火墙配置 ip6tables -t nat -F $table 2>/dev/null ip6tables -t nat -X $table 2>/dev/null done - for table in shellcrashv6_mark shellcrashv6_mark_out; do + for table in shellcrashv6_mark shellcrashv6_mark_out; do ip6tables -t mangle -F $table 2>/dev/null ip6tables -t mangle -X $table 2>/dev/null done From d8f1cf245b22666c404790d8fdf55538960b0404 Mon Sep 17 00:00:00 2001 From: jelly21fish <131505153+jelly21fish@users.noreply.github.com> Date: Mon, 24 Jun 2024 00:37:47 +0800 Subject: [PATCH 3/6] fix typo --- scripts/start.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/start.sh b/scripts/start.sh index f945e59..63f8249 100644 --- a/scripts/start.sh +++ b/scripts/start.sh 
@@ -1020,15 +1020,15 @@ start_iptables() { #iptables配置总入口 } } [ "$local_proxy" = true ] && { - start_ipt_route iptables nat OUTPUT shellcrash_out tcp #ipv4-本机tcp转发 - [ "$ipv6_redir" = "已开启" ] && { + start_ipt_route iptables nat OUTPUT shellcrash_out tcp #ipv4-本机tcp转发 + [ "$ipv6_redir" = "已开启" ] && { if ip6tables -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then start_ipt_route ip6tables nat OUTPUT shellcrashv6_out tcp #ipv6-本机tcp转发 else logger "当前设备内核缺少ip6tables_REDIRECT模块支持,已放弃启动相关规则!" 31 fi } - } + } } [ "$redir_mod" = "Tproxy模式" ] && { JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令 From 47b66859b0497b44492422ab79037e9bb6cee1c7 Mon Sep 17 00:00:00 2001 From: jelly21fish <131505153+jelly21fish@users.noreply.github.com> Date: Mon, 24 Jun 2024 00:45:12 +0800 Subject: [PATCH 4/6] fix typo --- scripts/start.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/start.sh b/scripts/start.sh index 63f8249..2512287 100644 --- a/scripts/start.sh +++ b/scripts/start.sh @@ -1159,7 +1159,7 @@ start_nft_route() { #nftables-route通用工具 } elif [ "$ipv6_redir" = "已开启" -a "$1" = 'output' -a \( "$firewall_area" = 2 -o "$firewall_area" = 3 \) ]; then RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')" - HOST_IP6="$(::1, echo $local_ipv6 | sed 's/ /, /g')" + HOST_IP6="::1, $(echo $local_ipv6 | sed 's/ /, /g')" #过滤保留地址及本机地址 nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return #仅代理本机局域网网段流量 From 759c36783738c4b9d432c69332eb90423a491fb8 Mon Sep 17 00:00:00 2001 From: jelly21fish <131505153+jelly21fish@users.noreply.github.com> Date: Mon, 24 Jun 2024 00:49:03 +0800 Subject: [PATCH 5/6] fix --- scripts/start.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/start.sh b/scripts/start.sh index 2512287..8fa8b91 100644 --- a/scripts/start.sh +++ b/scripts/start.sh 
@@ -1159,7 +1159,7 @@ start_nft_route() { #nftables-route通用工具 } elif [ "$ipv6_redir" = "已开启" -a "$1" = 'output' -a \( "$firewall_area" = 2 -o "$firewall_area" = 3 \) ]; then RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')" - HOST_IP6="::1, $(echo $local_ipv6 | sed 's/ /, /g')" + HOST_IP6="::1, $(echo $host_ipv6 | sed 's/ /, /g')" #过滤保留地址及本机地址 nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return #仅代理本机局域网网段流量 From 58d3cda5b6470021a5ef0b9ff5628ba5e89d314a Mon Sep 17 00:00:00 2001 From: jelly21fish <131505153+jelly21fish@users.noreply.github.com> Date: Wed, 26 Jun 2024 13:04:04 +0800 Subject: [PATCH 6/6] fix typo --- scripts/start.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/start.sh b/scripts/start.sh index 8fa8b91..646e079 100644 --- a/scripts/start.sh +++ b/scripts/start.sh @@ -1402,12 +1402,12 @@ stop_firewall() { #还原防火墙配置 ip6tables -t nat -D PREROUTING -p udp --dport 53 -j shellcrashv6_dns 2>/dev/null #redir ip6tables -t nat -D PREROUTING -p tcp $ports -j shellcrashv6 2>/dev/null - ip6tables -t nat -D OUTPUT -p tcp $ports -j shellcrashv6_out 2>/dev/null + ip6tables -t nat -D OUTPUT -p tcp $ports -j shellcrashv6_out 2>/dev/null ip6tables -D INPUT -p udp --dport 53 -j REJECT 2>/dev/null #mark ip6tables -t mangle -D PREROUTING -p tcp $ports -j shellcrashv6_mark 2>/dev/null ip6tables -t mangle -D PREROUTING -p udp $ports -j shellcrashv6_mark 2>/dev/null - ip6tables -t mangle -D OUTPUT -p tcp $ports -j shellcrashv6_mark_out 2>/dev/null + ip6tables -t mangle -D OUTPUT -p tcp $ports -j shellcrashv6_mark_out 2>/dev/null ip6tables -t mangle -D OUTPUT -p udp $ports -j shellcrashv6_mark_out 2>/dev/null ip6tables -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null #tun
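Review bot: `HOST_IP6="::1, $(echo $host_ipv6 | sed 's/ /, /g')"` yields `::1, ` with a dangling separator whenever `$host_ipv6` is empty or unset, and the `{$HOST_IP6}` set literal passed to nft may then be rejected so the `saddr != … return` rule is not installed; `RESERVED_IP6` on the line above has the same trailing-comma problem through `"$reserve_ipv6 $host_ipv6"`. A guard such as `HOST_IP6="::1${host_ipv6:+, $(echo $host_ipv6 | sed 's/ /, /g')}"` only appends the list when the variable is non-empty. Whether `$host_ipv6` can actually be empty at this point depends on code outside the hunk; start_nft_route continues outside the hunk.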