From 384cd7c33911ec0b91dc4a02ca623ecf1d2032fa Mon Sep 17 00:00:00 2001
From: juewuy
Date: Sun, 28 Apr 2024 20:54:18 +0800
Subject: [PATCH] =?UTF-8?q?~=E4=BF=AE=E5=A4=8Dnftables=E2=80=94tproxy?=
 =?UTF-8?q?=E6=A8=A1=E5=BC=8F=E6=97=A0=E6=B3=95=E5=8A=AB=E6=8C=81=E6=B5=81?=
 =?UTF-8?q?=E9=87=8F=E7=9A=84bug?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 scripts/menu.sh | 2 +-
 scripts/start.sh | 32 ++++++++++++++++----------------
 2 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/scripts/menu.sh b/scripts/menu.sh
index 9c63b57..851ff93 100644
--- a/scripts/menu.sh
+++ b/scripts/menu.sh
@@ -1097,7 +1097,7 @@ set_firewall_area(){
 echo -e " 2 \033[36m仅劫持本机流量\033[0m"
 echo -e " 3 \033[32m劫持局域网+本机流量\033[0m"
 echo -e " 4 不配置流量劫持(纯净模式)\033[0m"
-echo -e " 5 \033[33m转发局域网流量到旁路由设备\033[0m"
+#echo -e " 5 \033[33m转发局域网流量到旁路由设备\033[0m"
 echo -----------------------------------------------
 read -p "请输入对应数字 > " num
 case $num in
diff --git a/scripts/start.sh b/scripts/start.sh
index 70dfe55..e8e6fad 100644
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -1005,18 +1005,6 @@ start_ipt_wan() { #iptables公网防火墙
 start_iptables() { #iptables配置总入口
 #启动公网访问防火墙
 start_ipt_wan
-#启动DNS劫持
-[ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && {
-[ "$lan_proxy" = true ] && {
-start_ipt_dns iptables PREROUTING shellcrash_dns #ipv4-局域网dns转发
-if ip6tables -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then
-start_ipt_dns ip6tables PREROUTING shellcrashv6_dns #ipv6-局域网dns转发
-else
-ip6tables -I INPUT -p udp --dport 53 -m comment --comment "ShellCrash-IPV6_DNS-REJECT" -j REJECT
-fi
-}
-[ "$local_proxy" = true ] && start_ipt_dns iptables OUTPUT shellcrash_dns_out #ipv4-本机dns转发
-}
 #分模式设置流量劫持
 [ "$redir_mod" = "Redir模式" -o "$redir_mod" = "混合模式" ] && {
 JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令
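Review bot: Commenting out the menu line for option 5 hides the choice but does not retire it: the `case $num in` that follows (outside this hunk) presumably still accepts 5, and the `[ "$firewall_area" = 5 ]` branches in start.sh (the start_nft_route hunk at 1102 and the 1230 hunk, both still edited by this commit) remain live, so a device with a previously saved `firewall_area=5` keeps installing the bypass-router rules with no menu entry left to show or change that. If the option is being withdrawn, the case arm should reject or remap the value and a comment should say so; if it is only temporarily hidden, a short comment such as `#5 转发局域网流量到旁路由设备 — hidden for now: <reason>, saved configs still honoured` beats a bare commented-out echo. set_firewall_area's body continues outside the hunk.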
@@ -1081,6 +1069,18 @@ start_iptables() { #iptables配置总入口
 fi
 }
 }
+#启动DNS劫持
+[ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && {
+[ "$lan_proxy" = true ] && {
+start_ipt_dns iptables PREROUTING shellcrash_dns #ipv4-局域网dns转发
+if ip6tables -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then
+start_ipt_dns ip6tables PREROUTING shellcrashv6_dns #ipv6-局域网dns转发
+else
+ip6tables -I INPUT -p udp --dport 53 -m comment --comment "ShellCrash-IPV6_DNS-REJECT" -j REJECT
+fi
+}
+[ "$local_proxy" = true ] && start_ipt_dns iptables OUTPUT shellcrash_dns_out #ipv4-本机dns转发
+}
 #屏蔽QUIC
 [ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && {
 [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && {
@@ -1102,7 +1102,7 @@ start_nft_route() { #nftables-route通用工具
 #防回环
 nft add rule inet shellcrash $1 meta mark $routing_mark return
 nft add rule inet shellcrash $1 meta skgid 7890 return
-nft add rule inet shellcrash $1 ip saddr 198.18.0.0/16 return
+#nft add rule inet shellcrash $1 ip saddr 198.18.0.0/16 return
 [ "$firewall_area" = 5 ] && nft add rule inet shellcrash $1 ip saddr $bypass_host return
 #过滤局域网设备
 [ -n "$(cat "$CRASHDIR"/configs/mac)" ] && {
@@ -1208,7 +1208,7 @@ start_nftables() { #nftables配置总入口
 }
 [ "$redir_mod" = "Tproxy模式" ] && modprobe nft_tproxy >/dev/null 2>&1 && {
 JUMP="meta l4proto {tcp, udp} mark set $fwmark tproxy to :$tproxy_port" #跳转劫持的具体命令
-[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -150
+[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting filter -150
 [ "$local_proxy" = true ] && {
 JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令
 start_nft_route output output route -150
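Review bot: Moving the DNS-hijack block below the per-mode hijack setup changes the order in which the PREROUTING and OUTPUT rules are installed, and neither the hunk nor the commit subject (which only names the nftables tproxy fix) says why. Whether port-53 traffic is still matched ahead of the mode jump rules now depends on `start_ipt_dns` inserting with `-I` rather than appending; that helper is outside this diff, so please confirm and record the dependency in the moved comment, e.g. `#启动DNS劫持 — placed after the mode rules because: <reason>`. The pre-existing test `[ ... -a "$firewall_area" -le 3 ]` also errors out when `$firewall_area` is empty or non-numeric, and under `&&` that silently skips the whole block; a leading `[ -n "$firewall_area" ] &&` or a `[[ ... && ... ]]` form would make the skip explicit. start_iptables' body starts and ends outside this hunk.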
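Review bot: Replacing the `ip saddr 198.18.0.0/16 return` rule with a commented-out line leaves no record of why packets sourced from that range (presumably the fake-ip pool) no longer need to bypass the chain, and the `#防回环` comment above now overstates what the block does. Dropping a return rule widens what every chain built by `start_nft_route` matches: such packets now fall through to the mark/tproxy jump, and loop prevention rests solely on the `meta mark $routing_mark` and `skgid 7890` returns, which deserves a sentence in the commit or a comment such as `#fake-ip (198.18.0.0/16) sources are no longer excluded here: <reason>`. If the rule is genuinely dead, delete it rather than keeping commented-out code. start_nft_route's body starts and ends outside this hunk.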
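Review bot: The `nat` to `filter` change on the prerouting chain is the fix named in the subject, but it is now repeated in three call sites (here and in the 1220 and 1230 hunks) with no comment saying why a filter-type chain is required, so the next edit can regress it just as easily. A one-line note at this first site, e.g. `#prerouting must be a filter-type chain: tproxy is not accepted in nat chains, and nat chains only see the first packet of a flow`, would pin that down; alternatively `start_nft_route` could fix the chain type itself so callers cannot pass `nat`. Separately, the guard `modprobe nft_tproxy >/dev/null 2>&1 && {` on the line above swallows a failed module load, leaving the device with no hijack rules and no diagnostic; testing the modprobe result separately and printing a message to stderr on failure would make that state visible. start_nftables' body starts and ends outside this hunk.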
@@ -1220,7 +1220,7 @@ start_nftables() { #nftables配置总入口
 [ "$redir_mod" = "Tun模式" ] && JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令
 [ "$redir_mod" = "混合模式" ] && JUMP="meta l4proto udp mark set $fwmark" #跳转劫持的具体命令
 [ "$lan_proxy" = true ] && {
-start_nft_route prerouting prerouting nat -150
+start_nft_route prerouting prerouting filter -150
 #放行流量
 nft add chain inet shellcrash forward { type filter hook forward priority -150 \; }
 nft add rule inet shellcrash forward oifname "utun" accept
@@ -1230,7 +1230,7 @@ start_nftables() { #nftables配置总入口
 [ "$firewall_area" = 5 ] && {
 [ "$redir_mod" = "T&U旁路转发" ] && JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令
 [ "$redir_mod" = "TCP旁路转发" ] && JUMP="meta l4proto tcp mark set $fwmark" #跳转劫持的具体命令
-[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -150
+[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting filter -150
 [ "$local_proxy" = true ] && start_nft_route output output route -150
 }
 #屏蔽QUIC