From 5ad7785eaeb49d4a68084a2b2006730baf5a91ee Mon Sep 17 00:00:00 2001
From: juewuy
Date: Sun, 11 Dec 2022 22:01:30 +0800
Subject: [PATCH] =?UTF-8?q?v1.6.13c=20~Tun=E7=BD=91=E5=8D=A1Redir-host?=
 =?UTF-8?q?=E5=8F=8AIPV6=E6=94=AF=E6=8C=81=20~=E6=97=A5=E5=BF=97=E6=8E=A8?=
 =?UTF-8?q?=E9=80=81=E9=80=82=E9=85=8DPashDeer=20~=E5=A2=9E=E5=8A=A0ipv6?=
 =?UTF-8?q?=E5=87=BA=E5=8F=A3=E6=9C=AC=E6=9C=BAIP=E5=B1=8F=E8=94=BD=20~?=
 =?UTF-8?q?=E5=AE=89=E8=A3=85=E8=84=9A=E6=9C=AC=E4=BC=98=E5=8C=96=EF=BC=8C?=
 =?UTF-8?q?=E5=85=BC=E5=AE=B9zsh?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 install.sh | 10 +++++++---
 scripts/getdate.sh | 2 +-
 scripts/start.sh | 29 +++++++++++++++++++----------
 3 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/install.sh b/install.sh
index a18fd17..9b31220 100644
--- a/install.sh
+++ b/install.sh
@@ -74,7 +74,7 @@ elif [ "$num" = "1" ];then
 release_new=$(cat /tmp/clashrelease | head -1)
 url_dl="$url_cdn/$release_new"
 else
- echo "无法获取稳定版安装地址,将尝试安装公测版!"
+ $echo "\033[33m无法获取稳定版安装地址,将尝试安装公测版!\033[0m"
 fi
 fi
 [ -z "$url_dl" ] && url_dl=$url
@@ -87,7 +87,11 @@ tarurl=$url_dl/bin/clashfm.tar.gz
 gettar(){
 webget /tmp/clashfm.tar.gz $tarurl
- [ "$result" != "200" ] && echo "文件下载失败,请尝试使用其他安装源!" && exit 1
+ [ "$result" != "200" ] && {
+ $echo "\033[33m文件下载失败,请参考 \033[32mhttps://github.com/juewuy/ShellClash/blob/master/README_CN.md"
+ $echo "\033[33m使用其他安装源重新安装!\033[0m"
+ exit 1
+ }
 $clashdir/start.sh stop 2>/dev/null
 #解压
 echo -----------------------------------------------
@@ -138,7 +142,7 @@ gettar(){
 echo "export clashdir=\"$clashdir\"" >> ~/.zshrc
 }
 else
- echo 无法写入环境变量!请检查安装权限!
+ $echo "\033[33m无法写入环境变量!请检查安装权限!\033[0m"
 exit 1
 fi
 #梅林/Padavan额外设置
diff --git a/scripts/getdate.sh b/scripts/getdate.sh
index c259568..97c49db 100644
--- a/scripts/getdate.sh
+++ b/scripts/getdate.sh
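Review bot: The new failure branch in gettar() reacts only to the HTTP status that webget leaves in `$result`; on 200 the script goes straight to `$clashdir/start.sh stop` and extraction without checking that /tmp/clashfm.tar.gz is the archive it expected. Because `$url_dl` may point at a mirror chosen earlier (`$url_cdn`, or `$url` as fallback), a size or checksum comparison against a value published with the release would turn a truncated or substituted download into the same clear error instead of a half-installed tree. Whether the release ships such a value is not visible here; if it does, the check belongs right after the status test, e.g. `[ "$(sha256sum /tmp/clashfm.tar.gz | cut -d' ' -f1)" = "$EXPECTED_SHA256" ] || { $echo "\033[33m文件校验失败!\033[0m"; exit 1; }` with `EXPECTED_SHA256` as a placeholder for the published digest. gettar() continues outside the hunk.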
@@ -194,7 +194,7 @@ getlink2(){
 read -p "请输入完整链接 > " link
 test=$(echo $link | grep -iE "tp.*://" )
 link=`echo ${link/\ \(*\)/''}` #删除恶心的超链接内容
- link=`echo ${link//\&/\%26}` #将分隔符 & 替换成urlcode:%26
+ link=`echo ${link//\&/\\\&}` #处理分隔符
 if [ -n "$link" -a -n "$test" ];then
 echo -----------------------------------------------
 echo -e 请检查输入的链接是否正确:
diff --git a/scripts/start.sh b/scripts/start.sh
index 2ba09af..896b46f 100644
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -414,11 +414,6 @@ EOF
 sed -i "/^proxy-groups:/a\\$line #自定义策略组" $tmpdir/config.yaml
 done
 fi
-
- #tun/fake-ip防止流量回环
- if [ "$redir_mod" = "混合模式" -o "$redir_mod" = "Tun模式" -o "$dns_mod" = "fake-ip" ];then
- sed -i "/^rules:/a\\$space_rules- SRC-IP-CIDR,198.18.0.0/16,REJECT #自定义规则(防止回环)" $tmpdir/config.yaml
- fi
 #如果没有使用小闪存模式
 if [ "$tmpdir" != "$bindir" ];then
 cmp -s $tmpdir/config.yaml $yaml >/dev/null 2>&1
@@ -464,6 +459,7 @@ start_redir(){
 [ -n "$host_lan" ] && iptables -t nat -A clash -d $host_lan -j RETURN
 #绕过CN_IP
 [ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && iptables -t nat -A clash -m set --match-set cn_ip dst -j RETURN 2>/dev/null
+ [ "$dns_mod" = "fake-ip" ] && iptables -t nat -A clash -s 198.18.0.0/16 -j RETURN
 if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
 #mac白名单
 for mac in $(cat $clashdir/mac); do
@@ -497,7 +493,9 @@ start_redir(){
 for mac in $(cat $clashdir/mac); do
 ip6tables -t nat -A clashv6 -m mac --mac-source $mac -j RETURN
 done
- [ -n "$wan_mac" ] && ip6tables -t nat -A clashv6 -m mac --mac-source $wan_mac -j RETURN #屏蔽本机出口网卡
+ for ip in $ipv6_wan ;do
+ ip6tables -t nat -A clashv6 -p tcp -s $ip -j RETURN #屏蔽本机ipv6地址
+ done
 ip6tables -t nat -A clashv6 -p tcp $ports -j REDIRECT --to-ports $redir_port
 fi
 ip6tables -t nat -A PREROUTING -p tcp -j clashv6
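Review bot: The replacement string `\\\&` on the new `link=` line is processed twice, first by the backticks and then by the `${link//…}` replacement, so what the user's `&` finally becomes depends on the shell's quote-removal rules for that replacement (bash 5.2's `patsub_replacement` additionally gives `&` and `\&` special meaning there), and the comment `#处理分隔符` does not say which result is wanted, whereas the old line produced an unambiguous `%26`. If the intent is a literal backslash before each `&`, write it without the layered escaping and say so, e.g. `link=$(printf '%s\n' "$link" | sed 's/&/\\\&/g') # escape & as \& for the consumer below`, and quote `$link` in the `grep -iE` test two lines above so a pasted link containing `*` or `?` is not glob-expanded. getlink2() continues outside the hunk.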
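Review bot: The fake-ip range 198.18.0.0/16 is now a literal in five separate rules — here in start_redir, in start_tproxy (hunk at 566), in start_tun (hunks at 666 and 695) and in stop_firewall (hunk at 853) — replacing the single `SRC-IP-CIDR` config rule removed at 414. If the range clash is configured with ever changes, these bypasses silently stop matching while the rest of the script keeps working, and the `-D` in stop_firewall has to be kept in step by hand; define it once near the top of the script, `fake_ip_range=198.18.0.0/16 #must match fake-ip-range in config.yaml`, and use `-s $fake_ip_range` in each rule. Note also that this rule and the one at 566 are guarded by `[ "$dns_mod" = "fake-ip" ]` while the one at 695 is unconditional; that matches the condition of the removed config rule (Tun mode always needed it), and a one-line comment at 695 saying so would save the next reader the comparison. start_redir() continues outside the hunk.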
@@ -566,7 +564,7 @@ start_tproxy(){
 iptables -t mangle -A clash -d 240.0.0.0/4 -j RETURN
 [ -n "$host_lan" ] && iptables -t mangle -A clash -d $host_lan -j RETURN
 [ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && iptables -t mangle -A clash -m set --match-set cn_ip dst -j RETURN 2>/dev/null
-
+ [ "$dns_mod" = "fake-ip" ] && iptables -t mangle -A clash -s 198.18.0.0/16 -j RETURN
 tproxy_set(){
 if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
 #mac白名单
@@ -612,7 +610,9 @@ start_tproxy(){
 for mac in $(cat $clashdir/mac); do
 ip6tables -t mangle -A clashv6 -m mac --mac-source $mac -j RETURN
 done
- [ -n "$wan_mac" ] && ip6tables -t mangle -A clashv6 -m mac --mac-source $wan_mac -j RETURN #屏蔽本机出口网卡
+ for ip in $ipv6_wan ;do
+ ip6tables -t mangle -A clashv6 -p $1 -s $ip -j RETURN #屏蔽本机ipv6地址
+ done
 ip6tables -t mangle -A clashv6 -p $1 -j TPROXY --on-port $tproxy_port --tproxy-mark 1
 fi
 ip6tables -t mangle -A PREROUTING -p $1 $ports -j clashv6
@@ -666,6 +666,7 @@ start_tun(){
 modprobe tun &> /dev/null && {
 #允许流量
 iptables -I FORWARD -o utun -j ACCEPT
+ iptables -I FORWARD -s 198.18.0.0/16 -o utun -j RETURN
 #ip6tables -I FORWARD -o utun -j ACCEPT > /dev/null 2>&1
 #屏蔽QUIC
 if [ "$quic_rj" = 已启用 ];then
@@ -695,6 +696,7 @@ start_tun(){
 iptables -t mangle -A clash -d 192.168.0.0/16 -j RETURN
 iptables -t mangle -A clash -d 224.0.0.0/4 -j RETURN
 iptables -t mangle -A clash -d 240.0.0.0/4 -j RETURN
+ iptables -t mangle -A clash -s 198.18.0.0/16 -j RETURN
 [ -n "$host_lan" ] && iptables -t mangle -A clash -d $host_lan -j RETURN
 [ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && iptables -t mangle -A clash -m set --match-set cn_ip dst -j RETURN 2>/dev/null
 if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
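Review bot: `iptables -I FORWARD -s 198.18.0.0/16 -o utun -j RETURN` does not block anything by itself: in a built-in chain RETURN ends traversal and hands the packet to the chain policy, so fake-ip-sourced forwards into utun are dropped only when FORWARD's policy is DROP and pass unchanged when it is ACCEPT. If the intent, as the replacement for the removed `SRC-IP-CIDR,198.18.0.0/16,REJECT` config rule, is to keep such packets out of the tun regardless of policy, say so with an explicit target, `iptables -I FORWARD -s 198.18.0.0/16 -o utun -j DROP #防止fake-ip流量回环`, and change the matching `-D` line added in stop_firewall (hunk at 853) identically so teardown still finds the rule. Since both rules are inserted with `-I`, this one lands ahead of the `-o utun -j ACCEPT` rule, which is presumably the required order; a short comment noting that the order matters would help. start_tun() continues outside the hunk.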
@@ -733,6 +735,9 @@ start_tun(){
 for mac in $(cat $clashdir/mac); do
 ip6tables -t mangle -A clashv6 -m mac --mac-source $mac -j RETURN
 done
+ for ip in $ipv6_wan ;do
+ ip6tables -t mangle -A clashv6 -s $ip -j RETURN #屏蔽本机ipv6地址
+ done
 ip6tables -t mangle -A clashv6 -j MARK --set-mark 1
 fi
 ip6tables -t mangle -A PREROUTING -p udp $ports -j clashv6
@@ -776,7 +781,10 @@ start_nft(){
 ip -6 rule add fwmark 1 table 101 2> /dev/null
 ip -6 route add local ::/0 dev lo table 101 2> /dev/null
 nft add rule inet shellclash prerouting ip6 daddr {${RESERVED_IP6}} return
- [ -n "$wan_mac" ] && nft add rule inet shellclash prerouting ether saddr {${wan_mac}} return #屏蔽本机出口网卡
+ [ -n "$ipv6_wan" ] && {
+ LOCAL_IP6="{$(echo $ipv6_wan | sed s/\ /\,\ /g)}"
+ nft add rule inet shellclash prerouting ip6 daddr {${LOCAL_IP6}} return #屏蔽本机ipv6地址
+ }
 else
 nft add rule inet shellclash prerouting meta nfproto ipv6 return
 fi
@@ -853,6 +861,7 @@ stop_firewall(){
 iptables -t nat -X clash_dns 2> /dev/null
 #tun
 iptables -D FORWARD -o utun -j ACCEPT 2> /dev/null
+ iptables -D FORWARD -s 198.18.0.0/16 -o utun -j RETURN 2> /dev/null
 #屏蔽QUIC
 [ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst'
 iptables -D INPUT -p udp --dport 443 -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip -j REJECT 2> /dev/null
@@ -1142,7 +1151,7 @@ afstart(){
 fi
 }
 #设置路由规则
- wan_mac=$(ifconfig wan | grep -o -E '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}')
+ [ "$ipv6_redir" = "已开启" ] && ipv6_wan=$(ip addr show|grep -A1 'inet6 [^f:]'|grep -oE 'inet6 ([a-f0-9:]+)/'|sed s#inet6\ ##g|sed s#/##g)
 [ "$redir_mod" = "Redir模式" ] && start_dns && start_redir
 [ "$redir_mod" = "混合模式" ] && start_dns && start_redir && start_tun udp
 [ "$redir_mod" = "Tproxy混合" ] && start_dns && start_redir && start_tproxy udp
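Review bot: `LOCAL_IP6` is assigned with its own braces (`"{…}"`) and then interpolated as `{${LOCAL_IP6}}`, which hands nft `ip6 daddr {{addr1, addr2}} return`; the sibling `{${RESERVED_IP6}}` line shows the variable is expected to hold only the comma-separated list, so drop the outer braces: `LOCAL_IP6="$(echo $ipv6_wan | sed s/\ /\,\ /g)"`. The new rule also matches `ip6 daddr` while the three ip6tables counterparts in this patch (hunks at 497, 612, 733) match `-s $ip`, the source address, so at most one of the two directions implements the comment `屏蔽本机ipv6地址`; whichever is meant should be stated in the comment so the paths can be kept in step. Only this patch's hunks are visible, and none of them adds a 198.18.0.0/16 bypass to start_nft comparable to the iptables ones at 464, 566 and 695, so the nft path may still have depended on the config rule removed at 414 — worth confirming against the rest of start_nft. start_nft() continues outside the hunk.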
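Review bot: `ipv6_wan` is named as the WAN addresses but the pipeline reads `ip addr show` for every interface, and the filter `'inet6 [^f:]'` excludes not only fe80:: link-local and ::1 but every address beginning with f, including ULA prefixes (fc00::/7), so a router that uses ULA addressing gets no bypass for those addresses; the `-A1` only adds the line after each match, which the second grep then discards. If excluding ULA is not deliberate, `ipv6_wan=$(ip -6 addr show scope global | grep -oE 'inet6 [0-9a-f:]+' | sed 's/inet6 //')` is shorter and names what it selects; either way a comment on this line saying which addresses are meant to be collected is needed. `wan_mac` is no longer assigned here, and since its readers in this patch were all replaced, any remaining reference elsewhere in the file would now see an empty value — worth a grep before merging. afstart() continues outside the hunk.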