From e080e6acf8fbf637087526d698696bdff80e68e2 Mon Sep 17 00:00:00 2001
From: Lemoe
Date: Tue, 31 May 2022 12:58:37 +0800
Subject: [PATCH] =?UTF-8?q?=E9=80=82=E9=85=8Dax6s=E5=B0=8F=E7=B1=B3?=
 =?UTF-8?q?=E9=95=9C=E5=83=8F=E5=8C=96=E7=B3=BB=E7=BB=9F=E8=AE=BE=E5=A4=87?=
 =?UTF-8?q?=E4=BD=BF=E7=94=A8iptables=E5=A2=9E=E5=BC=BA=E6=A8=A1=E5=BC=8F?=
 =?UTF-8?q?=E5=BC=80=E5=90=AF=E6=9C=AC=E6=9C=BA=E4=BB=A3=E7=90=86?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 scripts/clash.sh | 3 +++
 scripts/start.sh | 53 +++++++++++++++++++++++++++++++++---------------
 2 files changed, 40 insertions(+), 16 deletions(-)
diff --git a/scripts/clash.sh b/scripts/clash.sh
index f2c09bf..715aae3 100644
--- a/scripts/clash.sh
+++ b/scripts/clash.sh
@@ -562,6 +562,9 @@ localproxy(){
 if [ -w /etc/systemd/system/clash.service -o -w /usr/lib/systemd/system/clash.service -o -x /bin/su ];then
 local_type="iptables增强模式"
 setconfig local_type $local_type
+ elif [ -f /etc/rc.common -a -w /etc/passwd ]; then
+ local_type="iptables增强模式"
+ setconfig local_type $local_type
 else
 echo -e "\033[31m当前设备无法使用增强模式!\033[0m"
 sleep 1
diff --git a/scripts/start.sh b/scripts/start.sh
index cff7d74..3dcfe9b 100644
--- a/scripts/start.sh
+++ b/scripts/start.sh
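Review bot: The new `elif` enables iptables增强模式 on any rc.common device whose /etc/passwd is writable, but the matching start path in scripts/start.sh (bfstart, same patch) only switches to the procd service when `/etc/init.d/clash` is writable and otherwise falls through to the systemd branch, where `servdir` may stay unset and `systemctl` is likely absent on such devices. Checking that file up front keeps the two in step: `elif [ -f /etc/rc.common -a -w /etc/passwd -a -w /etc/init.d/clash ]; then`. The mi_snapshot variant writes `$clashdir/clashservice` but is gated on the same `-w /etc/init.d/clash` test in bfstart, so the extra condition covers both cases. The enclosing localproxy function starts and ends outside this hunk.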
@@ -550,19 +550,27 @@ start_output(){
 #流量过滤规则
 iptables -t nat -N clash_out
 iptables -t nat -A clash_out -m owner --gid-owner 7890 -j RETURN
+ iptables -t nat -A clash_out -d 0.0.0.0/8 -j RETURN
+ iptables -t nat -A clash_out -d 10.0.0.0/8 -j RETURN
+ iptables -t nat -A clash_out -d 100.64.0.0/10 -j RETURN
 iptables -t nat -A clash_out -d 127.0.0.0/8 -j RETURN
+ iptables -t nat -A clash_out -d 169.254.0.0/16 -j RETURN
 iptables -t nat -A clash_out -d 172.16.0.0/12 -j RETURN
+ iptables -t nat -A clash_out -d 192.0.0.0/24 -j RETURN
+ iptables -t nat -A clash_out -d 192.168.0.0/16 -j RETURN
+ iptables -t nat -A clash_out -d 224.0.0.0/4 -j RETURN
+ iptables -t nat -A clash_out -d 240.0.0.0/4 -j RETURN
+ iptables -t nat -A clash_out -d 255.255.255.255/32 -j RETURN
 [ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && iptables -t nat -A clash_out -m set --match-set cn_ip dst -j RETURN >/dev/null 2>&1 #绕过大陆IP
 iptables -t nat -A clash_out -p tcp -j REDIRECT --to-ports $redir_port
- iptables -t nat -A OUTPUT -p tcp -s 127.0.0.0/8 -j clash_out
- iptables -t nat -A OUTPUT -p tcp -s 172.16.0.0/12 -j clash_out
- iptables -t nat -A OUTPUT -p tcp -d 198.18.0.0/16 -j clash_out
+ iptables -t nat -A OUTPUT -p tcp -j clash_out
 #设置dns转发
- iptables -t nat -N clash_dns_out
- iptables -t nat -A clash_dns_out -m owner --gid-owner 7890 -j RETURN
- iptables -t nat -A clash_dns_out -p udp -j REDIRECT --to $dns_port
- iptables -t nat -A OUTPUT -p udp --dport 53 -s 127.0.0.0/8 -j clash_dns_out
- iptables -t nat -A OUTPUT -p udp --dport 53 -s 172.16.0.0/12 -j clash_dns_out
+ [ "$dns_no" != "已禁用" ] && {
+ iptables -t nat -N clash_dns_out
+ iptables -t nat -A clash_dns_out -m owner --gid-owner 7890 -j RETURN
+ iptables -t nat -A clash_dns_out -p udp -j REDIRECT --to $dns_port
+ iptables -t nat -A OUTPUT -p udp --dport 53 -j clash_dns_out
+ }
 }
 start_tun(){
 if [ "$quic_rj" = 已启用 ];then
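Review bot: With `[ "$dns_no" != "已禁用" ] && { … }` as the last statement of start_output, the function now returns a non-zero status whenever DNS redirection is disabled, which any caller that checks its result (or a future `set -e`) would read as a failure; an `if` block avoids that: `if [ "$dns_no" != "已禁用" ]; then` … `fi`. Now that the `-s 127.0.0.0/8` / `-s 172.16.0.0/12` source restrictions are gone, every locally generated TCP connection enters clash_out and the `--gid-owner 7890` RETURN is the only thing keeping clash's own outbound traffic from looping back through the REDIRECT, so that line deserves a comment such as `# 7890 = shellclash gid: clash's own sockets must skip the redirect or they loop`. A second comment noting that the 198.18.0.0/16 range the old rules targeted is intentionally absent from the RETURN list would stop a later reader from "fixing" it. The start_output function begins before this hunk.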
@@ -612,10 +620,12 @@ stop_iptables(){
 iptables -t nat -D OUTPUT -p tcp -s 127.0.0.0/8 -j clash_out 2> /dev/null
 iptables -t nat -D OUTPUT -p tcp -s 172.16.0.0/12 -j clash_out 2> /dev/null
 iptables -t nat -D OUTPUT -p tcp -d 198.18.0.0/16 -j clash_out 2> /dev/null
+ iptables -t nat -D OUTPUT -p tcp -j clash_out 2> /dev/null
 iptables -t nat -F clash_out 2> /dev/null
 iptables -t nat -X clash_out 2> /dev/null
 iptables -t nat -D OUTPUT -p udp --dport 53 -s 127.0.0.0/8 -j clash_dns_out 2> /dev/null
 iptables -t nat -D OUTPUT -p udp --dport 53 -s 172.16.0.0/12 -j clash_dns_out 2> /dev/null
+ iptables -t nat -D OUTPUT -p udp --dport 53 -j clash_dns_out 2> /dev/null
 iptables -t nat -F clash_dns_out 2> /dev/null
 iptables -t nat -X clash_dns_out 2> /dev/null
 #重置udp规则
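Review bot: `iptables -D` removes a single matching rule, so the new `-D OUTPUT -p tcp -j clash_out` line leaves a second copy behind if start_output ever ran twice without a stop in between, and the following `-X clash_out` then fails silently under `2> /dev/null`, leaving the redirect active after a "stop". Deleting until the rule is gone is a one-liner: `while iptables -t nat -D OUTPUT -p tcp -j clash_out 2>/dev/null; do :; done`, and the same applies to the new `clash_dns_out` jump. The three older `-s`/`-d` deletions are presumably kept for rules installed by a previous version, so a short comment such as `# legacy jump rules from older start_output, kept for upgrades` would explain why they stay. stop_iptables begins before this hunk and continues after it.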
@@ -806,16 +816,27 @@ bfstart(){
 #本机代理准备
 if [ "$local_proxy" = "已开启" -a "$local_type" = "iptables增强模式" ];then
 if [ -z "$(id shellclash 2>/dev/null | grep 'root')" ];then
- userdel shellclash 2>/dev/null
- useradd shellclash -u 7890
- groupmod shellclash -g 7890
- sed -Ei s/7890:7890/0:7890/g /etc/passwd
+ if [ -z "$(command -v useradd 2>/dev/null)" -o -z "$(command -v groupmod 2>/dev/null)" ]; then
+ grep -qw shellclash /etc/passwd || echo "shellclash:x:0:7890:::" >> /etc/passwd
+ else
+ userdel shellclash 2>/dev/null
+ useradd shellclash -u 7890
+ groupmod shellclash -g 7890
+ sed -Ei s/7890:7890/0:7890/g /etc/passwd
+ fi
 fi
 if [ "$start_old" != "已开启" ];then
- [ -w /etc/systemd/system/clash.service ] && servdir=/etc/systemd/system/clash.service
- [ -w /usr/lib/systemd/system/clash.service ] && servdir=/usr/lib/systemd/system/clash.service
- setconfig ExecStart "/bin/su\ shellclash\ -c\ \"$bindir/clash\ -d\ $bindir\"" $servdir
- systemctl daemon-reload >/dev/null
+ if [ -w /etc/init.d/clash ]; then
+ [ "$systype" = "mi_snapshot" ] && servdir=$clashdir/clashservice || servdir=/etc/init.d/clash
+ [ -z "$(grep 'procd_set_param user shellclash' $servdir)" ] && {
+ sed -i '/procd_close_instance/i\\t\tprocd_set_param user shellclash' $servdir
+ }
+ else
+ [ -w /etc/systemd/system/clash.service ] && servdir=/etc/systemd/system/clash.service
+ [ -w /usr/lib/systemd/system/clash.service ] && servdir=/usr/lib/systemd/system/clash.service
+ setconfig ExecStart "/bin/su\ shellclash\ -c\ \"$bindir/clash\ -d\ $bindir\"" $servdir
+ systemctl daemon-reload >/dev/null
+ fi
 fi
 fi
 }
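Review bot: `grep -qw shellclash /etc/passwd` matches the word anywhere on a line, so an existing entry that merely mentions shellclash in its home or gecos field would skip creating the account while the surrounding `id shellclash` check keeps failing on every start; anchoring on the name field is safer: `grep -q '^shellclash:' /etc/passwd`. The appended entry deserves a comment on why it is a uid-0 account, e.g. `# uid 0 keeps clash's privileges; gid 7890 is what the --gid-owner RETURN in start_output matches`, since that is the same effect the existing `sed -Ei s/7890:7890/0:7890/g` path produces. The `\t` escapes in the `i\` text of the new `sed -i` call are a GNU sed extension and a busybox sed may insert them literally, which is only cosmetic for procd but worth confirming on the target. When `/etc/init.d/clash` is not writable on an rc.common device, the `else` branch still runs `setconfig … $servdir` with `servdir` possibly unset and calls `systemctl`, which is unlikely to exist there. bfstart begins before this hunk.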