xm/ShellCrash
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v1.6.6

Browse Source 
~新增Tproxy模式
~新增Nftables支持
This commit is contained in:
juewuy
2022-11-08 22:06:42 +08:00
parent 7b08547f16
commit d48402a101
2 changed files with 68 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
scripts/clash.sh
View File

@@ -522,6 +522,7 @@ localproxy(){
echo -e " 1 \033[36m$proxy_set本机代理\033[0m"
echo -e " 2 使用\033[32m环境变量\033[0m方式配置(部分应用可能无法使用)"
echo -e " 3 使用\033[32miptables增强模式\033[0m配置(支持docker)"
[ -n "$(type nft)" ] && echo -e " 4 使用\033[32mnftables增强模式\033[0m配置(支持docker)"
echo -e " 0 返回上级菜单"
echo -----------------------------------------------
read -p "请输入对应数字 > " num
@@ -572,7 +573,17 @@ localproxy(){
local_type="iptables增强模式"
setconfig local_type $local_type
else
echo -e "\033[31m当前设备无法使用增强模式\033[0m"
echo -e "\033[31m当前设备无法使用iptables增强模式!\033[0m"
sleep 1
fi
localproxy
elif [ "$num" = 4 ]; then
if [ -n "$(echo $redir_mod|grep Nft)" ];then
local_type="nftables增强模式"
setconfig local_type $local_type
else
echo -e "\033[31m请先启用任意nftable相关模式\033[0m"
sleep 1
fi
localproxy
@@ -594,20 +605,21 @@ clashcfg(){
echo -e "\033[36m已设为 $redir_mod \033[0m"
}
[ -n "$(iptables -j TPROXY 2>&1 | grep 'on-port')" ] && sup_tp=1
ip tuntap >/dev/null 2>&1 && sup_tun=1
type nftables >/dev/null 2>&1 && sup_nft=1
[ -n "$(lsmod | grep '^tun')" ] && sup_tun=1
[ -n "$(type nft)" ] && sup_nft=1
[ -n "$(type nft)" -a -n "$(lsmod | grep 'nft_tproxy')" ] && sup_nft=2
echo -----------------------------------------------
echo -e "当前代理模式为:\033[47;30m $redir_mod \033[0mClash核心为\033[47;30m $clashcore \033[0m"
echo -e "\033[33m切换模式后需要手动重启clash服务以生效\033[0m"
echo -----------------------------------------------
echo -e " 1 Redir模式 Redir转发TCP不转发UDP"
[ -n "$sup_tun" ] && echo -e " 2 混合模式: Redir转发TCPTun转发UDP"
[ -n "$sup_tp" ] && echo -e " 3 Tproxy混合 Redir转发TCPTproxy转发UDP"
[ -n "$sup_tun" ] && echo -e " 4 Tun模式 使用Tun转发TCP&UDP(占用高)"
[ -n "$sup_tp" ] && echo -e " 5 Tproxy模式 使用Tproxy转发TCP&UDP"
[ -n "$sup_nft" ] && echo -e " 6 Nft模式1 使用nftables转发TCP不转发UDP"
[ -n "$sup_nft" ] && echo -e " 7 Nft模式2 使用nftables转发TCP&UDP"
echo -e " 8 纯净模式: 不设置流量转发"
echo -e " 1 \033[32mRedir模式\033[0m Redir转发TCP不转发UDP"
[ -n "$sup_tun" ] && echo -e " 2 \033[36m混合模式\033[0m Redir转发TCPTun转发UDP"
[ -n "$sup_tp" ] && echo -e " 3 \033[32mTproxy混合\033[0m Redir转发TCPTproxy转发UDP"
[ -n "$sup_tun" ] && echo -e " 4 \033[33mTun模式\033[0m 使用Tun转发TCP&UDP(占用高)"
[ -n "$sup_tp" ] && echo -e " 5 \033[32mTproxy模式\033[0m 使用Tproxy转发TCP&UDP"
[ -n "$sup_nft" ] && echo -e " 6 \033[36mNft基础\033[0m 使用nftables转发TCP不转发UDP"
[ "$sup_nft" = '2' ] && echo -e " 7 \033[32mNft混合\033[0m 使用nft_tproxy转发TCP&UDP"
echo -e " 8 \033[36m纯净模式\033[0m 不设置流量转发"
echo " 0 返回上级菜单"
read -p "请输入对应数字 > " num
if [ -z "$num" ]; then
@@ -637,11 +649,11 @@ clashcfg(){
set_redir_config
elif [ "$num" = 6 ]; then
redir_mod=Nft模式1
redir_mod=Nft基础
set_redir_config
elif [ "$num" = 7 ]; then
redir_mod=Nft模式2
redir_mod=Nft混合
set_redir_config
elif [ "$num" = 8 ]; then
@@ -863,7 +875,6 @@ clashadv(){
echo -----------------------------------------------
echo -e " 1 使用保守模式启动: \033[36m$start_old\033[0m ————切换时会停止clash服务"
echo -e " 2 启用ipv6支持: \033[36m$ipv6_support\033[0m ————实验性功能,可能不稳定"
echo -e " 3 Redir模式udp转发: \033[36m$tproxy_mod\033[0m ————依赖iptables-mod-tproxy"
echo -e " 4 启用小闪存模式: \033[36m$mini_clash\033[0m ————不保存核心及数据库文件"
echo -e " 5 允许公网访问: \033[36m$public_support\033[0m ————需要路由拨号+公网IP"
echo -e " 6 配置内置DNS服务 \033[36m$dns_no\033[0m"
@@ -915,24 +926,6 @@ clashadv(){
setconfig ipv6_support $ipv6_support
clashadv
elif [ "$num" = 3 ]; then
echo -----------------------------------------------
if [ "$tproxy_mod" = "未开启" ]; then
if [ -n "$(iptables -j TPROXY 2>&1 | grep 'on-port')" ];then
tproxy_mod=已开启
echo -e "\033[32m已经为Redir模式启用udp转发功能\033[0m"
else
tproxy_mod=未开启
echo -e "\033[31m您的设备不支持tproxy模式无法开启\033[0m"
fi
else
tproxy_mod=未开启
echo -e "\033[33m已经停止使用tproxy转发udp流量\033[0m"
fi
setconfig tproxy_mod $tproxy_mod
sleep 1
clashadv
elif [ "$num" = 4 ]; then
echo -----------------------------------------------
dir_size=$(df $clashdir | awk '{print $4}' | sed 1d)

79
scripts/start.sh
View File

@@ -341,6 +341,7 @@ modify_yaml(){
cat > $tmpdir/set.yaml <<EOF
mixed-port: $mix_port
redir-port: $redir_port
tproxy-port: 7893
authentication: ["$authentication"]
$lan
mode: $mode
@@ -629,48 +630,50 @@ start_tun(){
start_nft(){
#设置策略路由
ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100
#IPV6
ip route add local default dev lo table 100
[ "$ipv6_support" = "已开启" ] && {
ip -6 rule add fwmark 1 table 101
ip -6 route add local ::/0 dev lo table 101
}
#初始化nftables
nft add table shellclash
nft add chain shellclash prerouting { type filter hook prerouting priority 0 \; }
#保留地址
nft define RESERVED_IP = {0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4}
#创建nft表和链
nft add chain shellclash prerouting { type filter hook prerouting priority 0 \; }
nft add rule shellclash prerouting ip daddr $RESERVED_IP return
#过滤CN-IP
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" -a -f $bindir/cn_ip.txt ] && {
CN_IP=$(awk '{printf "%s, ",$1}' $bindir/cn_ip.txt)
nft define CN_IP = $CN_IP
nft add rule shellclash prerouting ip daddr $CN_IP return
}
#过滤常用端口
[ "$common_ports" = "已开启" ] && {
ports=$(echo $multiport | sed 's/,/, /g')
nft add rule shellclash prerouting tcp dport != {$ports} return
}
nft add chain shellclash prerouting { type nat hook prerouting priority -100 \; }
#过滤局域网设备 ether saddr
[ -n "$(cat $clashdir/mac)" ] && {
MAC=$(awk '{printf "%s, ",$1}' $clashdir/mac)
nft define MAC = $MAC
[ "$macfilter_type" = "名单" ] && nft add rule shellclash prerouting ether saddr {$MAC} return
[ "$macfilter_type" = "白名单" ] && nft add rule shellclash prerouting ether saddr != {$MAC} return
[ "$macfilter_type" = "黑名单" ] && nft add rule shellclash prerouting ether saddr {${MAC}} return
[ "$macfilter_type" = "名单" ] && nft add rule shellclash prerouting ether saddr != {${MAC}} return
}
#设置DNS转发
nft add rule shellclash prerouting udp dport 53 redirect to ${dns_port}
nft add rule shellclash prerouting tcp dport 53 redirect to ${dns_port}
#过滤保留地址
RESERVED_IP="{0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4}"
nft add rule shellclash prerouting ip daddr {${RESERVED_IP}} return
#过滤CN-IP
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" -a -f $bindir/cn_ip.txt ] && {
CN_IP=$(awk '{printf "%s, ",$1}' $bindir/cn_ip.txt)
[ -n "$CN_IP" ] && nft add rule shellclash prerouting ip daddr {${CN_IP}} return
}
#过滤常用端口
[ "$common_ports" = "已开启" ] && {
PORTS=$(echo $multiport | sed 's/,/, /g')
nft add rule shellclash prerouting tcp dport != {${PORTS}} return
}
#代理局域网设备
nft add rule shellclash prerouting udp dport 53 redirect to :$dns_port accept
nft add rule shellclash prerouting tcp dport 53 redirect to :$dns_port accept
nft add rule shellclash prerouting meta l4proto {$1} mark set 1 tproxy to :$redir_port accept
if [ "$redir_mod" = "Nft混合" ];then
nft add chain shellclash prerouting { type filter hook prerouting priority 0 \; }
nft add rule shellclash prerouting meta l4proto {tcp, udp} mark set 1 tproxy to 127.0.0.1:7893
else
nft add rule shellclash prerouting meta l4proto tcp mark set 1 redirect to ${redir_port}
fi
#代理本机
[ "$local_proxy" = "已开启" ] && [ "$local_type" = "nftables增强模式" ] && {
nft add chain shellclash output { type filter hook prerouting priority 0 \; }
nft add chain shellclash output { type filter hook output priority 0 \; }
nft add rule shellclash output meta skuid clash return
[ "$common_ports" = "已开启" ] && nft add rule shellclash output tcp dport != {$ports} return
nft add rule shellclash output ip daddr $RESERVED_IP return
nft add rule shellclash output meta l4proto {$1} mark set 1 accept # 重路由至 prerouting
[ "$common_ports" = "已开启" ] && nft add rule shellclash output tcp dport != {${PORTS}} return
nft add rule shellclash output ip daddr {${RESERVED_IP}} return
nft add rule shellclash output meta l4proto tcp mark set 1 # 重路由至 prerouting
}
}
start_wan(){
@@ -691,10 +694,8 @@ start_wan(){
type ip6tables >/dev/null 2>&1 && ip6tables -I INPUT -p tcp --dport $db_port -j ACCEPT 2> /dev/null
fi
}
stop_iptables(){
stop_firewall(){
#重置iptables规则
ip rule del fwmark 1 table 100 2> /dev/null
ip route del local default dev lo table 100 2> /dev/null
iptables -t nat -D PREROUTING -p tcp $ports -j clash 2> /dev/null
iptables -D INPUT -p tcp --dport $mix_port -j ACCEPT 2> /dev/null
iptables -D INPUT -p tcp --dport $db_port -j ACCEPT 2> /dev/null
@@ -756,6 +757,12 @@ stop_iptables(){
uci commit dhcp >/dev/null 2>&1
/etc/init.d/dnsmasq restart >/dev/null 2>&1
}
#清理路由
ip rule del fwmark 1 table 100 2> /dev/null
ip route del local default dev lo table 100 2> /dev/null
#重置nftables相关规则
nft flush table shellclash >/dev/null 2>&1
nft delete table shellclash >/dev/null 2>&1
}
#面板配置保存相关
web_save(){
@@ -951,8 +958,8 @@ afstart(){
[ "$redir_mod" = "Tproxy混合" ] && start_dns && start_redir && start_tproxy udp
[ "$redir_mod" = "Tun模式" ] && start_dns && start_tun
[ "$redir_mod" = "Tproxy模式" ] && start_dns && start_tproxy all
[ "$redir_mod" = "Nft模式1" ] && start_nft 'tcp, icmp'
[ "$redir_mod" = "Nft模式2" ] && start_nft 'tcp, udp, icmp'
[ "$redir_mod" = "Nft基础" ] && start_nft 'tcp'
[ "$redir_mod" = "Nft混合" ] && start_nft '{tcp, udp}'
[ "$local_proxy" = "已开启" ] && [ "$local_type" = "iptables增强模式" ] && start_output
type iptables >/dev/null 2>&1 && start_wan
#标记启动时间
@@ -1005,7 +1012,7 @@ start)
getconfig
#检测必须文件并下载
bfstart
stop_iptables #清理iptables
stop_firewall #清理路由策略
#使用内置规则强行覆盖config配置文件
[ "$modify_yaml" != "已开启" ] && modify_yaml
#使用不同方式启动clash服务
@@ -1033,7 +1040,7 @@ stop)
systemctl stop clash.service >/dev/null 2>&1
fi
PID=$(pidof clash) && [ -n "$PID" ] && kill -9 $PID >/dev/null 2>&1
stop_iptables #清理iptables
stop_firewall #清理路由策略
$0 unset_proxy #禁用本机代理
;;
restart)