~新增Tproxy模式
~新增Nftables支持
juewuy
2022-11-08 22:06:42 +08:00
parent 7b08547f16
commit d48402a101
2 changed files with 68 additions and 68 deletions


@@ -341,6 +341,7 @@ modify_yaml(){
cat > $tmpdir/set.yaml <<EOF
mixed-port: $mix_port
redir-port: $redir_port
tproxy-port: 7893
authentication: ["$authentication"]
$lan
mode: $mode
@@ -629,48 +630,50 @@ start_tun(){
start_nft(){
#设置策略路由
ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100
#IPV6
ip route add local default dev lo table 100
[ "$ipv6_support" = "已开启" ] && {
ip -6 rule add fwmark 1 table 101
ip -6 route add local ::/0 dev lo table 101
}
#初始化nftables
nft add table shellclash
nft add chain shellclash prerouting { type filter hook prerouting priority 0 \; }
#保留地址
nft define RESERVED_IP = {0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4}
#创建nft表和链
nft add chain shellclash prerouting { type filter hook prerouting priority 0 \; }
nft add rule shellclash prerouting ip daddr $RESERVED_IP return
#过滤CN-IP
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" -a -f $bindir/cn_ip.txt ] && {
CN_IP=$(awk '{printf "%s, ",$1}' $bindir/cn_ip.txt)
nft define CN_IP = $CN_IP
nft add rule shellclash prerouting ip daddr $CN_IP return
}
#过滤常用端口
[ "$common_ports" = "已开启" ] && {
ports=$(echo $multiport | sed 's/,/, /g')
nft add rule shellclash prerouting tcp dport != {$ports} return
}
nft add chain shellclash prerouting { type nat hook prerouting priority -100 \; }
#过滤局域网设备 ether saddr
[ -n "$(cat $clashdir/mac)" ] && {
MAC=$(awk '{printf "%s, ",$1}' $clashdir/mac)
nft define MAC = $MAC
[ "$macfilter_type" = "名单" ] && nft add rule shellclash prerouting ether saddr {$MAC} return
[ "$macfilter_type" = "白名单" ] && nft add rule shellclash prerouting ether saddr != {$MAC} return
[ "$macfilter_type" = "黑名单" ] && nft add rule shellclash prerouting ether saddr {${MAC}} return
[ "$macfilter_type" = "名单" ] && nft add rule shellclash prerouting ether saddr != {${MAC}} return
}
#设置DNS转发
nft add rule shellclash prerouting udp dport 53 redirect to ${dns_port}
nft add rule shellclash prerouting tcp dport 53 redirect to ${dns_port}
#过滤保留地址
RESERVED_IP="{0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4}"
nft add rule shellclash prerouting ip daddr {${RESERVED_IP}} return
#过滤CN-IP
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" -a -f $bindir/cn_ip.txt ] && {
CN_IP=$(awk '{printf "%s, ",$1}' $bindir/cn_ip.txt)
[ -n "$CN_IP" ] && nft add rule shellclash prerouting ip daddr {${CN_IP}} return
}
#过滤常用端口
[ "$common_ports" = "已开启" ] && {
PORTS=$(echo $multiport | sed 's/,/, /g')
nft add rule shellclash prerouting tcp dport != {${PORTS}} return
}
#代理局域网设备
nft add rule shellclash prerouting udp dport 53 redirect to :$dns_port accept
nft add rule shellclash prerouting tcp dport 53 redirect to :$dns_port accept
nft add rule shellclash prerouting meta l4proto {$1} mark set 1 tproxy to :$redir_port accept
if [ "$redir_mod" = "Nft混合" ];then
nft add chain shellclash prerouting { type filter hook prerouting priority 0 \; }
nft add rule shellclash prerouting meta l4proto {tcp, udp} mark set 1 tproxy to 127.0.0.1:7893
else
nft add rule shellclash prerouting meta l4proto tcp mark set 1 redirect to ${redir_port}
fi
#代理本机
[ "$local_proxy" = "已开启" ] && [ "$local_type" = "nftables增强模式" ] && {
nft add chain shellclash output { type filter hook prerouting priority 0 \; }
nft add chain shellclash output { type filter hook output priority 0 \; }
nft add rule shellclash output meta skuid clash return
[ "$common_ports" = "已开启" ] && nft add rule shellclash output tcp dport != {$ports} return
nft add rule shellclash output ip daddr $RESERVED_IP return
nft add rule shellclash output meta l4proto {$1} mark set 1 accept # 重路由至 prerouting
[ "$common_ports" = "已开启" ] && nft add rule shellclash output tcp dport != {${PORTS}} return
nft add rule shellclash output ip daddr {${RESERVED_IP}} return
nft add rule shellclash output meta l4proto tcp mark set 1 # 重路由至 prerouting
}
}
start_wan(){
@@ -691,10 +694,8 @@ start_wan(){
type ip6tables >/dev/null 2>&1 && ip6tables -I INPUT -p tcp --dport $db_port -j ACCEPT 2> /dev/null
fi
}
stop_iptables(){
stop_firewall(){
#重置iptables规则
ip rule del fwmark 1 table 100 2> /dev/null
ip route del local default dev lo table 100 2> /dev/null
iptables -t nat -D PREROUTING -p tcp $ports -j clash 2> /dev/null
iptables -D INPUT -p tcp --dport $mix_port -j ACCEPT 2> /dev/null
iptables -D INPUT -p tcp --dport $db_port -j ACCEPT 2> /dev/null
@@ -756,6 +757,12 @@ stop_iptables(){
uci commit dhcp >/dev/null 2>&1
/etc/init.d/dnsmasq restart >/dev/null 2>&1
}
#清理路由
ip rule del fwmark 1 table 100 2> /dev/null
ip route del local default dev lo table 100 2> /dev/null
#重置nftables相关规则
nft flush table shellclash >/dev/null 2>&1
nft delete table shellclash >/dev/null 2>&1
}
#面板配置保存相关
web_save(){
@@ -951,8 +958,8 @@ afstart(){
[ "$redir_mod" = "Tproxy混合" ] && start_dns && start_redir && start_tproxy udp
[ "$redir_mod" = "Tun模式" ] && start_dns && start_tun
[ "$redir_mod" = "Tproxy模式" ] && start_dns && start_tproxy all
[ "$redir_mod" = "Nft模式1" ] && start_nft 'tcp, icmp'
[ "$redir_mod" = "Nft模式2" ] && start_nft 'tcp, udp, icmp'
[ "$redir_mod" = "Nft基础" ] && start_nft 'tcp'
[ "$redir_mod" = "Nft混合" ] && start_nft '{tcp, udp}'
[ "$local_proxy" = "已开启" ] && [ "$local_type" = "iptables增强模式" ] && start_output
type iptables >/dev/null 2>&1 && start_wan
#标记启动时间
@@ -1005,7 +1012,7 @@ start)
getconfig
#检测必须文件并下载
bfstart
stop_iptables #清理iptables
stop_firewall #清理路由策略
#使用内置规则强行覆盖config配置文件
[ "$modify_yaml" != "已开启" ] && modify_yaml
#使用不同方式启动clash服务
@@ -1033,7 +1040,7 @@ stop)
systemctl stop clash.service >/dev/null 2>&1
fi
PID=$(pidof clash) && [ -n "$PID" ] && kill -9 $PID >/dev/null 2>&1
stop_iptables #清理iptables
stop_firewall #清理路由策略
$0 unset_proxy #禁用本机代理
;;
restart)
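Review bot: In start_nft the DNS rules `udp/tcp dport 53 redirect to :$dns_port accept` and the Nft基础 rule `meta l4proto tcp mark set 1 redirect to ${redir_port}` are added to `shellclash prerouting`, but every declaration of that chain that looks new-side is `type filter hook prerouting priority 0` (the `type nat ... priority -100` declaration appears to be on the removed side); nftables accepts redirect/dnat statements only in a nat-type chain, so if that reading is right these rules are rejected at load time. Because no `nft` exit status is checked anywhere in the function, the rejection is silent and the mode comes up fail-open — DNS (and in Nft基础 all TCP) leaves the LAN unproxied while the script reports a normal start. A dedicated nat base chain for the redirect rules fixes the load error (the tproxy rule must stay in the filter chain); the reserved-address, CN-IP and port `return` filters that should gate the redirect then have to be applied on that chain too, e.g. by moving them into a regular chain that both base chains `jump` to. Separately, `tproxy to 127.0.0.1:7893` repeats the literal `7893` that modify_yaml writes as `tproxy-port`, so a single `tproxy_port` variable used in both places would keep the rule and Clash's listener from drifting apart, and each `nft add rule` deserves an `|| echo "nft: rule failed" >&2` so errors like the one above become visible.
```shell
# redirect/dnat statements are only accepted in a nat-type base chain; tproxy stays in the filter chain
nft add chain shellclash nat_pre { type nat hook prerouting priority -100 \; }
# … unchanged: MAC / reserved-address / CN-IP / port return filters on shellclash prerouting …
nft add rule shellclash nat_pre udp dport 53 redirect to :$dns_port
nft add rule shellclash nat_pre tcp dport 53 redirect to :$dns_port
# … unchanged: Nft混合 mark+tproxy branch on shellclash prerouting …
nft add rule shellclash nat_pre meta l4proto tcp redirect to ${redir_port}
```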