From d796947688c2b93af7f52c35d15caedd2355fb85 Mon Sep 17 00:00:00 2001
From: juewuy
Date: Thu, 4 Apr 2024 14:45:35 +0800
Subject: [PATCH] =?UTF-8?q?~singbox=E7=9A=84tun=E5=85=A5=E7=AB=99=E9=BB=98?=
 =?UTF-8?q?=E8=AE=A4=E5=90=AF=E7=94=A8sniff=E4=BB=A5=E8=A7=A3=E5=86=B3?=
 =?UTF-8?q?=E7=9B=AE=E6=A0=87=E5=9C=B0=E5=9D=80=E9=94=99=E8=AF=AF=E7=9A=84?=
 =?UTF-8?q?=E9=97=AE=E9=A2=98=20~=E9=98=B2=E7=81=AB=E5=A2=99=E4=B8=AD?=
 =?UTF-8?q?=EF=BC=8C=E5=A2=9E=E5=8A=A0=E8=BF=87=E6=BB=A4=E5=A4=96=E9=83=A8?=
 =?UTF-8?q?dns=E8=AF=B7=E6=B1=82=E7=9A=84=E5=8A=9F=E8=83=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 scripts/start.sh | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/scripts/start.sh b/scripts/start.sh
index b3859c6..c3f1804 100644
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -743,7 +743,7 @@ EOF
 "stack": "system",
 $always_resolve_udp
 "sniff": true,
- "sniff_override_destination": $sniffer
+ "sniff_override_destination": true
 }
 ]
 }
@@ -932,6 +932,12 @@ start_ipt_route(){ #iptables-route通用工具
 }
 start_ipt_dns(){ #iptables-dns通用工具
 #$1:iptables/ip6tables $2:所在的表(OUTPUT/PREROUTING) $3:新创建的shellcrash表
+ #区分ipv4/ipv6
+ [ "$1" = 'iptables' ] && {
+ HOST_IP=$host_ipv4
+ [ "$2" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4"
+ }
+ [ "$1" = 'ip6tables' ] && HOST_IP=$host_ipv6
 $1 -t nat -N $3
 #防回环
 $1 -t nat -A $3 -m mark --mark $routing_mark -j RETURN
@@ -954,8 +960,10 @@ start_ipt_dns(){ #iptables-dns通用工具
 $1 -t nat -A $3 -p udp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port
 done
 else
- $1 -t nat -A $3 -p tcp -j REDIRECT --to-ports $dns_port
- $1 -t nat -A $3 -p udp -j REDIRECT --to-ports $dns_port
+ for ip in $HOST_IP;do #仅限指定网段流量
+ $1 -t nat -A $3 -p tcp -s $ip -j REDIRECT --to-ports $dns_port
+ $1 -t nat -A $3 -p udp -s $ip -j REDIRECT --to-ports $dns_port
+ done
 fi
 $1 -t nat -I $2 -p tcp --dport 53 -j $3
 $1 -t nat -I $2 -p udp --dport 53 -j $3
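Review bot: Pinning `"sniff_override_destination"` to `true` silently drops whatever `$sniffer` the user had configured for this tun inbound, and nothing in the hunk records why the toggle no longer applies here. A shell comment placed before the heredoc that emits this block would save the next reader a git-blame, e.g. `# tun inbound: always override the destination with the sniffed domain so routing rules match on the name rather than a possibly wrong IP`. If `$sniffer` is still consumed by other inbound blocks elsewhere in the file, behaviour now differs between inbounds, which is worth confirming as intended. The heredoc containing this JSON starts before the hunk.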
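Review bot: For `ip6tables` the new block sets `HOST_IP=$host_ipv6` regardless of `$2`, so the OUTPUT case gets no loopback range, whereas the `iptables` branch prepends `127.0.0.0/8` for OUTPUT; queries the box itself sends to a resolver on `::1` would presumably not match the `-s $ip` rules added in the next hunk. If that asymmetry is not intended, mirror the v4 branch: `[ "$1" = 'ip6tables' ] && { HOST_IP=$host_ipv6; [ "$2" = 'OUTPUT' ] && HOST_IP="::1/128 $host_ipv6"; }`. How `$host_ipv6` and `$local_ipv4` are populated is outside the hunk, and start_ipt_dns continues past its end.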
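Review bot: When `HOST_IP` is empty the new `for ip in $HOST_IP` loop runs zero times and no REDIRECT rule is installed, so the `else` path quietly stops hijacking port 53 and those queries leave the box unredirected — the two unconditional rules it replaces could not fail that way. `HOST_IP` is derived from `$host_ipv4`/`$host_ipv6` in the previous hunk (how those are populated is not visible here), so an interface without an address of that family would trigger it. Consider a guard before the loop, e.g. `[ -n "$HOST_IP" ] || echo "start_ipt_dns: empty HOST_IP for $1 $2, DNS redirect not installed" >&2`, or fall back to the unrestricted rules; either way the outcome should not be a silent absence of rules. The nft version in the next hunk behaves differently with an empty `HOST_IP`: `{$HOST_IP}` becomes `{}`, which nft is expected to reject, so that `return` rule is simply not installed.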
@@ -1133,11 +1141,14 @@ start_nft_route(){ #nftables-route通用工具
 #nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug
 }
 start_nft_dns(){ #nftables-dns
+ HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
+ [ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
 nft add chain inet shellcrash ${1}_dns { type nat hook $1 priority -100 \; }
 #防回环
 nft add rule inet shellcrash ${1}_dns meta mark $routing_mark return
 nft add rule inet shellcrash ${1}_dns meta skgid { 453, 7890 } return
 [ "$firewall_area" = 5 ] && nft add rule inet shellcrash ${1}_dns ip saddr $bypass_host return
+ nft add rule inet shellcrash ${1}_dns ip saddr != {$HOST_IP} return #屏蔽外部请求
 #过滤局域网设备
 [ -n "$(cat ${CRASHDIR}/configs/mac)" ] && {
 MAC=$(awk '{printf "%s, ",$1}' ${CRASHDIR}/configs/mac)
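Review bot: The added `ip saddr != {$HOST_IP} return` only matches IPv4, and `HOST_IP` here is built from `$host_ipv4`/`$local_ipv4` alone, so IPv6 queries from sources outside the listed ranges are not returned early and fall through to the redirect rules that presumably follow — unlike the iptables path in the earlier hunks, which handles `ip6tables` with `$host_ipv6`. If the same 'block external requests' intent applies to both families, build a second set from `$host_ipv6`: `HOST_IP6=$(echo $host_ipv6 | sed 's/ /, /g')` and `[ -n "$HOST_IP6" ] && nft add rule inet shellcrash ${1}_dns ip6 saddr != {$HOST_IP6} return`. The `output` hook would then also need the v6 loopback in that set, as `127.0.0.0/8` is added for v4. start_nft_dns continues past the end of the hunk.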