From e64bafeb0497763f2203f43ce1a39ad699f0046e Mon Sep 17 00:00:00 2001 From: juewuy Date: Sun, 25 Aug 2024 20:48:41 +0800 Subject: [PATCH] =?UTF-8?q?~=E6=96=B0=E5=A2=9E=E7=8B=AC=E7=AB=8B=E7=9A=84?= =?UTF-8?q?=E5=AE=B9=E5=99=A8/=E8=99=9A=E6=8B=9F=E6=9C=BA=E4=BB=A3?= =?UTF-8?q?=E7=90=86=E5=BC=80=E5=85=B3=EF=BC=8C=E4=BB=A5=E8=A7=A3=E5=86=B3?= =?UTF-8?q?=E4=BB=A3=E7=90=86=E5=A4=B1=E8=B4=A5=E7=9A=84=E9=97=AE=E9=A2=98?= =?UTF-8?q?=20~=E5=9B=9E=E9=80=80=E5=AF=B9singbox=E5=85=A5=E7=AB=99?= =?UTF-8?q?=E6=B7=BB=E5=8A=A0"domain=5Fstrategy":"prefer=5Fipv4"=E5=8F=82?= =?UTF-8?q?=E6=95=B0=E7=9A=84=E6=94=B9=E5=8A=A8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- scripts/menu.sh | 46 +++++++++++++++++++++++++++++++++++++++- scripts/start.sh | 53 +++++++++++++++++++++++++++++------------------ scripts/update.sh | 7 ++++++- 3 files changed, 84 insertions(+), 22 deletions(-) diff --git a/scripts/menu.sh b/scripts/menu.sh index adaee91..cc05afc 100644 --- a/scripts/menu.sh +++ b/scripts/menu.sh @@ -1104,8 +1104,9 @@ setboot(){ #启动相关设置 } set_firewall_area(){ + [ -z "$vm_redir" ] && vm_redir='未开启' echo ----------------------------------------------- - echo -e "\033[31m注意:\033[0m基于桥接网卡的Docker/虚拟机流量,请使用1或3!" + echo -e "\033[31m注意:\033[0m基于桥接网卡的Docker/虚拟机流量,请单独启用6!" echo -e "\033[33m如你使用了第三方DNS如smartdns等,请勿启用本机代理或使用shellcrash用户执行!\033[0m" echo ----------------------------------------------- echo -e " 1 \033[32m仅劫持局域网流量\033[0m" @@ -1113,9 +1114,13 @@ set_firewall_area(){ echo -e " 3 \033[32m劫持局域网+本机流量\033[0m" echo -e " 4 不配置流量劫持(纯净模式)\033[0m" #echo -e " 5 \033[33m转发局域网流量到旁路由设备\033[0m" + echo -e " 6 劫持容器/虚拟机流量: \033[36m$vm_redir\033[0m" + echo -e " 0 返回上级菜单" echo ----------------------------------------------- read -p "请输入对应数字 > " num case $num in + 0) + ;; [1-4]) [ $firewall_area -ge 4 ] && { redir_mod=Redir模式 
@@ -1145,6 +1150,45 @@ set_firewall_area(){ setconfig redir_mod $redir_mod } ;; + 6) + if [ -n "$vm_ipv4" ];then + vm_des='当前劫持' + else + vm_ipv4=$(ip a 2>&1 | grep -w 'inet' | grep 'global' | grep 'brd' | grep -E 'docker|podman|virbr|vnet|ovs|vmbr|veth|vmnic|vboxnet|lxcbr|xenbr|vEthernet' | sed 's/.*inet.//g' | sed 's/ br.*$//g' | sed 's/metric.*$//g' | tr '\n' ' ') + vm_des='当前获取到' + fi + echo ----------------------------------------------- + echo -e "$vm_des的容器/虚拟机网段为:\033[32m$vm_ipv4\033[0m" + echo -e "如未包含容器网段,请先运行容器再运行脚本或者手动设置网段" + echo ----------------------------------------------- + echo -e " 1 \033[32m启用劫持并使用默认网段\033[0m" + echo -e " 2 \033[36m启用劫持并自定义网段\033[0m" + echo -e " 3 \033[31m禁用劫持\033[0m" + echo -e " 0 返回上级菜单" + echo ----------------------------------------------- + read -p "请输入对应数字 > " num + case $num in + 1) + vm_redir=已开启 + ;; + 2) + echo -e "多个网段请用空格连接,可运行容器后使用【ip route】命令查看网段地址" + echo -e "示例:\033[32m10.88.0.0/16 172.17.0.0/16\033[0m" + read -p "请输入自定义网段 > " text + [ -n "$text" ] && vm_ipv4=$text + vm_redir=已开启 + ;; + 3) + vm_redir=未开启 + unset vm_ipv4 + ;; + *) + ;; + esac + setconfig vm_redir $vm_redir + setconfig vm_ipv4 "\'$vm_ipv4\'" + set_firewall_area + ;; *) errornum ;; esac sleep 1 diff --git a/scripts/start.sh b/scripts/start.sh index c2635f5..dfafc54 100644 --- a/scripts/start.sh +++ b/scripts/start.sh 
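Review bot: Sub-option `1)` sets `vm_redir=已开启` even when the detection on the `vm_ipv4=$(ip a ...)` line found no interface, and sub-option `2)` stores whatever was typed (`[ -n "$text" ] && vm_ipv4=$text`) without checking that each token is an IPv4 network; the stored value is later expanded unquoted into iptables/nft rule arguments (the `HOST_IP="$vm_ipv4"` assignments in start.sh), so an empty or malformed entry surfaces as failed rule insertion at start time instead of being refused here. Guard option 1 with `if [ -n "$vm_ipv4" ]; then vm_redir=已开启; else vm_redir=未开启; fi` and, for option 2, accept `$text` only when every token matches `^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$` (a `for net in $text` loop with `grep -Eq`), printing a message and keeping the previous value otherwise. The interface-name regex on the `vm_ipv4=` line is the same list added to getlanip in start.sh; a single shared variable would keep the two from drifting apart.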
@@ -186,7 +186,7 @@ mark_time() { #时间戳
 getlanip() { #获取局域网host地址
 i=1
 while [ "$i" -le "20" ]; do
- host_ipv4=$(ip a 2>&1 | grep -w 'inet' | grep 'global' | grep 'brd' | grep -Ev 'utun|iot|peer' | grep -E ' 1(92|0|72)\.' | sed 's/.*inet.//g' | sed 's/br.*$//g' | sed 's/metric.*$//g') #ipv4局域网网段
+ host_ipv4=$(ip a 2>&1 | grep -w 'inet' | grep 'global' | grep 'brd' | grep -Ev 'utun|iot|peer|docker|podman|virbr|vnet|ovs|vmbr|veth|vmnic|vboxnet|lxcbr|xenbr|vEthernet' | grep -E ' 1(92|0|72)\.' | sed 's/.*inet.//g' | sed 's/br.*$//g' | sed 's/metric.*$//g') #ipv4局域网网段
 [ "$ipv6_redir" = "已开启" ] && host_ipv6=$(ip a 2>&1 | grep -w 'inet6' | grep -E 'global' | sed 's/.*inet6.//g' | sed 's/scope.*$//g') #ipv6公网地址段
 [ -f "$TMPDIR"/ShellCrash.log ] && break
 [ -n "$host_ipv4" -a "$ipv6_redir" != "已开启" ] && break
@@ -711,7 +711,6 @@ EOF
 "listen": "::",
 "listen_port": $mix_port,
 $userpass
- "domain_strategy":"prefer_ipv4",
 "sniff": false
 }, {
 "type": "direct",
@@ -723,7 +722,6 @@ EOF
 "tag": "redirect-in",
 "listen": "::",
 "listen_port": $redir_port,
- "domain_strategy":"prefer_ipv4",
 "sniff": true,
 "sniff_override_destination": $sniffer
 }, {
@@ -731,7 +729,6 @@ EOF
 "tag": "tproxy-in",
 "listen": "::",
 "listen_port": $tproxy_port,
- "domain_strategy":"prefer_ipv4",
 "sniff": true,
 "sniff_override_destination": $sniffer
 }
@@ -749,7 +746,6 @@ EOF
 "inet4_address": "172.19.0.1/30",
 "auto_route": false,
 "stack": "system",
- "domain_strategy":"prefer_ipv4",
 "sniff": true,
 "sniff_override_destination": $sniffer
 }
@@ -897,6 +893,7 @@ start_ipt_route() { #iptables-route通用工具
 RESERVED_IP=$reserve_ipv4
 HOST_IP=$host_ipv4
 [ "$3" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4"
+ [ "$4" = 'shellcrash_vm' ] && HOST_IP="$vm_ipv4"
 }
 [ "$1" = 'ip6tables' ] && {
 RESERVED_IP=$reserve_ipv6
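Review bot: The exclusion list added on the `host_ipv4=` line includes `vmbr`, and on Proxmox hosts `vmbr0` is normally the bridge that carries the host's own LAN address, so on such a host `host_ipv4` would come back empty, the `[ -n "$host_ipv4" ... ] && break` test never fires and the `while` loop runs all 20 rounds; the same happens on any box whose LAN address sits on an `lxcbr`/`xenbr`-style bridge (what getlanip does after the loop is outside the hunk). Consider excluding these names only when they are not the interface of the default route, or keeping the pattern in one variable, e.g. `vm_if_filter='docker|podman|virbr|vnet|ovs|vmbr|veth|vmnic|vboxnet|lxcbr|xenbr|vEthernet'`, that an operator can override and that menu.sh's option 6 detection reuses instead of repeating the list. A comment such as `#排除容器/虚拟机网桥,由vm_redir单独处理` on this line would also explain why these interfaces are dropped here.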
@@ -929,7 +926,7 @@ start_ipt_route() { #iptables-route通用工具
 }
 #tcp&udp分别进代理链
 proxy_set() {
- if [ "$3" = 'PREROUTING' ] && [ "$macfilter_type" = "白名单" ] && [ -s "$CRASHDIR"/configs/mac ]; then
+ if [ "$3" = 'PREROUTING' ] && [ "$4" != 'shellcrash_vm' ] && [ "$macfilter_type" = "白名单" ] && [ -s "$CRASHDIR"/configs/mac ];then
 for mac in $(cat "$CRASHDIR"/configs/mac); do
 $1 -t $2 -A $4 -p $5 -m mac --mac-source $mac -j $JUMP
 done
@@ -949,8 +946,9 @@ start_ipt_dns() { #iptables-dns通用工具
 #$1:iptables/ip6tables $2:所在的表(OUTPUT/PREROUTING) $3:新创建的shellcrash表
 #区分ipv4/ipv6
 [ "$1" = 'iptables' ] && {
- HOST_IP=$host_ipv4
+ HOST_IP="$host_ipv4"
 [ "$2" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4"
+ [ "$3" = 'shellcrash_vm_dns' ] && HOST_IP="$vm_ipv4"
 }
 [ "$1" = 'ip6tables' ] && HOST_IP=$host_ipv6
 $1 -t nat -N $3
@@ -969,7 +967,7 @@ start_ipt_dns() { #iptables-dns通用工具
 $1 -t nat -A $3 -m mac --mac-source $mac -j RETURN
 done
 }
- if [ "$2" = 'PREROUTING' ] && [ -s "$CRASHDIR"/configs/mac ] && [ "$macfilter_type" = "白名单" ]; then
+ if [ "$2" = 'PREROUTING' ] && [ "$3" != 'shellcrash_vm_dns' ] && [ -s "$CRASHDIR"/configs/mac ] && [ "$macfilter_type" = "白名单" ]; then
 for mac in $(cat "$CRASHDIR"/configs/mac); do
 $1 -t nat -A $3 -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port
 $1 -t nat -A $3 -p udp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port
@@ -1103,6 +1101,11 @@ start_iptables() { #iptables配置总入口
 fi
 }
 }
+ [ "$vm_redir" = "已开启" ] && {
+ JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令
+ start_ipt_dns iptables PREROUTING shellcrash_vm_dns #ipv4-局域网dns转发
+ start_ipt_route iptables nat PREROUTING shellcrash_vm tcp #ipv4-局域网tcp转发
+ }
 #启动DNS劫持
 [ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && {
 [ "$lan_proxy" = true ] && {
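Review bot: In start_ipt_dns the new `[ "$3" != 'shellcrash_vm_dns' ]` test is added only to the whitelist `if`; the blacklist loop that closes just above it (`$1 -t nat -A $3 -m mac --mac-source $mac -j RETURN` / `done` / `}`) is not visibly excluded the same way, so if its condition, which is outside the hunk, is also keyed on `"$2" = 'PREROUTING'`, MAC blacklist RETURN rules still land in the vm DNS chain — unlike the nftables side, where `[ "$1" = 'prerouting' ] &&` wraps both branches. The same asymmetry applies to proxy_set at @@ -929, where only the whitelist branch checks `"$4" != 'shellcrash_vm'`. If MAC filtering is meant never to apply to the vm chains, put the same test on the blacklist branches and mark both places with `#容器/虚拟机链不做MAC过滤` so the next reader knows it is deliberate.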
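Review bot: The new `[ "$vm_redir" = "已开启" ] && { ... }` block in start_iptables calls `start_ipt_dns iptables PREROUTING shellcrash_vm_dns` unconditionally, while the `#启动DNS劫持` block right below only hijacks DNS when `"$dns_no" != "已禁用" -a "$dns_redir" != "已开启"`; with DNS hijack disabled globally, container DNS is still redirected to `$dns_port`. The block also runs for every `redir_mod` and installs only `REDIRECT` for tcp, so in TProxy/Tun modes container UDP appears to go unproxied — if that is the intended scope, say so in a comment on the `start_ipt_route` line. Suggested shape: `[ "$vm_redir" = "已开启" ] && [ -n "$vm_ipv4" ] && {` for the outer guard and `[ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" ] && start_ipt_dns iptables PREROUTING shellcrash_vm_dns` for the DNS call; the nftables block at @@ -1287 in start_nftables has the same two gaps.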
@@ -1131,6 +1134,7 @@ start_nft_route() { #nftables-route通用工具
 RESERVED_IP=$(echo $reserve_ipv4 | sed 's/ /, /g')
 HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
 [ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
+ [ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')"
 #添加新链
 nft add chain inet shellcrash $1 { type $3 hook $2 priority $4 \; }
 #过滤dns
@@ -1142,7 +1146,7 @@ start_nft_route() { #nftables-route通用工具
 #nft add rule inet shellcrash $1 ip saddr 198.18.0.0/16 return
 [ "$firewall_area" = 5 ] && nft add rule inet shellcrash $1 ip saddr $bypass_host return
 #过滤局域网设备
- [ -s "$CRASHDIR"/configs/mac ] && {
+ [ "$1" = 'prerouting' ] && [ -s "$CRASHDIR"/configs/mac ] && {
 MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
 if [ "$macfilter_type" = "黑名单" ]; then
 nft add rule inet shellcrash $1 ether saddr {$MAC} return
@@ -1200,7 +1204,8 @@ start_nft_dns() { #nftables-dns
 HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
 HOST_IP6=$(echo $host_ipv6 | sed 's/ /, /g')
 [ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
- nft add chain inet shellcrash "$1"_dns { type nat hook $1 priority -100 \; }
+ [ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')"
+ nft add chain inet shellcrash "$1"_dns { type nat hook $2 priority -100 \; }
 #防回环
 nft add rule inet shellcrash "$1"_dns meta mark $routing_mark return
 nft add rule inet shellcrash "$1"_dns meta skgid { 453, 7890 } return
@@ -1208,7 +1213,7 @@ start_nft_dns() { #nftables-dns
 nft add rule inet shellcrash "$1"_dns ip saddr != {$HOST_IP} return #屏蔽外部请求
 [ "$1" = 'prerouting' ] && nft add rule inet shellcrash "$1"_dns ip6 saddr != {$HOST_IP6} return #屏蔽外部请求
 #过滤局域网设备
- [ -s "$CRASHDIR"/configs/mac ] && {
+ [ "$1" = 'prerouting' ] && [ -s "$CRASHDIR"/configs/mac ] && {
 MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
 if [ "$macfilter_type" = "黑名单" ]; then
 nft add rule inet shellcrash "$1"_dns ether saddr {$MAC} return
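Review bot: start_nft_dns now takes a second argument — `hook $2` on the `nft add chain` line — while `$1` is only the chain-name prefix and selector, but its header is still the bare `#nftables-dns`, unlike start_ipt_dns which documents `#$1:... $2:... $3:...`; add `#$1:链名前缀(prerouting/output/prerouting_vm) $2:挂载的hook(prerouting/output)` under the function line, and note the new `prerouting_vm` value in start_nft_route's header too. Every caller in this diff passes two arguments; a caller elsewhere still passing one would now emit `hook  priority -100` and fail to create the chain, so it is worth checking for such callers. Separately, the ip6 source filter `[ "$1" = 'prerouting' ] && nft add rule ... ip6 saddr != {$HOST_IP6} return` is skipped for `prerouting_vm`; if the vm DNS chain also carries ip6 redirect rules (not visible here), they would match IPv6 DNS from any source, so either add an equivalent filter or restrict that chain to ip traffic explicitly.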
@@ -1248,8 +1253,8 @@ start_nftables() { #nftables配置总入口
 start_nft_wan
 #启动DNS劫持
 [ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && {
- [ "$lan_proxy" = true ] && start_nft_dns prerouting #局域网dns转发
- [ "$local_proxy" = true ] && start_nft_dns output #本机dns转发
+ [ "$lan_proxy" = true ] && start_nft_dns prerouting prerouting #局域网dns转发
+ [ "$local_proxy" = true ] && start_nft_dns output output #本机dns转发
 }
 #分模式设置流量劫持
 [ "$redir_mod" = "Redir模式" ] && {
@@ -1287,6 +1292,11 @@ start_nftables() { #nftables配置总入口
 [ "$lan_proxy" = true ] && start_nft_route prerouting prerouting filter -150
 [ "$local_proxy" = true ] && start_nft_route output output route -150
 }
+ [ "$vm_redir" = "已开启" ] && {
+ start_nft_dns prerouting_vm prerouting
+ JUMP="meta l4proto tcp redirect to $redir_port" #跳转劫持的具体命令
+ start_nft_route prerouting_vm prerouting nat -100
+ }
 #屏蔽QUIC
 [ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && {
 nft add chain inet shellcrash quic_rj { type filter hook input priority 0 \; }
@@ -1352,7 +1362,7 @@ stop_firewall() { #还原防火墙配置
 #重置iptables相关规则
 ckcmd iptables && {
 #清理shellcrash自建表
- for table in shellcrash_dns shellcrash shellcrash_out shellcrash_dns_out; do
+ for table in shellcrash_dns shellcrash shellcrash_out shellcrash_dns_out shellcrash_vm shellcrash_vm_dns; do
 iptables -t nat -F $table 2>/dev/null
 iptables -t nat -X $table 2>/dev/null
 done
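Review bot: The new `[ "$vm_redir" = "已开启" ] && { ... }` block calls `start_nft_dns prerouting_vm prerouting` and `start_nft_route prerouting_vm prerouting nat -100` without checking that `vm_ipv4` is non-empty, and the menu lets the switch be enabled with an empty list. In start_nft_dns the only IPv4 source restriction is `nft add rule inet shellcrash "$1"_dns ip saddr != {$HOST_IP} return` (context at @@ -1208); with an empty `HOST_IP` that command is a syntax error and the rule is simply missing, while the chain has already been created and hooked on prerouting, so whatever redirect rules follow it (outside the hunk) would apply to every source instead of only the container networks — a fail-open rather than a fail-closed outcome. Change the guard to `[ "$vm_redir" = "已开启" ] && [ -n "$vm_ipv4" ] && {` and mirror it in the iptables block at @@ -1103.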
@@ -1370,6 +1380,12 @@ stop_firewall() { #还原防火墙配置
 iptables -t nat -D PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash 2>/dev/null
 iptables -t nat -D OUTPUT -p tcp $ports -j shellcrash_out 2>/dev/null
 iptables -t nat -D OUTPUT -p tcp -d 198.18.0.0/16 -j shellcrash_out 2>/dev/null
+ #vm_dns
+ iptables -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_vm_dns 2>/dev/null
+ iptables -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_vm_dns 2>/dev/null
+ #vm_redir
+ iptables -t nat -D PREROUTING -p tcp $ports -j shellcrash_vm 2>/dev/null
+ iptables -t nat -D PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash_vm 2>/dev/null
 #TPROXY&tun
 iptables -t mangle -D PREROUTING -p tcp $ports -j shellcrash_mark 2>/dev/null
 iptables -t mangle -D PREROUTING -p udp $ports -j shellcrash_mark 2>/dev/null
@@ -1653,16 +1669,13 @@ network_check() { #检查是否联网
 ping -c 3 $host >/dev/null 2>&1 && return 0
 sleep 2
 done
- logger "当前设备无法连接网络,已取消开机启动!" 33
+ logger "当前设备无法连接网络,已停止启动!" 33
 exit 1
 }
 bfstart() { #启动前
 routing_mark=$((fwmark + 2))
- #启动前等待
- [ ! -f "$TMPDIR"/crash_start_time ] && {
- #检测网络连接
- network_check
- }
+ #检测网络连接
+ [ ! -f "$TMPDIR"/crash_start_time ] && ckcmd ping && network_check
 [ ! -d "$BINDIR"/ui ] && mkdir -p "$BINDIR"/ui
 [ -z "$crashcore" ] && crashcore=clash
 #执行条件任务
diff --git a/scripts/update.sh b/scripts/update.sh
index 1a3e4a4..bbef0e5 100644
--- a/scripts/update.sh
+++ b/scripts/update.sh
@@ -2472,7 +2472,7 @@ testcommand(){
 if [ "$firewall_mod" = "nftables" ];then
 nft list table inet shellcrash
 else
- [ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 ] && {
+ [ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 -o "$vm_redir" = "已开启" ] && {
 echo ----------------Redir+DNS---------------------
 iptables -t nat -L PREROUTING --line-numbers
 iptables -t nat -L shellcrash_dns --line-numbers
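Review bot: The rewritten line `[ ! -f "$TMPDIR"/crash_start_time ] && ckcmd ping && network_check` in bfstart skips the connectivity check silently when `ping` is not installed, where the previous form always called `network_check`; on a minimal image the first start then proceeds with nothing in the log explaining why the check did not run. A one-line diagnostic before it, `ckcmd ping || logger "未找到ping命令,跳过网络检测" 33`, keeps the new behaviour while making it visible. bfstart continues outside the hunk, so any later step that assumes the check passed should be read with this in mind.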
@@ -2509,6 +2509,11 @@ testcommand(){
 }
 }
 }
+ [ "$vm_redir" = "已开启" ] && {
+ echo -------------vm-Redir-------------------
+ iptables -t nat -L shellcrash_vm --line-numbers
+ iptables -t nat -L shellcrash_vm_dns --line-numbers
+ }
 fi
 exit;
 elif [ "$num" = 5 ]; then