From 030bd8423d0eca3afc38ee99d1ce86cb170f6489 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 19 Apr 2022 23:43:56 +0800 Subject: [PATCH] update 04-19 23:43:56 --- luci-app-fullconenat/Makefile | 14 + luci-app-fullconenat/README.md | 5 + .../luasrc/controller/fullconenat.lua | 12 + .../luasrc/model/cbi/fullconenat.lua | 65 ++++ luci-app-fullconenat/po/zh-cn/fullconenat.po | 45 +++ luci-app-fullconenat/po/zh_Hans | 1 + .../root/etc/config/fullconenat | 3 + .../root/etc/init.d/fullconenat | 70 +++++ .../root/etc/uci-defaults/fullconenat | 13 + .../rpcd/acl.d/luci-app-fullconenat.json | 11 + luci-app-passwall/Makefile | 3 +- .../model/cbi/passwall/client/rule_list.lua | 3 +- .../root/usr/share/passwall/0_default_config | 3 +- .../root/usr/share/passwall/iptables.sh | 294 ++++++++++-------- 14 files changed, 406 insertions(+), 136 deletions(-) create mode 100755 luci-app-fullconenat/Makefile create mode 100644 luci-app-fullconenat/README.md create mode 100755 luci-app-fullconenat/luasrc/controller/fullconenat.lua create mode 100755 luci-app-fullconenat/luasrc/model/cbi/fullconenat.lua create mode 100755 luci-app-fullconenat/po/zh-cn/fullconenat.po create mode 120000 luci-app-fullconenat/po/zh_Hans create mode 100755 luci-app-fullconenat/root/etc/config/fullconenat create mode 100755 luci-app-fullconenat/root/etc/init.d/fullconenat create mode 100755 luci-app-fullconenat/root/etc/uci-defaults/fullconenat create mode 100644 luci-app-fullconenat/root/usr/share/rpcd/acl.d/luci-app-fullconenat.json diff --git a/luci-app-fullconenat/Makefile b/luci-app-fullconenat/Makefile new file mode 100755 index 000000000..0fbbfaa66 --- /dev/null +++ b/luci-app-fullconenat/Makefile 
@@ -0,0 +1,14 @@
+#-- Copyright (C) 2018 dz
+
+include $(TOPDIR)/rules.mk
+
+LUCI_TITLE:=LuCI support for FullConeNat
+LUCI_DEPENDS:=+iptables-mod-fullconenat
+LUCI_PKGARCH:=all
+PKG_VERSION:=1.3
+PKG_RELEASE:=3
+
+include $(TOPDIR)/feeds/luci/luci.mk
+
+# call BuildPackage - OpenWrt buildroot signature
+
diff --git a/luci-app-fullconenat/README.md b/luci-app-fullconenat/README.md
new file mode 100644
index 000000000..b260a82b8
--- /dev/null
+++ b/luci-app-fullconenat/README.md
@@ -0,0 +1,5 @@
+# luci-app-fullconenat
+
+本软件包是 [fullconenat]的 LuCI 控制界面
+
+[fullconenat]: https://github.com/LGA1150/openwrt-fullconenat
diff --git a/luci-app-fullconenat/luasrc/controller/fullconenat.lua b/luci-app-fullconenat/luasrc/controller/fullconenat.lua
new file mode 100755
index 000000000..5325ef4ce
--- /dev/null
+++ b/luci-app-fullconenat/luasrc/controller/fullconenat.lua
@@ -0,0 +1,12 @@
+module("luci.controller.fullconenat", package.seeall)
+
+function index()
+ if not nixio.fs.access("/etc/config/fullconenat") then
+ return
+ end
+ local page
+ page = entry({"admin", "network", "fullconenat"}, cbi("fullconenat"), _("fullconenat"), 101)
+ page.i18n = "fullconenat"
+ page.dependent = true
+ page.acl_depends = { "luci-app-fullconenat" }
+end
diff --git a/luci-app-fullconenat/luasrc/model/cbi/fullconenat.lua b/luci-app-fullconenat/luasrc/model/cbi/fullconenat.lua
new file mode 100755
index 000000000..f68eed518
--- /dev/null
+++ b/luci-app-fullconenat/luasrc/model/cbi/fullconenat.lua
@@ -0,0 +1,65 @@
+#-- Copyright (C) 2018 dz
+
+local fwm = require "luci.model.firewall".init()
+local def = fwm:get_defaults()
+local zn = fwm:get_zone("wan")
+local m, s, o, fw3_buildin, has_module, status, des
+
+local function testcmd (cmd)
+ return luci.sys.call(cmd) == 0
+end
+
+has_module = testcmd("modprobe -q xt_FULLCONENAT")
+fw3_buildin = testcmd("strings `which fw3` | grep -q fullcone")
+
+m = Map("fullconenat", translate("Full cone NAT"),
+ translate("FullConeNat."))
+status="Not supported, Kernel module needed: xt_FULLCONENAT"
+if has_module then
+if testcmd("iptables -t nat -L -n --line-numbers | grep FULLCONENAT >/dev/null") then
+ status="Running"
+else
+ status="Not Running"
+end
+end
+
+m = Map("fullconenat", translate("FullConeNat"), "%s - %s" %{translate("FULLCONENAT"), translate(status)})
+
+des = fw3_buildin and "Build-in mode, set the `fullcone` option to firewall configure either." or "Manual mode, write to the firewall custom rules settings only."
+s = m:section(TypedSection, "fullconenat", translate("Settings"), translate(des))
+s.anonymous = true
+
+o = s:option(ListValue, "mode", translate("Register modes"), translate("Warning!!! 
There is security risk if enabled."))
+o.widget = "radio"
+o.orientation = "horizontal"
+o.default = "disable"
+o.rmempty = false
+o:value("disable", translate("Disable"))
+o:value("ips", translate("IP Address Only"))
+o:value("all", translate("ALL Enabled"))
+o.cfgvalue = function (self, sec)
+ local ret = "disable"
+ if fw3_buildin and def:get("fullcone") == "1" then
+ ret = "all"
+ else
+ ret = self.map:get(sec, self.option)
+ end
+ return has_module and ret or "disable"
+end
+o.write = function (self, sec, val)
+ val = has_module and val or "disable"
+ if fw3_buildin then
+ def:set("fullcone", val == "all" and 1 or 0)
+ zn:set("fullcone", val == "all" and 1 or 0)
+ end
+ fwm.commit()
+ return self.map:set(sec, self.option, val)
+end
+
+o = s:option(Value, "fullconenat_ip", translate("FullConeNat IP"), translate("Enable FullConeNat for specified IP Address.") .. "
" .. (fw3_buildin and translate("Manual mode, write to the firewall custom rules settings only.") or ""))
+o.placeholder="192.168.1.100,192.168.1.101,192.168.1.102"
+o.rempty = true
+o.optional = false
+o:depends("mode", "ips")
+
+return m
diff --git a/luci-app-fullconenat/po/zh-cn/fullconenat.po b/luci-app-fullconenat/po/zh-cn/fullconenat.po
new file mode 100755
index 000000000..e629c3405
--- /dev/null
+++ b/luci-app-fullconenat/po/zh-cn/fullconenat.po
@@ -0,0 +1,45 @@
+msgid "fullconenat"
+msgstr "全端口映射"
+
+msgid "FULLCONENAT"
+msgstr "Fullcone NAT"
+
+msgid "Running"
+msgstr "正在运行"
+
+msgid "Not Running"
+msgstr "未运行"
+
+msgid "Not supported, Kernel module needed: xt_FULLCONENAT"
+msgstr "不支持,缺少 xt_FULLCONENAT 内核组件"
+
+msgid "Settings"
+msgstr "设置"
+
+msgid "Build-in mode, set the `fullcone` option to firewall configure either."
+msgstr "防火墙内置模式,同时配置防火墙(firewall)中对应的选项。"
+
+msgid "Manual mode, write to the firewall custom rules settings only."
+msgstr "手动模式,仅将配置写入到防火墙(firewall)自定义规则中。"
+
+msgid "Register modes"
+msgstr "运行模式"
+
+msgid "Disable"
+msgstr "停用"
+
+msgid "IP Address Only"
+msgstr "限指定IP"
+
+msgid "ALL Enabled"
+msgstr "全网开启"
+
+msgid "Warning!!! There is security risk if enabled."
+msgstr "警告!!!开启后存在安全风险。"
+
+msgid "FullConeNat IP"
+msgstr "映射IP"
+
+msgid "Enable FullConeNat for specified IP Address."
+msgstr "多IP映射用英文逗号分隔。"
+
diff --git a/luci-app-fullconenat/po/zh_Hans b/luci-app-fullconenat/po/zh_Hans
new file mode 120000
index 000000000..41451e4a1
--- /dev/null
+++ b/luci-app-fullconenat/po/zh_Hans
@@ -0,0 +1 @@
+zh-cn
\ No newline at end of file
diff --git a/luci-app-fullconenat/root/etc/config/fullconenat b/luci-app-fullconenat/root/etc/config/fullconenat
new file mode 100755
index 000000000..919a8ad8c
--- /dev/null
+++ b/luci-app-fullconenat/root/etc/config/fullconenat
@@ -0,0 +1,3 @@
+config fullconenat 'config'
+ option mode 'disable'
+ option fullconenat_ip '192.168.1.100'
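Review bot: `fullconenat_ip` is stored with no validation at all (neither `o.datatype` nor `o.validate` is set), and the init script added in this same commit interpolates it verbatim into `/etc/firewall.user`, which fw3 executes as a shell script — so anything other than a clean IPv4 list ends up inside an executed file. Checking each comma-separated entry in the form is the cheapest place to close that; a validate hook is sketched below (it assumes `luci.cbi.datatypes` is reachable the same way `luci.sys` is used here without a require). While in this block, `o.rempty = true` looks like a typo for `rmempty`, and the first `m = Map("fullconenat", translate("Full cone NAT"), …)` is dead, being overwritten by the second `Map` a few lines later.
```lua
-- … unchanged: o = s:option(Value, "fullconenat_ip", …) / o.placeholder …
o.rmempty = true
o.optional = false
-- reject anything that is not a comma-separated list of IPv4 addresses:
-- the init script copies this value verbatim into /etc/firewall.user
o.validate = function(self, value)
	for ip in (value or ""):gmatch("[^,]+") do
		if not luci.cbi.datatypes.ip4addr(ip) then
			return nil, translate("Invalid IP address: ") .. ip
		end
	end
	return value
end
o:depends("mode", "ips")
```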
diff --git a/luci-app-fullconenat/root/etc/init.d/fullconenat b/luci-app-fullconenat/root/etc/init.d/fullconenat
new file mode 100755
index 000000000..4c843c5bc
--- /dev/null
+++ b/luci-app-fullconenat/root/etc/init.d/fullconenat
@@ -0,0 +1,70 @@
+#!/bin/sh /etc/rc.common
+#-- Copyright (C) 2018 dz
+
+START=99
+
+re=0
+
+start(){
+ local fw3_buildin mode fullconenat_ip fullcone masq
+ strings `which fw3` | grep -q "fullcone"
+ fw3_buildin=$?
+ mode=$(uci get fullconenat.config.mode 2>/dev/null)
+ if modprobe -q "xt_FULLCONENAT"; then
+ [ $fw3_buildin -eq 0 ] && echo -n "fw3 build-in, change settings in /etc/config/firewall either. "
+ echo "$mode."
+ else
+ echo "not supported."
+ return 1
+ fi
+ fullcone=0
+ fullconenat_ip=$(uci get fullconenat.config.fullconenat_ip 2>/dev/null)
+ if [ "$mode" == "ips" ]; then
+ sed -i '/FULLCONENAT/d' /etc/firewall.user
+ echo "iptables -t nat -A zone_wan_prerouting -j FULLCONENAT" >> /etc/firewall.user
+ echo "iptables -t nat -A zone_wan_postrouting -s $fullconenat_ip -j FULLCONENAT" >> /etc/firewall.user
+ echo "iptables -t nat -A zone_wan_postrouting -j MASQUERADE" >> /etc/firewall.user
+ elif [ "$mode" == "all" ]; then
+ if [ $fw3_buildin -ne 0 ]; then
+ iptables -t nat -D zone_wan_postrouting -s $fullconenat_ip -j FULLCONENAT
+ iptables -t nat -D zone_wan_postrouting -j MASQUERADE
+ sed -i '/zone_wan_postrouting -j MASQUERADE/d' /etc/firewall.user
+ sed -i '/FULLCONENAT/d' /etc/firewall.user
+ echo "iptables -t nat -A zone_wan_prerouting -j FULLCONENAT" >> /etc/firewall.user
+ echo "iptables -t nat -A zone_wan_postrouting -j FULLCONENAT" >> /etc/firewall.user
+ else
+ fullcone=1
+ fi
+ fi
+ [ $fw3_buildin -eq 0 ] && {
+ uci set firewall.@defaults[0].fullcone=$fullcone
+ uci set firewall.@zone[1].fullcone=$fullcone
+ }
+ uci commit firewall
+ /etc/init.d/firewall restart
+}
+
+stop(){
+ fullconenat_ip=$(uci get fullconenat.config.fullconenat_ip 2>/dev/null)
+ mode=$(uci get fullconenat.config.mode 2>/dev/null)
+ echo "$mode, $fullconenat_ip"
+ iptables -t nat -D zone_wan_prerouting -j FULLCONENAT
+ iptables -t nat -D zone_wan_postrouting -s $fullconenat_ip -j FULLCONENAT
+ iptables -t nat -D zone_wan_postrouting -j MASQUERADE
+ iptables -t nat -D zone_wan_postrouting -j FULLCONENAT
+ sed -i '/zone_wan_postrouting -j MASQUERADE/d' /etc/firewall.user
+ sed -i '/FULLCONENAT/d' /etc/firewall.user
+ [ $re -eq 0 ] && {
+ uci set firewall.@defaults[0].fullcone=0
+ uci set firewall.@zone[1].fullcone=0
+ uci commit firewall
+ /etc/init.d/firewall restart
+ }
+}
+
+
+restart(){
+ re=1
+ stop
+ start
+}
diff --git a/luci-app-fullconenat/root/etc/uci-defaults/fullconenat b/luci-app-fullconenat/root/etc/uci-defaults/fullconenat
new file mode 100755
index 000000000..58ced1f02
--- /dev/null
+++ b/luci-app-fullconenat/root/etc/uci-defaults/fullconenat
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+uci -q batch <<-EOF >/dev/null
+ delete ucitrack.@fullconenat[-1]
+ add ucitrack fullconenat
+ set ucitrack.@fullconenat[-1].init=fullconenat
+ commit ucitrack
+EOF
+
+/etc/init.d/fullconenat enable
+
+rm -f /tmp/luci-indexcache
+exit 0
diff --git a/luci-app-fullconenat/root/usr/share/rpcd/acl.d/luci-app-fullconenat.json b/luci-app-fullconenat/root/usr/share/rpcd/acl.d/luci-app-fullconenat.json
new file mode 100644
index 000000000..2a1c373e7
--- /dev/null
+++ b/luci-app-fullconenat/root/usr/share/rpcd/acl.d/luci-app-fullconenat.json
@@ -0,0 +1,11 @@
+{
+ "luci-app-fullconenat": {
+ "description": "Grant UCI access for luci-app-fullconenat",
+ "read": {
+ "uci": [ "fullconenat" ]
+ },
+ "write": {
+ "uci": [ "fullconenat" ]
+ }
+ }
+}
diff --git a/luci-app-passwall/Makefile b/luci-app-passwall/Makefile
index e46b789ee..d6197b16a 100644
--- a/luci-app-passwall/Makefile
+++ b/luci-app-passwall/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=luci-app-passwall
 PKG_VERSION:=4.53
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 PKG_CONFIG_DEPENDS:= \
 CONFIG_PACKAGE_$(PKG_NAME)_Transparent_Proxy \
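Review bot: `start()` writes `$fullconenat_ip` straight from UCI into `/etc/firewall.user` (the `echo "iptables -t nat -A zone_wan_postrouting -s $fullconenat_ip -j FULLCONENAT" >> /etc/firewall.user` line), a file fw3 runs as a shell script, and nothing in this script checks the value first; a guard before the `if [ "$mode" == "ips" ]` branch such as `case "$fullconenat_ip" in ""|*[!0-9.,/]*) echo "invalid fullconenat_ip"; return 1 ;; esac` keeps the executed file limited to address lists. `uci set firewall.@zone[1].fullcone=$fullcone` (and the matching line in `stop()`) assumes the wan zone is the second zone section, whereas the CBI model in this commit resolves it by name with `fwm:get_zone("wan")`; the two should agree, so look the zone up by its `name` option here as well. `stop()` also declares none of its variables `local`, unlike `start()`, so `mode` and `fullconenat_ip` leak into the rc.common environment.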
@@ -69,6 +69,7 @@ config PACKAGE_$(PKG_NAME)_Transparent_Proxy
 select PACKAGE_ipt2socks
 select PACKAGE_iptables
 select PACKAGE_iptables-legacy
+ select PACKAGE_iptables-mod-conntrack-extra
 select PACKAGE_iptables-mod-iprange
 select PACKAGE_iptables-mod-socket
 select PACKAGE_iptables-mod-tproxy
diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/rule_list.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/rule_list.lua
index 60ba9b3ff..2e5ca60ec 100644
--- a/luci-app-passwall/luasrc/model/cbi/passwall/client/rule_list.lua
+++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/rule_list.lua
@@ -6,8 +6,7 @@ local datatypes = api.datatypes
 local path = string.format("/usr/share/%s/rules/", appname)
 local route_hosts_path = "/etc/"
-m = SimpleForm(appname)
-m.uci = api.uci
+m = Map(appname)
 -- [[ Rule List Settings ]]--
 s = m:section(TypedSection, "global_rules")
diff --git a/luci-app-passwall/root/usr/share/passwall/0_default_config b/luci-app-passwall/root/usr/share/passwall/0_default_config
index 2f0da5e6e..f8d11bbf3 100644
--- a/luci-app-passwall/root/usr/share/passwall/0_default_config
+++ b/luci-app-passwall/root/usr/share/passwall/0_default_config
@@ -25,9 +25,8 @@ config global_delay
 option start_delay '1'
 config global_forwarding
- option process '0'
 option tcp_no_redir_ports 'disable'
- option udp_no_redir_ports '53'
+ option udp_no_redir_ports 'disable'
 option tcp_proxy_drop_ports 'disable'
 option udp_proxy_drop_ports '80,443'
 option tcp_redir_ports '22,25,53,143,465,587,853,993,995,80,443'
diff --git a/luci-app-passwall/root/usr/share/passwall/iptables.sh b/luci-app-passwall/root/usr/share/passwall/iptables.sh
index cd5fcc636..412684103 100755
--- a/luci-app-passwall/root/usr/share/passwall/iptables.sh
+++ b/luci-app-passwall/root/usr/share/passwall/iptables.sh
@@ -105,8 +105,11 @@ REDIRECT() { local s="-j REDIRECT" [ -n "$1" ] && { local s="$s --to-ports $1" - [ "$2" == "TPROXY" ] && s="-j TPROXY --tproxy-mark 0x1/0x1 --on-port $1" [ "$2" == "MARK" ] && s="-j MARK --set-mark $1" + [ "$2" == "TPROXY" ] && { + local mark="-m mark --mark 1" + s="${mark} -j TPROXY --tproxy-mark 0x1/0x1 --on-port $1" + } } echo $s } @@ -125,6 +128,20 @@ get_ipset_ipt() { esac } +get_ipset_ip6t() { + case "$1" in + gfwlist) + echo "$(dst $IPSET_GFW6)" + ;; + chnroute) + echo "$(dst $IPSET_CHN6 !)" + ;; + returnhome) + echo "$(dst $IPSET_CHN6)" + ;; + esac +} + get_redirect_ipt() { case "$1" in disable) @@ -446,6 +463,19 @@ load_acl() { msg2="${msg2}(REDIRECT:${tcp_port})代理" fi + [ "$accept_icmp" = "1" ] && { + $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT) + $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_SHUNTLIST) $(REDIRECT) + $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_BLACKLIST) $(REDIRECT) + $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(get_redirect_ipt $tcp_proxy_mode) + } + + [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { + $ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_SHUNTLIST6) $(REDIRECT) 2>/dev/null + $ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_BLACKLIST6) $(REDIRECT) 2>/dev/null + $ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(get_redirect_ip6t $tcp_proxy_mode) 2>/dev/null + } + [ "$tcp_no_redir_ports" != "disable" ] && { $ipt_tmp -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN $ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN 2>/dev/null 
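Review bot: `get_ipset_ip6t` has no `*)` branch, so for any mode other than `gfwlist`/`chnroute`/`returnhome` it prints nothing, and the callers that append `$(get_ipset_ip6t $tcp_proxy_mode) -j PSW_RULE` (the `@@ -461` hunk and the default/UDP hunks after it) then install a rule with no destination match at all. For `global` that is presumably the intent; if `direct/proxy` can reach this path — the old code routed it through `get_redirect_ip6t`, whose cases are outside this chunk — every connection would now be marked instead of returned. A comment above the `case` stating the contract, e.g. `# empty output = no destination filter (proxy everything); callers must not pass direct/proxy`, or an explicit `*)` branch, would make the assumption checkable; `get_ipset_ipt`, whose body is outside the hunk, presumably has the same shape.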
@@ -461,28 +491,24 @@ load_acl() { msg2="${msg2}[$?],屏蔽代理TCP 端口:${tcp_proxy_drop_ports}" } - $ipt_tmp -A PSW $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP $(REDIRECT $tcp_port $is_tproxy) - $ipt_tmp -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $tcp_port $is_tproxy) - $ipt_tmp -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $tcp_port $is_tproxy) - $ipt_tmp -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_redirect_ipt $tcp_proxy_mode $tcp_port $is_tproxy) - - [ "$accept_icmp" = "1" ] && { - $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT) - $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_SHUNTLIST) $(REDIRECT) - $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_BLACKLIST) $(REDIRECT) - $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(get_redirect_ipt $tcp_proxy_mode) - } - - if [ "$PROXY_IPV6" == "1" ]; then - $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT $tcp_port TPROXY) 2>/dev/null - $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT $tcp_port TPROXY) 2>/dev/null - $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_redirect_ip6t $tcp_proxy_mode $tcp_port TPROXY) 2>/dev/null - [ "$accept_icmpv6" = "1" ] && { - $ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_SHUNTLIST6) $(REDIRECT) 2>/dev/null - $ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_BLACKLIST6) $(REDIRECT) 2>/dev/null - $ip6t_n -A PSW $(comment "$remarks") -p 
ipv6-icmp ${_ipt_source} $(get_redirect_ip6t $tcp_proxy_mode) 2>/dev/null - } + if [ "${ipt_tmp}" = "${ipt_n}" ]; then + $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP $(REDIRECT $tcp_port) + $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $tcp_port) + $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $tcp_port) + $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_redirect_ipt $tcp_proxy_mode $tcp_port) + else + $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP -j PSW_RULE + $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE + $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE + $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_ipset_ipt $tcp_proxy_mode) -j PSW_RULE + $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY) fi + [ "$PROXY_IPV6" == "1" ] && { + $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE 2>/dev/null + $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE 2>/dev/null + $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_ipset_ip6t $tcp_proxy_mode) -j PSW_RULE 2>/dev/null + $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY) 2>/dev/null + } else msg2="${msg}不代理TCP" fi 
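Review bot: The four-rule block in the new `else` branch and the IPv6 block below it are near-verbatim copies of each other and of the variants in the default-TCP (`@@ -566`), ACL-UDP (`@@ -510`), default-UDP (`@@ -612`) and localhost (`@@ -1012`) hunks, differing only in table, protocol, source match, ipset names and final action; a small helper taking those as arguments would make the REDIRECT-vs-PSW_RULE split reviewable in one place. One inconsistency this duplication has already produced: the ACL IPv6 lines here end in `2>/dev/null` while the default-section IPv6 lines in `@@ -566` do not, so rule-load failures are reported for one path and hidden for the other. The enclosing `load_acl` and its `if` begin outside this hunk.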
@@ -510,17 +536,19 @@ load_acl() { msg2="${msg2}[$?]除${udp_no_redir_ports}外的" } msg2="${msg2}所有端口" - - $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP $(REDIRECT $udp_port TPROXY) - $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $udp_port TPROXY) - $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $udp_port TPROXY) - $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(get_redirect_ipt $udp_proxy_mode $udp_port TPROXY) - if [ "$PROXY_IPV6_UDP" == "1" ]; then - $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT $udp_port TPROXY) 2>/dev/null - $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT $udp_port TPROXY) 2>/dev/null - $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(get_redirect_ip6t $udp_proxy_mode $udp_port TPROXY) 2>/dev/null - fi + $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW_RULE + $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE + $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE + $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(get_ipset_ipt $udp_proxy_mode) -j PSW_RULE + $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $udp_port TPROXY) + + [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { + $ip6t_m -A PSW $(comment "$remarks") -p udp 
${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE 2>/dev/null + $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE 2>/dev/null + $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(get_ipset_ip6t $udp_proxy_mode) -j PSW_RULE 2>/dev/null + $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $udp_port TPROXY) 2>/dev/null + } else msg2="${msg}不代理UDP" fi @@ -545,19 +573,17 @@ load_acl() { $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP [ "$TCP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ipt $TCP_PROXY_MODE) -j DROP } - local ipt_tmp=$ipt_n + if [ "$TCP_PROXY_MODE" != "disable" ]; then + local ipt_tmp=$ipt_n + [ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m [ "$TCP_NO_REDIR_PORTS" != "disable" ] && { - [ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m $ipt_tmp -A PSW $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN $ip6t_m -A PSW $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN } - - ipt_tmp=$ipt_n [ "$TCP_NODE" != "nil" ] && { msg="TCP默认代理:使用TCP节点[$(config_n_get $TCP_NODE remarks)] [$(get_action_chain_name $TCP_PROXY_MODE)]" if [ -n "${is_tproxy}" ]; then - ipt_tmp=$ipt_m msg="${msg}(TPROXY:${TCP_REDIR_PORT})代理" else msg="${msg}(REDIRECT:${TCP_REDIR_PORT})代理" 
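Review bot: In the `@@ -545` hunk `local ipt_tmp=$ipt_n` is now declared inside `if [ "$TCP_PROXY_MODE" != "disable" ]`, so when the mode is `disable` the variable is never assigned at all; `local` in ash scopes to the whole function regardless of block, but any later line in `load_acl` that expands `$ipt_tmp` after the `fi` (outside this hunk) would then run an empty command. Declaring it before the `if` — `local ipt_tmp=$ipt_n` on the line above, with only `[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m` inside — keeps the old guarantee. Whether such a use exists after the `fi` cannot be confirmed from this chunk.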
@@ -566,29 +592,39 @@ load_acl() { [ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的" msg="${msg}所有端口" - $ipt_tmp -A PSW $(comment "默认") -p tcp -d $FAKE_IP $(REDIRECT $TCP_REDIR_PORT $is_tproxy) - $ipt_tmp -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $TCP_REDIR_PORT $is_tproxy) - $ipt_tmp -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT $is_tproxy) - $ipt_tmp -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $TCP_PROXY_MODE $TCP_REDIR_PORT $is_tproxy) - [ "$accept_icmp" = "1" ] && { $ipt_n -A PSW $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT) $ipt_n -A PSW $(comment "默认") -p icmp $(dst $IPSET_SHUNTLIST) $(REDIRECT) $ipt_n -A PSW $(comment "默认") -p icmp $(dst $IPSET_BLACKLIST) $(REDIRECT) $ipt_n -A PSW $(comment "默认") -p icmp $(get_redirect_ipt $TCP_PROXY_MODE) } - - if [ "$PROXY_IPV6" == "1" ]; then - $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT $TCP_REDIR_PORT TPROXY) - $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT $TCP_REDIR_PORT TPROXY) - $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ip6t $TCP_PROXY_MODE $TCP_REDIR_PORT TPROXY) - [ "$accept_icmpv6" = "1" ] && { - $ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(dst $IPSET_SHUNTLIST6) $(REDIRECT) - $ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(dst $IPSET_BLACKLIST6) $(REDIRECT) - $ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(get_redirect_ip6t $TCP_PROXY_MODE) - } + + [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { + $ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(dst $IPSET_SHUNTLIST6) $(REDIRECT) + $ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(dst $IPSET_BLACKLIST6) 
$(REDIRECT) + $ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(get_redirect_ip6t $TCP_PROXY_MODE) + } + + if [ "${ipt_tmp}" = "${ipt_n}" ]; then + $ipt_n -A PSW $(comment "默认") -p tcp -d $FAKE_IP $(REDIRECT $TCP_REDIR_PORT) + $ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $TCP_REDIR_PORT) + $ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT) + $ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $TCP_PROXY_MODE $TCP_REDIR_PORT) + else + $ipt_m -A PSW $(comment "默认") -p tcp -d $FAKE_IP -j PSW_RULE + $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE + $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE + $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $TCP_PROXY_MODE) -j PSW_RULE + $ipt_m -A PSW $(comment "默认") -p tcp $(REDIRECT $TCP_REDIR_PORT TPROXY) fi + [ "$PROXY_IPV6" == "1" ] && { + $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE + $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE + $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $TCP_PROXY_MODE) -j PSW_RULE + $ip6t_m -A PSW $(comment "默认") -p tcp $(REDIRECT $TCP_REDIR_PORT TPROXY) + } + echolog "${msg}" } fi 
@@ -612,20 +648,22 @@ load_acl() { [ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ] && { [ "$TCP_UDP" = "1" ] && [ "$UDP_NODE" = "nil" ] && UDP_NODE=$TCP_NODE msg="UDP默认代理:使用UDP节点[$(config_n_get $UDP_NODE remarks)] [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${UDP_REDIR_PORT})代理" - + [ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${UDP_NO_REDIR_PORTS}外的" msg="${msg}所有端口" - - $ipt_m -A PSW $(comment "默认") -p udp -d $FAKE_IP $(REDIRECT $UDP_REDIR_PORT TPROXY) - $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $UDP_REDIR_PORT TPROXY) - $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $UDP_REDIR_PORT TPROXY) - $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $UDP_PROXY_MODE $UDP_REDIR_PORT TPROXY) - if [ "$PROXY_IPV6_UDP" == "1" ]; then - $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT $UDP_REDIR_PORT TPROXY) - $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT $UDP_REDIR_PORT TPROXY) - $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ip6t $UDP_PROXY_MODE $UDP_REDIR_PORT TPROXY) - fi + $ipt_m -A PSW $(comment "默认") -p udp -d $FAKE_IP -j PSW_RULE + $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE + $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE + $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $UDP_PROXY_MODE) -j PSW_RULE + $ipt_m -A PSW $(comment "默认") -p udp $(REDIRECT $UDP_REDIR_PORT TPROXY) + + [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { + 
$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE + $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE + $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $UDP_PROXY_MODE) -j PSW_RULE + $ip6t_m -A PSW $(comment "默认") -p udp $(REDIRECT $UDP_REDIR_PORT TPROXY) + } echolog "${msg}" udp_flag=1 @@ -686,14 +724,14 @@ filter_node() { $_ipt -n -L PSW_OUTPUT | grep -q "${address}:${port}" if [ $? -ne 0 ]; then unset dst_rule - local dst_rule=$(REDIRECT 1 MARK) + local dst_rule="-j PSW_RULE" msg2="按规则路由(${msg})" [ "$_ipt" == "$ipt_m" -o "$_ipt" == "$ip6t_m" ] || { dst_rule=$(REDIRECT $_port) msg2="套娃使用(${msg}:${port} -> ${_port})" } [ -n "$_proxy" ] && [ "$_proxy" == "1" ] && [ -n "$_port" ] || { - ADD_INDEX=$(RULE_LAST_INDEX "$_ipt" PSW_OUT_PUT "$IPSET_VPSIPLIST" $FORCE_INDEX) + ADD_INDEX=$(RULE_LAST_INDEX "$_ipt" PSW_OUTPUT "$IPSET_VPSIPLIST" $FORCE_INDEX) dst_rule=" -j RETURN" msg2="直连代理" } @@ -860,7 +898,6 @@ add_firewall_rule() { $ipt_n -A PSW $(dst $IPSET_LANIPLIST) -j RETURN $ipt_n -A PSW $(dst $IPSET_VPSIPLIST) -j RETURN $ipt_n -A PSW $(dst $IPSET_WHITELIST) -j RETURN - $ipt_n -A PSW -m mark --mark 0xff -j RETURN WAN_IP=$(get_wan_ip) [ ! -z "${WAN_IP}" ] && $ipt_n -A PSW $(comment "WAN_IP_RETURN") -d "${WAN_IP}" -j RETURN 
@@ -881,11 +918,17 @@ add_firewall_rule() { $ipt_m -A PSW_DIVERT -j MARK --set-mark 1 $ipt_m -A PSW_DIVERT -j ACCEPT + $ipt_m -N PSW_RULE + $ipt_m -A PSW_RULE -j CONNMARK --restore-mark + $ipt_m -A PSW_RULE -m mark --mark 0x1 -j RETURN + $ipt_m -A PSW_RULE -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j MARK --set-xmark 1 + $ipt_m -A PSW_RULE -p udp -m conntrack --ctstate NEW -j MARK --set-xmark 1 + $ipt_m -A PSW_RULE -j CONNMARK --save-mark + $ipt_m -N PSW $ipt_m -A PSW $(dst $IPSET_LANIPLIST) -j RETURN $ipt_m -A PSW $(dst $IPSET_VPSIPLIST) -j RETURN $ipt_m -A PSW $(dst $IPSET_WHITELIST) -j RETURN - $ipt_m -A PSW -m mark --mark 0xff -j RETURN $ipt_m -A PSW $(dst $IPSET_BLOCKLIST) -j DROP [ ! -z "${WAN_IP}" ] && $ipt_m -A PSW $(comment "WAN_IP_RETURN") -d "${WAN_IP}" -j RETURN @@ -900,7 +943,6 @@ add_firewall_rule() { $ipt_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN $ipt_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN $ipt_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST) -j DROP - $ipt_m -A OUTPUT -j PSW_OUTPUT ip rule add fwmark 1 lookup 100 ip route add local 0.0.0.0/0 dev lo table 100 @@ -910,7 +952,6 @@ add_firewall_rule() { $ip6t_n -A PSW $(dst $IPSET_LANIPLIST6) -j RETURN $ip6t_n -A PSW $(dst $IPSET_VPSIPLIST6) -j RETURN $ip6t_n -A PSW $(dst $IPSET_WHITELIST6) -j RETURN - $ip6t_n -A PSW -m mark --mark 0xff -j RETURN $ip6t_n -A PREROUTING -p ipv6-icmp -j PSW $ip6t_n -N PSW_OUTPUT 
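Review bot: The new `PSW_RULE` chain marks only a TCP SYN or a UDP `--ctstate NEW` packet and relies on `CONNMARK --restore-mark`/`--save-mark` to carry the mark to the rest of the flow, which means connections that were already established when the rules load (or a mid-stream TCP segment with no SYN) are never proxied; that is a reasonable design but it is not stated anywhere, so a comment above `$ipt_m -N PSW_RULE` such as `# mark the first packet of a flow only; CONNMARK propagates the mark to later packets, so pre-existing flows stay direct` would save the next reader the deduction. The `-m mark --mark 0x1 -j RETURN` short-circuit is an exact match, so a restored connmark of any other value (for example one set by another chain) falls through and a SYN is re-marked to 1 — confirm that is intended. The six-line chain is duplicated byte-for-byte for IPv6 in `@@ -924`; a helper taking the table command would keep the two in sync. `add_firewall_rule` starts and ends outside this hunk.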
@@ -924,11 +965,17 @@ add_firewall_rule() { $ip6t_m -A PSW_DIVERT -j MARK --set-mark 1 $ip6t_m -A PSW_DIVERT -j ACCEPT + $ip6t_m -N PSW_RULE + $ip6t_m -A PSW_RULE -j CONNMARK --restore-mark + $ip6t_m -A PSW_RULE -m mark --mark 0x1 -j RETURN + $ip6t_m -A PSW_RULE -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j MARK --set-xmark 1 + $ip6t_m -A PSW_RULE -p udp -m conntrack --ctstate NEW -j MARK --set-xmark 1 + $ip6t_m -A PSW_RULE -j CONNMARK --save-mark + $ip6t_m -N PSW $ip6t_m -A PSW $(dst $IPSET_LANIPLIST6) -j RETURN $ip6t_m -A PSW $(dst $IPSET_VPSIPLIST6) -j RETURN $ip6t_m -A PSW $(dst $IPSET_WHITELIST6) -j RETURN - $ip6t_m -A PSW -m mark --mark 0xff -j RETURN $ip6t_m -A PSW $(dst $IPSET_BLOCKLIST6) -j DROP WAN6_IP=$(get_wan6_ip) @@ -939,32 +986,19 @@ add_firewall_rule() { insert_rule_before "$ip6t_m" "PREROUTING" "PSW" "-p tcp -m socket -j PSW_DIVERT" $ip6t_m -N PSW_OUTPUT + $ip6t_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN $ip6t_m -A PSW_OUTPUT $(dst $IPSET_LANIPLIST6) -j RETURN $ip6t_m -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST6) -j RETURN $ip6t_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST6) -j RETURN - $ip6t_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN $ip6t_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST6) -j DROP - $ip6t_m -A OUTPUT -j PSW_OUTPUT ip -6 rule add fwmark 1 table 100 ip -6 route add local ::/0 dev lo table 100 # 加载路由器自身代理 TCP if [ "$TCP_NODE" != "nil" ]; then - local ipt_tmp=$ipt_n - local blist_r=$(REDIRECT $TCP_REDIR_PORT) - local p_r=$(get_redirect_ipt $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT) echolog "加载路由器自身 TCP 代理..." - if [ -n "${is_tproxy}" ]; then - echolog " - 启用 TPROXY 模式" - ipt_tmp=$ipt_m - blist_r=$(REDIRECT 1 MARK) - p_r=$(get_redirect_ipt $LOCALHOST_TCP_PROXY_MODE 1 MARK) - else - $ipt_n -A OUTPUT -p tcp -j PSW_OUTPUT - fi - [ "$accept_icmp" = "1" ] && { $ipt_n -A OUTPUT -p icmp -j PSW_OUTPUT $ipt_n -A PSW_OUTPUT -p icmp -d $FAKE_IP $(REDIRECT) 
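Review bot: In the `@@ -939` hunk the IPv6 `PSW_OUTPUT` chain now places `-m mark --mark 0xff -j RETURN` before the LAN/VPS/whitelist RETURNs, while the IPv4 `PSW_OUTPUT` (context in `@@ -900`) keeps it after them; the two orderings are functionally equivalent since every rule is a RETURN, but the chains should be laid out the same way so a reader comparing them does not look for a reason. The same hunk drops `$ip6t_m -A OUTPUT -j PSW_OUTPUT`, and `@@ -900` drops its IPv4 counterpart; the only OUTPUT hook re-added in this chunk is the nat-table `$ipt_n -A OUTPUT -p tcp -j PSW_OUTPUT` in `@@ -1012`, so the mangle-table hooks that the TPROXY branch needs must come after the point where this chunk is cut — worth confirming they are still installed.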
@@ -980,6 +1014,12 @@ add_firewall_rule() { $ip6t_n -A PSW_OUTPUT -p ipv6-icmp $(get_redirect_ip6t $TCP_PROXY_MODE) } + local ipt_tmp=$ipt_n + [ -n "${is_tproxy}" ] && { + echolog " - 启用 TPROXY 模式" + ipt_tmp=$ipt_m + } + _proxy_tcp_access() { [ -n "${2}" ] || return 0 ipset -q test $IPSET_LANIPLIST ${2} @@ -987,11 +1027,11 @@ add_firewall_rule() { echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问" return 0 } - if [ -n "${is_tproxy}" ]; then - $ipt_m -I PSW_OUTPUT -p tcp -d ${2} --dport ${3} $(REDIRECT 1 MARK) - $ipt_m -I PSW $(comment "本机") -p tcp -i lo -d ${2} --dport ${3} $(REDIRECT $TCP_REDIR_PORT TPROXY) - else + if [ "${ipt_tmp}" = "${ipt_n}" ]; then $ipt_n -I PSW_OUTPUT -p tcp -d ${2} --dport ${3} $(REDIRECT $TCP_REDIR_PORT) + else + $ipt_m -I PSW_OUTPUT -p tcp -d ${2} --dport ${3} -j PSW_RULE + $ipt_m -I PSW $(comment "本机") -p tcp -i lo -d ${2} --dport ${3} $(REDIRECT $TCP_REDIR_PORT TPROXY) fi echolog " - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 TCP 转发链" } @@ -999,9 +1039,7 @@ add_firewall_rule() { [ "$use_tcp_node_resolve_dns" == 1 ] && hosts_foreach DNS_FORWARD _proxy_tcp_access 53 [ "$TCP_NO_REDIR_PORTS" != "disable" ] && { $ipt_tmp -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN - $ipt_tmp -A PSW_OUTPUT -p tcp -m multiport --sport $TCP_NO_REDIR_PORTS -j RETURN $ip6t_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN - $ip6t_m -A PSW_OUTPUT -p tcp -m multiport --sport $TCP_NO_REDIR_PORTS -j RETURN echolog " - [$?]不代理TCP 端口:$TCP_NO_REDIR_PORTS" } [ "$TCP_PROXY_DROP_PORTS" != "disable" ] && { 
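Review bot: The removed `--sport $TCP_NO_REDIR_PORTS -j RETURN` lines leave no hint why source-port exclusion is no longer needed, and a reader of PSW_OUTPUT alone cannot tell that replies from a local service on an excluded port are now safe. As far as the diff shows, the reason is that PSW_RULE marks only SYN-only TCP segments and ctstate NEW UDP datagrams, so a SYN-ACK or established-flow reply never gets mark 1, and the nat REDIRECT path only ever sees a connection's first packet anyway. A comment above the remaining dport rule, `# --dport only: PSW_RULE marks SYN/NEW packets, so replies from local services on these ports are never redirected`, would record that reasoning; the same applies to the UDP section later in the file. The enclosing `[ "$TCP_NODE" != "nil" ]` block opens outside this hunk.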
@@ -1012,29 +1050,30 @@ add_firewall_rule() { echolog " - [$?],屏蔽代理TCP 端口:$TCP_PROXY_DROP_PORTS" } - $ipt_tmp -A PSW_OUTPUT -p tcp -d $FAKE_IP $blist_r - $ipt_tmp -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $blist_r - $ipt_tmp -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $blist_r - $ipt_tmp -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $p_r - - if [ -n "${is_tproxy}" ]; then - $ipt_m -A PSW $(comment "本机") -p tcp -i lo -d $FAKE_IP $(REDIRECT $TCP_REDIR_PORT TPROXY) - $ipt_m -A PSW $(comment "本机") -p tcp -i lo $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $TCP_REDIR_PORT TPROXY) - $ipt_m -A PSW $(comment "本机") -p tcp -i lo $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT TPROXY) - $ipt_m -A PSW $(comment "本机") -p tcp -i lo $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT TPROXY) + if [ "${ipt_tmp}" = "${ipt_n}" ]; then + $ipt_n -A PSW_OUTPUT -p tcp -d $FAKE_IP $(REDIRECT $TCP_REDIR_PORT) + $ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $TCP_REDIR_PORT) + $ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT) + $ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT) + $ipt_n -A OUTPUT -p tcp -j PSW_OUTPUT + else + $ipt_m -A PSW_OUTPUT -p tcp -d $FAKE_IP -j PSW_RULE + $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE + $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE + $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") 
$(get_ipset_ipt $LOCALHOST_TCP_PROXY_MODE) -j PSW_RULE + $ipt_m -A PSW $(comment "本机") -p tcp -i lo $(REDIRECT $TCP_REDIR_PORT TPROXY) $ipt_m -A PSW $(comment "本机") -p tcp -i lo -j RETURN + $ipt_m -A OUTPUT -p tcp -j PSW_OUTPUT fi - if [ "$PROXY_IPV6" == "1" ]; then - $ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT 1 MARK) - $ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT 1 MARK) - $ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ip6t $LOCALHOST_TCP_PROXY_MODE 1 MARK) - - $ip6t_m -A PSW $(comment "本机") -p tcp -i lo $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT $TCP_REDIR_PORT TPROXY) - $ip6t_m -A PSW $(comment "本机") -p tcp -i lo $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT $TCP_REDIR_PORT TPROXY) - $ip6t_m -A PSW $(comment "本机") -p tcp -i lo $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ip6t $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT TPROXY) + [ "$PROXY_IPV6" == "1" ] && { + $ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE + $ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE + $ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $LOCALHOST_TCP_PROXY_MODE) -j PSW_RULE + $ip6t_m -A PSW $(comment "本机") -p tcp -i lo $(REDIRECT $TCP_REDIR_PORT TPROXY) $ip6t_m -A PSW $(comment "本机") -p tcp -i lo -j RETURN - fi + $ip6t_m -A OUTPUT -p tcp -j PSW_OUTPUT + } fi # 过滤Socks节点 
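Review bot: The new TPROXY rule `$ipt_m -A PSW $(comment "本机") -p tcp -i lo $(REDIRECT $TCP_REDIR_PORT TPROXY)` carries no destination-port, ipset or mark qualifier, so every TCP packet arriving on lo that survives the LAN/VPS/whitelist returns at the top of PSW is handed to the proxy port, where the removed rules limited this to `$TCP_REDIR_PORTS` and the shunt/black/mode ipsets. The selection is presumably meant to happen in OUTPUT via PSW_RULE plus `ip rule add fwmark 1 lookup 100`, but packets that any other policy-routing setup sends over lo to a non-local destination would now be captured as well. Matching the mark on the PREROUTING side keeps the selection explicit and cheap: `$ipt_m -A PSW $(comment "本机") -p tcp -i lo -m mark --mark 1 $(REDIRECT $TCP_REDIR_PORT TPROXY)`, and the same for the ip6tables line in the IPv6 block. The enclosing `if [ "$TCP_NODE" != "nil" ]` opens outside this hunk.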
@@ -1094,40 +1133,33 @@ add_firewall_rule() { echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问" return 0 } - $ipt_m -I PSW_OUTPUT -p udp -d ${2} --dport ${3} $(REDIRECT 1 MARK) + $ipt_m -I PSW_OUTPUT -p udp -d ${2} --dport ${3} -j PSW_RULE $ipt_m -I PSW $(comment "本机") -p udp -i lo -d ${2} --dport ${3} $(REDIRECT $UDP_REDIR_PORT TPROXY) echolog " - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 UDP 转发链" } [ "$use_udp_node_resolve_dns" == 1 ] && hosts_foreach DNS_FORWARD _proxy_udp_access 53 [ "$UDP_NO_REDIR_PORTS" != "disable" ] && { $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN - $ipt_m -A PSW_OUTPUT -p udp -m multiport --sport $UDP_NO_REDIR_PORTS -j RETURN $ip6t_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN - $ip6t_m -A PSW_OUTPUT -p udp -m multiport --sport $UDP_NO_REDIR_PORTS -j RETURN echolog " - [$?]不代理 UDP 端口:$UDP_NO_REDIR_PORTS" } - - $ipt_m -A PSW_OUTPUT -p udp -d $FAKE_IP $(REDIRECT 1 MARK) - $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT 1 MARK) - $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT 1 MARK) - $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $LOCALHOST_UDP_PROXY_MODE 1 MARK) - $ipt_m -A PSW $(comment "本机") -p udp -i lo -d $FAKE_IP $(REDIRECT $UDP_REDIR_PORT TPROXY) - $ipt_m -A PSW $(comment "本机") -p udp -i lo $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $UDP_REDIR_PORT TPROXY) - $ipt_m -A PSW $(comment "本机") -p udp -i lo $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $UDP_REDIR_PORT TPROXY) - $ipt_m -A PSW $(comment "本机") -p udp -i lo $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $LOCALHOST_UDP_PROXY_MODE $UDP_REDIR_PORT TPROXY) + $ipt_m -A PSW_OUTPUT -p udp -d $FAKE_IP -j PSW_RULE + $ipt_m -A 
PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE + $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE + $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $LOCALHOST_UDP_PROXY_MODE) -j PSW_RULE + $ipt_m -A PSW $(comment "本机") -p udp -i lo $(REDIRECT $UDP_REDIR_PORT TPROXY) $ipt_m -A PSW $(comment "本机") -p udp -i lo -j RETURN + $ipt_m -A OUTPUT -p udp -j PSW_OUTPUT - if [ "$PROXY_IPV6_UDP" == "1" ]; then - $ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT 1 MARK) - $ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT 1 MARK) - $ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ip6t $LOCALHOST_UDP_PROXY_MODE 1 MARK) - - $ip6t_m -A PSW $(comment "本机") -p udp -i lo $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT $UDP_REDIR_PORT TPROXY) - $ip6t_m -A PSW $(comment "本机") -p udp -i lo $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT $UDP_REDIR_PORT TPROXY) - $ip6t_m -A PSW $(comment "本机") -p udp -i lo $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ip6t $LOCALHOST_UDP_PROXY_MODE $UDP_REDIR_PORT TPROXY) + [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { + $ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE + $ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE + $ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $LOCALHOST_UDP_PROXY_MODE) -j PSW_RULE + $ip6t_m -A PSW $(comment "本机") -p udp -i lo $(REDIRECT $UDP_REDIR_PORT TPROXY) $ip6t_m -A PSW $(comment "本机") -p udp -i lo -j 
RETURN - fi + $ip6t_m -A OUTPUT -p udp -j PSW_OUTPUT + } fi # 加载ACLS @@ -1150,7 +1182,7 @@ del_firewall_rule() { $ipt -D $chain $index 2>/dev/null done done - for chain in "PSW" "PSW_OUTPUT" "PSW_DIVERT" "PSW_REDIRECT"; do + for chain in "PSW" "PSW_OUTPUT" "PSW_DIVERT" "PSW_REDIRECT" "PSW_RULE"; do $ipt -F $chain 2>/dev/null $ipt -X $chain 2>/dev/null done
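Review bot: As in the TCP section, `$ipt_m -A PSW $(comment "本机") -p udp -i lo $(REDIRECT $UDP_REDIR_PORT TPROXY)` replaces the per-port and per-ipset UDP rules with a catch-all on lo, so any UDP datagram reaching PSW via lo with a non-excluded destination is TPROXY'd whether or not PSW_RULE marked its flow in OUTPUT. Adding `-m mark --mark 1` to that rule and to the matching ip6tables line would confine the redirect to flows actually selected by PSW_OUTPUT, which is what the old `$(factor $UDP_REDIR_PORTS ...)`/ipset qualifiers guaranteed. The _proxy_udp_access function and the if block this code sits in both start outside the hunk.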