OpenWrt
/
small-package
mirror of https://github.com/kenzok8/small-package
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

update 04-19 23:43:56

This commit is contained in:
github-actions[bot] 2022-04-19 23:43:56 +08:00
parent db1f1f9ffa
commit 030bd8423d
14 changed files with 406 additions and 136 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
luci-app-fullconenat/Makefile Executable file
View File

@ -0,0 +1,14 @@
#-- Copyright (C) 2018 dz <dingzhong110@gmail.com>
include $(TOPDIR)/rules.mk
LUCI_TITLE:=LuCI support for FullConeNat
LUCI_DEPENDS:=+iptables-mod-fullconenat
LUCI_PKGARCH:=all
PKG_VERSION:=1.3
PKG_RELEASE:=3
include $(TOPDIR)/feeds/luci/luci.mk
# call BuildPackage - OpenWrt buildroot signature

5
luci-app-fullconenat/README.md Normal file
View File

@ -0,0 +1,5 @@
# luci-app-fullconenat
本软件包是 [fullconenat]的 LuCI 控制界面
[fullconenat]: https://github.com/LGA1150/openwrt-fullconenat

12
luci-app-fullconenat/luasrc/controller/fullconenat.lua Executable file
View File

@ -0,0 +1,12 @@
module("luci.controller.fullconenat", package.seeall)
function index()
if not nixio.fs.access("/etc/config/fullconenat") then
return
end
local page
page = entry({"admin", "network", "fullconenat"}, cbi("fullconenat"), _("fullconenat"), 101)
page.i18n = "fullconenat"
page.dependent = true
page.acl_depends = { "luci-app-fullconenat" }
end

65
luci-app-fullconenat/luasrc/model/cbi/fullconenat.lua Executable file
View File

@ -0,0 +1,65 @@
#-- Copyright (C) 2018 dz <dingzhong110@gmail.com>
local fwm = require "luci.model.firewall".init()
local def = fwm:get_defaults()
local zn = fwm:get_zone("wan")
local m, s, o, fw3_buildin, has_module, status, des
local function testcmd (cmd)
return luci.sys.call(cmd) == 0
end
has_module = testcmd("modprobe -q xt_FULLCONENAT")
fw3_buildin = testcmd("strings `which fw3` | grep -q fullcone")
m = Map("fullconenat", translate("Full cone NAT"),
translate("FullConeNat."))
status="<strong><font color=\"red\">Not supported, Kernel module needed: xt_FULLCONENAT</font></strong>"
if has_module then
if testcmd("iptables -t nat -L -n --line-numbers | grep FULLCONENAT >/dev/null") then
status="<strong><font color=\"green\">Running</font></strong>"
else
status="<strong><font color=\"red\">Not Running</font></strong>"
end
end
m = Map("fullconenat", translate("FullConeNat"), "%s - %s" %{translate("FULLCONENAT"), translate(status)})
des = fw3_buildin and "Build-in mode, set the `fullcone` option to firewall configure either." or "Manual mode, write to the firewall custom rules settings only."
s = m:section(TypedSection, "fullconenat", translate("Settings"), translate(des))
s.anonymous = true
o = s:option(ListValue, "mode", translate("Register modes"), translate("<strong><font color=\"red\">Warning!!! There is security risk if enabled.</font></strong>"))
o.widget = "radio"
o.orientation = "horizontal"
o.default = "disable"
o.rmempty = false
o:value("disable", translate("Disable"))
o:value("ips", translate("IP Address Only"))
o:value("all", translate("ALL Enabled"))
o.cfgvalue = function (self, sec)
local ret = "disable"
if fw3_buildin and def:get("fullcone") == "1" then
ret = "all"
else
ret = self.map:get(sec, self.option)
end
return has_module and ret or "disable"
end
o.write = function (self, sec, val)
val = has_module and val or "disable"
if fw3_buildin then
def:set("fullcone", val == "all" and 1 or 0)
zn:set("fullcone", val == "all" and 1 or 0)
end
fwm.commit()
return self.map:set(sec, self.option, val)
end
o = s:option(Value, "fullconenat_ip", translate("FullConeNat IP"), translate("Enable FullConeNat for specified IP Address.") .. "<br />" .. (fw3_buildin and translate("Manual mode, write to the firewall custom rules settings only.") or ""))
o.placeholder="192.168.1.100,192.168.1.101,192.168.1.102"
o.rempty = true
o.optional = false
o:depends("mode", "ips")
return m

45
luci-app-fullconenat/po/zh-cn/fullconenat.po Executable file
View File

@ -0,0 +1,45 @@
msgid "fullconenat"
msgstr "全端口映射"
msgid "FULLCONENAT"
msgstr "Fullcone NAT"
msgid "<strong><font color=\"green\">Running</font></strong>"
msgstr "<strong><font color=\"green\">正在运行</font></strong>"
msgid "<strong><font color=\"red\">Not Running</font></strong>"
msgstr "<strong><font color=\"red\">未运行</font></strong>"
msgid "<strong><font color=\"red\">Not supported, Kernel module needed: xt_FULLCONENAT</font></strong>"
msgstr "<strong><font color=\"red\">不支持,缺少 xt_FULLCONENAT 内核组件</font></strong>"
msgid "Settings"
msgstr "设置"
msgid "Build-in mode, set the `fullcone` option to firewall configure either."
msgstr "防火墙内置模式,同时配置防火墙(firewall)中对应的选项。"
msgid "Manual mode, write to the firewall custom rules settings only."
msgstr "手动模式,仅将配置写入到防火墙(firewall)自定义规则中。"
msgid "Register modes"
msgstr "运行模式"
msgid "Disable"
msgstr "停用"
msgid "IP Address Only"
msgstr "限指定IP"
msgid "ALL Enabled"
msgstr "全网开启"
msgid "<strong><font color=\"red\">Warning!!! There is security risk if enabled.</font></strong>"
msgstr "<strong><font color=\"red\">警告!!!开启后存在安全风险。</font></strong>"
msgid "FullConeNat IP"
msgstr "映射IP"
msgid "Enable FullConeNat for specified IP Address."
msgstr "多IP映射用英文逗号分隔。"

1
luci-app-fullconenat/po/zh_Hans Symbolic link
View File

@ -0,0 +1 @@
zh-cn

3
luci-app-fullconenat/root/etc/config/fullconenat Executable file
View File

@ -0,0 +1,3 @@
config fullconenat 'config'
option mode 'disable'
option fullconenat_ip '192.168.1.100'

70
luci-app-fullconenat/root/etc/init.d/fullconenat Executable file
View File

@ -0,0 +1,70 @@
#!/bin/sh /etc/rc.common
#-- Copyright (C) 2018 dz <dingzhong110@gmail.com>
START=99
re=0
start(){
local fw3_buildin mode fullconenat_ip fullcone masq
strings `which fw3` | grep -q "fullcone"
fw3_buildin=$?
mode=$(uci get fullconenat.config.mode 2>/dev/null)
if modprobe -q "xt_FULLCONENAT"; then
[ $fw3_buildin -eq 0 ] && echo -n "fw3 build-in, change settings in /etc/config/firewall either. "
echo "$mode."
else
echo "not supported."
return 1
fi
fullcone=0
fullconenat_ip=$(uci get fullconenat.config.fullconenat_ip 2>/dev/null)
if [ "$mode" == "ips" ]; then
sed -i '/FULLCONENAT/d' /etc/firewall.user
echo "iptables -t nat -A zone_wan_prerouting -j FULLCONENAT" >> /etc/firewall.user
echo "iptables -t nat -A zone_wan_postrouting -s $fullconenat_ip -j FULLCONENAT" >> /etc/firewall.user
echo "iptables -t nat -A zone_wan_postrouting -j MASQUERADE" >> /etc/firewall.user
elif [ "$mode" == "all" ]; then
if [ $fw3_buildin -ne 0 ]; then
iptables -t nat -D zone_wan_postrouting -s $fullconenat_ip -j FULLCONENAT
iptables -t nat -D zone_wan_postrouting -j MASQUERADE
sed -i '/zone_wan_postrouting -j MASQUERADE/d' /etc/firewall.user
sed -i '/FULLCONENAT/d' /etc/firewall.user
echo "iptables -t nat -A zone_wan_prerouting -j FULLCONENAT" >> /etc/firewall.user
echo "iptables -t nat -A zone_wan_postrouting -j FULLCONENAT" >> /etc/firewall.user
else
fullcone=1
fi
fi
[ $fw3_buildin -eq 0 ] && {
uci set firewall.@defaults[0].fullcone=$fullcone
uci set firewall.@zone[1].fullcone=$fullcone
}
uci commit firewall
/etc/init.d/firewall restart
}
stop(){
fullconenat_ip=$(uci get fullconenat.config.fullconenat_ip 2>/dev/null)
mode=$(uci get fullconenat.config.mode 2>/dev/null)
echo "$mode, $fullconenat_ip"
iptables -t nat -D zone_wan_prerouting -j FULLCONENAT
iptables -t nat -D zone_wan_postrouting -s $fullconenat_ip -j FULLCONENAT
iptables -t nat -D zone_wan_postrouting -j MASQUERADE
iptables -t nat -D zone_wan_postrouting -j FULLCONENAT
sed -i '/zone_wan_postrouting -j MASQUERADE/d' /etc/firewall.user
sed -i '/FULLCONENAT/d' /etc/firewall.user
[ $re -eq 0 ] && {
uci set firewall.@defaults[0].fullcone=0
uci set firewall.@zone[1].fullcone=0
uci commit firewall
/etc/init.d/firewall restart
}
}
restart(){
re=1
stop
start
}

13
luci-app-fullconenat/root/etc/uci-defaults/fullconenat Executable file
View File

@ -0,0 +1,13 @@
#!/bin/sh
uci -q batch <<-EOF >/dev/null
delete ucitrack.@fullconenat[-1]
add ucitrack fullconenat
set ucitrack.@fullconenat[-1].init=fullconenat
commit ucitrack
EOF
/etc/init.d/fullconenat enable
rm -f /tmp/luci-indexcache
exit 0

11
luci-app-fullconenat/root/usr/share/rpcd/acl.d/luci-app-fullconenat.json Normal file
View File

@ -0,0 +1,11 @@
{
"luci-app-fullconenat": {
"description": "Grant UCI access for luci-app-fullconenat",
"read": {
"uci": [ "fullconenat" ]
},
"write": {
"uci": [ "fullconenat" ]
}
}
}

3
luci-app-passwall/Makefile
View File

@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=luci-app-passwall PKG_NAME:=luci-app-passwall
PKG_VERSION:=4.53 PKG_VERSION:=4.53
PKG_RELEASE:=4 PKG_RELEASE:=5
PKG_CONFIG_DEPENDS:= \ PKG_CONFIG_DEPENDS:= \
CONFIG_PACKAGE_$(PKG_NAME)_Transparent_Proxy \ CONFIG_PACKAGE_$(PKG_NAME)_Transparent_Proxy \
@ -69,6 +69,7 @@ config PACKAGE_$(PKG_NAME)_Transparent_Proxy
select PACKAGE_ipt2socks select PACKAGE_ipt2socks
select PACKAGE_iptables select PACKAGE_iptables
select PACKAGE_iptables-legacy select PACKAGE_iptables-legacy
select PACKAGE_iptables-mod-conntrack-extra
select PACKAGE_iptables-mod-iprange select PACKAGE_iptables-mod-iprange
select PACKAGE_iptables-mod-socket select PACKAGE_iptables-mod-socket
select PACKAGE_iptables-mod-tproxy select PACKAGE_iptables-mod-tproxy

3
luci-app-passwall/luasrc/model/cbi/passwall/client/rule_list.lua
View File

@ -6,8 +6,7 @@ local datatypes = api.datatypes
local path = string.format("/usr/share/%s/rules/", appname) local path = string.format("/usr/share/%s/rules/", appname)
local route_hosts_path = "/etc/" local route_hosts_path = "/etc/"
m = SimpleForm(appname) m = Map(appname)
m.uci = api.uci
-- [[ Rule List Settings ]]-- -- [[ Rule List Settings ]]--
s = m:section(TypedSection, "global_rules") s = m:section(TypedSection, "global_rules")

3
luci-app-passwall/root/usr/share/passwall/0_default_config
View File

@ -25,9 +25,8 @@ config global_delay
option start_delay '1' option start_delay '1'
config global_forwarding config global_forwarding
option process '0'
option tcp_no_redir_ports 'disable' option tcp_no_redir_ports 'disable'
option udp_no_redir_ports '53' option udp_no_redir_ports 'disable'
option tcp_proxy_drop_ports 'disable' option tcp_proxy_drop_ports 'disable'
option udp_proxy_drop_ports '80,443' option udp_proxy_drop_ports '80,443'
option tcp_redir_ports '22,25,53,143,465,587,853,993,995,80,443' option tcp_redir_ports '22,25,53,143,465,587,853,993,995,80,443'

294
luci-app-passwall/root/usr/share/passwall/iptables.sh
View File

@ -105,8 +105,11 @@ REDIRECT() {
local s="-j REDIRECT" local s="-j REDIRECT"
[ -n "$1" ] && { [ -n "$1" ] && {
local s="$s --to-ports $1" local s="$s --to-ports $1"
[ "$2" == "TPROXY" ] && s="-j TPROXY --tproxy-mark 0x1/0x1 --on-port $1"
[ "$2" == "MARK" ] && s="-j MARK --set-mark $1" [ "$2" == "MARK" ] && s="-j MARK --set-mark $1"
[ "$2" == "TPROXY" ] && {
local mark="-m mark --mark 1"
s="${mark} -j TPROXY --tproxy-mark 0x1/0x1 --on-port $1"
}
} }
echo $s echo $s
} }
@ -125,6 +128,20 @@ get_ipset_ipt() {
esac esac
} }
get_ipset_ip6t() {
case "$1" in
gfwlist)
echo "$(dst $IPSET_GFW6)"
;;
chnroute)
echo "$(dst $IPSET_CHN6 !)"
;;
returnhome)
echo "$(dst $IPSET_CHN6)"
;;
esac
}
get_redirect_ipt() { get_redirect_ipt() {
case "$1" in case "$1" in
disable) disable)
@ -446,6 +463,19 @@ load_acl() {
msg2="${msg2}(REDIRECT:${tcp_port})代理" msg2="${msg2}(REDIRECT:${tcp_port})代理"
fi fi
[ "$accept_icmp" = "1" ] && {
$ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT)
$ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_SHUNTLIST) $(REDIRECT)
$ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_BLACKLIST) $(REDIRECT)
$ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(get_redirect_ipt $tcp_proxy_mode)
}
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
$ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_SHUNTLIST6) $(REDIRECT) 2>/dev/null
$ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_BLACKLIST6) $(REDIRECT) 2>/dev/null
$ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(get_redirect_ip6t $tcp_proxy_mode) 2>/dev/null
}
[ "$tcp_no_redir_ports" != "disable" ] && { [ "$tcp_no_redir_ports" != "disable" ] && {
$ipt_tmp -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN $ipt_tmp -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN
$ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN 2>/dev/null $ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN 2>/dev/null
@ -461,28 +491,24 @@ load_acl() {
msg2="${msg2}[$?]屏蔽代理TCP 端口:${tcp_proxy_drop_ports}" msg2="${msg2}[$?]屏蔽代理TCP 端口:${tcp_proxy_drop_ports}"
} }
$ipt_tmp -A PSW $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP $(REDIRECT $tcp_port $is_tproxy) if [ "${ipt_tmp}" = "${ipt_n}" ]; then
$ipt_tmp -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $tcp_port $is_tproxy) $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP $(REDIRECT $tcp_port)
$ipt_tmp -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $tcp_port $is_tproxy) $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $tcp_port)
$ipt_tmp -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_redirect_ipt $tcp_proxy_mode $tcp_port $is_tproxy) $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $tcp_port)
$ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_redirect_ipt $tcp_proxy_mode $tcp_port)
[ "$accept_icmp" = "1" ] && { else
$ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT) $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP -j PSW_RULE
$ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_SHUNTLIST) $(REDIRECT) $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
$ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_BLACKLIST) $(REDIRECT) $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
$ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(get_redirect_ipt $tcp_proxy_mode) $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_ipset_ipt $tcp_proxy_mode) -j PSW_RULE
} $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY)
if [ "$PROXY_IPV6" == "1" ]; then
$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT $tcp_port TPROXY) 2>/dev/null
$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT $tcp_port TPROXY) 2>/dev/null
$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_redirect_ip6t $tcp_proxy_mode $tcp_port TPROXY) 2>/dev/null
[ "$accept_icmpv6" = "1" ] && {
$ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_SHUNTLIST6) $(REDIRECT) 2>/dev/null
$ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_BLACKLIST6) $(REDIRECT) 2>/dev/null
$ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(get_redirect_ip6t $tcp_proxy_mode) 2>/dev/null
}
fi fi
[ "$PROXY_IPV6" == "1" ] && {
$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE 2>/dev/null
$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE 2>/dev/null
$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_ipset_ip6t $tcp_proxy_mode) -j PSW_RULE 2>/dev/null
$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY) 2>/dev/null
}
else else
msg2="${msg}不代理TCP" msg2="${msg}不代理TCP"
fi fi
@ -510,17 +536,19 @@ load_acl() {
msg2="${msg2}[$?]除${udp_no_redir_ports}外的" msg2="${msg2}[$?]除${udp_no_redir_ports}外的"
} }
msg2="${msg2}所有端口" msg2="${msg2}所有端口"
$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP $(REDIRECT $udp_port TPROXY)
$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $udp_port TPROXY)
$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $udp_port TPROXY)
$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(get_redirect_ipt $udp_proxy_mode $udp_port TPROXY)
if [ "$PROXY_IPV6_UDP" == "1" ]; then $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW_RULE
$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT $udp_port TPROXY) 2>/dev/null $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT $udp_port TPROXY) 2>/dev/null $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(get_redirect_ip6t $udp_proxy_mode $udp_port TPROXY) 2>/dev/null $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(get_ipset_ipt $udp_proxy_mode) -j PSW_RULE
fi $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $udp_port TPROXY)
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE 2>/dev/null
$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE 2>/dev/null
$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(get_ipset_ip6t $udp_proxy_mode) -j PSW_RULE 2>/dev/null
$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $udp_port TPROXY) 2>/dev/null
}
else else
msg2="${msg}不代理UDP" msg2="${msg}不代理UDP"
fi fi
@ -545,19 +573,17 @@ load_acl() {
$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
[ "$TCP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ipt $TCP_PROXY_MODE) -j DROP [ "$TCP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ipt $TCP_PROXY_MODE) -j DROP
} }
local ipt_tmp=$ipt_n
if [ "$TCP_PROXY_MODE" != "disable" ]; then if [ "$TCP_PROXY_MODE" != "disable" ]; then
local ipt_tmp=$ipt_n
[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && { [ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
$ipt_tmp -A PSW $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN $ipt_tmp -A PSW $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
$ip6t_m -A PSW $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN $ip6t_m -A PSW $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
} }
ipt_tmp=$ipt_n
[ "$TCP_NODE" != "nil" ] && { [ "$TCP_NODE" != "nil" ] && {
msg="TCP默认代理使用TCP节点[$(config_n_get $TCP_NODE remarks)] [$(get_action_chain_name $TCP_PROXY_MODE)]" msg="TCP默认代理使用TCP节点[$(config_n_get $TCP_NODE remarks)] [$(get_action_chain_name $TCP_PROXY_MODE)]"
if [ -n "${is_tproxy}" ]; then if [ -n "${is_tproxy}" ]; then
ipt_tmp=$ipt_m
msg="${msg}(TPROXY:${TCP_REDIR_PORT})代理" msg="${msg}(TPROXY:${TCP_REDIR_PORT})代理"
else else
msg="${msg}(REDIRECT:${TCP_REDIR_PORT})代理" msg="${msg}(REDIRECT:${TCP_REDIR_PORT})代理"
@ -566,29 +592,39 @@ load_acl() {
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}${TCP_NO_REDIR_PORTS}外的" [ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}${TCP_NO_REDIR_PORTS}外的"
msg="${msg}所有端口" msg="${msg}所有端口"
$ipt_tmp -A PSW $(comment "默认") -p tcp -d $FAKE_IP $(REDIRECT $TCP_REDIR_PORT $is_tproxy)
$ipt_tmp -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $TCP_REDIR_PORT $is_tproxy)
$ipt_tmp -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT $is_tproxy)
$ipt_tmp -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $TCP_PROXY_MODE $TCP_REDIR_PORT $is_tproxy)
[ "$accept_icmp" = "1" ] && { [ "$accept_icmp" = "1" ] && {
$ipt_n -A PSW $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT) $ipt_n -A PSW $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT)
$ipt_n -A PSW $(comment "默认") -p icmp $(dst $IPSET_SHUNTLIST) $(REDIRECT) $ipt_n -A PSW $(comment "默认") -p icmp $(dst $IPSET_SHUNTLIST) $(REDIRECT)
$ipt_n -A PSW $(comment "默认") -p icmp $(dst $IPSET_BLACKLIST) $(REDIRECT) $ipt_n -A PSW $(comment "默认") -p icmp $(dst $IPSET_BLACKLIST) $(REDIRECT)
$ipt_n -A PSW $(comment "默认") -p icmp $(get_redirect_ipt $TCP_PROXY_MODE) $ipt_n -A PSW $(comment "默认") -p icmp $(get_redirect_ipt $TCP_PROXY_MODE)
} }
if [ "$PROXY_IPV6" == "1" ]; then [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT $TCP_REDIR_PORT TPROXY) $ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(dst $IPSET_SHUNTLIST6) $(REDIRECT)
$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT $TCP_REDIR_PORT TPROXY) $ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(dst $IPSET_BLACKLIST6) $(REDIRECT)
$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ip6t $TCP_PROXY_MODE $TCP_REDIR_PORT TPROXY) $ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(get_redirect_ip6t $TCP_PROXY_MODE)
[ "$accept_icmpv6" = "1" ] && { }
$ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(dst $IPSET_SHUNTLIST6) $(REDIRECT)
$ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(dst $IPSET_BLACKLIST6) $(REDIRECT) if [ "${ipt_tmp}" = "${ipt_n}" ]; then
$ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(get_redirect_ip6t $TCP_PROXY_MODE) $ipt_n -A PSW $(comment "默认") -p tcp -d $FAKE_IP $(REDIRECT $TCP_REDIR_PORT)
} $ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $TCP_REDIR_PORT)
$ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT)
$ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $TCP_PROXY_MODE $TCP_REDIR_PORT)
else
$ipt_m -A PSW $(comment "默认") -p tcp -d $FAKE_IP -j PSW_RULE
$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $TCP_PROXY_MODE) -j PSW_RULE
$ipt_m -A PSW $(comment "默认") -p tcp $(REDIRECT $TCP_REDIR_PORT TPROXY)
fi fi
[ "$PROXY_IPV6" == "1" ] && {
$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE
$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $TCP_PROXY_MODE) -j PSW_RULE
$ip6t_m -A PSW $(comment "默认") -p tcp $(REDIRECT $TCP_REDIR_PORT TPROXY)
}
echolog "${msg}" echolog "${msg}"
} }
fi fi
@ -612,20 +648,22 @@ load_acl() {
[ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ] && { [ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ] && {
[ "$TCP_UDP" = "1" ] && [ "$UDP_NODE" = "nil" ] && UDP_NODE=$TCP_NODE [ "$TCP_UDP" = "1" ] && [ "$UDP_NODE" = "nil" ] && UDP_NODE=$TCP_NODE
msg="UDP默认代理使用UDP节点[$(config_n_get $UDP_NODE remarks)] [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${UDP_REDIR_PORT})代理" msg="UDP默认代理使用UDP节点[$(config_n_get $UDP_NODE remarks)] [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${UDP_REDIR_PORT})代理"
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}${UDP_NO_REDIR_PORTS}外的" [ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}${UDP_NO_REDIR_PORTS}外的"
msg="${msg}所有端口" msg="${msg}所有端口"
$ipt_m -A PSW $(comment "默认") -p udp -d $FAKE_IP $(REDIRECT $UDP_REDIR_PORT TPROXY)
$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $UDP_REDIR_PORT TPROXY)
$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $UDP_REDIR_PORT TPROXY)
$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $UDP_PROXY_MODE $UDP_REDIR_PORT TPROXY)
if [ "$PROXY_IPV6_UDP" == "1" ]; then $ipt_m -A PSW $(comment "默认") -p udp -d $FAKE_IP -j PSW_RULE
$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT $UDP_REDIR_PORT TPROXY) $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT $UDP_REDIR_PORT TPROXY) $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ip6t $UDP_PROXY_MODE $UDP_REDIR_PORT TPROXY) $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $UDP_PROXY_MODE) -j PSW_RULE
fi $ipt_m -A PSW $(comment "默认") -p udp $(REDIRECT $UDP_REDIR_PORT TPROXY)
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE
$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $UDP_PROXY_MODE) -j PSW_RULE
$ip6t_m -A PSW $(comment "默认") -p udp $(REDIRECT $UDP_REDIR_PORT TPROXY)
}
echolog "${msg}" echolog "${msg}"
udp_flag=1 udp_flag=1
@ -686,14 +724,14 @@ filter_node() {
$_ipt -n -L PSW_OUTPUT | grep -q "${address}:${port}" $_ipt -n -L PSW_OUTPUT | grep -q "${address}:${port}"
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
unset dst_rule unset dst_rule
local dst_rule=$(REDIRECT 1 MARK) local dst_rule="-j PSW_RULE"
msg2="按规则路由(${msg})" msg2="按规则路由(${msg})"
[ "$_ipt" == "$ipt_m" -o "$_ipt" == "$ip6t_m" ] || { [ "$_ipt" == "$ipt_m" -o "$_ipt" == "$ip6t_m" ] || {
dst_rule=$(REDIRECT $_port) dst_rule=$(REDIRECT $_port)
msg2="套娃使用(${msg}:${port} -> ${_port})" msg2="套娃使用(${msg}:${port} -> ${_port})"
} }
[ -n "$_proxy" ] && [ "$_proxy" == "1" ] && [ -n "$_port" ] || { [ -n "$_proxy" ] && [ "$_proxy" == "1" ] && [ -n "$_port" ] || {
ADD_INDEX=$(RULE_LAST_INDEX "$_ipt" PSW_OUT_PUT "$IPSET_VPSIPLIST" $FORCE_INDEX) ADD_INDEX=$(RULE_LAST_INDEX "$_ipt" PSW_OUTPUT "$IPSET_VPSIPLIST" $FORCE_INDEX)
dst_rule=" -j RETURN" dst_rule=" -j RETURN"
msg2="直连代理" msg2="直连代理"
} }
@ -860,7 +898,6 @@ add_firewall_rule() {
$ipt_n -A PSW $(dst $IPSET_LANIPLIST) -j RETURN $ipt_n -A PSW $(dst $IPSET_LANIPLIST) -j RETURN
$ipt_n -A PSW $(dst $IPSET_VPSIPLIST) -j RETURN $ipt_n -A PSW $(dst $IPSET_VPSIPLIST) -j RETURN
$ipt_n -A PSW $(dst $IPSET_WHITELIST) -j RETURN $ipt_n -A PSW $(dst $IPSET_WHITELIST) -j RETURN
$ipt_n -A PSW -m mark --mark 0xff -j RETURN
WAN_IP=$(get_wan_ip) WAN_IP=$(get_wan_ip)
[ ! -z "${WAN_IP}" ] && $ipt_n -A PSW $(comment "WAN_IP_RETURN") -d "${WAN_IP}" -j RETURN [ ! -z "${WAN_IP}" ] && $ipt_n -A PSW $(comment "WAN_IP_RETURN") -d "${WAN_IP}" -j RETURN
@ -881,11 +918,17 @@ add_firewall_rule() {
$ipt_m -A PSW_DIVERT -j MARK --set-mark 1 $ipt_m -A PSW_DIVERT -j MARK --set-mark 1
$ipt_m -A PSW_DIVERT -j ACCEPT $ipt_m -A PSW_DIVERT -j ACCEPT
$ipt_m -N PSW_RULE
$ipt_m -A PSW_RULE -j CONNMARK --restore-mark
$ipt_m -A PSW_RULE -m mark --mark 0x1 -j RETURN
$ipt_m -A PSW_RULE -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j MARK --set-xmark 1
$ipt_m -A PSW_RULE -p udp -m conntrack --ctstate NEW -j MARK --set-xmark 1
$ipt_m -A PSW_RULE -j CONNMARK --save-mark
$ipt_m -N PSW $ipt_m -N PSW
$ipt_m -A PSW $(dst $IPSET_LANIPLIST) -j RETURN $ipt_m -A PSW $(dst $IPSET_LANIPLIST) -j RETURN
$ipt_m -A PSW $(dst $IPSET_VPSIPLIST) -j RETURN $ipt_m -A PSW $(dst $IPSET_VPSIPLIST) -j RETURN
$ipt_m -A PSW $(dst $IPSET_WHITELIST) -j RETURN $ipt_m -A PSW $(dst $IPSET_WHITELIST) -j RETURN
$ipt_m -A PSW -m mark --mark 0xff -j RETURN
$ipt_m -A PSW $(dst $IPSET_BLOCKLIST) -j DROP $ipt_m -A PSW $(dst $IPSET_BLOCKLIST) -j DROP
[ ! -z "${WAN_IP}" ] && $ipt_m -A PSW $(comment "WAN_IP_RETURN") -d "${WAN_IP}" -j RETURN [ ! -z "${WAN_IP}" ] && $ipt_m -A PSW $(comment "WAN_IP_RETURN") -d "${WAN_IP}" -j RETURN
@ -900,7 +943,6 @@ add_firewall_rule() {
$ipt_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN $ipt_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
$ipt_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN $ipt_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
$ipt_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST) -j DROP $ipt_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST) -j DROP
$ipt_m -A OUTPUT -j PSW_OUTPUT
ip rule add fwmark 1 lookup 100 ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100 ip route add local 0.0.0.0/0 dev lo table 100
@ -910,7 +952,6 @@ add_firewall_rule() {
$ip6t_n -A PSW $(dst $IPSET_LANIPLIST6) -j RETURN $ip6t_n -A PSW $(dst $IPSET_LANIPLIST6) -j RETURN
$ip6t_n -A PSW $(dst $IPSET_VPSIPLIST6) -j RETURN $ip6t_n -A PSW $(dst $IPSET_VPSIPLIST6) -j RETURN
$ip6t_n -A PSW $(dst $IPSET_WHITELIST6) -j RETURN $ip6t_n -A PSW $(dst $IPSET_WHITELIST6) -j RETURN
$ip6t_n -A PSW -m mark --mark 0xff -j RETURN
$ip6t_n -A PREROUTING -p ipv6-icmp -j PSW $ip6t_n -A PREROUTING -p ipv6-icmp -j PSW
$ip6t_n -N PSW_OUTPUT $ip6t_n -N PSW_OUTPUT
@ -924,11 +965,17 @@ add_firewall_rule() {
$ip6t_m -A PSW_DIVERT -j MARK --set-mark 1 $ip6t_m -A PSW_DIVERT -j MARK --set-mark 1
$ip6t_m -A PSW_DIVERT -j ACCEPT $ip6t_m -A PSW_DIVERT -j ACCEPT
$ip6t_m -N PSW_RULE
$ip6t_m -A PSW_RULE -j CONNMARK --restore-mark
$ip6t_m -A PSW_RULE -m mark --mark 0x1 -j RETURN
$ip6t_m -A PSW_RULE -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j MARK --set-xmark 1
$ip6t_m -A PSW_RULE -p udp -m conntrack --ctstate NEW -j MARK --set-xmark 1
$ip6t_m -A PSW_RULE -j CONNMARK --save-mark
$ip6t_m -N PSW $ip6t_m -N PSW
$ip6t_m -A PSW $(dst $IPSET_LANIPLIST6) -j RETURN $ip6t_m -A PSW $(dst $IPSET_LANIPLIST6) -j RETURN
$ip6t_m -A PSW $(dst $IPSET_VPSIPLIST6) -j RETURN $ip6t_m -A PSW $(dst $IPSET_VPSIPLIST6) -j RETURN
$ip6t_m -A PSW $(dst $IPSET_WHITELIST6) -j RETURN $ip6t_m -A PSW $(dst $IPSET_WHITELIST6) -j RETURN
$ip6t_m -A PSW -m mark --mark 0xff -j RETURN
$ip6t_m -A PSW $(dst $IPSET_BLOCKLIST6) -j DROP $ip6t_m -A PSW $(dst $IPSET_BLOCKLIST6) -j DROP
WAN6_IP=$(get_wan6_ip) WAN6_IP=$(get_wan6_ip)
@ -939,32 +986,19 @@ add_firewall_rule() {
insert_rule_before "$ip6t_m" "PREROUTING" "PSW" "-p tcp -m socket -j PSW_DIVERT" insert_rule_before "$ip6t_m" "PREROUTING" "PSW" "-p tcp -m socket -j PSW_DIVERT"
$ip6t_m -N PSW_OUTPUT $ip6t_m -N PSW_OUTPUT
$ip6t_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_LANIPLIST6) -j RETURN $ip6t_m -A PSW_OUTPUT $(dst $IPSET_LANIPLIST6) -j RETURN
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST6) -j RETURN $ip6t_m -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST6) -j RETURN
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST6) -j RETURN $ip6t_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST6) -j RETURN
$ip6t_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST6) -j DROP $ip6t_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST6) -j DROP
$ip6t_m -A OUTPUT -j PSW_OUTPUT
ip -6 rule add fwmark 1 table 100 ip -6 rule add fwmark 1 table 100
ip -6 route add local ::/0 dev lo table 100 ip -6 route add local ::/0 dev lo table 100
# 加载路由器自身代理 TCP # 加载路由器自身代理 TCP
if [ "$TCP_NODE" != "nil" ]; then if [ "$TCP_NODE" != "nil" ]; then
local ipt_tmp=$ipt_n
local blist_r=$(REDIRECT $TCP_REDIR_PORT)
local p_r=$(get_redirect_ipt $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT)
echolog "加载路由器自身 TCP 代理..." echolog "加载路由器自身 TCP 代理..."
if [ -n "${is_tproxy}" ]; then
echolog " - 启用 TPROXY 模式"
ipt_tmp=$ipt_m
blist_r=$(REDIRECT 1 MARK)
p_r=$(get_redirect_ipt $LOCALHOST_TCP_PROXY_MODE 1 MARK)
else
$ipt_n -A OUTPUT -p tcp -j PSW_OUTPUT
fi
[ "$accept_icmp" = "1" ] && { [ "$accept_icmp" = "1" ] && {
$ipt_n -A OUTPUT -p icmp -j PSW_OUTPUT $ipt_n -A OUTPUT -p icmp -j PSW_OUTPUT
$ipt_n -A PSW_OUTPUT -p icmp -d $FAKE_IP $(REDIRECT) $ipt_n -A PSW_OUTPUT -p icmp -d $FAKE_IP $(REDIRECT)
@ -980,6 +1014,12 @@ add_firewall_rule() {
$ip6t_n -A PSW_OUTPUT -p ipv6-icmp $(get_redirect_ip6t $TCP_PROXY_MODE) $ip6t_n -A PSW_OUTPUT -p ipv6-icmp $(get_redirect_ip6t $TCP_PROXY_MODE)
} }
local ipt_tmp=$ipt_n
[ -n "${is_tproxy}" ] && {
echolog " - 启用 TPROXY 模式"
ipt_tmp=$ipt_m
}
_proxy_tcp_access() { _proxy_tcp_access() {
[ -n "${2}" ] || return 0 [ -n "${2}" ] || return 0
ipset -q test $IPSET_LANIPLIST ${2} ipset -q test $IPSET_LANIPLIST ${2}
@ -987,11 +1027,11 @@ add_firewall_rule() {
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问" echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问"
return 0 return 0
} }
if [ -n "${is_tproxy}" ]; then if [ "${ipt_tmp}" = "${ipt_n}" ]; then
$ipt_m -I PSW_OUTPUT -p tcp -d ${2} --dport ${3} $(REDIRECT 1 MARK)
$ipt_m -I PSW $(comment "本机") -p tcp -i lo -d ${2} --dport ${3} $(REDIRECT $TCP_REDIR_PORT TPROXY)
else
$ipt_n -I PSW_OUTPUT -p tcp -d ${2} --dport ${3} $(REDIRECT $TCP_REDIR_PORT) $ipt_n -I PSW_OUTPUT -p tcp -d ${2} --dport ${3} $(REDIRECT $TCP_REDIR_PORT)
else
$ipt_m -I PSW_OUTPUT -p tcp -d ${2} --dport ${3} -j PSW_RULE
$ipt_m -I PSW $(comment "本机") -p tcp -i lo -d ${2} --dport ${3} $(REDIRECT $TCP_REDIR_PORT TPROXY)
fi fi
echolog " - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 TCP 转发链" echolog " - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 TCP 转发链"
} }
@ -999,9 +1039,7 @@ add_firewall_rule() {
[ "$use_tcp_node_resolve_dns" == 1 ] && hosts_foreach DNS_FORWARD _proxy_tcp_access 53 [ "$use_tcp_node_resolve_dns" == 1 ] && hosts_foreach DNS_FORWARD _proxy_tcp_access 53
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && { [ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
$ipt_tmp -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN $ipt_tmp -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
$ipt_tmp -A PSW_OUTPUT -p tcp -m multiport --sport $TCP_NO_REDIR_PORTS -j RETURN
$ip6t_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN $ip6t_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
$ip6t_m -A PSW_OUTPUT -p tcp -m multiport --sport $TCP_NO_REDIR_PORTS -j RETURN
echolog " - [$?]不代理TCP 端口:$TCP_NO_REDIR_PORTS" echolog " - [$?]不代理TCP 端口:$TCP_NO_REDIR_PORTS"
} }
[ "$TCP_PROXY_DROP_PORTS" != "disable" ] && { [ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {
@ -1012,29 +1050,30 @@ add_firewall_rule() {
echolog " - [$?]屏蔽代理TCP 端口:$TCP_PROXY_DROP_PORTS" echolog " - [$?]屏蔽代理TCP 端口:$TCP_PROXY_DROP_PORTS"
} }
$ipt_tmp -A PSW_OUTPUT -p tcp -d $FAKE_IP $blist_r if [ "${ipt_tmp}" = "${ipt_n}" ]; then
$ipt_tmp -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $blist_r $ipt_n -A PSW_OUTPUT -p tcp -d $FAKE_IP $(REDIRECT $TCP_REDIR_PORT)
$ipt_tmp -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $blist_r $ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $TCP_REDIR_PORT)
$ipt_tmp -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $p_r $ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT)
$ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT)
if [ -n "${is_tproxy}" ]; then $ipt_n -A OUTPUT -p tcp -j PSW_OUTPUT
$ipt_m -A PSW $(comment "本机") -p tcp -i lo -d $FAKE_IP $(REDIRECT $TCP_REDIR_PORT TPROXY) else
$ipt_m -A PSW $(comment "本机") -p tcp -i lo $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $TCP_REDIR_PORT TPROXY) $ipt_m -A PSW_OUTPUT -p tcp -d $FAKE_IP -j PSW_RULE
$ipt_m -A PSW $(comment "本机") -p tcp -i lo $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT TPROXY) $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
$ipt_m -A PSW $(comment "本机") -p tcp -i lo $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT TPROXY) $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
$ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $LOCALHOST_TCP_PROXY_MODE) -j PSW_RULE
$ipt_m -A PSW $(comment "本机") -p tcp -i lo $(REDIRECT $TCP_REDIR_PORT TPROXY)
$ipt_m -A PSW $(comment "本机") -p tcp -i lo -j RETURN $ipt_m -A PSW $(comment "本机") -p tcp -i lo -j RETURN
$ipt_m -A OUTPUT -p tcp -j PSW_OUTPUT
fi fi
if [ "$PROXY_IPV6" == "1" ]; then [ "$PROXY_IPV6" == "1" ] && {
$ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT 1 MARK) $ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE
$ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT 1 MARK) $ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
$ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ip6t $LOCALHOST_TCP_PROXY_MODE 1 MARK) $ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $LOCALHOST_TCP_PROXY_MODE) -j PSW_RULE
$ip6t_m -A PSW $(comment "本机") -p tcp -i lo $(REDIRECT $TCP_REDIR_PORT TPROXY)
$ip6t_m -A PSW $(comment "本机") -p tcp -i lo $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT $TCP_REDIR_PORT TPROXY)
$ip6t_m -A PSW $(comment "本机") -p tcp -i lo $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT $TCP_REDIR_PORT TPROXY)
$ip6t_m -A PSW $(comment "本机") -p tcp -i lo $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ip6t $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT TPROXY)
$ip6t_m -A PSW $(comment "本机") -p tcp -i lo -j RETURN $ip6t_m -A PSW $(comment "本机") -p tcp -i lo -j RETURN
fi $ip6t_m -A OUTPUT -p tcp -j PSW_OUTPUT
}
fi fi
# 过滤Socks节点 # 过滤Socks节点
@ -1094,40 +1133,33 @@ add_firewall_rule() {
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问" echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问"
return 0 return 0
} }
$ipt_m -I PSW_OUTPUT -p udp -d ${2} --dport ${3} $(REDIRECT 1 MARK) $ipt_m -I PSW_OUTPUT -p udp -d ${2} --dport ${3} -j PSW_RULE
$ipt_m -I PSW $(comment "本机") -p udp -i lo -d ${2} --dport ${3} $(REDIRECT $UDP_REDIR_PORT TPROXY) $ipt_m -I PSW $(comment "本机") -p udp -i lo -d ${2} --dport ${3} $(REDIRECT $UDP_REDIR_PORT TPROXY)
echolog " - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 UDP 转发链" echolog " - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 UDP 转发链"
} }
[ "$use_udp_node_resolve_dns" == 1 ] && hosts_foreach DNS_FORWARD _proxy_udp_access 53 [ "$use_udp_node_resolve_dns" == 1 ] && hosts_foreach DNS_FORWARD _proxy_udp_access 53
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && { [ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
$ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
$ipt_m -A PSW_OUTPUT -p udp -m multiport --sport $UDP_NO_REDIR_PORTS -j RETURN
$ip6t_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN $ip6t_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
$ip6t_m -A PSW_OUTPUT -p udp -m multiport --sport $UDP_NO_REDIR_PORTS -j RETURN
echolog " - [$?]不代理 UDP 端口:$UDP_NO_REDIR_PORTS" echolog " - [$?]不代理 UDP 端口:$UDP_NO_REDIR_PORTS"
} }
$ipt_m -A PSW_OUTPUT -p udp -d $FAKE_IP $(REDIRECT 1 MARK)
$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT 1 MARK)
$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT 1 MARK)
$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $LOCALHOST_UDP_PROXY_MODE 1 MARK)
$ipt_m -A PSW $(comment "本机") -p udp -i lo -d $FAKE_IP $(REDIRECT $UDP_REDIR_PORT TPROXY) $ipt_m -A PSW_OUTPUT -p udp -d $FAKE_IP -j PSW_RULE
$ipt_m -A PSW $(comment "本机") -p udp -i lo $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $UDP_REDIR_PORT TPROXY) $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
$ipt_m -A PSW $(comment "本机") -p udp -i lo $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $UDP_REDIR_PORT TPROXY) $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
$ipt_m -A PSW $(comment "本机") -p udp -i lo $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $LOCALHOST_UDP_PROXY_MODE $UDP_REDIR_PORT TPROXY) $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $LOCALHOST_UDP_PROXY_MODE) -j PSW_RULE
$ipt_m -A PSW $(comment "本机") -p udp -i lo $(REDIRECT $UDP_REDIR_PORT TPROXY)
$ipt_m -A PSW $(comment "本机") -p udp -i lo -j RETURN $ipt_m -A PSW $(comment "本机") -p udp -i lo -j RETURN
$ipt_m -A OUTPUT -p udp -j PSW_OUTPUT
if [ "$PROXY_IPV6_UDP" == "1" ]; then [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
$ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT 1 MARK) $ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE
$ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT 1 MARK) $ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
$ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ip6t $LOCALHOST_UDP_PROXY_MODE 1 MARK) $ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $LOCALHOST_UDP_PROXY_MODE) -j PSW_RULE
$ip6t_m -A PSW $(comment "本机") -p udp -i lo $(REDIRECT $UDP_REDIR_PORT TPROXY)
$ip6t_m -A PSW $(comment "本机") -p udp -i lo $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT $UDP_REDIR_PORT TPROXY)
$ip6t_m -A PSW $(comment "本机") -p udp -i lo $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT $UDP_REDIR_PORT TPROXY)
$ip6t_m -A PSW $(comment "本机") -p udp -i lo $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ip6t $LOCALHOST_UDP_PROXY_MODE $UDP_REDIR_PORT TPROXY)
$ip6t_m -A PSW $(comment "本机") -p udp -i lo -j RETURN $ip6t_m -A PSW $(comment "本机") -p udp -i lo -j RETURN
fi $ip6t_m -A OUTPUT -p udp -j PSW_OUTPUT
}
fi fi
# 加载ACLS # 加载ACLS
@ -1150,7 +1182,7 @@ del_firewall_rule() {
$ipt -D $chain $index 2>/dev/null $ipt -D $chain $index 2>/dev/null
done done
done done
for chain in "PSW" "PSW_OUTPUT" "PSW_DIVERT" "PSW_REDIRECT"; do for chain in "PSW" "PSW_OUTPUT" "PSW_DIVERT" "PSW_REDIRECT" "PSW_RULE"; do
$ipt -F $chain 2>/dev/null $ipt -F $chain 2>/dev/null
$ipt -X $chain 2>/dev/null $ipt -X $chain 2>/dev/null
done done