#!/usr/bin/lua
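local ucursor = require "luci.model.uci"

-- Generates a firewall include for the xray_fw3 transparent proxy and writes
-- it to stdout. The "stop" half is always emitted; the "start" half only when
-- the proxy is enabled in UCI and the script is invoked as `... enable`.
--
-- Fixed values used as literals in the text below (keep them in sync):
--   251 / 0xfb : tproxy mark and the routing table that delivers such packets
--                to lo (TPROXY --tproxy-mark, ip rule/route ... 251)
--   252 / 0xfc : mark set on router-originated traffic (TP_SPEC_WAN_RE) so it
--                is re-injected via lo/table 252 and caught by the PREROUTING
--                rule that matches --mark 0xfc
-- All of this text is executed as shell (with an iptables-restore heredoc),
-- so every value taken from UCI is validated before it is interpolated.

--- Shell text that tears the transparent proxy down: drops the two policy
-- rules / local routes and every saved iptables line mentioning TP_SPEC.
local flush = [[# firewall include file to stop transparent proxy
ip rule del fwmark 251 lookup 251
ip rule del fwmark 252 lookup 252
ip route del local default dev lo table 251
ip route del local default dev lo table 252
iptables-save -c | grep -v "TP_SPEC" | iptables-restore -c]]

--- Shell text that sets up the policy routing and opens the iptables-restore
-- heredoc with the nat table (empty) and the mangle chain declarations.
-- The heredoc is closed by the trailing EOF in `rules`.
local header = [[# firewall include file to start transparent proxy
ip rule add fwmark 251 lookup 251
ip rule add fwmark 252 lookup 252
ip route add local default dev lo table 251
ip route add local default dev lo table 252
iptables-restore -n <<-EOF
*nat
COMMIT
*mangle
:TP_SPEC_LAN_AC - [0:0]
:TP_SPEC_LAN_DG - [0:0]
:TP_SPEC_LAN_RE - [0:0]
:TP_SPEC_WAN_AC - [0:0]
:TP_SPEC_WAN_DG - [0:0]
:TP_SPEC_WAN_RE - [0:0]
:TP_SPEC_WAN_FW - [0:0]
-I PREROUTING 1 -m mark --mark 0xfc -j TP_SPEC_WAN_AC]]

--- One PREROUTING entry per LAN interface; %s is the interface name.
local lan = "-I PREROUTING 1 -i %s -j TP_SPEC_LAN_DG"

--- Mangle rules. Placeholders, in order: the proxy's own mark (%x, packets
-- carrying it are returned early in TP_SPEC_WAN_DG — presumably the mark xray
-- sets on its outbound sockets, so its traffic is not looped back), the TCP
-- tproxy port (%d) and the UDP tproxy port (%d).
local rules = [[-A OUTPUT -j TP_SPEC_WAN_DG
-A TP_SPEC_LAN_AC -m set --match-set tp_spec_src_bp src -j RETURN
-A TP_SPEC_LAN_AC -m set --match-set tp_spec_src_fw src -j TP_SPEC_WAN_FW
-A TP_SPEC_LAN_AC -m set --match-set tp_spec_src_ac src -j TP_SPEC_WAN_AC
-A TP_SPEC_LAN_AC -j TP_SPEC_WAN_AC
-A TP_SPEC_LAN_DG -m set --match-set tp_spec_dst_fw dst -j TP_SPEC_LAN_RE
-A TP_SPEC_LAN_DG -m set --match-set tp_spec_dst_sp dst -j RETURN
-A TP_SPEC_LAN_DG -m set --match-set tp_spec_dst_bp dst -j RETURN
-A TP_SPEC_LAN_DG -m set --match-set tp_spec_def_gw dst -j RETURN
-A TP_SPEC_LAN_DG -j TP_SPEC_LAN_RE
-A TP_SPEC_LAN_RE -p tcp -j TP_SPEC_LAN_AC
-A TP_SPEC_LAN_RE -p udp -j TP_SPEC_LAN_AC
-A TP_SPEC_WAN_AC -m set --match-set tp_spec_dst_fw dst -j TP_SPEC_WAN_FW
-A TP_SPEC_WAN_AC -m set --match-set tp_spec_dst_bp dst -j RETURN
-A TP_SPEC_WAN_AC -j TP_SPEC_WAN_FW
-A TP_SPEC_WAN_DG -m mark --mark 0x%x -j RETURN
-A TP_SPEC_WAN_DG -m set --match-set tp_spec_dst_fw dst -j TP_SPEC_WAN_RE
-A TP_SPEC_WAN_DG -m set --match-set tp_spec_dst_sp dst -j RETURN
-A TP_SPEC_WAN_DG -m set --match-set tp_spec_dst_bp dst -j RETURN
-A TP_SPEC_WAN_DG -m set --match-set tp_spec_def_gw dst -j RETURN
-A TP_SPEC_WAN_DG -j TP_SPEC_WAN_RE
-A TP_SPEC_WAN_RE -p tcp -j MARK --set-xmark 0xfc/0xffffffff
-A TP_SPEC_WAN_RE -p udp -j MARK --set-xmark 0xfc/0xffffffff
-A TP_SPEC_WAN_FW -p tcp -j TPROXY --on-port %d --on-ip 0.0.0.0 --tproxy-mark 0xfb/0xffffffff
-A TP_SPEC_WAN_FW -p udp -j TPROXY --on-port %d --on-ip 0.0.0.0 --tproxy-mark 0xfb/0xffffffff
COMMIT
*filter
COMMIT
EOF]]

--- Parse a UCI value as a non-negative integer no larger than `max`.
-- @param value string or number from UCI (decimal or 0x-prefixed hex)
-- @param max   inclusive upper bound
-- @return the integer, or nil when missing, non-numeric or out of range
local function to_uint(value, max)
  local n = tonumber(value)
  if n == nil or n ~= math.floor(n) or n < 0 or n > max then
    return nil
  end
  return n
end

--- Parse a UCI value as a TCP/UDP port (1..65535); nil when invalid.
local function to_port(value)
  local n = to_uint(value, 65535)
  if n == nil or n == 0 then
    return nil
  end
  return n
end

--- Accept only plain interface names. The generated line sits inside a shell
-- heredoc read by iptables-restore one rule per line, so whitespace, newlines
-- or shell metacharacters in the value must never reach the output.
-- NOTE(review): the character set covers br-lan / eth0.1 / wlan0-style names;
-- widen it if the deployment uses other kernel interface names.
local function is_iface_name(name)
  return type(name) == "string" and name:match("^[%w%._%-]+$") ~= nil
end

--- Collect LAN interface names from the UCI option.
-- UCI may deliver the option as a single string or, when declared as a
-- `list`, as a table of strings — TODO confirm against the LuCI model; both
-- shapes are accepted, and whitespace-separated names inside a string are
-- split so one PREROUTING rule is emitted per interface.
-- @return list of names, or nil plus a reason when any name is invalid
local function collect_ifaces(raw)
  local values = raw
  if type(raw) ~= "table" then
    values = { raw }
  end
  local names = {}
  for _, value in ipairs(values) do
    for name in tostring(value):gmatch("%S+") do
      if not is_iface_name(name) then
        -- Deliberately do not echo the offending value: the output is shell.
        return nil, "general.lan_ifaces contains an invalid interface name"
      end
      names[#names + 1] = name
    end
  end
  if #names == 0 then
    return nil, "general.lan_ifaces must name at least one interface"
  end
  return names
end

local proxy_section = ucursor:get_first("xray_fw3", "general")
-- `or {}` keeps a missing section on the fail-closed path below instead of
-- raising on a nil index.
local proxy = ucursor:get_all("xray_fw3", proxy_section) or {}

-- The stop half is printed unconditionally, so "disabled" equals "cleaned up".
print(flush)

if proxy.transparent_proxy_enable ~= "1" then
  return
end

if arg[1] ~= "enable" then
  -- tostring() keeps the diagnostic from raising when no argument was given.
  print("# arg[1] == " .. tostring(arg[1]) .. ", not enable")
  return
end

-- Validate every interpolated value before any of the start half is emitted;
-- a bad setting leaves only the flush rules in the include (fail closed).
local mark = to_uint(proxy.mark, 0xffffffff)
local tcp_port = to_port(proxy.tproxy_port_tcp)
local udp_port = to_port(proxy.tproxy_port_udp)
local ifaces, iface_problem = collect_ifaces(proxy.lan_ifaces)

local problem
if mark == nil then
  problem = "general.mark must be a firewall mark in 0..0xffffffff"
elseif tcp_port == nil then
  problem = "general.tproxy_port_tcp must be a port number"
elseif udp_port == nil then
  problem = "general.tproxy_port_udp must be a port number"
elseif ifaces == nil then
  problem = iface_problem
end

if problem ~= nil then
  print("# " .. problem .. "; transparent proxy not started")
  return
end

print(header)
for _, name in ipairs(ifaces) do
  print(string.format(lan, name))
end
print(string.format(rules, mark, tcp_port, udp_port))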