mirror of
https://github.com/juewuy/ShellCrash.git
synced 2024-11-16 11:42:18 +08:00
重写iptables防火墙
优化nftables防火墙结构
This commit is contained in:
parent
1cc516012c
commit
1285221f66
|
@ -2414,32 +2414,38 @@ testcommand(){
|
||||||
if [ "$firewall_mod" = "nftables" ];then
|
if [ "$firewall_mod" = "nftables" ];then
|
||||||
nft list table inet shellcrash
|
nft list table inet shellcrash
|
||||||
else
|
else
|
||||||
echo -------------------Redir---------------------
|
echo ----------------Redir+DNS---------------------
|
||||||
iptables -t nat -L PREROUTING --line-numbers
|
iptables -t nat -L PREROUTING --line-numbers
|
||||||
iptables -t nat -L shellcrash_dns --line-numbers
|
iptables -t nat -L shellcrash_dns --line-numbers
|
||||||
iptables -t nat -L shellcrash --line-numbers
|
[ "$redir_mod" = "Redir模式" ] && iptables -t nat -L shellcrash --line-numbers
|
||||||
[ -n "$(echo $redir_mod | grep -E 'Tproxy模式|混合模式|Tun模式')" ] && {
|
[ -n "$(echo $redir_mod | grep -E 'Tproxy模式|混合模式|Tun模式')" ] && {
|
||||||
echo ----------------Tun/Tproxy-------------------
|
echo ----------------Tun/Tproxy-------------------
|
||||||
iptables -t mangle -L PREROUTING --line-numbers
|
iptables -t mangle -L PREROUTING --line-numbers
|
||||||
iptables -t mangle -L shellcrash --line-numbers
|
iptables -t mangle -L shellcrash_mark --line-numbers
|
||||||
}
|
}
|
||||||
[ "$local_proxy" = "已开启" ] && [ "$local_type" = "iptables增强模式" ] && {
|
[ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && {
|
||||||
echo ----------------OUTPUT-------------------
|
echo -------------OUTPUT-Redir+DNS----------------
|
||||||
iptables -t nat -L OUTPUT --line-numbers
|
iptables -t nat -L OUTPUT --line-numbers
|
||||||
iptables -t nat -L shellcrash_dns_out --line-numbers
|
iptables -t nat -L shellcrash_dns_out --line-numbers
|
||||||
iptables -t nat -L shellcrash_out --line-numbers
|
if [ "$redir_mod" = "Redir模式" ];then
|
||||||
|
iptables -t nat -L shellcrash_out --line-numbers
|
||||||
|
else
|
||||||
|
echo ------------OUTPUT-Tun/Tproxy---------------
|
||||||
|
iptables -t mangle -L OUTPUT --line-numbers
|
||||||
|
iptables -t mangle -L shellcrash_mark_out --line-numbers
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
[ "$ipv6_redir" = "已开启" ] && {
|
[ "$ipv6_redir" = "已开启" ] && {
|
||||||
[ -n "$(lsmod | grep 'ip6table_nat')" ] && {
|
ip6tables -t nat -L >/dev/null 2>&1 && {
|
||||||
echo -------------------Redir---------------------
|
echo -------------IPV6-Redir+DNS-------------------
|
||||||
ip6tables -t nat -L PREROUTING --line-numbers
|
ip6tables -t nat -L PREROUTING --line-numbers
|
||||||
ip6tables -t nat -L shellcrashv6_dns --line-numbers
|
ip6tables -t nat -L shellcrashv6_dns --line-numbers
|
||||||
ip6tables -t nat -L shellcrashv6 --line-numbers
|
[ "$redir_mod" = "Redir模式" ] && ip6tables -t nat -L shellcrashv6 --line-numbers
|
||||||
}
|
}
|
||||||
[ -n "$(echo $redir_mod | grep -E 'Tproxy模式|混合模式|Tun模式')" ] && {
|
[ -n "$(echo $redir_mod | grep -E 'Tproxy模式|混合模式|Tun模式')" ] && {
|
||||||
echo ----------------Tun/Tproxy-------------------
|
echo -------------IPV6-Tun/Tproxy------------------
|
||||||
ip6tables -t mangle -L PREROUTING --line-numbers
|
ip6tables -t mangle -L PREROUTING --line-numbers
|
||||||
ip6tables -t mangle -L shellcrashv6 --line-numbers
|
ip6tables -t mangle -L shellcrashv6_mark --line-numbers
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -688,7 +688,7 @@ setipv6(){ #ipv6设置
|
||||||
setconfig ipv6_redir $ipv6_redir
|
setconfig ipv6_redir $ipv6_redir
|
||||||
setconfig ipv6_support $ipv6_support
|
setconfig ipv6_support $ipv6_support
|
||||||
fi
|
fi
|
||||||
if [ -n "$(ipset -v 2>/dev/null)" -o -n "$(echo $redir_mod | grep Nft)" ];then
|
if [ -n "$(ipset -v 2>/dev/null)" -o "$firewall_mod" = 'nftables' ];then
|
||||||
[ "$cn_ipv6_route" = "未开启" ] && cn_ipv6_route=已开启 || cn_ipv6_route=未开启
|
[ "$cn_ipv6_route" = "未开启" ] && cn_ipv6_route=已开启 || cn_ipv6_route=未开启
|
||||||
setconfig cn_ipv6_route $cn_ipv6_route
|
setconfig cn_ipv6_route $cn_ipv6_route
|
||||||
else
|
else
|
||||||
|
@ -1168,7 +1168,7 @@ set_redir_mod(){
|
||||||
if [ -f /etc/init.d/qca-nss-ecm -a "$systype" = "mi_snapshot" ] ;then
|
if [ -f /etc/init.d/qca-nss-ecm -a "$systype" = "mi_snapshot" ] ;then
|
||||||
read -p "xiaomi设备的QOS服务与本模式冲突,是否禁用相关功能?(1/0) > " res
|
read -p "xiaomi设备的QOS服务与本模式冲突,是否禁用相关功能?(1/0) > " res
|
||||||
[ "$res" = '1' ] && ${CRASHDIR}/misnap_init.sh tproxyfix && redir_mod=Tproxy模式
|
[ "$res" = '1' ] && ${CRASHDIR}/misnap_init.sh tproxyfix && redir_mod=Tproxy模式
|
||||||
elif [ -n "$(iptables -j TPROXY 2>&1 | grep 'on-port')" ] ;then
|
elif [ -n "$(grep -E '^TPROXY$' /proc/net/ip_tables_targets)" ] ;then
|
||||||
redir_mod=Tproxy模式
|
redir_mod=Tproxy模式
|
||||||
set_redir_config
|
set_redir_config
|
||||||
else
|
else
|
||||||
|
@ -1475,7 +1475,7 @@ normal_set(){ #基础设置
|
||||||
normal_set
|
normal_set
|
||||||
|
|
||||||
elif [ "$num" = 8 ]; then
|
elif [ "$num" = 8 ]; then
|
||||||
if [ -n "$(ipset -v 2>/dev/null)" -o -n "$(echo $redir_mod | grep Nft)" ];then
|
if [ -n "$(ipset -v 2>/dev/null)" -o "$firewall_mod" = 'nftables' ];then
|
||||||
if [ "$cn_ip_route" = "未开启" ]; then
|
if [ "$cn_ip_route" = "未开启" ]; then
|
||||||
echo -e "\033[32m已开启CN_IP绕过内核功能!!\033[0m"
|
echo -e "\033[32m已开启CN_IP绕过内核功能!!\033[0m"
|
||||||
echo -e "\033[31m注意!!!此功能会导致全局模式及一切CN相关规则失效!!!\033[0m"
|
echo -e "\033[31m注意!!!此功能会导致全局模式及一切CN相关规则失效!!!\033[0m"
|
||||||
|
|
829
scripts/start.sh
829
scripts/start.sh
|
@ -383,7 +383,7 @@ EOF
|
||||||
}
|
}
|
||||||
#域名嗅探配置
|
#域名嗅探配置
|
||||||
[ "$sniffer" = "已启用" ] && [ "$crashcore" = "meta" ] && sniffer_set="sniffer: {enable: true, parse-pure-ip: true, skip-domain: [Mijia Cloud], sniff: {tls: {ports: [443, 8443]}, http: {ports: [80, 8080-8880]}}}"
|
[ "$sniffer" = "已启用" ] && [ "$crashcore" = "meta" ] && sniffer_set="sniffer: {enable: true, parse-pure-ip: true, skip-domain: [Mijia Cloud], sniff: {tls: {ports: [443, 8443]}, http: {ports: [80, 8080-8880]}}}"
|
||||||
[ "$crashcore" = "clashpre" ] && [ "$dns_mod" = "redir_host" -o "$sniffer" = "已启用" ] && exper="experimental: {ignore-resolve-fail: true, interface-name: en0, sniff-tls-sni: true}"
|
[ "$crashcore" = "clashpre" ] && [ "$dns_mod" = "redir_host" -o "$sniffer" = "已启用" ] && exper="experimental: {ignore-resolve-fail: true, interface-name: en0,sniff-tls-sni: true}"
|
||||||
#生成set.yaml
|
#生成set.yaml
|
||||||
cat > ${TMPDIR}/set.yaml <<EOF
|
cat > ${TMPDIR}/set.yaml <<EOF
|
||||||
mixed-port: $mix_port
|
mixed-port: $mix_port
|
||||||
|
@ -862,310 +862,75 @@ cn_ipv6_route(){ #CN-IPV6绕过
|
||||||
rm -rf cn6_$USER.ipset
|
rm -rf cn6_$USER.ipset
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
start_redir(){ #iptables-redir
|
start_ipt_route(){ #iptables-route通用工具
|
||||||
#获取局域网host地址
|
#$1:iptables/ip6tables $2:所在的表(nat/mangle) $3:所在的链(OUTPUT/PREROUTING) $4:新创建的shellcrash链表 $5:tcp/udp/all
|
||||||
getlanip
|
#区分ipv4/ipv6
|
||||||
#流量过滤
|
[ "$1" = 'iptables' ] && {
|
||||||
iptables -t nat -N shellcrash
|
RESERVED_IP=$reserve_ipv4
|
||||||
for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段
|
HOST_IP=$host_ipv4
|
||||||
iptables -t nat -A shellcrash -d $ip -j RETURN
|
[ "$4" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4"
|
||||||
done
|
|
||||||
#绕过CN_IP
|
|
||||||
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && \
|
|
||||||
iptables -t nat -A shellcrash -m set --match-set cn_ip dst -j RETURN 2>/dev/null
|
|
||||||
#局域网设备过滤
|
|
||||||
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
|
|
||||||
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单
|
|
||||||
iptables -t nat -A shellcrash -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $redir_port
|
|
||||||
done
|
|
||||||
else
|
|
||||||
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单
|
|
||||||
iptables -t nat -A shellcrash -m mac --mac-source $mac -j RETURN
|
|
||||||
done
|
|
||||||
#仅代理本机局域网网段流量
|
|
||||||
for ip in $host_ipv4;do
|
|
||||||
iptables -t nat -A shellcrash -p tcp -s $ip -j REDIRECT --to-ports $redir_port
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
#将PREROUTING链指向shellcrash链
|
|
||||||
iptables -t nat -A PREROUTING -p tcp $ports -j shellcrash
|
|
||||||
[ "$dns_mod" != "redir_host" -a "$common_ports" = "已开启" ] && iptables -t nat -A PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash
|
|
||||||
#设置ipv6转发
|
|
||||||
if [ "$ipv6_redir" = "已开启" ] && ip6tables -t nat -L >/dev/null 2>&1;then
|
|
||||||
ip6tables -t nat -N shellcrashv6
|
|
||||||
for ip in $reserve_ipv6 $host_ipv6;do #跳过目标保留地址及目标本机网段
|
|
||||||
ip6tables -t nat -A shellcrashv6 -d $ip -j RETURN
|
|
||||||
done
|
|
||||||
#绕过CN_IPV6
|
|
||||||
[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && \
|
|
||||||
ip6tables -t nat -A shellcrashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
|
|
||||||
#局域网设备过滤
|
|
||||||
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
|
|
||||||
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单
|
|
||||||
ip6tables -t nat -A shellcrashv6 -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $redir_port
|
|
||||||
done
|
|
||||||
else
|
|
||||||
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单
|
|
||||||
ip6tables -t nat -A shellcrashv6 -m mac --mac-source $mac -j RETURN
|
|
||||||
done
|
|
||||||
#仅代理本机局域网网段流量
|
|
||||||
for ip in $host_ipv6;do
|
|
||||||
ip6tables -t nat -A shellcrashv6 -p tcp -s $ip -j REDIRECT --to-ports $redir_port
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
ip6tables -t nat -A PREROUTING -p tcp $ports -j shellcrashv6
|
|
||||||
fi
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
start_ipt_dns(){ #iptables-dns
|
|
||||||
#屏蔽OpenWrt内置53端口转发
|
|
||||||
[ "$(uci get dhcp.@dnsmasq[0].dns_redirect 2>/dev/null)" = 1 ] && {
|
|
||||||
uci del dhcp.@dnsmasq[0].dns_redirect
|
|
||||||
uci commit dhcp.@dnsmasq[0]
|
|
||||||
}
|
}
|
||||||
#设置dns转发
|
[ "$1" = 'ip6tables' ] && {
|
||||||
iptables -t nat -N shellcrash_dns
|
RESERVED_IP=$reserve_ipv6
|
||||||
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
|
HOST_IP=$host_ipv6
|
||||||
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单
|
}
|
||||||
iptables -t nat -A shellcrash_dns -p udp -m mac --mac-source $mac -j REDIRECT --to $dns_port
|
#创建新的shellcrash链表
|
||||||
done
|
$1 -t $2 -N $4
|
||||||
else
|
#本机代理防回环
|
||||||
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单
|
[ "$3" = 'OUTPUT' ] && for gid in 453 7890;do
|
||||||
iptables -t nat -A shellcrash_dns -m mac --mac-source $mac -j RETURN
|
$1 -t $2 -A $4 -m owner --gid-owner $gid -j RETURN
|
||||||
done
|
done
|
||||||
iptables -t nat -A shellcrash_dns -p tcp -j REDIRECT --to $dns_port
|
#跳过目标保留地址及目标本机网段
|
||||||
iptables -t nat -A shellcrash_dns -p udp -j REDIRECT --to $dns_port
|
for ip in $HOST_IP $RESERVED_IP;do
|
||||||
fi
|
$1 -t $2 -A $4 -d $ip -j RETURN
|
||||||
iptables -t nat -I PREROUTING -p tcp --dport 53 -j shellcrash_dns
|
|
||||||
iptables -t nat -I PREROUTING -p udp --dport 53 -j shellcrash_dns
|
|
||||||
#ipv6DNS
|
|
||||||
if [ -n "$(lsmod | grep 'ip6table_nat')" -a -n "$(lsmod | grep 'xt_nat')" ];then
|
|
||||||
ip6tables -t nat -N shellcrashv6_dns > /dev/null 2>&1
|
|
||||||
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
|
|
||||||
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单
|
|
||||||
ip6tables -t nat -A shellcrashv6_dns -p udp -m mac --mac-source $mac -j REDIRECT --to $dns_port
|
|
||||||
done
|
|
||||||
else
|
|
||||||
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单
|
|
||||||
ip6tables -t nat -A shellcrashv6_dns -m mac --mac-source $mac -j RETURN
|
|
||||||
done
|
|
||||||
ip6tables -t nat -A shellcrashv6_dns -p tcp -j REDIRECT --to $dns_port
|
|
||||||
ip6tables -t nat -A shellcrashv6_dns -p udp -j REDIRECT --to $dns_port
|
|
||||||
fi
|
|
||||||
ip6tables -t nat -I PREROUTING -p tcp --dport 53 -j shellcrashv6_dns
|
|
||||||
ip6tables -t nat -I PREROUTING -p udp --dport 53 -j shellcrashv6_dns
|
|
||||||
else
|
|
||||||
ip6tables -I INPUT -p udp --dport 53 -m comment --comment "ShellCrash-IPV6_DNS-REJECT" -j REJECT 2>/dev/null
|
|
||||||
fi
|
|
||||||
return 0
|
|
||||||
|
|
||||||
}
|
|
||||||
start_tproxy(){ #iptables-tproxy
|
|
||||||
#获取局域网host地址
|
|
||||||
getlanip
|
|
||||||
modprobe xt_TPROXY >/dev/null 2>&1
|
|
||||||
ip rule add fwmark $fwmark table 100
|
|
||||||
ip route add local default dev lo table 100
|
|
||||||
iptables -t mangle -N shellcrash
|
|
||||||
iptables -t mangle -A shellcrash -p udp --dport 53 -j RETURN
|
|
||||||
for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段
|
|
||||||
iptables -t mangle -A shellcrash -d $ip -j RETURN
|
|
||||||
done
|
done
|
||||||
#绕过CN_IP
|
#绕过CN_IP
|
||||||
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && \
|
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && \
|
||||||
iptables -t mangle -A shellcrash -m set --match-set cn_ip dst -j RETURN 2>/dev/null
|
$1 -t $2 -A $4 -m set --match-set cn_ip dst -j RETURN 2>/dev/null
|
||||||
|
#局域网mac地址黑名单过滤
|
||||||
|
[ -s "$(cat ${CRASHDIR}/configs/mac)" -a "$macfilter_type" != "白名单" ] && \
|
||||||
|
for mac in $(cat ${CRASHDIR}/configs/mac); do
|
||||||
|
$1 -t $2 -A $4 -m mac --mac-source $mac -j RETURN
|
||||||
|
done
|
||||||
#tcp&udp分别进代理链
|
#tcp&udp分别进代理链
|
||||||
tproxy_set(){
|
proxy_set(){
|
||||||
|
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
|
||||||
|
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单
|
||||||
|
$1 -t $2 -A $4 -p $5 -m mac --mac-source $mac -j $JUMP
|
||||||
|
done
|
||||||
|
else
|
||||||
|
for ip in $HOST_IP;do #仅限指定网段流量
|
||||||
|
$1 -t $2 -A $4 -p $5 -s $ip -j $JUMP
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
#将所在链指定流量指向shellcrash表
|
||||||
|
$1 -t $2 -I $3 -p $5 $ports -j $4
|
||||||
|
[ "$dns_mod" != "redir_host" ] && [ "$common_ports" = "已开启" ] && [ "$1" = iptables ] && $1 -t $2 -I $3 -p $5 -d 198.18.0.0/16 -j $4
|
||||||
|
}
|
||||||
|
[ "$5" = "tcp" -o "$5" = "all" ] && proxy_set $1 $2 $3 $4 tcp
|
||||||
|
[ "$5" = "udp" -o "$5" = "all" ] && proxy_set $1 $2 $3 $4 udp
|
||||||
|
}
|
||||||
|
start_ipt_dns(){ #iptables-dns通用工具
|
||||||
|
#$1:iptables/ip6tables $2:所在的表(OUTPUT/PREROUTING) $3:新创建的shellcrash表
|
||||||
|
$1 -t nat -N $3
|
||||||
|
#绕过本机dns应用
|
||||||
|
[ "$2" = 'OUTPUT' ] && for gid in 453 7890;do
|
||||||
|
$1 -t nat -A $3 -m owner --gid-owner $gid -j RETURN
|
||||||
|
done
|
||||||
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
|
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
|
||||||
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单
|
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单
|
||||||
iptables -t mangle -A shellcrash -p $1 -m mac --mac-source $mac -j TPROXY --on-port $tproxy_port --tproxy-mark $fwmark
|
$1 -t nat -A $3 -p tcp -m mac --mac-source $mac -j REDIRECT --to $dns_port
|
||||||
|
$1 -t nat -A $3 -p udp -m mac --mac-source $mac -j REDIRECT --to $dns_port
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单
|
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单
|
||||||
iptables -t mangle -A shellcrash -m mac --mac-source $mac -j RETURN
|
$1 -t nat -A $3 -m mac --mac-source $mac -j RETURN
|
||||||
done
|
|
||||||
#仅代理本机局域网网段流量
|
|
||||||
for ip in $host_ipv4;do
|
|
||||||
iptables -t mangle -A shellcrash -p $1 -s $ip -j TPROXY --on-port $tproxy_port --tproxy-mark $fwmark
|
|
||||||
done
|
done
|
||||||
|
$1 -t nat -A $3 -p tcp -j REDIRECT --to $dns_port
|
||||||
|
$1 -t nat -A $3 -p udp -j REDIRECT --to $dns_port
|
||||||
fi
|
fi
|
||||||
iptables -t mangle -A PREROUTING -p $1 $ports -j shellcrash
|
$1 -t nat -I $2 -p tcp --dport 53 -j $3
|
||||||
[ "$dns_mod" != "redir_host" -a "$common_ports" = "已开启" ] && iptables -t mangle -A PREROUTING -p $1 -d 198.18.0.0/16 -j shellcrash
|
$1 -t nat -I $2 -p udp --dport 53 -j $3
|
||||||
}
|
|
||||||
[ "$1" = "all" ] && tproxy_set tcp
|
|
||||||
tproxy_set udp
|
|
||||||
|
|
||||||
#屏蔽QUIC
|
|
||||||
[ "$quic_rj" = 已启用 ] && {
|
|
||||||
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst'
|
|
||||||
iptables -I INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1
|
|
||||||
}
|
|
||||||
#设置ipv6转发
|
|
||||||
[ "$ipv6_redir" = "已开启" ] && ip6tables -t nat -L >/dev/null 2>&1 && {
|
|
||||||
ip -6 rule add fwmark $fwmark table 101
|
|
||||||
ip -6 route add local ::/0 dev lo table 101
|
|
||||||
ip6tables -t mangle -N shellcrashv6
|
|
||||||
ip6tables -t mangle -A shellcrashv6 -p udp --dport 53 -j RETURN
|
|
||||||
for ip in $host_ipv6 $reserve_ipv6;do #跳过目标保留地址及目标本机网段
|
|
||||||
ip6tables -t mangle -A shellcrashv6 -d $ip -j RETURN
|
|
||||||
done
|
|
||||||
#绕过CN_IPV6
|
|
||||||
[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && \
|
|
||||||
ip6tables -t mangle -A shellcrashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
|
|
||||||
#tcp&udp分别进代理链
|
|
||||||
tproxy_set6(){
|
|
||||||
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
|
|
||||||
#mac白名单
|
|
||||||
for mac in $(cat ${CRASHDIR}/configs/mac); do
|
|
||||||
ip6tables -t mangle -A shellcrashv6 -p $1 -m mac --mac-source $mac -j TPROXY --on-port $tproxy_port --tproxy-mark $fwmark
|
|
||||||
done
|
|
||||||
else
|
|
||||||
#mac黑名单
|
|
||||||
for mac in $(cat ${CRASHDIR}/configs/mac); do
|
|
||||||
ip6tables -t mangle -A shellcrashv6 -m mac --mac-source $mac -j RETURN
|
|
||||||
done
|
|
||||||
#仅代理本机局域网网段流量
|
|
||||||
for ip in $host_ipv6;do
|
|
||||||
ip6tables -t mangle -A shellcrashv6 -p $1 -s $ip -j TPROXY --on-port $tproxy_port --tproxy-mark $fwmark
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
ip6tables -t mangle -A PREROUTING -p $1 $ports -j shellcrashv6
|
|
||||||
}
|
|
||||||
[ "$1" = "all" ] && tproxy_set6 tcp
|
|
||||||
tproxy_set6 udp
|
|
||||||
|
|
||||||
#屏蔽QUIC
|
|
||||||
[ "$quic_rj" = 已启用 ] && {
|
|
||||||
[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst'
|
|
||||||
ip6tables -I INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2>/dev/null
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
start_output(){ #iptables本机代理
|
|
||||||
#获取局域网host地址
|
|
||||||
getlanip
|
|
||||||
#流量过滤
|
|
||||||
iptables -t nat -N shellcrash_out
|
|
||||||
iptables -t nat -A shellcrash_out -m owner --gid-owner 7890 -j RETURN
|
|
||||||
for ip in $local_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段
|
|
||||||
iptables -t nat -A shellcrash_out -d $ip -j RETURN
|
|
||||||
done
|
|
||||||
#绕过CN_IP
|
|
||||||
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && \
|
|
||||||
iptables -t nat -A shellcrash_out -m set --match-set cn_ip dst -j RETURN >/dev/null 2>&1
|
|
||||||
#仅允许本机流量
|
|
||||||
for ip in 127.0.0.0/8 $local_ipv4;do
|
|
||||||
iptables -t nat -A shellcrash_out -p tcp -s $ip -j REDIRECT --to-ports $redir_port
|
|
||||||
done
|
|
||||||
iptables -t nat -A OUTPUT -p tcp $ports -j shellcrash_out
|
|
||||||
#设置dns转发
|
|
||||||
[ "$dns_no" != "已禁用" ] && {
|
|
||||||
[ -z "$(grep 'nameserver 127.0.0.1' /etc/resolv.conf 2>/dev/null)" ] && echo 'nameserver 127.0.0.1' >> /etc/resolv.conf #修复部分虚拟机dns查询失败的问题
|
|
||||||
iptables -t nat -N shellcrash_dns_out
|
|
||||||
iptables -t nat -A shellcrash_dns_out -m owner --gid-owner 453 -j RETURN #绕过本机dnsmasq
|
|
||||||
iptables -t nat -A shellcrash_dns_out -m owner --gid-owner 7890 -j RETURN
|
|
||||||
iptables -t nat -A shellcrash_dns_out -p udp -j REDIRECT --to $dns_port
|
|
||||||
iptables -t nat -A OUTPUT -p udp --dport 53 -j shellcrash_dns_out
|
|
||||||
}
|
|
||||||
#Docker转发
|
|
||||||
ckcmd docker && {
|
|
||||||
iptables -t nat -N shellcrash_docker
|
|
||||||
for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段
|
|
||||||
iptables -t nat -A shellcrash_docker -d $ip -j RETURN
|
|
||||||
done
|
|
||||||
iptables -t nat -A shellcrash_docker -p tcp -j REDIRECT --to-ports $redir_port
|
|
||||||
iptables -t nat -A PREROUTING -p tcp -s 172.16.0.0/12 -j shellcrash_docker
|
|
||||||
[ "$dns_no" != "已禁用" ] && iptables -t nat -A PREROUTING -p udp --dport 53 -s 172.16.0.0/12 -j REDIRECT --to $dns_port
|
|
||||||
}
|
|
||||||
}
|
|
||||||
start_tun(){ #iptables-tun
|
|
||||||
modprobe tun >/dev/null 2>&1
|
|
||||||
#允许流量
|
|
||||||
iptables -I FORWARD -o utun -j ACCEPT
|
|
||||||
iptables -I FORWARD -s 198.18.0.0/16 -o utun -j RETURN #防止回环
|
|
||||||
ip6tables -I FORWARD -o utun -j ACCEPT > /dev/null 2>&1
|
|
||||||
#屏蔽QUIC
|
|
||||||
if [ "$quic_rj" = 已启用 ];then
|
|
||||||
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && {
|
|
||||||
set_cn_ip='-m set ! --match-set cn_ip dst'
|
|
||||||
set_cn_ip6='-m set ! --match-set cn_ip6 dst'
|
|
||||||
}
|
|
||||||
iptables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1
|
|
||||||
ip6tables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT >/dev/null 2>&1
|
|
||||||
fi
|
|
||||||
if [ -n "$(iptables -j MARK 2>&1 | grep 'mark')" ];then
|
|
||||||
i=1
|
|
||||||
while [ -z "$(ip route list |grep utun)" -a "$i" -le 29 ];do
|
|
||||||
sleep 1
|
|
||||||
i=$((i+1))
|
|
||||||
done
|
|
||||||
if [ -z "$(ip route list |grep utun)" ];then
|
|
||||||
logger "找不到tun模块,放弃启动tun相关防火墙规则!" 31
|
|
||||||
else
|
|
||||||
ip route add default dev utun table 100
|
|
||||||
ip rule add fwmark $fwmark table 100
|
|
||||||
#获取局域网host地址
|
|
||||||
getlanip
|
|
||||||
iptables -t mangle -N shellcrash
|
|
||||||
iptables -t mangle -A shellcrash -p udp --dport 53 -j RETURN
|
|
||||||
for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段
|
|
||||||
iptables -t mangle -A shellcrash -d $ip -j RETURN
|
|
||||||
done
|
|
||||||
#防止回环
|
|
||||||
iptables -t mangle -A shellcrash -s 198.18.0.0/16 -j RETURN
|
|
||||||
#绕过CN_IP
|
|
||||||
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && \
|
|
||||||
iptables -t mangle -A shellcrash -m set --match-set cn_ip dst -j RETURN 2>/dev/null
|
|
||||||
#局域网设备过滤
|
|
||||||
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
|
|
||||||
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单
|
|
||||||
iptables -t mangle -A shellcrash -m mac --mac-source $mac -j MARK --set-mark $fwmark
|
|
||||||
done
|
|
||||||
else
|
|
||||||
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单
|
|
||||||
iptables -t mangle -A shellcrash -m mac --mac-source $mac -j RETURN
|
|
||||||
done
|
|
||||||
#仅代理本机局域网网段流量
|
|
||||||
for ip in $host_ipv4;do
|
|
||||||
iptables -t mangle -A shellcrash -s $ip -j MARK --set-mark $fwmark
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
iptables -t mangle -A PREROUTING -p udp $ports -j shellcrash
|
|
||||||
[ "$1" = "all" ] && iptables -t mangle -A PREROUTING -p tcp $ports -j shellcrash
|
|
||||||
|
|
||||||
#设置ipv6转发
|
|
||||||
[ "$ipv6_redir" = "已开启" ] && ip6tables -t nat -L >/dev/null 2>&1 && [ "$crashcore" != clash ] && {
|
|
||||||
ip -6 route add default dev utun table 101
|
|
||||||
ip -6 rule add fwmark $fwmark table 101
|
|
||||||
ip6tables -t mangle -N shellcrashv6
|
|
||||||
ip6tables -t mangle -A shellcrashv6 -p udp --dport 53 -j RETURN
|
|
||||||
for ip in $host_ipv6 $reserve_ipv6;do #跳过目标保留地址及目标本机网段
|
|
||||||
ip6tables -t mangle -A shellcrashv6 -d $ip -j RETURN
|
|
||||||
done
|
|
||||||
#绕过CN_IPV6
|
|
||||||
[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && \
|
|
||||||
ip6tables -t mangle -A shellcrashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
|
|
||||||
#局域网设备过滤
|
|
||||||
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
|
|
||||||
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单
|
|
||||||
ip6tables -t mangle -A shellcrashv6 -m mac --mac-source $mac -j MARK --set-mark $fwmark
|
|
||||||
done
|
|
||||||
else
|
|
||||||
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单
|
|
||||||
ip6tables -t mangle -A shellcrashv6 -m mac --mac-source $mac -j RETURN
|
|
||||||
done
|
|
||||||
#仅代理本机局域网网段流量
|
|
||||||
for ip in $host_ipv6;do
|
|
||||||
ip6tables -t mangle -A shellcrashv6 -s $ip -j MARK --set-mark $fwmark
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
ip6tables -t mangle -A PREROUTING -p udp $ports -j shellcrashv6
|
|
||||||
[ "$1" = "all" ] && ip6tables -t mangle -A PREROUTING -p tcp $ports -j shellcrashv6
|
|
||||||
}
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
logger "iptables缺少-J MARK功能,放弃启动tun相关防火墙规则!" 31
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
start_ipt_wan(){ #iptables公网防火墙
|
start_ipt_wan(){ #iptables公网防火墙
|
||||||
#获取局域网host地址
|
#获取局域网host地址
|
||||||
|
@ -1194,110 +959,151 @@ start_ipt_wan(){ #iptables公网防火墙
|
||||||
fi
|
fi
|
||||||
iptables -I INPUT -p tcp -d 127.0.0.1 -j ACCEPT #本机请求全放行
|
iptables -I INPUT -p tcp -d 127.0.0.1 -j ACCEPT #本机请求全放行
|
||||||
}
|
}
|
||||||
start_nft(){ #nftables-all-in-one
|
start_iptables(){ #iptables配置总入口
|
||||||
table_type=$1
|
#启动公网访问防火墙
|
||||||
[ -n "$2" ] && table=$2 || table=$1
|
start_ipt_wan
|
||||||
|
#启动DNS劫持
|
||||||
|
[ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && {
|
||||||
|
[ "$lan_proxy" = true ] && {
|
||||||
|
start_ipt_dns iptables PREROUTING shellcrash_dns #ipv4-局域网dns转发
|
||||||
|
if ip6tables -t nat -L >/dev/null 2>&1;then
|
||||||
|
start_ipt_dns ip6tables PREROUTING shellcrashv6_dns #ipv6-局域网dns转发
|
||||||
|
else
|
||||||
|
ip6tables -I INPUT -p udp --dport 53 -m comment --comment "ShellCrash-IPV6_DNS-REJECT" -j REJECT 2>/dev/null
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
[ "$local_proxy" = true ] && start_ipt_dns iptables OUTPUT shellcrash_dns_out #ipv4-本机dns转发
|
||||||
|
}
|
||||||
|
#分模式设置流量劫持
|
||||||
|
[ "$redir_mod" = "Redir模式" -o "$redir_mod" = "混合模式" ] && {
|
||||||
|
JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令
|
||||||
|
[ "$lan_proxy" = true ] && {
|
||||||
|
start_ipt_route iptables nat PREROUTING shellcrash tcp #ipv4-局域网tcp转发
|
||||||
|
[ "$ipv6_redir" = "已开启" ] && {
|
||||||
|
if ip6tables -t nat -L >/dev/null 2>&1;then
|
||||||
|
start_ipt_route ip6tables nat PREROUTING shellcrashv6 tcp #ipv6-局域网tcp转发
|
||||||
|
else
|
||||||
|
logger "当前设备内核缺少ip6tables-nat模块支持,已放弃启动相关规则!" 31
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
}
|
||||||
|
[ "$local_proxy" = true ] && start_ipt_route iptables nat OUTPUT shellcrash_out tcp #ipv4-本机tcp转发
|
||||||
|
}
|
||||||
|
[ "$redir_mod" = "Tproxy模式" ] && {
|
||||||
|
JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令
|
||||||
|
if [ -n "$(grep -E '^TPROXY$' /proc/net/ip_tables_targets)" ];then
|
||||||
|
[ "$lan_proxy" = true ] && start_ipt_route iptables mangle PREROUTING shellcrash_mark all
|
||||||
|
[ "$local_proxy" = true ] && start_ipt_route iptables mangle OUTPUT shellcrash_mark_out all
|
||||||
|
else
|
||||||
|
logger "当前设备内核可能缺少kmod-ipt-tproxy模块支持,已放弃启动相关规则!" 31
|
||||||
|
fi
|
||||||
|
[ "$ipv6_redir" = "已开启" ] && [ "$lan_proxy" = true ] && {
|
||||||
|
if [ -n "$(grep -E '^TPROXY$' /proc/net/ip6_tables_targets)" ];then
|
||||||
|
start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark all
|
||||||
|
else
|
||||||
|
logger "当前设备内核可能缺少kmod-ipt-tproxy模块支持,已放弃启动相关规则!" 31
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
}
|
||||||
|
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" -o "$redir_mod" = "T&U旁路转发" -o "$redir_mod" = "TCP旁路转发" ] && {
|
||||||
|
JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令
|
||||||
|
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "T&U旁路转发" ] && protocol=all
|
||||||
|
[ "$redir_mod" = "混合模式" ] && protocol=udp
|
||||||
|
[ "$redir_mod" = "TCP旁路转发" ] && protocol=tcp
|
||||||
|
if [ -n "$(grep -E '^MARK$' /proc/net/ip_tables_targets)" ];then
|
||||||
|
[ "$lan_proxy" = true ] && start_ipt_route iptables mangle PREROUTING shellcrash_mark $protocol
|
||||||
|
[ "$local_proxy" = true ] && start_ipt_route iptables mangle OUTPUT shellcrash_mark_out $protocol
|
||||||
|
else
|
||||||
|
logger "当前设备内核可能缺少xt-mark模块支持,已放弃启动相关规则!" 31
|
||||||
|
fi
|
||||||
|
[ "$ipv6_redir" = "已开启" ] && [ "$lan_proxy" = true ] && {
|
||||||
|
if [ -n "$(grep -E '^MARK$' /proc/net/ip6_tables_targets)" ];then
|
||||||
|
start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark $protocol
|
||||||
|
else
|
||||||
|
logger "当前设备内核可能缺少xt-mark模块支持,已放弃启动相关规则!" 31
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#屏蔽QUIC
|
||||||
|
[ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && {
|
||||||
|
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && {
|
||||||
|
set_cn_ip='-m set ! --match-set cn_ip dst'
|
||||||
|
set_cn_ip6='-m set ! --match-set cn_ip6 dst'
|
||||||
|
}
|
||||||
|
iptables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1
|
||||||
|
ip6tables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT >/dev/null 2>&1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
start_nft_route(){ #nftables-route通用工具
|
||||||
|
#$1:name $2:hook(prerouting/output) $3:type(nat/mangle/filter) $4:priority(-100/-150)
|
||||||
[ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g')
|
[ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g')
|
||||||
RESERVED_IP=$(echo $reserve_ipv4 | sed 's/ /, /g')
|
RESERVED_IP=$(echo $reserve_ipv4 | sed 's/ /, /g')
|
||||||
if [ "$1" = 'output' ];then
|
HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
|
||||||
HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
|
[ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
|
||||||
chain_type=route
|
#添加新链
|
||||||
else
|
nft add chain inet shellcrash $1 { type $3 hook $2 priority $4 \; }
|
||||||
HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
|
#防回环
|
||||||
chain_type=nat
|
nft add rule inet shellcrash $1 meta skgid 7890 return
|
||||||
fi
|
nft add rule inet shellcrash $1 ip saddr 198.18.0.0/16 return
|
||||||
#不同模式调整
|
[ "$firewall_area" = 5 ] && nft add rule inet shellcrash $1 ip daddr $bypass_host return
|
||||||
[ "$redir_mod" = "Redir模式" ] && \
|
|
||||||
nft add chain inet shellcrash $table { type nat hook $table_type priority -100 \; }
|
|
||||||
[ "$redir_mod" = "Tproxy模式" ] && {
|
|
||||||
modprobe nft_tproxy >/dev/null 2>&1
|
|
||||||
nft add chain inet shellcrash $table { type $chain_type hook $table_type priority mangle \; }
|
|
||||||
}
|
|
||||||
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
|
|
||||||
modprobe tun >/dev/null 2>&1
|
|
||||||
i=1
|
|
||||||
while [ -z "$(ip route list |grep utun)" -a "$i" -le 29 ];do
|
|
||||||
sleep 1
|
|
||||||
i=$((i+1))
|
|
||||||
done
|
|
||||||
if [ -z "$(ip route list |grep utun)" ];then
|
|
||||||
logger "找不到tun模块,放弃启动tun相关防火墙规则!" 31
|
|
||||||
exit 1
|
|
||||||
else
|
|
||||||
nft add chain inet shellcrash $table { type $chain_type hook $table_type priority mangle \; }
|
|
||||||
nft add rule inet shellcrash $table ip saddr 198.18.0.0/16 return #防止回环
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
[ "$firewall_area" = 5 ] && {
|
|
||||||
nft add chain inet shellcrash $table { type $chain_type hook $table_type priority mangle \; }
|
|
||||||
nft add rule inet shellcrash $table ip daddr {$bypass_host} return
|
|
||||||
}
|
|
||||||
#本机流量防回环
|
|
||||||
[ "$table_type" = 'output' ] && nft add rule inet shellcrash $table meta skgid 7890 return
|
|
||||||
#过滤局域网设备
|
#过滤局域网设备
|
||||||
[ -n "$(cat ${CRASHDIR}/configs/mac)" ] && {
|
[ -n "$(cat ${CRASHDIR}/configs/mac)" ] && {
|
||||||
MAC=$(awk '{printf "%s, ",$1}' ${CRASHDIR}/configs/mac)
|
MAC=$(awk '{printf "%s, ",$1}' ${CRASHDIR}/configs/mac)
|
||||||
[ "$macfilter_type" = "黑名单" ] && \
|
if [ "$macfilter_type" = "黑名单" ];then
|
||||||
nft add rule inet shellcrash $table ether saddr {$MAC} return || \
|
nft add rule inet shellcrash $1 ether saddr {$MAC} return
|
||||||
nft add rule inet shellcrash $table ether saddr != {$MAC} return
|
else
|
||||||
|
nft add rule inet shellcrash $1 ether saddr != {$MAC} return
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
#过滤保留地址
|
nft add rule inet shellcrash $1 ip daddr {$RESERVED_IP} return #过滤保留地址
|
||||||
nft add rule inet shellcrash $table ip daddr {$RESERVED_IP} return
|
nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理本机局域网网段流量
|
||||||
#仅代理本机局域网网段流量
|
|
||||||
nft add rule inet shellcrash $table ip saddr != {$HOST_IP} return
|
|
||||||
#绕过CN-IP
|
#绕过CN-IP
|
||||||
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" -a -f ${BINDIR}/cn_ip.txt ] && {
|
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" -a -f ${BINDIR}/cn_ip.txt ] && {
|
||||||
CN_IP=$(awk '{printf "%s, ",$1}' ${BINDIR}/cn_ip.txt)
|
CN_IP=$(awk '{printf "%s, ",$1}' ${BINDIR}/cn_ip.txt)
|
||||||
[ -n "$CN_IP" ] && nft add rule inet shellcrash $table ip daddr {$CN_IP} return
|
[ -n "$CN_IP" ] && nft add rule inet shellcrash $1 ip daddr {$CN_IP} return
|
||||||
}
|
}
|
||||||
#过滤常用端口
|
[ -n "$PORTS" ] && nft add rule inet shellcrash $1 tcp dport != {$PORTS} ip daddr != {198.18.0.0/16} return #过滤常用端口
|
||||||
[ -n "$PORTS" ] && nft add rule inet shellcrash $table tcp dport != {$PORTS} ip daddr != {198.18.0.0/16} return
|
|
||||||
#局域网ipv6支持
|
#局域网ipv6支持
|
||||||
if [ "$ipv6_redir" = "已开启" -a "$table_type" = 'prerouting' -a "$firewall_area" != 5 ];then
|
if [ "$ipv6_redir" = "已开启" -a "$1" = 'prerouting' -a "$firewall_area" != 5 ];then
|
||||||
RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')"
|
RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')"
|
||||||
HOST_IP6="$(echo $host_ipv6 | sed 's/ /, /g')"
|
HOST_IP6="$(echo $host_ipv6 | sed 's/ /, /g')"
|
||||||
ip -6 rule add fwmark $fwmark table 101 2> /dev/null
|
|
||||||
ip -6 route add local ::/0 dev lo table 101 2> /dev/null
|
|
||||||
#过滤保留地址及本机地址
|
#过滤保留地址及本机地址
|
||||||
nft add rule inet shellcrash $table ip6 daddr {$RESERVED_IP6} return
|
nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return
|
||||||
#仅代理本机局域网网段流量
|
#仅代理本机局域网网段流量
|
||||||
nft add rule inet shellcrash $table ip6 saddr != {$HOST_IP6} return
|
nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return
|
||||||
#绕过CN_IPV6
|
#绕过CN_IPV6
|
||||||
[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" -a -f ${BINDIR}/cn_ipv6.txt ] && {
|
[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" -a -f ${BINDIR}/cn_ipv6.txt ] && {
|
||||||
CN_IP6=$(awk '{printf "%s, ",$1}' ${BINDIR}/cn_ipv6.txt)
|
CN_IP6=$(awk '{printf "%s, ",$1}' ${BINDIR}/cn_ipv6.txt)
|
||||||
[ -n "$CN_IP6" ] && nft add rule inet shellcrash $table ip6 daddr {$CN_IP6} return
|
[ -n "$CN_IP6" ] && nft add rule inet shellcrash $1 ip6 daddr {$CN_IP6} return
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
nft add rule inet shellcrash $table meta nfproto ipv6 return
|
nft add rule inet shellcrash $1 meta nfproto ipv6 return
|
||||||
fi
|
fi
|
||||||
# nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug
|
#添加通用路由
|
||||||
[ "$redir_mod" = "Redir模式" ] && nft add rule inet shellcrash $table meta l4proto tcp redirect to $redir_port
|
nft add rule inet shellcrash $1 $JUMP
|
||||||
[ "$redir_mod" = "混合模式" ] && {
|
#处理特殊路由
|
||||||
nft add rule inet shellcrash $table meta l4proto udp mark set $fwmark
|
|
||||||
nft add rule inet shellcrash $table meta l4proto tcp mark set $((fwmark + 1))
|
|
||||||
nft add chain inet shellcrash ${table}_mixtcp { type nat hook $table_type priority -100 \; }
|
|
||||||
nft add rule inet shellcrash ${table}_mixtcp mark == $((fwmark + 1)) meta l4proto tcp redirect to $redir_port
|
|
||||||
}
|
|
||||||
[ "$redir_mod" = "Tproxy模式" ] && {
|
[ "$redir_mod" = "Tproxy模式" ] && {
|
||||||
nft add rule inet shellcrash $table meta l4proto {tcp, udp} mark set $fwmark
|
nft add chain inet shellcrash ${1}_tproxy { type filter hook $2 priority -100 \; }
|
||||||
nft add chain inet shellcrash ${table}_tproxy { type filter hook $table_type priority -100 \; }
|
nft add rule inet shellcrash ${1}_tproxy meta mark == $fwmark meta l4proto {tcp, udp} tproxy to :$tproxy_port
|
||||||
nft add rule inet shellcrash ${table}_tproxy meta mark == $fwmark meta l4proto {tcp, udp} tproxy to :$tproxy_port
|
|
||||||
}
|
}
|
||||||
[ "$redir_mod" = "Tun模式" ] && nft add rule inet shellcrash $table meta l4proto {tcp, udp} mark set $fwmark
|
[ "$redir_mod" = "混合模式" ] && {
|
||||||
[ "$redir_mod" = "TCP旁路转发" ] && nft add rule inet shellcrash $table meta l4proto tcp mark set $fwmark
|
nft add rule inet shellcrash $1 meta l4proto tcp mark set $((fwmark + 1))
|
||||||
[ "$redir_mod" = "T&U旁路转发" ] && nft add rule inet shellcrash $table meta l4proto {tcp, udp} mark set $fwmark
|
nft add chain inet shellcrash ${1}_mixtcp { type nat hook $2 priority -100 \; }
|
||||||
|
nft add rule inet shellcrash ${1}_mixtcp mark == $((fwmark + 1)) meta l4proto tcp redirect to $redir_port
|
||||||
|
}
|
||||||
|
#nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug
|
||||||
}
|
}
|
||||||
start_nft_dns(){ #nftables-dns
|
start_nft_dns(){ #nftables-dns
|
||||||
nft add chain inet shellcrash ${1}_dns { type nat hook $1 priority -100 \; }
|
nft add chain inet shellcrash ${1}_dns { type nat hook $1 priority -100 \; }
|
||||||
|
nft add rule inet shellcrash ${1}_dns meta skgid { 453, 7890 } return
|
||||||
#过滤局域网设备
|
#过滤局域网设备
|
||||||
[ -n "$(cat ${CRASHDIR}/configs/mac)" ] && {
|
[ -n "$(cat ${CRASHDIR}/configs/mac)" ] && {
|
||||||
MAC=$(awk '{printf "%s, ",$1}' ${CRASHDIR}/configs/mac)
|
MAC=$(awk '{printf "%s, ",$1}' ${CRASHDIR}/configs/mac)
|
||||||
[ "$macfilter_type" = "黑名单" ] && \
|
if [ "$macfilter_type" = "黑名单" ];then
|
||||||
nft add rule inet shellcrash ${1}_dns ether saddr {$MAC} return || \
|
nft add rule inet shellcrash ${1}_dns ether saddr {$MAC} return
|
||||||
|
else
|
||||||
nft add rule inet shellcrash ${1}_dns ether saddr != {$MAC} return
|
nft add rule inet shellcrash ${1}_dns ether saddr != {$MAC} return
|
||||||
}
|
fi
|
||||||
[ "$1" = 'output' ] && {
|
|
||||||
nft add rule inet shellcrash ${1}_dns meta skgid { 453, 7890 } return
|
|
||||||
}
|
}
|
||||||
nft add rule inet shellcrash ${1}_dns udp dport 53 redirect to ${dns_port}
|
nft add rule inet shellcrash ${1}_dns udp dport 53 redirect to ${dns_port}
|
||||||
nft add rule inet shellcrash ${1}_dns tcp dport 53 redirect to ${dns_port}
|
nft add rule inet shellcrash ${1}_dns tcp dport 53 redirect to ${dns_port}
|
||||||
|
@ -1323,89 +1129,188 @@ start_nft_wan(){ #nftables公网防火墙
|
||||||
nft add rule inet shellcrash input tcp dport $mix_port reject
|
nft add rule inet shellcrash input tcp dport $mix_port reject
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
start_nftables(){ #nftables配置总入口
|
||||||
|
#初始化nftables
|
||||||
|
nft add table inet shellcrash
|
||||||
|
nft flush table inet shellcrash
|
||||||
|
#公网访问防火墙
|
||||||
|
start_nft_wan
|
||||||
|
#启动DNS劫持
|
||||||
|
[ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && {
|
||||||
|
[ "$lan_proxy" = true ] && start_nft_dns prerouting #局域网dns转发
|
||||||
|
[ "$local_proxy" = true ] && start_nft_dns output #本机dns转发
|
||||||
|
}
|
||||||
|
#分模式设置流量劫持
|
||||||
|
[ "$redir_mod" = "Redir模式" ] && {
|
||||||
|
JUMP="meta l4proto tcp redirect to $redir_port" #跳转劫持的具体命令
|
||||||
|
[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -100
|
||||||
|
[ "$local_proxy" = true ] && start_nft_route output output nat -100
|
||||||
|
}
|
||||||
|
[ "$redir_mod" = "Tproxy模式" ] && modprobe nft_tproxy >/dev/null 2>&1 && {
|
||||||
|
JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令
|
||||||
|
[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -150
|
||||||
|
[ "$local_proxy" = true ] && start_nft_route output output route -150
|
||||||
|
}
|
||||||
|
[ "$redir_mod" = "Tun模式" ] && [ "$tun_statu" != false ] && {
|
||||||
|
JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令
|
||||||
|
[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -150
|
||||||
|
[ "$local_proxy" = true ] && start_nft_route output output route -150
|
||||||
|
}
|
||||||
|
[ "$redir_mod" = "混合模式" ] && [ "$tun_statu" != false ] && {
|
||||||
|
JUMP="meta l4proto udp mark set $fwmark" #跳转劫持的具体命令
|
||||||
|
[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -150
|
||||||
|
[ "$local_proxy" = true ] && start_nft_route output output route -150
|
||||||
|
}
|
||||||
|
[ "$firewall_area" = 5 ] && {
|
||||||
|
[ "$redir_mod" = "T&U旁路转发" ] && JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令
|
||||||
|
[ "$redir_mod" = "TCP旁路转发" ] && JUMP="meta l4proto tcp mark set $fwmark" #跳转劫持的具体命令
|
||||||
|
[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -150
|
||||||
|
[ "$local_proxy" = true ] && start_nft_route output output route -150
|
||||||
|
}
|
||||||
|
#屏蔽QUIC
|
||||||
|
[ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && {
|
||||||
|
nft add chain inet shellcrash quic_rj { type filter hook input priority 0 \; }
|
||||||
|
[ -n "$CN_IP" ] && nft add rule inet shellcrash quic_rj ip daddr {$CN_IP} return
|
||||||
|
[ -n "$CN_IP6" ] && nft add rule inet shellcrash quic_rj ip6 daddr {$CN_IP6} return
|
||||||
|
nft add rule inet shellcrash quic_rj udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT'
|
||||||
|
}
|
||||||
|
}
|
||||||
|
start_firewall(){ #路由规则总入口
|
||||||
|
getlanip #获取局域网host地址
|
||||||
|
#设置策略路由
|
||||||
|
[ "$firewall_area" != 4 ] && {
|
||||||
|
local table=100
|
||||||
|
[ "$redir_mod" = "Tproxy模式" ] && ip route add local default dev lo table $table
|
||||||
|
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
|
||||||
|
i=1
|
||||||
|
while [ -z "$(ip route list |grep utun)" -a "$i" -le 29 ];do
|
||||||
|
sleep 1
|
||||||
|
i=$((i+1))
|
||||||
|
done
|
||||||
|
if [ -z "$(ip route list |grep utun)" ];then
|
||||||
|
tun_statu=false
|
||||||
|
logger "找不到tun模块,放弃启动tun相关防火墙规则!" 31
|
||||||
|
else
|
||||||
|
ip route add default dev utun table $table
|
||||||
|
#iptables -I FORWARD -o utun -j ACCEPT
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
[ "$firewall_area" = 5 ] && ip route add default via $bypass_host table $table
|
||||||
|
[ "$redir_mod" != "Redir模式" ] && ip rule add fwmark $fwmark table $table
|
||||||
|
}
|
||||||
|
#添加ipv6路由
|
||||||
|
[ "$ipv6_redir" = "已开启" -a "$firewall_area" -le 3 ] && {
|
||||||
|
[ "$redir_mod" = "Tproxy模式" ] && ip -6 route add local default dev lo table $((table + 1))
|
||||||
|
[ -n "$(ip route list |grep utun)" ] && ip -6 route add default dev utun table $((table + 1))
|
||||||
|
[ "$redir_mod" != "Redir模式" ] && ip -6 rule add fwmark $fwmark table $((table + 1))
|
||||||
|
}
|
||||||
|
#判断代理用途
|
||||||
|
[ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -n "$(grep '0:7890' /etc/passwd)" ] && local_proxy=true
|
||||||
|
[ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 ] && lan_proxy=true
|
||||||
|
#防火墙配置
|
||||||
|
[ "$firewall_mod" = 'iptables' ] && start_iptables
|
||||||
|
[ "$firewall_mod" = 'nftables' ] && start_nftables
|
||||||
|
#修复部分虚拟机dns查询失败的问题
|
||||||
|
[ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -z "$(grep 'nameserver 127.0.0.1' /etc/resolv.conf 2>/dev/null)" ] && {
|
||||||
|
line=$(grep -n 'nameserver' /etc/resolv.conf | awk -F: 'FNR==1{print $1}')
|
||||||
|
sed -i "$line i\nameserver 127.0.0.1 #shellcrash-dns-repair" /etc/resolv.conf
|
||||||
|
}
|
||||||
|
#openwrt使用dnsmasq转发DNS
|
||||||
|
if [ "$dns_redir" = "已开启" -a "$firewall_area" -le 3 -a "$dns_no" != "已禁用" ];then
|
||||||
|
uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1
|
||||||
|
uci delete dhcp.@dnsmasq[0].resolvfile 2>/dev/null
|
||||||
|
uci add_list dhcp.@dnsmasq[0].server=127.0.0.1#$dns_port > /dev/null 2>&1
|
||||||
|
uci set dhcp.@dnsmasq[0].noresolv=1 2>/dev/null
|
||||||
|
uci commit dhcp >/dev/null 2>&1
|
||||||
|
/etc/init.d/dnsmasq restart >/dev/null 2>&1
|
||||||
|
elif [ "$(uci get dhcp.@dnsmasq[0].dns_redirect 2>/dev/null)" = 1 ];then
|
||||||
|
uci del dhcp.@dnsmasq[0].dns_redirect
|
||||||
|
uci commit dhcp.@dnsmasq[0]
|
||||||
|
fi
|
||||||
|
}
|
||||||
stop_firewall(){ #还原防火墙配置
|
stop_firewall(){ #还原防火墙配置
|
||||||
getconfig
|
getconfig
|
||||||
#获取局域网host地址
|
#获取局域网host地址
|
||||||
getlanip
|
getlanip
|
||||||
#重置iptables相关规则
|
#重置iptables相关规则
|
||||||
ckcmd iptables && {
|
ckcmd iptables && {
|
||||||
#redir
|
#清理shellcrash自建表
|
||||||
iptables -t nat -D PREROUTING -p tcp $ports -j shellcrash 2> /dev/null
|
for table in shellcrash_dns shellcrash shellcrash_out shellcrash_dns_out;do
|
||||||
iptables -t nat -D PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash 2> /dev/null
|
iptables -t nat -F $table 2>/dev/null
|
||||||
iptables -t nat -F shellcrash 2> /dev/null
|
iptables -t nat -X $table 2>/dev/null
|
||||||
iptables -t nat -X shellcrash 2> /dev/null
|
done
|
||||||
|
for table in shellcrash_mark shellcrash_mark_out;do
|
||||||
|
iptables -t mangle -F $table 2>/dev/null
|
||||||
|
iptables -t mangle -X $table 2>/dev/null
|
||||||
|
done
|
||||||
#dns
|
#dns
|
||||||
iptables -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_dns 2> /dev/null
|
iptables -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_dns 2>/dev/null
|
||||||
iptables -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_dns 2> /dev/null
|
iptables -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_dns 2>/dev/null
|
||||||
iptables -t nat -F shellcrash_dns 2> /dev/null
|
iptables -t nat -D OUTPUT -p udp --dport 53 -j shellcrash_dns_out 2>/dev/null
|
||||||
iptables -t nat -X shellcrash_dns 2> /dev/null
|
iptables -t nat -D OUTPUT -p tcp --dport 53 -j shellcrash_dns_out 2>/dev/null
|
||||||
|
#redir
|
||||||
|
iptables -t nat -D PREROUTING -p tcp $ports -j shellcrash 2>/dev/null
|
||||||
|
iptables -t nat -D PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash 2>/dev/null
|
||||||
|
iptables -t nat -D OUTPUT -p tcp $ports -j shellcrash_out 2>/dev/null
|
||||||
|
iptables -t nat -D OUTPUT -p tcp -d 198.18.0.0/16 -j shellcrash_out 2>/dev/null
|
||||||
|
#TPROXY&tun
|
||||||
|
iptables -t mangle -D PREROUTING -p tcp $ports -j shellcrash_mark 2>/dev/null
|
||||||
|
iptables -t mangle -D PREROUTING -p udp $ports -j shellcrash_mark 2>/dev/null
|
||||||
|
iptables -t mangle -D PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash_mark 2>/dev/null
|
||||||
|
iptables -t mangle -D PREROUTING -p udp -d 198.18.0.0/16 -j shellcrash_mark 2>/dev/null
|
||||||
|
iptables -t mangle -D OUTPUT -p tcp $ports -j shellcrash_mark_out 2>/dev/null
|
||||||
|
iptables -t mangle -D OUTPUT -p udp $ports -j shellcrash_mark_out 2>/dev/null
|
||||||
|
iptables -t mangle -D OUTPUT -p tcp -d 198.18.0.0/16 -j shellcrash_mark_out 2>/dev/null
|
||||||
|
iptables -t mangle -D OUTPUT -p udp -d 198.18.0.0/16 -j shellcrash_mark_out 2>/dev/null
|
||||||
#tun
|
#tun
|
||||||
iptables -D FORWARD -o utun -j ACCEPT 2> /dev/null
|
iptables -D FORWARD -o utun -j ACCEPT 2>/dev/null
|
||||||
iptables -D FORWARD -s 198.18.0.0/16 -o utun -j RETURN 2> /dev/null
|
iptables -D FORWARD -s 198.18.0.0/16 -o utun -j RETURN 2>/dev/null
|
||||||
#屏蔽QUIC
|
#屏蔽QUIC
|
||||||
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst'
|
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst'
|
||||||
iptables -D INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT 2> /dev/null
|
iptables -D INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT 2>/dev/null
|
||||||
iptables -D FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT 2> /dev/null
|
iptables -D FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT 2>/dev/null
|
||||||
#本机代理
|
|
||||||
iptables -t nat -D OUTPUT -p tcp $ports -j shellcrash_out 2> /dev/null
|
|
||||||
iptables -t nat -F shellcrash_out 2> /dev/null
|
|
||||||
iptables -t nat -X shellcrash_out 2> /dev/null
|
|
||||||
iptables -t nat -D OUTPUT -p udp --dport 53 -j shellcrash_dns_out 2> /dev/null
|
|
||||||
iptables -t nat -F shellcrash_dns_out 2> /dev/null
|
|
||||||
iptables -t nat -X shellcrash_dns_out 2> /dev/null
|
|
||||||
#docker
|
|
||||||
iptables -t nat -F shellcrash_docker 2> /dev/null
|
|
||||||
iptables -t nat -X shellcrash_docker 2> /dev/null
|
|
||||||
iptables -t nat -D PREROUTING -p tcp -s 172.16.0.0/12 -j shellcrash_docker 2> /dev/null
|
|
||||||
iptables -t nat -D PREROUTING -p udp --dport 53 -s 172.16.0.0/12 -j REDIRECT --to $dns_port 2> /dev/null
|
|
||||||
#TPROXY&tun
|
|
||||||
iptables -t mangle -D PREROUTING -p tcp $ports -j shellcrash 2> /dev/null
|
|
||||||
iptables -t mangle -D PREROUTING -p udp $ports -j shellcrash 2> /dev/null
|
|
||||||
iptables -t mangle -D PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash 2> /dev/null
|
|
||||||
iptables -t mangle -D PREROUTING -p udp -d 198.18.0.0/16 -j shellcrash 2> /dev/null
|
|
||||||
iptables -t mangle -F shellcrash 2> /dev/null
|
|
||||||
iptables -t mangle -X shellcrash 2> /dev/null
|
|
||||||
#公网访问
|
#公网访问
|
||||||
for ip in $host_ipv4 $local_ipv4 $reserve_ipv4;do
|
for ip in $host_ipv4 $local_ipv4 $reserve_ipv4;do
|
||||||
iptables -D INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT 2> /dev/null
|
iptables -D INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT 2>/dev/null
|
||||||
iptables -D INPUT -p tcp -s $ip --dport $db_port -j ACCEPT 2> /dev/null
|
iptables -D INPUT -p tcp -s $ip --dport $db_port -j ACCEPT 2>/dev/null
|
||||||
done
|
done
|
||||||
iptables -D INPUT -p tcp -d 127.0.0.1 -j ACCEPT 2> /dev/null
|
iptables -D INPUT -p tcp -d 127.0.0.1 -j ACCEPT 2>/dev/null
|
||||||
iptables -D INPUT -p tcp --dport $mix_port -j REJECT 2> /dev/null
|
iptables -D INPUT -p tcp --dport $mix_port -j REJECT 2>/dev/null
|
||||||
iptables -D INPUT -p tcp --dport $mix_port -j ACCEPT 2> /dev/null
|
iptables -D INPUT -p tcp --dport $mix_port -j ACCEPT 2>/dev/null
|
||||||
iptables -D INPUT -p tcp --dport $db_port -j REJECT 2> /dev/null
|
iptables -D INPUT -p tcp --dport $db_port -j REJECT 2>/dev/null
|
||||||
iptables -D INPUT -p tcp --dport $db_port -j ACCEPT 2> /dev/null
|
iptables -D INPUT -p tcp --dport $db_port -j ACCEPT 2>/dev/null
|
||||||
}
|
}
|
||||||
#重置ipv6规则
|
#重置ipv6规则
|
||||||
ckcmd ip6tables && {
|
ckcmd ip6tables && {
|
||||||
#redir
|
#清理shellcrash自建表
|
||||||
ip6tables -t nat -D PREROUTING -p tcp $ports -j shellcrashv6 2> /dev/null
|
for table in shellcrashv6_dns shellcrashv6;do
|
||||||
ip6tables -D INPUT -p udp --dport 53 -m comment --comment "ShellCrash-IPV6_DNS-REJECT" -j REJECT 2> /dev/null
|
ip6tables -t nat -F $table 2>/dev/null
|
||||||
ip6tables -t nat -F shellcrashv6 2> /dev/null
|
ip6tables -t nat -X $table 2>/dev/null
|
||||||
ip6tables -t nat -X shellcrashv6 2> /dev/null
|
done
|
||||||
|
ip6tables -t mangle -F shellcrashv6_mark 2>/dev/null
|
||||||
|
ip6tables -t mangle -X shellcrashv6_mark 2>/dev/null
|
||||||
#dns
|
#dns
|
||||||
ip6tables -t nat -D PREROUTING -p tcp --dport 53 -j shellcrashv6_dns 2>/dev/null
|
ip6tables -t nat -D PREROUTING -p tcp --dport 53 -j shellcrashv6_dns 2>/dev/null
|
||||||
ip6tables -t nat -D PREROUTING -p udp --dport 53 -j shellcrashv6_dns 2>/dev/null
|
ip6tables -t nat -D PREROUTING -p udp --dport 53 -j shellcrashv6_dns 2>/dev/null
|
||||||
ip6tables -t nat -F shellcrashv6_dns 2> /dev/null
|
#redir
|
||||||
ip6tables -t nat -X shellcrashv6_dns 2> /dev/null
|
ip6tables -t nat -D PREROUTING -p tcp $ports -j shellcrashv6 2>/dev/null
|
||||||
|
ip6tables -D INPUT -p udp --dport 53 -m comment --comment "ShellCrash-IPV6_DNS-REJECT" -j REJECT 2>/dev/null
|
||||||
|
#mark
|
||||||
|
ip6tables -t mangle -D PREROUTING -p tcp $ports -j shellcrashv6_mark 2>/dev/null
|
||||||
|
ip6tables -t mangle -D PREROUTING -p udp $ports -j shellcrashv6_mark 2>/dev/null
|
||||||
|
ip6tables -D INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT 2>/dev/null
|
||||||
#tun
|
#tun
|
||||||
ip6tables -D FORWARD -o utun -j ACCEPT 2> /dev/null
|
ip6tables -D FORWARD -o utun -j ACCEPT 2>/dev/null
|
||||||
ip6tables -D FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" -j REJECT >/dev/null 2>&1
|
ip6tables -D FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" -j REJECT >/dev/null 2>&1
|
||||||
#屏蔽QUIC
|
#屏蔽QUIC
|
||||||
[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst'
|
[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst'
|
||||||
iptables -D INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2> /dev/null
|
iptables -D INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2>/dev/null
|
||||||
iptables -D FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2> /dev/null
|
iptables -D FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2>/dev/null
|
||||||
#公网访问
|
#公网访问
|
||||||
ip6tables -D INPUT -p tcp --dport $mix_port -j REJECT 2> /dev/null
|
ip6tables -D INPUT -p tcp --dport $mix_port -j REJECT 2>/dev/null
|
||||||
ip6tables -D INPUT -p tcp --dport $mix_port -j ACCEPT 2> /dev/null
|
ip6tables -D INPUT -p tcp --dport $mix_port -j ACCEPT 2>/dev/null
|
||||||
ip6tables -D INPUT -p tcp --dport $db_port -j REJECT 2> /dev/null
|
ip6tables -D INPUT -p tcp --dport $db_port -j REJECT 2>/dev/null
|
||||||
ip6tables -D INPUT -p tcp --dport $db_port -j ACCEPT 2> /dev/null
|
ip6tables -D INPUT -p tcp --dport $db_port -j ACCEPT 2>/dev/null
|
||||||
#tproxy&tun
|
|
||||||
ip6tables -t mangle -D PREROUTING -p tcp $ports -j shellcrashv6 2> /dev/null
|
|
||||||
ip6tables -t mangle -D PREROUTING -p udp $ports -j shellcrashv6 2> /dev/null
|
|
||||||
ip6tables -t mangle -F shellcrashv6 2> /dev/null
|
|
||||||
ip6tables -t mangle -X shellcrashv6 2> /dev/null
|
|
||||||
ip6tables -D INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT 2> /dev/null
|
|
||||||
}
|
}
|
||||||
#清理ipset规则
|
#清理ipset规则
|
||||||
ipset destroy cn_ip >/dev/null 2>&1
|
ipset destroy cn_ip >/dev/null 2>&1
|
||||||
|
@ -1418,10 +1323,10 @@ stop_firewall(){ #还原防火墙配置
|
||||||
/etc/init.d/dnsmasq restart >/dev/null 2>&1
|
/etc/init.d/dnsmasq restart >/dev/null 2>&1
|
||||||
}
|
}
|
||||||
#清理路由规则
|
#清理路由规则
|
||||||
ip rule del fwmark $fwmark table 100 2> /dev/null
|
ip rule del fwmark $fwmark table 100 2>/dev/null
|
||||||
ip route del local default dev lo table 100 2> /dev/null
|
ip route flush table 100 2>/dev/null
|
||||||
ip -6 rule del fwmark $fwmark table 101 2> /dev/null
|
ip -6 rule del fwmark $fwmark table 101 2>/dev/null
|
||||||
ip -6 route del local ::/0 dev lo table 101 2> /dev/null
|
ip -6 route flush table 101 2>/dev/null
|
||||||
#重置nftables相关规则
|
#重置nftables相关规则
|
||||||
ckcmd nft && {
|
ckcmd nft && {
|
||||||
nft flush table inet shellcrash >/dev/null 2>&1
|
nft flush table inet shellcrash >/dev/null 2>&1
|
||||||
|
@ -1711,69 +1616,7 @@ afstart(){ #启动后
|
||||||
done
|
done
|
||||||
if [ -n "$test" -o -n "$(pidof CrashCore)" ];then
|
if [ -n "$test" -o -n "$(pidof CrashCore)" ];then
|
||||||
rm -rf ${TMPDIR}/CrashCore #删除缓存目录内核文件
|
rm -rf ${TMPDIR}/CrashCore #删除缓存目录内核文件
|
||||||
#设置DNS转发
|
start_firewall #配置防火墙流量劫持
|
||||||
start_dns(){
|
|
||||||
if [ "$dns_no" != "已禁用" ];then
|
|
||||||
if [ "$dns_redir" != "已开启" ];then
|
|
||||||
[ "$firewall_mod" = 'iptables' ] && start_ipt_dns
|
|
||||||
[ "$firewall_mod" = 'nftables' ] && start_nft_dns prerouting
|
|
||||||
else
|
|
||||||
#openwrt使用dnsmasq转发
|
|
||||||
uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1
|
|
||||||
uci delete dhcp.@dnsmasq[0].resolvfile 2>/dev/null
|
|
||||||
uci add_list dhcp.@dnsmasq[0].server=127.0.0.1#$dns_port > /dev/null 2>&1
|
|
||||||
uci set dhcp.@dnsmasq[0].noresolv=1 2>/dev/null
|
|
||||||
uci commit dhcp >/dev/null 2>&1
|
|
||||||
/etc/init.d/dnsmasq restart >/dev/null 2>&1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
#设置路由规则
|
|
||||||
[ "$firewall_area" != 4 ] && {
|
|
||||||
getlanip #获取局域网host地址
|
|
||||||
#设置策略路由
|
|
||||||
[ "$redir_mod" = "Tproxy模式" ] && ip route add local default dev lo table 100
|
|
||||||
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && ip route add default dev utun table 100
|
|
||||||
[ "$firewall_area" = 5 ] && ip route add default via $bypass_host table 100
|
|
||||||
[ "$redir_mod" != "纯净模式" -a "$redir_mod" != "Redir模式" ] && ip rule add fwmark $fwmark table 100
|
|
||||||
[ "$firewall_mod" = 'iptables' ] && {
|
|
||||||
[ "$redir_mod" = "Redir模式" ] && start_dns && start_redir
|
|
||||||
[ "$redir_mod" = "混合模式" ] && start_dns && start_redir && start_tun udp
|
|
||||||
[ "$redir_mod" = "Tun模式" ] && start_dns && start_tun all
|
|
||||||
[ "$redir_mod" = "Tproxy模式" ] && start_dns && start_tproxy all
|
|
||||||
[ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -n "$(grep '0:7890' /etc/passwd)" ] && start_output #设置本机代理
|
|
||||||
}
|
|
||||||
[ "$firewall_mod" = 'nftables' ] && {
|
|
||||||
nft add table inet shellcrash #初始化nftables
|
|
||||||
nft flush table inet shellcrash
|
|
||||||
#局域网代理
|
|
||||||
[ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 ] && {
|
|
||||||
start_dns
|
|
||||||
start_nft prerouting
|
|
||||||
#屏蔽QUIC
|
|
||||||
[ "$quic_rj" = 已启用 ] && {
|
|
||||||
nft add chain inet shellcrash input { type filter hook input priority 0 \; }
|
|
||||||
[ -n "$CN_IP" ] && nft add rule inet shellcrash input ip daddr {$CN_IP} return
|
|
||||||
[ -n "$CN_IP6" ] && nft add rule inet shellcrash input ip6 daddr {$CN_IP6} return
|
|
||||||
nft add rule inet shellcrash input udp dport 443 reject comment 'ShellCrash-QUIC-REJECT'
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#设置本机代理
|
|
||||||
[ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -n "$(grep '0:7890' /etc/passwd)" ] && {
|
|
||||||
start_nft_dns output
|
|
||||||
start_nft output
|
|
||||||
#修复部分虚拟机dns查询失败的问题
|
|
||||||
[ -z "$(grep 'nameserver 127.0.0.1' /etc/resolv.conf 2>/dev/null)" ] && {
|
|
||||||
line=$(grep -n 'nameserver' /etc/resolv.conf | awk -F: 'FNR==1{print $1}')
|
|
||||||
sed -i "$line i\nameserver 127.0.0.1 #shellcrash-dns-repair" /etc/resolv.conf
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#启用公网访问防火墙
|
|
||||||
[ "$firewall_mod" = 'iptables' ] && start_ipt_wan
|
|
||||||
[ "$firewall_mod" = 'nftables' ] && start_nft_wan
|
|
||||||
mark_time #标记启动时间
|
mark_time #标记启动时间
|
||||||
[ -s ${CRASHDIR}/configs/web_save -o -s ${CRASHDIR}/configs/web_configs ] && web_restore >/dev/null 2>&1 & #后台还原面板配置
|
[ -s ${CRASHDIR}/configs/web_save -o -s ${CRASHDIR}/configs/web_configs ] && web_restore >/dev/null 2>&1 & #后台还原面板配置
|
||||||
{ sleep 5;logger ShellCrash服务已启动!;} & #推送日志
|
{ sleep 5;logger ShellCrash服务已启动!;} & #推送日志
|
||||||
|
|
Loading…
Reference in New Issue
Block a user