重写iptables防火墙

优化nftables防火墙结构
This commit is contained in:
juewuy 2024-03-05 21:21:40 +08:00
parent 1cc516012c
commit 1285221f66
3 changed files with 358 additions and 509 deletions

View File

@ -2414,32 +2414,38 @@ testcommand(){
if [ "$firewall_mod" = "nftables" ];then
nft list table inet shellcrash
else
echo -------------------Redir---------------------
echo ----------------Redir+DNS---------------------
iptables -t nat -L PREROUTING --line-numbers
iptables -t nat -L shellcrash_dns --line-numbers
iptables -t nat -L shellcrash --line-numbers
[ "$redir_mod" = "Redir模式" ] && iptables -t nat -L shellcrash --line-numbers
[ -n "$(echo $redir_mod | grep -E 'Tproxy模式|混合模式|Tun模式')" ] && {
echo ----------------Tun/Tproxy-------------------
iptables -t mangle -L PREROUTING --line-numbers
iptables -t mangle -L shellcrash --line-numbers
iptables -t mangle -L shellcrash_mark --line-numbers
}
[ "$local_proxy" = "已开启" ] && [ "$local_type" = "iptables增强模式" ] && {
echo ----------------OUTPUT-------------------
[ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && {
echo -------------OUTPUT-Redir+DNS----------------
iptables -t nat -L OUTPUT --line-numbers
iptables -t nat -L shellcrash_dns_out --line-numbers
iptables -t nat -L shellcrash_out --line-numbers
if [ "$redir_mod" = "Redir模式" ];then
iptables -t nat -L shellcrash_out --line-numbers
else
echo ------------OUTPUT-Tun/Tproxy---------------
iptables -t mangle -L OUTPUT --line-numbers
iptables -t mangle -L shellcrash_mark_out --line-numbers
fi
}
[ "$ipv6_redir" = "已开启" ] && {
[ -n "$(lsmod | grep 'ip6table_nat')" ] && {
echo -------------------Redir---------------------
ip6tables -t nat -L >/dev/null 2>&1 && {
echo -------------IPV6-Redir+DNS-------------------
ip6tables -t nat -L PREROUTING --line-numbers
ip6tables -t nat -L shellcrashv6_dns --line-numbers
ip6tables -t nat -L shellcrashv6 --line-numbers
[ "$redir_mod" = "Redir模式" ] && ip6tables -t nat -L shellcrashv6 --line-numbers
}
[ -n "$(echo $redir_mod | grep -E 'Tproxy模式|混合模式|Tun模式')" ] && {
echo ----------------Tun/Tproxy-------------------
echo -------------IPV6-Tun/Tproxy------------------
ip6tables -t mangle -L PREROUTING --line-numbers
ip6tables -t mangle -L shellcrashv6 --line-numbers
ip6tables -t mangle -L shellcrashv6_mark --line-numbers
}
}
fi

View File

@ -688,7 +688,7 @@ setipv6(){ #ipv6设置
setconfig ipv6_redir $ipv6_redir
setconfig ipv6_support $ipv6_support
fi
if [ -n "$(ipset -v 2>/dev/null)" -o -n "$(echo $redir_mod | grep Nft)" ];then
if [ -n "$(ipset -v 2>/dev/null)" -o "$firewall_mod" = 'nftables' ];then
[ "$cn_ipv6_route" = "未开启" ] && cn_ipv6_route=已开启 || cn_ipv6_route=未开启
setconfig cn_ipv6_route $cn_ipv6_route
else
@ -1168,7 +1168,7 @@ set_redir_mod(){
if [ -f /etc/init.d/qca-nss-ecm -a "$systype" = "mi_snapshot" ] ;then
read -p "xiaomi设备的QOS服务与本模式冲突是否禁用相关功能(1/0) > " res
[ "$res" = '1' ] && ${CRASHDIR}/misnap_init.sh tproxyfix && redir_mod=Tproxy模式
elif [ -n "$(iptables -j TPROXY 2>&1 | grep 'on-port')" ] ;then
elif [ -n "$(grep -E '^TPROXY$' /proc/net/ip_tables_targets)" ] ;then
redir_mod=Tproxy模式
set_redir_config
else
@ -1475,7 +1475,7 @@ normal_set(){ #基础设置
normal_set
elif [ "$num" = 8 ]; then
if [ -n "$(ipset -v 2>/dev/null)" -o -n "$(echo $redir_mod | grep Nft)" ];then
if [ -n "$(ipset -v 2>/dev/null)" -o "$firewall_mod" = 'nftables' ];then
if [ "$cn_ip_route" = "未开启" ]; then
echo -e "\033[32m已开启CN_IP绕过内核功能\033[0m"
echo -e "\033[31m注意此功能会导致全局模式及一切CN相关规则失效\033[0m"

View File

@ -383,7 +383,7 @@ EOF
}
#域名嗅探配置
[ "$sniffer" = "已启用" ] && [ "$crashcore" = "meta" ] && sniffer_set="sniffer: {enable: true, parse-pure-ip: true, skip-domain: [Mijia Cloud], sniff: {tls: {ports: [443, 8443]}, http: {ports: [80, 8080-8880]}}}"
[ "$crashcore" = "clashpre" ] && [ "$dns_mod" = "redir_host" -o "$sniffer" = "已启用" ] && exper="experimental: {ignore-resolve-fail: true, interface-name: en0, sniff-tls-sni: true}"
[ "$crashcore" = "clashpre" ] && [ "$dns_mod" = "redir_host" -o "$sniffer" = "已启用" ] && exper="experimental: {ignore-resolve-fail: true, interface-name: en0,sniff-tls-sni: true}"
#生成set.yaml
cat > ${TMPDIR}/set.yaml <<EOF
mixed-port: $mix_port
@ -862,310 +862,75 @@ cn_ipv6_route(){ #CN-IPV6绕过
rm -rf cn6_$USER.ipset
}
}
start_redir(){ #iptables-redir
#获取局域网host地址
getlanip
#流量过滤
iptables -t nat -N shellcrash
for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段
iptables -t nat -A shellcrash -d $ip -j RETURN
done
#绕过CN_IP
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && \
iptables -t nat -A shellcrash -m set --match-set cn_ip dst -j RETURN 2>/dev/null
#局域网设备过滤
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单
iptables -t nat -A shellcrash -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $redir_port
done
else
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单
iptables -t nat -A shellcrash -m mac --mac-source $mac -j RETURN
done
#仅代理本机局域网网段流量
for ip in $host_ipv4;do
iptables -t nat -A shellcrash -p tcp -s $ip -j REDIRECT --to-ports $redir_port
done
fi
#将PREROUTING链指向shellcrash链
iptables -t nat -A PREROUTING -p tcp $ports -j shellcrash
[ "$dns_mod" != "redir_host" -a "$common_ports" = "已开启" ] && iptables -t nat -A PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash
#设置ipv6转发
if [ "$ipv6_redir" = "已开启" ] && ip6tables -t nat -L >/dev/null 2>&1;then
ip6tables -t nat -N shellcrashv6
for ip in $reserve_ipv6 $host_ipv6;do #跳过目标保留地址及目标本机网段
ip6tables -t nat -A shellcrashv6 -d $ip -j RETURN
done
#绕过CN_IPV6
[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && \
ip6tables -t nat -A shellcrashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
#局域网设备过滤
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单
ip6tables -t nat -A shellcrashv6 -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $redir_port
done
else
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单
ip6tables -t nat -A shellcrashv6 -m mac --mac-source $mac -j RETURN
done
#仅代理本机局域网网段流量
for ip in $host_ipv6;do
ip6tables -t nat -A shellcrashv6 -p tcp -s $ip -j REDIRECT --to-ports $redir_port
done
fi
ip6tables -t nat -A PREROUTING -p tcp $ports -j shellcrashv6
fi
return 0
}
start_ipt_dns(){ #iptables-dns
#屏蔽OpenWrt内置53端口转发
[ "$(uci get dhcp.@dnsmasq[0].dns_redirect 2>/dev/null)" = 1 ] && {
uci del dhcp.@dnsmasq[0].dns_redirect
uci commit dhcp.@dnsmasq[0]
start_ipt_route(){ #iptables-route通用工具
#$1:iptables/ip6tables $2:所在的表(nat/mangle) $3:所在的链(OUTPUT/PREROUTING) $4:新创建的shellcrash链表 $5:tcp/udp/all
#区分ipv4/ipv6
[ "$1" = 'iptables' ] && {
RESERVED_IP=$reserve_ipv4
HOST_IP=$host_ipv4
[ "$4" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4"
}
#设置dns转发
iptables -t nat -N shellcrash_dns
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单
iptables -t nat -A shellcrash_dns -p udp -m mac --mac-source $mac -j REDIRECT --to $dns_port
done
else
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单
iptables -t nat -A shellcrash_dns -m mac --mac-source $mac -j RETURN
done
iptables -t nat -A shellcrash_dns -p tcp -j REDIRECT --to $dns_port
iptables -t nat -A shellcrash_dns -p udp -j REDIRECT --to $dns_port
fi
iptables -t nat -I PREROUTING -p tcp --dport 53 -j shellcrash_dns
iptables -t nat -I PREROUTING -p udp --dport 53 -j shellcrash_dns
#ipv6DNS
if [ -n "$(lsmod | grep 'ip6table_nat')" -a -n "$(lsmod | grep 'xt_nat')" ];then
ip6tables -t nat -N shellcrashv6_dns > /dev/null 2>&1
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单
ip6tables -t nat -A shellcrashv6_dns -p udp -m mac --mac-source $mac -j REDIRECT --to $dns_port
done
else
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单
ip6tables -t nat -A shellcrashv6_dns -m mac --mac-source $mac -j RETURN
done
ip6tables -t nat -A shellcrashv6_dns -p tcp -j REDIRECT --to $dns_port
ip6tables -t nat -A shellcrashv6_dns -p udp -j REDIRECT --to $dns_port
fi
ip6tables -t nat -I PREROUTING -p tcp --dport 53 -j shellcrashv6_dns
ip6tables -t nat -I PREROUTING -p udp --dport 53 -j shellcrashv6_dns
else
ip6tables -I INPUT -p udp --dport 53 -m comment --comment "ShellCrash-IPV6_DNS-REJECT" -j REJECT 2>/dev/null
fi
return 0
}
start_tproxy(){ #iptables-tproxy
#获取局域网host地址
getlanip
modprobe xt_TPROXY >/dev/null 2>&1
ip rule add fwmark $fwmark table 100
ip route add local default dev lo table 100
iptables -t mangle -N shellcrash
iptables -t mangle -A shellcrash -p udp --dport 53 -j RETURN
for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段
iptables -t mangle -A shellcrash -d $ip -j RETURN
[ "$1" = 'ip6tables' ] && {
RESERVED_IP=$reserve_ipv6
HOST_IP=$host_ipv6
}
#创建新的shellcrash链表
$1 -t $2 -N $4
#本机代理防回环
[ "$3" = 'OUTPUT' ] && for gid in 453 7890;do
$1 -t $2 -A $4 -m owner --gid-owner $gid -j RETURN
done
#跳过目标保留地址及目标本机网段
for ip in $HOST_IP $RESERVED_IP;do
$1 -t $2 -A $4 -d $ip -j RETURN
done
#绕过CN_IP
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && \
iptables -t mangle -A shellcrash -m set --match-set cn_ip dst -j RETURN 2>/dev/null
$1 -t $2 -A $4 -m set --match-set cn_ip dst -j RETURN 2>/dev/null
#局域网mac地址黑名单过滤
[ -s "$(cat ${CRASHDIR}/configs/mac)" -a "$macfilter_type" != "白名单" ] && \
for mac in $(cat ${CRASHDIR}/configs/mac); do
$1 -t $2 -A $4 -m mac --mac-source $mac -j RETURN
done
#tcp&udp分别进代理链
tproxy_set(){
proxy_set(){
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单
$1 -t $2 -A $4 -p $5 -m mac --mac-source $mac -j $JUMP
done
else
for ip in $HOST_IP;do #仅限指定网段流量
$1 -t $2 -A $4 -p $5 -s $ip -j $JUMP
done
fi
#将所在链指定流量指向shellcrash表
$1 -t $2 -I $3 -p $5 $ports -j $4
[ "$dns_mod" != "redir_host" ] && [ "$common_ports" = "已开启" ] && [ "$1" = iptables ] && $1 -t $2 -I $3 -p $5 -d 198.18.0.0/16 -j $4
}
[ "$5" = "tcp" -o "$5" = "all" ] && proxy_set $1 $2 $3 $4 tcp
[ "$5" = "udp" -o "$5" = "all" ] && proxy_set $1 $2 $3 $4 udp
}
start_ipt_dns(){ #iptables-dns通用工具
#$1:iptables/ip6tables $2:所在的表(OUTPUT/PREROUTING) $3:新创建的shellcrash表
$1 -t nat -N $3
#绕过本机dns应用
[ "$2" = 'OUTPUT' ] && for gid in 453 7890;do
$1 -t nat -A $3 -m owner --gid-owner $gid -j RETURN
done
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单
iptables -t mangle -A shellcrash -p $1 -m mac --mac-source $mac -j TPROXY --on-port $tproxy_port --tproxy-mark $fwmark
$1 -t nat -A $3 -p tcp -m mac --mac-source $mac -j REDIRECT --to $dns_port
$1 -t nat -A $3 -p udp -m mac --mac-source $mac -j REDIRECT --to $dns_port
done
else
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单
iptables -t mangle -A shellcrash -m mac --mac-source $mac -j RETURN
done
#仅代理本机局域网网段流量
for ip in $host_ipv4;do
iptables -t mangle -A shellcrash -p $1 -s $ip -j TPROXY --on-port $tproxy_port --tproxy-mark $fwmark
$1 -t nat -A $3 -m mac --mac-source $mac -j RETURN
done
$1 -t nat -A $3 -p tcp -j REDIRECT --to $dns_port
$1 -t nat -A $3 -p udp -j REDIRECT --to $dns_port
fi
iptables -t mangle -A PREROUTING -p $1 $ports -j shellcrash
[ "$dns_mod" != "redir_host" -a "$common_ports" = "已开启" ] && iptables -t mangle -A PREROUTING -p $1 -d 198.18.0.0/16 -j shellcrash
}
[ "$1" = "all" ] && tproxy_set tcp
tproxy_set udp
#屏蔽QUIC
[ "$quic_rj" = 已启用 ] && {
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst'
iptables -I INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1
}
#设置ipv6转发
[ "$ipv6_redir" = "已开启" ] && ip6tables -t nat -L >/dev/null 2>&1 && {
ip -6 rule add fwmark $fwmark table 101
ip -6 route add local ::/0 dev lo table 101
ip6tables -t mangle -N shellcrashv6
ip6tables -t mangle -A shellcrashv6 -p udp --dport 53 -j RETURN
for ip in $host_ipv6 $reserve_ipv6;do #跳过目标保留地址及目标本机网段
ip6tables -t mangle -A shellcrashv6 -d $ip -j RETURN
done
#绕过CN_IPV6
[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && \
ip6tables -t mangle -A shellcrashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
#tcp&udp分别进代理链
tproxy_set6(){
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
#mac白名单
for mac in $(cat ${CRASHDIR}/configs/mac); do
ip6tables -t mangle -A shellcrashv6 -p $1 -m mac --mac-source $mac -j TPROXY --on-port $tproxy_port --tproxy-mark $fwmark
done
else
#mac黑名单
for mac in $(cat ${CRASHDIR}/configs/mac); do
ip6tables -t mangle -A shellcrashv6 -m mac --mac-source $mac -j RETURN
done
#仅代理本机局域网网段流量
for ip in $host_ipv6;do
ip6tables -t mangle -A shellcrashv6 -p $1 -s $ip -j TPROXY --on-port $tproxy_port --tproxy-mark $fwmark
done
fi
ip6tables -t mangle -A PREROUTING -p $1 $ports -j shellcrashv6
}
[ "$1" = "all" ] && tproxy_set6 tcp
tproxy_set6 udp
#屏蔽QUIC
[ "$quic_rj" = 已启用 ] && {
[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst'
ip6tables -I INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2>/dev/null
}
}
}
start_output(){ #iptables本机代理
#获取局域网host地址
getlanip
#流量过滤
iptables -t nat -N shellcrash_out
iptables -t nat -A shellcrash_out -m owner --gid-owner 7890 -j RETURN
for ip in $local_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段
iptables -t nat -A shellcrash_out -d $ip -j RETURN
done
#绕过CN_IP
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && \
iptables -t nat -A shellcrash_out -m set --match-set cn_ip dst -j RETURN >/dev/null 2>&1
#仅允许本机流量
for ip in 127.0.0.0/8 $local_ipv4;do
iptables -t nat -A shellcrash_out -p tcp -s $ip -j REDIRECT --to-ports $redir_port
done
iptables -t nat -A OUTPUT -p tcp $ports -j shellcrash_out
#设置dns转发
[ "$dns_no" != "已禁用" ] && {
[ -z "$(grep 'nameserver 127.0.0.1' /etc/resolv.conf 2>/dev/null)" ] && echo 'nameserver 127.0.0.1' >> /etc/resolv.conf #修复部分虚拟机dns查询失败的问题
iptables -t nat -N shellcrash_dns_out
iptables -t nat -A shellcrash_dns_out -m owner --gid-owner 453 -j RETURN #绕过本机dnsmasq
iptables -t nat -A shellcrash_dns_out -m owner --gid-owner 7890 -j RETURN
iptables -t nat -A shellcrash_dns_out -p udp -j REDIRECT --to $dns_port
iptables -t nat -A OUTPUT -p udp --dport 53 -j shellcrash_dns_out
}
#Docker转发
ckcmd docker && {
iptables -t nat -N shellcrash_docker
for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段
iptables -t nat -A shellcrash_docker -d $ip -j RETURN
done
iptables -t nat -A shellcrash_docker -p tcp -j REDIRECT --to-ports $redir_port
iptables -t nat -A PREROUTING -p tcp -s 172.16.0.0/12 -j shellcrash_docker
[ "$dns_no" != "已禁用" ] && iptables -t nat -A PREROUTING -p udp --dport 53 -s 172.16.0.0/12 -j REDIRECT --to $dns_port
}
}
start_tun(){ #iptables-tun
modprobe tun >/dev/null 2>&1
#允许流量
iptables -I FORWARD -o utun -j ACCEPT
iptables -I FORWARD -s 198.18.0.0/16 -o utun -j RETURN #防止回环
ip6tables -I FORWARD -o utun -j ACCEPT > /dev/null 2>&1
#屏蔽QUIC
if [ "$quic_rj" = 已启用 ];then
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && {
set_cn_ip='-m set ! --match-set cn_ip dst'
set_cn_ip6='-m set ! --match-set cn_ip6 dst'
}
iptables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1
ip6tables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT >/dev/null 2>&1
fi
if [ -n "$(iptables -j MARK 2>&1 | grep 'mark')" ];then
i=1
while [ -z "$(ip route list |grep utun)" -a "$i" -le 29 ];do
sleep 1
i=$((i+1))
done
if [ -z "$(ip route list |grep utun)" ];then
logger "找不到tun模块放弃启动tun相关防火墙规则" 31
else
ip route add default dev utun table 100
ip rule add fwmark $fwmark table 100
#获取局域网host地址
getlanip
iptables -t mangle -N shellcrash
iptables -t mangle -A shellcrash -p udp --dport 53 -j RETURN
for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段
iptables -t mangle -A shellcrash -d $ip -j RETURN
done
#防止回环
iptables -t mangle -A shellcrash -s 198.18.0.0/16 -j RETURN
#绕过CN_IP
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && \
iptables -t mangle -A shellcrash -m set --match-set cn_ip dst -j RETURN 2>/dev/null
#局域网设备过滤
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单
iptables -t mangle -A shellcrash -m mac --mac-source $mac -j MARK --set-mark $fwmark
done
else
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单
iptables -t mangle -A shellcrash -m mac --mac-source $mac -j RETURN
done
#仅代理本机局域网网段流量
for ip in $host_ipv4;do
iptables -t mangle -A shellcrash -s $ip -j MARK --set-mark $fwmark
done
fi
iptables -t mangle -A PREROUTING -p udp $ports -j shellcrash
[ "$1" = "all" ] && iptables -t mangle -A PREROUTING -p tcp $ports -j shellcrash
#设置ipv6转发
[ "$ipv6_redir" = "已开启" ] && ip6tables -t nat -L >/dev/null 2>&1 && [ "$crashcore" != clash ] && {
ip -6 route add default dev utun table 101
ip -6 rule add fwmark $fwmark table 101
ip6tables -t mangle -N shellcrashv6
ip6tables -t mangle -A shellcrashv6 -p udp --dport 53 -j RETURN
for ip in $host_ipv6 $reserve_ipv6;do #跳过目标保留地址及目标本机网段
ip6tables -t mangle -A shellcrashv6 -d $ip -j RETURN
done
#绕过CN_IPV6
[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && \
ip6tables -t mangle -A shellcrashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
#局域网设备过滤
if [ "$macfilter_type" = "白名单" -a -n "$(cat ${CRASHDIR}/configs/mac)" ];then
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac白名单
ip6tables -t mangle -A shellcrashv6 -m mac --mac-source $mac -j MARK --set-mark $fwmark
done
else
for mac in $(cat ${CRASHDIR}/configs/mac); do #mac黑名单
ip6tables -t mangle -A shellcrashv6 -m mac --mac-source $mac -j RETURN
done
#仅代理本机局域网网段流量
for ip in $host_ipv6;do
ip6tables -t mangle -A shellcrashv6 -s $ip -j MARK --set-mark $fwmark
done
fi
ip6tables -t mangle -A PREROUTING -p udp $ports -j shellcrashv6
[ "$1" = "all" ] && ip6tables -t mangle -A PREROUTING -p tcp $ports -j shellcrashv6
}
fi
else
logger "iptables缺少-J MARK功能放弃启动tun相关防火墙规则" 31
fi
$1 -t nat -I $2 -p tcp --dport 53 -j $3
$1 -t nat -I $2 -p udp --dport 53 -j $3
}
start_ipt_wan(){ #iptables公网防火墙
#获取局域网host地址
@ -1194,110 +959,151 @@ start_ipt_wan(){ #iptables公网防火墙
fi
iptables -I INPUT -p tcp -d 127.0.0.1 -j ACCEPT #本机请求全放行
}
start_nft(){ #nftables-all-in-one
table_type=$1
[ -n "$2" ] && table=$2 || table=$1
start_iptables(){ #iptables配置总入口
#启动公网访问防火墙
start_ipt_wan
#启动DNS劫持
[ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && {
[ "$lan_proxy" = true ] && {
start_ipt_dns iptables PREROUTING shellcrash_dns #ipv4-局域网dns转发
if ip6tables -t nat -L >/dev/null 2>&1;then
start_ipt_dns ip6tables PREROUTING shellcrashv6_dns #ipv6-局域网dns转发
else
ip6tables -I INPUT -p udp --dport 53 -m comment --comment "ShellCrash-IPV6_DNS-REJECT" -j REJECT 2>/dev/null
fi
}
[ "$local_proxy" = true ] && start_ipt_dns iptables OUTPUT shellcrash_dns_out #ipv4-本机dns转发
}
#分模式设置流量劫持
[ "$redir_mod" = "Redir模式" -o "$redir_mod" = "混合模式" ] && {
JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && {
start_ipt_route iptables nat PREROUTING shellcrash tcp #ipv4-局域网tcp转发
[ "$ipv6_redir" = "已开启" ] && {
if ip6tables -t nat -L >/dev/null 2>&1;then
start_ipt_route ip6tables nat PREROUTING shellcrashv6 tcp #ipv6-局域网tcp转发
else
logger "当前设备内核缺少ip6tables-nat模块支持已放弃启动相关规则" 31
fi
}
}
[ "$local_proxy" = true ] && start_ipt_route iptables nat OUTPUT shellcrash_out tcp #ipv4-本机tcp转发
}
[ "$redir_mod" = "Tproxy模式" ] && {
JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令
if [ -n "$(grep -E '^TPROXY$' /proc/net/ip_tables_targets)" ];then
[ "$lan_proxy" = true ] && start_ipt_route iptables mangle PREROUTING shellcrash_mark all
[ "$local_proxy" = true ] && start_ipt_route iptables mangle OUTPUT shellcrash_mark_out all
else
logger "当前设备内核可能缺少kmod-ipt-tproxy模块支持已放弃启动相关规则" 31
fi
[ "$ipv6_redir" = "已开启" ] && [ "$lan_proxy" = true ] && {
if [ -n "$(grep -E '^TPROXY$' /proc/net/ip6_tables_targets)" ];then
start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark all
else
logger "当前设备内核可能缺少kmod-ipt-tproxy模块支持已放弃启动相关规则" 31
fi
}
}
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" -o "$redir_mod" = "T&U旁路转发" -o "$redir_mod" = "TCP旁路转发" ] && {
JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "T&U旁路转发" ] && protocol=all
[ "$redir_mod" = "混合模式" ] && protocol=udp
[ "$redir_mod" = "TCP旁路转发" ] && protocol=tcp
if [ -n "$(grep -E '^MARK$' /proc/net/ip_tables_targets)" ];then
[ "$lan_proxy" = true ] && start_ipt_route iptables mangle PREROUTING shellcrash_mark $protocol
[ "$local_proxy" = true ] && start_ipt_route iptables mangle OUTPUT shellcrash_mark_out $protocol
else
logger "当前设备内核可能缺少xt-mark模块支持已放弃启动相关规则" 31
fi
[ "$ipv6_redir" = "已开启" ] && [ "$lan_proxy" = true ] && {
if [ -n "$(grep -E '^MARK$' /proc/net/ip6_tables_targets)" ];then
start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark $protocol
else
logger "当前设备内核可能缺少xt-mark模块支持已放弃启动相关规则" 31
fi
}
}
#屏蔽QUIC
[ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && {
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && {
set_cn_ip='-m set ! --match-set cn_ip dst'
set_cn_ip6='-m set ! --match-set cn_ip6 dst'
}
iptables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1
ip6tables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT >/dev/null 2>&1
}
}
start_nft_route(){ #nftables-route通用工具
#$1:name $2:hook(prerouting/output) $3:type(nat/mangle/filter) $4:priority(-100/-150)
[ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g')
RESERVED_IP=$(echo $reserve_ipv4 | sed 's/ /, /g')
if [ "$1" = 'output' ];then
HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
chain_type=route
else
HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
chain_type=nat
fi
#不同模式调整
[ "$redir_mod" = "Redir模式" ] && \
nft add chain inet shellcrash $table { type nat hook $table_type priority -100 \; }
[ "$redir_mod" = "Tproxy模式" ] && {
modprobe nft_tproxy >/dev/null 2>&1
nft add chain inet shellcrash $table { type $chain_type hook $table_type priority mangle \; }
}
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
modprobe tun >/dev/null 2>&1
i=1
while [ -z "$(ip route list |grep utun)" -a "$i" -le 29 ];do
sleep 1
i=$((i+1))
done
if [ -z "$(ip route list |grep utun)" ];then
logger "找不到tun模块放弃启动tun相关防火墙规则" 31
exit 1
else
nft add chain inet shellcrash $table { type $chain_type hook $table_type priority mangle \; }
nft add rule inet shellcrash $table ip saddr 198.18.0.0/16 return #防止回环
fi
}
[ "$firewall_area" = 5 ] && {
nft add chain inet shellcrash $table { type $chain_type hook $table_type priority mangle \; }
nft add rule inet shellcrash $table ip daddr {$bypass_host} return
}
#本机流量防回环
[ "$table_type" = 'output' ] && nft add rule inet shellcrash $table meta skgid 7890 return
HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
[ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
#添加新链
nft add chain inet shellcrash $1 { type $3 hook $2 priority $4 \; }
#防回环
nft add rule inet shellcrash $1 meta skgid 7890 return
nft add rule inet shellcrash $1 ip saddr 198.18.0.0/16 return
[ "$firewall_area" = 5 ] && nft add rule inet shellcrash $1 ip daddr $bypass_host return
#过滤局域网设备
[ -n "$(cat ${CRASHDIR}/configs/mac)" ] && {
MAC=$(awk '{printf "%s, ",$1}' ${CRASHDIR}/configs/mac)
[ "$macfilter_type" = "黑名单" ] && \
nft add rule inet shellcrash $table ether saddr {$MAC} return || \
nft add rule inet shellcrash $table ether saddr != {$MAC} return
if [ "$macfilter_type" = "黑名单" ];then
nft add rule inet shellcrash $1 ether saddr {$MAC} return
else
nft add rule inet shellcrash $1 ether saddr != {$MAC} return
fi
}
#过滤保留地址
nft add rule inet shellcrash $table ip daddr {$RESERVED_IP} return
#仅代理本机局域网网段流量
nft add rule inet shellcrash $table ip saddr != {$HOST_IP} return
nft add rule inet shellcrash $1 ip daddr {$RESERVED_IP} return #过滤保留地址
nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理本机局域网网段流量
#绕过CN-IP
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" -a -f ${BINDIR}/cn_ip.txt ] && {
CN_IP=$(awk '{printf "%s, ",$1}' ${BINDIR}/cn_ip.txt)
[ -n "$CN_IP" ] && nft add rule inet shellcrash $table ip daddr {$CN_IP} return
[ -n "$CN_IP" ] && nft add rule inet shellcrash $1 ip daddr {$CN_IP} return
}
#过滤常用端口
[ -n "$PORTS" ] && nft add rule inet shellcrash $table tcp dport != {$PORTS} ip daddr != {198.18.0.0/16} return
[ -n "$PORTS" ] && nft add rule inet shellcrash $1 tcp dport != {$PORTS} ip daddr != {198.18.0.0/16} return #过滤常用端口
#局域网ipv6支持
if [ "$ipv6_redir" = "已开启" -a "$table_type" = 'prerouting' -a "$firewall_area" != 5 ];then
if [ "$ipv6_redir" = "已开启" -a "$1" = 'prerouting' -a "$firewall_area" != 5 ];then
RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')"
HOST_IP6="$(echo $host_ipv6 | sed 's/ /, /g')"
ip -6 rule add fwmark $fwmark table 101 2> /dev/null
ip -6 route add local ::/0 dev lo table 101 2> /dev/null
#过滤保留地址及本机地址
nft add rule inet shellcrash $table ip6 daddr {$RESERVED_IP6} return
nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return
#仅代理本机局域网网段流量
nft add rule inet shellcrash $table ip6 saddr != {$HOST_IP6} return
nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return
#绕过CN_IPV6
[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" -a -f ${BINDIR}/cn_ipv6.txt ] && {
CN_IP6=$(awk '{printf "%s, ",$1}' ${BINDIR}/cn_ipv6.txt)
[ -n "$CN_IP6" ] && nft add rule inet shellcrash $table ip6 daddr {$CN_IP6} return
[ -n "$CN_IP6" ] && nft add rule inet shellcrash $1 ip6 daddr {$CN_IP6} return
}
else
nft add rule inet shellcrash $table meta nfproto ipv6 return
nft add rule inet shellcrash $1 meta nfproto ipv6 return
fi
# nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug
[ "$redir_mod" = "Redir模式" ] && nft add rule inet shellcrash $table meta l4proto tcp redirect to $redir_port
[ "$redir_mod" = "混合模式" ] && {
nft add rule inet shellcrash $table meta l4proto udp mark set $fwmark
nft add rule inet shellcrash $table meta l4proto tcp mark set $((fwmark + 1))
nft add chain inet shellcrash ${table}_mixtcp { type nat hook $table_type priority -100 \; }
nft add rule inet shellcrash ${table}_mixtcp mark == $((fwmark + 1)) meta l4proto tcp redirect to $redir_port
}
#添加通用路由
nft add rule inet shellcrash $1 $JUMP
#处理特殊路由
[ "$redir_mod" = "Tproxy模式" ] && {
nft add rule inet shellcrash $table meta l4proto {tcp, udp} mark set $fwmark
nft add chain inet shellcrash ${table}_tproxy { type filter hook $table_type priority -100 \; }
nft add rule inet shellcrash ${table}_tproxy meta mark == $fwmark meta l4proto {tcp, udp} tproxy to :$tproxy_port
nft add chain inet shellcrash ${1}_tproxy { type filter hook $2 priority -100 \; }
nft add rule inet shellcrash ${1}_tproxy meta mark == $fwmark meta l4proto {tcp, udp} tproxy to :$tproxy_port
}
[ "$redir_mod" = "Tun模式" ] && nft add rule inet shellcrash $table meta l4proto {tcp, udp} mark set $fwmark
[ "$redir_mod" = "TCP旁路转发" ] && nft add rule inet shellcrash $table meta l4proto tcp mark set $fwmark
[ "$redir_mod" = "T&U旁路转发" ] && nft add rule inet shellcrash $table meta l4proto {tcp, udp} mark set $fwmark
[ "$redir_mod" = "混合模式" ] && {
nft add rule inet shellcrash $1 meta l4proto tcp mark set $((fwmark + 1))
nft add chain inet shellcrash ${1}_mixtcp { type nat hook $2 priority -100 \; }
nft add rule inet shellcrash ${1}_mixtcp mark == $((fwmark + 1)) meta l4proto tcp redirect to $redir_port
}
#nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug
}
start_nft_dns(){ #nftables-dns
nft add chain inet shellcrash ${1}_dns { type nat hook $1 priority -100 \; }
nft add rule inet shellcrash ${1}_dns meta skgid { 453, 7890 } return
#过滤局域网设备
[ -n "$(cat ${CRASHDIR}/configs/mac)" ] && {
MAC=$(awk '{printf "%s, ",$1}' ${CRASHDIR}/configs/mac)
[ "$macfilter_type" = "黑名单" ] && \
nft add rule inet shellcrash ${1}_dns ether saddr {$MAC} return || \
if [ "$macfilter_type" = "黑名单" ];then
nft add rule inet shellcrash ${1}_dns ether saddr {$MAC} return
else
nft add rule inet shellcrash ${1}_dns ether saddr != {$MAC} return
}
[ "$1" = 'output' ] && {
nft add rule inet shellcrash ${1}_dns meta skgid { 453, 7890 } return
fi
}
nft add rule inet shellcrash ${1}_dns udp dport 53 redirect to ${dns_port}
nft add rule inet shellcrash ${1}_dns tcp dport 53 redirect to ${dns_port}
@ -1323,89 +1129,188 @@ start_nft_wan(){ #nftables公网防火墙
nft add rule inet shellcrash input tcp dport $mix_port reject
fi
}
start_nftables(){ #nftables配置总入口
#初始化nftables
nft add table inet shellcrash
nft flush table inet shellcrash
#公网访问防火墙
start_nft_wan
#启动DNS劫持
[ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && {
[ "$lan_proxy" = true ] && start_nft_dns prerouting #局域网dns转发
[ "$local_proxy" = true ] && start_nft_dns output #本机dns转发
}
#分模式设置流量劫持
[ "$redir_mod" = "Redir模式" ] && {
JUMP="meta l4proto tcp redirect to $redir_port" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -100
[ "$local_proxy" = true ] && start_nft_route output output nat -100
}
[ "$redir_mod" = "Tproxy模式" ] && modprobe nft_tproxy >/dev/null 2>&1 && {
JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -150
[ "$local_proxy" = true ] && start_nft_route output output route -150
}
[ "$redir_mod" = "Tun模式" ] && [ "$tun_statu" != false ] && {
JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -150
[ "$local_proxy" = true ] && start_nft_route output output route -150
}
[ "$redir_mod" = "混合模式" ] && [ "$tun_statu" != false ] && {
JUMP="meta l4proto udp mark set $fwmark" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -150
[ "$local_proxy" = true ] && start_nft_route output output route -150
}
[ "$firewall_area" = 5 ] && {
[ "$redir_mod" = "T&U旁路转发" ] && JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令
[ "$redir_mod" = "TCP旁路转发" ] && JUMP="meta l4proto tcp mark set $fwmark" #跳转劫持的具体命令
[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -150
[ "$local_proxy" = true ] && start_nft_route output output route -150
}
#屏蔽QUIC
[ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && {
nft add chain inet shellcrash quic_rj { type filter hook input priority 0 \; }
[ -n "$CN_IP" ] && nft add rule inet shellcrash quic_rj ip daddr {$CN_IP} return
[ -n "$CN_IP6" ] && nft add rule inet shellcrash quic_rj ip6 daddr {$CN_IP6} return
nft add rule inet shellcrash quic_rj udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT'
}
}
start_firewall(){ #路由规则总入口
getlanip #获取局域网host地址
#设置策略路由
[ "$firewall_area" != 4 ] && {
local table=100
[ "$redir_mod" = "Tproxy模式" ] && ip route add local default dev lo table $table
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
i=1
while [ -z "$(ip route list |grep utun)" -a "$i" -le 29 ];do
sleep 1
i=$((i+1))
done
if [ -z "$(ip route list |grep utun)" ];then
tun_statu=false
logger "找不到tun模块放弃启动tun相关防火墙规则" 31
else
ip route add default dev utun table $table
#iptables -I FORWARD -o utun -j ACCEPT
fi
}
[ "$firewall_area" = 5 ] && ip route add default via $bypass_host table $table
[ "$redir_mod" != "Redir模式" ] && ip rule add fwmark $fwmark table $table
}
#添加ipv6路由
[ "$ipv6_redir" = "已开启" -a "$firewall_area" -le 3 ] && {
[ "$redir_mod" = "Tproxy模式" ] && ip -6 route add local default dev lo table $((table + 1))
[ -n "$(ip route list |grep utun)" ] && ip -6 route add default dev utun table $((table + 1))
[ "$redir_mod" != "Redir模式" ] && ip -6 rule add fwmark $fwmark table $((table + 1))
}
#判断代理用途
[ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -n "$(grep '0:7890' /etc/passwd)" ] && local_proxy=true
[ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 ] && lan_proxy=true
#防火墙配置
[ "$firewall_mod" = 'iptables' ] && start_iptables
[ "$firewall_mod" = 'nftables' ] && start_nftables
#修复部分虚拟机dns查询失败的问题
[ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -z "$(grep 'nameserver 127.0.0.1' /etc/resolv.conf 2>/dev/null)" ] && {
line=$(grep -n 'nameserver' /etc/resolv.conf | awk -F: 'FNR==1{print $1}')
sed -i "$line i\nameserver 127.0.0.1 #shellcrash-dns-repair" /etc/resolv.conf
}
#openwrt使用dnsmasq转发DNS
if [ "$dns_redir" = "已开启" -a "$firewall_area" -le 3 -a "$dns_no" != "已禁用" ];then
uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1
uci delete dhcp.@dnsmasq[0].resolvfile 2>/dev/null
uci add_list dhcp.@dnsmasq[0].server=127.0.0.1#$dns_port > /dev/null 2>&1
uci set dhcp.@dnsmasq[0].noresolv=1 2>/dev/null
uci commit dhcp >/dev/null 2>&1
/etc/init.d/dnsmasq restart >/dev/null 2>&1
elif [ "$(uci get dhcp.@dnsmasq[0].dns_redirect 2>/dev/null)" = 1 ];then
uci del dhcp.@dnsmasq[0].dns_redirect
uci commit dhcp.@dnsmasq[0]
fi
}
stop_firewall(){ #还原防火墙配置
getconfig
#获取局域网host地址
getlanip
#重置iptables相关规则
ckcmd iptables && {
#redir
iptables -t nat -D PREROUTING -p tcp $ports -j shellcrash 2> /dev/null
iptables -t nat -D PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash 2> /dev/null
iptables -t nat -F shellcrash 2> /dev/null
iptables -t nat -X shellcrash 2> /dev/null
#清理shellcrash自建表
for table in shellcrash_dns shellcrash shellcrash_out shellcrash_dns_out;do
iptables -t nat -F $table 2>/dev/null
iptables -t nat -X $table 2>/dev/null
done
for table in shellcrash_mark shellcrash_mark_out;do
iptables -t mangle -F $table 2>/dev/null
iptables -t mangle -X $table 2>/dev/null
done
#dns
iptables -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_dns 2> /dev/null
iptables -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_dns 2> /dev/null
iptables -t nat -F shellcrash_dns 2> /dev/null
iptables -t nat -X shellcrash_dns 2> /dev/null
iptables -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_dns 2>/dev/null
iptables -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_dns 2>/dev/null
iptables -t nat -D OUTPUT -p udp --dport 53 -j shellcrash_dns_out 2>/dev/null
iptables -t nat -D OUTPUT -p tcp --dport 53 -j shellcrash_dns_out 2>/dev/null
#redir
iptables -t nat -D PREROUTING -p tcp $ports -j shellcrash 2>/dev/null
iptables -t nat -D PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash 2>/dev/null
iptables -t nat -D OUTPUT -p tcp $ports -j shellcrash_out 2>/dev/null
iptables -t nat -D OUTPUT -p tcp -d 198.18.0.0/16 -j shellcrash_out 2>/dev/null
#TPROXY&tun
iptables -t mangle -D PREROUTING -p tcp $ports -j shellcrash_mark 2>/dev/null
iptables -t mangle -D PREROUTING -p udp $ports -j shellcrash_mark 2>/dev/null
iptables -t mangle -D PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash_mark 2>/dev/null
iptables -t mangle -D PREROUTING -p udp -d 198.18.0.0/16 -j shellcrash_mark 2>/dev/null
iptables -t mangle -D OUTPUT -p tcp $ports -j shellcrash_mark_out 2>/dev/null
iptables -t mangle -D OUTPUT -p udp $ports -j shellcrash_mark_out 2>/dev/null
iptables -t mangle -D OUTPUT -p tcp -d 198.18.0.0/16 -j shellcrash_mark_out 2>/dev/null
iptables -t mangle -D OUTPUT -p udp -d 198.18.0.0/16 -j shellcrash_mark_out 2>/dev/null
#tun
iptables -D FORWARD -o utun -j ACCEPT 2> /dev/null
iptables -D FORWARD -s 198.18.0.0/16 -o utun -j RETURN 2> /dev/null
iptables -D FORWARD -o utun -j ACCEPT 2>/dev/null
iptables -D FORWARD -s 198.18.0.0/16 -o utun -j RETURN 2>/dev/null
#屏蔽QUIC
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst'
iptables -D INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT 2> /dev/null
iptables -D FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT 2> /dev/null
#本机代理
iptables -t nat -D OUTPUT -p tcp $ports -j shellcrash_out 2> /dev/null
iptables -t nat -F shellcrash_out 2> /dev/null
iptables -t nat -X shellcrash_out 2> /dev/null
iptables -t nat -D OUTPUT -p udp --dport 53 -j shellcrash_dns_out 2> /dev/null
iptables -t nat -F shellcrash_dns_out 2> /dev/null
iptables -t nat -X shellcrash_dns_out 2> /dev/null
#docker
iptables -t nat -F shellcrash_docker 2> /dev/null
iptables -t nat -X shellcrash_docker 2> /dev/null
iptables -t nat -D PREROUTING -p tcp -s 172.16.0.0/12 -j shellcrash_docker 2> /dev/null
iptables -t nat -D PREROUTING -p udp --dport 53 -s 172.16.0.0/12 -j REDIRECT --to $dns_port 2> /dev/null
#TPROXY&tun
iptables -t mangle -D PREROUTING -p tcp $ports -j shellcrash 2> /dev/null
iptables -t mangle -D PREROUTING -p udp $ports -j shellcrash 2> /dev/null
iptables -t mangle -D PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash 2> /dev/null
iptables -t mangle -D PREROUTING -p udp -d 198.18.0.0/16 -j shellcrash 2> /dev/null
iptables -t mangle -F shellcrash 2> /dev/null
iptables -t mangle -X shellcrash 2> /dev/null
iptables -D INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT 2>/dev/null
iptables -D FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT 2>/dev/null
#公网访问
for ip in $host_ipv4 $local_ipv4 $reserve_ipv4;do
iptables -D INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT 2> /dev/null
iptables -D INPUT -p tcp -s $ip --dport $db_port -j ACCEPT 2> /dev/null
iptables -D INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT 2>/dev/null
iptables -D INPUT -p tcp -s $ip --dport $db_port -j ACCEPT 2>/dev/null
done
iptables -D INPUT -p tcp -d 127.0.0.1 -j ACCEPT 2> /dev/null
iptables -D INPUT -p tcp --dport $mix_port -j REJECT 2> /dev/null
iptables -D INPUT -p tcp --dport $mix_port -j ACCEPT 2> /dev/null
iptables -D INPUT -p tcp --dport $db_port -j REJECT 2> /dev/null
iptables -D INPUT -p tcp --dport $db_port -j ACCEPT 2> /dev/null
iptables -D INPUT -p tcp -d 127.0.0.1 -j ACCEPT 2>/dev/null
iptables -D INPUT -p tcp --dport $mix_port -j REJECT 2>/dev/null
iptables -D INPUT -p tcp --dport $mix_port -j ACCEPT 2>/dev/null
iptables -D INPUT -p tcp --dport $db_port -j REJECT 2>/dev/null
iptables -D INPUT -p tcp --dport $db_port -j ACCEPT 2>/dev/null
}
#重置ipv6规则
ckcmd ip6tables && {
#redir
ip6tables -t nat -D PREROUTING -p tcp $ports -j shellcrashv6 2> /dev/null
ip6tables -D INPUT -p udp --dport 53 -m comment --comment "ShellCrash-IPV6_DNS-REJECT" -j REJECT 2> /dev/null
ip6tables -t nat -F shellcrashv6 2> /dev/null
ip6tables -t nat -X shellcrashv6 2> /dev/null
#清理shellcrash自建表
for table in shellcrashv6_dns shellcrashv6;do
ip6tables -t nat -F $table 2>/dev/null
ip6tables -t nat -X $table 2>/dev/null
done
ip6tables -t mangle -F shellcrashv6_mark 2>/dev/null
ip6tables -t mangle -X shellcrashv6_mark 2>/dev/null
#dns
ip6tables -t nat -D PREROUTING -p tcp --dport 53 -j shellcrashv6_dns 2>/dev/null
ip6tables -t nat -D PREROUTING -p udp --dport 53 -j shellcrashv6_dns 2>/dev/null
ip6tables -t nat -F shellcrashv6_dns 2> /dev/null
ip6tables -t nat -X shellcrashv6_dns 2> /dev/null
#redir
ip6tables -t nat -D PREROUTING -p tcp $ports -j shellcrashv6 2>/dev/null
ip6tables -D INPUT -p udp --dport 53 -m comment --comment "ShellCrash-IPV6_DNS-REJECT" -j REJECT 2>/dev/null
#mark
ip6tables -t mangle -D PREROUTING -p tcp $ports -j shellcrashv6_mark 2>/dev/null
ip6tables -t mangle -D PREROUTING -p udp $ports -j shellcrashv6_mark 2>/dev/null
ip6tables -D INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT 2>/dev/null
#tun
ip6tables -D FORWARD -o utun -j ACCEPT 2> /dev/null
ip6tables -D FORWARD -o utun -j ACCEPT 2>/dev/null
ip6tables -D FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" -j REJECT >/dev/null 2>&1
#屏蔽QUIC
[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst'
iptables -D INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2> /dev/null
iptables -D FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2> /dev/null
iptables -D INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2>/dev/null
iptables -D FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2>/dev/null
#公网访问
ip6tables -D INPUT -p tcp --dport $mix_port -j REJECT 2> /dev/null
ip6tables -D INPUT -p tcp --dport $mix_port -j ACCEPT 2> /dev/null
ip6tables -D INPUT -p tcp --dport $db_port -j REJECT 2> /dev/null
ip6tables -D INPUT -p tcp --dport $db_port -j ACCEPT 2> /dev/null
#tproxy&tun
ip6tables -t mangle -D PREROUTING -p tcp $ports -j shellcrashv6 2> /dev/null
ip6tables -t mangle -D PREROUTING -p udp $ports -j shellcrashv6 2> /dev/null
ip6tables -t mangle -F shellcrashv6 2> /dev/null
ip6tables -t mangle -X shellcrashv6 2> /dev/null
ip6tables -D INPUT -p udp --dport 443 -m comment --comment "ShellCrash-QUIC-REJECT" $set_cn_ip -j REJECT 2> /dev/null
ip6tables -D INPUT -p tcp --dport $mix_port -j REJECT 2>/dev/null
ip6tables -D INPUT -p tcp --dport $mix_port -j ACCEPT 2>/dev/null
ip6tables -D INPUT -p tcp --dport $db_port -j REJECT 2>/dev/null
ip6tables -D INPUT -p tcp --dport $db_port -j ACCEPT 2>/dev/null
}
#清理ipset规则
ipset destroy cn_ip >/dev/null 2>&1
@ -1418,10 +1323,10 @@ stop_firewall(){ #还原防火墙配置
/etc/init.d/dnsmasq restart >/dev/null 2>&1
}
#清理路由规则
ip rule del fwmark $fwmark table 100 2> /dev/null
ip route del local default dev lo table 100 2> /dev/null
ip -6 rule del fwmark $fwmark table 101 2> /dev/null
ip -6 route del local ::/0 dev lo table 101 2> /dev/null
ip rule del fwmark $fwmark table 100 2>/dev/null
ip route flush table 100 2>/dev/null
ip -6 rule del fwmark $fwmark table 101 2>/dev/null
ip -6 route flush table 101 2>/dev/null
#重置nftables相关规则
ckcmd nft && {
nft flush table inet shellcrash >/dev/null 2>&1
@ -1711,69 +1616,7 @@ afstart(){ #启动后
done
if [ -n "$test" -o -n "$(pidof CrashCore)" ];then
rm -rf ${TMPDIR}/CrashCore #删除缓存目录内核文件
#设置DNS转发
start_dns(){
if [ "$dns_no" != "已禁用" ];then
if [ "$dns_redir" != "已开启" ];then
[ "$firewall_mod" = 'iptables' ] && start_ipt_dns
[ "$firewall_mod" = 'nftables' ] && start_nft_dns prerouting
else
#openwrt使用dnsmasq转发
uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1
uci delete dhcp.@dnsmasq[0].resolvfile 2>/dev/null
uci add_list dhcp.@dnsmasq[0].server=127.0.0.1#$dns_port > /dev/null 2>&1
uci set dhcp.@dnsmasq[0].noresolv=1 2>/dev/null
uci commit dhcp >/dev/null 2>&1
/etc/init.d/dnsmasq restart >/dev/null 2>&1
fi
fi
return 0
}
#设置路由规则
[ "$firewall_area" != 4 ] && {
getlanip #获取局域网host地址
#设置策略路由
[ "$redir_mod" = "Tproxy模式" ] && ip route add local default dev lo table 100
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && ip route add default dev utun table 100
[ "$firewall_area" = 5 ] && ip route add default via $bypass_host table 100
[ "$redir_mod" != "纯净模式" -a "$redir_mod" != "Redir模式" ] && ip rule add fwmark $fwmark table 100
[ "$firewall_mod" = 'iptables' ] && {
[ "$redir_mod" = "Redir模式" ] && start_dns && start_redir
[ "$redir_mod" = "混合模式" ] && start_dns && start_redir && start_tun udp
[ "$redir_mod" = "Tun模式" ] && start_dns && start_tun all
[ "$redir_mod" = "Tproxy模式" ] && start_dns && start_tproxy all
[ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -n "$(grep '0:7890' /etc/passwd)" ] && start_output #设置本机代理
}
[ "$firewall_mod" = 'nftables' ] && {
nft add table inet shellcrash #初始化nftables
nft flush table inet shellcrash
#局域网代理
[ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 ] && {
start_dns
start_nft prerouting
#屏蔽QUIC
[ "$quic_rj" = 已启用 ] && {
nft add chain inet shellcrash input { type filter hook input priority 0 \; }
[ -n "$CN_IP" ] && nft add rule inet shellcrash input ip daddr {$CN_IP} return
[ -n "$CN_IP6" ] && nft add rule inet shellcrash input ip6 daddr {$CN_IP6} return
nft add rule inet shellcrash input udp dport 443 reject comment 'ShellCrash-QUIC-REJECT'
}
}
#设置本机代理
[ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -n "$(grep '0:7890' /etc/passwd)" ] && {
start_nft_dns output
start_nft output
#修复部分虚拟机dns查询失败的问题
[ -z "$(grep 'nameserver 127.0.0.1' /etc/resolv.conf 2>/dev/null)" ] && {
line=$(grep -n 'nameserver' /etc/resolv.conf | awk -F: 'FNR==1{print $1}')
sed -i "$line i\nameserver 127.0.0.1 #shellcrash-dns-repair" /etc/resolv.conf
}
}
}
}
#启用公网访问防火墙
[ "$firewall_mod" = 'iptables' ] && start_ipt_wan
[ "$firewall_mod" = 'nftables' ] && start_nft_wan
start_firewall #配置防火墙流量劫持
mark_time #标记启动时间
[ -s ${CRASHDIR}/configs/web_save -o -s ${CRASHDIR}/configs/web_configs ] && web_restore >/dev/null 2>&1 & #后台还原面板配置
{ sleep 5;logger ShellCrash服务已启动;} & #推送日志