mirror of
https://github.com/juewuy/ShellCrash.git
synced 2024-11-16 11:42:18 +08:00
~增加自定义保留地址段功能
~优化支持华硕设备本机代理 ~优化在线获取配置文件校验,正确处理未获取节点时的报错信息 ~修复自动获取配置文件失败超过4次后会无限重复的bug ~修复nftables模式下会错误拦截设备正常ipv6流量的bug
This commit is contained in:
parent
c6f9859e9a
commit
78808bee20
|
@ -771,6 +771,7 @@ setfirewall(){ #防火墙设置
|
||||||
echo -e " 1 公网访问Dashboard面板: \033[36m$public_support\033[0m"
|
echo -e " 1 公网访问Dashboard面板: \033[36m$public_support\033[0m"
|
||||||
echo -e " 2 公网访问Socks/Http代理: \033[36m$public_mixport\033[0m"
|
echo -e " 2 公网访问Socks/Http代理: \033[36m$public_mixport\033[0m"
|
||||||
echo -e " 3 自定义透明路由ipv4网段: 适合vlan等复杂网络环境"
|
echo -e " 3 自定义透明路由ipv4网段: 适合vlan等复杂网络环境"
|
||||||
|
echo -e " 4 自定义保留地址ipv4网段: 需要以保留地址为访问目标的环境"
|
||||||
echo -----------------------------------------------
|
echo -----------------------------------------------
|
||||||
read -p "请输入对应数字 > " num
|
read -p "请输入对应数字 > " num
|
||||||
case $num in
|
case $num in
|
||||||
|
@ -803,6 +804,20 @@ setfirewall(){ #防火墙设置
|
||||||
set_cust_host_ipv4
|
set_cust_host_ipv4
|
||||||
setfirewall
|
setfirewall
|
||||||
;;
|
;;
|
||||||
|
4)
|
||||||
|
[ -z "$reserve_ipv4" ] && reserve_ipv4="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 100.64.0.0/10 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"
|
||||||
|
echo -e "当前网段:\033[36m$reserve_ipv4\033[0m"
|
||||||
|
echo -e "\033[33m地址必须是空格分隔,错误的设置可能导致网络回环或启动报错,请务必谨慎!\033[0m"
|
||||||
|
read -p "请输入 > " reserve_ipv4
|
||||||
|
if [ -n "$reserve_ipv4" ];then
|
||||||
|
echo -e "已将保留地址网段设为:\033[32m$reserve_ipv4\033[0m"
|
||||||
|
setconfig reserve_ipv4 "\'$reserve_ipv4\'"
|
||||||
|
else
|
||||||
|
echo -e "\033[31m操作已取消!\033[0m"
|
||||||
|
fi
|
||||||
|
sleep 1
|
||||||
|
setfirewall
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
errornum
|
errornum
|
||||||
;;
|
;;
|
||||||
|
@ -1164,7 +1179,7 @@ setboot(){ #启动相关设置
|
||||||
esac
|
esac
|
||||||
|
|
||||||
}
|
}
|
||||||
set_firewall_area(){
|
set_firewall_area(){ #防火墙模式设置
|
||||||
[ -z "$vm_redir" ] && vm_redir='未开启'
|
[ -z "$vm_redir" ] && vm_redir='未开启'
|
||||||
echo -----------------------------------------------
|
echo -----------------------------------------------
|
||||||
echo -e "\033[31m注意:\033[0m基于桥接网卡的Docker/虚拟机流量,请单独启用6!"
|
echo -e "\033[31m注意:\033[0m基于桥接网卡的Docker/虚拟机流量,请单独启用6!"
|
||||||
|
|
|
@ -209,20 +209,16 @@ getlanip() { #获取局域网host地址
|
||||||
local_ipv4=$(ip route 2>&1 | grep -Ev 'utun|iot|docker|linkdown' | grep -Eo 'src.*' | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort -u)
|
local_ipv4=$(ip route 2>&1 | grep -Ev 'utun|iot|docker|linkdown' | grep -Eo 'src.*' | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort -u)
|
||||||
[ -z "$local_ipv4" ] && local_ipv4=$(ip route 2>&1 | grep -Eo 'src.*' | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort -u)
|
[ -z "$local_ipv4" ] && local_ipv4=$(ip route 2>&1 | grep -Eo 'src.*' | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort -u)
|
||||||
#保留地址
|
#保留地址
|
||||||
reserve_ipv4="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 100.64.0.0/10 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"
|
[ -z "$reserve_ipv4" ] && reserve_ipv4="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 100.64.0.0/10 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"
|
||||||
reserve_ipv6="::/128 ::1/128 ::ffff:0:0/96 64:ff9b::/96 100::/64 2001::/32 2001:20::/28 2001:db8::/32 2002::/16 fc00::/7 fe80::/10 ff00::/8"
|
[ -z "$reserve_ipv6" ] && reserve_ipv6="::/128 ::1/128 ::ffff:0:0/96 64:ff9b::/96 100::/64 2001::/32 2001:20::/28 2001:db8::/32 2002::/16 fc00::/7 fe80::/10 ff00::/8"
|
||||||
}
|
}
|
||||||
#配置文件相关
|
#配置文件相关
|
||||||
check_clash_config() { #检查clash配置文件
|
check_clash_config() { #检查clash配置文件
|
||||||
#检测节点或providers
|
#检测节点或providers
|
||||||
if [ -z "$(cat $core_config_new | grep -E 'server|proxy-providers' | grep -v 'nameserver' | head -n 1)" ]; then
|
if [ -z "$(cat $core_config_new | grep -E 'password:|proxy-providers:' | grep -v 'nameserver' | head -n 1)" ]; then
|
||||||
echo -----------------------------------------------
|
|
||||||
logger "获取到了配置文件,但似乎并不包含正确的节点信息!" 31
|
|
||||||
echo -----------------------------------------------
|
|
||||||
sed -n '1,30p' $core_config_new
|
|
||||||
echo -----------------------------------------------
|
|
||||||
echo -e "\033[33m请检查如上配置文件信息:\033[0m"
|
|
||||||
echo -----------------------------------------------
|
echo -----------------------------------------------
|
||||||
|
logger "获取到了配置文件【$core_config_new】,但似乎并不包含正确的节点信息!" 31
|
||||||
|
echo "请尝试使用其他生成方式!"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
#检测旧格式
|
#检测旧格式
|
||||||
|
@ -252,9 +248,10 @@ check_clash_config() { #检查clash配置文件
|
||||||
}
|
}
|
||||||
check_singbox_config() { #检查singbox配置文件
|
check_singbox_config() { #检查singbox配置文件
|
||||||
#检测节点或providers
|
#检测节点或providers
|
||||||
if [ -z "$(cat $core_config_new | grep -Eo 'server|outbound_providers')" ]; then
|
if [ -z "$(cat $core_config_new | grep -Eo '"password"|outbound_providers')" ]; then
|
||||||
echo -----------------------------------------------
|
echo -----------------------------------------------
|
||||||
logger "获取到了配置文件【$core_config_new】,但似乎并不包含正确的节点信息!" 31
|
logger "获取到了配置文件【$core_config_new】,但似乎并不包含正确的节点信息!" 31
|
||||||
|
echo "请尝试使用其他生成方式!"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
#检测并去除无效策略组
|
#检测并去除无效策略组
|
||||||
|
@ -303,11 +300,11 @@ get_core_config() { #下载内核配置文件
|
||||||
echo -----------------------------------------------
|
echo -----------------------------------------------
|
||||||
exit 1
|
exit 1
|
||||||
else
|
else
|
||||||
if [ "$retry" = 3 ]; then
|
if [ "$retry" -ge 4 ]; then
|
||||||
logger "无法获取配置文件,请检查链接格式以及网络连接状态!" 31
|
logger "无法获取配置文件,请检查链接格式以及网络连接状态!" 31
|
||||||
echo -e "\033[32m也可用浏览器下载以上链接后,使用WinSCP手动上传到/tmp目录后执行crash命令本地导入!\033[0m"
|
echo -e "\033[32m也可用浏览器下载以上链接后,使用WinSCP手动上传到/tmp目录后执行crash命令本地导入!\033[0m"
|
||||||
exit 1
|
exit 1
|
||||||
elif [ "$retry" = 2 ]; then
|
elif [ "$retry" = 3 ]; then
|
||||||
retry=4
|
retry=4
|
||||||
logger "配置文件获取失败!将尝试使用http协议备用服务器获取!" 31
|
logger "配置文件获取失败!将尝试使用http协议备用服务器获取!" 31
|
||||||
echo -e "\033[32m如担心数据安全,请在3s内使用【Ctrl+c】退出!\033[0m"
|
echo -e "\033[32m如担心数据安全,请在3s内使用【Ctrl+c】退出!\033[0m"
|
||||||
|
@ -318,7 +315,7 @@ get_core_config() { #下载内核配置文件
|
||||||
retry=$((retry + 1))
|
retry=$((retry + 1))
|
||||||
logger "配置文件获取失败!" 31
|
logger "配置文件获取失败!" 31
|
||||||
echo -e "\033[32m尝试使用其他服务器获取配置!\033[0m"
|
echo -e "\033[32m尝试使用其他服务器获取配置!\033[0m"
|
||||||
logger "正在重试第$retry次/共3次!" 33
|
logger "正在重试第$retry次/共4次!" 33
|
||||||
if [ "$server_link" -ge 4 ]; then
|
if [ "$server_link" -ge 4 ]; then
|
||||||
server_link=0
|
server_link=0
|
||||||
fi
|
fi
|
||||||
|
@ -1145,6 +1142,7 @@ start_iptables() { #iptables配置总入口
|
||||||
if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then
|
if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then
|
||||||
start_ipt_dns ip6tables PREROUTING shellcrashv6_dns #ipv6-局域网dns转发
|
start_ipt_dns ip6tables PREROUTING shellcrashv6_dns #ipv6-局域网dns转发
|
||||||
else
|
else
|
||||||
|
$ip6table -I INPUT -p tcp --dport 53 -j REJECT
|
||||||
$ip6table -I INPUT -p udp --dport 53 -j REJECT
|
$ip6table -I INPUT -p udp --dport 53 -j REJECT
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -1178,6 +1176,8 @@ start_nft_route() { #nftables-route通用工具
|
||||||
#过滤dns
|
#过滤dns
|
||||||
nft add rule inet shellcrash $1 tcp dport 53 return
|
nft add rule inet shellcrash $1 tcp dport 53 return
|
||||||
nft add rule inet shellcrash $1 udp dport 53 return
|
nft add rule inet shellcrash $1 udp dport 53 return
|
||||||
|
#过滤常用端口
|
||||||
|
[ -n "$PORTS" ] && nft add rule inet shellcrash $1 tcp dport != {$PORTS} ip daddr != {198.18.0.0/16} return
|
||||||
#防回环
|
#防回环
|
||||||
nft add rule inet shellcrash $1 meta mark $routing_mark return
|
nft add rule inet shellcrash $1 meta mark $routing_mark return
|
||||||
nft add rule inet shellcrash $1 meta skgid 7890 return
|
nft add rule inet shellcrash $1 meta skgid 7890 return
|
||||||
|
@ -1213,7 +1213,6 @@ start_nft_route() { #nftables-route通用工具
|
||||||
CN_IP=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ip.txt)
|
CN_IP=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ip.txt)
|
||||||
[ -n "$CN_IP" ] && nft add rule inet shellcrash $1 ip daddr {$CN_IP} return
|
[ -n "$CN_IP" ] && nft add rule inet shellcrash $1 ip daddr {$CN_IP} return
|
||||||
}
|
}
|
||||||
[ -n "$PORTS" ] && nft add rule inet shellcrash $1 tcp dport != {$PORTS} ip daddr != {198.18.0.0/16} return #过滤常用端口
|
|
||||||
#局域网ipv6支持
|
#局域网ipv6支持
|
||||||
if [ "$ipv6_redir" = "已开启" -a "$1" = 'prerouting' -a "$firewall_area" != 5 ]; then
|
if [ "$ipv6_redir" = "已开启" -a "$1" = 'prerouting' -a "$firewall_area" != 5 ]; then
|
||||||
RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')"
|
RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')"
|
||||||
|
@ -1258,6 +1257,9 @@ start_nft_dns() { #nftables-dns
|
||||||
[ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
|
[ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
|
||||||
[ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')"
|
[ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')"
|
||||||
nft add chain inet shellcrash "$1"_dns { type nat hook $2 priority -100 \; }
|
nft add chain inet shellcrash "$1"_dns { type nat hook $2 priority -100 \; }
|
||||||
|
#过滤非dns请求
|
||||||
|
nft add rule inet shellcrash "$1"_dns udp dport != 53 return
|
||||||
|
nft add rule inet shellcrash "$1"_dns tcp dport != 53 return
|
||||||
#防回环
|
#防回环
|
||||||
nft add rule inet shellcrash "$1"_dns meta mark $routing_mark return
|
nft add rule inet shellcrash "$1"_dns meta mark $routing_mark return
|
||||||
nft add rule inet shellcrash "$1"_dns meta skgid { 453, 7890 } return
|
nft add rule inet shellcrash "$1"_dns meta skgid { 453, 7890 } return
|
||||||
|
@ -1392,7 +1394,7 @@ start_firewall() { #路由规则总入口
|
||||||
[ "$redir_mod" != "Redir模式" ] && ip -6 rule add fwmark $fwmark table $((table + 1)) 2>/dev/null
|
[ "$redir_mod" != "Redir模式" ] && ip -6 rule add fwmark $fwmark table $((table + 1)) 2>/dev/null
|
||||||
}
|
}
|
||||||
#判断代理用途
|
#判断代理用途
|
||||||
[ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -n "$(grep '0:7890' /etc/passwd)" ] && local_proxy=true
|
[ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && local_proxy=true
|
||||||
[ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 ] && lan_proxy=true
|
[ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 ] && lan_proxy=true
|
||||||
#防火墙配置
|
#防火墙配置
|
||||||
[ "$firewall_mod" = 'iptables' ] && start_iptables
|
[ "$firewall_mod" = 'iptables' ] && start_iptables
|
||||||
|
@ -1481,6 +1483,7 @@ stop_firewall() { #还原防火墙配置
|
||||||
#redir
|
#redir
|
||||||
$ip6table -t nat -D PREROUTING -p tcp $ports -j shellcrashv6 2>/dev/null
|
$ip6table -t nat -D PREROUTING -p tcp $ports -j shellcrashv6 2>/dev/null
|
||||||
$ip6table -t nat -D OUTPUT -p tcp $ports -j shellcrashv6_out 2>/dev/null
|
$ip6table -t nat -D OUTPUT -p tcp $ports -j shellcrashv6_out 2>/dev/null
|
||||||
|
$ip6table -D INPUT -p tcp --dport 53 -j REJECT 2>/dev/null
|
||||||
$ip6table -D INPUT -p udp --dport 53 -j REJECT 2>/dev/null
|
$ip6table -D INPUT -p udp --dport 53 -j REJECT 2>/dev/null
|
||||||
#mark
|
#mark
|
||||||
$ip6table -t mangle -D PREROUTING -p tcp $ports -j shellcrashv6_mark 2>/dev/null
|
$ip6table -t mangle -D PREROUTING -p tcp $ports -j shellcrashv6_mark 2>/dev/null
|
||||||
|
@ -1703,6 +1706,8 @@ clash_check() { #clash启动前检查
|
||||||
[ "$redir_mod" = "混合模式" ] ||
|
[ "$redir_mod" = "混合模式" ] ||
|
||||||
[ "$redir_mod" = "Tun模式" ] && core_exchange meta '当前内核不支持的配置'
|
[ "$redir_mod" = "Tun模式" ] && core_exchange meta '当前内核不支持的配置'
|
||||||
fi
|
fi
|
||||||
|
[ "$crashcore" = "clash" ] && [ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -z "$(grep '0:7890' /etc/passwd)" ] && \
|
||||||
|
core_exchange meta '当前内核不支持非root用户启用本机代理'
|
||||||
core_check
|
core_check
|
||||||
#预下载GeoIP数据库
|
#预下载GeoIP数据库
|
||||||
[ -n "$(cat "$CRASHDIR"/yamls/*.yaml | grep -oEi 'geoip')" ] && ckgeo Country.mmdb cn_mini.mmdb
|
[ -n "$(cat "$CRASHDIR"/yamls/*.yaml | grep -oEi 'geoip')" ] && ckgeo Country.mmdb cn_mini.mmdb
|
||||||
|
|
Loading…
Reference in New Issue
Block a user