~修复tun或混合模式下,屏蔽quic功能未能实际生效的bug

~优化了一下初始化脚本中对nftables和iptables的使用判断
~默认的常用端口过滤列表中,移除了对53和123端口的支持
~修复部分情况下因ipv6dns未能正确劫持或拦截导致的dns劫持失败的问题
This commit is contained in:
juewuy 2024-09-15 15:33:10 +08:00
parent a698c923c2
commit 5ec0b9c238
3 changed files with 28 additions and 13 deletions

View File

@ -206,9 +206,9 @@ else
fi
setconfig COMMAND "$COMMAND" ${CRASHDIR}/configs/command.env
#设置防火墙执行模式
[ -z "$(grep firewall_mod $CRASHDIR/configs/ShellClash.cfg 2>/dev/null)" ] && {
grep -q 'firewall_mod' "$CRASHDIR/configs/ShellClash.cfg" 2>/dev/null || {
iptables -j REDIRECT -h >/dev/null 2>&1 && firewall_mod=iptables
nft add table inet shellcrash 2>/dev/null && firewall_mod=nftables
nft add table inet test4532 2>/dev/null && firewall_mod=nftables && nft delete table inet test4532
setconfig firewall_mod $firewall_mod
}
#设置更新地址

View File

@ -38,7 +38,7 @@ ckstatus(){
[ -z "$fwmark" ] && fwmark=$redir_port
[ -z "$db_port" ] && db_port=9999
[ -z "$dns_port" ] && dns_port=1053
[ -z "$multiport" ] && multiport='22,53,80,123,143,194,443,465,587,853,993,995,5222,8080,8443'
[ -z "$multiport" ] && multiport='22,80,143,194,443,465,587,853,993,995,5222,8080,8443'
[ -z "$redir_mod" ] && redir_mod=纯净模式
#检查mac地址记录
[ ! -f ${CRASHDIR}/configs/mac ] && touch ${CRASHDIR}/configs/mac

View File

@ -31,7 +31,7 @@ getconfig() { #读取配置及全局变量
[ -z "$sniffer" ] && sniffer=已开启
#是否代理常用端口
[ -z "$common_ports" ] && common_ports=已开启
[ -z "$multiport" ] && multiport='22,53,80,123,143,194,443,465,587,853,993,995,5222,8080,8443'
[ -z "$multiport" ] && multiport='22,80,143,194,443,465,587,853,993,995,5222,8080,8443'
[ "$common_ports" = "已开启" ] && ports="-m multiport --dports $multiport"
#内核配置文件
if [ "$crashcore" = singbox -o "$crashcore" = singboxp ]; then
@ -1008,7 +1008,7 @@ start_ipt_dns() { #iptables-dns通用工具
$1 $w -t nat -A $3 -p udp -s $ip -j REDIRECT --to-ports $dns_port
done
fi
[ "$1" = 'ip6tables' ] && {
[ "$1" = 'ip6tables' ] && { #屏蔽外部请求
$1 $w -t nat -A $3 -p tcp -j RETURN
$1 $w -t nat -A $3 -p udp -j RETURN
}
@ -1154,10 +1154,16 @@ start_iptables() { #iptables配置总入口
set_cn_ip='-m set ! --match-set cn_ip dst'
set_cn_ip6='-m set ! --match-set cn_ip6 dst'
}
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
$iptable -I FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT >/dev/null 2>&1
$ip6table -I FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT >/dev/null 2>&1
}
[ "$redir_mod" = "Tproxy模式" ] && {
$iptable -I INPUT -p udp --dport 443 $set_cn_ip -j REJECT >/dev/null 2>&1
$ip6table -I INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT >/dev/null 2>&1
}
}
}
start_nft_route() { #nftables-route通用工具
#$1:name $2:hook(prerouting/output) $3:type(nat/mangle/filter) $4:priority(-100/-150)
[ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g')
@ -1254,7 +1260,7 @@ start_nft_dns() { #nftables-dns
nft add rule inet shellcrash "$1"_dns meta skgid { 453, 7890 } return
[ "$firewall_area" = 5 ] && nft add rule inet shellcrash "$1"_dns ip saddr $bypass_host return
nft add rule inet shellcrash "$1"_dns ip saddr != {$HOST_IP} return #屏蔽外部请求
[ "$1" = 'prerouting' ] && nft add rule inet shellcrash "$1"_dns ip6 saddr != {$HOST_IP6} return #屏蔽外部请求
[ "$1" = 'prerouting' ] && nft add rule inet shellcrash "$1"_dns ip6 saddr != {$HOST_IP6} reject #屏蔽外部请求
#过滤局域网设备
[ "$1" = 'prerouting' ] && [ -s "$CRASHDIR"/configs/mac ] && {
MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
@ -1341,12 +1347,19 @@ start_nftables() { #nftables配置总入口
start_nft_route prerouting_vm prerouting nat -100
}
#屏蔽QUIC
[ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && {
[ "$quic_rj" = '已启用' -a "$lan_proxy" = true && {
[ "$redir_mod" = "Tproxy模式" ] && {
nft add chain inet shellcrash quic_rj { type filter hook input priority 0 \; }
[ -n "$CN_IP" ] && nft add rule inet shellcrash quic_rj ip daddr {$CN_IP} return
[ -n "$CN_IP6" ] && nft add rule inet shellcrash quic_rj ip6 daddr {$CN_IP6} return
nft add rule inet shellcrash quic_rj udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT'
}
[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
nft insert rule inet fw4 forward oifname "utun" udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT'
[ -n "$CN_IP" ] && nft insert rule inet fw4 forward oifname "utun" ip daddr {$CN_IP} return
[ -n "$CN_IP6" ] && nft insert rule inet fw4 forward oifname "utun" ip6 daddr {$CN_IP6} return
}
}
}
start_firewall() { #路由规则总入口
getlanip #获取局域网host地址
@ -1436,6 +1449,7 @@ stop_firewall() { #还原防火墙配置
#屏蔽QUIC
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst'
$iptable -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null
$iptable -D FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT 2>/dev/null
#公网访问
for ip in $host_ipv4 $local_ipv4 $reserve_ipv4; do
$iptable -D INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT 2>/dev/null
@ -1477,6 +1491,7 @@ stop_firewall() { #还原防火墙配置
#屏蔽QUIC
[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst'
$ip6table -D INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT 2>/dev/null
$ip6table -D FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT 2>/dev/null
#公网访问
$ip6table -D INPUT -p tcp --dport $mix_port -j REJECT 2>/dev/null
$ip6table -D INPUT -p tcp --dport $mix_port -j ACCEPT 2>/dev/null