~修复tun或混合模式下，屏蔽quic功能未能实际生效的bug

~优化了一下初始化脚本中对nftables和iptables的使用判断 ~默认的常用端口过滤列表中，移除了对53和123端口的支持 ~修复部分情况下因ipv6dns未能正确劫持或拦截导致的dns劫持失败的问题
2024-11-16 03:32:34 +08:00 · 2024-09-15 15:33:10 +08:00 · 2024-09-15 15:33:10 +08:00 · 5ec0b9c238
commit 5ec0b9c238
parent a698c923c2
3 changed files with 28 additions and 13 deletions
--- a/scripts/init.sh
+++ b/scripts/init.sh
@ -206,9 +206,9 @@ else
 fi
 setconfig COMMAND "$COMMAND" ${CRASHDIR}/configs/command.env
 #设置防火墙执行模式
-[ -z "$(grep firewall_mod $CRASHDIR/configs/ShellClash.cfg 2>/dev/null)" ] && {
+grep -q 'firewall_mod' "$CRASHDIR/configs/ShellClash.cfg" 2>/dev/null || {
 	iptables -j REDIRECT -h >/dev/null 2>&1 && firewall_mod=iptables
-	nft add table inet shellcrash 2>/dev/null && firewall_mod=nftables
+	nft add table inet test4532 2>/dev/null && firewall_mod=nftables && nft delete table inet test4532
 	setconfig firewall_mod $firewall_mod
 }
 #设置更新地址
--- a/scripts/menu.sh
+++ b/scripts/menu.sh
@ -38,7 +38,7 @@ ckstatus(){
 	[ -z "$fwmark" ] && fwmark=$redir_port
 	[ -z "$db_port" ] && db_port=9999
 	[ -z "$dns_port" ] && dns_port=1053
-	[ -z "$multiport" ] && multiport='22,53,80,123,143,194,443,465,587,853,993,995,5222,8080,8443'
+	[ -z "$multiport" ] && multiport='22,80,143,194,443,465,587,853,993,995,5222,8080,8443'
 	[ -z "$redir_mod" ] && redir_mod=纯净模式
 	#检查mac地址记录
 	[ ! -f ${CRASHDIR}/configs/mac ] && touch ${CRASHDIR}/configs/mac
--- a/scripts/start.sh
+++ b/scripts/start.sh
@ -31,7 +31,7 @@ getconfig() { #读取配置及全局变量
 	[ -z "$sniffer" ] && sniffer=已开启
 	#是否代理常用端口
 	[ -z "$common_ports" ] && common_ports=已开启
-	[ -z "$multiport" ] && multiport='22,53,80,123,143,194,443,465,587,853,993,995,5222,8080,8443'
+	[ -z "$multiport" ] && multiport='22,80,143,194,443,465,587,853,993,995,5222,8080,8443'
 	[ "$common_ports" = "已开启" ] && ports="-m multiport --dports $multiport"
 	#内核配置文件
 	if [ "$crashcore" = singbox -o "$crashcore" = singboxp ]; then
@ -1008,7 +1008,7 @@ start_ipt_dns() { #iptables-dns通用工具
 			$1 $w -t nat -A $3 -p udp -s $ip -j REDIRECT --to-ports $dns_port
 		done
 	fi
-	[ "$1" = 'ip6tables' ] && {
+	[ "$1" = 'ip6tables' ] && { #屏蔽外部请求
 		$1 $w -t nat -A $3 -p tcp -j RETURN
 		$1 $w -t nat -A $3 -p udp -j RETURN
 	}
@ -1154,9 +1154,15 @@ start_iptables() { #iptables配置总入口
 			set_cn_ip='-m set ! --match-set cn_ip dst'
 			set_cn_ip6='-m set ! --match-set cn_ip6 dst'
 		}
+		[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
+			$iptable -I FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT >/dev/null 2>&1
+			$ip6table -I FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT >/dev/null 2>&1
+		}
+		[ "$redir_mod" = "Tproxy模式" ] && {
 			$iptable -I INPUT -p udp --dport 443 $set_cn_ip -j REJECT >/dev/null 2>&1
 			$ip6table -I INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT >/dev/null 2>&1
 		}
+	}
 }
 start_nft_route() { #nftables-route通用工具
 	#$1:name  $2:hook(prerouting/output)  $3:type(nat/mangle/filter)  $4:priority(-100/-150)
@ -1254,7 +1260,7 @@ start_nft_dns() { #nftables-dns
 	nft add rule inet shellcrash "$1"_dns meta skgid { 453, 7890 } return
 	[ "$firewall_area" = 5 ] && nft add rule inet shellcrash "$1"_dns ip saddr $bypass_host return
 	nft add rule inet shellcrash "$1"_dns ip saddr != {$HOST_IP} return #屏蔽外部请求
-	[ "$1" = 'prerouting' ] && nft add rule inet shellcrash "$1"_dns ip6 saddr != {$HOST_IP6} return #屏蔽外部请求
+	[ "$1" = 'prerouting' ] && nft add rule inet shellcrash "$1"_dns ip6 saddr != {$HOST_IP6} reject #屏蔽外部请求
 	#过滤局域网设备
 	[ "$1" = 'prerouting' ] && [ -s "$CRASHDIR"/configs/mac ] && {
 		MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
@ -1341,12 +1347,19 @@ start_nftables() { #nftables配置总入口
 		start_nft_route prerouting_vm prerouting nat -100
 	}
 	#屏蔽QUIC
-	[ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && {
+	[ "$quic_rj" = '已启用' -a "$lan_proxy" = true && {
+		[ "$redir_mod" = "Tproxy模式" ] && {
 			nft add chain inet shellcrash quic_rj { type filter hook input priority 0 \; }
 			[ -n "$CN_IP" ] && nft add rule inet shellcrash quic_rj ip daddr {$CN_IP} return
 			[ -n "$CN_IP6" ] && nft add rule inet shellcrash quic_rj ip6 daddr {$CN_IP6} return
 			nft add rule inet shellcrash quic_rj udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT'
 		}
+		[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
+			nft insert rule inet fw4 forward oifname "utun" udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT'
+			[ -n "$CN_IP" ] && nft insert rule inet fw4 forward oifname "utun" ip daddr {$CN_IP} return
+			[ -n "$CN_IP6" ] && nft insert rule inet fw4 forward oifname "utun" ip6 daddr {$CN_IP6} return
+		}
+	}
 }
 start_firewall() { #路由规则总入口
 	getlanip          #获取局域网host地址
@ -1436,6 +1449,7 @@ stop_firewall() { #还原防火墙配置
 		#屏蔽QUIC
 		[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst'
 		$iptable -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null
+		$iptable -D FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT 2>/dev/null
 		#公网访问
 		for ip in $host_ipv4 $local_ipv4 $reserve_ipv4; do
 			$iptable -D INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT 2>/dev/null
@ -1477,6 +1491,7 @@ stop_firewall() { #还原防火墙配置
 		#屏蔽QUIC
 		[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst'
 		$ip6table -D INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT 2>/dev/null
+		$ip6table -D FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT 2>/dev/null
 		#公网访问
 		$ip6table -D INPUT -p tcp --dport $mix_port -j REJECT 2>/dev/null
 		$ip6table -D INPUT -p tcp --dport $mix_port -j ACCEPT 2>/dev/null