~增加Meta专属sniffer嗅探功能(8-4)
~增加内核完整性检测机制
~优化公网访问本机流量导致回环的问题
This commit is contained in:
juewuy 2022-04-27 22:31:05 +08:00
parent 53ad194475
commit 98388d4374
4 changed files with 59 additions and 24 deletions

Binary file not shown.

View File

@ -2,5 +2,5 @@ clashnet_v=v1.7.6
clashpre_v=2021.09.15 clashpre_v=2021.09.15
clash_v=v1.7.1 clash_v=v1.7.1
meta_v=alpha meta_v=alpha
versionsh=1.5.7
GeoIP_v=20220426 GeoIP_v=20220426
versionsh=1.5.8

View File

@ -1218,7 +1218,7 @@ tools(){
echo -e " 1 ShellClash测试菜单" echo -e " 1 ShellClash测试菜单"
[ -f /etc/firewall.user ] && echo -e " 2 \033[32m配置\033[0m外网访问SSH" [ -f /etc/firewall.user ] && echo -e " 2 \033[32m配置\033[0m外网访问SSH"
[ -f /etc/config/ddns -a -d "/etc/ddns" ] && echo -e " 3 配置DDNS服务(需下载相关脚本)" [ -f /etc/config/ddns -a -d "/etc/ddns" ] && echo -e " 3 配置DDNS服务(需下载相关脚本)"
echo -e " 4 \033[32m流媒体预解析\033[0m————用于解决DNS解锁在TV应用上失效的问题" echo -e " 4 \033[32m流媒体增强\033[0m————用于解决流媒体解锁在TV应用上失效的问题"
[ -x /usr/sbin/otapredownload ] && echo -e " 5 \033[33m$mi_update\033[0m小米系统自动更新" [ -x /usr/sbin/otapredownload ] && echo -e " 5 \033[33m$mi_update\033[0m小米系统自动更新"
[ -f /usr/sbin/otapredownload ] && echo -e " 6 小米设备软固化SSH ———— \033[$mi_autoSSH_type \033[0m" [ -f /usr/sbin/otapredownload ] && echo -e " 6 小米设备软固化SSH ———— \033[$mi_autoSSH_type \033[0m"
echo ----------------------------------------------- echo -----------------------------------------------
@ -1256,20 +1256,40 @@ tools(){
tools tools
elif [ "$num" = 4 ]; then elif [ "$num" = 4 ]; then
if type nslookup > /dev/null 2>&1;then
checkcfg=$(cat $ccfg) checkcfg=$(cat $ccfg)
streaming echo -----------------------------------------------
echo -e "\033[36m请选择实现方式(不建议同时开启)\033[0m"
echo -e " 1 定时预解析流媒体DNS"
echo -e " 2 Meta内核专属tls域名嗅探(推荐) \033[33m$sniffer\033[0m"
echo -e " 0 返回上级菜单"
read -p "请输入对应数字 > " num
if [ -z "$num" ]; then
errornum
elif [ "$num" = 0 ]; then
i=
elif [ "$num" = 1 ]; then
steaming
elif [ "$num" = 2 ]; then
echo -----------------------------------------------
if [ "$sniffer" = "未启用" ];then
if [ "$clashcore" != "clash.meta" ];then
rm -rf $bindir/clash
clashcore=clash.meta
setconfig clashcore $clashcore
echo "已将clash内核切换为Meta内核"
fi
sniffer=已启用
else
sniffer=未启用
fi
setconfig sniffer $sniffer
echo -e "\033[32m设置成功\033[0m"
sleep 1
fi
if [ -n "$PID" ];then if [ -n "$PID" ];then
checkcfg_new=$(cat $ccfg) checkcfg_new=$(cat $ccfg)
[ "$checkcfg" != "$checkcfg_new" ] && checkrestart [ "$checkcfg" != "$checkcfg_new" ] && checkrestart
fi fi
else
echo -----------------------------------------------
echo "当前设备缺少nslookup命令无法启用流媒体预解析功能"
echo "Centos请尝试使用以下命令安装【yum -y install bind-utils】"
echo "Debian/Ubuntu等请尝试使用【sudo apt-get install dnsutils -y】"
sleep 1
fi
tools tools
elif [ -x /usr/sbin/otapredownload ] && [ "$num" = 5 ]; then elif [ -x /usr/sbin/otapredownload ] && [ "$num" = 5 ]; then

View File

@ -312,6 +312,10 @@ modify_yaml(){
else else
dns='dns: {enable: true, '$dns_v6', listen: 0.0.0.0:'$dns_port', use-hosts: true, enhanced-mode: redir-host, default-nameserver: ['$dns_default', 127.0.0.1:53], nameserver: ['$dns_nameserver$dns_local'], fallback: ['$dns_fallback'], fallback-filter: {geoip: true}}' dns='dns: {enable: true, '$dns_v6', listen: 0.0.0.0:'$dns_port', use-hosts: true, enhanced-mode: redir-host, default-nameserver: ['$dns_default', 127.0.0.1:53], nameserver: ['$dns_nameserver$dns_local'], fallback: ['$dns_fallback'], fallback-filter: {geoip: true}}'
fi fi
#meta专属功能
if [ "$clashcore" = "clash.meta" -a "$sniffer" = "已启用" ];then
sniffer_set="sniffer: {enable: true, force: false, sniffing: [tls]}"
fi
#设置目录 #设置目录
yaml=$clashdir/config.yaml yaml=$clashdir/config.yaml
tmpdir=/tmp/clash_$USER tmpdir=/tmp/clash_$USER
@ -342,6 +346,7 @@ secret: $secret
$tun $tun
$exper $exper
$dns $dns
$sniffer_set
store-selected: $restore store-selected: $restore
hosts: hosts:
EOF EOF
@ -436,7 +441,12 @@ start_redir(){
done done
iptables -t nat -A clash -p tcp $ports -j REDIRECT --to-ports $redir_port iptables -t nat -A clash -p tcp $ports -j REDIRECT --to-ports $redir_port
fi fi
iptables -t nat -A PREROUTING -p tcp -j clash #获取局域网host地址
host_lan=$(ip a 2>&1 | grep -w 'inet' | grep 'global' | grep -oE '\ 1(92|0|72)\.' | grep -oE '1(92|0|72)' | head -n 1)
[ -n "$host_lan" ] && host_lan=${host_lan}.0.0.0/8
#将PREROUTING链指向clash链
iptables -t nat -A PREROUTING -p tcp -s $host_lan -j clash
#公网访问功能
if [ "$public_support" = "已开启" ];then if [ "$public_support" = "已开启" ];then
iptables -I INPUT -p tcp --dport $mix_port -j ACCEPT iptables -I INPUT -p tcp --dport $mix_port -j ACCEPT
iptables -I INPUT -p tcp --dport $db_port -j ACCEPT iptables -I INPUT -p tcp --dport $db_port -j ACCEPT
@ -478,18 +488,19 @@ start_dns(){
if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
#mac白名单 #mac白名单
for mac in $(cat $clashdir/mac); do for mac in $(cat $clashdir/mac); do
iptables -t nat -A clash_dns -p udp --dport 53 -m mac --mac-source $mac -j REDIRECT --to $dns_port iptables -t nat -A clash_dns -p udp -m mac --mac-source $mac -j REDIRECT --to $dns_port
iptables -t nat -A clash_dns -p tcp --dport 53 -m mac --mac-source $mac -j REDIRECT --to $dns_port iptables -t nat -A clash_dns -p tcp -m mac --mac-source $mac -j REDIRECT --to $dns_port
done done
else else
#mac黑名单 #mac黑名单
for mac in $(cat $clashdir/mac); do for mac in $(cat $clashdir/mac); do
iptables -t nat -A clash_dns -m mac --mac-source $mac -j RETURN iptables -t nat -A clash_dns -m mac --mac-source $mac -j RETURN
done done
iptables -t nat -A clash_dns -p udp --dport 53 -j REDIRECT --to $dns_port iptables -t nat -A clash_dns -p udp -j REDIRECT --to $dns_port
iptables -t nat -A clash_dns -p tcp --dport 53 -j REDIRECT --to $dns_port iptables -t nat -A clash_dns -p tcp -j REDIRECT --to $dns_port
fi fi
iptables -t nat -A PREROUTING -p udp -j clash_dns iptables -t nat -A PREROUTING -p udp --dport 53 -j clash_dns
iptables -t nat -A PREROUTING -p tcp --dport 53 -j clash_dns
#ipv6DNS #ipv6DNS
ip6_nat=$(ip6tables -t nat -L 2>&1 | grep -o 'Chain') ip6_nat=$(ip6tables -t nat -L 2>&1 | grep -o 'Chain')
if [ -n "$ip6_nat" ];then if [ -n "$ip6_nat" ];then
@ -497,18 +508,19 @@ start_dns(){
if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
#mac白名单 #mac白名单
for mac in $(cat $clashdir/mac); do for mac in $(cat $clashdir/mac); do
ip6tables -t nat -A clashv6_dns -p udp --dport 53 -m mac --mac-source $mac -j REDIRECT --to $dns_port ip6tables -t nat -A clashv6_dns -p udp -m mac --mac-source $mac -j REDIRECT --to $dns_port
ip6tables -t nat -A clashv6_dns -p tcp --dport 53 -m mac --mac-source $mac -j REDIRECT --to $dns_port ip6tables -t nat -A clashv6_dns -p tcp -m mac --mac-source $mac -j REDIRECT --to $dns_port
done done
else else
#mac黑名单 #mac黑名单
for mac in $(cat $clashdir/mac); do for mac in $(cat $clashdir/mac); do
ip6tables -t nat -A clashv6_dns -m mac --mac-source $mac -j RETURN ip6tables -t nat -A clashv6_dns -m mac --mac-source $mac -j RETURN
done done
ip6tables -t nat -A clashv6_dns -p udp --dport 53 -j REDIRECT --to $dns_port ip6tables -t nat -A clashv6_dns -p udp -j REDIRECT --to $dns_port
ip6tables -t nat -A clashv6_dns -p tcp --dport 53 -j REDIRECT --to $dns_port ip6tables -t nat -A clashv6_dns -p tcp -j REDIRECT --to $dns_port
fi fi
ip6tables -t nat -A PREROUTING -p udp -j clashv6_dns ip6tables -t nat -A PREROUTING -p udp --dport 53 -j clashv6_dns
ip6tables -t nat -A PREROUTING -p tcp --dport 53 -j clashv6_dns
else else
ip6tables -I INPUT -p tcp --dport 53 -j REJECT > /dev/null 2>&1 ip6tables -I INPUT -p tcp --dport 53 -j REJECT > /dev/null 2>&1
ip6tables -I INPUT -p udp --dport 53 -j REJECT > /dev/null 2>&1 ip6tables -I INPUT -p udp --dport 53 -j REJECT > /dev/null 2>&1
@ -694,6 +706,7 @@ web_restore(){
#启动相关 #启动相关
catpac(){ catpac(){
cat > /tmp/clash_pac <<EOF cat > /tmp/clash_pac <<EOF
//如看见此处内容,请重新安装本地面板!
function FindProxyForURL(url, host) { function FindProxyForURL(url, host) {
if ( if (
isInNet(host, "0.0.0.0", "255.0.0.0")|| isInNet(host, "0.0.0.0", "255.0.0.0")||
@ -719,6 +732,8 @@ bfstart(){
[ ! -d $bindir/ui ] && mkdir -p $bindir/ui [ ! -d $bindir/ui ] && mkdir -p $bindir/ui
update_url=https://ghproxy.com/https://raw.githubusercontent.com/juewuy/ShellClash/master update_url=https://ghproxy.com/https://raw.githubusercontent.com/juewuy/ShellClash/master
#检查clash核心 #检查clash核心
$bindir/clash -v >/dev/null 2>&1
[ "$?" != 0 ] && rm -rf $bindir/clash
if [ ! -f $bindir/clash ];then if [ ! -f $bindir/clash ];then
if [ -f $clashdir/clash ];then if [ -f $clashdir/clash ];then
mv $clashdir/clash $bindir/clash && chmod +x $bindir/clash mv $clashdir/clash $bindir/clash && chmod +x $bindir/clash