diff --git a/bin/ShellClash.tar.gz b/bin/ShellClash.tar.gz index fa8ef16..86e63b0 100644 Binary files a/bin/ShellClash.tar.gz and b/bin/ShellClash.tar.gz differ diff --git a/bin/clashfm.tar.gz b/bin/clashfm.tar.gz index 3893d94..b27359a 100644 Binary files a/bin/clashfm.tar.gz and b/bin/clashfm.tar.gz differ diff --git a/bin/version b/bin/version index d0c001e..ef02612 100644 --- a/bin/version +++ b/bin/version @@ -2,5 +2,5 @@ clashnet_v=v1.7.6 clashpre_v=2022.11.25 clash_v=v1.7.1 meta_v=v1.14.2 -versionsh=1.7.3b GeoIP_v=20230401 +versionsh=1.7.4 diff --git a/scripts/clash.sh b/scripts/clash.sh index 64b1b2c..9735749 100644 --- a/scripts/clash.sh +++ b/scripts/clash.sh @@ -98,7 +98,7 @@ ckstatus(){ #检查执行权限 [ ! -x $clashdir/start.sh ] && chmod +x $clashdir/start.sh #检查/tmp内核文件 - for file in `ls -F /tmp | grep -v [/\$] | grep -v '\ ' | grep -iE '^clash$|^clash-linux*'` ; do + for file in `ls -F /tmp | grep -v [/\$] | grep -v '\ ' | grep -iE '^clash$|^clash-linux*|^clash.meta*'` ; do file=/tmp/$file chmod +x $file tmp_version=$($file -v 2>/dev/null) diff --git a/scripts/getdate.sh b/scripts/getdate.sh index 9b1b059..36b6f33 100644 --- a/scripts/getdate.sh +++ b/scripts/getdate.sh @@ -944,7 +944,7 @@ userguide(){ setconfig redir_mod "$redir_mod" #设置开机启动 [ -f /etc/rc.common ] && /etc/init.d/clash enable - [ "$(pidof systemd)" = 1 ] && systemctl enable clash.service > /dev/null 2>&1 + ckcmd systemctl && systemctl enable clash.service > /dev/null 2>&1 rm -rf $clashdir/.dis_startup autostart=enable #检测IP转发 @@ -1013,7 +1013,7 @@ userguide(){ sethost fi } - if [ "$(pidof systemd)" = 1 ];then + if ckcmd systemctl;then echo ----------------------------------------------- echo -e "\033[32m是否开启公网访问Dashboard面板及socks服务?\033[0m" echo -e "注意当前设备必须有公网IP才能从公网正常访问" @@ -1103,23 +1103,28 @@ testcommand(){ nft list table inet shellclash else echo -------------------Redir--------------------- - iptables -t nat -L PREROUTING --line-numbers - iptables -t nat -L clash_dns --line-numbers - iptables -t nat -L clash --line-numbers - [ -n "$(echo $redir_mod | grep 'Tproxy')" ] && { + iptables -t nat -L PREROUTING --line-numbers + iptables -t nat -L clash_dns --line-numbers + iptables -t nat -L clash --line-numbers + [ -n "$(echo $redir_mod | grep -E 'Tproxy模式|混合模式|Tun模式')" ] && { echo ----------------Tun/Tproxy------------------- - iptables -t mangle -L PREROUTING --line-numbers - iptables -t mangle -L clash --line-numbers + iptables -t mangle -L PREROUTING --line-numbers + iptables -t mangle -L clash --line-numbers } - [ -n "$(echo $redir_mod | grep 'Tproxy')" -a "$ipv6_redir" = "已开启" ] && { + [ "$local_proxy" = "已开启" ] && [ "$local_type" = "iptables增强模式" ] && { + echo ----------------OUTPUT------------------- + iptables -t nat -L OUTPUT --line-numbers + iptables -t nat -L clash_out --line-numbers + } + [ -n "$(echo $redir_mod | grep -E 'Tproxy模式|混合模式|Tun模式')" -a "$ipv6_redir" = "已开启" ] && { echo ----------------Tun/Tproxy------------------- - ip6tables -t mangle -L PREROUTING --line-numbers - ip6tables -t mangle -L clashv6 --line-numbers + ip6tables -t mangle -L PREROUTING --line-numbers + ip6tables -t mangle -L clashv6 --line-numbers [ -n "$(lsmod | grep 'ip6table_nat')" ] && { echo -------------------Redir--------------------- - ip6tables -t nat -L PREROUTING --line-numbers - ip6tables -t nat -L clashv6_dns --line-numbers - ip6tables -t nat -L clashv6 --line-numbers + ip6tables -t nat -L PREROUTING --line-numbers + ip6tables -t nat -L clashv6_dns --line-numbers + ip6tables -t nat -L clashv6 --line-numbers } } fi diff --git a/scripts/init.sh b/scripts/init.sh index 4fbc4b5..7375909 100644 --- a/scripts/init.sh +++ b/scripts/init.sh @@ -1,7 +1,7 @@ #!/bin/sh # Copyright (C) Juewuy -version=1.7.3b +version=1.7.4 setdir(){ dir_avail(){ @@ -152,9 +152,9 @@ if [ -f /etc/rc.common ];then cp -f $clashdir/clashservice /etc/init.d/clash chmod 755 /etc/init.d/clash else - [ "$(pidof systemd)" = 1 ] && [ -w /etc/systemd/system ] && sysdir=/etc/systemd/system - [ "$(pidof systemd)" = 1 ] && [ -w /usr/lib/systemd/system ] && sysdir=/usr/lib/systemd/system - if [ -n "$sysdir" ];then + [ -w /etc/systemd/system ] && sysdir=/etc/systemd/system + [ -w /usr/lib/systemd/system ] && sysdir=/usr/lib/systemd/system + if [ -n "$sysdir" -a -z "$WSL_DISTRO_NAME" ];then #wsl环境不使用systemd #设为systemd方式启动 mv -f $clashdir/clash.service $sysdir/clash.service 2>/dev/null sed -i "s%/etc/clash%$clashdir%g" $sysdir/clash.service diff --git a/scripts/start.sh b/scripts/start.sh index 090593c..c5f4f83 100644 --- a/scripts/start.sh +++ b/scripts/start.sh @@ -141,8 +141,15 @@ autoSSH(){ [ -f $clashdir/dropbear_rsa_host_key ] && ln -sf $clashdir/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key [ -f $clashdir/authorized_keys ] && ln -sf $clashdir/authorized_keys /etc/dropbear/authorized_keys } -host_lan(){ - [ -n "$(echo $host | grep -oE "([0-9]{1,3}[\.]){3}[0-9]{1,3}" )" ] && host_lan="$(echo $host | grep -oE "([0-9]{1,3}[\.]){3}")0/24" +getlanip(){ + host_ipv4=$(ip a 2>&1 | grep -w 'inet' | grep 'global' | grep 'br' | grep -v 'iot' | grep -E ' 1(92|0|72)\.' | sed 's/.*inet.//g' | sed 's/br.*$//g' ) #ipv4局域网网段 + host_ipv6=$(ip a 2>&1 | grep -w 'inet6' | grep -E 'global' | sed 's/.*inet6.//g' | sed 's/scope.*$//g' ) #ipv6公网地址段 + #缺省配置 + [ -z "$host_ipv4" ] && host_ipv4='192.168.0.0/16 10.0.0.0/12 172.16.0.0/12' + [ -z "$host_ipv6" ] && host_ipv6='fe80::/10 fd00::/8' + #保留地址 + reserve_ipv4="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 100.64.0.0/10 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4" + reserve_ipv6="::/128 ::1/128 ::ffff:0:0/96 64:ff9b::/96 100::/64 2001::/32 2001:20::/28 2001:db8::/32 2002::/16 fc00::/7 fe80::/10 ff00::/8" } #配置文件相关 getyaml(){ @@ -490,63 +497,55 @@ cn_ipv6_route(){ } start_redir(){ #获取局域网host地址 - host_lan - #流量过滤规则 + getlanip + #流量过滤 iptables -t nat -N clash - iptables -t nat -A clash -d 0.0.0.0/8 -j RETURN - iptables -t nat -A clash -d 10.0.0.0/8 -j RETURN - iptables -t nat -A clash -d 127.0.0.0/8 -j RETURN - iptables -t nat -A clash -d 100.64.0.0/10 -j RETURN - iptables -t nat -A clash -d 169.254.0.0/16 -j RETURN - iptables -t nat -A clash -d 172.16.0.0/12 -j RETURN - iptables -t nat -A clash -d 192.168.0.0/16 -j RETURN - iptables -t nat -A clash -d 224.0.0.0/4 -j RETURN - iptables -t nat -A clash -d 240.0.0.0/4 -j RETURN - [ -n "$host_lan" ] && iptables -t nat -A clash -d $host_lan -j RETURN + for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段 + iptables -t nat -A clash -d $ip -j RETURN + done #绕过CN_IP - [ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && iptables -t nat -A clash -m set --match-set cn_ip dst -j RETURN 2>/dev/null - [ "$dns_mod" = "fake-ip" ] && iptables -t nat -A clash -s 198.18.0.0/16 -j RETURN + [ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && \ + iptables -t nat -A clash -m set --match-set cn_ip dst -j RETURN 2>/dev/null + #局域网设备过滤 if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then - #mac白名单 - for mac in $(cat $clashdir/mac); do + for mac in $(cat $clashdir/mac); do #mac白名单 iptables -t nat -A clash -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $redir_port done else - #mac黑名单 - for mac in $(cat $clashdir/mac); do + for mac in $(cat $clashdir/mac); do #mac黑名单 iptables -t nat -A clash -m mac --mac-source $mac -j RETURN done - iptables -t nat -A clash -p tcp -s 192.168.0.0/16 -j REDIRECT --to-ports $redir_port - iptables -t nat -A clash -p tcp -s 10.0.0.0/12 -j REDIRECT --to-ports $redir_port - iptables -t nat -A clash -p tcp -s 172.16.0.0/12 -j REDIRECT --to-ports $redir_port - [ -n "$host_lan" ] && iptables -t nat -A clash -p tcp -s $host_lan -j REDIRECT --to-ports $redir_port + #仅代理本机局域网网段流量 + for ip in $host_ipv4;do + iptables -t nat -A clash -p tcp -s $ip -j REDIRECT --to-ports $redir_port + done fi #将PREROUTING链指向clash链 iptables -t nat -A PREROUTING -p tcp $ports -j clash #设置ipv6转发 if [ "$ipv6_redir" = "已开启" -a -n "$(lsmod | grep 'ip6table_nat')" ];then - ip6tables -t nat -N clashv6 - ip6tables -t nat -A clashv6 -d ::1/128 -j RETURN - ip6tables -t nat -A clashv6 -d fc00::/7 -j RETURN - ip6tables -t nat -A clashv6 -d fe80::/10 -j RETURN - [ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && ip6tables -t nat -A clashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null + for ip in $reserve_ipv6 $host_ipv6;do #跳过目标保留地址及目标本机网段 + ip6tables -t nat -A clashv6 -d $ip -j RETURN + done + #绕过CN_IPV6 + [ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && \ + ip6tables -t nat -A clashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null + #局域网设备过滤 if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then - #mac白名单 - for mac in $(cat $clashdir/mac); do - ip6tables -t nat -A clashv6 -p tcp $ports -m mac --mac-source $mac -j REDIRECT --to-ports $redir_port + for mac in $(cat $clashdir/mac); do #mac白名单 + ip6tables -t nat -A clashv6 -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $redir_port done else - #mac黑名单 - for mac in $(cat $clashdir/mac); do + for mac in $(cat $clashdir/mac); do #mac黑名单 ip6tables -t nat -A clashv6 -m mac --mac-source $mac -j RETURN done - for ip in $ipv6_wan ;do - ip6tables -t nat -A clashv6 -p tcp -s $ip -j RETURN #屏蔽本机ipv6地址 + #仅代理本机局域网网段流量 + for ip in $host_ipv6;do + ip6tables -t nat -A clashv6 -p tcp -s $ip -j REDIRECT --to-ports $redir_port done - ip6tables -t nat -A clashv6 -p tcp $ports -j REDIRECT --to-ports $redir_port fi - ip6tables -t nat -A PREROUTING -p tcp -j clashv6 + ip6tables -t nat -A PREROUTING -p tcp $ports -j clashv6 fi return 0 } @@ -559,13 +558,11 @@ start_ipt_dns(){ #设置dns转发 iptables -t nat -N clash_dns if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then - #mac白名单 - for mac in $(cat $clashdir/mac); do + for mac in $(cat $clashdir/mac); do #mac白名单 iptables -t nat -A clash_dns -p udp -m mac --mac-source $mac -j REDIRECT --to $dns_port done else - #mac黑名单 - for mac in $(cat $clashdir/mac); do + for mac in $(cat $clashdir/mac); do #mac黑名单 iptables -t nat -A clash_dns -m mac --mac-source $mac -j RETURN done iptables -t nat -A clash_dns -p udp -j REDIRECT --to $dns_port @@ -575,13 +572,11 @@ start_ipt_dns(){ if [ -n "$(lsmod | grep 'ip6table_nat')" -a -n "$(lsmod | grep 'xt_nat')" ];then ip6tables -t nat -N clashv6_dns > /dev/null 2>&1 if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then - #mac白名单 - for mac in $(cat $clashdir/mac); do + for mac in $(cat $clashdir/mac); do #mac白名单 ip6tables -t nat -A clashv6_dns -p udp -m mac --mac-source $mac -j REDIRECT --to $dns_port done else - #mac黑名单 - for mac in $(cat $clashdir/mac); do + for mac in $(cat $clashdir/mac); do #mac黑名单 ip6tables -t nat -A clashv6_dns -m mac --mac-source $mac -j RETURN done ip6tables -t nat -A clashv6_dns -p udp -j REDIRECT --to $dns_port @@ -596,38 +591,31 @@ start_ipt_dns(){ start_tproxy(){ modprobe xt_TPROXY &>/dev/null && { #获取局域网host地址 - host_lan + getlanip ip rule add fwmark 1 table 100 ip route add local default dev lo table 100 iptables -t mangle -N clash iptables -t mangle -A clash -p udp --dport 53 -j RETURN - iptables -t mangle -A clash -d 0.0.0.0/8 -j RETURN - iptables -t mangle -A clash -d 10.0.0.0/8 -j RETURN - iptables -t mangle -A clash -d 127.0.0.0/8 -j RETURN - iptables -t mangle -A clash -d 100.64.0.0/10 -j RETURN - iptables -t mangle -A clash -d 169.254.0.0/16 -j RETURN - iptables -t mangle -A clash -d 172.16.0.0/12 -j RETURN - iptables -t mangle -A clash -d 192.168.0.0/16 -j RETURN - iptables -t mangle -A clash -d 224.0.0.0/4 -j RETURN - iptables -t mangle -A clash -d 240.0.0.0/4 -j RETURN - [ -n "$host_lan" ] && iptables -t mangle -A clash -d $host_lan -j RETURN - [ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && iptables -t mangle -A clash -m set --match-set cn_ip dst -j RETURN 2>/dev/null - [ "$dns_mod" = "fake-ip" ] && iptables -t mangle -A clash -s 198.18.0.0/16 -j RETURN + for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段 + iptables -t mangle -A clash -d $ip -j RETURN + done + #绕过CN_IP + [ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && \ + iptables -t mangle -A clash -m set --match-set cn_ip dst -j RETURN 2>/dev/null + #tcp&udp分别进代理链 tproxy_set(){ if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then - #mac白名单 - for mac in $(cat $clashdir/mac); do + for mac in $(cat $clashdir/mac); do #mac白名单 iptables -t mangle -A clash -p $1 -m mac --mac-source $mac -j TPROXY --on-port $tproxy_port --tproxy-mark 1 done else - #mac黑名单 - for mac in $(cat $clashdir/mac); do + for mac in $(cat $clashdir/mac); do #mac黑名单 iptables -t mangle -A clash -m mac --mac-source $mac -j RETURN done - iptables -t mangle -A clash -p $1 -s 192.168.0.0/16 -j TPROXY --on-port $tproxy_port --tproxy-mark 1 - iptables -t mangle -A clash -p $1 -s 10.0.0.0/12 -j TPROXY --on-port $tproxy_port --tproxy-mark 1 - iptables -t mangle -A clash -p $1 -s 172.16.0.0/12 -j TPROXY --on-port $tproxy_port --tproxy-mark 1 - [ -n "$host_lan" ] && iptables -t mangle -A clash -p $1 -s $host_lan -j TPROXY --on-port $tproxy_port --tproxy-mark 1 + #仅代理本机局域网网段流量 + for ip in $host_ipv4;do + iptables -t mangle -A clash -p $1 -s $ip -j TPROXY --on-port $tproxy_port --tproxy-mark 1 + done fi iptables -t mangle -A PREROUTING -p $1 $ports -j clash } @@ -645,10 +633,13 @@ start_tproxy(){ ip -6 route add local ::/0 dev lo table 101 ip6tables -t mangle -N clashv6 ip6tables -t mangle -A clashv6 -p udp --dport 53 -j RETURN - ip6tables -t mangle -A clashv6 -d ::1/128 -j RETURN - ip6tables -t mangle -A clashv6 -d fc00::/7 -j RETURN - ip6tables -t mangle -A clashv6 -d fe80::/10 -j RETURN - [ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && ip6tables -t mangle -A clashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null + for ip in $host_ipv6 $reserve_ipv6;do #跳过目标保留地址及目标本机网段 + ip6tables -t mangle -A clashv6 -d $ip -j RETURN + done + #绕过CN_IPV6 + [ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && \ + ip6tables -t mangle -A clashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null + #tcp&udp分别进代理链 tproxy_set6(){ if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then #mac白名单 @@ -660,53 +651,56 @@ start_tproxy(){ for mac in $(cat $clashdir/mac); do ip6tables -t mangle -A clashv6 -m mac --mac-source $mac -j RETURN done - for ip in $ipv6_wan ;do - ip6tables -t mangle -A clashv6 -p $1 -s $ip -j RETURN #屏蔽本机ipv6地址 + #仅代理本机局域网网段流量 + for ip in $host_ipv6;do + ip6tables -t mangle -A clashv6 -p $1 -s $ip -j TPROXY --on-port $tproxy_port --tproxy-mark 1 done - ip6tables -t mangle -A clashv6 -p $1 -j TPROXY --on-port $tproxy_port --tproxy-mark 1 fi ip6tables -t mangle -A PREROUTING -p $1 $ports -j clashv6 } [ "$1" = "all" ] && tproxy_set6 tcp tproxy_set6 udp - + + #屏蔽QUIC [ "$quic_rj" = 已启用 ] && { - ip6tables -I INPUT -p udp --dport 443 -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip -j REJECT 2>/dev/null + [ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst' + ip6tables -I INPUT -p udp --dport 443 -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2>/dev/null } } } } start_output(){ + #获取局域网host地址 + getlanip + #获取本机所有出口IP地址 + local_ipv4=$(ip route 2>&1 | grep 'src' | grep -Ev 'utun|iot'| grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} $' | sed 's/.*src //g' ) #流量过滤 iptables -t nat -N clash_out iptables -t nat -A clash_out -m owner --gid-owner 7890 -j RETURN - iptables -t nat -A clash_out -d 0.0.0.0/8 -j RETURN - iptables -t nat -A clash_out -d 10.0.0.0/8 -j RETURN - iptables -t nat -A clash_out -d 100.64.0.0/10 -j RETURN - iptables -t nat -A clash_out -d 127.0.0.0/8 -j RETURN - iptables -t nat -A clash_out -d 169.254.0.0/16 -j RETURN - iptables -t nat -A clash_out -d 192.168.0.0/16 -j RETURN - iptables -t nat -A clash_out -d 224.0.0.0/4 -j RETURN - iptables -t nat -A clash_out -d 240.0.0.0/4 -j RETURN + for ip in $local_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段 + iptables -t nat -A clash_out -d $ip -j RETURN + done + #绕过CN_IP [ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && \ - iptables -t nat -A clash_out -m set --match-set cn_ip dst -j RETURN >/dev/null 2>&1 #绕过大陆IP - iptables -t nat -A clash_out -p tcp -j REDIRECT --to-ports $redir_port - # - iptables -t nat -A OUTPUT -p tcp -j clash_out + iptables -t nat -A clash_out -m set --match-set cn_ip dst -j RETURN >/dev/null 2>&1 + #仅允许本机流量 + for ip in 127.0.0.0/8 $local_ipv4;do + iptables -t nat -A clash_out -p tcp -s $ip -j REDIRECT --to-ports $redir_port + done + iptables -t nat -A OUTPUT -p tcp $ports -j clash_out #设置dns转发 [ "$dns_no" != "已禁用" ] && { iptables -t nat -N clash_dns_out iptables -t nat -A clash_dns_out -m owner --gid-owner 7890 -j RETURN - iptables -t nat -A clash_dns_out -p udp -j REDIRECT --to $dns_port + iptables -t nat -A clash_dns_out -p udp -s 127.0.0.0/8 -j REDIRECT --to $dns_port iptables -t nat -A OUTPUT -p udp --dport 53 -j clash_dns_out } #Docker转发 ckcmd docker && { iptables -t nat -N clash_docker - iptables -t nat -A clash_docker -d 10.0.0.0/8 -j RETURN - iptables -t nat -A clash_docker -d 127.0.0.0/8 -j RETURN - iptables -t nat -A clash_docker -d 172.16.0.0/12 -j RETURN - iptables -t nat -A clash_docker -d 192.168.0.0/16 -j RETURN + for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段 + iptables -t nat -A clash_docker -d $ip -j RETURN + done iptables -t nat -A clash_docker -p tcp -j REDIRECT --to-ports $redir_port iptables -t nat -A PREROUTING -p tcp -s 172.16.0.0/12 -j clash_docker [ "$dns_no" != "已禁用" ] && iptables -t nat -A PREROUTING -p udp --dport 53 -s 172.16.0.0/12 -j REDIRECT --to $dns_port @@ -717,7 +711,7 @@ start_tun(){ #允许流量 iptables -I FORWARD -o utun -j ACCEPT iptables -I FORWARD -s 198.18.0.0/16 -o utun -j RETURN - #ip6tables -I FORWARD -o utun -j ACCEPT > /dev/null 2>&1 + ip6tables -I FORWARD -o utun -j ACCEPT > /dev/null 2>&1 #屏蔽QUIC if [ "$quic_rj" = 已启用 ];then [ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst' @@ -733,36 +727,28 @@ start_tun(){ ip route add default dev utun table 100 ip rule add fwmark 1 table 100 #获取局域网host地址 - host_lan + getlanip iptables -t mangle -N clash - iptables -t mangle -F clash iptables -t mangle -A clash -p udp --dport 53 -j RETURN - iptables -t mangle -A clash -d 0.0.0.0/8 -j RETURN - iptables -t mangle -A clash -d 10.0.0.0/8 -j RETURN - iptables -t mangle -A clash -d 127.0.0.0/8 -j RETURN - iptables -t mangle -A clash -d 100.64.0.0/10 -j RETURN - iptables -t mangle -A clash -d 169.254.0.0/16 -j RETURN - iptables -t mangle -A clash -d 172.16.0.0/12 -j RETURN - iptables -t mangle -A clash -d 192.168.0.0/16 -j RETURN - iptables -t mangle -A clash -d 224.0.0.0/4 -j RETURN - iptables -t mangle -A clash -d 240.0.0.0/4 -j RETURN - iptables -t mangle -A clash -s 198.18.0.0/16 -j RETURN - [ -n "$host_lan" ] && iptables -t mangle -A clash -d $host_lan -j RETURN - [ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && iptables -t mangle -A clash -m set --match-set cn_ip dst -j RETURN 2>/dev/null + for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段 + iptables -t mangle -A clash -d $ip -j RETURN + done + #绕过CN_IP + [ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && \ + iptables -t mangle -A clash -m set --match-set cn_ip dst -j RETURN 2>/dev/null + #局域网设备过滤 if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then - #mac白名单 - for mac in $(cat $clashdir/mac); do + for mac in $(cat $clashdir/mac); do #mac白名单 iptables -t mangle -A clash -m mac --mac-source $mac -j MARK --set-mark 1 done else - #mac黑名单 - for mac in $(cat $clashdir/mac); do + for mac in $(cat $clashdir/mac); do #mac黑名单 iptables -t mangle -A clash -m mac --mac-source $mac -j RETURN done - iptables -t mangle -A clash -s 192.168.0.0/16 -j MARK --set-mark 1 - iptables -t mangle -A clash -s 10.0.0.0/12 -j MARK --set-mark 1 - iptables -t mangle -A clash -s 172.16.0.0/12 -j MARK --set-mark 1 - [ -n "$host_lan" ] && iptables -t mangle -A clash -s $host_lan -j MARK --set-mark 1 + #仅代理本机局域网网段流量 + for ip in $host_ipv4;do + iptables -t mangle -A clash -s $ip -j MARK --set-mark 1 + done fi iptables -t mangle -A PREROUTING -p udp $ports -j clash [ "$1" = "all" ] && iptables -t mangle -A PREROUTING -p tcp $ports -j clash @@ -773,24 +759,25 @@ start_tun(){ ip -6 rule add fwmark 1 table 101 ip6tables -t mangle -N clashv6 ip6tables -t mangle -A clashv6 -p udp --dport 53 -j RETURN - ip6tables -t mangle -A clashv6 -d ::1/128 -j RETURN - ip6tables -t mangle -A clashv6 -d fc00::/7 -j RETURN - ip6tables -t mangle -A clashv6 -d fe80::/10 -j RETURN - [ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && ip6tables -t mangle -A clashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null + for ip in $host_ipv6 $reserve_ipv6;do #跳过目标保留地址及目标本机网段 + ip6tables -t mangle -A clashv6 -d $ip -j RETURN + done + #绕过CN_IPV6 + [ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && \ + ip6tables -t mangle -A clashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null + #局域网设备过滤 if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then - #mac白名单 - for mac in $(cat $clashdir/mac); do + for mac in $(cat $clashdir/mac); do #mac白名单 ip6tables -t mangle -A clashv6 -m mac --mac-source $mac -j MARK --set-mark 1 done else - #mac黑名单 - for mac in $(cat $clashdir/mac); do + for mac in $(cat $clashdir/mac); do #mac黑名单 ip6tables -t mangle -A clashv6 -m mac --mac-source $mac -j RETURN done - for ip in $ipv6_wan ;do - ip6tables -t mangle -A clashv6 -s $ip -j RETURN #屏蔽本机ipv6地址 + #仅代理本机局域网网段流量 + for ip in $host_ipv6;do + ip6tables -t mangle -A clashv6 -s $ip -j MARK --set-mark 1 done - ip6tables -t mangle -A clashv6 -j MARK --set-mark 1 fi ip6tables -t mangle -A PREROUTING -p udp $ports -j clashv6 [ "$1" = "all" ] && ip6tables -t mangle -A PREROUTING -p tcp $ports -j clashv6 @@ -799,8 +786,11 @@ start_tun(){ } } start_nft(){ + #获取局域网host地址 + getlanip [ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g') - RESERVED_IP="{0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4}" + RESERVED_IP="{$(echo $reserve_ipv4 | sed 's/ /, /g')}" + HOST_IP="{$(echo $host_ipv4 | sed 's/ /, /g')}" #设置策略路由 ip rule add fwmark 1 table 100 2> /dev/null ip route add local default dev lo table 100 2> /dev/null @@ -820,7 +810,9 @@ start_nft(){ } #过滤保留地址 nft add rule inet shellclash prerouting ip daddr {${RESERVED_IP}} return - #过滤CN-IP + #仅代理本机局域网网段流量 + nft add rule inet shellclash prerouting ip saddr != {${HOST_IP}} return + #绕过CN-IP [ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" -a -f $bindir/cn_ip.txt ] && { CN_IP=$(awk '{printf "%s, ",$1}' $bindir/cn_ip.txt) [ -n "$CN_IP" ] && nft add rule inet shellclash prerouting ip daddr {${CN_IP}} return @@ -829,18 +821,19 @@ start_nft(){ [ -n "$PORTS" ] && nft add rule inet shellclash prerouting tcp dport != {${PORTS}} return #ipv6支持 if [ "$ipv6_redir" = "已开启" ];then - RESERVED_IP6="{::1/128, fc00::/7, fe80::/10}" + RESERVED_IP6="{$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')}" + HOST_IP6="{$(echo $host_ipv6 | sed 's/ /, /g')}" ip -6 rule add fwmark 1 table 101 2> /dev/null ip -6 route add local ::/0 dev lo table 101 2> /dev/null + #过滤保留地址及本机地址 nft add rule inet shellclash prerouting ip6 daddr {${RESERVED_IP6}} return + #仅代理本机局域网网段流量 + nft add rule inet shellclash prerouting ip6 saddr != {${HOST_IP6}} return + #绕过CN_IPV6 [ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" -a -f $bindir/cn_ipv6.txt ] && { CN_IP6=$(awk '{printf "%s, ",$1}' $bindir/cn_ipv6.txt) [ -n "$CN_IP6" ] && nft add rule inet shellclash prerouting ip6 daddr {${CN_IP6}} return } - [ -n "$ipv6_wan" ] && { - LOCAL_IP6="{$(echo $ipv6_wan | sed s/\ /\,\ /g)}" - nft add rule inet shellclash prerouting ip6 daddr {${LOCAL_IP6}} return #屏蔽本机ipv6地址 - } else nft add rule inet shellclash prerouting meta nfproto ipv6 return fi @@ -888,24 +881,35 @@ start_nft_dns(){ nft add rule inet shellclash dns tcp dport 53 redirect to ${dns_port} } start_wan(){ + #获取局域网host地址 + getlanip [ "$mix_port" = "7890" -o -z "$authentication" ] && { - iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport $mix_port -j ACCEPT - iptables -A INPUT -p tcp -s 127.0.0.0/8 --dport $mix_port -j ACCEPT - iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport $mix_port -j ACCEPT - iptables -A INPUT -p tcp -s 172.16.0.0/12 --dport $mix_port -j ACCEPT - iptables -A INPUT -p tcp --dport $mix_port -j REJECT - ckcmd ip6tables && ip6tables -A INPUT -p tcp --dport $mix_port -j REJECT 2> /dev/null + #仅允许局域网设备访问混合端口 + for ip in $host_ipv4;do + iptables -A INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT + done + iptables -A INPUT -p tcp --dport $mix_port -j REJECT + ip6tables -A INPUT -p tcp --dport $mix_port -j REJECT 2> /dev/null } if [ "$public_support" = "已开启" ];then [ "$mix_port" != "7890" -a -n "$authentication" ] && { - iptables -I INPUT -p tcp --dport $mix_port -j ACCEPT - ckcmd ip6tables && ip6tables -I INPUT -p tcp --dport $mix_port -j ACCEPT 2> /dev/null + iptables -I INPUT -p tcp --dport $mix_port -j ACCEPT + ip6tables -I INPUT -p tcp --dport $mix_port -j ACCEPT 2> /dev/null } iptables -I INPUT -p tcp --dport $db_port -j ACCEPT - ckcmd ip6tables && ip6tables -I INPUT -p tcp --dport $db_port -j ACCEPT 2> /dev/null + ip6tables -I INPUT -p tcp --dport $db_port -j ACCEPT 2> /dev/null + else + #仅允许局域网设备访问面板 + for ip in $host_ipv4;do + iptables -A INPUT -p tcp -s $ip --dport $db_port -j ACCEPT + done + iptables -A INPUT -p tcp --dport $db_port -j REJECT + ip6tables -A INPUT -p tcp --dport $db_port -j REJECT 2> /dev/null fi } stop_firewall(){ + #获取局域网host地址 + getlanip #重置iptables相关规则 ckcmd iptables && { #redir @@ -941,18 +945,19 @@ stop_firewall(){ iptables -t mangle -F clash 2> /dev/null iptables -t mangle -X clash 2> /dev/null #公网访问 - iptables -D INPUT -p tcp -s 10.0.0.0/8 --dport $mix_port -j ACCEPT 2> /dev/null - iptables -D INPUT -p tcp -s 127.0.0.0/8 --dport $mix_port -j ACCEPT 2> /dev/null - iptables -D INPUT -p tcp -s 172.16.0.0/12 --dport $mix_port -j ACCEPT 2> /dev/null - iptables -D INPUT -p tcp -s 192.168.0.0/16 --dport $mix_port -j ACCEPT 2> /dev/null + for ip in $host_ipv4;do + iptables -D INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT 2> /dev/null + iptables -D INPUT -p tcp -s $ip --dport $db_port -j ACCEPT 2> /dev/null + done iptables -D INPUT -p tcp --dport $mix_port -j REJECT 2> /dev/null iptables -D INPUT -p tcp --dport $mix_port -j ACCEPT 2> /dev/null + iptables -D INPUT -p tcp --dport $db_port -j REJECT 2> /dev/null iptables -D INPUT -p tcp --dport $db_port -j ACCEPT 2> /dev/null } #重置ipv6规则 ckcmd ip6tables && { #redir - ip6tables -t nat -D PREROUTING -p tcp -j clashv6 2> /dev/null + ip6tables -t nat -D PREROUTING -p tcp $ports -j clashv6 2> /dev/null ip6tables -D INPUT -p udp --dport 53 -m comment --comment "ShellClash-IPV6_DNS-REJECT" -j REJECT 2> /dev/null ip6tables -t nat -F clashv6 2> /dev/null ip6tables -t nat -X clashv6 2> /dev/null @@ -962,7 +967,7 @@ stop_firewall(){ ip6tables -t nat -X clashv6_dns 2> /dev/null #tun ip6tables -D FORWARD -o utun -j ACCEPT 2> /dev/null - ip6tables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellClash-QUIC-REJECT" -j REJECT >/dev/null 2>&1 + ip6tables -D FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellClash-QUIC-REJECT" -j REJECT >/dev/null 2>&1 #屏蔽QUIC [ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst' iptables -D INPUT -p udp --dport 443 -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2> /dev/null @@ -970,6 +975,7 @@ stop_firewall(){ #公网访问 ip6tables -D INPUT -p tcp --dport $mix_port -j REJECT 2> /dev/null ip6tables -D INPUT -p tcp --dport $mix_port -j ACCEPT 2> /dev/null + ip6tables -D INPUT -p tcp --dport $db_port -j REJECT 2> /dev/null ip6tables -D INPUT -p tcp --dport $db_port -j ACCEPT 2> /dev/null #tproxy&tun ip6tables -t mangle -D PREROUTING -p tcp $ports -j clashv6 2> /dev/null @@ -1434,6 +1440,9 @@ unset_proxy) sed -i '/all_proxy/'d $profile sed -i '/ALL_PROXY/'d $profile ;; +*) + $1 $2 $3 $4 $5 $6 $7 + ;; esac