From c98e50bf013917cc25dfbbcd3667d26986d8abd3 Mon Sep 17 00:00:00 2001
From: juewuy
Date: Sat, 19 Oct 2024 14:43:54 +0800
Subject: [PATCH] =?UTF-8?q?~=E4=BF=AE=E5=A4=8Dipv6-fakeip=E5=9C=B0?=
 =?UTF-8?q?=E5=9D=80=E8=A2=AB=E9=94=99=E8=AF=AF=E5=B1=8F=E8=94=BD=E7=9A=84?=
 =?UTF-8?q?bug=20~=E5=B0=86final-dns=E6=94=B9=E4=B8=BAproxydns=E4=BB=A5?=
 =?UTF-8?q?=E8=A7=A3=E5=86=B3=E9=83=A8=E5=88=86dns=E6=B3=84=E9=9C=B2?=
 =?UTF-8?q?=E9=97=AE=E9=A2=98=20~=E4=BF=AE=E5=A4=8Dnftables=E6=A8=A1?=
 =?UTF-8?q?=E5=BC=8F=E5=9C=A8=E7=99=BD=E5=90=8D=E5=8D=95=E4=B8=BA=E7=A9=BA?=
 =?UTF-8?q?=E6=97=B6=E4=BC=9A=E9=94=99=E8=AF=AF=E8=B7=AF=E7=94=B1=E5=A4=96?=
 =?UTF-8?q?=E9=83=A8=E6=B5=81=E9=87=8F=E7=9A=84bug=20~=E4=BF=AE=E5=A4=8Dip?=
 =?UTF-8?q?v6-tporxy=E6=A8=A1=E5=BC=8F=E4=B8=8B=E9=83=A8=E5=88=86iptables?=
 =?UTF-8?q?=E5=86=85=E5=AE=B9=E6=97=A0=E6=B3=95=E6=AD=A3=E7=A1=AE=E6=B3=A8?=
 =?UTF-8?q?=E9=94=80=E7=9A=84bug?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 scripts/start.sh | 50 +++++++++++++++++++++++++++---------------------
 1 file changed, 28 insertions(+), 22 deletions(-)
diff --git a/scripts/start.sh b/scripts/start.sh
index b07b825..fe08ca1 100644
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -210,7 +210,7 @@ getlanip() { #获取局域网host地址
 [ -z "$local_ipv4" ] && local_ipv4=$(ip route 2>&1 | grep -Eo 'src.*' | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort -u)
 #保留地址
 [ -z "$reserve_ipv4" ] && reserve_ipv4="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 100.64.0.0/10 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"
- [ -z "$reserve_ipv6" ] && reserve_ipv6="::/128 ::1/128 ::ffff:0:0/96 64:ff9b::/96 100::/64 2001::/32 2001:20::/28 2001:db8::/32 2002::/16 fc00::/7 fe80::/10 ff00::/8"
+ [ -z "$reserve_ipv6" ] && reserve_ipv6="::/128 ::1/128 ::ffff:0:0/96 64:ff9b::/96 100::/64 2001::/32 2001:20::/28 2001:db8::/32 2002::/16 fe80::/10 ff00::/8"
 }
 #配置文件相关
 check_clash_config() { #检查clash配置文件
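Review bot: Dropping fc00::/7 from reserve_ipv6 on the `+` line exempts far more than the fake-IP pool: fc00::/7 is fc00::/8 plus fd00::/8, while the sing-box fakeip range configured later in this patch is only fc00::/16, so RFC 4193 unique-local addresses in fd00::/8 (the half actually assigned on LANs) stop being treated as reserved and, presumably, their traffic now enters the proxy chain instead of being returned. Keeping the ULA half in the list restores the LAN bypass while still letting fake-IP answers through, e.g. `... 2002::/16 fd00::/8 fe80::/10 ff00::/8"`. Whether anything else in getlanip() relies on fc00::/8 being reserved cannot be seen from this hunk; the function begins and ends outside it.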
@@ -669,7 +669,7 @@ EOF
 $direct_dns
 { "query_type": [ "A", "AAAA" ], "server": "dns_fakeip", "rewrite_ttl": 1 }
 ],
- "final": "dns_direct",
+ "final": "dns_proxy",
 "independent_cache": true,
 "reverse_mapping": true,
 "fakeip": { "enabled": true, "inet4_range": "198.18.0.0/16", "inet6_range": "fc00::/16" }
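Review bot: The reason for the `"final": "dns_proxy"` switch is not recorded near the heredoc, and it is not obvious from the JSON: with the `{ "query_type": [ "A", "AAAA" ], "server": "dns_fakeip", ... }` rule directly above it, `final` is only reached by query types that rule does not cover (HTTPS/SVCB, TXT, PTR and similar) plus whatever `$direct_dns` does not match, so the leak this closes is specifically those queries going to the direct resolver. A one-line shell comment before the heredoc (outside this hunk) would save the next reader a commit-log dig, e.g. `# final=dns_proxy: non-A/AAAA queries that miss the fake-ip rule must not reach the direct resolver`. Whatever `$direct_dns` expands to still resolves directly, so this narrows rather than eliminates direct resolution; that expansion is outside the hunk.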
@@ -1191,28 +1191,32 @@ start_nft_route() { #nftables-route通用工具
 [ "$firewall_area" = 5 ] && nft add rule inet shellcrash $1 ip saddr $bypass_host return
 nft add rule inet shellcrash $1 ip daddr {$RESERVED_IP} return #过滤保留地址
 #过滤局域网设备
- if [ "$1" = 'prerouting' ] && [ "$macfilter_type" != "白名单" ];then
- [ -s "$CRASHDIR"/configs/mac ] && {
- MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
- nft add rule inet shellcrash $1 ether saddr {$MAC} return
+ [ "$1" = 'prerouting' ] && {
+ [ "$macfilter_type" != "白名单" ] && {
+ [ -s "$CRASHDIR"/configs/mac ] && {
+ MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
+ nft add rule inet shellcrash $1 ether saddr {$MAC} return
+ }
+ [ -s "$CRASHDIR"/configs/ip_filter ] && {
+ FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter)
+ nft add rule inet shellcrash $1 ip saddr {$FL_IP} return
+ }
+ nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理本机局域网网段流量
 }
- [ -s "$CRASHDIR"/configs/ip_filter ] && {
- FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter)
- nft add rule inet shellcrash $1 ip saddr {$FL_IP} return
+ [ "$macfilter_type" = "白名单" ] && {
+ [ -s "$CRASHDIR"/configs/mac ] && MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
+ [ -s "$CRASHDIR"/configs/ip_filter ] && FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter)
+ if [ -n "$MAC" ] && [ -n "$FL_IP" ];then
+ nft add rule inet shellcrash $1 ether saddr != {$MAC} ip saddr != {$FL_IP} return
+ elif [ -n "$MAC" ];then
+ nft add rule inet shellcrash $1 ether saddr != {$MAC} return
+ elif [ -n "$FL_IP" ];then
+ nft add rule inet shellcrash $1 ip saddr != {$FL_IP} return
+ else
+ nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理本机局域网网段流量
+ fi
 }
- nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理本机局域网网段流量
- fi
- if [ "$1" = 'prerouting' ] && [ "$macfilter_type" = "白名单" ];then
- [ -s "$CRASHDIR"/configs/mac ] && MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
- [ -s "$CRASHDIR"/configs/ip_filter ] && FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter)
- if [ -n "$MAC" ] && [ -n "$FL_IP" ];then
- nft add rule inet shellcrash $1 ether saddr != {$MAC} ip saddr != {$FL_IP} return
- elif [ -n "$MAC" ];then
- nft add rule inet shellcrash $1 ether saddr != {$MAC} return
- elif [ -n "$FL_IP" ];then
- nft add rule inet shellcrash $1 ip saddr != {$FL_IP} return
- fi
- fi
+ }
 #绕过CN-IP
 [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" -a -f "$BINDIR"/cn_ip.txt ] && {
 CN_IP=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ip.txt)
@@ -1496,6 +1500,8 @@ stop_firewall() { #还原防火墙配置
 $ip6table -t mangle -D OUTPUT -p tcp $ports -j shellcrashv6_mark_out 2>/dev/null
 $ip6table -t mangle -D OUTPUT -p udp $ports -j shellcrashv6_mark_out 2>/dev/null
 $ip6table -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null
+ $ip6table -t mangle -D PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port 2>/dev/null
+ $ip6table -t mangle -D PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port 2>/dev/null
 #tun
 $ip6table -D FORWARD -o utun -j ACCEPT 2>/dev/null
 #屏蔽QUIC