~新增独立的容器/虚拟机代理开关,以解决代理失败的问题

~回退对singbox入站添加"domain_strategy":"prefer_ipv4"参数的改动
This commit is contained in:
juewuy 2024-08-25 20:48:41 +08:00
parent b8af49fcbe
commit e64bafeb04
3 changed files with 84 additions and 22 deletions


@ -1104,8 +1104,9 @@ setboot(){ #启动相关设置
}
set_firewall_area(){
[ -z "$vm_redir" ] && vm_redir='未开启'
echo -----------------------------------------------
echo -e "\033[31m注意\033[0m基于桥接网卡的Docker/虚拟机流量,请使用1或3"
echo -e "\033[31m注意\033[0m基于桥接网卡的Docker/虚拟机流量,请单独启用6"
echo -e "\033[33m如你使用了第三方DNS如smartdns等请勿启用本机代理或使用shellcrash用户执行\033[0m"
echo -----------------------------------------------
echo -e " 1 \033[32m仅劫持局域网流量\033[0m"
@ -1113,9 +1114,13 @@ set_firewall_area(){
echo -e " 3 \033[32m劫持局域网+本机流量\033[0m"
echo -e " 4 不配置流量劫持(纯净模式)\033[0m"
#echo -e " 5 \033[33m转发局域网流量到旁路由设备\033[0m"
echo -e " 6 劫持容器/虚拟机流量: \033[36m$vm_redir\033[0m"
echo -e " 0 返回上级菜单"
echo -----------------------------------------------
read -p "请输入对应数字 > " num
case $num in
0)
;;
[1-4])
[ $firewall_area -ge 4 ] && {
redir_mod=Redir模式
@ -1145,6 +1150,45 @@ set_firewall_area(){
setconfig redir_mod $redir_mod
}
;;
6)
if [ -n "$vm_ipv4" ];then
vm_des='当前劫持'
else
vm_ipv4=$(ip a 2>&1 | grep -w 'inet' | grep 'global' | grep 'brd' | grep -E 'docker|podman|virbr|vnet|ovs|vmbr|veth|vmnic|vboxnet|lxcbr|xenbr|vEthernet' | sed 's/.*inet.//g' | sed 's/ br.*$//g' | sed 's/metric.*$//g' | tr '\n' ' ')
vm_des='当前获取到'
fi
echo -----------------------------------------------
echo -e "$vm_des的容器/虚拟机网段为:\033[32m$vm_ipv4\033[0m"
echo -e "如未包含容器网段,请先运行容器再运行脚本或者手动设置网段"
echo -----------------------------------------------
echo -e " 1 \033[32m启用劫持并使用默认网段\033[0m"
echo -e " 2 \033[36m启用劫持并自定义网段\033[0m"
echo -e " 3 \033[31m禁用劫持\033[0m"
echo -e " 0 返回上级菜单"
echo -----------------------------------------------
read -p "请输入对应数字 > " num
case $num in
1)
vm_redir=已开启
;;
2)
echo -e "多个网段请用空格连接可运行容器后使用【ip route】命令查看网段地址"
echo -e "示例:\033[32m10.88.0.0/16 172.17.0.0/16\033[0m"
read -p "请输入自定义网段 > " text
[ -n "$text" ] && vm_ipv4=$text
vm_redir=已开启
;;
3)
vm_redir=未开启
unset vm_ipv4
;;
*)
;;
esac
setconfig vm_redir $vm_redir
setconfig vm_ipv4 "\'$vm_ipv4\'"
set_firewall_area
;;
*) errornum ;;
esac
sleep 1
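Review bot: Sub-option 1 (`vm_redir=已开启`) switches the redirect on even when `$vm_ipv4` is empty, which is the case whenever the `ip a` pipeline above found no bridge interface, and sub-option 2 stores whatever was typed without checking that it looks like a network; `$vm_ipv4` later becomes the source filter of the new firewall chains, and in the nftables path the `ip saddr != {$HOST_IP} return` rule cannot load with an empty set, so the redirect would then apply well beyond container traffic. For option 1 a guard such as `[ -n "$vm_ipv4" ] && vm_redir=已开启 || echo -e "\033[31m未获取到容器网段,请使用选项2手动设置\033[0m"` is enough; for option 2 each space-separated token should be matched against an `a.b.c.d[/nn]` pattern before it is accepted, as sketched below. The `1)` and `2)` arms are the only places that need to change; set_firewall_area starts and ends outside the hunk.
```sh
2)
# … unchanged: the two hint lines …
read -p "请输入自定义网段 > " text
bad=''
for net in $text; do
  echo "$net" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' || bad="$bad $net"
done
if [ -n "$bad" ]; then
  echo -e "\033[31m网段格式错误:$bad\033[0m"
elif [ -n "$text" ]; then
  vm_ipv4=$text
  vm_redir=已开启
elif [ -n "$vm_ipv4" ]; then
  vm_redir=已开启
fi
;;
```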


@ -186,7 +186,7 @@ mark_time() { #时间戳
getlanip() { #获取局域网host地址
i=1
while [ "$i" -le "20" ]; do
host_ipv4=$(ip a 2>&1 | grep -w 'inet' | grep 'global' | grep 'brd' | grep -Ev 'utun|iot|peer' | grep -E ' 1(92|0|72)\.' | sed 's/.*inet.//g' | sed 's/br.*$//g' | sed 's/metric.*$//g') #ipv4局域网网段
host_ipv4=$(ip a 2>&1 | grep -w 'inet' | grep 'global' | grep 'brd' | grep -Ev 'utun|iot|peer|docker|podman|virbr|vnet|ovs|vmbr|veth|vmnic|vboxnet|lxcbr|xenbr|vEthernet' | grep -E ' 1(92|0|72)\.' | sed 's/.*inet.//g' | sed 's/br.*$//g' | sed 's/metric.*$//g') #ipv4局域网网段
[ "$ipv6_redir" = "已开启" ] && host_ipv6=$(ip a 2>&1 | grep -w 'inet6' | grep -E 'global' | sed 's/.*inet6.//g' | sed 's/scope.*$//g') #ipv6公网地址段
[ -f "$TMPDIR"/ShellCrash.log ] && break
[ -n "$host_ipv4" -a "$ipv6_redir" != "已开启" ] && break
@ -711,7 +711,6 @@ EOF
"listen": "::",
"listen_port": $mix_port,
$userpass
"domain_strategy":"prefer_ipv4",
"sniff": false
}, {
"type": "direct",
@ -723,7 +722,6 @@ EOF
"tag": "redirect-in",
"listen": "::",
"listen_port": $redir_port,
"domain_strategy":"prefer_ipv4",
"sniff": true,
"sniff_override_destination": $sniffer
}, {
@ -731,7 +729,6 @@ EOF
"tag": "tproxy-in",
"listen": "::",
"listen_port": $tproxy_port,
"domain_strategy":"prefer_ipv4",
"sniff": true,
"sniff_override_destination": $sniffer
}
@ -749,7 +746,6 @@ EOF
"inet4_address": "172.19.0.1/30",
"auto_route": false,
"stack": "system",
"domain_strategy":"prefer_ipv4",
"sniff": true,
"sniff_override_destination": $sniffer
}
@ -897,6 +893,7 @@ start_ipt_route() { #iptables-route通用工具
RESERVED_IP=$reserve_ipv4
HOST_IP=$host_ipv4
[ "$3" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4"
[ "$4" = 'shellcrash_vm' ] && HOST_IP="$vm_ipv4"
}
[ "$1" = 'ip6tables' ] && {
RESERVED_IP=$reserve_ipv6
@ -929,7 +926,7 @@ start_ipt_route() { #iptables-route通用工具
}
#tcp&udp分别进代理链
proxy_set() {
if [ "$3" = 'PREROUTING' ] && [ "$macfilter_type" = "白名单" ] && [ -s "$CRASHDIR"/configs/mac ]; then
if [ "$3" = 'PREROUTING' ] && [ "$4" != 'shellcrash_vm' ] && [ "$macfilter_type" = "白名单" ] && [ -s "$CRASHDIR"/configs/mac ];then
for mac in $(cat "$CRASHDIR"/configs/mac); do
$1 -t $2 -A $4 -p $5 -m mac --mac-source $mac -j $JUMP
done
@ -949,8 +946,9 @@ start_ipt_dns() { #iptables-dns通用工具
#$1:iptables/ip6tables $2:所在的表(OUTPUT/PREROUTING) $3:新创建的shellcrash表
#区分ipv4/ipv6
[ "$1" = 'iptables' ] && {
HOST_IP=$host_ipv4
HOST_IP="$host_ipv4"
[ "$2" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4"
[ "$3" = 'shellcrash_vm_dns' ] && HOST_IP="$vm_ipv4"
}
[ "$1" = 'ip6tables' ] && HOST_IP=$host_ipv6
$1 -t nat -N $3
@ -969,7 +967,7 @@ start_ipt_dns() { #iptables-dns通用工具
$1 -t nat -A $3 -m mac --mac-source $mac -j RETURN
done
}
if [ "$2" = 'PREROUTING' ] && [ -s "$CRASHDIR"/configs/mac ] && [ "$macfilter_type" = "白名单" ]; then
if [ "$2" = 'PREROUTING' ] && [ "$3" != 'shellcrash_vm_dns' ] && [ -s "$CRASHDIR"/configs/mac ] && [ "$macfilter_type" = "白名单" ]; then
for mac in $(cat "$CRASHDIR"/configs/mac); do
$1 -t nat -A $3 -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port
$1 -t nat -A $3 -p udp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port
@ -1103,6 +1101,11 @@ start_iptables() { #iptables配置总入口
fi
}
}
[ "$vm_redir" = "已开启" ] && {
JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令
start_ipt_dns iptables PREROUTING shellcrash_vm_dns #ipv4-局域网dns转发
start_ipt_route iptables nat PREROUTING shellcrash_vm tcp #ipv4-局域网tcp转发
}
#启动DNS劫持
[ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && {
[ "$lan_proxy" = true ] && {
@ -1131,6 +1134,7 @@ start_nft_route() { #nftables-route通用工具
RESERVED_IP=$(echo $reserve_ipv4 | sed 's/ /, /g')
HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
[ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
[ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')"
#添加新链
nft add chain inet shellcrash $1 { type $3 hook $2 priority $4 \; }
#过滤dns
@ -1142,7 +1146,7 @@ start_nft_route() { #nftables-route通用工具
#nft add rule inet shellcrash $1 ip saddr 198.18.0.0/16 return
[ "$firewall_area" = 5 ] && nft add rule inet shellcrash $1 ip saddr $bypass_host return
#过滤局域网设备
[ -s "$CRASHDIR"/configs/mac ] && {
[ "$1" = 'prerouting' ] && [ -s "$CRASHDIR"/configs/mac ] && {
MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
if [ "$macfilter_type" = "黑名单" ]; then
nft add rule inet shellcrash $1 ether saddr {$MAC} return
@ -1200,7 +1204,8 @@ start_nft_dns() { #nftables-dns
HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
HOST_IP6=$(echo $host_ipv6 | sed 's/ /, /g')
[ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
nft add chain inet shellcrash "$1"_dns { type nat hook $1 priority -100 \; }
[ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')"
nft add chain inet shellcrash "$1"_dns { type nat hook $2 priority -100 \; }
#防回环
nft add rule inet shellcrash "$1"_dns meta mark $routing_mark return
nft add rule inet shellcrash "$1"_dns meta skgid { 453, 7890 } return
@ -1208,7 +1213,7 @@ start_nft_dns() { #nftables-dns
nft add rule inet shellcrash "$1"_dns ip saddr != {$HOST_IP} return #屏蔽外部请求
[ "$1" = 'prerouting' ] && nft add rule inet shellcrash "$1"_dns ip6 saddr != {$HOST_IP6} return #屏蔽外部请求
#过滤局域网设备
[ -s "$CRASHDIR"/configs/mac ] && {
[ "$1" = 'prerouting' ] && [ -s "$CRASHDIR"/configs/mac ] && {
MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
if [ "$macfilter_type" = "黑名单" ]; then
nft add rule inet shellcrash "$1"_dns ether saddr {$MAC} return
@ -1248,8 +1253,8 @@ start_nftables() { #nftables配置总入口
start_nft_wan
#启动DNS劫持
[ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && {
[ "$lan_proxy" = true ] && start_nft_dns prerouting #局域网dns转发
[ "$local_proxy" = true ] && start_nft_dns output #本机dns转发
[ "$lan_proxy" = true ] && start_nft_dns prerouting prerouting #局域网dns转发
[ "$local_proxy" = true ] && start_nft_dns output output #本机dns转发
}
#分模式设置流量劫持
[ "$redir_mod" = "Redir模式" ] && {
@ -1287,6 +1292,11 @@ start_nftables() { #nftables配置总入口
[ "$lan_proxy" = true ] && start_nft_route prerouting prerouting filter -150
[ "$local_proxy" = true ] && start_nft_route output output route -150
}
[ "$vm_redir" = "已开启" ] && {
start_nft_dns prerouting_vm prerouting
JUMP="meta l4proto tcp redirect to $redir_port" #跳转劫持的具体命令
start_nft_route prerouting_vm prerouting nat -100
}
#屏蔽QUIC
[ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && {
nft add chain inet shellcrash quic_rj { type filter hook input priority 0 \; }
@ -1352,7 +1362,7 @@ stop_firewall() { #还原防火墙配置
#重置iptables相关规则
ckcmd iptables && {
#清理shellcrash自建表
for table in shellcrash_dns shellcrash shellcrash_out shellcrash_dns_out; do
for table in shellcrash_dns shellcrash shellcrash_out shellcrash_dns_out shellcrash_vm shellcrash_vm_dns; do
iptables -t nat -F $table 2>/dev/null
iptables -t nat -X $table 2>/dev/null
done
@ -1370,6 +1380,12 @@ stop_firewall() { #还原防火墙配置
iptables -t nat -D PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash 2>/dev/null
iptables -t nat -D OUTPUT -p tcp $ports -j shellcrash_out 2>/dev/null
iptables -t nat -D OUTPUT -p tcp -d 198.18.0.0/16 -j shellcrash_out 2>/dev/null
#vm_dns
iptables -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_vm_dns 2>/dev/null
iptables -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_vm_dns 2>/dev/null
#vm_redir
iptables -t nat -D PREROUTING -p tcp $ports -j shellcrash_vm 2>/dev/null
iptables -t nat -D PREROUTING -p tcp -d 198.18.0.0/16 -j shellcrash_vm 2>/dev/null
#TPROXY&tun
iptables -t mangle -D PREROUTING -p tcp $ports -j shellcrash_mark 2>/dev/null
iptables -t mangle -D PREROUTING -p udp $ports -j shellcrash_mark 2>/dev/null
@ -1653,16 +1669,13 @@ network_check() { #检查是否联网
ping -c 3 $host >/dev/null 2>&1 && return 0
sleep 2
done
logger "当前设备无法连接网络,已取消开机启动!" 33
logger "当前设备无法连接网络,已停止启动!" 33
exit 1
}
bfstart() { #启动前
routing_mark=$((fwmark + 2))
#启动前等待
[ ! -f "$TMPDIR"/crash_start_time ] && {
#检测网络连接
network_check
}
#检测网络连接
[ ! -f "$TMPDIR"/crash_start_time ] && ckcmd ping && network_check
[ ! -d "$BINDIR"/ui ] && mkdir -p "$BINDIR"/ui
[ -z "$crashcore" ] && crashcore=clash
#执行条件任务
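Review bot: `HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')"` in start_nft_route and start_nft_dns is taken over unconditionally for the `prerouting_vm` chains, so an unset or empty `$vm_ipv4` yields `{}` in the `ip saddr != {$HOST_IP} return` rule, that rule is rejected by nft, and the chain loses its source restriction while the redirect rules that follow still load; the iptables path sets `HOST_IP="$vm_ipv4"` in start_ipt_route and start_ipt_dns the same way, though how it is consumed there is outside the hunk. The cheapest fix is at the two call sites in start_iptables and start_nftables: `[ "$vm_redir" = "已开启" -a -n "$vm_ipv4" ] && {` instead of `[ "$vm_redir" = "已开启" ] && {`, so a misconfigured value disables the feature rather than widening it. Separately, both vm blocks call `start_*_dns` without the `"$dns_no" != "已禁用"` / `"$dns_redir" != "已开启"` checks that the regular DNS-hijack block directly below applies, which looks unintentional and is worth a comment if it is deliberate. All affected functions start and end outside their hunks.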


@ -2472,7 +2472,7 @@ testcommand(){
if [ "$firewall_mod" = "nftables" ];then
nft list table inet shellcrash
else
[ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 ] && {
[ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 -o "$vm_redir" = "已开启" ] && {
echo ----------------Redir+DNS---------------------
iptables -t nat -L PREROUTING --line-numbers
iptables -t nat -L shellcrash_dns --line-numbers
@ -2509,6 +2509,11 @@ testcommand(){
}
}
}
[ "$vm_redir" = "已开启" ] && {
echo -------------vm-Redir-------------------
iptables -t nat -L shellcrash_vm --line-numbers
iptables -t nat -L shellcrash_vm_dns --line-numbers
}
fi
exit;
elif [ "$num" = 5 ]; then
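Review bot: The changed condition `[ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 -o "$vm_redir" = "已开启" ]` extends a `-o` chain inside a single `[ ]`; `-a`/`-o` are obsolescent in POSIX `test` and become ambiguous once an operand can look like an operator, and four alternatives in one bracket is already hard to read. Writing it as `{ [ "$firewall_area" = 1 ] || [ "$firewall_area" = 3 ] || [ "$firewall_area" = 5 ] || [ "$vm_redir" = "已开启" ]; } && {` keeps the same behaviour and matches the separate `[ "$vm_redir" = "已开启" ] && {` block added a few lines later. testcommand continues outside the hunk.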