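#!/bin/sh
# start.sh - install TPROXY redirection for mihomo (Clash) and run it in the
# foreground.  ./stop.sh tears the rules down again when this script exits.
#
# Written in POSIX sh (no bash arrays) so it runs under the shells found on
# Android/Magisk devices (mksh, busybox ash) as well as dash/bash.  Run it as
# root from the directory that holds ./mihomo and ./stop.sh.

set -u

# Port mihomo's transparent-proxy listener is bound to.
tproxy_port="7893"
# Mark mihomo is expected to put on its own outbound sockets (presumably its
# routing-mark setting).  Not referenced by any rule below: locally generated
# packets never traverse PREROUTING, so nothing here needs to match it.
# shellcheck disable=SC2034
routing_mark="2023"
# Fwmark and policy-routing table id used to steer TPROXY'd packets to lo.
id="2024"
# Optional: space-separated list of interfaces whose traffic may be proxied
# (e.g. "wlan0 rndis0").  Left empty, packets arriving on ANY interface are
# handed to mihomo, which makes this host an open relay for whatever can route
# packets through it.
lan_ifaces=""

# iptables/ip6tables with a bounded wait for the xtables lock.
ipt()  { iptables  -w 100 "$@"; }
ipt6() { ip6tables -w 100 "$@"; }

# Destinations that must never be proxied: private, loopback, link-local,
# multicast, documentation and reserved ranges.
intranet="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 233.252.0.0/24 240.0.0.0/4 255.255.255.255/32"
intranet6="::/128 ::1/128 ::ffff:0:0/96 100::/64 64:ff9b::/96 2001::/32 2001:10::/28 2001:20::/28 2001:db8::/32 2002::/16 fc00::/7 fe80::/10 ff00::/8"

# Turn Ctrl-C / TERM into a normal exit so the EXIT trap runs ./stop.sh
# exactly once (trapping INT and EXIT on the same command ran it twice).
trap 'exit 130' INT
trap 'exit 143' TERM
trap './stop.sh' EXIT

# Policy routing: packets carrying fwmark ${id} are delivered locally via lo,
# which is what lets TPROXY hand them to the listener on ${tproxy_port}.
ip rule add fwmark "${id}" lookup "${id}"
ip route add local default dev lo table "${id}"
ip -6 rule add fwmark "${id}" lookup "${id}"
ip -6 route add local default dev lo table "${id}"

# CLASH_EXTERNAL handles traffic arriving from other hosts.  -N fails
# harmlessly if the chain survived an unclean stop; -F then resets it.
ipt  -t mangle -N CLASH_EXTERNAL
ipt  -t mangle -F CLASH_EXTERNAL
ipt6 -t mangle -N CLASH_EXTERNAL
ipt6 -t mangle -F CLASH_EXTERNAL

# Packets already carrying our mark (set by DIVERT below) are not proxied
# again.  Belt and braces: DIVERT ACCEPTs them before this chain is reached.
ipt  -t mangle -A CLASH_EXTERNAL -m mark --mark "${id}" -j RETURN
ipt6 -t mangle -A CLASH_EXTERNAL -m mark --mark "${id}" -j RETURN

# Anything addressed to this host itself, or to a private/reserved range,
# is left alone.
ipt  -t mangle -A CLASH_EXTERNAL -m addrtype --dst-type LOCAL -j RETURN
ipt6 -t mangle -A CLASH_EXTERNAL -m addrtype --dst-type LOCAL -j RETURN
# shellcheck disable=SC2086  # word-splitting the lists is intended
for subnet in $intranet; do
  ipt -t mangle -A CLASH_EXTERNAL -d "$subnet" -j RETURN
done
# shellcheck disable=SC2086
for subnet in $intranet6; do
  ipt6 -t mangle -A CLASH_EXTERNAL -d "$subnet" -j RETURN
done

# tproxy_rules FAMILY MATCH...: append the TPROXY rule for one protocol to
# CLASH_EXTERNAL, once per interface in ${lan_ifaces} when that list is set.
# FAMILY is ipt or ipt6; MATCH is e.g. "-p tcp".  Matched packets are sent
# to ${tproxy_port} and marked so the policy route delivers them locally.
tproxy_rules() {
  tp_family=$1
  shift
  if [ -z "${lan_ifaces}" ]; then
    "${tp_family}" -t mangle -A CLASH_EXTERNAL "$@" \
      -j TPROXY --on-port "${tproxy_port}" --tproxy-mark "${id}"
  else
    # shellcheck disable=SC2086
    for tp_dev in ${lan_ifaces}; do
      "${tp_family}" -t mangle -A CLASH_EXTERNAL -i "${tp_dev}" "$@" \
        -j TPROXY --on-port "${tproxy_port}" --tproxy-mark "${id}"
    done
  fi
}

# Everything else goes to the proxy.  IPv6 UDP is deliberately left out (as
# in the original rule set): IPv6 UDP such as DNS therefore leaves this host
# directly and unproxied, while IPv6 TCP is proxied.
tproxy_rules ipt  -p tcp
tproxy_rules ipt  -p udp
tproxy_rules ipt6 -p tcp
#tproxy_rules ipt6 -p udp

# Hook the chain into PREROUTING only once it is fully populated.
ipt  -t mangle -A PREROUTING -j CLASH_EXTERNAL
ipt6 -t mangle -A PREROUTING -j CLASH_EXTERNAL

# DIVERT: packets that already belong to an established TCP socket of the
# proxy are just marked and accepted, skipping the TPROXY lookup above.
# Inserted at the top of PREROUTING so it runs before CLASH_EXTERNAL.
ipt  -t mangle -N DIVERT
ipt  -t mangle -F DIVERT
ipt6 -t mangle -N DIVERT
ipt6 -t mangle -F DIVERT
for family in ipt ipt6; do
  "${family}" -t mangle -A DIVERT -j MARK --set-mark "${id}"
  "${family}" -t mangle -A DIVERT -j ACCEPT
  "${family}" -t mangle -I PREROUTING -p tcp -m socket -j DIVERT
done

# Loop guard: mihomo itself (run as 0:3005 below) must not be able to connect
# to its own tproxy port on loopback, see
# https://github.com/Dreamacro/clash/issues/425.  Both owner conditions must
# hold (uid 0 AND gid 3005).  Only IPv4 127.0.0.1 over TCP is covered; ::1 and
# the host's own LAN addresses are not.
ipt -A OUTPUT -d 127.0.0.1 -p tcp -m owner --uid-owner 0 --gid-owner 3005 -m tcp --dport "${tproxy_port}" -j REJECT

# Run mihomo in the foreground.  This is NOT a privilege drop: the uid stays 0
# (root); only the gid is changed so the OUTPUT owner rule above can single
# out mihomo's own sockets.  busybox setuidgid is taken from the Magisk
# install, i.e. an Android host is assumed.
/data/adb/magisk/busybox setuidgid 0:3005 ./mihomo -d .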
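#!/bin/sh
# stop.sh - remove the policy routes and iptables rules installed by start.sh.
#
# Best effort: every step is attempted even if an earlier one fails, so the
# script can be re-run (e.g. after an unclean exit) and leaves nothing behind
# that it knows how to delete.  Error messages for rules that are already
# gone are left visible on purpose.  Does not stop mihomo itself; start.sh
# runs it in the foreground and invokes this script from its EXIT trap.
# The values below must match start.sh.

set -u

tproxy_port="7893"
# Kept in step with start.sh; no rule here references it.
# shellcheck disable=SC2034
routing_mark="2023"
id="2024"

# iptables/ip6tables with a bounded wait for the xtables lock.
ipt()  { iptables  -w 100 "$@"; }
ipt6() { ip6tables -w 100 "$@"; }

# Policy routing for fwmark ${id}.
ip rule del fwmark "${id}" table "${id}"
ip route del local default dev lo table "${id}"
ip -6 rule del fwmark "${id}" table "${id}"
ip -6 route del local default dev lo table "${id}"

# Unhook both chains from PREROUTING first: a chain still referenced from
# PREROUTING cannot be deleted with -X.
for family in ipt ipt6; do
  "${family}" -t mangle -D PREROUTING -j CLASH_EXTERNAL
  "${family}" -t mangle -D PREROUTING -p tcp -m socket -j DIVERT
done

# Flush (drops every rule inside, including any per-interface TPROXY rules)
# and delete the custom chains.
for family in ipt ipt6; do
  for chain in CLASH_EXTERNAL DIVERT; do
    "${family}" -t mangle -F "${chain}"
    "${family}" -t mangle -X "${chain}"
  done
done

# Loop-guard rule in the filter table (IPv4 only, matching start.sh).
ipt -D OUTPUT -d 127.0.0.1 -p tcp -m owner --uid-owner 0 --gid-owner 3005 -m tcp --dport "${tproxy_port}" -j REJECT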