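#!/bin/sh
# start.sh -- transparent-proxy bootstrap for mihomo (Clash) on a rooted
# Android device (Magisk busybox).
#
# Redirects TCP and UDP that arrives in mangle/PREROUTING (traffic the device
# forwards for others) into mihomo's TPROXY listener, then runs mihomo in the
# foreground.  When mihomo exits, or the script is interrupted, ./stop.sh
# removes everything that was added here.
#
# Run it from the directory holding ./mihomo, its config ("-d .") and
# ./stop.sh -- every path is relative to the working directory.  Needs root:
# iptables, policy routing and TPROXY all require CAP_NET_ADMIN.
#
# Written in POSIX sh (no arrays) so it behaves the same under Android's
# mksh, busybox ash and bash; the original mixed bash arrays with a
# "#!/bin/sh" shebang.

if [ "$(id -u)" -ne 0 ]; then
  printf 'start.sh: must be run as root\n' >&2
  exit 1
fi

tproxy_port="7893"   # port of mihomo's tproxy listener
routing_mark="2023"  # mark mihomo puts on its own outbound sockets (routing-mark);
                     # no rule in this script matches it -- see CLASH_EXTERNAL
id="2024"            # fwmark and routing-table number used for TPROXYed packets
iptables="iptables -w 100"    # -w: wait for the xtables lock instead of failing
ip6tables="ip6tables -w 100"

# Destinations that are never proxied: loopback, private (RFC 1918 / 6598)
# space, link-local, documentation, multicast and reserved ranges.  Plain
# space-separated lists (word-split in the loops below) keep this POSIX sh.
intranet="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 233.252.0.0/24 240.0.0.0/4 255.255.255.255/32"
intranet6="::/128 ::1/128 ::ffff:0:0/96 100::/64 64:ff9b::/96 2001::/32 2001:10::/28 2001:20::/28 2001:db8::/32 2002::/16 fc00::/7 fe80::/10 ff00::/8"

# Tear down on any exit.  Ctrl+C / TERM are turned into an explicit exit so
# the EXIT trap fires exactly once (trapping SIGINT and EXIT separately, as
# the original did, ran stop.sh twice on Ctrl+C).
cleanup() { ./stop.sh; }
trap cleanup EXIT
trap 'exit 130' INT
trap 'exit 143' TERM

# new_chain CMD CHAIN: create CHAIN in the mangle table and empty it.  "-N"
# fails harmlessly when the chain survived a dirty exit; "-F" then clears it.
# $1 is deliberately unquoted: it carries "iptables -w 100".
new_chain() {
  # shellcheck disable=SC2086
  $1 -t mangle -N "$2" 2>/dev/null
  # shellcheck disable=SC2086
  $1 -t mangle -F "$2"
}

# --- policy routing ---------------------------------------------------------
# Packets carrying fwmark ${id} are looked up in table ${id}, whose single
# route delivers them to lo; that is what lets TPROXY hand a packet for a
# foreign destination to the local listener.  (Re-running without stop.sh
# in between adds a duplicate rule; stop.sh removes all copies.)
ip rule add fwmark "${id}" lookup "${id}"
ip route add local default dev lo table "${id}"
ip -6 rule add fwmark "${id}" lookup "${id}"
ip -6 route add local default dev lo table "${id}"

# --- CLASH_EXTERNAL: decide what gets proxied -------------------------------
new_chain "${iptables}" CLASH_EXTERNAL
new_chain "${ip6tables}" CLASH_EXTERNAL

# Packets that already carry mark ${id} are left alone (loop guard).  Note
# that this tests ${id}, not ${routing_mark}: the original comment described
# it as the routing-mark bypass, but the rule never matched that value.
${iptables} -t mangle -A CLASH_EXTERNAL -m mark --mark "${id}" -j RETURN
${ip6tables} -t mangle -A CLASH_EXTERNAL -m mark --mark "${id}" -j RETURN

# Anything addressed to one of this host's own addresses stays local.
${iptables} -t mangle -A CLASH_EXTERNAL -m addrtype --dst-type LOCAL -j RETURN
${ip6tables} -t mangle -A CLASH_EXTERNAL -m addrtype --dst-type LOCAL -j RETURN

# Private / reserved destinations bypass the proxy.
for subnet in ${intranet}; do
  ${iptables} -t mangle -A CLASH_EXTERNAL -d "${subnet}" -j RETURN
done
for subnet6 in ${intranet6}; do
  ${ip6tables} -t mangle -A CLASH_EXTERNAL -d "${subnet6}" -j RETURN
done

# Everything else: TPROXY to the local listener and mark with ${id} so the
# policy-routing rule above sends it to lo.  IPv6 UDP stays disabled, as in
# the original (the rule was commented out there; the reason is not recorded).
${iptables} -t mangle -A CLASH_EXTERNAL -p tcp -j TPROXY --on-port "${tproxy_port}" --tproxy-mark "${id}"
${iptables} -t mangle -A CLASH_EXTERNAL -p udp -j TPROXY --on-port "${tproxy_port}" --tproxy-mark "${id}"
${ip6tables} -t mangle -A CLASH_EXTERNAL -p tcp -j TPROXY --on-port "${tproxy_port}" --tproxy-mark "${id}"
#${ip6tables} -t mangle -A CLASH_EXTERNAL -p udp -j TPROXY --on-port "${tproxy_port}" --tproxy-mark "${id}"

# Hook the chain into PREROUTING unless the jump is already there, so a
# re-run after a dirty exit does not stack duplicate jumps.
${iptables} -t mangle -C PREROUTING -j CLASH_EXTERNAL 2>/dev/null \
  || ${iptables} -t mangle -A PREROUTING -j CLASH_EXTERNAL
${ip6tables} -t mangle -C PREROUTING -j CLASH_EXTERNAL 2>/dev/null \
  || ${ip6tables} -t mangle -A PREROUTING -j CLASH_EXTERNAL

# --- DIVERT: short-circuit packets of already-established local sockets -----
# "-m socket" matches packets that belong to an existing local socket.  Those
# just get the mark (so they route to lo) and are ACCEPTed, skipping the
# CLASH_EXTERNAL walk -- the optimisation the original described.
# NOTE(review): "-m socket --transparent" would narrow the match to
# transparent (TPROXY) sockets only; kept without it to preserve behaviour.
new_chain "${iptables}" DIVERT
new_chain "${ip6tables}" DIVERT
${iptables} -t mangle -A DIVERT -j MARK --set-mark "${id}"
${iptables} -t mangle -A DIVERT -j ACCEPT
${ip6tables} -t mangle -A DIVERT -j MARK --set-mark "${id}"
${ip6tables} -t mangle -A DIVERT -j ACCEPT
# Inserted at the head of PREROUTING so it runs before CLASH_EXTERNAL.
${iptables} -t mangle -C PREROUTING -p tcp -m socket -j DIVERT 2>/dev/null \
  || ${iptables} -t mangle -I PREROUTING -p tcp -m socket -j DIVERT
${ip6tables} -t mangle -C PREROUTING -p tcp -m socket -j DIVERT 2>/dev/null \
  || ${ip6tables} -t mangle -I PREROUTING -p tcp -m socket -j DIVERT

# --- loop guard for mihomo itself ------------------------------------------
# A connection from mihomo (uid 0 / gid 3005, the identity it is started with
# below) to its own tproxy port on 127.0.0.1 would loop back into the proxy;
# reject it.  See https://github.com/Dreamacro/clash/issues/425.
# Only IPv4 is covered: there is no ip6tables counterpart for [::1].  If the
# listener is also bound on IPv6 loopback, add one here and in stop.sh.
${iptables} -C OUTPUT -d 127.0.0.1 -p tcp -m owner --uid-owner 0 --gid-owner 3005 -m tcp --dport "${tproxy_port}" -j REJECT 2>/dev/null \
  || ${iptables} -A OUTPUT -d 127.0.0.1 -p tcp -m owner --uid-owner 0 --gid-owner 3005 -m tcp --dport "${tproxy_port}" -j REJECT

# --- run mihomo -------------------------------------------------------------
# Foreground, so the EXIT trap (stop.sh) runs as soon as it terminates.
# NOTE(review): uid 0 is full root, far more than the CAP_NET_ADMIN/CAP_NET_RAW
# a TPROXY listener needs; gid 3005 presumably exists so the REJECT rule above
# can single out mihomo's own sockets.  An unprivileged uid with ambient
# capabilities would limit the blast radius of a compromised mihomo.
/data/adb/magisk/busybox setuidgid 0:3005 ./mihomo -d .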
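# stop.sh -- undo everything start.sh set up: the fwmark policy-routing rule
# and table, the CLASH_EXTERNAL and DIVERT chains with their PREROUTING
# jumps, and the loopback REJECT rule.  start.sh runs this from its EXIT trap.
#
# Every deletion is attempted independently, so the script is safe to run
# when part of the setup is already gone.  Jumps, rules and ip rules are
# deleted in a loop because a restart after a dirty exit can leave
# duplicates and "-D" / "ip rule del" remove only one match per call.
# The values below must match start.sh.

if [ "$(id -u)" -ne 0 ]; then
  printf 'stop.sh: must be run as root\n' >&2
  exit 1
fi

tproxy_port="7893"
routing_mark="2023"   # not referenced here; kept in step with start.sh
id="2024"
iptables="iptables -w 100"
ip6tables="ip6tables -w 100"

# del_all CMD ARGS...: run "CMD ARGS" until it fails, i.e. delete every copy
# of a rule.  Failure output is discarded because "nothing left to delete"
# is the expected terminating condition.  $1 is unquoted on purpose -- it may
# carry "iptables -w 100".
del_all() {
  _cmd=$1
  shift
  # shellcheck disable=SC2086
  while $_cmd "$@" 2>/dev/null; do :; done
}

# Policy routing: every copy of the fwmark rule, then the table's only route.
del_all ip rule del fwmark "${id}" table "${id}"
ip route del local default dev lo table "${id}"
del_all ip -6 rule del fwmark "${id}" table "${id}"
ip -6 route del local default dev lo table "${id}"

# Unhook the chains from PREROUTING first ("-X" refuses while a jump still
# references the chain), then flush and delete them.
del_all "${iptables}" -t mangle -D PREROUTING -j CLASH_EXTERNAL
del_all "${ip6tables}" -t mangle -D PREROUTING -j CLASH_EXTERNAL
del_all "${iptables}" -t mangle -D PREROUTING -p tcp -m socket -j DIVERT
del_all "${ip6tables}" -t mangle -D PREROUTING -p tcp -m socket -j DIVERT
for chain in CLASH_EXTERNAL DIVERT; do
  ${iptables} -t mangle -F "${chain}"
  ${iptables} -t mangle -X "${chain}"
  ${ip6tables} -t mangle -F "${chain}"
  ${ip6tables} -t mangle -X "${chain}"
done

# Loopback REJECT rule added by start.sh (IPv4 only, as there).
del_all "${iptables}" -D OUTPUT -d 127.0.0.1 -p tcp -m owner --uid-owner 0 --gid-owner 3005 -m tcp --dport "${tproxy_port}" -j REJECT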