cloverstd/config.yml
clash 旁路由配置
# Listening ports. redir-port is the transparent-proxy target and must match
# proxy_port in the iptables setup script.
mixed-port: 17890
redir-port: 17892
# A bypass router serves other LAN hosts, so the ports above must accept
# non-local connections.
allow-lan: true
mode: rule
log-level: info
# RESTful API / dashboard endpoint. NOTE(review): it is bound to every
# interface and no `secret` is set, so anyone who can reach TCP 9090 can read
# and change the running configuration; set a token (or bind to 127.0.0.1)
# before this host is reachable from anything but the trusted LAN.
external-controller: "0.0.0.0:9090"
# secret: "<REPLACE-WITH-RANDOM-TOKEN>"
dns:
  enable: true
  ipv6: false
  # Listens on every interface; the setup script redirects LAN UDP/53 here.
  listen: "0.0.0.0:10053"
  # Plain-IP resolvers used to bootstrap the DoT/DoH hostnames listed below.
  default-nameserver:
    - 114.114.114.114
    - 8.8.8.8
  nameserver:
    - 8.8.8.8
    - tls://dns.rubyfish.cn:853
    - https://1.1.1.1/dns-query
    - 1.1.1.1
  fallback:
    - tls://dns.rubyfish.cn:853
    - https://1.1.1.1/dns-query
  # fake-ip answers clients with an address from fake-ip-range and resolves the
  # real name on the proxy side; redir-host resolves locally instead.
  enhanced-mode: fake-ip
  # enhanced-mode: redir-host
  fake-ip-range: 198.18.0.1/16
  use-hosts: true
# Outbound proxy servers referenced by the proxy-groups below. Keep the real
# server addresses and credentials out of a shared/public copy of this file.
proxies:
  - name: "proxy1"
  # TODO: proxy config
  - name: "proxy2"
  # TODO: proxy config
proxy-groups:
  # Picks the lowest-latency member by fetching `url` every `interval` seconds.
  - name: "auto"
    type: url-test
    proxies:
      - proxy1
      - proxy2
    url: 'http://www.gstatic.com/generate_204'
    interval: 300
  # Manual selector shown in the dashboard; choosing "auto" delegates to the
  # url-test group above. The rules section routes proxied traffic to this group.
  - name: "proxy"
    type: select
    proxies:
      - proxy1
      - proxy2
      - auto
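# Evaluated top to bottom; the first matching rule decides, MATCH is the catch-all.
rules:
  - DOMAIN-SUFFIX,vx.link,DIRECT
  - DOMAIN-SUFFIX,ip.parts,DIRECT
  - DOMAIN-SUFFIX,ad.com,REJECT
  # common list
  - DOMAIN-SUFFIX,google.com,proxy
  - DOMAIN-KEYWORD,google,proxy
  # SRC-IP-CIDR is the renamed SOURCE-IP-CIDR and is to be removed after the prerelease
  # - SRC-IP-CIDR,192.168.2.184/32,DIRECT
  # optional param "no-resolve" for IP rules (GEOIP IP-CIDR)
  # Loopback and all RFC 1918 ranges stay direct. The original listed only
  # 127/8 and 192.168/16; a connection to 10/8 or 172.16/12 that reaches clash
  # (e.g. locally generated traffic on this box) would otherwise fall through
  # to MATCH,proxy and be sent to the proxy server.
  - IP-CIDR,127.0.0.0/8,DIRECT
  - IP-CIDR,10.0.0.0/8,DIRECT
  - IP-CIDR,172.16.0.0/12,DIRECT
  - IP-CIDR,192.168.0.0/16,DIRECT
  - GEOIP,CN,DIRECT
  - MATCH,proxy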
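#!/bin/bash
# Sets up Clash as a transparent proxy on a bypass router (旁路由): service
# account, file ownership, capabilities, kernel settings and nat rules.
# Must be run as root.
set -u

# Transparent-proxy port; must match `redir-port` in config.yml.
proxy_port=17892
clash_dir=/opt/clash
clash_bin="$clash_dir/clash"

# prepare: download clash and save it as $clash_bin
# TODO: download clash

# Service account with no home directory and no login shell. Skipped when the
# account already exists so the script can be re-run.
id clash >/dev/null 2>&1 || useradd -M -s /usr/sbin/nologin -U clash

# The data directory (config, cache, logs) belongs to the service user, but the
# binary itself stays root-owned and read-only for that user: a compromised
# clash process must not be able to replace its own executable.
chown -R clash:clash "$clash_dir"
chown root:root "$clash_bin"
chmod 0755 "$clash_bin"

# Let clash listen on UDP without root privileges.
# CAP_NET_ADMIN is a powerful capability (interface and firewall control), one
# more reason the file must not be writable by the clash user.
# CAP_NET_BIND_SERVICE only matters if a port below 1024 is ever configured;
# none of the ports in config.yml are.
setcap 'cap_net_admin=eip cap_net_bind_service=+eip' "$clash_bin"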
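# WARNING: `-F` with no chain name flushes EVERY rule in the nat table, not
# just ours (e.g. MASQUERADE or container NAT rules). That is what keeps a
# re-run idempotent, but check what else lives in the nat table first.
iptables -t nat -F
# Remove the chain left by a previous run; both commands fail harmlessly on
# the first run, when the chain does not exist yet.
iptables -t nat -F clash 2>/dev/null || true
iptables -t nat -X clash 2>/dev/null || true
# create chain named clash: destinations that must stay off the proxy RETURN,
# everything else is redirected to clash's redir-port
iptables -t nat -N clash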
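# Raise the open-file limit for PAM login sessions. The original wrote two
# `soft` entries; the second one is the hard limit (hard must be >= soft or
# the soft value is rejected). These do not apply to a daemon started by
# supervisord, which takes its limit from `minfds` in the [supervisord] block.
limits_file=/etc/security/limits.conf
for entry in "* soft nofile 102400" "* hard nofile 104800"; do
  # append each line once, so re-running does not grow the file
  grep -qxF "$entry" "$limits_file" || echo "$entry" >> "$limits_file"
done

# Enable IP forwarding so LAN clients can route through this box. Persisted
# in sysctl.conf (appended once) and applied with a single reload.
# NOTE(review): the nat rules below are IPv4 only; with IPv6 forwarding on,
# LAN IPv6 traffic is forwarded around clash entirely. Add ip6tables rules or
# leave IPv6 forwarding off if that bypass is not intended.
sysctl_file=/etc/sysctl.conf
for entry in "net.ipv4.ip_forward = 1" "net.ipv6.conf.all.forwarding = 1"; do
  grep -qxF "$entry" "$sysctl_file" || echo "$entry" >> "$sysctl_file"
done
sysctl -p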
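# Destinations that must never be proxied: unroutable, loopback, link-local,
# RFC 1918, multicast and reserved ranges leave the chain untouched.
# The fake-ip range (198.18.0.0/16) is deliberately absent: those addresses
# must reach clash.
for cidr in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
            192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
  iptables -t nat -A clash -d "$cidr" -j RETURN
done
# Everything else goes to clash's transparent redirect port.
iptables -t nat -A clash -p tcp -j REDIRECT --to-ports "$proxy_port"

# Clients that hard-code Google DNS over TCP are sent through clash too. These
# are already covered by the chain jump below (8.8.8.8 is not in the RETURN
# list); kept explicit so the intent stays visible.
iptables -t nat -I PREROUTING -p tcp -d 8.8.8.8 -j REDIRECT --to-ports "$proxy_port"
iptables -t nat -I PREROUTING -p tcp -d 8.8.4.4 -j REDIRECT --to-ports "$proxy_port"
# All forwarded TCP from LAN clients. NOTE(review): this matches on every
# interface; if the box has a non-LAN interface, add `-i <lan-interface>` so it
# does not act as an open transparent proxy for whatever reaches that side.
iptables -t nat -A PREROUTING -p tcp -j clash

# Locally generated traffic (this box itself). Connections to fake-ip
# addresses always go to clash.
iptables -t nat -A OUTPUT -p tcp -d 198.18.0.0/16 -j REDIRECT --to-ports "$proxy_port"
# The frp user bypasses the proxy (the rule is rejected if no such user exists).
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner frp -j RETURN
# `-m owner` filters out the clash user's own traffic, so this bypass-router
# box can still reach the internet normally and use the proxy, and so the
# proxy server is contacted directly rather than through clash.
# Jumping into the clash chain instead of straight to REDIRECT (as the
# original did) reuses the RETURN list above: local connections to private
# networks are no longer pushed into clash, where config.yml's rules would
# route 10/8 and 172.16/12 to the proxy via MATCH.
iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner clash -j clash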
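# DNS hijack: UDP/53 from LAN clients (PREROUTING) and from this box (OUTPUT,
# except clash's own upstream queries) lands on clash's DNS listener.
# Must match `dns.listen` in config.yml.
dns_port=10053
# Remove the chain left by a previous run; harmless on the first run.
iptables -t nat -F CLASH_DNS 2>/dev/null || true
iptables -t nat -X CLASH_DNS 2>/dev/null || true
iptables -t nat -N CLASH_DNS
# The frp user bypasses the proxy.
iptables -t nat -A CLASH_DNS -p udp -m owner --uid-owner frp -j RETURN
iptables -t nat -A CLASH_DNS -p udp -j REDIRECT --to-ports "$dns_port"
# `-m owner` filters out the clash user's own traffic (its upstream DNS must
# not be redirected back into itself), so this box can still resolve normally.
iptables -t nat -I OUTPUT -p udp --dport 53 -m owner ! --uid-owner clash -j CLASH_DNS
# NOTE(review): matches on every interface; restrict with `-i <lan-interface>`
# if this box is reachable from outside the LAN, or it becomes an open resolver.
iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports "$dns_port"

# Persist the nat rules across reboots (netfilter-persistent package).
netfilter-persistent save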
# Supervisor program definition for clash. The [supervisord] block of the main
# supervisor config also needs `minfds` raised to 102400: the limits.conf
# entries written by the setup script only apply to PAM login sessions, not to
# a daemon started by supervisord.
[program:clash]
command=/opt/clash/clash -d .
directory=/opt/clash
# Runs as the unprivileged service account; the binary carries file
# capabilities instead of needing root.
user=clash
umask=022
process_name=%(program_name)s
numprocs=1

# Lifecycle: start with supervisord, restart only after an unexpected exit
# code, send SIGTERM to the whole process group and wait 10s before SIGKILL.
autostart=true
autorestart=unexpected
stopsignal=TERM
stopwaitsecs=10
stopasgroup=true
killasgroup=true

# Logging: separate stdout/stderr files inside the clash-owned directory,
# rotated at 10MB with two backups kept.
redirect_stderr=false
stdout_logfile=/opt/clash/stdout.log
stdout_logfile_maxbytes=10MB
stdout_logfile_backups=2
stdout_events_enabled=false
stderr_logfile=/opt/clash/stderr.log
stderr_logfile_maxbytes=10MB
stderr_logfile_backups=2