Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
clash 旁路由配置
mixed-port: 17890
redir-port: 17892
allow-lan: true
mode: rule
log-level: info
external-controller: 0.0.0.0:9090
dns:
enable: true
ipv6: false
listen: 0.0.0.0:10053
nameserver:
- 8.8.8.8
- tls://dns.rubyfish.cn:853
- https://1.1.1.1/dns-query
- 1.1.1.1
enhanced-mode: fake-ip
#enhanced-mode: redir-host
default-nameserver:
- 114.114.114.114
- 8.8.8.8
fake-ip-range: 198.18.0.1/16
use-hosts: true
fallback:
- tls://dns.rubyfish.cn:853
- https://1.1.1.1/dns-query
proxies:
- name: "proxy1"
#TODO: proxy config
- name: "proxy2"
#TODO: proxy config
proxy-groups:
- name: "auto"
type: url-test
proxies:
- proxy1
- proxy2
url: 'http://www.gstatic.com/generate_204'
interval: 300
- name: "proxy"
type: select
proxies:
- proxy1
- proxy2
- auto
rules:
- DOMAIN-SUFFIX,vx.link,DIRECT
- DOMAIN-SUFFIX,ip.parts,DIRECT
- DOMAIN-SUFFIX,ad.com,REJECT
# 常见名单
- DOMAIN-SUFFIX,google.com,proxy
- DOMAIN-KEYWORD,google,proxy
# rename SOURCE-IP-CIDR and would remove after prerelease
#- SRC-IP-CIDR,192.168.2.184/32,DIRECT
# optional param "no-resolve" for IP rules (GEOIP IP-CIDR)
- IP-CIDR,127.0.0.0/8,DIRECT
- IP-CIDR,192.168.0.0/16,DIRECT
- GEOIP,CN,DIRECT
- MATCH,proxy
#!/bin/bash
proxy_port=17892
clash_dir=/opt/clash
clash_bin=$clash_dir/clash
# prepare: download clash and save it to $clash_dir/$clash_bin
# TODO: download clash
useradd -M -s /usr/sbin/nologin -U clash
chown -R clash:clash $clash_dir
chmod +x $clash_bin
# 让 clash 没有 root 权限也能 listen udp
setcap 'cap_net_admin=eip cap_net_bind_service=+eip' $clash_bin
iptables -t nat -F
iptables -t nat -F clash
iptables -t nat -X clash
# create chain named clash
iptables -t nat -N clash
# 调整文件描述符
echo "* soft nofile 102400" >> /etc/security/limits.conf
echo "* soft nofile 104800" >> /etc/security/limits.conf
# 开启 ip forward
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf && sysctl -p
echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.conf && sysctl -p
iptables -t nat -A clash -d 0.0.0.0/8 -j RETURN
iptables -t nat -A clash -d 10.0.0.0/8 -j RETURN
iptables -t nat -A clash -d 127.0.0.0/8 -j RETURN
iptables -t nat -A clash -d 169.254.0.0/16 -j RETURN
iptables -t nat -A clash -d 172.16.0.0/12 -j RETURN
iptables -t nat -A clash -d 192.168.0.0/16 -j RETURN
iptables -t nat -A clash -d 224.0.0.0/4 -j RETURN
iptables -t nat -A clash -d 240.0.0.0/4 -j RETURN
iptables -t nat -A clash -p tcp -j REDIRECT --to-port "$proxy_port"
iptables -t nat -I PREROUTING -p tcp -d 8.8.8.8 -j REDIRECT --to-port "$proxy_port"
iptables -t nat -I PREROUTING -p tcp -d 8.8.4.4 -j REDIRECT --to-port "$proxy_port"
iptables -t nat -A PREROUTING -p tcp -j clash
iptables -t nat -A OUTPUT -p tcp -d 198.18.0.0/16 -j REDIRECT --to-port "$proxy_port"
# 让 frp 这个用户不走代理
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner frp -j RETURN
# 下面的 -m owner 是过滤掉 clash 这个用户下的流量,让旁路由这台机器也能正常上网和走代理,同时也是为了让 proxy 直连而不是走 clash
iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner clash -j REDIRECT --to-port $proxy_port
iptables -t nat -F CLASH_DNS
iptables -t nat -X CLASH_DNS
iptables -t nat -N CLASH_DNS
# 让 frp 这个用户不走代理
iptables -t nat -A CLASH_DNS -p udp -m owner --uid-owner frp -j RETURN
iptables -t nat -A CLASH_DNS -p udp -j REDIRECT --to-port 10053
# 下面的 -m owner 是过滤掉 clash 这个用户下的流量,让旁路由这台机器也能正常上网和走代理,同时也是为了让 proxy 直连而不是走 clash
iptables -t nat -I OUTPUT -p udp --dport 53 -m owner ! --uid-owner clash -j CLASH_DNS
iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to 10053
# 持久化 iptables
netfilter-persistent save
# 还需要到 [supervisord] 块将 minfds 修改成 102400
[program:clash]
command=/opt/clash/clash -d .
process_name=%(program_name)s
numprocs=1
directory=/opt/clash
umask=022
autostart=true
autorestart=unexpected
stopsignal=TERM
stopwaitsecs=10
stopasgroup=true
killasgroup=true
user=clash
redirect_stderr=false
stdout_logfile=/opt/clash/stdout.log
stdout_logfile_maxbytes=10MB
stdout_logfile_backups=2
stdout_events_enabled=false
stderr_logfile=/opt/clash/stderr.log
stderr_logfile_maxbytes=10MB
stderr_logfile_backups=2
@cloverstd
Copy link
Author

cloverstd commented Aug 24, 2020

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment