@nirui
Last active May 31, 2019 04:07
<?xml version="1.0" encoding="utf-8"?>
<!--
  firewalld direct rules (the <direct>/<chain>/<rule> layout used by direct.xml)
  confining the outbound traffic of sockets owned by the "shadowsocks" account.

  Two private IPv4 chains are created and OUTPUT jumps into them for that uid
  only: filter/proxy_restriction returns a fixed set of ports to OUTPUT and
  refuses everything else; nat/proxy_redirect bounces plain HTTP to the local
  listener on port 3128. firewalld orders direct rules by priority (lower values
  are inserted first), so the priority-1 allow rules are tried before the
  priority-255 catch-all. Note that the iptables script further down this page
  encodes a different port list; the two rule sets are not equivalent.
-->
<direct>
  <chain chain="proxy_restriction" table="filter" ipv="ipv4"/>
  <chain chain="proxy_redirect" table="nat" ipv="ipv4"/>

  <!-- Allowed egress for the proxy user: replies from the 2302 listener, the
       local proxy ports 3128/8080/1080, the usual mail/HTTPS/SSH/FTP ports,
       and DNS. UDP DNS is rate-limited (6/s, burst 12); packets above the rate
       fall through to the UDP DROP below. RETURN hands the packet back to
       OUTPUT, where firewalld's normal OUTPUT handling continues. -->
  <rule chain="proxy_restriction" table="filter" ipv="ipv4" priority="1">-p tcp --sport 2302 -j RETURN</rule>
  <rule chain="proxy_restriction" table="filter" ipv="ipv4" priority="1">-p udp --sport 2302 -j RETURN</rule>
  <rule chain="proxy_restriction" table="filter" ipv="ipv4" priority="1">-p tcp --dport 3128 -j RETURN</rule>
  <rule chain="proxy_restriction" table="filter" ipv="ipv4" priority="1">-p tcp --dport 8080 -j RETURN</rule>
  <rule chain="proxy_restriction" table="filter" ipv="ipv4" priority="1">-p tcp --dport 1080 -j RETURN</rule>
  <rule chain="proxy_restriction" table="filter" ipv="ipv4" priority="1">-p tcp --dport 995 -j RETURN</rule>
  <rule chain="proxy_restriction" table="filter" ipv="ipv4" priority="1">-p tcp --dport 587 -j RETURN</rule>
  <rule chain="proxy_restriction" table="filter" ipv="ipv4" priority="1">-p tcp --dport 465 -j RETURN</rule>
  <rule chain="proxy_restriction" table="filter" ipv="ipv4" priority="1">-p tcp --dport 443 -j RETURN</rule>
  <rule chain="proxy_restriction" table="filter" ipv="ipv4" priority="1">-p tcp --dport 22 -j RETURN</rule>
  <rule chain="proxy_restriction" table="filter" ipv="ipv4" priority="1">-p tcp --dport 21 -j RETURN</rule>
  <rule chain="proxy_restriction" table="filter" ipv="ipv4" priority="1">-p tcp --dport 53 -j RETURN</rule>
  <rule chain="proxy_restriction" table="filter" ipv="ipv4" priority="1">-p udp --dport 53 -m limit --limit 6/s --limit-burst 12 -j RETURN</rule>

  <!-- Catch-all for the proxy user: TCP is refused with a reset, UDP is
       silently dropped (this is also what enforces the DNS rate limit). -->
  <rule chain="proxy_restriction" table="filter" ipv="ipv4" priority="255">-p tcp -j REJECT --reject-with tcp-reset</rule>
  <rule chain="proxy_restriction" table="filter" ipv="ipv4" priority="255">-p udp -j DROP</rule>

  <!-- Transparent redirect of the proxy user's plain HTTP to local port 3128. -->
  <rule chain="proxy_redirect" table="nat" ipv="ipv4" priority="1">-p tcp --dport 80 -j REDIRECT --to-port 3128</rule>

  <!-- Entry points: only sockets owned by uid "shadowsocks" enter the two
       private chains; other users are untouched by this file. -->
  <rule chain="OUTPUT" table="filter" ipv="ipv4" priority="1">-m owner --uid-owner shadowsocks -j proxy_restriction</rule>
  <rule chain="OUTPUT" table="nat" ipv="ipv4" priority="1">-m owner --uid-owner shadowsocks -j proxy_redirect</rule>
</direct>
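#!/bin/sh
# Firewall and service start-up for a host running shadowsocks plus the
# "coward" proxy/projector and "trap" daemons.
#
# Rules are appended (-A) to whatever is already loaded; nothing is flushed
# first, so running the script twice duplicates every rule. There is no
# `set -e`, so an iptables line that fails to parse is skipped silently and
# the hole or limit it was meant to add simply does not exist.

# Account that owns the proxy sockets; its egress is restricted below.
PROXY_USER=shadowsocks

# tcp_in PORT MAX
# Accept inbound TCP to PORT, but drop further SYNs once one source address
# (--connlimit-mask 32, i.e. per host) already holds MAX connections to it.
# The original lines reused the MAX value as the mask (64, 1024); for IPv4
# the mask must be 0..32, so iptables rejected those lines and the per-host
# limit on 8899/80/443/221/2302 was never installed.
tcp_in() {
    iptables -A INPUT -p tcp --syn --dport "$1" -m connlimit --connlimit-above "$2" --connlimit-mask 32 -j DROP
    iptables -A INPUT -p tcp --dport "$1" -j ACCEPT
}

# proxy_out RULE...
# filter/OUTPUT rule that applies only to sockets owned by $PROXY_USER; every
# other local process is governed by the OUTPUT policy (ACCEPT).
proxy_out() {
    iptables -t filter -A OUTPUT -m owner --uid-owner "$PROXY_USER" "$@"
}

# Default policies: inbound deny-by-default, forwarding and egress allowed.
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 29082 -j ACCEPT

# COWARD projector at port 8899
tcp_in 8899 64
proxy_out -p tcp --sport 8899 -j ACCEPT

# Public 80/443/221 are rewritten by the PREROUTING REDIRECTs below before the
# filter INPUT chain runs, so externally originated connections reach INPUT
# with the 555xx port, not the public one. The rules on the public ports are
# kept so the services stay reachable if a REDIRECT is ever removed, but the
# connection limit has to be applied on the redirected port to take effect.
tcp_in 80 1024
tcp_in 443 1024
tcp_in 221 64
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 55580
tcp_in 55580 1024
proxy_out -p tcp --sport 55580 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 55443
tcp_in 55443 1024
proxy_out -p tcp --sport 55443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 221 -j REDIRECT --to-port 55521
tcp_in 55521 64
proxy_out -p tcp --sport 55521 -j ACCEPT

# COWARD server at port 2302
tcp_in 2302 64
proxy_out -p tcp --sport 2302 -j ACCEPT
proxy_out -p udp --sport 2302 -j ACCEPT

# Public SS-Server shared to friends on 9999
tcp_in 9999 32
proxy_out -p tcp --sport 9999 -j ACCEPT
proxy_out -p udp --sport 9999 -j ACCEPT

# Egress policy for $PROXY_USER: plain HTTP is bounced through the local 8080
# listener, HTTPS and DNS go out directly, and every other TCP connection is
# refused with a reset. UDP DNS is rate-limited; without the DROP that follows
# the limit rule, packets above the rate would simply fall through to the
# OUTPUT policy (ACCEPT) and the limit would be a no-op. Other UDP from this
# user is still unrestricted, matching the original script.
iptables -t nat -A OUTPUT -m owner --uid-owner "$PROXY_USER" -p tcp --dport 80 -j REDIRECT --to-port 8080
proxy_out -p tcp --dport 8080 -j ACCEPT
proxy_out -p tcp --dport 80 -j ACCEPT
proxy_out -p tcp --dport 443 -j ACCEPT
proxy_out -p udp --dport 53 -m limit --limit 6/s --limit-burst 12 -j ACCEPT
proxy_out -p udp --dport 53 -j DROP
proxy_out -p tcp --dport 53 -j ACCEPT
proxy_out -p tcp -j REJECT --reject-with tcp-reset

# Start the daemons. `su -` needs $PROXY_USER to have a usable login shell,
# and that shell - not this script - parses the -c string. The shadowsocks
# password is passed on the command line (-k), so it is visible to every
# local user in the process list, and rc4-md5 is a legacy non-AEAD cipher;
# a config file and an AEAD method would avoid both. Log files use fixed
# names under /tmp.
# -s <server_host> host name or ip address of your remote server
# -p <server_port> port number of your remote server
# -l <local_port> port number of your local server
# -k <password> password of your remote server
su - "$PROXY_USER" -c "ss-server -s 0.0.0.0 -p 9999 -l 1080 -k public -m rc4-md5 -u &"
# `>file 2>&1` rather than bash-only `&>`: under a POSIX sh login shell `&>`
# backgrounds the command without redirecting it, so the crash log stays empty.
su - "$PROXY_USER" -c "/opt/coward/coward -p /opt/coward/proxy.conf -d -log /tmp/coward.log -s proxy >/tmp/coward-crash.log 2>&1 &"
su - "$PROXY_USER" -c "/opt/coward/coward -p /opt/coward/projector.conf -d -log /tmp/coward-projector.log -s projector >/tmp/coward-projector-crash.log 2>&1 &"
su - root -c "/opt/trap/trap -config /opt/trap/trap-config.json -log /tmp/trap.log -profiling-cpu /tmp/trap-cpu.pprof -profiling-mem /tmp/trap-mem.pprof 2>/tmp/trap-crash.log &"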