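#!/bin/bash
# Set iptables for clash redir mode.
#
# Two nat chains are created and hooked in:
#   CLASH       from PREROUTING - traffic arriving from LAN hosts
#   CLASH_LOCAL from OUTPUT     - traffic generated on this host
# Each chain first redirects DNS (tcp/udp 53) to DNS_PORT, then lets
# reserved/private destinations through untouched, and finally redirects
# all remaining TCP to REDIR_PORT. CLASH_LOCAL additionally returns early
# for traffic owned by UID_OWNER (the uid clash runs as) so clash's own
# outbound connections are not looped back into the redirect.
#
# Must run as root. Re-running is safe: an existing chain is flushed and
# refilled instead of receiving a second copy of every rule, and the
# PREROUTING/OUTPUT jump is inserted only if it is not already present.
# The companion teardown script (iptables -D / -F / -X) undoes this.
set -euo pipefail

readonly REDIR_PORT=1234   # clash 'redir-port'
readonly DNS_PORT=2253     # port clash's DNS server listens on
readonly UID_OWNER=1000    # uid of the user clash runs as

# Destinations that must never be redirected: unspecified, loopback,
# RFC1918 ranges, 198.18.0.0/16 (kept in step with the fake-ip-range in
# clash's config), link-local, multicast and reserved.
readonly -a BYPASS_NETS=(
  0.0.0.0/8
  127.0.0.0/8
  10.0.0.0/8
  198.18.0.0/16
  169.254.0.0/16
  172.16.0.0/12
  192.168.0.0/16
  224.0.0.0/4
  240.0.0.0/4
)

#######################################
# Create a nat chain, or flush it if it already exists.
# Arguments: $1 - chain name
#######################################
ensure_chain() {
  local chain=$1
  # -N fails when the chain exists; flushing instead of appending keeps
  # repeated runs from accumulating duplicate rules.
  iptables -t nat -N "${chain}" 2>/dev/null || iptables -t nat -F "${chain}"
}

#######################################
# Append the redirect rules shared by both chains. Rule order matters:
# DNS capture comes before the bypass list on purpose, so queries sent to
# a resolver on a private address are still answered by clash.
# Arguments: $1 - chain name
# Globals:   DNS_PORT, REDIR_PORT, BYPASS_NETS (read)
#######################################
add_redirect_rules() {
  local chain=$1
  local net
  iptables -t nat -A "${chain}" -p udp -m udp --dport 53 -j REDIRECT --to-ports "${DNS_PORT}"
  iptables -t nat -A "${chain}" -p tcp -m tcp --dport 53 -j REDIRECT --to-ports "${DNS_PORT}"
  for net in "${BYPASS_NETS[@]}"; do
    iptables -t nat -A "${chain}" -d "${net}" -j RETURN
  done
  # Only TCP is redirected; UDP other than DNS is intentionally left untouched.
  iptables -t nat -A "${chain}" -p tcp -j REDIRECT --to-ports "${REDIR_PORT}"
}

#######################################
# Insert a jump to a user chain at the top of a builtin chain, once.
# Arguments: $1 - builtin chain (PREROUTING / OUTPUT), $2 - user chain
#######################################
ensure_jump() {
  local builtin=$1 chain=$2
  # -C reports whether an identical rule already exists; avoids stacking
  # a new jump on every run.
  iptables -t nat -C "${builtin}" -p all -j "${chain}" 2>/dev/null \
    || iptables -t nat -I "${builtin}" 1 -p all -j "${chain}"
}

main() {
  if (( EUID != 0 )); then
    printf '%s: must run as root\n' "${0##*/}" >&2
    exit 1
  fi

  # LAN: traffic forwarded for other hosts.
  ensure_chain CLASH
  add_redirect_rules CLASH
  ensure_jump PREROUTING CLASH

  # Local: this host's own traffic. Sockets owned by UID_OWNER (clash
  # itself) must skip the chain or they would be redirected back to clash.
  ensure_chain CLASH_LOCAL
  iptables -t nat -A CLASH_LOCAL -m owner --uid-owner "${UID_OWNER}" -j RETURN
  add_redirect_rules CLASH_LOCAL
  ensure_jump OUTPUT CLASH_LOCAL
}

main "$@"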
以 recall 用户启动,recall 对应的 uid 为 1000,对应上面的 UID_OWNER
# Start clash as the unprivileged user 'recall' (uid 1000, the UID_OWNER that the
# iptables script exempts with --uid-owner) using /data/clash/ as its config
# directory, so clash's own outbound connections are not caught by the
# CLASH_LOCAL redirect.
sudo -u recall /data/clash/clash-linux-armv7-2021.05.08 -d /data/clash/
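# clash config for redir mode (indentation restored; the listing had lost it).
# HTTP+SOCKS inbound; reachable from the LAN because allow-lan is true below.
mixed-port: 3333
# Matches REDIR_PORT in the iptables script
redir-port: 1234
allow-lan: true
mode: rule
log-level: info
# NOTE(review): no bind address is given, so the controller API presumably
# listens on every interface, and no 'secret' is set. Bind it to loopback
# (e.g. 127.0.0.1:9090) or add a 'secret' token — confirm it is not reachable
# from the LAN.
external-controller: :9090
# The iptables script redirects port 53 here; matches DNS_PORT
dns:
  enable: true
  listen: 0.0.0.0:2253
  # redir-host or fake-ip
  enhanced-mode: redir-host
  # fake-ip-range: 198.18.0.1/16
  nameserver:
    # clash's own lookups go to the local mosdns-cn instance first
    - '127.0.0.1:3353'
    - '119.29.29.29'
proxies:
  - name: "ss1"
    type: ss
    server: server1
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "passwd"   # placeholder value; keep real credentials out of shared configs
    udp: false
  - name: "ss2"
    type: ss
    server: server2
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "passwd"   # placeholder value; keep real credentials out of shared configs
    udp: false
proxy-groups:
  - name: DefaultProxy
    type: select
    proxies:
      - 'ss1'
      - 'ss2'
  - name: "URLTest"
    type: url-test
    proxies:
      - 'ss1'
      - 'ss2'
    # tolerance: 150
    # lazy: true
    url: 'http://www.gstatic.com/generate_204'
    interval: 300
  - name: "Fallback"
    type: fallback
    proxies:
      - 'ss1'
      - 'ss2'
    url: 'http://www.gstatic.com/generate_204'
    interval: 300
  - name: Proxy
    type: select
    proxies:
      - 'DefaultProxy'
      - 'URLTest'
      - 'Fallback'
  - name: China
    type: select
    proxies:
      - 'DIRECT'
  - name: Reject
    type: select
    proxies:
      - 'REJECT'
      - 'DIRECT'
      - 'Proxy'
  - name: Final
    type: select
    proxies:
      - 'URLTest'
      - 'Fallback'
      - 'Proxy'
      - 'DIRECT'
# Rule lists fetched over HTTPS from a CDN and refreshed daily; the rule
# outcome depends on that remote content, so pin or mirror it if that matters.
rule-providers:
  reject:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
    path: ./ruleset/reject.yaml
    interval: 86400
  icloud:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/icloud.txt"
    path: ./ruleset/icloud.yaml
    interval: 86400
  apple:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/apple.txt"
    path: ./ruleset/apple.yaml
    interval: 86400
  google:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/google.txt"
    path: ./ruleset/google.yaml
    interval: 86400
  proxy:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt"
    path: ./ruleset/proxy.yaml
    interval: 86400
  direct:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt"
    path: ./ruleset/direct.yaml
    interval: 86400
  private:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/private.txt"
    path: ./ruleset/private.yaml
    interval: 86400
  gfw:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/gfw.txt"
    path: ./ruleset/gfw.yaml
    interval: 86400
  greatfire:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/greatfire.txt"
    path: ./ruleset/greatfire.yaml
    interval: 86400
  tld-not-cn:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/tld-not-cn.txt"
    path: ./ruleset/tld-not-cn.yaml
    interval: 86400
  telegramcidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/telegramcidr.txt"
    path: ./ruleset/telegramcidr.yaml
    interval: 86400
  cncidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cncidr.txt"
    path: ./ruleset/cncidr.yaml
    interval: 86400
  lancidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/lancidr.txt"
    path: ./ruleset/lancidr.yaml
    interval: 86400
# Evaluated top to bottom; first match wins.
rules:
  - RULE-SET, reject, REJECT
  # private/internal domain names
  - RULE-SET, private, DIRECT
  # private/internal addresses
  - RULE-SET, lancidr, DIRECT
  - RULE-SET, proxy, Proxy
  - RULE-SET, apple, Proxy
  - RULE-SET, icloud, Proxy
  - RULE-SET, google, Proxy
  - RULE-SET, gfw, Proxy
  - RULE-SET, greatfire, Proxy
  - RULE-SET, tld-not-cn, Proxy
  - RULE-SET, telegramcidr, Proxy
  # domestic (CN) domain names
  - RULE-SET, direct, China
  # domestic (CN) IP ranges
  - RULE-SET, cncidr, China
  - MATCH,Final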
iptables.upset.sh
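#!/bin/bash
# Tear down the clash redir-mode iptables rules created by the setup script:
# remove the jumps from OUTPUT / PREROUTING, then flush and delete both
# chains. Must run as root. Safe to run when the rules are already gone.
set -u

#######################################
# Remove every jump to a user chain from a builtin chain, then delete it.
# Deleting in a loop clears duplicate jumps left by repeated setup runs;
# -X cannot succeed while anything still references the chain. Flush and
# delete are best-effort so a missing chain does not abort the cleanup.
# Arguments: $1 - builtin chain (OUTPUT / PREROUTING), $2 - user chain
#######################################
remove_chain() {
  local builtin=$1 chain=$2
  while iptables -t nat -D "${builtin}" -j "${chain}" 2>/dev/null; do :; done
  iptables -t nat -F "${chain}" 2>/dev/null || true   # chain may already be gone
  iptables -t nat -X "${chain}" 2>/dev/null || true   # chain may already be gone
}

remove_chain OUTPUT CLASH_LOCAL
remove_chain PREROUTING CLASH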