#!/bin/sh /etc/rc.common
# OpenWrt procd init script for gost: runs a local SNI listener and a
# transparent-redirect listener, and steers selected forwarded TCP traffic
# into them with ipset-driven iptables REDIRECT rules in the nat table.
USE_PROCD=1
START=99
STOP=98

# ipset names used by the GOST chain. Destinations in the first two sets and
# in the china set are connected directly; destinations in the gfw set go via
# the proxy. Only the first two sets are populated by this script.
ProxyIPSet="proxy_ipset"
InternalIPSet="internal_ipset"
GreatFireWallIPSet="gfw_ipset"
ChinaIPSet="china_ipset"

# Local listener ports: traffic to port 443 is redirected to the SNI
# listener, all other proxied TCP traffic to the redirect listener.
SniPort=1443
RedirectPort=8443

# Upstream ss2 proxy endpoint and credentials.
ProxyIP="vps_ip_ip"
ProxyPort=5655
ProxyEncryptionAlgorithm="AEAD_CHACHA20_POLY1305"
# NOTE(review): the password is a literal here and is passed to gost on its
# command line, so it is readable via `ps` by any local user; keeping it in a
# root-only file that gost reads would be safer.
ProxyPassword="xxoo10086"
GostProxyCommand="-F=ss2://${ProxyEncryptionAlgorithm}:${ProxyPassword}@${ProxyIP}:${ProxyPort}"

# gost binary to launch.
BinaryPath="/data/gost/gost_amrv7"
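#######################################
# Create the four ipsets and seed the proxy-host and reserved-range sets,
# which create_iptables exempts from redirection.
# Globals:  ProxyIPSet InternalIPSet GreatFireWallIPSet ChinaIPSet ProxyIP (read)
# Outputs:  nothing on stdout; ipset errors go to stderr
# Returns:  status of the last ipset call
#######################################
create_ipset() {
  local set_name cidr
  # -! (-exist) makes create and add idempotent, so a restart does not
  # produce "already exists / already added" errors.
  for set_name in "${ProxyIPSet}" "${InternalIPSet}" "${GreatFireWallIPSet}" "${ChinaIPSet}"; do
    ipset -! create "${set_name}" hash:net maxelem 1000000
  done
  # Packets to the proxy server itself must never be redirected (rule 1 of
  # the GOST chain), otherwise gost's own upstream connection would be caught.
  ipset -! add "${ProxyIPSet}" "${ProxyIP}"
  # Reserved / non-routable ranges are always connected directly.
  for cidr in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
      172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
    ipset -! add "${InternalIPSet}" "${cidr}"
  done
}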
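#######################################
# Build the GOST nat chain and hook it into PREROUTING.
# Chain order: proxy host / reserved ranges direct, gfw set proxied, china
# set direct, everything else proxied (443 -> SNI port, other TCP -> redirect).
# Globals:  ProxyIPSet InternalIPSet GreatFireWallIPSet ChinaIPSet
#           SniPort RedirectPort (read)
# Outputs:  progress messages on stdout
# Returns:  status of the last iptables call
#######################################
create_iptables() {
  echo "create iptable rule for gost"
  # `iptables -C` tests for a rule and needs a full rule spec, so `-C GOST`
  # always failed and the chain was re-created on every start; `-L` is the
  # check for a chain's existence.
  if iptables -t nat -nL GOST >/dev/null 2>&1; then
    echo "iptables chain GOST exists, ignore command..."
  else
    echo "create iptables chain: GOST"
    iptables -t nat -N GOST
  fi
  # Start from an empty chain so repeated starts do not stack rules.
  iptables -t nat -F GOST
  # 1-2: the proxy server and reserved ranges are always connected directly.
  iptables -t nat -A GOST -p all -m set --match-set "${ProxyIPSet}" dst -j ACCEPT
  iptables -t nat -A GOST -p all -m set --match-set "${InternalIPSet}" dst -j ACCEPT
  # 3-4: blocked destinations go through gost: 443 to the SNI listener,
  # any other TCP port to the transparent-redirect listener.
  iptables -t nat -A GOST -p tcp --dport 443 -m set --match-set "${GreatFireWallIPSet}" dst -j REDIRECT --to-ports "${SniPort}"
  iptables -t nat -A GOST -p tcp -m set --match-set "${GreatFireWallIPSet}" dst -j REDIRECT --to-ports "${RedirectPort}"
  # 5: domestic destinations are connected directly.
  iptables -t nat -A GOST -p tcp -m set --match-set "${ChinaIPSet}" dst -j ACCEPT
  # 6-7: everything else over TCP goes through gost.
  iptables -t nat -A GOST -p tcp --dport 443 -j REDIRECT --to-ports "${SniPort}"
  iptables -t nat -A GOST -p tcp -j REDIRECT --to-ports "${RedirectPort}"
  # Only forwarded traffic (PREROUTING) is steered; the router's own traffic
  # (OUTPUT) is deliberately left alone. Add the jump only if it is not
  # already there, so a restart cannot stack a second jump that
  # remove_iptables would then leave behind.
  iptables -t nat -C PREROUTING -p all -j GOST >/dev/null 2>&1 \
    || iptables -t nat -I PREROUTING 1 -p all -j GOST
}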
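#######################################
# Tear down the GOST nat chain and empty the ipsets used by it.
# Note: this also empties the gfw and china sets, which this script itself
# never fills; whatever loads them must run again after the next start.
# Globals:  ProxyIPSet InternalIPSet GreatFireWallIPSet ChinaIPSet (read)
# Outputs:  progress message on stdout
# Returns:  status of the last ipset call
#######################################
remove_iptables() {
  local set_name
  echo "remove gost iptable rules"
  # Delete every jump into GOST, not just one: if more than one was ever
  # inserted, `-X GOST` below fails while the chain is still referenced.
  while iptables -t nat -D PREROUTING -p all -j GOST >/dev/null 2>&1; do :; done
  iptables -t nat -F GOST
  iptables -t nat -X GOST
  for set_name in "${ProxyIPSet}" "${InternalIPSet}" "${GreatFireWallIPSet}" "${ChinaIPSet}"; do
    ipset flush "${set_name}"
  done
}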
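#######################################
# procd hook: register the gost instance, then install the ipsets and the
# nat REDIRECT rules that feed it.
# Globals:  BinaryPath SniPort RedirectPort GostProxyCommand (read)
# Outputs:  "start" on stdout; gost's own output goes to /tmp/gost.log
# Returns:  status of create_iptables
#######################################
start_service() {
  echo "start"
  procd_open_instance gost
  # The arguments are passed as separate words instead of being spliced into
  # one "sh -c" string, so a value containing shell metacharacters is not
  # re-parsed. `exec` replaces the wrapper shell with gost, so the pid procd
  # tracks (and signals on stop) is gost itself rather than a parent sh.
  # NOTE(review): the -F url still carries the password on gost's argv.
  procd_set_param command /bin/sh -c 'exec "$0" "$@" > /tmp/gost.log 2>&1' \
    "${BinaryPath}" "-L=sni://:${SniPort}" "-L=redirect://:${RedirectPort}" "${GostProxyCommand}"
  procd_set_param respawn
  [ -e /proc/sys/kernel/core_pattern ] && {
    procd_set_param limits core="unlimited"
  }
  procd_close_instance
  create_ipset
  create_iptables
}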
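#######################################
# procd hook: remove the redirect rules, then stop gost gracefully and
# escalate to SIGKILL only if it is still alive after a short grace period.
# Globals:  BinaryPath (read)
# Outputs:  "stop" on stdout
# Returns:  0
#######################################
stop_service() {
  local pids i
  echo "stop"
  # Rules go first so no new connections are redirected to a dying listener.
  remove_iptables
  # Match on the binary's process name. The previous `ps | grep gost` also
  # matched this very init script (its command line contains "gost"), so
  # the stop could signal itself, and it was not re-checked before SIGKILL.
  # (procd kills the registered instance after this hook returns as well;
  # this covers a gost that is not a tracked child of that instance.)
  pids=$(pidof "${BinaryPath##*/}")
  [ -n "${pids}" ] || return 0
  # shellcheck disable=SC2086 — pids is a space-separated list on purpose
  kill -TERM ${pids} 2>/dev/null
  # Up to 3 seconds of grace, polling once per second.
  i=0
  while [ "${i}" -lt 3 ] && [ -n "$(pidof "${BinaryPath##*/}")" ]; do
    sleep 1
    i=$((i + 1))
  done
  pids=$(pidof "${BinaryPath##*/}")
  # shellcheck disable=SC2086
  [ -z "${pids}" ] || kill -KILL ${pids} 2>/dev/null
  return 0
}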
#######################################
# procd hook for "reload": implemented as a full stop followed by a start,
# which also rebuilds the ipsets and the GOST chain.
# Outputs:  "restart" on stdout, then whatever stop/start print
# Returns:  status of start_service
#######################################
reload_service() {
  echo "restart"
  # stop first so the redirect rules are gone before the listener returns
  stop_service
  start_service
}
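#######################################
# Report whether a gost process is running.
# NOTE(review): with USE_PROCD=1 the rc.common "status" action may query
# procd directly instead of calling this hook — confirm on the target
# OpenWrt release.
# Globals:  BinaryPath (read)
# Outputs:  one status line on stdout
# Returns:  0 when gost is running, 1 otherwise (shell convention; the
#           previous version returned the opposite)
#######################################
status_service() {
  # Match on the binary's process name; a bare `grep gost` over `ps` also
  # matches this init script and reports "running" while it is executing.
  if [ -n "$(pidof "${BinaryPath##*/}")" ]; then
    echo "gost is running"
    return 0
  fi
  echo "gost is not running"
  return 1
}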
Save the content to /etc/init.d/gost, then:
chmod +x /etc/init.d/gost
/etc/init.d/gost enable
/etc/init.d/gost start
/etc/init.d/gost status
save it to
update.ipset.sh