tproxy.sh for clash
#!/bin/sh
# @author: ttyS3
# transparent proxy for clash
# ref: https://en.wikipedia.org/wiki/Reserved_IP_addresses
# Print the IPv4 ranges that must never be sent to the proxy, one CIDR per line:
# "this host", RFC 1918 private, CGNAT, loopback, link-local, IETF protocol,
# documentation, 6to4 relay, benchmarking, multicast, reserved and broadcast
# (see https://en.wikipedia.org/wiki/Reserved_IP_addresses).
func_get_reserved_ip_addr() {
  printf '%s\n' \
    0.0.0.0/8 \
    10.0.0.0/8 \
    100.64.0.0/10 \
    127.0.0.0/8 \
    169.254.0.0/16 \
    172.16.0.0/12 \
    192.0.0.0/24 \
    192.0.2.0/24 \
    192.31.196.0/24 \
    192.52.193.0/24 \
    192.88.99.0/24 \
    192.168.0.0/16 \
    192.175.48.0/24 \
    198.18.0.0/15 \
    198.51.100.0/24 \
    203.0.113.0/24 \
    224.0.0.0/4 \
    240.0.0.0/4 \
    255.255.255.255/32
}
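# Append a nat rule only if an identical one is not present yet (-C before -A),
# so repeated `start` calls do not stack duplicate jumps/returns that a later
# `stop` would then fail to clean up.
func_nat_append_once() {
  iptables -t nat -C "$@" 2>/dev/null || iptables -t nat -A "$@"
}

#######################################
# Install the transparent-proxy rules: TCP from this host (OUTPUT) and from
# forwarded traffic (PREROUTING) is REDIRECTed to clash's redir listener,
# except for reserved/private destinations and clash's own connections.
# Globals:
#   CLASH_REDIR_PORT (read) - TCP port of clash's redir listener, default 7892
#   CLASH_UID        (read) - numeric uid clash runs as, default 1024
# Outputs:  rule listings on stdout, progress messages via logger
# Returns:  1 if the 0X8BADF00D chain could not be created, else 0
#######################################
func_clash_start()
{
  redir_port="${CLASH_REDIR_PORT:-7892}"
  clash_uid="${CLASH_UID:-1024}"
  logger -t "[script_DEADC0DE]" " ==== clash_start ===="
  logger -t "[script_DEADC0DE]" "create 0X8BADF00D chain in nat table..."
  # Declaring the chain under iptables-restore -n creates it, or flushes it if
  # it already exists, so the RETURN list is rebuilt from scratch each time.
  # Reserved/private ranges are excluded before anything is redirected.
  if ! iptables-restore -n <<EOF
*nat
:0X8BADF00D - [0:0]
$(func_get_reserved_ip_addr | sed -e "s/\(.*\)/-A 0X8BADF00D -d \1 -j RETURN/")
COMMIT
EOF
  then
    logger -t "[script_DEADC0DE]" "failed to create 0X8BADF00D chain, aborting"
    return 1
  fi
  # Everything left goes to clash. Only TCP is matched here; UDP (e.g. DNS)
  # is not proxied by this script.
  iptables -t nat -A 0X8BADF00D -p tcp -j REDIRECT --to-ports "$redir_port"
  # sudo useradd -c "user for clash" -M -N -s /usr/sbin/nologin -u 1024 clash
  # owner match is only valid in OUTPUT/POSTROUTING. clash's own outbound
  # connections must bypass the chain, otherwise they would be redirected
  # straight back into clash; this uid must match the one clash runs as.
  func_nat_append_once OUTPUT -m owner --uid-owner "$clash_uid" -j RETURN
  # skip Link-Local Multicast Name Resolution (LLMNR) port
  func_nat_append_once OUTPUT -p tcp --dport 5355 -j RETURN
  func_nat_append_once OUTPUT -p tcp -j 0X8BADF00D
  func_nat_append_once PREROUTING -p tcp -j 0X8BADF00D
  iptables -L PREROUTING -v -n -t nat
  iptables -L OUTPUT -v -n -t nat
  iptables -L 0X8BADF00D -v -n -t nat
  logger -t "[script_DEADC0DE]" "Done start."
}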
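# Delete every nat rule matching the given specification, repeating until none
# is left, so jumps stacked by repeated `start` calls are all removed (the
# loop also ends immediately if iptables itself is unavailable).
func_nat_delete_all() {
  while iptables -t nat -D "$@" >/dev/null 2>&1; do :; done
}

#######################################
# Tear down everything func_clash_start installed. Rules are matched by their
# specification instead of line numbers parsed out of `iptables -L`, and are
# removed until none remain; the chain is flushed and deleted only once no
# jump references it any more (-X fails while it is still referenced).
# Globals:
#   CLASH_UID (read) - uid used by the owner bypass rule, default 1024
# Outputs:  rule listings on stdout, progress messages via logger
#######################################
func_clash_stop()
{
  clash_uid="${CLASH_UID:-1024}"
  logger -t "[script_DEADC0DE]" " ==== clash_stoped ===="
  func_nat_delete_all PREROUTING -p tcp -j 0X8BADF00D
  func_nat_delete_all OUTPUT -p tcp -j 0X8BADF00D
  func_nat_delete_all OUTPUT -m owner --uid-owner "$clash_uid" -j RETURN
  func_nat_delete_all OUTPUT -p tcp --dport 5355 -j RETURN
  # flush, then delete; both fail harmlessly if start was never run
  iptables -t nat -F 0X8BADF00D >/dev/null 2>&1
  iptables -t nat -X 0X8BADF00D >/dev/null 2>&1
  iptables -L PREROUTING -v -n -t nat
  iptables -L OUTPUT -v -n -t nat
  iptables -L -v -n -t nat
  logger -t "[script_DEADC0DE]" "Done stop."
}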
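# Entry point: `tproxy.sh start|stop`. Anything else prints usage and exits 2
# instead of silently falling through to the resolver restart below.
case "$1" in
  start)
    func_clash_start
    ;;
  stop)
    func_clash_stop
    ;;
  *)
    printf 'Usage: %s {start|stop}\n' "${0##*/}" >&2
    exit 2
    ;;
esac
# NOTE(review): presumably restarted so lookups resolved before the nat rules
# changed are not reused from cache - confirm this is still needed.
systemctl restart systemd-resolved.service
resolvectl flush-caches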