Add iptables setup script for Mihomo configuration

scripts/iptables-mihomo-setup-mark2.sh

@@ -0,0 +1,83 @@
+#!/bin/bash
+set -u
+
+# ----------------------------
+# Config
+# ----------------------------
+MIHOMO_UID="mihomo"
+TPROXY_PORT="7893"
+FW_MARK="0x1"
+ROUTE_TABLE="100"
+
+# Интерфейсы клиентов (откуда прилетают запросы)
+LAN_IFACES=("eth1" "wt0")
+
+# Порты самого сервера, которые НЕ надо проксировать (Web UI, SSH)
+LOCAL_PORTS="9090,22"
+
+# ----------------------------
+# Helpers
+# ----------------------------
+ipt() { iptables "$@"; }
+
+cleanup_references() {
+    local chain=$1
+    iptables-save | grep "\-j $chain" | sed "s/^-A/-D/" | while read rule; do
+        iptables -t mangle $rule 2>/dev/null || true
+    done
+}
+
+ensure_ip_rule() {
+  if ! ip rule list | grep -q "fwmark ${FW_MARK} lookup ${ROUTE_TABLE}"; then
+    ip rule add fwmark ${FW_MARK} lookup ${ROUTE_TABLE}
+  fi
+  if ! ip route show table ${ROUTE_TABLE} | grep -q "local default"; then
+    ip route add local 0.0.0.0/0 dev lo table ${ROUTE_TABLE}
+  fi
+}
+
+# ----------------------------
+# 1. CLEANUP
+# ----------------------------
+echo "--- Cleaning up rules ---"
+cleanup_references "MIHOMO_TPROXY"
+ipt -t mangle -F MIHOMO_TPROXY 2>/dev/null || true
+ipt -t mangle -X MIHOMO_TPROXY 2>/dev/null || true
+
+# ----------------------------
+# 2. SETUP
+# ----------------------------
+ensure_ip_rule
+
+# --- CHAIN: PREROUTING (Для клиентов) ---
+ipt -t mangle -N MIHOMO_TPROXY
+
+# === 1. Исключения по Портам (CRITICAL FIX) ===
+# Если стучатся в веб-морду или SSH - пропускаем мимо TProxy
+ipt -t mangle -A MIHOMO_TPROXY -p tcp -m multiport --dports "${LOCAL_PORTS}" -j RETURN
+
+# === 2. Исключения по IP (Bypass) ===
+# RFC1918 Private Networks
+ipt -t mangle -A MIHOMO_TPROXY -d 0.0.0.0/8 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 10.0.0.0/8 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 127.0.0.0/8 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 169.254.0.0/16 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 172.16.0.0/12 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 192.168.0.0/16 -j RETURN
+# Multicast
+ipt -t mangle -A MIHOMO_TPROXY -d 224.0.0.0/4 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 240.0.0.0/4 -j RETURN
+# !!! NETBIRD / CGNAT (Fix for VPN access) !!!
+ipt -t mangle -A MIHOMO_TPROXY -d 100.64.0.0/10 -j RETURN
+
+# === 3. Заворачиваем в TProxy ===
+ipt -t mangle -A MIHOMO_TPROXY -p tcp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}"
+ipt -t mangle -A MIHOMO_TPROXY -p udp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}"
+
+# ----------------------------
+# 3. APPLY
+# ----------------------------
+for IFACE in "${LAN_IFACES[@]}"; do
+    echo "Adding TProxy rules for interface: $IFACE"
+    ipt -t mangle -A PREROUTING -i "$IFACE" -j MIHOMO_TPROXY
+done