feat: Add Mihomo and TProxy setup scripts for Alpine and legacy systems

- Introduced `iptables-mihomo-setup-mark2.sh` for advanced TProxy configuration.
- Created `iptables-mihomo-setup.sh` for legacy iptables management.
- Added `dnssec-test.sh` for DNSSEC interception testing.
- Implemented `config-warpgate-alpine.sh` for comprehensive Warpgate setup.
- Developed `iptables-mihomo-setup-alpine-mark2.sh` for refined TProxy rules on Alpine.
- Added `iptables-mihomo-setup-alpine.sh` for basic TProxy setup on Alpine.
- Created `update-core-and-dash.sh` for automated updates of Mihomo core and Zashboard UI.

scripts/legacy/config-warpgate-debian.sh

@@ -0,0 +1,207 @@
+#!/bin/bash
+set -euo pipefail
+
+# ==========================================
+# 0. USER INTERACTION
+# ==========================================
+# Запрашиваем пароль сразу, чтобы скрипт мог работать без присмотра дальше
+echo "-----------------------------------------------------"
+echo "🔐 USER SETUP"
+echo "-----------------------------------------------------"
+read -sp "Enter password for new user 'supervisor': " SUPERVISOR_PASS
+echo
+if [ -z "$SUPERVISOR_PASS" ]; then
+    echo "❌ Password cannot be empty."
+    exit 1
+fi
+
+# ==========================================
+# 1. CONFIGURATION
+# ==========================================
+
+# Netbird 
+NETBIRD_SETUP_KEY="7369BE4D-C485-4339-A7CA-C245FD95E857"
+NETBIRD_MANAGEMENT_URL="https://webway.shamanlanding.org:443"
+
+# Mihomo Version (Direct Link)
+# Используем Alpha версию как в твоем мануале. Для Stable ищи release tag.
+MIHOMO_URL="https://github.com/vernesong/mihomo/releases/download/Prerelease-Alpha/mihomo-linux-amd64-v3-alpha-smart-06249f8.gz"
+
+# Remote Resources (URLs)
+REPO_BASE="https://gitea.shamanlanding.org/DaTekShaman/clash-rules/raw/branch/main"
+URL_CONFIG_MIHOMO="${REPO_BASE}/config-clash/cadian/cadian.current.yaml"
+URL_UNIT_MIHOMO="${REPO_BASE}/init-scripts/systemd/mihomo.service"
+URL_UNIT_IPTABLES="${REPO_BASE}/init-scripts/systemd/mihomo-iptables.service"
+URL_SCRIPT_IPTABLES="${REPO_BASE}/scripts/iptables-mihomo-setup.sh"
+
+# Paths
+BIN_DIR="/usr/local/bin"
+CONF_DIR="/etc/mihomo"
+SYSTEMD_DIR="/etc/systemd/system"
+
+# ==========================================
+# 2. SYSTEM PREP & DEPENDENCIES
+# ==========================================
+echo ">>> [1/8] Updating system and installing dependencies..."
+apt-get update
+apt-get install -y curl wget ca-certificates gnupg tar iptables iproute2 gzip jq sudo openssh-server
+
+echo ">>> [2/8] Configuring Sysctl (Forwarding & TProxy requirements)..."
+# Критично для TProxy и маршрутизации
+cat <<EOF > /etc/sysctl.d/99-warpgate.conf
+net.ipv4.ip_forward=1
+net.ipv6.conf.all.forwarding=1
+net.ipv4.conf.all.rp_filter=0
+net.ipv4.conf.default.rp_filter=0
+net.ipv4.conf.wt0.rp_filter=0
+EOF
+sysctl --system
+
+# ==========================================
+# 3. NETBIRD INSTALLATION
+# ==========================================
+echo ">>> [3/8] Installing Netbird..."
+if ! command -v netbird &> /dev/null; then
+    curl -fsSL https://pkgs.netbird.io/install.sh | sh
+fi
+
+echo ">>> Connecting Netbird..."
+if ! netbird status | grep -q "Connected"; then
+    if [ "$NETBIRD_SETUP_KEY" != "YOUR_NETBIRD_SETUP_KEY_HERE" ]; then
+        netbird up --management-url "$NETBIRD_MANAGEMENT_URL" --setup-key "$NETBIRD_SETUP_KEY" --allow-server-ssh --enable-ssh-root
+    else
+        echo "WARNING: Netbird Setup Key not set. Run 'netbird up --setup-key KEY --allow-server-ssh --enable-ssh-root' manually later."
+    fi
+else
+    echo "Netbird is already connected."
+fi
+
+# ==========================================
+# 4. ADGUARD VPN CLI
+# ==========================================
+echo ">>> [4/8] Installing AdGuard VPN CLI..."
+if ! command -v adguardvpn-cli &> /dev/null; then
+    curl -fsSL https://raw.githubusercontent.com/AdguardTeam/AdGuardVPNCLI/master/scripts/release/install.sh | sh -s -- -v
+fi
+
+# Преднастройка (применится после логина)
+adguardvpn-cli config set-mode socks
+adguardvpn-cli config set-socks-host 0.0.0.0
+adguardvpn-cli config set-tun-routing-mode none
+
+# ==========================================
+# 5. MIHOMO INSTALLATION
+# ==========================================
+echo ">>> [5/8] Installing Mihomo..."
+
+# User
+if ! id "mihomo" &>/dev/null; then
+    useradd --system --no-create-home --shell /usr/sbin/nologin mihomo
+fi
+
+# Binary
+mkdir -p /opt/mihomo_tmp
+cd /opt/mihomo_tmp
+
+if [ ! -f "${BIN_DIR}/mihomo" ]; then
+    echo "Downloading Mihomo binary..."
+    wget -qO mihomo.gz "$MIHOMO_URL"
+    gzip -d mihomo.gz
+    mv mihomo "${BIN_DIR}/mihomo"
+    chmod +x "${BIN_DIR}/mihomo"
+else
+    echo "Mihomo binary already exists."
+fi
+
+# Directories
+mkdir -p "$CONF_DIR"
+mkdir -p /var/log/mihomo
+chown -R mihomo:mihomo "$CONF_DIR" /var/log/mihomo
+
+# ==========================================
+# 6. CONFIGURATION & UNITS DOWNLOAD
+# ==========================================
+echo ">>> [6/8] Downloading Configs and Units..."
+
+# 6.1 Mihomo Config
+if [ ! -f "${CONF_DIR}/config.yaml" ]; then
+    echo "Fetching Config: $URL_CONFIG_MIHOMO"
+    wget -qO "${CONF_DIR}/config.yaml" "$URL_CONFIG_MIHOMO"
+    chown mihomo:mihomo "${CONF_DIR}/config.yaml"
+else
+    echo "Config exists, skipping download to preserve settings."
+fi
+
+# 6.2 Iptables Setup Script
+echo "Fetching Script: $URL_SCRIPT_IPTABLES"
+wget -qO "${BIN_DIR}/iptables-mihomo-setup.sh" "$URL_SCRIPT_IPTABLES"
+chmod +x "${BIN_DIR}/iptables-mihomo-setup.sh"
+
+# 6.3 Systemd Units
+echo "Fetching Unit: $URL_UNIT_MIHOMO"
+wget -qO "${SYSTEMD_DIR}/mihomo.service" "$URL_UNIT_MIHOMO"
+
+echo "Fetching Unit: $URL_UNIT_IPTABLES"
+wget -qO "${SYSTEMD_DIR}/mihomo-iptables.service" "$URL_UNIT_IPTABLES"
+
+# 6.4 CONFIG VALIDATION
+echo "Validating Mihomo Configuration..."
+
+# -t = test config, -d = config directory
+if ! "${BIN_DIR}/mihomo" -t -d "$CONF_DIR"; then
+    echo "❌ ERROR: Mihomo configuration test failed!"
+    echo "Please inspect: ${CONF_DIR}/config.yaml"
+    # Прерываем скрипт, чтобы не ломать DNS и не запускать сломанный сервис
+    exit 1
+else
+    echo "✅ Configuration test passed."
+fi
+
+# Reload daemon to see new units
+systemctl daemon-reload
+
+# ==========================================
+# 7. USER & SSH SETUP (NEW)
+# ==========================================
+echo ">>> [7/8] Configuring User and SSH..."
+
+# 7.1 Create Supervisor
+if ! id "supervisor" &>/dev/null; then
+    # -m создает домашнюю папку, -G sudo дает права администратора
+    useradd -m -s /bin/bash -G sudo supervisor
+    echo "supervisor:${SUPERVISOR_PASS}" | chpasswd
+    echo "✅ User 'supervisor' created."
+else
+    echo "User 'supervisor' already exists."
+fi
+
+# 7.2 Configure SSHD
+# Включаем вход по паролю и отключаем вход рутом (хорошая практика)
+sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
+sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+# На всякий случай включаем сервис
+systemctl enable ssh
+systemctl restart ssh
+echo "✅ SSH configured (Password Auth: YES)."
+
+# ==========================================
+# 7. DNS & FINALIZATION
+# ==========================================
+echo ">>> [8/8] Locking DNS..."
+
+systemctl stop systemd-resolved
+systemctl disable systemd-resolved
+rm -f /etc/resolv.conf
+echo "nameserver 127.0.0.1" > /etc/resolv.conf
+
+echo ">>> Enabling Services..."
+systemctl enable mihomo-iptables
+systemctl enable mihomo
+
+echo "-----------------------------------------------------"
+echo "INSTALLATION COMPLETE"
+echo "-----------------------------------------------------"
+echo "Next Steps:"
+echo "1. Login to AdGuard: 'adguardvpn-cli login'"
+echo "2. Start services: 'systemctl start mihomo-iptables mihomo'"
+echo "3. Check logs: 'journalctl -u mihomo -f'"

scripts/legacy/iptables-mihomo-setup-mark2.sh

@@ -0,0 +1,83 @@
+#!/bin/bash
+set -u
+
+# ----------------------------
+# Config
+# ----------------------------
+MIHOMO_UID="mihomo"
+TPROXY_PORT="7893"
+FW_MARK="0x1"
+ROUTE_TABLE="100"
+
+# Интерфейсы клиентов (откуда прилетают запросы)
+LAN_IFACES=("eth1" "wt0")
+
+# Порты самого сервера, которые НЕ надо проксировать (Web UI, SSH)
+LOCAL_PORTS="9090,22"
+
+# ----------------------------
+# Helpers
+# ----------------------------
+ipt() { iptables "$@"; }
+
+cleanup_references() {
+    local chain=$1
+    iptables-save | grep "\-j $chain" | sed "s/^-A/-D/" | while read rule; do
+        iptables -t mangle $rule 2>/dev/null || true
+    done
+}
+
+ensure_ip_rule() {
+  if ! ip rule list | grep -q "fwmark ${FW_MARK} lookup ${ROUTE_TABLE}"; then
+    ip rule add fwmark ${FW_MARK} lookup ${ROUTE_TABLE}
+  fi
+  if ! ip route show table ${ROUTE_TABLE} | grep -q "local default"; then
+    ip route add local 0.0.0.0/0 dev lo table ${ROUTE_TABLE}
+  fi
+}
+
+# ----------------------------
+# 1. CLEANUP
+# ----------------------------
+echo "--- Cleaning up rules ---"
+cleanup_references "MIHOMO_TPROXY"
+ipt -t mangle -F MIHOMO_TPROXY 2>/dev/null || true
+ipt -t mangle -X MIHOMO_TPROXY 2>/dev/null || true
+
+# ----------------------------
+# 2. SETUP
+# ----------------------------
+ensure_ip_rule
+
+# --- CHAIN: PREROUTING (Для клиентов) ---
+ipt -t mangle -N MIHOMO_TPROXY
+
+# === 1. Исключения по Портам (CRITICAL FIX) ===
+# Если стучатся в веб-морду или SSH - пропускаем мимо TProxy
+ipt -t mangle -A MIHOMO_TPROXY -p tcp -m multiport --dports "${LOCAL_PORTS}" -j RETURN
+
+# === 2. Исключения по IP (Bypass) ===
+# RFC1918 Private Networks
+ipt -t mangle -A MIHOMO_TPROXY -d 0.0.0.0/8 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 10.0.0.0/8 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 127.0.0.0/8 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 169.254.0.0/16 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 172.16.0.0/12 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 192.168.0.0/16 -j RETURN
+# Multicast
+ipt -t mangle -A MIHOMO_TPROXY -d 224.0.0.0/4 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 240.0.0.0/4 -j RETURN
+# !!! NETBIRD / CGNAT (Fix for VPN access) !!!
+ipt -t mangle -A MIHOMO_TPROXY -d 100.64.0.0/10 -j RETURN
+
+# === 3. Заворачиваем в TProxy ===
+ipt -t mangle -A MIHOMO_TPROXY -p tcp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}"
+ipt -t mangle -A MIHOMO_TPROXY -p udp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}"
+
+# ----------------------------
+# 3. APPLY
+# ----------------------------
+for IFACE in "${LAN_IFACES[@]}"; do
+    echo "Adding TProxy rules for interface: $IFACE"
+    ipt -t mangle -A PREROUTING -i "$IFACE" -j MIHOMO_TPROXY
+done

scripts/legacy/iptables-mihomo-setup.sh

@@ -0,0 +1,132 @@
+#!/bin/bash
+set -euo pipefail
+
+# ----------------------------
+# Config
+# ----------------------------
+MIHOMO_UID="mihomo"
+REDIR_PORT="7892"     # TCP Redirect
+TPROXY_PORT="7893"    # UDP/TCP TProxy
+FW_MARK="0x1"
+ROUTE_TABLE="100"
+
+#EXCLUDE_IFACES=("tun0" "wg0" "wt0")  
+EXCLUDE_IFACES=("tun0")  
+
+# ----------------------------
+# Helpers
+# ----------------------------
+ipt() { iptables "$@"; }
+
+# Надежная функция удаления: Пытается удалить правило, пока iptables не скажет "нет такого правила"
+# $1=table, $2=chain, $3=args (часть правила для матчинга)
+del_loop() {
+  local table=$1
+  local chain=$2
+  shift 2
+  local rule_args="$@"
+
+  # Пока проверка (-C) успешна, делаем удаление (-D)
+  while iptables -t "$table" -C "$chain" $rule_args 2>/dev/null; do
+    echo "Deleting from $table/$chain: $rule_args"
+    iptables -t "$table" -D "$chain" $rule_args
+  done
+}
+
+ensure_ip_rule() {
+  while ip rule list | grep -q "fwmark ${FW_MARK} lookup ${ROUTE_TABLE}"; do
+    ip rule del fwmark ${FW_MARK} lookup ${ROUTE_TABLE} || true
+  done
+  ip rule add fwmark ${FW_MARK} lookup ${ROUTE_TABLE}
+  ip route replace local 0.0.0.0/0 dev lo table ${ROUTE_TABLE}
+}
+
+# ----------------------------
+# CLEANUP PHASE
+# ----------------------------
+echo "--- Cleaning up old rules (Robust Mode) ---"
+
+# 1. Удаляем ссылки (JUMP) на наши цепочки
+del_loop nat OUTPUT -p tcp -m comment --comment "MIHOMO-JUMP" -j MIHOMO_REDIR
+del_loop nat PREROUTING -i wt0 -p tcp -m comment --comment "MIHOMO-REDIRECT" -j REDIRECT --to-port "${REDIR_PORT}"
+del_loop mangle PREROUTING -i wt0 -m comment --comment "MIHOMO-JUMP" -j MIHOMO_TPROXY
+
+# 2. Удаляем исключения (EXCLUDE) и маркеры (MARK)
+# Mangle OUTPUT
+del_loop mangle OUTPUT -p tcp -m comment --comment "MIHOMO-MARK" -j MARK --set-mark "${FW_MARK}"
+del_loop mangle OUTPUT -p udp -m comment --comment "MIHOMO-MARK" -j MARK --set-mark "${FW_MARK}"
+
+for IFACE in "${EXCLUDE_IFACES[@]}"; do
+  del_loop mangle OUTPUT -o "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+  del_loop mangle PREROUTING -i "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+  del_loop nat OUTPUT -o "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+done
+
+del_loop mangle OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+del_loop nat OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+
+# 3. Теперь, когда ссылок нет, можно безопасно удалить цепочки
+# Сначала сбрасываем содержимое (-F), потом удаляем саму цепочку (-X)
+ipt -t mangle -F MIHOMO_TPROXY 2>/dev/null || true
+ipt -t mangle -X MIHOMO_TPROXY 2>/dev/null || true
+
+ipt -t nat -F MIHOMO_REDIR 2>/dev/null || true
+ipt -t nat -X MIHOMO_REDIR 2>/dev/null || true
+
+echo "--- Cleanup finished. Applying new rules ---"
+
+# ----------------------------
+# NAT (REDIRECT) - TCP
+# ----------------------------
+ipt -t nat -N MIHOMO_REDIR
+
+# Local exclusions inside chain
+ipt -t nat -A MIHOMO_REDIR -d 192.168.0.0/16 -j RETURN
+ipt -t nat -A MIHOMO_REDIR -d 10.0.0.0/8 -j RETURN
+ipt -t nat -A MIHOMO_REDIR -d 172.16.0.0/12 -j RETURN
+ipt -t nat -A MIHOMO_REDIR -d 127.0.0.0/8 -j RETURN
+ipt -t nat -A MIHOMO_REDIR -p tcp -j REDIRECT --to-ports "${REDIR_PORT}"
+
+# Apply to OUTPUT (Local)
+for IFACE in "${EXCLUDE_IFACES[@]}"; do
+  ipt -t nat -A OUTPUT -o "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+done
+ipt -t nat -A OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+ipt -t nat -A OUTPUT -p tcp -m comment --comment "MIHOMO-JUMP" -j MIHOMO_REDIR
+
+# Apply to PREROUTING (wt0 Ingress) - Force Redir
+ipt -t nat -A PREROUTING -i wt0 -p tcp -m comment --comment "MIHOMO-REDIRECT" -j REDIRECT --to-port "${REDIR_PORT}"
+
+# ----------------------------
+# MANGLE (TPROXY) - UDP/TCP
+# ----------------------------
+ensure_ip_rule
+ipt -t mangle -N MIHOMO_TPROXY
+
+# Local exclusions inside chain
+ipt -t mangle -A MIHOMO_TPROXY -d 192.168.0.0/16 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 10.0.0.0/8 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 172.16.0.0/12 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 127.0.0.0/8 -j RETURN
+
+# TProxy Targets
+# ipt -t mangle -A MIHOMO_TPROXY -p tcp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}/${FW_MARK}"
+ipt -t mangle -A MIHOMO_TPROXY -p udp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}/${FW_MARK}"
+
+# Apply to OUTPUT (Local)
+for IFACE in "${EXCLUDE_IFACES[@]}"; do
+  ipt -t mangle -A OUTPUT -o "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+done
+ipt -t mangle -A OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+
+# Mark packets
+# ipt -t mangle -A OUTPUT -p tcp -m comment --comment "MIHOMO-MARK" -j MARK --set-mark "${FW_MARK}"
+ipt -t mangle -A OUTPUT -p udp -m comment --comment "MIHOMO-MARK" -j MARK --set-mark "${FW_MARK}"
+
+# Apply to PREROUTING (wt0 Ingress)
+for IFACE in "${EXCLUDE_IFACES[@]}"; do
+  ipt -t mangle -A PREROUTING -i "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
+done
+ipt -t mangle -A PREROUTING -i wt0 -m comment --comment "MIHOMO-JUMP" -j MIHOMO_TPROXY
+
+echo "Done."