feat: Add Mihomo and TProxy setup scripts for Alpine and legacy systems

- Introduced `iptables-mihomo-setup-mark2.sh` for advanced TProxy configuration. - Created `iptables-mihomo-setup.sh` for legacy iptables management. - Added `dnssec-test.sh` for DNSSEC interception testing. - Implemented `config-warpgate-alpine.sh` for comprehensive Warpgate setup. - Developed `iptables-mihomo-setup-alpine-mark2.sh` for refined TProxy rules on Alpine. - Added `iptables-mihomo-setup-alpine.sh` for basic TProxy setup on Alpine. - Created `update-core-and-dash.sh` for automated updates of Mihomo core and Zashboard UI.
2026-04-11 19:32:05 +03:00
parent 3e22a60e2f
commit 95230c6349
17 changed files with 293 additions and 2289 deletions
--- a/scripts/warpgates/iptables-mihomo-setup-alpine.sh
+++ b/scripts/warpgates/iptables-mihomo-setup-alpine.sh
@@ -0,0 +1,89 @@
+#!/bin/bash
+set -u
+
+# ----------------------------
+# Config
+# ----------------------------
+MIHOMO_UID="mihomo"
+TPROXY_PORT="7893"
+FW_MARK="0x1"
+ROUTE_TABLE="100"
+
+# Интерфейсы клиентов (откуда прилетают запросы)
+LAN_IFACES=("wt0" "eth1" "eth2")
+
+# Порты самого сервера, которые НЕ надо проксировать (Web UI, SSH)
+LOCAL_PORTS="9090,22"
+
+# ----------------------------
+# Helpers
+# ----------------------------
+ipt() { iptables "$@"; }
+
+cleanup_references() {
+    local chain=$1
+    iptables-save | grep "\-j $chain" | sed "s/^-A/-D/" | while read rule; do
+        iptables -t mangle $rule 2>/dev/null || true
+    done
+}
+
+ensure_ip_rule() {
+  # 1. Перехват трафика от клиентов в TProxy (то, что мы уже починили)
+  if ! ip rule list | grep -q "fwmark ${FW_MARK} lookup ${ROUTE_TABLE}"; then
+    ip rule add fwmark ${FW_MARK} lookup ${ROUTE_TABLE} pref 90
+  fi
+  if ! ip route show table ${ROUTE_TABLE} | grep -q "local default"; then
+    ip route add local 0.0.0.0/0 dev lo table ${ROUTE_TABLE}
+  fi
+  
+  # 2. НОВОЕ: Выпуск трафика Mihomo в интернет в обход Netbird
+  if ! ip rule list | grep -q "fwmark 1337 lookup main"; then
+    ip rule add fwmark 1337 lookup main pref 80
+  fi
+}
+
+# ----------------------------
+# 1. CLEANUP
+# ----------------------------
+echo "--- Cleaning up rules ---"
+cleanup_references "MIHOMO_TPROXY"
+ipt -t mangle -F MIHOMO_TPROXY 2>/dev/null || true
+ipt -t mangle -X MIHOMO_TPROXY 2>/dev/null || true
+
+# ----------------------------
+# 2. SETUP
+# ----------------------------
+ensure_ip_rule
+
+# --- CHAIN: PREROUTING (Для клиентов) ---
+ipt -t mangle -N MIHOMO_TPROXY
+
+# === 1. Исключения по Портам (CRITICAL FIX) ===
+# Если стучатся в веб-морду или SSH - пропускаем мимо TProxy
+ipt -t mangle -A MIHOMO_TPROXY -p tcp -m multiport --dports "${LOCAL_PORTS}" -j RETURN
+
+# === 2. Исключения по IP (Bypass) ===
+# RFC1918 Private Networks
+ipt -t mangle -A MIHOMO_TPROXY -d 0.0.0.0/8 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 10.0.0.0/8 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 127.0.0.0/8 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 169.254.0.0/16 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 172.16.0.0/12 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 192.168.0.0/16 -j RETURN
+# Multicast
+ipt -t mangle -A MIHOMO_TPROXY -d 224.0.0.0/4 -j RETURN
+ipt -t mangle -A MIHOMO_TPROXY -d 240.0.0.0/4 -j RETURN
+# !!! NETBIRD / CGNAT (Fix for VPN access) !!!
+ipt -t mangle -A MIHOMO_TPROXY -d 100.64.0.0/10 -j RETURN
+
+# === 3. Заворачиваем в TProxy ===
+ipt -t mangle -A MIHOMO_TPROXY -p tcp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}"
+ipt -t mangle -A MIHOMO_TPROXY -p udp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}"
+
+# ----------------------------
+# 3. APPLY
+# ----------------------------
+for IFACE in "${LAN_IFACES[@]}"; do
+    echo "Adding TProxy rules for interface: $IFACE"
+    ipt -t mangle -A PREROUTING -i "$IFACE" -j MIHOMO_TPROXY
+done