DaTekShaman/clash-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update iptables scripts for MIHOMO integration and rename setup files

Browse Source
This commit is contained in:
DaTekShaman
2025-12-27 14:47:23 +03:00
parent c592e59d58
commit cd071d5516
4 changed files with 147 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
scripts/iptables-clash-setup.sh
View File

@@ -1,36 +1,36 @@
#!/bin/bash #!/bin/bash
# Очистка старой цепочки # Очистка старой цепочки
iptables -t nat -F CLASH_REDIR 2>/dev/null iptables -t nat -F MIHOMO_REDIR 2>/dev/null
iptables -t nat -X CLASH_REDIR 2>/dev/null iptables -t nat -X MIHOMO_REDIR 2>/dev/null
iptables -t nat -F OUTPUT 2>/dev/null iptables -t nat -F OUTPUT 2>/dev/null
iptables -t nat -X OUTPUT 2>/dev/null iptables -t nat -X OUTPUT 2>/dev/null
# Создание пользовательской цепочки # Создание пользовательской цепочки
iptables -t nat -N CLASH_REDIR iptables -t nat -N MIHOMO_REDIR
# Исключаем loopback и локальные подсети # Исключаем loopback и локальные подсети
iptables -t nat -A CLASH_REDIR -d 127.0.0.0/8 -j RETURN iptables -t nat -A MIHOMO_REDIR -d 127.0.0.0/8 -j RETURN
iptables -t nat -A CLASH_REDIR -d 10.0.0.0/8 -j RETURN iptables -t nat -A MIHOMO_REDIR -d 10.0.0.0/8 -j RETURN
iptables -t nat -A CLASH_REDIR -d 172.16.0.0/12 -j RETURN iptables -t nat -A MIHOMO_REDIR -d 172.16.0.0/12 -j RETURN
iptables -t nat -A CLASH_REDIR -d 192.168.0.0/16 -j RETURN iptables -t nat -A MIHOMO_REDIR -d 192.168.0.0/16 -j RETURN
# Всё остальное TCP → REDIRECT на Clash # Всё остальное TCP → REDIRECT на MIHOMO
iptables -t nat -A CLASH_REDIR -p tcp -j REDIRECT --to-ports 7892 iptables -t nat -A MIHOMO_REDIR -p tcp -j REDIRECT --to-ports 7892
# Исключаем трафик Clash по UID # Исключаем трафик MIHOMO по UID
iptables -t nat -C OUTPUT -m owner --uid-owner clash -j RETURN 2>/dev/null || \ iptables -t nat -C OUTPUT -m owner --uid-owner mihomo -j RETURN 2>/dev/null || \
iptables -t nat -I OUTPUT -m owner --uid-owner clash -j RETURN iptables -t nat -I OUTPUT -m owner --uid-owner mihomo -j RETURN
# Применяем CLASH_REDIR ко всем TCP # Применяем MIHOMO_REDIR ко всем TCP
iptables -t nat -C OUTPUT -p tcp -j CLASH_REDIR 2>/dev/null || \ iptables -t nat -C OUTPUT -p tcp -j MIHOMO_REDIR 2>/dev/null || \
iptables -t nat -A OUTPUT -p tcp -j CLASH_REDIR iptables -t nat -A OUTPUT -p tcp -j MIHOMO_REDIR
# Редирект вайргарда от Netbird неа порт 7982 # Редирект вайргарда от Netbird неа порт 7982
# Перенаправляем трафик от интерфейса netbird в clash # Перенаправляем трафик от интерфейса netbird в MIHOMO
iptables -t nat -C PREROUTING -i wt0 -p tcp -j REDIRECT --to-port 7892 2>/dev/null || \ iptables -t nat -C PREROUTING -i wt0 -p tcp -j REDIRECT --to-port 7892 2>/dev/null || \
iptables -t nat -A PREROUTING -i wt0 -p tcp -j REDIRECT --to-port 7892 iptables -t nat -A PREROUTING -i wt0 -p tcp -j REDIRECT --to-port 7892
# Перенаправляем трафик от интерфейса wireguard в clash # Перенаправляем трафик от интерфейса wireguard в MIHOMO
iptables -t nat -C PREROUTING -i wg0 -p tcp -j REDIRECT --to-port 7892 2>/dev/null || \ iptables -t nat -C PREROUTING -i wg0 -p tcp -j REDIRECT --to-port 7892 2>/dev/null || \
iptables -t nat -A PREROUTING -i wg0 -p tcp -j REDIRECT --to-port 7892 iptables -t nat -A PREROUTING -i wg0 -p tcp -j REDIRECT --to-port 7892

126
scripts/iptables-mihomo-setup.sh Normal file
View File

@@ -0,0 +1,126 @@
#!/bin/bash
set -euo pipefail
# ----------------------------
# Config
# ----------------------------
MIHOMO_UID="mihomo"
REDIR_PORT="7892" # mihomo redir-port (NAT REDIRECT for TCP)
TPROXY_PORT="7893" # mihomo tproxy-port (TPROXY for TCP/UDP)
FW_MARK="0x1"
ROUTE_TABLE="100"
# Interfaces to EXCLUDE completely from interception
EXCLUDE_IFACES=("tun0" "wg0")
# ----------------------------
# Helpers
# ----------------------------
ipt() { iptables "$@"; }
ensure_ip_rule() {
# Route marked traffic to local via custom table (idempotent-ish)
ip rule list | grep -q "fwmark ${FW_MARK} lookup ${ROUTE_TABLE}" || \
ip rule add fwmark ${FW_MARK} lookup ${ROUTE_TABLE}
# Route everything in that table to local loopback so TPROXY can catch it
ip route show table ${ROUTE_TABLE} | grep -q "^local 0.0.0.0/0 dev lo" || \
ip route add local 0.0.0.0/0 dev lo table ${ROUTE_TABLE}
}
# ----------------------------
# NAT (REDIRECT) part (TCP only)
# ----------------------------
# Cleanup old chains (ignore if absent)
ipt -t nat -F MIHOMO_REDIR 2>/dev/null || true
ipt -t nat -X MIHOMO_REDIR 2>/dev/null || true
# NOTE: Your original script flushes OUTPUT table nat globally.
# Keeping behavior to match your current approach, but yes, it nukes other rules.
ipt -t nat -F OUTPUT 2>/dev/null || true
# Create chain
ipt -t nat -N MIHOMO_REDIR
# Exclude loopback and local subnets
ipt -t nat -A MIHOMO_REDIR -d 127.0.0.0/8 -j RETURN
ipt -t nat -A MIHOMO_REDIR -d 10.0.0.0/8 -j RETURN
ipt -t nat -A MIHOMO_REDIR -d 172.16.0.0/12 -j RETURN
ipt -t nat -A MIHOMO_REDIR -d 192.168.0.0/16 -j RETURN
# Exclude traffic that is going via tun0/wg0 (your "do not touch" tunnels)
for IFACE in "${EXCLUDE_IFACES[@]}"; do
ipt -t nat -A OUTPUT -o "${IFACE}" -j RETURN 2>/dev/null || true
done
# Exclude mihomo's own traffic by UID
ipt -t nat -C OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -j RETURN 2>/dev/null || \
ipt -t nat -I OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -j RETURN
# Everything else TCP -> REDIRECT to mihomo
ipt -t nat -A MIHOMO_REDIR -p tcp -j REDIRECT --to-ports "${REDIR_PORT}"
# Apply to local OUTPUT TCP
ipt -t nat -C OUTPUT -p tcp -j MIHOMO_REDIR 2>/dev/null || \
ipt -t nat -A OUTPUT -p tcp -j MIHOMO_REDIR
# Apply to traffic coming from NetBird interface (ingress)
# Exclude tun0/wg0 by design: only target wt0 here.
ipt -t nat -C PREROUTING -i wt0 -p tcp -j REDIRECT --to-port "${REDIR_PORT}" 2>/dev/null || \
ipt -t nat -A PREROUTING -i wt0 -p tcp -j REDIRECT --to-port "${REDIR_PORT}"
# IMPORTANT:
# Removed your old rule "PREROUTING -i wg0 ... REDIRECT"
# because you explicitly asked to exclude wg0 from routing/interception.
# ----------------------------
# MANGLE (TPROXY) part (TCP+UDP typically)
# ----------------------------
ensure_ip_rule
# Cleanup old chains
ipt -t mangle -F MIHOMO_TPROXY 2>/dev/null || true
ipt -t mangle -X MIHOMO_TPROXY 2>/dev/null || true
# Create chain
ipt -t mangle -N MIHOMO_TPROXY
# Exclusions: loopback/local subnets
ipt -t mangle -A MIHOMO_TPROXY -d 127.0.0.0/8 -j RETURN
ipt -t mangle -A MIHOMO_TPROXY -d 10.0.0.0/8 -j RETURN
ipt -t mangle -A MIHOMO_TPROXY -d 172.16.0.0/12 -j RETURN
ipt -t mangle -A MIHOMO_TPROXY -d 192.168.0.0/16 -j RETURN
# Exclude traffic arriving from tun0/wg0 (ingress side)
for IFACE in "${EXCLUDE_IFACES[@]}"; do
ipt -t mangle -A PREROUTING -i "${IFACE}" -j RETURN 2>/dev/null || true
done
# Exclude traffic leaving via tun0/wg0 (local OUTPUT side)
for IFACE in "${EXCLUDE_IFACES[@]}"; do
ipt -t mangle -C OUTPUT -o "${IFACE}" -j RETURN 2>/dev/null || \
ipt -t mangle -I OUTPUT -o "${IFACE}" -j RETURN
done
# Exclude mihomo's own traffic (OUTPUT) so it doesn't eat itself
ipt -t mangle -C OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -j RETURN 2>/dev/null || \
ipt -t mangle -I OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -j RETURN
# --- TPROXY for local VM traffic (OUTPUT) ---
# Mark TCP/UDP so policy routing sends them to lo (where mihomo tproxy listens)
ipt -t mangle -C OUTPUT -p tcp -j MARK --set-mark "${FW_MARK}" 2>/dev/null || \
ipt -t mangle -A OUTPUT -p tcp -j MARK --set-mark "${FW_MARK}"
ipt -t mangle -C OUTPUT -p udp -j MARK --set-mark "${FW_MARK}" 2>/dev/null || \
ipt -t mangle -A OUTPUT -p udp -j MARK --set-mark "${FW_MARK}"
# --- TPROXY for wt0 ingress traffic (PREROUTING) ---
# First run through our exclusions, then TPROXY it.
ipt -t mangle -C PREROUTING -i wt0 -j MIHOMO_TPROXY 2>/dev/null || \
ipt -t mangle -A PREROUTING -i wt0 -j MIHOMO_TPROXY
ipt -t mangle -A MIHOMO_TPROXY -p tcp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}/${FW_MARK}"
ipt -t mangle -A MIHOMO_TPROXY -p udp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}/${FW_MARK}"

4
systemd-units/mihomo-iptables.service
View File

@@ -1,11 +1,11 @@
[Unit] [Unit]
Description=Mihomo iptables rules fixer Description=Mihomo IPtables rules fixer
After=network.target After=network.target
Before=mihomo.service Before=mihomo.service
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart=/usr/local/bin/iptables-clash-setup.sh ExecStart=/usr/local/bin/iptables-mihomo-setup.sh
RemainAfterExit=true RemainAfterExit=true
[Install] [Install]

4
systemd-units/mihomo.service
View File

@@ -3,7 +3,7 @@ Description=Mihomo Daemon, Another Clash Kernel.
After=network.target NetworkManager.service systemd-networkd.service iwd.service After=network.target NetworkManager.service systemd-networkd.service iwd.service
[Service] [Service]
User=clash User=mihomo
Type=simple Type=simple
LimitNPROC=500 LimitNPROC=500
LimitNOFILE=1000000 LimitNOFILE=1000000
@@ -11,7 +11,7 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIM
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
Restart=always Restart=always
ExecStartPre=/usr/bin/sleep 1s ExecStartPre=/usr/bin/sleep 1s
ExecStart=/usr/local/bin/mihomo -d /etc/clash ExecStart=/usr/local/bin/mihomo -d /etc/mihomo
ExecReload=/bin/kill -HUP $MAINPID ExecReload=/bin/kill -HUP $MAINPID
[Install] [Install]