DaTekShaman/clash-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Upd

Browse Source
This commit is contained in:
DaTekShaman
2025-12-27 16:19:22 +03:00
parent a6cb527bb3
commit ce1cf4407c
1 changed files with 100 additions and 98 deletions
Download Patch File Download Diff File Expand all files Collapse all files

196
scripts/iptables-mihomo-setup.sh
View File

@@ -5,7 +5,6 @@ set -euo pipefail
# Config # Config
# ---------------------------- # ----------------------------
MIHOMO_UID="mihomo" MIHOMO_UID="mihomo"
REDIR_PORT="7892" # mihomo redir-port (NAT REDIRECT for TCP) REDIR_PORT="7892" # mihomo redir-port (NAT REDIRECT for TCP)
TPROXY_PORT="7893" # mihomo tproxy-port (TPROXY for TCP/UDP) TPROXY_PORT="7893" # mihomo tproxy-port (TPROXY for TCP/UDP)
FW_MARK="0x1" FW_MARK="0x1"
@@ -19,129 +18,132 @@ EXCLUDE_IFACES=("tun0" "wg0")
# ---------------------------- # ----------------------------
ipt() { iptables "$@"; } ipt() { iptables "$@"; }
del_jump_all() { # Функция для удаления правил по комментарию (чтобы не тереть чужое)
local table="$1" chain="$2" target="$3" # Используем trick: добавляем комментарий ко всем правилам, чтобы потом их найти и удалить
# Delete all rules in $chain that jump to $target (repeat until none left) cleanup_rules() {
while iptables -t "$table" -C "$chain" -j "$target" 2>/dev/null; do local table="$1"
iptables -t "$table" -D "$chain" -j "$target" local chain="$2"
done local comment="$3"
}
del_jump_iface_all() { # List rules with line numbers, grep by comment, sort reverse order (to delete safely), delete
local table="$1" chain="$2" iface="$3" target="$4" iptables -t "$table" -nL "$chain" --line-numbers 2>/dev/null | \
while iptables -t "$table" -C "$chain" -i "$iface" -j "$target" 2>/dev/null; do grep "$comment" | \
iptables -t "$table" -D "$chain" -i "$iface" -j "$target" sort -r | \
awk '{print $1}' | \
while read -r line; do
echo "Deleting rule $line from $table/$chain..."
iptables -t "$table" -D "$chain" "$line"
done done
} }
ensure_ip_rule() { ensure_ip_rule() {
# Remove duplicates if any (doesn't error if absent) # Clean up ip rules first
while ip rule list | grep -q "fwmark ${FW_MARK} lookup ${ROUTE_TABLE}"; do while ip rule list | grep -q "fwmark ${FW_MARK} lookup ${ROUTE_TABLE}"; do
ip rule del fwmark ${FW_MARK} lookup ${ROUTE_TABLE} || true ip rule del fwmark ${FW_MARK} lookup ${ROUTE_TABLE} || true
done done
ip rule add fwmark ${FW_MARK} lookup ${ROUTE_TABLE} ip rule add fwmark ${FW_MARK} lookup ${ROUTE_TABLE}
# Route table entry, forced # Route table entry, forced
ip route replace local 0.0.0.0/0 dev lo table ${ROUTE_TABLE} ip route replace local 0.0.0.0/0 dev lo table ${ROUTE_TABLE}
} }
# ---------------------------- # ----------------------------
# NAT (REDIRECT) part (TCP only) # CLEANUP PHASE
# ---------------------------- # ----------------------------
echo "Cleaning up old rules..."
# Cleanup old chains (ignore if absent) # 1. Clean MANGLE references
ipt -t nat -F MIHOMO_REDIR 2>/dev/null || true cleanup_rules mangle OUTPUT "MIHOMO-MARK"
ipt -t nat -X MIHOMO_REDIR 2>/dev/null || true cleanup_rules mangle OUTPUT "MIHOMO-EXCLUDE"
cleanup_rules mangle PREROUTING "MIHOMO-JUMP"
cleanup_rules mangle PREROUTING "MIHOMO-EXCLUDE"
# NOTE: Your original script flushes OUTPUT table nat globally. # 2. Clean NAT references
# Keeping behavior to match your current approach, but yes, it nukes other rules. cleanup_rules nat OUTPUT "MIHOMO-JUMP"
ipt -t nat -F OUTPUT 2>/dev/null || true cleanup_rules nat OUTPUT "MIHOMO-EXCLUDE"
cleanup_rules nat PREROUTING "MIHOMO-REDIRECT"
del_jump_all nat OUTPUT MIHOMO_REDIR # 3. Flush and Delete Chains
# Now that references are gone, we can safely kill the chains
# Create chain
ipt -t nat -N MIHOMO_REDIR
# Exclude loopback and local subnets
# ipt -t nat -A MIHOMO_REDIR -d 127.0.0.0/8 -j RETURN
# ipt -t nat -A MIHOMO_REDIR -d 10.0.0.0/8 -j RETURN
# ipt -t nat -A MIHOMO_REDIR -d 172.16.0.0/12 -j RETURN
ipt -t nat -A MIHOMO_REDIR -d 192.168.0.0/16 -j RETURN
# Exclude traffic that is going via tun0/wg0 (your "do not touch" tunnels)
for IFACE in "${EXCLUDE_IFACES[@]}"; do
ipt -t nat -A OUTPUT -o "${IFACE}" -j RETURN 2>/dev/null || true
done
# Exclude mihomo's own traffic by UID
ipt -t nat -C OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -j RETURN 2>/dev/null || \
ipt -t nat -I OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -j RETURN
# Everything else TCP -> REDIRECT to mihomo
ipt -t nat -A MIHOMO_REDIR -p tcp -j REDIRECT --to-ports "${REDIR_PORT}"
# Apply to local OUTPUT TCP
ipt -t nat -C OUTPUT -p tcp -j MIHOMO_REDIR 2>/dev/null || \
ipt -t nat -A OUTPUT -p tcp -j MIHOMO_REDIR
# Apply to traffic coming from NetBird interface (ingress)
# Exclude tun0/wg0 by design: only target wt0 here.
ipt -t nat -C PREROUTING -i wt0 -p tcp -j REDIRECT --to-port "${REDIR_PORT}" 2>/dev/null || \
ipt -t nat -A PREROUTING -i wt0 -p tcp -j REDIRECT --to-port "${REDIR_PORT}"
# IMPORTANT:
# Removed your old rule "PREROUTING -i wg0 ... REDIRECT"
# because you explicitly asked to exclude wg0 from routing/interception.
# ----------------------------
# MANGLE (TPROXY) part (TCP+UDP typically)
# ----------------------------
ensure_ip_rule
# Cleanup old chains
ipt -t mangle -F MIHOMO_TPROXY 2>/dev/null || true ipt -t mangle -F MIHOMO_TPROXY 2>/dev/null || true
ipt -t mangle -X MIHOMO_TPROXY 2>/dev/null || true ipt -t mangle -X MIHOMO_TPROXY 2>/dev/null || true
del_jump_iface_all mangle PREROUTING wt0 MIHOMO_TPROXY ipt -t nat -F MIHOMO_REDIR 2>/dev/null || true
ipt -t nat -X MIHOMO_REDIR 2>/dev/null || true
# ----------------------------
# NAT (REDIRECT) part (TCP only)
# ----------------------------
echo "Applying NAT rules..."
ipt -t nat -N MIHOMO_REDIR
# Exclude private networks
ipt -t nat -A MIHOMO_REDIR -d 192.168.0.0/16 -j RETURN
ipt -t nat -A MIHOMO_REDIR -d 10.0.0.0/8 -j RETURN
ipt -t nat -A MIHOMO_REDIR -d 172.16.0.0/12 -j RETURN
ipt -t nat -A MIHOMO_REDIR -d 127.0.0.0/8 -j RETURN
# Everything else TCP -> REDIRECT
ipt -t nat -A MIHOMO_REDIR -p tcp -j REDIRECT --to-ports "${REDIR_PORT}"
# --- APPLY TO OUTPUT (Local Traffic) ---
# Exclude traffic going via tunnels (tun0/wg0)
for IFACE in "${EXCLUDE_IFACES[@]}"; do
ipt -t nat -A OUTPUT -o "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
done
# Exclude mihomo user
ipt -t nat -A OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
# Redirect remaining TCP
ipt -t nat -A OUTPUT -p tcp -m comment --comment "MIHOMO-JUMP" -j MIHOMO_REDIR
# --- APPLY TO INGRESS (wt0) ---
# Exclude wt0 -> tun0/wg0 logic handled by routing mostly, but let's be safe if needed.
# For now, strictly redirect TCP incoming on wt0
ipt -t nat -A PREROUTING -i wt0 -p tcp -m comment --comment "MIHOMO-REDIRECT" -j REDIRECT --to-port "${REDIR_PORT}"
# ----------------------------
# MANGLE (TPROXY) part (TCP+UDP)
# ----------------------------
echo "Applying TPROXY rules..."
ensure_ip_rule
# Create chain
ipt -t mangle -N MIHOMO_TPROXY ipt -t mangle -N MIHOMO_TPROXY
# Exclusions: loopback/local subnets # Exclude private networks
ipt -t mangle -A MIHOMO_TPROXY -d 127.0.0.0/8 -j RETURN ipt -t mangle -A MIHOMO_TPROXY -d 192.168.0.0/16 -j RETURN
ipt -t mangle -A MIHOMO_TPROXY -d 10.0.0.0/8 -j RETURN ipt -t mangle -A MIHOMO_TPROXY -d 10.0.0.0/8 -j RETURN
ipt -t mangle -A MIHOMO_TPROXY -d 172.16.0.0/12 -j RETURN ipt -t mangle -A MIHOMO_TPROXY -d 172.16.0.0/12 -j RETURN
ipt -t mangle -A MIHOMO_TPROXY -d 192.168.0.0/16 -j RETURN ipt -t mangle -A MIHOMO_TPROXY -d 127.0.0.0/8 -j RETURN
# Exclude traffic arriving from tun0/wg0 (ingress side)
for IFACE in "${EXCLUDE_IFACES[@]}"; do
ipt -t mangle -A PREROUTING -i "${IFACE}" -j RETURN 2>/dev/null || true
done
# Exclude traffic leaving via tun0/wg0 (local OUTPUT side)
for IFACE in "${EXCLUDE_IFACES[@]}"; do
ipt -t mangle -C OUTPUT -o "${IFACE}" -j RETURN 2>/dev/null || \
ipt -t mangle -I OUTPUT -o "${IFACE}" -j RETURN
done
# Exclude mihomo's own traffic (OUTPUT) so it doesn't eat itself
ipt -t mangle -C OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -j RETURN 2>/dev/null || \
ipt -t mangle -I OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -j RETURN
# --- TPROXY for local VM traffic (OUTPUT) ---
# Mark TCP/UDP so policy routing sends them to lo (where mihomo tproxy listens)
ipt -t mangle -C OUTPUT -p tcp -j MARK --set-mark "${FW_MARK}" 2>/dev/null || \
ipt -t mangle -A OUTPUT -p tcp -j MARK --set-mark "${FW_MARK}"
ipt -t mangle -C OUTPUT -p udp -j MARK --set-mark "${FW_MARK}" 2>/dev/null || \
ipt -t mangle -A OUTPUT -p udp -j MARK --set-mark "${FW_MARK}"
# --- TPROXY for wt0 ingress traffic (PREROUTING) ---
# First run through our exclusions, then TPROXY it.
ipt -t mangle -C PREROUTING -i wt0 -j MIHOMO_TPROXY 2>/dev/null || \
ipt -t mangle -A PREROUTING -i wt0 -j MIHOMO_TPROXY
# TPROXY Target
ipt -t mangle -A MIHOMO_TPROXY -p tcp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}/${FW_MARK}" ipt -t mangle -A MIHOMO_TPROXY -p tcp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}/${FW_MARK}"
ipt -t mangle -A MIHOMO_TPROXY -p udp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}/${FW_MARK}" ipt -t mangle -A MIHOMO_TPROXY -p udp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}/${FW_MARK}"
# --- APPLY TO OUTPUT (Local Traffic) ---
# Exclude tunnels
for IFACE in "${EXCLUDE_IFACES[@]}"; do
ipt -t mangle -A OUTPUT -o "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
done
# Exclude mihomo user
ipt -t mangle -A OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
# Mark remaining traffic for Policy Routing
ipt -t mangle -A OUTPUT -p tcp -m comment --comment "MIHOMO-MARK" -j MARK --set-mark "${FW_MARK}"
ipt -t mangle -A OUTPUT -p udp -m comment --comment "MIHOMO-MARK" -j MARK --set-mark "${FW_MARK}"
# --- APPLY TO INGRESS (wt0) ---
# Exclude tunnels (ingress logic)
for IFACE in "${EXCLUDE_IFACES[@]}"; do
ipt -t mangle -A PREROUTING -i "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN
done
# Jump wt0 traffic to TPROXY chain
ipt -t mangle -A PREROUTING -i wt0 -m comment --comment "MIHOMO-JUMP" -j MIHOMO_TPROXY
echo "Done."