DaTekShaman
95230c6349
- Introduced `iptables-mihomo-setup-mark2.sh` for advanced TProxy configuration. - Created `iptables-mihomo-setup.sh` for legacy iptables management. - Added `dnssec-test.sh` for DNSSEC interception testing. - Implemented `config-warpgate-alpine.sh` for comprehensive Warpgate setup. - Developed `iptables-mihomo-setup-alpine-mark2.sh` for refined TProxy rules on Alpine. - Added `iptables-mihomo-setup-alpine.sh` for basic TProxy setup on Alpine. - Created `update-core-and-dash.sh` for automated updates of Mihomo core and Zashboard UI.
89 lines
3.1 KiB
Bash
89 lines
3.1 KiB
Bash
#!/bin/bash
|
||
set -u
|
||
|
||
# ----------------------------
|
||
# Config
|
||
# ----------------------------
|
||
MIHOMO_UID="mihomo"
|
||
TPROXY_PORT="7893"
|
||
FW_MARK="0x1"
|
||
ROUTE_TABLE="100"
|
||
|
||
# Интерфейсы клиентов (откуда прилетают запросы)
|
||
LAN_IFACES=("wt0" "eth1" "eth2")
|
||
|
||
# Порты самого сервера, которые НЕ надо проксировать (Web UI, SSH)
|
||
LOCAL_PORTS="9090,22"
|
||
|
||
# ----------------------------
|
||
# Helpers
|
||
# ----------------------------
|
||
ipt() { iptables "$@"; }
|
||
|
||
cleanup_references() {
|
||
local chain=$1
|
||
iptables-save | grep "\-j $chain" | sed "s/^-A/-D/" | while read rule; do
|
||
iptables -t mangle $rule 2>/dev/null || true
|
||
done
|
||
}
|
||
|
||
ensure_ip_rule() {
|
||
# 1. Перехват трафика от клиентов в TProxy (то, что мы уже починили)
|
||
if ! ip rule list | grep -q "fwmark ${FW_MARK} lookup ${ROUTE_TABLE}"; then
|
||
ip rule add fwmark ${FW_MARK} lookup ${ROUTE_TABLE} pref 90
|
||
fi
|
||
if ! ip route show table ${ROUTE_TABLE} | grep -q "local default"; then
|
||
ip route add local 0.0.0.0/0 dev lo table ${ROUTE_TABLE}
|
||
fi
|
||
|
||
# 2. НОВОЕ: Выпуск трафика Mihomo в интернет в обход Netbird
|
||
if ! ip rule list | grep -q "fwmark 1337 lookup main"; then
|
||
ip rule add fwmark 1337 lookup main pref 80
|
||
fi
|
||
}
|
||
|
||
# ----------------------------
|
||
# 1. CLEANUP
|
||
# ----------------------------
|
||
echo "--- Cleaning up rules ---"
|
||
cleanup_references "MIHOMO_TPROXY"
|
||
ipt -t mangle -F MIHOMO_TPROXY 2>/dev/null || true
|
||
ipt -t mangle -X MIHOMO_TPROXY 2>/dev/null || true
|
||
|
||
# ----------------------------
|
||
# 2. SETUP
|
||
# ----------------------------
|
||
ensure_ip_rule
|
||
|
||
# --- CHAIN: PREROUTING (Для клиентов) ---
|
||
ipt -t mangle -N MIHOMO_TPROXY
|
||
|
||
# === 1. Исключения по Портам (CRITICAL FIX) ===
|
||
# Если стучатся в веб-морду или SSH - пропускаем мимо TProxy
|
||
ipt -t mangle -A MIHOMO_TPROXY -p tcp -m multiport --dports "${LOCAL_PORTS}" -j RETURN
|
||
|
||
# === 2. Исключения по IP (Bypass) ===
|
||
# RFC1918 Private Networks
|
||
ipt -t mangle -A MIHOMO_TPROXY -d 0.0.0.0/8 -j RETURN
|
||
ipt -t mangle -A MIHOMO_TPROXY -d 10.0.0.0/8 -j RETURN
|
||
ipt -t mangle -A MIHOMO_TPROXY -d 127.0.0.0/8 -j RETURN
|
||
ipt -t mangle -A MIHOMO_TPROXY -d 169.254.0.0/16 -j RETURN
|
||
ipt -t mangle -A MIHOMO_TPROXY -d 172.16.0.0/12 -j RETURN
|
||
ipt -t mangle -A MIHOMO_TPROXY -d 192.168.0.0/16 -j RETURN
|
||
# Multicast
|
||
ipt -t mangle -A MIHOMO_TPROXY -d 224.0.0.0/4 -j RETURN
|
||
ipt -t mangle -A MIHOMO_TPROXY -d 240.0.0.0/4 -j RETURN
|
||
# !!! NETBIRD / CGNAT (Fix for VPN access) !!!
|
||
ipt -t mangle -A MIHOMO_TPROXY -d 100.64.0.0/10 -j RETURN
|
||
|
||
# === 3. Заворачиваем в TProxy ===
|
||
ipt -t mangle -A MIHOMO_TPROXY -p tcp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}"
|
||
ipt -t mangle -A MIHOMO_TPROXY -p udp -j TPROXY --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}"
|
||
|
||
# ----------------------------
|
||
# 3. APPLY
|
||
# ----------------------------
|
||
for IFACE in "${LAN_IFACES[@]}"; do
|
||
echo "Adding TProxy rules for interface: $IFACE"
|
||
ipt -t mangle -A PREROUTING -i "$IFACE" -j MIHOMO_TPROXY
|
||
done |