clash tproxy脚本
#!/usr/bin/env bash
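## Refuse to run unprivileged: everything below edits policy-routing tables
## and the nftables ruleset, which needs root. The diagnostic goes to stderr
## so it is not mistaken for normal output when the script is piped.
if [[ "$EUID" -ne 0 ]]; then
  printf '%s\n' "This script must be run as root!" >&2
  exit 1
fi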
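## Device carrying the current default route. `exit` stops awk after the
## first match so a host with several default routes still yields a single
## name; a multi-line value would break the `dev "$INTERFACE"` arguments used
## further down.
readonly INTERFACE="$(ip route show default | awk '/default/ {print $5; exit}')"
## Packet mark that selects the TProxy policy-routing rule
readonly TPROXY_MARK="0x1"
## Policy routing table IDs holding the TProxy local routes (IPv4 / IPv6)
readonly TPROXY_ROUTE_TABLE_4="100"
readonly TPROXY_ROUTE_TABLE_6="106"
## Local users whose own outbound traffic is never redirected (the proxy
## daemons themselves — presumably so their upstream connections do not loop
## back into the proxy)
readonly -a BYPASS_USERS=('clash-meta' 'naiveproxy')
## Clash transparent-proxy (TProxy) listening port
readonly TPROXY_PORT="7894"
## L4 protocols to redirect, written as an nft anonymous-set literal
readonly TPROXY_L4PROTO="{tcp, udp}"
## Well-known ports that get proxied; traffic to any other port stays direct
readonly COMMON_PORTS="{22, 53, 80, 123, 143, 194, 443, 465, 587, 853, 993, 995, 5222, 8080, 8443}"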
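#######################################
# Block until a connectivity probe succeeds, retrying once per second.
# Each attempt is bounded by --max-time so a black-holed network cannot
# stall a single curl indefinitely (the unbounded curl previously could),
# and the response body/progress meter is discarded instead of being
# printed to the terminal.
# Globals:   none
# Outputs:   curl error text on stderr while the probe keeps failing
# Returns:   0 once the probe has succeeded
#######################################
function wait_online() {
  while ! curl -fsS --max-time 5 -o /dev/null http://g.cn/generate_204; do
    sleep 1
  done
}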
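#######################################
# Abort unless a clash-meta process is running; otherwise the TProxy rules
# installed later would redirect traffic to a port with no listener.
# Globals:   none
# Outputs:   error message on stderr
# Returns:   does not return when clash-meta is absent (exits 1)
#######################################
function check_clash() {
  if ! pgrep -x clash-meta > /dev/null; then
    printf '%s\n' "clash-meta未启动,请先启动clash-meta" >&2
    exit 1
  fi
}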
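#######################################
# Tear down what set_firewall_rules installed: the fwmark policy rules, the
# two dedicated routing tables and the `inet clash` nft table. Safe to call
# when nothing is installed.
# Globals:   TPROXY_MARK, TPROXY_ROUTE_TABLE_4, TPROXY_ROUTE_TABLE_6 (read)
# Outputs:   ip/nft diagnostics on stderr for unexpected failures
# Returns:   0
#######################################
function clear_firewall_rules() {
  ## Delete the policy rules until `ip rule del` reports none left. This
  ## needs no parsing of `ip rule` output and also removes any duplicates;
  ## the "not found" error that ends each loop is expected and silenced.
  while ip rule del fwmark "$TPROXY_MARK" table "$TPROXY_ROUTE_TABLE_4" 2>/dev/null; do :; done
  while ip -6 rule del fwmark "$TPROXY_MARK" table "$TPROXY_ROUTE_TABLE_6" 2>/dev/null; do :; done
  ## Flush the dedicated tables instead of deleting one route by device:
  ## when this runs after the uplink has gone (INTERFACE is derived from the
  ## default route), `del ... dev "$INTERFACE"` may no longer match and would
  ## leave a stale local route behind. Empty-table diagnostics are silenced.
  ip route flush table "$TPROXY_ROUTE_TABLE_4" 2>/dev/null
  ip -6 route flush table "$TPROXY_ROUTE_TABLE_6" 2>/dev/null
  ## Look the table up by exact family and name; a substring grep over
  ## `nft list tables` would also match any other table containing "clash".
  if nft list table inet clash >/dev/null 2>&1; then
    nft delete table inet clash
  fi
}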
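#######################################
# Install the TProxy plumbing: a fwmark policy rule plus a local default
# route for IPv4 and IPv6 (marked packets are delivered locally), then the
# `inet clash` nft table that marks and redirects traffic to clash.
# Prerequisites are checked before any routing state is touched so a failure
# does not leave a half-installed setup.
# Globals:   INTERFACE, TPROXY_MARK, TPROXY_ROUTE_TABLE_4, TPROXY_ROUTE_TABLE_6,
#            BYPASS_USERS, TPROXY_PORT, TPROXY_L4PROTO, COMMON_PORTS (read)
# Outputs:   error message on stderr when a prerequisite is missing
# Returns:   0 on success, 1 if INTERFACE is empty or no bypass user resolves
#######################################
function set_firewall_rules() {
  local bypass_uids
  ## No default route (e.g. called while the uplink is down) would turn into
  ## `ip route add ... dev ""`, which fails after the ip rule was added.
  if [[ -z "$INTERFACE" ]]; then
    printf '%s\n' "set_firewall_rules: no default-route interface found" >&2
    return 1
  fi
  ## Resolve the bypass users up front: an empty UID list would not give a
  ## valid `meta skuid {...}` set, and nft would then reject the whole
  ## ruleset after the ip rules were already in place.
  bypass_uids="$(id -u "${BYPASS_USERS[@]}" | paste -sd ',')"
  if [[ -z "$bypass_uids" ]]; then
    printf '%s\n' "set_firewall_rules: none of the bypass users exist: ${BYPASS_USERS[*]}" >&2
    return 1
  fi
  ip rule add fwmark "$TPROXY_MARK" table "$TPROXY_ROUTE_TABLE_4"
  ip route add local default dev "$INTERFACE" table "$TPROXY_ROUTE_TABLE_4"
  ip -6 rule add fwmark "$TPROXY_MARK" table "$TPROXY_ROUTE_TABLE_6"
  ip -6 route add local default dev "$INTERFACE" table "$TPROXY_ROUTE_TABLE_6"
  ## Indentation inside the ruleset is cosmetic; nft ignores it.
  nft -f - <<EOF
table inet clash {
  ## Reserved / private IPv4 ranges that are never proxied
  set BYPASS_IPV4 {
    type ipv4_addr
    flags interval
    auto-merge
    elements = {
      0.0.0.0/8,
      10.0.0.0/8,
      100.64.0.0/10,
      127.0.0.0/8,
      169.254.0.0/16,
      172.16.0.0/12,
      192.168.0.0/16,
      224.0.0.0/4,
      240.0.0.0/4,
      255.255.255.255
    }
  }
  ## Reserved IPv6 ranges that are never proxied
  ## NOTE(review): fc00::/7 (ULA) is not listed here although the RFC1918
  ## ranges are bypassed for IPv4 — confirm that is intended.
  set BYPASS_IPV6 {
    type ipv6_addr
    flags interval
    auto-merge
    elements = {
      ::/128,
      ::1/128,
      64:ff9b::/96,
      100::/64,
      2001::/32,
      2001:20::/28,
      fe80::/10,
      ff00::/8
    }
  }
  ## Packets already owned by a transparent socket get the mark and skip the
  ## rest of prerouting. The mark now uses TPROXY_MARK instead of a literal
  ## 0x01 so the value cannot drift from the ip rule. TCP only, as before.
  chain divert {
    type filter hook prerouting priority mangle; policy accept;
    meta l4proto tcp socket transparent 1 meta mark set $TPROXY_MARK accept comment "跳过已经由TProxy接管的流量"
  }
  ## Traffic that stays direct: reserved destinations and anything whose
  ## destination port is not one of the well-known ports.
  chain direct {
    ip daddr @BYPASS_IPV4 accept comment "私有IP"
    ip6 daddr @BYPASS_IPV6 accept comment "私有IP"
    tcp dport != $COMMON_PORTS accept comment "绕开P2P流量"
    udp dport != $COMMON_PORTS accept comment "绕开P2P流量"
  }
  ## Only packets arriving on lo (locally generated, re-routed by the output
  ## chain) are redirected; traffic from other interfaces is left alone.
  chain prerouting {
    type filter hook prerouting priority filter; policy accept;
    iif != lo return comment "不处理非本地请求"
    jump direct
    meta l4proto $TPROXY_L4PROTO meta mark set $TPROXY_MARK tproxy ip to 127.0.0.1:$TPROXY_PORT accept comment "转发给clash"
    meta l4proto $TPROXY_L4PROTO meta mark set $TPROXY_MARK tproxy ip6 to [::1]:$TPROXY_PORT accept comment "转发给clash"
  }
  ## Mark local outbound traffic so the route hook sends it back through
  ## prerouting; the proxy daemons' own UIDs are exempt.
  chain output {
    type route hook output priority filter; policy accept;
    meta skuid {$bypass_uids} return comment "naive和clash发出的连接"
    jump direct
    meta l4proto $TPROXY_L4PROTO meta mark set $TPROXY_MARK accept comment "重路由到prerouting"
  }
}
EOF
}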
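## Entry point: sub-command dispatch. start and restart are the same thing
## because the rules are always torn down and rebuilt from scratch.
## `${1:-}` keeps the dispatch valid if `set -u` is ever enabled; the usage
## text is a diagnostic and goes to stderr.
case "${1:-}" in
  "start"|"restart")
    wait_online
    check_clash
    clear_firewall_rules
    set_firewall_rules
    ;;
  "stop")
    clear_firewall_rules
    ;;
  *)
    printf '%s\n' "Usage: clash-tproxy [start|restart|stop]" >&2
    exit 1
    ;;
esac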
#!/usr/bin/env bash
## Link-event hook: $2 is the event name; only "up" and "down" do anything
## and all output of clash-tproxy is discarded.
## NOTE(review): looks like a NetworkManager/networkd dispatcher script
## ($1 interface, $2 action) — confirm against where it is installed.
if [[ "$2" == "up" ]]; then
  clash-tproxy start >/dev/null 2>&1
elif [[ "$2" == "down" ]]; then
  clash-tproxy stop >/dev/null 2>&1
fi