clash tproxy脚本
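#!/usr/bin/env bash
## Root is required: the script edits policy routing (ip rule / ip route)
## and loads an nftables ruleset, both of which need CAP_NET_ADMIN.
## Diagnostics go to stderr so they are not mixed with any stdout consumer.
if [[ "$EUID" -ne 0 ]]; then
  printf '%s\n' "This script must be run as root!" >&2
  exit 1
fi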
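## Default gateway device; used as the "dev" of the local routes in the
## TProxy tables. Only the first default route is taken: on a multi-homed
## host "ip route show default" prints several lines, and the previous
## multi-line value broke every "dev $INTERFACE" argument.
INTERFACE="$(ip route show default | awk '/default/ {print $5; exit}')"
## Packet mark that selects the TProxy policy-routing tables.
TPROXY_MARK="0x1"
## Policy-routing table IDs (IPv4 / IPv6); both hold a single "local default" route.
TPROXY_ROUTE_TABLE_4="100"
TPROXY_ROUTE_TABLE_6="106"
## Users whose own sockets are never redirected (the proxy processes
## themselves); without this bypass their upstream connections would loop
## back into the proxy.
BYPASS_USERS=('clash-meta' 'naiveproxy')
## Clash transparent-proxy (TProxy) listen port.
TPROXY_PORT="7894"
## L4 protocols that are proxied, written in nft set syntax.
TPROXY_L4PROTO="{tcp, udp}"
## Destination ports that are proxied (nft set syntax); traffic to any other
## port is accepted directly, which keeps P2P-style traffic out of the proxy.
COMMON_PORTS="{22, 53, 80, 123, 143, 194, 443, 465, 587, 853, 993, 995, 5222, 8080, 8443}"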
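#######################################
# Block until the host can reach the Internet.
# Probes a "generate_204" endpoint once per second. Each attempt is bounded
# by --max-time so a hung connection cannot stall the loop, and curl's
# output is discarded instead of being dumped on stdout every second.
# Globals:   none
# Returns:   0 once a probe succeeds (does not return otherwise)
#######################################
wait_online() {
  # -f: treat HTTP errors (4xx/5xx) as failure; -s: no progress meter.
  until curl -fs --max-time 5 -o /dev/null http://g.cn/generate_204; do
    sleep 1
  done
}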
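#######################################
# Abort unless a clash-meta process is running; without the listener the
# tproxy rules would black-hole all proxied traffic.
# Globals:   none
# Outputs:   error message on stderr when clash-meta is not running
# Returns:   0 when clash-meta is running; exits 1 otherwise
#######################################
check_clash() {
  if ! pgrep -x clash-meta > /dev/null; then
    printf '%s\n' "clash-meta未启动,请先启动clash-meta" >&2
    exit 1
  fi
}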
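#######################################
# Remove the policy-routing rules, the TProxy route tables and the nft
# table installed by set_firewall_rules. Safe to call when nothing is
# installed (used by "stop" and before every "start").
# Globals:   TPROXY_MARK, TPROXY_ROUTE_TABLE_4, TPROXY_ROUTE_TABLE_6 (read)
# Returns:   status of the last cleanup command
#######################################
clear_firewall_rules() {
  # Delete the fwmark rules only when present so a "stop" on a clean host
  # prints no errors. -w stops "lookup 100" from also matching "lookup 1000".
  if ip rule show | grep -qwE "fwmark ${TPROXY_MARK} lookup ${TPROXY_ROUTE_TABLE_4}"; then
    ip rule del fwmark "$TPROXY_MARK" table "$TPROXY_ROUTE_TABLE_4"
  fi
  if ip -6 rule show | grep -qwE "fwmark ${TPROXY_MARK} lookup ${TPROXY_ROUTE_TABLE_6}"; then
    ip -6 rule del fwmark "$TPROXY_MARK" table "$TPROXY_ROUTE_TABLE_6"
  fi
  # Flush the dedicated tables instead of deleting "local default dev
  # $INTERFACE": if the default interface changed since "start", the exact
  # delete fails and leaves a stale route behind. An empty table only makes
  # ip print "Nothing to flush." on stderr, hence the redirect.
  ip route flush table "$TPROXY_ROUTE_TABLE_4" 2>/dev/null
  ip -6 route flush table "$TPROXY_ROUTE_TABLE_6" 2>/dev/null
  # Check for the exact table; a substring grep on "clash" would also match
  # any other table whose name merely contains it.
  if nft list table inet clash >/dev/null 2>&1; then
    nft delete table inet clash
  fi
}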
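#######################################
# Install the policy routing and the nftables ruleset that send locally
# generated traffic to the Clash TProxy listener.
# Globals:   INTERFACE, TPROXY_MARK, TPROXY_ROUTE_TABLE_4, TPROXY_ROUTE_TABLE_6,
#            TPROXY_PORT, TPROXY_L4PROTO, COMMON_PORTS, BYPASS_USERS (read)
# Outputs:   error message on stderr when a bypass user cannot be resolved
# Returns:   1 if a bypass user is unknown or INTERFACE is empty (nothing
#            is installed in that case); otherwise the exit status of nft
#######################################
set_firewall_rules() {
  local user uid uids=() bypass_uids

  # Resolve the bypass users before touching any state. Previously the uid
  # list was expanded inside the heredoc, so an unknown user produced an
  # empty/partial "meta skuid {}" set that nft rejected only after the
  # routing rules had already been installed.
  for user in "${BYPASS_USERS[@]}"; do
    uid="$(id -u "$user")" || {
      printf 'cannot resolve uid of bypass user "%s"\n' "$user" >&2
      return 1
    }
    uids+=("$uid")
  done
  bypass_uids="$(IFS=,; printf '%s' "${uids[*]}")"

  # An empty INTERFACE (no default route) would make the "local default"
  # routes fail; refuse early instead of half-configuring the host.
  if [[ -z "$INTERFACE" ]]; then
    printf '%s\n' "no default route found (INTERFACE is empty), cannot set TProxy routes" >&2
    return 1
  fi

  # Marked packets are looked up in the TProxy tables, whose only route is
  # "local default" so they are delivered to the local TProxy socket.
  ip rule add fwmark "$TPROXY_MARK" table "$TPROXY_ROUTE_TABLE_4"
  ip route add local default dev "$INTERFACE" table "$TPROXY_ROUTE_TABLE_4"
  ip -6 rule add fwmark "$TPROXY_MARK" table "$TPROXY_ROUTE_TABLE_6"
  ip -6 route add local default dev "$INTERFACE" table "$TPROXY_ROUTE_TABLE_6"

  # The mark set in chain divert is the configured TPROXY_MARK (it was a
  # literal 0x01 before, which is the same value but easy to desynchronise).
  nft -f - <<EOF
table inet clash {
  # Reserved / non-routable IPv4 ranges: never proxied
  set BYPASS_IPV4 {
    type ipv4_addr
    flags interval
    auto-merge
    elements = {
      0.0.0.0/8,
      10.0.0.0/8,
      100.64.0.0/10,
      127.0.0.0/8,
      169.254.0.0/16,
      172.16.0.0/12,
      192.168.0.0/16,
      224.0.0.0/4,
      240.0.0.0/4,
      255.255.255.255
    }
  }
  # Reserved / non-routable IPv6 ranges: never proxied
  set BYPASS_IPV6 {
    type ipv6_addr
    flags interval
    auto-merge
    elements = {
      ::/128,
      ::1/128,
      64:ff9b::/96,
      100::/64,
      2001::/32,
      2001:20::/28,
      fe80::/10,
      ff00::/8
    }
  }
  # Packets already owned by a transparent socket are re-marked and skipped
  chain divert {
    type filter hook prerouting priority mangle; policy accept;
    meta l4proto tcp socket transparent 1 meta mark set $TPROXY_MARK accept comment "跳过已经由TProxy接管的流量"
  }
  # Traffic that bypasses the proxy entirely
  chain direct {
    ip daddr @BYPASS_IPV4 accept comment "私有IP"
    ip6 daddr @BYPASS_IPV6 accept comment "私有IP"
    tcp dport != $COMMON_PORTS accept comment "绕开P2P流量"
    udp dport != $COMMON_PORTS accept comment "绕开P2P流量"
  }
  # Only loopback traffic (i.e. what chain output re-routed) is handed to TProxy
  chain prerouting {
    type filter hook prerouting priority filter; policy accept;
    iif != lo return comment "不处理非本地请求"
    jump direct
    meta l4proto $TPROXY_L4PROTO meta mark set $TPROXY_MARK tproxy ip to 127.0.0.1:$TPROXY_PORT accept comment "转发给clash"
    meta l4proto $TPROXY_L4PROTO meta mark set $TPROXY_MARK tproxy ip6 to [::1]:$TPROXY_PORT accept comment "转发给clash"
  }
  # Locally generated traffic: mark it so policy routing loops it back to prerouting
  chain output {
    type route hook output priority filter; policy accept;
    meta skuid {$bypass_uids} return comment "naive和clash发出的连接"
    jump direct
    meta l4proto $TPROXY_L4PROTO meta mark set $TPROXY_MARK accept comment "重路由到prerouting"
  }
}
EOF
}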
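## Entry point: clash-tproxy start|restart|stop
## "start" and "restart" are identical: the old rules are always cleared
## before the new ones are installed. The script's exit status is that of
## the last function in the chosen branch, so a failing nft load is visible
## to the caller (e.g. a service unit or network hook).
case "${1:-}" in
  start|restart)
    wait_online
    check_clash
    clear_firewall_rules
    set_firewall_rules
    ;;
  stop)
    clear_firewall_rules
    ;;
  *)
    printf '%s\n' "Usage: clash-tproxy [start|restart|stop]" >&2
    exit 1
    ;;
esac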
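#!/usr/bin/env bash
## Network hook (presumably a NetworkManager-dispatcher-style script, where
## $1 is the interface and $2 the action — confirm against the installer).
## Only "up" and "down" are acted on; any other action falls through.
## stdout is discarded, but stderr is deliberately left alone so a failing
## clash-tproxy run is logged by the caller instead of disappearing.
case "${2:-}" in
  up)
    clash-tproxy start >/dev/null
    ;;
  down)
    clash-tproxy stop >/dev/null
    ;;
esac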