Last active
January 11, 2024 10:00
-
-
Save xmdhs/dcb9ed3bd8ceabc307480edc3980b2d1 to your computer and use it in GitHub Desktop.
tproxy netmap dmz 示例命令
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| lan="enx8e6a234ea26a" | |
| ipset restore -f /usr/local/etc/ipset/cnipset.conf | |
| ip rule add fwmark 1 table 100 | |
| ip route add local 0.0.0.0/0 dev lo table 100 | |
| iptables -t mangle -A PREROUTING -m state --state NEW -i $lan -j CONNMARK --or-mark 64 | |
| iptables -t mangle -N SINGBOX | |
| iptables -t mangle -A SINGBOX -m set --match-set cn dst -p udp ! --dport 53 -j RETURN | |
| iptables -t mangle -A SINGBOX -m set --match-set cn dst -p tcp -j RETURN | |
| iptables -t mangle -A SINGBOX -m addrtype --dst-type LOCAL -p udp ! --dport 53 -j RETURN | |
| iptables -t mangle -A SINGBOX -m addrtype --dst-type LOCAL -p tcp -j RETURN | |
| iptables -t mangle -A SINGBOX -m addrtype --dst-type BROADCAST -j RETURN | |
| iptables -t mangle -A SINGBOX -m addrtype --dst-type MULTICAST -j RETURN | |
| iptables -t mangle -A SINGBOX -p udp -j TPROXY --on-port 12345 --on-ip 127.0.0.1 --tproxy-mark 1 | |
| iptables -t mangle -A SINGBOX -p tcp -j TPROXY --on-port 12345 --on-ip 127.0.0.1 --tproxy-mark 1 | |
| iptables -t mangle -A PREROUTING -m connmark --mark 64/64 -j SINGBOX | |
| iptables -t filter -I INPUT -m mark --mark 0x1 -j ACCEPT | |
| #旁路由 | |
| #iptables -t nat -A POSTROUTING -m connmark --mark 64/64 -j MASQUERADE | |
| iptables -t mangle -N DIVERT | |
| iptables -t mangle -A DIVERT -j MARK --set-mark 1 | |
| iptables -t mangle -A DIVERT -j ACCEPT | |
| iptables -t mangle -I PREROUTING -p tcp -m socket --transparent -j DIVERT | |
| ip -6 rule add fwmark 1 table 100 | |
| ip -6 route add local ::/0 dev lo table 100 | |
| ip6tables -t mangle -A PREROUTING -m state --state NEW -i $lan -j CONNMARK --or-mark 64 | |
| ip6tables -t mangle -N SINGBOX | |
| ip6tables -t mangle -A SINGBOX -m set --match-set cn6 dst -p udp ! --dport 53 -j RETURN | |
| ip6tables -t mangle -A SINGBOX -m set --match-set cn6 dst -p tcp -j RETURN | |
| ip6tables -t mangle -A SINGBOX -m addrtype --dst-type LOCAL -p udp ! --dport 53 -j RETURN | |
| ip6tables -t mangle -A SINGBOX -m addrtype --dst-type LOCAL -p tcp -j RETURN | |
| ip6tables -t mangle -A SINGBOX -m addrtype --dst-type MULTICAST -j RETURN | |
| ip6tables -t mangle -A SINGBOX -p udp -j TPROXY --on-port 12345 --tproxy-mark 1 | |
| ip6tables -t mangle -A SINGBOX -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1 | |
| ip6tables -t mangle -A PREROUTING -m connmark --mark 64/64 -j SINGBOX | |
| ip6tables -t filter -I INPUT -m mark --mark 0x1 -j ACCEPT | |
| ip6tables -t mangle -N DIVERT | |
| ip6tables -t mangle -A DIVERT -j MARK --set-mark 1 | |
| ip6tables -t mangle -A DIVERT -j ACCEPT | |
| ip6tables -t mangle -I PREROUTING -p tcp -m socket --transparent -j DIVERT |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #放到 /etc/NetworkManager/dispatcher.d | |
| iptables -N dmz_rule &>/dev/null | |
| iptables -F dmz_rule | |
| iptables -A dmz_rule -d 192.168.20.81 -j ACCEPT | |
| iptables -D FORWARD -j dmz_rule &>/dev/null | |
| iptables -I FORWARD -j dmz_rule | |
| iptables -t nat -N dmz_rule &>/dev/null | |
| iptables -t nat -F dmz_rule | |
| iptables -t nat -A dmz_rule -j DNAT --to-destination 192.168.20.81 | |
| iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -i end0 -j dmz_rule &>/dev/null | |
| iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -i end0 -j dmz_rule |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| PREVIOUS_IPV6_ADDRESS="YOUR_PREVIOUS_IPV6_ADDRESS" # 替换为之前记录的 IPv6 地址 | |
| interface="end0" | |
| netmap() { | |
| # 获取当前 IPv6 地址 | |
| CURRENT_IPV6_ADDRESS=$(ip -6 addr show dev "$1" | awk '/inet6 .* global/ {print $2}') | |
| if [ -z "$CURRENT_IPV6_ADDRESS" ]; then | |
| return 1 | |
| fi | |
| # 比较当前 IPv6 地址与之前记录的地址 | |
| if [ "$CURRENT_IPV6_ADDRESS" != "$PREVIOUS_IPV6_ADDRESS" ]; then | |
| echo "IPv6 Changed : $CURRENT_IPV6_ADDRESS" | |
| # 执行相应的操作或触发事件 | |
| echo "Reset netmap" | |
| ip6tables -t nat -N netmap_pre &>/dev/null | |
| ip6tables -t nat -F netmap_pre | |
| ip6tables -t nat -A netmap_pre -m addrtype --dst-type LOCAL -j RETURN | |
| ip6tables -t nat -A netmap_pre -d $CURRENT_IPV6_ADDRESS -i end0 -j NETMAP --to 2001:470:f9da:fdfc::/64 | |
| ip6tables -t nat -N netmap_post &>/dev/null | |
| ip6tables -t nat -F netmap_post | |
| ip6tables -t nat -A netmap_post -s 2001:470:f9da:fdfc::/64 -o end0 -j NETMAP --to $CURRENT_IPV6_ADDRESS | |
| ip6tables -t nat -D PREROUTING -j netmap_pre | |
| ip6tables -t nat -D POSTROUTING -j netmap_post | |
| ip6tables -t nat -A PREROUTING -j netmap_pre | |
| ip6tables -t nat -A POSTROUTING -j netmap_post | |
| # 更新记录的 IPv6 地址 | |
| PREVIOUS_IPV6_ADDRESS=$CURRENT_IPV6_ADDRESS | |
| fi | |
| } | |
| netmap $interface | |
| ip monitor address | while read line; do | |
| netmap $interface | |
| done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment