auto iproute: UDP

ChisBread · May 8, 2022 · 72eccfc · 72eccfc
1 parent c3ac40a
commit 72eccfc
Show file tree

Hide file tree

Showing 2 changed files with 78 additions and 48 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -2,7 +2,7 @@ FROM ubuntu:20.04
 RUN sed -i s@/archive.ubuntu.com/@/mirrors.aliyun.com/@g /etc/apt/sources.list \
     && apt-get clean \
     && apt-get update \
-    && apt-get install -y wget xz-utils iptables python3 python3-yaml \
+    && apt-get install -y wget xz-utils iproute2 iptables python3 python3-yaml \
     && rm -rf /var/lib/apt/lists/*
 ARG CLASHVER=v1.10.0
 RUN wget https://github.com/Dreamacro/clash/releases/download/$CLASHVER/clash-linux-amd64-$CLASHVER.gz \
@@ -20,6 +20,7 @@ ENV CLASH_SOCKS_PORT=7891
 ENV CLASH_REDIR_PORT=7892
 ENV CLASH_MIXED_PORT=7893
 ENV DASH_PORT=8080
+ENV IPROUTE=1
 ENV LOG_LEVEL="info"
 ENV SECRET=""
 EXPOSE $CLASH_HTTP_PORT $CLASH_SOCKS_PORT $CLASH_REDIR_PORT $CLASH_MIXED_PORT $DASH_PORT

diff --git a/start.sh b/start.sh
@@ -1,56 +1,81 @@
 #!/bin/bash
 setroute() {
-#在nat表中新建一个clash规则链
-iptables -t nat -N CLASH
-#排除环形地址与保留地址，匹配之后直接RETURN
-iptables -t nat -A CLASH -d 0.0.0.0/8 -j RETURN
-iptables -t nat -A CLASH -d 10.0.0.0/8 -j RETURN
-iptables -t nat -A CLASH -d 127.0.0.0/8 -j RETURN
-iptables -t nat -A CLASH -d 169.254.0.0/16 -j RETURN
-iptables -t nat -A CLASH -d 172.16.0.0/12 -j RETURN
-iptables -t nat -A CLASH -d 192.168.0.0/16 -j RETURN
-iptables -t nat -A CLASH -d 224.0.0.0/4 -j RETURN
-iptables -t nat -A CLASH -d 240.0.0.0/4 -j RETURN
-#重定向tcp流量到本机$CLASH_REDIR_PORT端口
-iptables -t nat -A CLASH -p tcp -j REDIRECT --to-port $CLASH_REDIR_PORT
-#拦截外部tcp数据并交给clash规则链处理
-iptables -t nat -A PREROUTING -p tcp -j CLASH
+    # CLASH rules on nat，mangle
+    iptables -t nat -N CLASH
+    iptables -t mangle -N CLASH
+    ################## TCP转发 ######################
+    # Bypass private IP address ranges
+    iptables -t nat -A CLASH -d 0.0.0.0/8 -j RETURN
+    iptables -t nat -A CLASH -d 10.0.0.0/8 -j RETURN
+    iptables -t nat -A CLASH -d 127.0.0.0/8 -j RETURN
+    iptables -t nat -A CLASH -d 169.254.0.0/16 -j RETURN
+    iptables -t nat -A CLASH -d 172.16.0.0/12 -j RETURN
+    iptables -t nat -A CLASH -d 192.168.0.0/16 -j RETURN
+    iptables -t nat -A CLASH -d 224.0.0.0/4 -j RETURN
+    iptables -t nat -A CLASH -d 240.0.0.0/4 -j RETURN
+    # Redirect(TCP) ignore clash
+    iptables -t nat -A CLASH -p tcp -j REDIRECT --to-port $CLASH_REDIR_PORT
+    iptables -t nat -A PREROUTING -p tcp -j CLASH
+    ################## UDP转发 ######################
+    # IP rules
+    ip rule add fwmark 1 table 100
+    ip route add local default dev lo table 100
 
-#在nat表中新建一个clash_dns规则链
-iptables -t nat -N CLASH_DNS
-#清空clash_dns规则链
-iptables -t nat -F CLASH_DNS
-#重定向udp流量到本机1053端口(DNS)
-iptables -t nat -A CLASH_DNS -p udp -j REDIRECT --to-port 1053
-#抓取本机产生的53端口流量交给clash_dns规则链处理
-iptables -t nat -I OUTPUT -p udp --dport 53 -j CLASH_DNS
-#拦截外部udp的53端口流量交给clash_dns规则链处理
-iptables -t nat -I PREROUTING -p udp --dport 53 -j CLASH_DNS
+    # Bypass private IP address ranges
+    iptables -t mangle -N CLASH
+    iptables -t mangle -A CLASH -d 0.0.0.0/8 -j RETURN
+    iptables -t mangle -A CLASH -d 10.0.0.0/8 -j RETURN
+    iptables -t mangle -A CLASH -d 127.0.0.0/8 -j RETURN
+    iptables -t mangle -A CLASH -d 169.254.0.0/16 -j RETURN
+    iptables -t mangle -A CLASH -d 172.16.0.0/12 -j RETURN
+    iptables -t mangle -A CLASH -d 192.168.0.0/16 -j RETURN
+    iptables -t mangle -A CLASH -d 224.0.0.0/4 -j RETURN
+    iptables -t mangle -A CLASH -d 240.0.0.0/4 -j RETURN
+
+    # Redirect(UDP) ignore clash
+    iptables -t mangle -A CLASH -p udp -j TPROXY --on-port $CLASH_REDIR_PORT --tproxy-mark 1
+    iptables -t mangle -A PREROUTING -p udp -j CLASH
+    ################## DNS转发 ######################
+    iptables -t nat -N CLASH_DNS
+    iptables -t nat -F CLASH_DNS
+    # Redirect(DNS)
+    iptables -t nat -A CLASH_DNS -p udp -j REDIRECT --to-port 1053
+    iptables -t nat -I OUTPUT -p udp --dport 53 -j CLASH_DNS
+    iptables -t nat -I PREROUTING -p udp --dport 53 -j CLASH_DNS
+    #iptables -t nat -I PREROUTING -p udp --dport 53 -d 192.168.0.0/16 -j REDIRECT --to 1053
 }
 unsetroute() {
-while :
-do
-iptables -t nat -D PREROUTING -p tcp -j CLASH
-if [ "$?" == "0" ]; then continue; fi
-iptables -t nat -D OUTPUT -p udp --dport 53 -j CLASH_DNS
-if [ "$?" == "0" ]; then continue; fi
-iptables -t nat -D PREROUTING -p udp --dport 53 -j CLASH_DNS
-if [ "$?" == "0" ]; then continue; fi
-iptables -t nat -F CLASH
-iptables -t nat -X CLASH
-iptables -t nat -F CLASH_DNS
-iptables -t nat -X CLASH_DNS
-break;
-done
+    while :
+    do
+        iptables -t nat -D PREROUTING -p tcp -j CLASH 2>&1 >/dev/null
+        if [ "$?" == "0" ]; then continue; fi
+        iptables -t mangle -D PREROUTING -p udp -j CLASH 2>&1 >/dev/null
+        if [ "$?" == "0" ]; then continue; fi
+        iptables -t nat -D OUTPUT -p udp --dport 53 -j CLASH_DNS 2>&1 >/dev/null
+        if [ "$?" == "0" ]; then continue; fi
+        iptables -t nat -D PREROUTING -p udp --dport 53 -j CLASH_DNS 2>&1 >/dev/null
+        if [ "$?" == "0" ]; then continue; fi
+        iptables -t nat -F CLASH
+        iptables -t nat -X CLASH
+        iptables -t mangle -F CLASH
+        iptables -t mangle -X CLASH
+        iptables -t nat -F CLASH_DNS
+        iptables -t nat -X CLASH_DNS
+        break;
+    done
 }
 #清理
 _term() {
-  unsetroute
-  echo "Caught SIGTERM signal!"
-  echo "Tell the clash session to shut down."
-  pid=`cat /var/clash.pid`
-  # terminate when the clash-daemon process dies
-  tail --pid=${pid} -f /dev/null
+    echo "Caught SIGTERM signal!"
+    echo "Tell the clash session to shut down."
+    pid=`cat /var/clash.pid`
+    # terminate when the clash-daemon process dies
+    tail --pid=${pid} -f /dev/null
+    if [ "$IPROUTE" == "1" ]; then
+        echo "unset iproutes ..."
+        unsetroute 2>&1 >/dev/null
+        echo "done."
+    fi
 }
 trap _term SIGTERM SIGINT
 # 初始化 /etc/clash
@@ -63,9 +88,13 @@ fi
 if [ ! -d "/etc/clash/dashboard" ]; then
     cp -arp /default/clash/dashboard /etc/clash/dashboard
 fi
-setroute
+if [ "$IPROUTE" == "1" ]; then
+    echo "set iproutes ..."
+    setroute
+    echo "done."
+fi
 python3 /default/clash/utils/override.py "/etc/clash/config.yaml" "$CLASH_HTTP_PORT" "$CLASH_SOCKS_PORT" "$CLASH_REDIR_PORT" "$CLASH_MIXED_PORT" "$LOG_LEVEL"
-clash -d /etc/clash -ext-ctl "0.0.0.0:$DASH_PORT" -ext-ui /etc/clash/dashboard/public 2>&1 >/etc/clash/clash.log &
+/usr/bin/clash -d /etc/clash -ext-ctl "0.0.0.0:$DASH_PORT" -ext-ui /etc/clash/dashboard/public 2>&1 >/etc/clash/clash.log &
 echo $! > /var/clash.pid
 echo "Dashboard Address: http://YOUR_IP:$DASH_PORT/ui"
 tail -f /etc/clash/clash.log &