clnc-tun-v2.0
zhj9709 committed Jan 19, 2021
0 parents commit 612bb1f
Showing 10 changed files with 751 additions and 0 deletions.
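--- a/README.md
+++ b/README.md
@@ -0,0 +1,6 @@
+## clnc-tun
+
+### v2.0
+
+1. 默认禁止ipv6联网
+2. 清除规则用了while循环,防止有多个重复的规则一次清不掉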
Binary file added clnc-tun/bin/busybox
Binary file not shown.
Binary file added clnc-tun/bin/clnc
Binary file not shown.
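--- a/clnc-tun/bin/clncs.bin
+++ b/clnc-tun/bin/clncs.bin
@@ -0,0 +1,364 @@
+#!/system/bin/sh
+
+#全局变量(默认参数)
+#可以通过配置文件设置
+TunDev=ctun
+udpflag=httpUDP
+#免udp(0=关闭,1=开启,2=放行)
+mudp=1
+#放行除tcp,udp外的流量(1放行)
+fxqt=1
+#IPV6禁网
+denyIPV6=1
+
+#=================================
+DIR="${0%/*}"
+cd $DIR/../
+. ./config.ini
+if [ -e confs/${file}.ini ]; then
+. confs/${file}.ini
+else
+echo "请检查配置文件是否正确!" && exit 1
+fi
+export PATH=$DIR:$PATH
+
+if ! grep -q TPROXY /proc/net/ip_tables_targets; then
+useTun=1
+fi
+
+if iptables --help 2>&- | grep -q "xtables"; then
+alias iptables="iptables -w"
+else
+iptables() {
+/system/bin/iptables $@
+tmp=$?
+[ "$tmp" = "4" ] && iptables $@
+return $tmp
+}
+fi
+
+clear_rules() {
+while iptables -t nat -D OUTPUT -j nat_OUT; do :; done
+while iptables -t nat -D PREROUTING -j nat_PRE; do :; done
+while iptables -t mangle -D OUTPUT -j man_OUT; do :; done
+while iptables -t mangle -D PREROUTING -j man_PRE; do :; done
+iptables -t nat -F nat_OUT
+iptables -t nat -X nat_OUT
+iptables -t nat -F nat_PRE
+iptables -t nat -X nat_PRE
+iptables -t mangle -F man_OUT
+iptables -t mangle -X man_OUT
+iptables -t mangle -F man_PRE
+iptables -t mangle -X man_PRE
+while iptables -D FORWARD -i $TunDev -j ACCEPT; do :; done
+while iptables -D FORWARD -o $TunDev -j ACCEPT; do :; done
+iptables -t mangle -P FORWARD ACCEPT
+while iptables -t mangle -D FORWARD -p udp -j ACCEPT; do :; done
+while iptables -t mangle -D FORWARD -p icmp -j ACCEPT; do :; done
+while iptables -t mangle -D PREROUTING ! -p udp -j ACCEPT; do :; done
+# 关闭程序
+busybox killall clnc 2>&-
+# 清除ip规则
+while ip rule del fwmark 0x1234 lookup 1234; do :; done
+while ip route del default dev $TunDev table 1234; do :; done
+while ip route del local default dev lo table 1234; do :; done
+# 清除IPV6禁网规则
+if ip6tables -t mangle -S 2>&- | grep -q 0x1122; then
+while ip6tables -t mangle -D OUTPUT ! -p tcp -m owner --uid 0 -j ACCEPT; do :; done
+while ip6tables -t mangle -D OUTPUT ! -o wlan+ -j MARK --set-mark 0x1122; do :; done
+while ip6tables -t mangle -D PREROUTING ! -i tun+ -j MARK --set-mark 0x1122; do :; done
+while ip -6 rule del fwmark 0x1122 unreachable; do :; done
+fi
+}
+
+create_tun() {
+[ ! -e "/dev/net/tun" ] && mkdir -p /dev/net && ln -s /dev/tun /dev/net/tun && echo 1 > /proc/sys/net/ipv4/ip_forward
+}
+
+#通过包名得到uid
+get_package_uid() {
+packageName=${1%%_*} #过滤包名后面的端口
+if echo $packageName | grep -q '[A-Za-z]'; then
+packageInfo=`grep -oE "^$packageName ([0-9])+" /data/system/packages.list`
+[ $? != 0 ] && return 1
+echo "$1" | grep -qE '_([0-9])+' && \
+echo "${packageInfo#* }_${1#*_}" || \
+echo "${packageInfo#* }"
+else
+echo "$1"
+fi
+}
+
+start_rules() {
+iptables -t nat -N nat_OUT
+iptables -t nat -A OUTPUT -j nat_OUT
+iptables -t nat -N nat_PRE
+iptables -t nat -A PREROUTING -j nat_PRE
+iptables -t mangle -P FORWARD DROP
+iptables -t mangle -A FORWARD -p udp -j ACCEPT
+iptables -t mangle -A FORWARD -p icmp -j ACCEPT
+iptables -t mangle -A PREROUTING ! -p udp -j ACCEPT
+# nat OUTPUT
+iptables -t nat -A nat_OUT -m owner --gid-owner 2222 -j ACCEPT
+[ "$wifiProxy" = "1" ] || iptables -t nat -A nat_OUT -o wlan+ -j ACCEPT
+iptables -t nat -A nat_OUT -o tun+ -j ACCEPT
+iptables -t nat -A nat_OUT -o lo -j ACCEPT
+# 防止WiFi共享获取不到ip
+iptables -t nat -A nat_OUT -d 192.168/16 -j ACCEPT
+iptables -t nat -A nat_OUT -p tcp -j REDIRECT --to-ports 1230
+[ "$DNS" = "" ] && iptables -t nat -A nat_OUT -p udp --dport 53 -j ACCEPT || iptables -t nat -A nat_OUT -p udp --dport 53 -j REDIRECT --to-ports 1240
+if [ "$mudp" = '0' ]; then
+[ "$fxqt" != '1' ] && iptables -t nat -A nat_OUT ! -p tcp -j REDIRECT --to-ports 1250 || iptables -t nat -A nat_OUT -p udp -j REDIRECT --to-ports 1250
+fi
+[ "$mudp" = '1' -a "$fxqt" != '1' ] && iptables -t nat -A nat_OUT ! -p udp -j REDIRECT --to-ports 1250
+# 共享规则
+iptables -t nat -A nat_PRE -s 192.168/16 ! -d 192.168/16 -p tcp -j REDIRECT --to-ports 1230
+[ "$DNS" = "" ] && iptables -t nat -A nat_PRE -s 192.168/16 -p udp --dport 53 -j ACCEPT || iptables -t nat -A nat_PRE -s 192.168/16 -p udp --dport 53 -j REDIRECT --to-ports 1240
+if [ "$mudp" = '0' ]; then
+[ "$fxqt" != '1' ] && iptables -t nat -A nat_PRE ! -p tcp -j REDIRECT --to-ports 1250 || iptables -t nat -A nat_PRE -p udp -j REDIRECT --to-ports 1250
+fi
+[ "$mudp" = '1' -a "$fxqt" != '1' ] && iptables -t nat -A nat_PRE ! -p udp -j REDIRECT --to-ports 1250
+
+# 免udp规则
+if [ "$mudp" == '1' ]; then
+iptables -t mangle -N man_OUT
+iptables -t mangle -A OUTPUT -j man_OUT
+iptables -t mangle -N man_PRE
+iptables -t mangle -A PREROUTING -j man_PRE
+# PREROUTING
+allow_ip="0/8,127/8,10/8,192.168/16,224/3,169.254/16,100.64/10,172.16/12"
+iptables -t mangle -A man_PRE -d $allow_ip -j ACCEPT
+# OUTPUT
+iptables -t mangle -A man_OUT -m owner --gid-owner 2222 -j ACCEPT
+[ "$wifiProxy" = "1" ] || iptables -t mangle -A man_OUT -o wlan+ -j ACCEPT
+iptables -t mangle -A man_OUT -o tun+ -j ACCEPT
+if [ "$useTun" == '1' ]; then
+# tun2socks/TPROXY 选择
+ip rule add fwmark 0x1234 lookup 1234
+ip route add default dev $TunDev table 1234
+iptables -t mangle -A man_PRE ! -i tun+ -p udp ! --dport 53 -j MARK --set-mark 0x1234
+iptables -t mangle -A man_OUT ! -d 192.168/16 ! -o lo -p udp ! --dport 53 -j MARK --set-mark 0x1234
+iptables -A FORWARD -i $TunDev -j ACCEPT
+iptables -A FORWARD -o $TunDev -j ACCEPT
+else
+ip rule add fwmark 0x1234 lookup 1234
+ip route add local default dev lo table 1234
+iptables -t mangle -A man_PRE ! -i tun+ -p udp ! --dport 53 -j TPROXY --on-port 1230 --tproxy-mark 0x1234
+iptables -t mangle -A man_OUT ! -d 192.168/16 ! -o lo -p udp ! --dport 53 -j MARK --set-mark 0x1234
+fi
+fi
+
+# IPV6禁网
+if [ "$denyIPV6" == 1 ]; then
+ip6tables -t mangle -A OUTPUT ! -p tcp -m owner --uid 0 -j ACCEPT
+ip6tables -t mangle -A OUTPUT ! -o wlan+ -j MARK --set-mark 0x1122
+ip6tables -t mangle -A PREROUTING ! -i tun+ -j MARK --set-mark 0x1122
+ip -6 rule add fwmark 0x1122 unreachable
+fi
+
+# 放行规则
+[ "$allowTcpPorts" != "" ] && iptables -t nat -I nat_OUT -p tcp -m multiport --dports $allowTcpPorts -j ACCEPT
+[ "$allowUdpPorts" != "" -a "$mudp" = "0" ] && iptables -t nat -I nat_OUT -p udp -m multiport --dports $allowUdpPorts -j ACCEPT
+# 本地TCP放行
+for app in $allowAppsTCP; do
+uid=`get_package_uid $app` || continue
+iptables -t nat -I nat_OUT -p tcp -m owner --uid ${uid%_*} `echo $uid|grep -q '_' && echo "-m multiport --dport ${uid#*_}"` -j ACCEPT
+done
+if [ "$mudp" = "0" ]; then
+# 本地UDP放行
+for app in $allowAppsUDP; do
+uid=`get_package_uid $app` || continue
+iptables -t nat -I nat_OUT -p udp -m owner --uid ${uid%_*} `echo $uid|grep -q '_' && echo "-m multiport --dport ${uid#*_}"` -j ACCEPT
+done
+fi
+# 本地全局放行
+for app in $allowApps; do
+uid=`get_package_uid $app` || continue
+iptables -t nat -I nat_OUT -m owner --uid $uid -j ACCEPT
+done
+# 共享规则 nat PREROUTING
+[ "$allowShareTcpPorts" != "" ] && iptables -t nat -I nat_PRE -p tcp -m multiport --dports $allowShareTcpPorts -j ACCEPT
+[ "$allowShareUdpPorts" != "" ] && iptables -t nat -I nat_PRE -p udp -m multiport --dports $allowShareUdpPorts -j ACCEPT
+
+if [ "$mudp" = "1" ]; then
+[ "$allowShareUdpPorts" != "" ] && iptables -t mangle -I man_PRE -p udp -m multiport --dports $allowShareUdpPorts -j ACCEPT
+[ "$allowUdpPorts" != "" ] && iptables -t mangle -I man_OUT -p udp -m multiport --dports $allowUdpPorts -j ACCEPT
+# 本地UDP放行
+for app in $allowAppsUDP; do
+uid=`get_package_uid $app` || continue
+iptables -t mangle -I man_OUT -p udp -m owner --uid ${uid%_*} `echo $uid|grep -q '_' && echo "-m multiport --dport ${uid#*_}"` -j ACCEPT
+done
+# 本地全局放行
+for app in $allowApps; do
+uid=`get_package_uid $app` || continue
+iptables -t mangle -I man_OUT -m owner --uid $uid -j ACCEPT
+done
+fi
+}
+
+get_ip() {
+server=${addr%:*}
+if echo $server | grep -q [a-zA-Z]; then
+ip=`busybox wget -q -T1 -O- http://119.29.29.29/d?dn=$server | busybox cut -d';' -f1`
+echo $ip | grep -q '\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}' || ip=""
+if [ -z "$ip" ]; then
+ip=`ping -c1 -w1 -W1 $server | grep 'PING' | busybox cut -d'(' -f2 | busybox cut -d')' -f1`
+[ -z "$ip" ] && echo "解析IP失败!($server)" && exit 1
+fi
+else
+ip=$server
+fi
+addr=$ip:${addr#*:}
+}
+
+data_control() {
+if [ "$netstat" != "$1" -a "$kgwl" = "1" ]; then
+wifiip=$(ip addr show wlan0 2>&- | grep 'inet')
+if [ "$wifiip" = "" ]; then
+[ "$1" = "y" ] && svc data enable && sleep 0.3
+[ "$1" = "n" ] && svc data disable
+netstat="$1"
+fi
+fi
+}
+
+make_config() {
+echo 'tcp::Global {
+tcp_listen = 0.0.0.0:1230;
+timeout = 60;
+}
+dns::Global {
+dns_listen = 0.0.0.0:1240;
+cachePath = /dev/null;
+}
+httpMod::clns_https_request {
+del_line = host;' > bin/clnc.conf
+if [ "$method" == "GET" -o "$method" == "POST" ]; then
+echo -E ' set_first = "'$method' '$path' [V]\r\nHost: '$host'\r\n'$clnchead': [H]\r\nClnsProxyType: TUNNEL_PROXY\r\n";' >> bin/clnc.conf
+fi
+if [ "$method" == "CONNECT" ]; then
+echo -E ' set_first = "CONNECT '$path' [V]\r\nHost: '$host'\r\n'$clnchead': [H]\r\n";' >> bin/clnc.conf
+fi
+if [ "$method" == "WS" -o "$method" == "ws" ]; then
+echo -E ' set_first = "GET '$path' HTTP/1.1\r\nHost: '$host'\r\n'$clnchead': [H]\r\nConnection: Upgrade\r\nSec-WebSocket-Key: Cute Linux Network\r\nSec-WebSocket-Version: 13\r\nUpgrade: websocket\r\nOrigin: http://'$host'/\r\nClnsProxyType: TUNNEL_PROXY\r\n";'>> bin/clnc.conf
+fi
+echo '}
+tcpProxy::https_proxy {
+destAddr = '$addr';
+tunnel_encrypt = '$clncpwd';
+tunnel_proxy = on;
+tunnelHttpMod = clns_https_request;
+}
+tcpAcl::firstConnect {
+tcpProxy = https_proxy;
+matchMode = firstMatch;
+timeout = -1;
+dst_port != 0;
+}
+dnsAcl {
+destAddr = '$addr';
+header_host = '$DNS':53;
+lookup_mode = tcpDNS;
+tunnel_encrypt = '$clncpwd';
+tunnelHttpMod = clns_https_request;
+tunnel_proxy = on;
+}
+httpUDP::udp {
+udp_tproxy_listen = 0.0.0.0:1230;
+header_host = '$host';
+destAddr = '$addr';
+encrypt = '$clncpwd';
+udp_flag = '$udpflag';
+httpMod = clns_https_request;
+}' >> bin/clnc.conf
+
+if [ "$useTun" = "1" ]; then
+echo '
+Tun {
+tunAddr4 = 10.0.0.10;
+//tunAddr6 = fc00::1;
+tunMtu = 1500;
+tunDevice = '$TunDev';
+}
+' >> bin/clnc.conf
+fi
+}
+
+save_running_info() {
+echo xaddr=$addr >> bin/info
+echo xpath=$path >> bin/info
+echo xhost=$host >> bin/info
+echo xfile=$file >> bin/info
+}
+
+start_server() {
+rm -f bin/info
+save_running_info
+chmod 777 bin/*
+[ "$useTun" = "1" ] && create_tun
+clnc -c bin/clnc.conf -g 2222
+}
+
+clear_files() {
+sleep 0.5
+rm -f confs/*.bak bin/*.bak #bin/*.conf
+}
+
+status_check() {
+ip addr | grep global | grep -E '[1-9]{1,3}[0-9]{0,2}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | \
+while read line
+do
+[ -z "$line" ] && break
+typeset -L17 netcard=${line##* }
+IP=${line%%/*}
+echo "$netcard${IP##* }"
+done
+echo
+[ -n "$IP" ] && echo
+echo -n "✺ Core: "
+busybox pidof "clnc" >/dev/null && echo -n "✔clnc " || echo -n "✘clnc "
+
+echo
+[ -n "`busybox pidof clnc`" -a -f "bin/info" ] && . bin/info || rm -f bin/info
+[ -f "bin/info" ] && echo
+[ -n "$xfile" ] && echo "✺ 已加载配置文件: $xfile"
+[ -n "$xaddr" ] && echo "✺ Addr: $xaddr"
+[ -n "$xpath" ] && echo "✺ Path: $xpath"
+[ -n "$xhost" ] && echo "✺ Host: $xhost"
+
+type iptables | grep -q "function" && unset -f iptables
+echo
+echo ✺ nat表:
+iptables -t nat -S 2>&- | busybox grep -wE 'nat_OUT|nat_PRE'
+if [ "$mudp" = "1" ]; then
+echo
+echo ✺ mangle表:
+iptables -t mangle -S 2>&- | busybox grep -wE 'man_OUT|man_PRE'
+fi
+}
+
+main() {
+if [ "$1" = "stop" ]; then
+rm -f bin/info 2>&-
+clear_rules 2>&-
+sleep 0.1
+elif [ -z "$1" -o "$1" = "start" ]; then
+clear_rules 2>&-
+get_ip
+make_config
+start_server
+start_rules 2>&-
+data_control n
+data_control y
+fi
+(clear_files &)
+status_check
+}
+
+main $1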
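Review bot: get_ip accepts the resolver answer on a substring match — `echo $ip | grep -q '\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}'` passes any reply that merely contains something IPv4-shaped, and that unanchored value then becomes `addr` and is written unquoted into the generated config as `destAddr = '$addr';` in make_config. Because the lookup is a plaintext HTTP query whose reply the script does not authenticate, the whole-line check `echo "$ip" | grep -qx '\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}' || ip=""` should be the minimum, so that only a bare dotted quad can reach the config file. Separately, `chmod 777 bin/*` in start_server leaves the clnc binary that this script (which needs iptables/ip privileges) then executes world-writable; `chmod 755 bin/*` is sufficient for it to run. `cd $DIR/../` at the top is also unquoted and unchecked, so a failed cd would source `./config.ini` from whatever the caller's working directory is; `cd "$DIR/.." || exit 1` closes that.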