diff --git a/README.md b/README.md
new file mode 100644
index 0000000..df91b0f
--- /dev/null
+++ b/README.md
@@ -0,0 +1,6 @@
+## clnc-tun
+
+### v2.0
+
+1. 默认禁止ipv6联网
+2. 清除规则用了while循环,防止有多个重复的规则一次清不掉
\ No newline at end of file
diff --git a/clnc-tun/bin/busybox b/clnc-tun/bin/busybox
new file mode 100644
index 0000000..6f0db8a
Binary files /dev/null and b/clnc-tun/bin/busybox differ
diff --git a/clnc-tun/bin/clnc b/clnc-tun/bin/clnc
new file mode 100644
index 0000000..23a986f
Binary files /dev/null and b/clnc-tun/bin/clnc differ
diff --git a/clnc-tun/bin/clncs.bin b/clnc-tun/bin/clncs.bin
new file mode 100644
index 0000000..7055dad
--- /dev/null
+++ b/clnc-tun/bin/clncs.bin
@@ -0,0 +1,364 @@
+#!/system/bin/sh
+
+#全局变量(默认参数)
+#可以通过配置文件设置
+TunDev=ctun
+udpflag=httpUDP
+#免udp(0=关闭,1=开启,2=放行)
+mudp=1
+#放行除tcp,udp外的流量(1放行)
+fxqt=1
+#IPV6禁网
+denyIPV6=1
+
+#=================================
+DIR="${0%/*}"
+cd $DIR/../
+. ./config.ini
+if [ -e confs/${file}.ini ]; then
+ . confs/${file}.ini
+else
+ echo "请检查配置文件是否正确!" && exit 1
+fi
+export PATH=$DIR:$PATH
+
+if ! grep -q TPROXY /proc/net/ip_tables_targets; then
+ useTun=1
+fi
+
+if iptables --help 2>&- | grep -q "xtables"; then
+ alias iptables="iptables -w"
+else
+ iptables() {
+ /system/bin/iptables $@
+ tmp=$?
+ [ "$tmp" = "4" ] && iptables $@
+ return $tmp
+ }
+fi
+
+clear_rules() {
+ while iptables -t nat -D OUTPUT -j nat_OUT; do :; done
+ while iptables -t nat -D PREROUTING -j nat_PRE; do :; done
+ while iptables -t mangle -D OUTPUT -j man_OUT; do :; done
+ while iptables -t mangle -D PREROUTING -j man_PRE; do :; done
+ iptables -t nat -F nat_OUT
+ iptables -t nat -X nat_OUT
+ iptables -t nat -F nat_PRE
+ iptables -t nat -X nat_PRE
+ iptables -t mangle -F man_OUT
+ iptables -t mangle -X man_OUT
+ iptables -t mangle -F man_PRE
+ iptables -t mangle -X man_PRE
+ while iptables -D FORWARD -i $TunDev -j ACCEPT; do :; done
+ while iptables -D FORWARD -o $TunDev -j ACCEPT; do :; done
+ iptables -t mangle -P FORWARD ACCEPT
+ while iptables -t mangle -D FORWARD -p udp -j ACCEPT; do :; done
+ while iptables -t mangle -D FORWARD -p icmp -j ACCEPT; do :; done
+ while iptables -t mangle -D PREROUTING ! -p udp -j ACCEPT; do :; done
+ # 关闭程序
+ busybox killall clnc 2>&-
+ # 清除ip规则
+ while ip rule del fwmark 0x1234 lookup 1234; do :; done
+ while ip route del default dev $TunDev table 1234; do :; done
+ while ip route del local default dev lo table 1234; do :; done
+ # 清除IPV6禁网规则
+ if ip6tables -t mangle -S 2>&- | grep -q 0x1122; then
+ while ip6tables -t mangle -D OUTPUT ! -p tcp -m owner --uid 0 -j ACCEPT; do :; done
+ while ip6tables -t mangle -D OUTPUT ! -o wlan+ -j MARK --set-mark 0x1122; do :; done
+ while ip6tables -t mangle -D PREROUTING ! -i tun+ -j MARK --set-mark 0x1122; do :; done
+ while ip -6 rule del fwmark 0x1122 unreachable; do :; done
+ fi
+}
+
+create_tun() {
+ [ ! -e "/dev/net/tun" ] && mkdir -p /dev/net && ln -s /dev/tun /dev/net/tun && echo 1 > /proc/sys/net/ipv4/ip_forward
+}
+
+#通过包名得到uid
+get_package_uid() {
+ packageName=${1%%_*} #过滤包名后面的端口
+ if echo $packageName | grep -q '[A-Za-z]'; then
+ packageInfo=`grep -oE "^$packageName ([0-9])+" /data/system/packages.list`
+ [ $? != 0 ] && return 1
+ echo "$1" | grep -qE '_([0-9])+' && \
+ echo "${packageInfo#* }_${1#*_}" || \
+ echo "${packageInfo#* }"
+ else
+ echo "$1"
+ fi
+}
+
+start_rules() {
+ iptables -t nat -N nat_OUT
+ iptables -t nat -A OUTPUT -j nat_OUT
+ iptables -t nat -N nat_PRE
+ iptables -t nat -A PREROUTING -j nat_PRE
+ iptables -t mangle -P FORWARD DROP
+ iptables -t mangle -A FORWARD -p udp -j ACCEPT
+ iptables -t mangle -A FORWARD -p icmp -j ACCEPT
+ iptables -t mangle -A PREROUTING ! -p udp -j ACCEPT
+ # nat OUTPUT
+ iptables -t nat -A nat_OUT -m owner --gid-owner 2222 -j ACCEPT
+ [ "$wifiProxy" = "1" ] || iptables -t nat -A nat_OUT -o wlan+ -j ACCEPT
+ iptables -t nat -A nat_OUT -o tun+ -j ACCEPT
+ iptables -t nat -A nat_OUT -o lo -j ACCEPT
+ # 防止WiFi共享获取不到ip
+ iptables -t nat -A nat_OUT -d 192.168/16 -j ACCEPT
+ iptables -t nat -A nat_OUT -p tcp -j REDIRECT --to-ports 1230
+ [ "$DNS" = "" ] && iptables -t nat -A nat_OUT -p udp --dport 53 -j ACCEPT || iptables -t nat -A nat_OUT -p udp --dport 53 -j REDIRECT --to-ports 1240
+ if [ "$mudp" = '0' ]; then
+ [ "$fxqt" != '1' ] && iptables -t nat -A nat_OUT ! -p tcp -j REDIRECT --to-ports 1250 || iptables -t nat -A nat_OUT -p udp -j REDIRECT --to-ports 1250
+ fi
+ [ "$mudp" = '1' -a "$fxqt" != '1' ] && iptables -t nat -A nat_OUT ! -p udp -j REDIRECT --to-ports 1250
+ # 共享规则
+ iptables -t nat -A nat_PRE -s 192.168/16 ! -d 192.168/16 -p tcp -j REDIRECT --to-ports 1230
+ [ "$DNS" = "" ] && iptables -t nat -A nat_PRE -s 192.168/16 -p udp --dport 53 -j ACCEPT || iptables -t nat -A nat_PRE -s 192.168/16 -p udp --dport 53 -j REDIRECT --to-ports 1240
+ if [ "$mudp" = '0' ]; then
+ [ "$fxqt" != '1' ] && iptables -t nat -A nat_PRE ! -p tcp -j REDIRECT --to-ports 1250 || iptables -t nat -A nat_PRE -p udp -j REDIRECT --to-ports 1250
+ fi
+ [ "$mudp" = '1' -a "$fxqt" != '1' ] && iptables -t nat -A nat_PRE ! -p udp -j REDIRECT --to-ports 1250
+
+ # 免udp规则
+ if [ "$mudp" == '1' ]; then
+ iptables -t mangle -N man_OUT
+ iptables -t mangle -A OUTPUT -j man_OUT
+ iptables -t mangle -N man_PRE
+ iptables -t mangle -A PREROUTING -j man_PRE
+ # PREROUTING
+ allow_ip="0/8,127/8,10/8,192.168/16,224/3,169.254/16,100.64/10,172.16/12"
+ iptables -t mangle -A man_PRE -d $allow_ip -j ACCEPT
+ # OUTPUT
+ iptables -t mangle -A man_OUT -m owner --gid-owner 2222 -j ACCEPT
+ [ "$wifiProxy" = "1" ] || iptables -t mangle -A man_OUT -o wlan+ -j ACCEPT
+ iptables -t mangle -A man_OUT -o tun+ -j ACCEPT
+ if [ "$useTun" == '1' ]; then
+ # tun2socks/TPROXY 选择
+ ip rule add fwmark 0x1234 lookup 1234
+ ip route add default dev $TunDev table 1234
+ iptables -t mangle -A man_PRE ! -i tun+ -p udp ! --dport 53 -j MARK --set-mark 0x1234
+ iptables -t mangle -A man_OUT ! -d 192.168/16 ! -o lo -p udp ! --dport 53 -j MARK --set-mark 0x1234
+ iptables -A FORWARD -i $TunDev -j ACCEPT
+ iptables -A FORWARD -o $TunDev -j ACCEPT
+ else
+ ip rule add fwmark 0x1234 lookup 1234
+ ip route add local default dev lo table 1234
+ iptables -t mangle -A man_PRE ! -i tun+ -p udp ! --dport 53 -j TPROXY --on-port 1230 --tproxy-mark 0x1234
+ iptables -t mangle -A man_OUT ! -d 192.168/16 ! -o lo -p udp ! --dport 53 -j MARK --set-mark 0x1234
+ fi
+ fi
+
+ # IPV6禁网
+ if [ "$denyIPV6" == 1 ]; then
+ ip6tables -t mangle -A OUTPUT ! -p tcp -m owner --uid 0 -j ACCEPT
+ ip6tables -t mangle -A OUTPUT ! -o wlan+ -j MARK --set-mark 0x1122
+ ip6tables -t mangle -A PREROUTING ! -i tun+ -j MARK --set-mark 0x1122
+ ip -6 rule add fwmark 0x1122 unreachable
+ fi
+
+ # 放行规则
+ [ "$allowTcpPorts" != "" ] && iptables -t nat -I nat_OUT -p tcp -m multiport --dports $allowTcpPorts -j ACCEPT
+ [ "$allowUdpPorts" != "" -a "$mudp" = "0" ] && iptables -t nat -I nat_OUT -p udp -m multiport --dports $allowUdpPorts -j ACCEPT
+ # 本地TCP放行
+ for app in $allowAppsTCP; do
+ uid=`get_package_uid $app` || continue
+ iptables -t nat -I nat_OUT -p tcp -m owner --uid ${uid%_*} `echo $uid|grep -q '_' && echo "-m multiport --dport ${uid#*_}"` -j ACCEPT
+ done
+ if [ "$mudp" = "0" ]; then
+ # 本地UDP放行
+ for app in $allowAppsUDP; do
+ uid=`get_package_uid $app` || continue
+ iptables -t nat -I nat_OUT -p udp -m owner --uid ${uid%_*} `echo $uid|grep -q '_' && echo "-m multiport --dport ${uid#*_}"` -j ACCEPT
+ done
+ fi
+ # 本地全局放行
+ for app in $allowApps; do
+ uid=`get_package_uid $app` || continue
+ iptables -t nat -I nat_OUT -m owner --uid $uid -j ACCEPT
+ done
+ # 共享规则 nat PREROUTING
+ [ "$allowShareTcpPorts" != "" ] && iptables -t nat -I nat_PRE -p tcp -m multiport --dports $allowShareTcpPorts -j ACCEPT
+ [ "$allowShareUdpPorts" != "" ] && iptables -t nat -I nat_PRE -p udp -m multiport --dports $allowShareUdpPorts -j ACCEPT
+
+ if [ "$mudp" = "1" ]; then
+ [ "$allowShareUdpPorts" != "" ] && iptables -t mangle -I man_PRE -p udp -m multiport --dports $allowShareUdpPorts -j ACCEPT
+ [ "$allowUdpPorts" != "" ] && iptables -t mangle -I man_OUT -p udp -m multiport --dports $allowUdpPorts -j ACCEPT
+ # 本地UDP放行
+ for app in $allowAppsUDP; do
+ uid=`get_package_uid $app` || continue
+ iptables -t mangle -I man_OUT -p udp -m owner --uid ${uid%_*} `echo $uid|grep -q '_' && echo "-m multiport --dport ${uid#*_}"` -j ACCEPT
+ done
+ # 本地全局放行
+ for app in $allowApps; do
+ uid=`get_package_uid $app` || continue
+ iptables -t mangle -I man_OUT -m owner --uid $uid -j ACCEPT
+ done
+ fi
+}
+
+get_ip() {
+ server=${addr%:*}
+ if echo $server | grep -q [a-zA-Z]; then
+ ip=`busybox wget -q -T1 -O- http://119.29.29.29/d?dn=$server | busybox cut -d';' -f1`
+ echo $ip | grep -q '\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}' || ip=""
+ if [ -z "$ip" ]; then
+ ip=`ping -c1 -w1 -W1 $server | grep 'PING' | busybox cut -d'(' -f2 | busybox cut -d')' -f1`
+ [ -z "$ip" ] && echo "解析IP失败!($server)" && exit 1
+ fi
+ else
+ ip=$server
+ fi
+ addr=$ip:${addr#*:}
+}
+
+data_control() {
+ if [ "$netstat" != "$1" -a "$kgwl" = "1" ]; then
+ wifiip=$(ip addr show wlan0 2>&- | grep 'inet')
+ if [ "$wifiip" = "" ]; then
+ [ "$1" = "y" ] && svc data enable && sleep 0.3
+ [ "$1" = "n" ] && svc data disable
+ netstat="$1"
+ fi
+ fi
+}
+
+make_config() {
+echo 'tcp::Global {
+ tcp_listen = 0.0.0.0:1230;
+ timeout = 60;
+}
+
+dns::Global {
+ dns_listen = 0.0.0.0:1240;
+ cachePath = /dev/null;
+}
+
+httpMod::clns_https_request {
+ del_line = host;' > bin/clnc.conf
+if [ "$method" == "GET" -o "$method" == "POST" ]; then
+echo -E ' set_first = "'$method' '$path' [V]\r\nHost: '$host'\r\n'$clnchead': [H]\r\nClnsProxyType: TUNNEL_PROXY\r\n";' >> bin/clnc.conf
+fi
+if [ "$method" == "CONNECT" ]; then
+echo -E ' set_first = "CONNECT '$path' [V]\r\nHost: '$host'\r\n'$clnchead': [H]\r\n";' >> bin/clnc.conf
+fi
+if [ "$method" == "WS" -o "$method" == "ws" ]; then
+echo -E ' set_first = "GET '$path' HTTP/1.1\r\nHost: '$host'\r\n'$clnchead': [H]\r\nConnection: Upgrade\r\nSec-WebSocket-Key: Cute Linux Network\r\nSec-WebSocket-Version: 13\r\nUpgrade: websocket\r\nOrigin: http://'$host'/\r\nClnsProxyType: TUNNEL_PROXY\r\n";'>> bin/clnc.conf
+fi
+echo '}
+
+tcpProxy::https_proxy {
+ destAddr = '$addr';
+ tunnel_encrypt = '$clncpwd';
+ tunnel_proxy = on;
+ tunnelHttpMod = clns_https_request;
+}
+
+tcpAcl::firstConnect {
+ tcpProxy = https_proxy;
+ matchMode = firstMatch;
+ timeout = -1;
+ dst_port != 0;
+}
+
+dnsAcl {
+ destAddr = '$addr';
+ header_host = '$DNS':53;
+ lookup_mode = tcpDNS;
+ tunnel_encrypt = '$clncpwd';
+ tunnelHttpMod = clns_https_request;
+ tunnel_proxy = on;
+}
+
+httpUDP::udp {
+ udp_tproxy_listen = 0.0.0.0:1230;
+ header_host = '$host';
+ destAddr = '$addr';
+ encrypt = '$clncpwd';
+ udp_flag = '$udpflag';
+ httpMod = clns_https_request;
+}' >> bin/clnc.conf
+
+if [ "$useTun" = "1" ]; then
+echo '
+Tun {
+ tunAddr4 = 10.0.0.10;
+ //tunAddr6 = fc00::1;
+ tunMtu = 1500;
+ tunDevice = '$TunDev';
+}
+' >> bin/clnc.conf
+fi
+}
+
+save_running_info() {
+ echo xaddr=$addr >> bin/info
+ echo xpath=$path >> bin/info
+ echo xhost=$host >> bin/info
+ echo xfile=$file >> bin/info
+}
+
+start_server() {
+ rm -f bin/info
+ save_running_info
+ chmod 777 bin/*
+ [ "$useTun" = "1" ] && create_tun
+ clnc -c bin/clnc.conf -g 2222
+}
+
+clear_files() {
+ sleep 0.5
+ rm -f confs/*.bak bin/*.bak #bin/*.conf
+}
+
+status_check() {
+ ip addr | grep global | grep -E '[1-9]{1,3}[0-9]{0,2}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | \
+ while read line
+ do
+ [ -z "$line" ] && break
+ typeset -L17 netcard=${line##* }
+ IP=${line%%/*}
+ echo "$netcard${IP##* }"
+ done
+ echo
+ [ -n "$IP" ] && echo
+ echo -n "✺ Core: "
+ busybox pidof "clnc" >/dev/null && echo -n "✔clnc " || echo -n "✘clnc "
+
+ echo
+ [ -n "`busybox pidof clnc`" -a -f "bin/info" ] && . bin/info || rm -f bin/info
+ [ -f "bin/info" ] && echo
+ [ -n "$xfile" ] && echo "✺ 已加载配置文件: $xfile"
+ [ -n "$xaddr" ] && echo "✺ Addr: $xaddr"
+ [ -n "$xpath" ] && echo "✺ Path: $xpath"
+ [ -n "$xhost" ] && echo "✺ Host: $xhost"
+
+ type iptables | grep -q "function" && unset -f iptables
+ echo
+ echo ✺ nat表:
+ iptables -t nat -S 2>&- | busybox grep -wE 'nat_OUT|nat_PRE'
+ if [ "$mudp" = "1" ]; then
+ echo
+ echo ✺ mangle表:
+ iptables -t mangle -S 2>&- | busybox grep -wE 'man_OUT|man_PRE'
+ fi
+}
+
+main() {
+ if [ "$1" = "stop" ]; then
+ rm -f bin/info 2>&-
+ clear_rules 2>&-
+ sleep 0.1
+ elif [ -z "$1" -o "$1" = "start" ]; then
+ clear_rules 2>&-
+ get_ip
+ make_config
+ start_server
+ start_rules 2>&-
+ data_control n
+ data_control y
+ fi
+ (clear_files &)
+ status_check
+}
+
+main $1
\ No newline at end of file
diff --git a/clnc-tun/bin/clnct.bin b/clnc-tun/bin/clnct.bin
new file mode 100644
index 0000000..7f9be26
--- /dev/null
+++ b/clnc-tun/bin/clnct.bin
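Review bot: `chmod 777 bin/*` in start_server leaves the clnc and busybox executables, and the generated bin/clnc.conf that carries `tunnel_encrypt = '$clncpwd'`, world-readable and world-writable, while the script itself presumably runs as root since it edits iptables and ip rules; any other local process that can reach the directory can then read the tunnel secret or replace the binary root launches on the next start. `chmod 755 bin/*` followed by `chmod 600 bin/clnc.conf` covers everything the script needs, and the same line appears in clnct.bin's start_server. The iptables() fallback wrapper also reports the wrong status on retry: `[ "$tmp" = "4" ] && iptables $@` re-runs the command after the xtables-lock status 4, but `return $tmp` still returns 4 even when the retry succeeded, and the recursion has no limit or back-off while the lock is held; `[ "$tmp" = "4" ] && { iptables "$@"; tmp=$?; }` fixes the status and `"$@"` stops argument word-splitting. That wrapper is duplicated in clnct.bin as well.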
@@ -0,0 +1,303 @@
+#!/system/bin/sh
+
+#全局变量设置(默认参数)
+#可以通过配置文件设置
+TunDev=ctun
+#免udp(0=关闭,1=开启,2=放行)
+mudp=1
+#IPV6禁网
+denyIPV6=1
+
+#=================================
+DIR="${0%/*}"
+cd $DIR/../
+. ./config.ini
+if [ -e confs/${file}.ini ]; then
+ . confs/${file}.ini
+else
+ echo "请检查配置文件是否正确!" && exit 1
+fi
+export PATH=$DIR:$PATH
+
+if iptables --help 2>&- | grep -q "xtables"; then
+ alias iptables="iptables -w"
+else
+ iptables() {
+ /system/bin/iptables $@
+ tmp=$?
+ [ "$tmp" = "4" ] && iptables $@
+ return $tmp
+ }
+fi
+
+clear_rules() {
+ while iptables -t mangle -D PREROUTING -j man_PRE; do :; done
+ while iptables -t mangle -D OUTPUT -j man_OUT; do :; done
+ while iptables -D FORWARD -j CFF; do :; done
+ iptables -t mangle -F man_OUT
+ iptables -t mangle -X man_OUT
+ iptables -t mangle -F man_PRE
+ iptables -t mangle -X man_PRE
+ iptables -t mangle -F TUN_MARK
+ iptables -t mangle -X TUN_MARK
+ iptables -F CFF
+ iptables -X CFF
+ busybox killall clnc 2>&-
+ while ip rule del fwmark 0x1234 lookup 1234; do :; done
+ while ip route del default dev $TunDev table 1234; do :; done
+ # 清除IPV6禁网规则
+ if ip6tables -t mangle -S 2>&- | grep -q 0x1122; then
+ while ip6tables -t mangle -D OUTPUT ! -p tcp -m owner --uid 0 -j ACCEPT; do :; done
+ while ip6tables -t mangle -D OUTPUT ! -o wlan+ -j MARK --set-mark 0x1122; do :; done
+ while ip6tables -t mangle -D PREROUTING ! -i tun+ -j MARK --set-mark 0x1122; do :; done
+ while ip -6 rule del fwmark 0x1122 unreachable; do :; done
+ fi
+}
+
+create_tun() {
+ [ ! -e "/dev/net/tun" ] && mkdir -p /dev/net && ln -s /dev/tun /dev/net/tun && echo 1 > /proc/sys/net/ipv4/ip_forward
+}
+
+get_package_uid() {
+ packageName=${1%%_*} #过滤包名后面的端口
+ if echo $packageName | grep -q '[A-Za-z]'; then
+ packageInfo=`grep -oE "^$packageName ([0-9])+" /data/system/packages.list`
+ [ $? != 0 ] && return 1
+ echo "$1" | grep -qE '_([0-9])+' && \
+ echo "${packageInfo#* }_${1#*_}" || \
+ echo "${packageInfo#* }"
+ else
+ echo "$1"
+ fi
+}
+
+start_rules() {
+ # ip rule, ip route
+ ip rule add fwmark 0x1234 lookup 1234
+ ip route add default dev $TunDev table 1234
+ # 防跳
+ iptables -t mangle -N TUN_MARK
+ allow_ip="0/8,127/8,10/8,192.168/16,224/3,169.254/16,100.64/10,172.16/12"
+ #allow_ip="0.0.0.0/8,100.64.0.0/10,127.0.0.0/8,169.254.0.0/16,192.0.0.0/24,192.0.2.0/24,192.88.99.0/24,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,172.16.0.0/12,192.168.0.0/16,10.0.0.0/8,224.0.0.0/3"
+
+ iptables -t mangle -A TUN_MARK -d $allow_ip -j ACCEPT
+
+ iptables -t mangle -N man_OUT
+ iptables -t mangle -N man_PRE
+
+ # OUTPUT 本机规则
+ iptables -t mangle -A man_OUT -j TUN_MARK
+ iptables -t mangle -A man_OUT -m owner --gid-owner 2222 -j ACCEPT
+ iptables -t mangle -A man_OUT -o lo -j ACCEPT
+ iptables -t mangle -A man_OUT -o tun+ -j ACCEPT
+ [ "$wifiProxy" = "1" ] || iptables -t mangle -A man_OUT -o wlan+ -j ACCEPT
+ [ "$mudp" = "0" ] && iptables -t mangle -A man_OUT -p udp -j DROP
+ [ "$mudp" = "2" ] && iptables -t mangle -A man_OUT -p udp -j ACCEPT
+ iptables -t mangle -A man_OUT -j MARK --set-xmark 0x1234
+ iptables -t mangle -I OUTPUT -j man_OUT
+ # PREROUTING 共享规则
+ iptables -t mangle -A man_PRE -j TUN_MARK
+ [ "$mudp" = "0" ] && iptables -t mangle -A man_PRE -p udp -j DROP
+ [ "$mudp" = "2" ] && iptables -t mangle -A man_PRE -p udp -j ACCEPT
+ iptables -t mangle -A man_PRE -s 192.168/16 -j MARK --set-xmark 0x1234
+ iptables -t mangle -I PREROUTING -j man_PRE
+
+ iptables -N CFF
+ iptables -A CFF -i $TunDev -j ACCEPT
+ iptables -A CFF -o $TunDev -j ACCEPT
+ iptables -I FORWARD -j CFF
+
+ # IPV6禁网
+ if [ "$denyIPV6" == 1 ]; then
+ ip6tables -t mangle -A OUTPUT ! -p tcp -m owner --uid 0 -j ACCEPT
+ ip6tables -t mangle -A OUTPUT ! -o wlan+ -j MARK --set-mark 0x1122
+ ip6tables -t mangle -A PREROUTING ! -i tun+ -j MARK --set-mark 0x1122
+ ip -6 rule add fwmark 0x1122 unreachable
+ fi
+
+ # 本地UDP放行
+ for app in $allowAppsUDP; do
+ uid=`get_package_uid $app` || continue
+ iptables -t mangle -I man_OUT -p udp -m owner --uid ${uid%_*} `echo $uid|grep -q '_' && echo "-m multiport --dport ${uid#*_}"` -j ACCEPT
+ done
+ # 本地TCP放行
+ for app in $allowAppsTCP; do
+ uid=`get_package_uid $app` || continue
+ iptables -t mangle -I man_OUT -p tcp -m owner --uid ${uid%_*} `echo $uid|grep -q '_' && echo "-m multiport --dport ${uid#*_}"` -j ACCEPT
+ done
+ # 本地全局放行
+ for app in $allowApps; do
+ uid=`get_package_uid $app` || continue
+ iptables -t mangle -I man_OUT -m owner --uid $uid -j ACCEPT
+ done
+ # 端口放行
+ [ "$allowTcpPorts" != "" ] && iptables -t mangle -I man_OUT -p tcp -m multiport --dports $allowTcpPorts -j ACCEPT
+ [ "$allowUdpPorts" != "" ] && iptables -t mangle -I man_OUT -p udp -m multiport --dports $allowUdpPorts -j ACCEPT
+ # 共享端口放行
+ [ "$allowShareTcpPorts" != "" ] && iptables -t mangle -I man_PRE -p tcp -m multiport --dports $allowShareTcpPorts -j ACCEPT
+ [ "$allowShareUdpPorts" != "" ] && iptables -t mangle -I man_PRE -p udp -m multiport --dports $allowShareUdpPorts -j ACCEPT
+}
+
+get_ip() {
+ server=${addr%:*}
+ if echo $server | grep -q [a-zA-Z]; then
+ ip=`busybox wget -q -T1 -O- http://119.29.29.29/d?dn=$server | busybox cut -d';' -f1`
+ echo $ip | grep -q '\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}' || ip=""
+ if [ -z "$ip" ]; then
+ ip=`ping -c1 -w1 -W1 $server | grep 'PING' | busybox cut -d'(' -f2 | busybox cut -d')' -f1`
+ [ -z "$ip" ] && echo "解析IP失败!($server)" && exit 1
+ fi
+ else
+ ip=$server
+ fi
+ addr=$ip:${addr#*:}
+}
+
+data_control() {
+ if [ "$netstat" != "$1" -a "$kgwl" = "1" ]; then
+ wifiip=$(ip addr show wlan0 2>&- | grep 'inet')
+ if [ "$wifiip" = "" ]; then
+ [ "$1" = "y" ] && svc data enable && sleep 0.3
+ [ "$1" = "n" ] && svc data disable
+ netstat="$1"
+ fi
+ fi
+}
+
+make_config() {
+echo 'tcp::Global {
+ timeout = 60;
+}
+
+dns::Global {
+ cachePath = /dev/null;
+}
+
+httpMod::clns_https_request {
+ del_line = host;' > bin/clnc.conf
+if [ "$method" == "GET" -o "$method" == "POST" ]; then
+echo -E ' //伪装成GET,POST,必须包含ClnsProxyType: TUNNEL_PROXY
+ set_first = "'$method' '$path' [V]\r\nHost: '$host'\r\n'$clnchead': [H]\r\nClnsProxyType: TUNNEL_PROXY\r\n";' >> bin/clnc.conf
+fi
+if [ "$method" == "CONNECT" ]; then
+echo -E ' //伪装成CONNECT,只有CONNECT不需要ClnsProxyType: TUNNEL_PROXY
+ set_first = "CONNECT '$path' [V]\r\nHost: '$host'\r\n'$clnchead': [H]\r\n";' >> bin/clnc.conf
+fi
+if [ "$method" == "WS" -o "$method" == "ws" ]; then
+echo -E ' //伪装成WS,必须包含ClnsProxyType: TUNNEL_PROXY
+ set_first = "GET /ws HTTP/1.1\r\nHost: '$host'\r\n'$clnchead': [H]\r\nConnection: Upgrade\r\nSec-WebSocket-Key: Cute Linux Network\r\nSec-WebSocket-Version: 13\r\nUpgrade: websocket\r\nOrigin: http://'$host'/\r\nClnsProxyType: TUNNEL_PROXY\r\n";'>> bin/clnc.conf
+fi
+echo '}
+
+tcpProxy::https_proxy {
+ destAddr = '$addr';
+ tunnel_encrypt = '$clncpwd';
+ tunnel_proxy = on;
+ tunnelHttpMod = clns_https_request;
+}
+
+tcpAcl::firstConnect {
+ tcpProxy = https_proxy;
+ matchMode = firstMatch;
+ dst_port != 0;
+}
+
+dnsAcl {
+ destaddr = '$addr';
+ header_host = '$DNS':53;
+ lookup_mode = tcpDNS;
+ tunnel_encrypt = '$clncpwd';
+ tunnelHttpMod = clns_https_request;
+ tunnel_proxy = on;
+}
+
+httpUDP::udp {
+ header_host = '$host';
+ destAddr = '$addr';
+ encrypt = '$clncpwd';
+ udp_flag = '$udpflag';
+ httpMod = clns_https_request;
+}
+
+Tun {
+ tunAddr4 = 10.0.0.10;
+ //tunAddr6 = fc00::1;
+ tunMtu = 1500;
+ tunDevice = '$TunDev';
+}
+' >> bin/clnc.conf
+}
+
+save_running_info() {
+ echo xaddr=$addr >> bin/info
+ echo xpath=$path >> bin/info
+ echo xhost=$host >> bin/info
+ echo xfile=$file >> bin/info
+}
+
+start_server() {
+ rm -f bin/info
+ save_running_info
+ chmod 777 bin/*
+ ulimit -n 65535
+ create_tun
+ clnc -c bin/clnc.conf -g 2222
+}
+
+clear_files() {
+ rm -f confs/*.bak bin/*.bak #bin/*.conf
+}
+
+status_check() {
+ ip addr | grep global | grep -E '[1-9]{1,3}[0-9]{0,2}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | \
+ while read line
+ do
+ [ -z "$line" ] && break
+ typeset -L17 netcard=${line##* }
+ IP=${line%%/*}
+ echo "$netcard${IP##* }"
+ done
+ echo
+ [ -n "$IP" ] && echo
+ echo -n "✺ Core: "
+ busybox pidof "clnc" >/dev/null && echo -n "✔clnc " || echo -n "✘clnc "
+
+ echo
+ [ -n "`busybox pidof clnc`" -a -f "bin/info" ] && . bin/info || rm -f bin/info
+ [ -f "bin/info" ] && echo
+ [ -n "$xfile" ] && echo "✺ 已加载配置文件: $xfile"
+ [ -n "$xaddr" ] && echo "✺ Addr: $xaddr"
+ [ -n "$xpath" ] && echo "✺ Path: $xpath"
+ [ -n "$xhost" ] && echo "✺ Host: $xhost"
+
+ type iptables | grep -q "function" && unset -f iptables
+ echo ""
+ echo ✺ mangle表 TUN_MARK链:
+ iptables -t mangle -S TUN_MARK 2>&-
+ echo ""
+ echo ✺ mangle表 man_OUT链:
+ iptables -t mangle -S 2>&- | grep man_OUT
+ echo ""
+ echo ✺ mangle表 man_PRE链:
+ iptables -t mangle -S 2>&- | grep man_PRE
+}
+
+main() {
+ if [ "$1" = "stop" ]; then
+ rm -f bin/info 2>&-
+ clear_rules 2>&-
+ sleep 0.1
+ elif [ -z "$1" -o "$1" = "start" ]; then
+ clear_rules 2>&-
+ get_ip
+ make_config
+ start_server
+ start_rules 2>&-
+ data_control n
+ data_control y
+ fi
+ status_check
+ clear_files
+}
+
+main $1
\ No newline at end of file
diff --git a/clnc-tun/config.ini b/clnc-tun/config.ini
new file mode 100644
index 0000000..f65ee9a
--- /dev/null
+++ b/clnc-tun/config.ini
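Review bot: get_ip trusts a plaintext HTTP lookup for the tunnel endpoint: `busybox wget -q -T1 -O- http://119.29.29.29/d?dn=$server` is unauthenticated, and the check that follows, `echo $ip | grep -q '\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}'`, is an unanchored presence test, so a reply whose first `;`-field merely contains a dotted quad passes and that whole field (not the matched address) ends up in `addr=$ip:${addr#*:}` and from there in clnc.conf's `destAddr`. Anyone on the path to that resolver can therefore choose where the tunnel connects; whether `tunnel_encrypt` authenticates the far end is not visible in this patch, so that is the mitigation to confirm. Extracting instead of testing, `ip=$(printf '%s' "$ip" | busybox grep -oE '^([0-9]{1,3}\.){3}[0-9]{1,3}$')`, at least rejects anything that is not exactly one IPv4 address, and `$server` should be quoted both in the URL and in the `ping -c1 -w1 -W1 $server` fallback, since it comes straight from confs/*.ini. The same function is present unchanged in clncs.bin.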
@@ -0,0 +1,43 @@
+#配置文件(confs里,不需要后缀名)
+file=1
+
+#防跳选择(修改前请先关闭防跳)
+#clnct:全部流量都由tun处理
+#clncs:仅udp流量由tun处理
+exec=clncs
+
+#执行脚本是否开关网络(0=关闭,1=开启)
+kgwl=0
+
+#是否使用tun(0=关闭,1=开启)
+#不支持TPROXY的手机会强制开启,无需设置
+#防跳选择clnct不需要设置
+useTun=0
+
+#WiFi代理(1代理)
+wifiProxy=0
+
+#==== 本机放行设置 ====#
+#应用UDP放行, uid/包名[_指定放行端口(多个,隔开) 默认全部端口] (多个使用空格隔开)
+#格式:allowAppsUDP="8080 10025_8000 com.tencent.mtt_80,8080 com.tencent.mtt"
+allowAppsUDP=""
+
+#应用TCP放行(格式同上)
+allowAppsTCP=""
+
+#应用全局放行(填uid或包名)
+allowApps=""
+
+#UDP端口放行(多个使用逗号(,)隔开)
+#端口范围使用:隔开,如0:65535,为放行全部端口
+allowUdpPorts=""
+
+#TCP端口放行(同上)
+allowTcpPorts=""
+
+#==== 共享放行设置 ====#
+#共享UDP端口放行(同上)
+allowShareUdpPorts=""
+
+#共享TCP端口放行(同上)
+allowShareTcpPorts=""
\ No newline at end of file
diff --git a/clnc-tun/confs/1.ini b/clnc-tun/confs/1.ini
new file mode 100644
index 0000000..394cb7a
--- /dev/null
+++ b/clnc-tun/confs/1.ini
@@ -0,0 +1,23 @@
+#服务器地址
+addr="5.5.5.5:80"
+
+#clnc加密设置
+clncpwd="123456"
+
+#clnc代理头域
+clnchead="Meng"
+
+#UDP标识(一般不用改)
+udpflag="httpUDP"
+
+#请求方法(为WS,GET,POST,CONNECT等)
+method="GET"
+
+#path
+path="/"
+
+#免流Host
+host="m.baidu.com"
+
+#DNS设置(留空放行)
+DNS="223.5.5.5"
\ No newline at end of file
diff --git "a/clnc-tun/\345\205\263\351\227\255.sh" "b/clnc-tun/\345\205\263\351\227\255.sh"
new file mode 100644
index 0000000..cef5e1d
--- /dev/null
+++ "b/clnc-tun/\345\205\263\351\227\255.sh"
@@ -0,0 +1,4 @@
+cd ${0%/*}
+chmod -R 777 .
+. ./config.ini
+./bin/"$exec".bin stop
\ No newline at end of file
diff --git "a/clnc-tun/\345\274\200\345\220\257.sh" "b/clnc-tun/\345\274\200\345\220\257.sh"
new file mode 100644
index 0000000..bbeac91
--- /dev/null
+++ "b/clnc-tun/\345\274\200\345\220\257.sh"
@@ -0,0 +1,4 @@
+cd ${0%/*}
+chmod -R 777 .
+. ./config.ini
+./bin/"$exec".bin start
\ No newline at end of file
diff --git "a/clnc-tun/\346\243\200\346\265\213.sh" "b/clnc-tun/\346\243\200\346\265\213.sh"
new file mode 100644
index 0000000..2805479
--- /dev/null
+++ "b/clnc-tun/\346\243\200\346\265\213.sh"
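Review bot: `chmod -R 777 .` in 关闭.sh (repeated in 开启.sh and 检测.sh) makes every file in the tree world-writable — config.ini and confs/1.ini, which the next two lines source as shell, the `clncpwd` secret inside 1.ini, and the bin/*.bin scripts and binaries they execute — immediately before `./bin/"$exec".bin` runs with whatever privilege is needed for its iptables and ip calls, so any other local process that can write to that directory decides what that script does. Execute permission is all the launchers need, e.g. `chmod -R 755 .` with `chmod 600 confs/*.ini` for the secrets, or no chmod at all once the files are installed with sane modes. `cd ${0%/*}` should also be `cd "${0%/*}"`, otherwise a path containing spaces leaves the script running in the wrong directory before it sources config.ini. 检测.sh passes `check`, which `main` in clncs.bin and clnct.bin never tests for; it works only because neither the `stop` nor the `start` branch matches and control falls through to status_check, so a comment there or an explicit `check` case would make that intent visible.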
@@ -0,0 +1,4 @@
+cd ${0%/*}
+chmod -R 777 .
+. ./config.ini
+./bin/"$exec".bin check
\ No newline at end of file