From a93c50e81011c2fc66b007ad2c998bccdacbaa8b Mon Sep 17 00:00:00 2001
From: yumoqing <yumoqing@gmail.com>
Date: Mon, 1 Dec 2025 22:40:58 +0800
Subject: [PATCH] bugfix

---
 README.md                      |   3 +
 scripts/gateway.sh.j2          |  39 ++++++++-
 scripts/gfw_rules_generator.py |   2 +-
 scripts/redsocks.sh.j2         | 151 +++++++++++++++++++++++++++++++++
 4 files changed, 193 insertions(+), 2 deletions(-)
 create mode 100755 scripts/redsocks.sh.j2

diff --git a/README.md b/README.md
index 94857f3..9186756 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,8 @@
 # softroute
 
+## 依赖
+* [redsocks2](https://github.com/kaizushi/redsocks2)
+* [dnsmasq](https://github.com/poseidon/dnsmasq.git)
 ## 物理机软路由环境
 
 ### 实现的能力：
diff --git a/scripts/gateway.sh.j2 b/scripts/gateway.sh.j2
index 4d1e637..d65a7cb 100644
--- a/scripts/gateway.sh.j2
+++ b/scripts/gateway.sh.j2
@@ -81,9 +81,14 @@ sudo systemctl disable systemd-resolved
 sudo rm /etc/resolv.conf
 # 创建新的 resolv.conf 文件，将本机地址作为唯一的 DNS 服务器
 echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf > /dev/null
+sudo mkdir -p --mode=0755 /usr/share/keyrings
+curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg > /dev/null
+
+cat <<EOF | sudo tee /etc/apt/sources.list.d/cloudflared.list>/dev/null
+deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared jammy main
+EOF
 
 log_info "开始网关主机配置脚本..."
-
 log_info "更新系统软件包列表..."
 sudo apt update || log_error "apt update 失败。"
 
@@ -96,6 +101,7 @@ install_package iptables-persistent
 install_package ipset
 install_package dnsmasq
 install_package redsocks
+install_package cloudflared
 install_package git
 install_package python3-pip
 install_package isc-dhcp-server # 新增 DHCP 服务器安装
@@ -217,6 +223,31 @@ if ! ss -tnlp | grep ":${LOCAL_SOCKS5_PORT}" &>/dev/null; then
 fi
 log_info "SSH SOCKS5 代理已通过 Systemd 启动，并在 127.0.0.1:${LOCAL_SOCKS5_PORT} 监听，支持自动重连。"
 
+cat <<EOF | sudo tee /etc/systemd/system/cloudflared-dns.service || log_warn "创建systemd DNS服务，端口53053"
+[Unit]
+Description=cloudflared DNS-over-HTTPS proxy
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/cloudflared proxy-dns \
+  --address 127.0.0.1 \
+  --port 53053 \
+  --upstream https://1.1.1.1/dns-query \
+  --upstream https://1.0.0.1/dns-query \
+  --upstream https://8.8.8.8/dns-query \
+  --upstream https://8.8.4.4/dns-query
+
+Restart=on-failure
+User=nobody
+
+[Install]
+WantedBy=multi-user.target
+EOF
+sudo systemctl daemon-reload
+sudo systemctl enable --now cloudflared-dns
+sudo systemctl status cloudflared-dns
+
 # ==============================================================================
 # 4. 配置 redsocks (透明 SOCKS5 代理) (请替换为以下修正代码！)
 # ==============================================================================
@@ -266,6 +297,9 @@ listen-address=${DNSMASQ_LISTEN_IP},127.0.0.1
 no-resolv
 no-poll
 
+# 将国外 DNS 指向 cloudflared（永不污染）
+server=127.0.0.1#53053
+
 # 国内域名直连公共DNS
 server={{ domestic_dns1 }}
 server={{ domestic_dns2 }}
@@ -343,6 +377,9 @@ sudo iptables -t nat -X
 sudo iptables -t mangle -F
 sudo iptables -t mangle -X
 
+sudo iptables -I INPUT -p udp --dport 5353 -j ACCEPT
+sudo iptables -I INPUT -p tcp --dport 5353 -j ACCEPT
+
 # 1. 开启 NAT (使内网访问外网)
 sudo iptables -t nat -A POSTROUTING -o {{ wan_interface }} -j MASQUERADE
 log_info "已配置 NAT 规则。"
diff --git a/scripts/gfw_rules_generator.py b/scripts/gfw_rules_generator.py
index 8d92cad..52ca0da 100644
--- a/scripts/gfw_rules_generator.py
+++ b/scripts/gfw_rules_generator.py
@@ -78,7 +78,7 @@ def generate_rules(proxy_server, foreign_dns_list, domestic_dns_list, ipset_name
 	# 代理的上游 DNS (只使用提供的第一个国外 DNS)
 	primary_foreign_dns = foreign_dns_list[0]
 	proxy_port = proxy_server.split(':')[1]
-	proxy_dns_server = f"{primary_foreign_dns}#53" 
+	proxy_dns_server = "127.0.0.1#53053" 
 
 	try:
 		with open(dnsmasq_conf_path, 'w') as f:
diff --git a/scripts/redsocks.sh.j2 b/scripts/redsocks.sh.j2
new file mode 100755
index 0000000..f92690f
--- /dev/null
+++ b/scripts/redsocks.sh.j2
@@ -0,0 +1,151 @@
+#!/bin/bash
+# ==========================================================
+# 192.168.16.2 一键网关 + 透明代理（国外 IP 走 socks5）
+# 仅支持 redsocks（带 UDP 转发）+ ipset 动态分流
+# ==========================================================
+set -euo pipefail
+
+############################ 用户只需改下面 3 行 ##############################
+LAN_IF="eth0"                 # 接内网的接口（192.168.16.0/24）
+SOCKS_IP=""47.236.181.229            # 你的 socks5 境外 IP
+SOCKS_PORT="1086"            # 你的 socks5 端口
+#############################################################################
+
+REDSOCKS_BIN=/usr/local/bin/redsocks2
+REDSOCKS_CONF=/etc/redsocks.conf
+LAN_NET="192.168.16.0/24"
+
+# ---------- 0. 检测 root ----------
+[[ $EUID -ne 0 ]] && { echo "请 root 运行"; exit 1; }
+
+# ---------- 1. 装依赖 ----------
+echo "==> 1. 安装依赖"
+if command -v apt &>/dev/null; then
+    apt update -y
+    apt install -y git gcc make libevent-dev iptables ipset curl
+elif command -v yum &>/dev/null; then
+    yum install -y git gcc make libevent-devel iptables ipset curl
+else
+    echo "仅支持 apt/yum 系"; exit 1
+fi
+
+# ---------- 3. 写 redsocks 配置 ----------
+cat > $REDSOCKS_CONF <<EOF
+base {
+    log_debug = off;
+    log_info  = on;
+    log = syslog;
+    daemon = on;
+    redirector = iptables;
+}
+redsocks {
+    local_ip   = 0.0.0.0;
+    local_port = 61086;
+    ip         = $SOCKS_IP;
+    port       = $SOCKS_PORT;
+    type       = socks5;
+    autoproxy  = 0;
+}
+redudp {
+    local_ip   = 0.0.0.0;
+    local_port = 61086;
+    ip         = $SOCKS_IP;
+    port       = $SOCKS_PORT;
+    type       = socks5;
+    udp_timeout = 30;
+}
+EOF
+
+# ---------- 4. 建 ipset 国外 IP 集合 ----------
+echo "==> 3. 创建 ipset 国外 IP 集合"
+modprobe xt_set 2>/dev/null || true
+ipset create oversea hash:net maxelem 65536 2>/dev/null || true
+
+# 懒人方案：直接拉 chnroute 反向列表（国外 IP）
+echo "    下载 chnroute 反向列表…"
+cat /d/ymq/data/ip_list.txt | \
+  sed 's/^/-A oversea /' | ipset restore -! 2>/dev/null || {
+    echo "    下载失败，改用静态默认全网国外(0.0.0.0/1+128.0.0.0/1)"
+    ipset add oversea 0.0.0.0/1
+    ipset add oversea 128.0.0.0/1
+}
+
+# ---------- 5. 打开内核转发 ----------
+echo "==> 4. 打开内核转发"
+sysctl -w net.ipv4.ip_forward=1
+grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf && \
+  sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf || \
+  echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
+
+# ---------- 6. 写 iptables 规则 ----------
+echo "==> 5. 配置 iptables"
+# 清理旧链（可重复执行）
+iptables -t nat -F REDSOCKS2 2>/dev/null || iptables -t nat -N REDSOCKS2
+iptables -t mangle -F REDSOCKS2 2>/dev/null || iptables -t mangle -N REDSOCKS2
+
+# 忽略代理自身 →  socks5 的流量
+iptables -t nat -A REDSOCKS2 -d $SOCKS_IP -j RETURN
+# 忽略局域网
+iptables -t nat -A REDSOCKS2 -d 192.168.0.0/16 -j RETURN
+iptables -t nat -A REDSOCKS2 -d 10.0.0.0/8   -j RETURN
+iptables -t nat -A REDSOCKS2 -d 172.16.0.0/12 -j RETURN
+# 忽略回环
+iptables -t nat -A REDSOCKS2 -d 127.0.0.0/8  -j RETURN
+
+# 对国外 IP 重定向到 redsocks 61086
+iptables -t nat -A REDSOCKS2 -m set --match-set oversea dst -p tcp \
+  -j REDIRECT --to-ports 61086
+
+# 桥接到 PREROUTING（转发） 和 OUTPUT（本机）
+iptables -t nat -A PREROUTING -i $LAN_IF -j REDSOCKS2
+iptables -t nat -A OUTPUT -j REDSOCKS2
+
+# UDP 透明（TPROXY）
+iptables -t mangle -A REDSOCKS2 -m set --match-set oversea dst -p udp \
+  -j TPROXY --on-port 61086 --on-ip 0.0.0.0 --tproxy-mark 0x29a
+iptables -t mangle -A PREROUTING -i $LAN_IF -j REDSOCKS2
+# 让被打标记的包走本地转发
+ip rule add fwmark 0x29a lookup 100 2>/dev/null || true
+ip route add local default dev lo table 100 2>/dev/null || true
+
+# NAT 普通国内流量
+iptables -t nat -A POSTROUTING -s $LAN_NET -o $LAN_IF -j MASQUERADE
+
+# ---------- 7. 启动 redsocks ----------
+echo "==> 6. 启动 redsocks 并设置开机自启"
+cat > /etc/systemd/system/redsocks.service <<EOF
+[Unit]
+Description=redsocks transparent proxy
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=$REDSOCKS_BIN -c $REDSOCKS_CONF
+Restart=always
+LimitNOFILE=65535
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl daemon-reload
+systemctl enable --now redsocks
+systemctl status redsocks --no-pager
+
+# ---------- 8. 保存 iptables ----------
+echo "==> 7. 保存 iptables 规则"
+if command -v netfilter-persistent &>/dev/null; then
+    netfilter-persistent save
+elif command -v iptables-save &>/dev/null; then
+    iptables-save > /etc/iptables.rules
+    grep -q 'iptables-restore' /etc/rc.local || \
+      echo "iptables-restore < /etc/iptables.rules" >> /etc/rc.local
+fi
+
+echo
+echo "================  部署完成  ================"
+echo "网关地址：192.168.16.2   掩码：255.255.255.0"
+echo "DHCP 或手动指定网关/DNS 为 192.168.16.2 即可上网"
+echo "国外 IP 流量已自动走 socks5 $SOCKS_IP:$SOCKS_PORT"
+echo "查看状态：systemctl status redsocks"
+echo "================================================"
+