From e07f52d575eb78b0bd3b1c08d70fe117ca557898 Mon Sep 17 00:00:00 2001
From: yumoqing
Date: Tue, 2 Dec 2025 00:10:47 +0800
Subject: [PATCH] bugfix
---
 gateway/00_env.sh | 27 +++++++++++++++++
 gateway/10_dhcp_dns.sh | 32 ++++++++++++++++++++
 gateway/20_nat_forward.sh | 11 +++++++
 gateway/30_chnroute.sh | 43 ++++++++++++++++++++++++++
 gateway/40_redsocks.sh | 58 ++++++++++++++++++++++++++++++++++++
 gateway/50_dns_over_proxy.sh | 23 ++++++++++++++
 gateway/60_iptables_rules.sh | 15 ++++++++++
 gateway/90_status.sh | 21 +++++++++++++
 gateway/README.md | 53 ++++++++++++++++++++++++++++++++
 gateway/uninstall.sh | 17 +++++++++++
 scripts/redsocks.sh.j2 | 7 +++--
 11 files changed, 304 insertions(+), 3 deletions(-)
 create mode 100755 gateway/00_env.sh
 create mode 100755 gateway/10_dhcp_dns.sh
 create mode 100755 gateway/20_nat_forward.sh
 create mode 100755 gateway/30_chnroute.sh
 create mode 100755 gateway/40_redsocks.sh
 create mode 100755 gateway/50_dns_over_proxy.sh
 create mode 100755 gateway/60_iptables_rules.sh
 create mode 100755 gateway/90_status.sh
 create mode 100644 gateway/README.md
 create mode 100755 gateway/uninstall.sh
diff --git a/gateway/00_env.sh b/gateway/00_env.sh
new file mode 100755
index 0000000..de686f1
--- /dev/null
+++ b/gateway/00_env.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# 全局环境变量
+WAN_IF="eno1"
+LAN_IF="enx00e04c6800ae"
+LAN_NET="192.168.2.0/24"
+LAN_GW="192.168.2.1"
+
+SOCKS5_SERVER="127.0.0.1"
+SOCKS5_PORT="1080"
+REDSOCKS_PORT="12345"
+REDSOCKS_DNS_PORT="5353"
+
+CHNROUTE_URLS=(
+ "https://raw.githubusercontent.com/17mon/china_ip_list/master/china_ip_list.txt"
+ "https://raw.githubusercontent.com/ruijzhan/chnroute/master/chnroute.txt"
+)
+
+DNSMASQ_CHINA_URL="https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/accelerated-domains.china"
+
+CHINA_DNS1="223.5.5.5"
+CHINA_DNS2="119.29.29.29"
+FOREIGN_DNS1="8.8.8.8"
+FOREIGN_DNS2="1.1.1.1"
+
+IPSET_FILE="/etc/ipset/chnroute.ipset"
+CHN_FILE="/etc/chnroute.list"
+DNSMASQ_CHINA_FILE="/etc/dnsmasq.d/china-domains.conf"
diff --git a/gateway/10_dhcp_dns.sh b/gateway/10_dhcp_dns.sh
new file mode 100755
index 0000000..c5f2657
--- /dev/null
+++ b/gateway/10_dhcp_dns.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+source ./00_env.sh
+set -euo pipefail
+
+if [[ $EUID -ne 0 ]]; then echo "请用 root/sudo 运行"; exit 1; fi
+
+apt update
+apt install -y dnsmasq ipset curl || true
+
+cat >/etc/dnsmasq.d/lan.conf < "$DNSMASQ_CHINA_FILE"
+while IFS= read -r domain; do
+ [[ -z "$domain" || "$domain" =~ ^# ]] && continue
+ d=$(echo "$domain" | awk '{print $1}')
+ echo "server=/$d/$CHINA_DNS1" >> "$DNSMASQ_CHINA_FILE"
+ echo "server=/$d/$CHINA_DNS2" >> "$DNSMASQ_CHINA_FILE"
+done < /tmp/accelerated.domains
+
+systemctl restart dnsmasq || true
+systemctl enable dnsmasq || true
+
+echo "DHCP + 国内 DNS 配置完成"
diff --git a/gateway/20_nat_forward.sh b/gateway/20_nat_forward.sh
new file mode 100755
index 0000000..6806f41
--- /dev/null
+++ b/gateway/20_nat_forward.sh
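Review bot: `done < /tmp/accelerated.domains` reads a fixed, predictable path in a world-writable directory while the script runs as root, so anyone who can pre-create that file (or a symlink there) ahead of the download decides which `server=` lines end up in dnsmasq; the same pattern appears with `/tmp/chn.tmp` in 30_chnroute.sh and the `cd /tmp` / `git clone` in the 40_redsocks.sh fragment. Use a private temp file instead, `list=$(mktemp) || exit 1` with `trap 'rm -f -- "$list"' EXIT`, and download into `"$list"`. Separately, `source ./00_env.sh` is a cwd-relative path placed before `set -euo pipefail`, so running the script from any other directory does not stop at the failed source but at the first `set -u` expansion later on; putting `set -euo pipefail` first and then `source "$(dirname "$0")/00_env.sh"` fixes this here and in 20_, 30_, 90_ and uninstall.sh. The `d=$(echo "$domain" | awk '{print $1}')` loop forks twice per domain and reopens the output file twice per line; the whole loop collapses to `awk -v d1="$CHINA_DNS1" -v d2="$CHINA_DNS2" '!/^#/ && NF { printf "server=/%s/%s\nserver=/%s/%s\n", $1, d1, $1, d2 }' "$list" > "$DNSMASQ_CHINA_FILE"`. The heredoc after `cat >/etc/dnsmasq.d/lan.conf` and the download step itself appear to be missing from this rendering, so that part of the file is not reviewed.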
@@ -0,0 +1,11 @@
+#!/bin/bash
+source ./00_env.sh
+set -euo pipefail
+
+echo 1 > /proc/sys/net/ipv4/ip_forward
+grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
+
+iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
+netfilter-persistent save || true
+
+echo "NAT 出口 + IP 转发配置完成"
diff --git a/gateway/30_chnroute.sh b/gateway/30_chnroute.sh
new file mode 100755
index 0000000..563024c
--- /dev/null
+++ b/gateway/30_chnroute.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+source ./00_env.sh
+set -euo pipefail
+
+apt install -y ipset || true
+mkdir -p /etc/ipset
+
+rm -f "$CHN_FILE"
+for url in "${CHNROUTE_URLS[@]}"; do
+ curl -fsSL "$url" -o /tmp/chn.tmp && grep -E '^[0-9]' /tmp/chn.tmp | sed 's/\r//g' > "$CHN_FILE" && break
+done
+
+ipset list chnroute -n &>/dev/null && ipset flush chnroute && ipset destroy chnroute || true
+ipset create chnroute hash:net family inet maxelem 65536 || true
+
+for net in 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16; do
+ ipset add chnroute $net || true
+done
+
+while IFS= read -r line; do
+ [[ -z "$line" || "$line" =~ ^# ]] && continue
+ ipset add chnroute "$line" || true
+done < "$CHN_FILE"
+
+ipset save > "$IPSET_FILE"
+
+cat >/etc/systemd/system/ipset-load.service </dev/null 2>&1; then
+ cd /tmp
+ git clone https://github.com/semigodking/redsocks.git
+ cd redsocks
+ make
+ cp redsocks /usr/sbin/redsocks
+fi
+
+cat >/etc/redsocks.conf </etc/systemd/system/redsocks.service </etc/systemd/system/redsocks-dns.service </dev/null || true
+iptables -t nat -N REDSOCKS
+
+iptables -t nat -A REDSOCKS -m set --match-set chnroute dst -j RETURN
+iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT
+iptables -t nat -A PREROUTING -s $LAN_NET -p tcp -j REDSOCKS
+iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
+
+netfilter-persistent save || true
+echo "iptables 分流规则已应用"
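Review bot: The `iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE` line is appended without checking for an existing copy, and the fragment of 60_iptables_rules.sh visible later on this line appends the identical rule again, so every install or re-run adds another MASQUERADE entry to the ruleset that `netfilter-persistent save` then persists. Make the add idempotent, `iptables -t nat -C POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE`, and let only one of the two scripts own that rule. `$LAN_NET` and `$WAN_IF` are unquoted in every iptables call in this patch; quoting them makes an empty value from 00_env.sh fail as an iptables argument error rather than being word-split into a differently shaped rule. `echo 1 > /proc/sys/net/ipv4/ip_forward` plus the sysctl.conf grep works, but `sysctl -w net.ipv4.ip_forward=1` with a drop-in under /etc/sysctl.d is the conventional form and survives a package replacing sysctl.conf.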
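Review bot: A failed download is not detected before the live set is replaced: `rm -f "$CHN_FILE"` has already deleted the previous list, the existing `chnroute` set is then flushed and destroyed, and the script only aborts at `done < "$CHN_FILE"`, leaving a set that holds nothing but the private ranges until the next successful run. Add a check after the download loop, before the `ipset list chnroute -n` line: `[[ -s "$CHN_FILE" ]] || { echo "chnroute: no list could be downloaded" >&2; exit 1; }`, and consider filling a temporary set and exchanging it with `ipset swap` so the old set stays in place throughout. This set is the bypass list for the REDSOCKS chain (`-m set --match-set chnroute dst -j RETURN` in the 60_iptables_rules.sh fragment), so a comment above `ipset create chnroute` should say that every prefix in it is routed directly and that its contents are therefore exactly as trustworthy as the two upstream lists fetched over TLS with no further integrity check; logging the entry count on each run makes a sudden change visible. The ipset-load.service heredoc and the remainder of this file appear to have been lost in this rendering, so the tail of the hunk is not reviewed.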
diff --git a/gateway/90_status.sh b/gateway/90_status.sh
new file mode 100755
index 0000000..aa2b00a
--- /dev/null
+++ b/gateway/90_status.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+source ./00_env.sh
+set -euo pipefail
+
+echo "=== ipset 状态 ==="
+ipset list chnroute
+
+echo "=== iptables NAT 状态 ==="
+iptables -t nat -L -n -v --line-numbers
+
+echo "=== redsocks 状态 ==="
+systemctl status redsocks
+
+echo "=== dnsmasq 状态 ==="
+systemctl status dnsmasq
+
+echo "=== 测试国内解析 ==="
+dig @127.0.0.1 www.baidu.com
+
+echo "=== 测试国外解析 ==="
+dig @127.0.0.1 www.google.com
diff --git a/gateway/README.md b/gateway/README.md
new file mode 100644
index 0000000..e3cd019
--- /dev/null
+++ b/gateway/README.md
@@ -0,0 +1,53 @@
+
+### 脚本功能说明
+
+- **00_env.sh**
+ - 配置 WAN / LAN 网卡名、下层网段、SOCKS5 地址与端口、CHNROUTE 地址等。
+
+- **10_dhcp_dns.sh**
+ - 安装 dnsmasq
+ - 下层 DHCP 分配 IP
+ - 国内域名直连 DNS 配置,提升国内访问速度
+
+- **20_nat_forward.sh**
+ - 开启 IPv4 转发
+ - 配置 NAT 出口,允许下层网络访问上层网络
+
+- **30_chnroute.sh**
+ - 下载最新 CHNROUTE 国内 IP 列表
+ - 创建 ipset `chnroute`
+ - 添加私有网段和国内 IP,用于国内外分流
+
+- **40_redsocks.sh**
+ - 安装 redsocks2
+ - 配置透明代理,将 TCP 流量重定向到 SOCKS5 代理
+ - 启动 systemd 服务,自动运行
+
+- **50_dns_over_proxy.sh**
+ - 将国外 DNS 查询通过 redsocks2 转发,防止 DNS 污染
+ - 启动 systemd 服务,开机自启
+
+- **60_iptables_rules.sh**
+ - 设置 iptables NAT 链和 REDSOCKS 链
+ - 国内 IP 直连,国外 TCP 流量重定向到 redsocks2
+ - 配合 CHNROUTE ipset 使用,实现国内外分流
+
+- **90_status.sh**
+ - 查看 ipset 状态
+ - 查看 iptables NAT 状态
+ - 查看 redsocks 和 dnsmasq 服务状态
+ - 测试国内和国外域名解析
+
+- **uninstall.sh**
+ - 停止并禁用所有服务
+ - 清理 iptables NAT 规则和 ipset
+ - 删除配置文件,回滚系统
+
+---
+
+## 3️⃣ 部署步骤
+
+1. 下载或复制 `generate_gateway.sh` 脚本到 Ubuntu 22.04 主机:
+```bash
+wget <你的脚本下载地址> -O generate_gateway.sh
+
diff --git a/gateway/uninstall.sh b/gateway/uninstall.sh
new file mode 100755
index 0000000..76db2df
--- /dev/null
+++ b/gateway/uninstall.sh
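Review bot: `set -euo pipefail` turns this read-only status script into one that aborts at the first non-zero probe: `systemctl status` exits non-zero for an inactive or failed unit, `ipset list chnroute` fails when the set does not exist, and `dig` returns non-zero on a timeout, so the script stops exactly when there is something worth seeing. Drop `-e` here (keep `-u`), or append `|| true` to each probe, and add `--no-pager` so `systemctl status redsocks` does not block in a pager when run non-interactively: `systemctl status --no-pager redsocks || true`, likewise for dnsmasq. `source ./00_env.sh` is not used by anything in this script as written and is a cwd-relative path; it can be removed or made `"$(dirname "$0")/00_env.sh"`.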
@@ -0,0 +1,17 @@
+#!/bin/bash
+source ./00_env.sh
+set -euo pipefail
+
+systemctl stop redsocks redsocks-dns ipset-load.service dnsmasq || true
+systemctl disable redsocks redsocks-dns ipset-load.service dnsmasq || true
+
+iptables -t nat -F
+iptables -t nat -X REDSOCKS 2>/dev/null || true
+
+ipset destroy chnroute || true
+
+rm -f /etc/redsocks.conf /etc/ipset/chnroute.ipset /etc/chnroute.list
+rm -f /etc/dnsmasq.d/lan.conf /etc/dnsmasq.d/china-domains.conf
+rm -f /etc/systemd/system/redsocks* /etc/systemd/system/ipset-load.service
+
+echo "全部配置已卸载"
diff --git a/scripts/redsocks.sh.j2 b/scripts/redsocks.sh.j2
index f92690f..808549b 100755
--- a/scripts/redsocks.sh.j2
+++ b/scripts/redsocks.sh.j2
@@ -6,14 +6,15 @@ set -euo pipefail ############################ 用户只需改下面 3 行 ############################## -LAN_IF="eth0" # 接内网的接口(192.168.16.0/24) -SOCKS_IP=""47.236.181.229 # 你的 socks5 境外 IP +LAN_IF="{{ client_lan_interface }}" +# 接内网的接口(192.168.16.0/24) +SOCKS_IP="127.0.0.1" # 你的 socks5 境外 IP SOCKS_PORT="1086" # 你的 socks5 端口 ############################################################################# REDSOCKS_BIN=/usr/local/bin/redsocks2 REDSOCKS_CONF=/etc/redsocks.conf -LAN_NET="192.168.16.0/24" +LAN_NET="{{ gateway_lan_cidr }}" # ---------- 0. 检测 root ---------- [[ $EUID -ne 0 ]] && { echo "请 root 运行"; exit 1; }
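Review bot: `iptables -t nat -F` flushes the entire nat table, including PREROUTING/POSTROUTING rules that nothing in this patch created (container runtimes, libvirt, a hand-added port forward), and `netfilter-persistent save` is never called afterwards, so the rules that 20_nat_forward.sh and 60_iptables_rules.sh persisted are restored on the next boot regardless. Delete only what the install scripts added and then re-save; since both of those scripts can have appended the MASQUERADE rule, loop the delete until it fails. `rm -f /etc/systemd/system/redsocks*` is wider than the two units this patch writes (`redsocks.service`, `redsocks-dns.service`) and is not followed by `systemctl daemon-reload`, so systemd keeps the removed units loaded until the next reload. The script also sources `./00_env.sh` by cwd-relative path before `set -euo pipefail`, like the install scripts.
```shell
# … unchanged: systemctl stop / disable …
# Delete only the rules the install scripts added; 20_ and 60_ may each have appended MASQUERADE.
while iptables -t nat -D PREROUTING -s "$LAN_NET" -p tcp -j REDSOCKS 2>/dev/null; do :; done
while iptables -t nat -D POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null; do :; done
iptables -t nat -F REDSOCKS 2>/dev/null || true
iptables -t nat -X REDSOCKS 2>/dev/null || true
netfilter-persistent save || true
# … unchanged: ipset destroy, removal of redsocks/ipset/dnsmasq config files …
rm -f /etc/systemd/system/redsocks.service /etc/systemd/system/redsocks-dns.service /etc/systemd/system/ipset-load.service
systemctl daemon-reload
```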
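Review bot: The new `SOCKS_IP="127.0.0.1"` keeps the comment `# 你的 socks5 境外 IP`, which now says the opposite of the value (a loopback address is not an overseas proxy IP), and the detached comment line `# 接内网的接口(192.168.16.0/24)` still names the subnet that `LAN_NET` no longer hard-codes, so a reader of the rendered script will assume one of the two is a mistake. Either template SOCKS_IP and SOCKS_PORT the same way as LAN_IF and LAN_NET — the banner above still says only the three lines below need editing, which is no longer true once two of them are Jinja variables — or reword the comments to match the values. Suggested: `SOCKS_IP="127.0.0.1"  # local SOCKS5 listener on the gateway; change if the proxy runs elsewhere` and `LAN_IF="{{ client_lan_interface }}"  # interface facing the LAN ({{ gateway_lan_cidr }})`. The context lines of this hunk are collapsed in this rendering, so the rest of it is not reviewed.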