bugfix

gateway/00_env.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# 全局环境变量
+WAN_IF="eno1"
+LAN_IF="enx00e04c6800ae"
+LAN_NET="192.168.2.0/24"
+LAN_GW="192.168.2.1"
+
+SOCKS5_SERVER="127.0.0.1"
+SOCKS5_PORT="1080"
+REDSOCKS_PORT="12345"
+REDSOCKS_DNS_PORT="5353"
+
+CHNROUTE_URLS=(
+  "https://raw.githubusercontent.com/17mon/china_ip_list/master/china_ip_list.txt"
+  "https://raw.githubusercontent.com/ruijzhan/chnroute/master/chnroute.txt"
+)
+
+DNSMASQ_CHINA_URL="https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/accelerated-domains.china"
+
+CHINA_DNS1="223.5.5.5"
+CHINA_DNS2="119.29.29.29"
+FOREIGN_DNS1="8.8.8.8"
+FOREIGN_DNS2="1.1.1.1"
+
+IPSET_FILE="/etc/ipset/chnroute.ipset"
+CHN_FILE="/etc/chnroute.list"
+DNSMASQ_CHINA_FILE="/etc/dnsmasq.d/china-domains.conf"

gateway/10_dhcp_dns.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+source ./00_env.sh
+set -euo pipefail
+
+if [[ $EUID -ne 0 ]]; then echo "请用 root/sudo 运行"; exit 1; fi
+
+apt update
+apt install -y dnsmasq ipset curl || true
+
+cat >/etc/dnsmasq.d/lan.conf <<EOL
+interface=$LAN_IF
+bind-interfaces
+dhcp-range=192.168.2.100,192.168.2.200,12h
+dhcp-option=3,$LAN_GW
+dhcp-option=6,$LAN_GW
+server=$FOREIGN_DNS1
+server=$FOREIGN_DNS2
+EOL
+
+curl -fsSL "$DNSMASQ_CHINA_URL" -o /tmp/accelerated.domains || true
+echo "# Auto-generated China domains" > "$DNSMASQ_CHINA_FILE"
+while IFS= read -r domain; do
+  [[ -z "$domain" || "$domain" =~ ^# ]] && continue
+  d=$(echo "$domain" | awk '{print $1}')
+  echo "server=/$d/$CHINA_DNS1" >> "$DNSMASQ_CHINA_FILE"
+  echo "server=/$d/$CHINA_DNS2" >> "$DNSMASQ_CHINA_FILE"
+done < /tmp/accelerated.domains
+
+systemctl restart dnsmasq || true
+systemctl enable dnsmasq || true
+
+echo "DHCP + 国内 DNS 配置完成"

gateway/20_nat_forward.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+source ./00_env.sh
+set -euo pipefail
+
+echo 1 > /proc/sys/net/ipv4/ip_forward
+grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
+
+iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
+netfilter-persistent save || true
+
+echo "NAT 出口 + IP 转发配置完成"

gateway/30_chnroute.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+source ./00_env.sh
+set -euo pipefail
+
+apt install -y ipset || true
+mkdir -p /etc/ipset
+
+rm -f "$CHN_FILE"
+for url in "${CHNROUTE_URLS[@]}"; do
+  curl -fsSL "$url" -o /tmp/chn.tmp && grep -E '^[0-9]' /tmp/chn.tmp | sed 's/\r//g' > "$CHN_FILE" && break
+done
+
+ipset list chnroute -n &>/dev/null && ipset flush chnroute && ipset destroy chnroute || true
+ipset create chnroute hash:net family inet maxelem 65536 || true
+
+for net in 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16; do
+  ipset add chnroute $net || true
+done
+
+while IFS= read -r line; do
+  [[ -z "$line" || "$line" =~ ^# ]] && continue
+  ipset add chnroute "$line" || true
+done < "$CHN_FILE"
+
+ipset save > "$IPSET_FILE"
+
+cat >/etc/systemd/system/ipset-load.service <<EOL
+[Unit]
+Description=Load ipset rules
+After=network.target
+[Service]
+Type=oneshot
+ExecStart=/sbin/ipset restore -f $IPSET_FILE
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target
+EOL
+
+systemctl daemon-reload
+systemctl enable ipset-load.service
+systemctl start ipset-load.service || true
+
+echo "CHNROUTE ipset 已安装"

gateway/40_redsocks.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+source ./00_env.sh
+set -euo pipefail
+
+apt install -y build-essential libevent-dev libssl-dev git || true
+
+if ! command -v redsocks >/dev/null 2>&1; then
+  cd /tmp
+  git clone https://github.com/semigodking/redsocks.git
+  cd redsocks
+  make
+  cp redsocks /usr/sbin/redsocks
+fi
+
+cat >/etc/redsocks.conf <<EOL
+base {
+  log_debug = off;
+  log_info = on;
+  daemon = on;
+  redirector = iptables;
+}
+
+redsocks {
+  local_ip = 127.0.0.1;
+  local_port = $REDSOCKS_PORT;
+  ip = $SOCKS5_SERVER;
+  port = $SOCKS5_PORT;
+  type = socks5;
+  autoproxy = 0;
+}
+
+redsocks {
+  local_ip = 127.0.0.1;
+  local_port = $REDSOCKS_DNS_PORT;
+  ip = $SOCKS5_SERVER;
+  port = $SOCKS5_PORT;
+  type = socks5;
+  autoproxy = 0;
+}
+EOL
+
+cat >/etc/systemd/system/redsocks.service <<EOL
+[Unit]
+Description=Redsocks2 transparent proxy
+After=network-online.target ipset-load.service
+Wants=network-online.target
+[Service]
+ExecStart=/usr/sbin/redsocks -c /etc/redsocks.conf
+Restart=on-failure
+[Install]
+WantedBy=multi-user.target
+EOL
+
+systemctl daemon-reload
+systemctl enable redsocks
+systemctl restart redsocks || true
+
+echo "redsocks2 配置完成"

gateway/50_dns_over_proxy.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+source ./00_env.sh
+set -euo pipefail
+
+apt install -y redsocks2 || true
+
+cat >/etc/systemd/system/redsocks-dns.service <<EOL
+[Unit]
+Description=Redirect DNS queries over redsocks2
+After=network-online.target redsocks.service
+[Service]
+Type=simple
+ExecStart=/usr/sbin/redsocks -c /etc/redsocks.conf
+Restart=always
+[Install]
+WantedBy=multi-user.target
+EOL
+
+systemctl daemon-reload
+systemctl enable redsocks-dns
+systemctl start redsocks-dns || true
+
+echo "国外 DNS 代理（防污染）已启动"

gateway/60_iptables_rules.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+source ./00_env.sh
+set -euo pipefail
+
+iptables -t nat -F
+iptables -t nat -X REDSOCKS 2>/dev/null || true
+iptables -t nat -N REDSOCKS
+
+iptables -t nat -A REDSOCKS -m set --match-set chnroute dst -j RETURN
+iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT
+iptables -t nat -A PREROUTING -s $LAN_NET -p tcp -j REDSOCKS
+iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
+
+netfilter-persistent save || true
+echo "iptables 分流规则已应用"

gateway/90_status.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+source ./00_env.sh
+set -euo pipefail
+
+echo "=== ipset 状态 ==="
+ipset list chnroute
+
+echo "=== iptables NAT 状态 ==="
+iptables -t nat -L -n -v --line-numbers
+
+echo "=== redsocks 状态 ==="
+systemctl status redsocks
+
+echo "=== dnsmasq 状态 ==="
+systemctl status dnsmasq
+
+echo "=== 测试国内解析 ==="
+dig @127.0.0.1 www.baidu.com
+
+echo "=== 测试国外解析 ==="
+dig @127.0.0.1 www.google.com

gateway/README.md

@@ -0,0 +1,53 @@
+
+### 脚本功能说明
+
+- **00_env.sh**  
+  - 配置 WAN / LAN 网卡名、下层网段、SOCKS5 地址与端口、CHNROUTE 地址等。
+
+- **10_dhcp_dns.sh**  
+  - 安装 dnsmasq  
+  - 下层 DHCP 分配 IP  
+  - 国内域名直连 DNS 配置，提升国内访问速度
+
+- **20_nat_forward.sh**  
+  - 开启 IPv4 转发  
+  - 配置 NAT 出口，允许下层网络访问上层网络
+
+- **30_chnroute.sh**  
+  - 下载最新 CHNROUTE 国内 IP 列表  
+  - 创建 ipset `chnroute`  
+  - 添加私有网段和国内 IP，用于国内外分流
+
+- **40_redsocks.sh**  
+  - 安装 redsocks2  
+  - 配置透明代理，将 TCP 流量重定向到 SOCKS5 代理  
+  - 启动 systemd 服务，自动运行
+
+- **50_dns_over_proxy.sh**  
+  - 将国外 DNS 查询通过 redsocks2 转发，防止 DNS 污染  
+  - 启动 systemd 服务，开机自启
+
+- **60_iptables_rules.sh**  
+  - 设置 iptables NAT 链和 REDSOCKS 链  
+  - 国内 IP 直连，国外 TCP 流量重定向到 redsocks2  
+  - 配合 CHNROUTE ipset 使用，实现国内外分流
+
+- **90_status.sh**  
+  - 查看 ipset 状态  
+  - 查看 iptables NAT 状态  
+  - 查看 redsocks 和 dnsmasq 服务状态  
+  - 测试国内和国外域名解析
+
+- **uninstall.sh**  
+  - 停止并禁用所有服务  
+  - 清理 iptables NAT 规则和 ipset  
+  - 删除配置文件，回滚系统
+
+---
+
+## 3️⃣ 部署步骤
+
+1. 下载或复制 `generate_gateway.sh` 脚本到 Ubuntu 22.04 主机：
+```bash
+wget <你的脚本下载地址> -O generate_gateway.sh
+

gateway/uninstall.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+source ./00_env.sh
+set -euo pipefail
+
+systemctl stop redsocks redsocks-dns ipset-load.service dnsmasq || true
+systemctl disable redsocks redsocks-dns ipset-load.service dnsmasq || true
+
+iptables -t nat -F
+iptables -t nat -X REDSOCKS 2>/dev/null || true
+
+ipset destroy chnroute || true
+
+rm -f /etc/redsocks.conf /etc/ipset/chnroute.ipset /etc/chnroute.list
+rm -f /etc/dnsmasq.d/lan.conf /etc/dnsmasq.d/china-domains.conf
+rm -f /etc/systemd/system/redsocks* /etc/systemd/system/ipset-load.service
+
+echo "全部配置已卸载"

scripts/redsocks.sh.j2

@@ -6,14 +6,15 @@
 set -euo pipefail
 
 ############################ 用户只需改下面 3 行 ##############################
-LAN_IF="eth0"                 # 接内网的接口（192.168.16.0/24）
+LAN_IF="{{ client_lan_interface }}"
-SOCKS_IP=""47.236.181.229            # 你的 socks5 境外 IP
+# 接内网的接口（192.168.16.0/24）
+SOCKS_IP="127.0.0.1"            # 你的 socks5 境外 IP
 SOCKS_PORT="1086"            # 你的 socks5 端口
 #############################################################################
 
 REDSOCKS_BIN=/usr/local/bin/redsocks2
 REDSOCKS_CONF=/etc/redsocks.conf
-LAN_NET="192.168.16.0/24"
+LAN_NET="{{ gateway_lan_cidr }}"
 
 # ---------- 0. 检测 root ----------
 [[ $EUID -ne 0 ]] && { echo "请 root 运行"; exit 1; }