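#!/bin/bash
# ==========================================================
# 192.168.16.2 one-shot gateway + transparent proxy (foreign IPs go via socks5)
# Only supports redsocks (with UDP forwarding) + ipset-based dynamic routing
# ==========================================================
# NOTE(review): this listing was recovered from a page on which the two
# heredoc bodies (the redsocks config and the systemd unit) and the original
# step 2 (building $REDSOCKS_BIN) were lost.  Those places are marked
# "PLACEHOLDER" below and must be restored from the original script before
# this file is used; as written, the placeholders make the deploy fail loudly
# rather than start a proxy with an unknown configuration.
set -euo pipefail

############################ Only the 3 lines below need editing ##############
LAN_IF="{{ client_lan_interface }}"   # interface facing the LAN (192.168.16.0/24)
SOCKS_IP="127.0.0.1"                  # your socks5 endpoint (foreign exit)
SOCKS_PORT="1086"                     # your socks5 port
#############################################################################
readonly REDSOCKS_BIN=/usr/local/bin/redsocks2
readonly REDSOCKS_CONF=/etc/redsocks.conf
LAN_NET="{{ gateway_lan_cidr }}"
# Local port redsocks listens on for both the TCP REDIRECT and the UDP TPROXY;
# hoisted so the iptables rules and the config cannot drift apart.
readonly REDSOCKS_PORT=61086
readonly TPROXY_MARK=0x29a
readonly TPROXY_TABLE=100
# Local file holding the inverse-chnroute (foreign) prefix list, one CIDR per line.
readonly IP_LIST=/d/ymq/data/ip_list.txt

# Append an iptables rule only if an identical one is not already present.
# Arguments: $1 - table, $2 - chain, rest - rule specification
# Without this, every re-run appends another jump into the custom chains.
ipt_add() {
  local table=$1 chain=$2
  shift 2
  iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
    || iptables -t "$table" -A "$chain" "$@"
}

# ---------- 0. must run as root ----------
if [[ $EUID -ne 0 ]]; then
  echo "请 root 运行" >&2
  exit 1
fi

# ---------- 1. install dependencies ----------
echo "==> 1. 安装依赖"
if command -v apt &>/dev/null; then
  apt update -y
  apt install -y git gcc make libevent-dev iptables ipset curl
elif command -v yum &>/dev/null; then
  yum install -y git gcc make libevent-devel iptables ipset curl
else
  echo "仅支持 apt/yum 系" >&2
  exit 1
fi

# ---------- 2. build redsocks2 ----------
# PLACEHOLDER: the original build step for "$REDSOCKS_BIN" is not present in
# the recovered listing.  Restore it here; the existence check in step 6 guards
# against continuing without the binary.

# ---------- 3. write redsocks config ----------
# PLACEHOLDER: the real config body was lost from the recovered listing.
# The file must define the TCP redirector and UDP listener on
# ${REDSOCKS_PORT} and the upstream socks5 at ${SOCKS_IP}:${SOCKS_PORT}.
cat > "$REDSOCKS_CONF" <<EOF
PLACEHOLDER: redsocks configuration lost from the recovered listing - restore before use
local_port_expected=${REDSOCKS_PORT} socks5=${SOCKS_IP}:${SOCKS_PORT}
EOF
# The config may hold socks5 credentials; keep it readable by root only.
chmod 600 "$REDSOCKS_CONF"

# ---------- 4. create the "oversea" ipset (foreign IPs) ----------
echo "==> 3. 创建 ipset 国外 IP 集合"
modprobe xt_set 2>/dev/null || true
ipset create oversea hash:net maxelem 65536 2>/dev/null || true
# Flush before loading so a re-run does not keep stale prefixes from an old list.
ipset flush oversea
# Lazy approach: load the inverse chnroute list (foreign IPs) from the local file.
echo " 下载 chnroute 反向列表…"
# stderr of "ipset restore" is intentionally silenced (it only reports element
# noise with -!); with pipefail a missing/unreadable list still hits the fallback.
sed 's/^/-A oversea /' "$IP_LIST" | ipset restore -! 2>/dev/null || {
  echo " 下载失败,改用静态默认全网国外(0.0.0.0/1+128.0.0.0/1)"
  # Fallback covers all of IPv4: every destination except the RFC1918/loopback
  # RETURNs below (including all UDP, e.g. DNS) is then sent through the socks5.
  ipset add oversea 0.0.0.0/1
  ipset add oversea 128.0.0.0/1
}

# ---------- 5. enable kernel forwarding ----------
echo "==> 4. 打开内核转发"
sysctl -w net.ipv4.ip_forward=1
if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
  sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
else
  echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
fi

# ---------- 6. iptables rules ----------
echo "==> 5. 配置 iptables"
# Rebuild the custom chains from scratch (safe to re-run).
iptables -t nat -F REDSOCKS2 2>/dev/null || iptables -t nat -N REDSOCKS2
iptables -t mangle -F REDSOCKS2 2>/dev/null || iptables -t mangle -N REDSOCKS2
# Never redirect traffic addressed to the socks5 server itself (loop guard).
iptables -t nat -A REDSOCKS2 -d "$SOCKS_IP" -j RETURN
# Skip private networks.
iptables -t nat -A REDSOCKS2 -d 192.168.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS2 -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS2 -d 172.16.0.0/12 -j RETURN
# Skip loopback.
iptables -t nat -A REDSOCKS2 -d 127.0.0.0/8 -j RETURN
# TCP to foreign IPs -> local redsocks port.
iptables -t nat -A REDSOCKS2 -m set --match-set oversea dst -p tcp \
  -j REDIRECT --to-ports "$REDSOCKS_PORT"
# Hook the chain into PREROUTING (forwarded LAN traffic) and OUTPUT (this host).
# The OUTPUT hook means the gateway's own foreign-bound TCP is proxied too.
ipt_add nat PREROUTING -i "$LAN_IF" -j REDSOCKS2
ipt_add nat OUTPUT -j REDSOCKS2
# UDP transparent proxy via TPROXY (forwarded LAN traffic only).
iptables -t mangle -A REDSOCKS2 -m set --match-set oversea dst -p udp \
  -j TPROXY --on-port "$REDSOCKS_PORT" --on-ip 0.0.0.0 --tproxy-mark "$TPROXY_MARK"
ipt_add mangle PREROUTING -i "$LAN_IF" -j REDSOCKS2
# Deliver marked packets locally.  NOTE: these are not persisted across reboots
# by step 7; they must be re-applied by whatever restores the rules.
ip rule add fwmark "$TPROXY_MARK" lookup "$TPROXY_TABLE" 2>/dev/null || true
ip route add local default dev lo table "$TPROXY_TABLE" 2>/dev/null || true
# NAT the remaining (domestic) traffic.
# NOTE(review): masquerading out of $LAN_IF assumes the upstream route leaves via
# the same interface (single-homed gateway); with a separate WAN interface, -o
# must name that interface instead - confirm against the deployment.
ipt_add nat POSTROUTING -s "$LAN_NET" -o "$LAN_IF" -j MASQUERADE

# ---------- 7. start redsocks ----------
echo "==> 6. 启动 redsocks 并设置开机自启"
if [[ ! -x "$REDSOCKS_BIN" ]]; then
  echo "redsocks binary $REDSOCKS_BIN not found or not executable" >&2
  exit 1
fi
# PLACEHOLDER: the real unit body was lost from the recovered listing.  A unit
# consisting only of this marker has no [Service] section, so "systemctl enable"
# below fails instead of silently starting something else.
cat > /etc/systemd/system/redsocks.service <<EOF
# PLACEHOLDER: systemd unit lost from the recovered listing - restore before use
# expected: ExecStart=${REDSOCKS_BIN} -c ${REDSOCKS_CONF}
EOF
# The step that originally followed the unit file was also lost; the echo above
# and the final status hint imply enable + start, reconstructed as:
systemctl daemon-reload
systemctl enable --now redsocks

# ---------- 8. persist the rules ----------
echo "==> 7. 保存 iptables 规则"
if command -v netfilter-persistent &>/dev/null; then
  # NOTE: the "oversea" set is saved only if the ipset plugin is installed;
  # without it the restored nat/mangle rules reference a missing set.
  netfilter-persistent save
elif command -v iptables-save &>/dev/null; then
  iptables-save > /etc/iptables.rules
  ipset save > /etc/ipset.rules
  # The saved rules reference the "oversea" set, so it must be restored before
  # iptables-restore runs (order matters on the first run that appends both).
  # grep -s keeps a missing /etc/rc.local quiet; the file must also exist and be
  # executable for these lines to take effect at boot.
  grep -qs 'ipset restore' /etc/rc.local || \
    echo "ipset restore -! < /etc/ipset.rules" >> /etc/rc.local
  grep -qs 'iptables-restore' /etc/rc.local || \
    echo "iptables-restore < /etc/iptables.rules" >> /etc/rc.local
fi

# The gateway address below is hard-coded while LAN_NET is templated; keep the
# two in sync when changing the subnet.
echo
echo "================ 部署完成 ================"
echo "网关地址:192.168.16.2 掩码:255.255.255.0"
echo "DHCP 或手动指定网关/DNS 为 192.168.16.2 即可上网"
echo "国外 IP 流量已自动走 socks5 $SOCKS_IP:$SOCKS_PORT"
echo "查看状态:systemctl status redsocks"
echo "================================================"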