
#!/bin/bash
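# -e/-o pipefail abort on failed commands and failed pipeline stages; -u is not
# enabled, so an unset variable expands to an empty string instead of aborting.
set -eo pipefail
# Not referenced anywhere in the visible part of this script; kept for callers
# that may read it after sourcing.
curuser=ymq
# Replace systemd-resolved's stub resolver with a static resolv.conf so the
# gateway's own lookups go to a public resolver. On hosts where
# /etc/resolv.conf is a symlink managed by systemd-resolved this removes the
# symlink; -f keeps the step idempotent when the file is already gone, and --
# ends option parsing before the path.
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo rm -f -- /etc/resolv.conf
printf 'nameserver 1.1.1.1\n' | sudo tee /etc/resolv.conf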
# ==============================================================================
# 网关主机配置变量 - 请根据你的实际环境修改!
# ==============================================================================
# 网关主机的主网卡名称 (例如 eth0, ens5 等)
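# Name of the gateway's main NIC (e.g. eth0, ens5); used as the NAT egress
# interface and the ingress interface for the transparent-proxy rules.
GATEWAY_MAIN_INTERFACE="eth0"
# Gateway LAN IP. The original comment says the script fills this in for
# listening and DNS, but nothing in the visible part of the file assigns it.
GATEWAY_LAN_IP=""
# Public IP. Only read to choose SNAT over MASQUERADE; nothing visible here
# assigns it, so it stays empty and the MASQUERADE branch is taken.
GATEWAY_PUBLIC_IP=""
# Address range of the cloud-internal network that is NATed and proxied.
GATEWAY_LAN_CIDR="192.168.16.0/24"
# SSH SOCKS5 proxy endpoint. These three are not referenced in the visible
# part of the script; presumably the SSH -D unit setup lives elsewhere.
REMOTE_SSH_USER="ocaiuser"
REMOTE_SSH_IP="opencomputing.ai"
REMOTE_SSH_PORT="22"
# Port the SSH SOCKS5 proxy listens on locally. This is a PORT ONLY: every
# consumer prefixes "127.0.0.1:" itself (log message, gfwlist2new config) or
# passes it to iptables --dport, which rejects a host:port value. The original
# default "127.0.0.1:1086" produced "127.0.0.1:127.0.0.1:1086" in the proxy
# config and an invalid --dport argument.
LOCAL_SOCKS5_PORT="1086"
# Local listen port of the transparent proxy (redsocks2).
REDSOCKS_PORT="12345"
# dnsmasq listen address; not assigned anywhere in the visible part of the file.
DNSMASQ_LISTEN_IP=""
# Upstream resolvers: domestic ones direct, foreign ones via the SOCKS5 proxy.
DOMESTIC_DNS="223.5.5.5,114.114.114.114"
FOREIGN_DNS="8.8.8.8,1.1.1.1"
# gfwlist2new tool: source repository and install location.
GFWLIST2NEW_REPO="https://github.com/cokebar/gfwlist2dnsmasq_python.git"
GFWLIST2NEW_DIR="/opt/gfwlist2new"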
# ==============================================================================
# 通用函数
# ==============================================================================
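log_info() {
  # Print a green "[INFO] <timestamp> <message>" line to stdout.
  # $1 - message. Passed through %s so it is printed verbatim; the original
  # echo -e also expanded backslash escapes inside the message itself.
  printf '\033[32m[INFO] %s %s\033[0m\n' "$(date +'%Y-%m-%d %H:%M:%S')" "$1"
}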
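log_warn() {
  # Print a yellow "[WARN] <timestamp> <message>" line to stderr.
  # $1 - message, printed verbatim via %s (no escape expansion).
  printf '\033[33m[WARN] %s %s\033[0m\n' "$(date +'%Y-%m-%d %H:%M:%S')" "$1" >&2
}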
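log_error() {
  # Print a red "[ERROR] <timestamp> <message>" line to stderr and terminate
  # the script with status 1. Callers use it as `cmd || log_error "..."`.
  # $1 - message, printed verbatim via %s (no escape expansion).
  printf '\033[31m[ERROR] %s %s\033[0m\n' "$(date +'%Y-%m-%d %H:%M:%S')" "$1" >&2
  exit 1
}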
check_root() {
  # Abort unless the effective user is root; log_error exits the script.
  # Defined but not called in the visible part of the file (the call site is
  # commented out), so the script relies on per-command sudo instead.
  (( EUID == 0 )) || log_error "此脚本必须以 root 用户或使用 sudo 运行。"
}
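install_package() {
  # Install a Debian package with apt unless it is already installed.
  # $1 - package name. On apt failure log_error exits the script.
  # `local` keeps the name out of the caller's scope (the original assigned a
  # global PACKAGE; nothing visible in the file reads it).
  local pkg=$1
  # `dpkg -s` also exits 0 for packages that were removed but not purged
  # (status "deinstall ok config-files"), so ask dpkg-query for the status
  # field and require the installed state explicitly.
  if dpkg-query -W -f='${Status}' "${pkg}" 2>/dev/null | grep -q 'install ok installed'; then
    log_info "${pkg} 已安装。"
    return 0
  fi
  log_info "安装 ${pkg}..."
  sudo apt install -y "${pkg}" || log_error "安装 ${pkg} 失败。"
}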
# ==============================================================================
# 0. 前置检查与环境初始化
# ==============================================================================
# check_root
# Section 0: refresh the package index and turn off UFW so it does not fight
# the iptables rules written later. check_root is not invoked here (its call
# is commented out above), so each privileged step runs through sudo.
log_info "开始网关主机配置脚本 (云服务器环境)..."
log_info "更新系统软件包列表..."
if ! sudo apt update; then
  log_error "apt update 失败。"
fi
log_info "禁用 UFW 以避免与 iptables 冲突..."
if ! sudo ufw disable; then
  log_warn "UFW 未运行或禁用失败,请手动确认。"
fi
# Reports the SSH SOCKS5 systemd unit as running, but nothing in this part of
# the file creates or starts it (section numbering jumps from 0 to 5) —
# presumably done in the sections not shown.
log_info "SSH SOCKS5 代理已通过 Systemd 启动,并在 127.0.0.1:${LOCAL_SOCKS5_PORT} 监听,支持自动重连。"
# ==============================================================================
# 5. 安装和配置 gfwlist2new (保持不变)
# ==============================================================================
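log_info "安装和配置 gfwlist2new 工具..."
# NOTE(review): this clones an unpinned upstream branch and runs it (pip3 and
# python3) as root; pinning a commit would make the install reproducible.
# The clone URL comes from GFWLIST2NEW_REPO so there is a single place to
# change it (the original repeated the URL literally here).
if [[ ! -d "${GFWLIST2NEW_DIR}" ]]; then
  log_info "克隆 gfwlist2new 仓库..."
  sudo git clone "${GFWLIST2NEW_REPO}" "${GFWLIST2NEW_DIR}" || log_error "克隆 gfwlist2new 仓库失败。"
fi
cd "${GFWLIST2NEW_DIR}" || log_error "进入 ${GFWLIST2NEW_DIR} 失败。"
log_info "安装 gfwlist2new 依赖..."
sudo pip3 install -r requirements.txt || log_error "安装 gfwlist2new 依赖失败。"
# SOCKS5 endpoint handed to gfwlist2new. The original passed "${SOCKS5_SERVER}"
# to gfwlist2new.py and the cron job without ever assigning it in the shell
# (it only existed as a key inside the generated config), so -s got an empty
# string. LOCAL_SOCKS5_PORT may be a bare port or "host:port"; ${..##*:}
# keeps only the port so the result carries the 127.0.0.1: prefix exactly once.
SOCKS5_SERVER="127.0.0.1:${LOCAL_SOCKS5_PORT##*:}"
log_info "配置 gfwlist2new 的配置文件 config.conf..."
sudo cp config.conf "config.conf.bak_$(date +%Y%m%d%H%M%S)" || log_warn "备份 gfwlist2new config.conf 失败。"
# NOTE(review): the bare "Proxy Config" line below is not a valid INI section
# header; it is written exactly as the original had it and may have been meant
# as "[Proxy Config]" — confirm against the upstream sample config.conf.
sudo tee config.conf > /dev/null <<EOF
[DEFAULT]
IPSET_NAME = gfwlist
IPSET_FILE = /etc/ipset/gfwlist.conf
DNSMASQ_CONF_PATH = /etc/dnsmasq.d/gfwlist_router.conf
DNSMASQ_LOG_PATH = /var/log/dnsmasq.log
DNS_PROXY_SERVER = 127.0.0.1#${REDSOCKS_PORT} # 这里的端口要指向 redsocks2
Proxy Config
SOCKS5_SERVER = ${SOCKS5_SERVER} # 这里的端口是SSH SOCKS5代理
GITHUB_RAW_URL = raw.githubusercontent.com
EOF
log_info "执行 gfwlist2new 生成 ipset 和 dnsmasq 规则..."
# Resolver lists come from FOREIGN_DNS/DOMESTIC_DNS instead of being repeated
# literally, so the config block stays the single source of truth.
sudo python3 gfwlist2new.py -s "${SOCKS5_SERVER}" -f "${FOREIGN_DNS}" -d "${DOMESTIC_DNS}" || log_error "gfwlist2new 运行失败。"
# dnsmasq is restarted here, but installing it and loading the generated ipset
# into the kernel are not in this part of the file — presumably earlier sections.
sudo systemctl restart dnsmasq || log_error "重启 dnsmasq (gfwlist) 失败。"
log_info "设置 gfwlist2new 定时更新任务 (每天凌晨 3:00)..."
# The job goes into root's crontab (`sudo crontab -`), so it needs no sudo of
# its own (sudo from cron also fails under a requiretty policy). Existing
# gfwlist2new lines are filtered out first so re-running this script does not
# append a duplicate job each time; `|| true` covers grep's non-zero status
# when the old crontab is empty or has no such line.
cron_job="0 3 * * * cd ${GFWLIST2NEW_DIR} && python3 gfwlist2new.py -s ${SOCKS5_SERVER} -f ${FOREIGN_DNS} -d ${DOMESTIC_DNS} && systemctl restart dnsmasq"
{
  sudo crontab -l 2>/dev/null | grep -vF 'gfwlist2new.py' || true
  printf '%s\n' "${cron_job}"
} | sudo crontab -
log_info "gfwlist2new 配置完成并设置定时更新。"
cd - > /dev/null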
# ==============================================================================
# 6. 配置 IPTABLES 规则实现透明代理和 NAT (针对单网卡环境)
# ==============================================================================
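log_info "配置 IPTABLES 规则 (NAT 和透明代理,针对云服务器单网卡环境)..."
# Port-only view of LOCAL_SOCKS5_PORT. The variable may be configured as
# "host:port" (the original default), which iptables --dport rejects and, under
# set -e, would abort the script at the loop-guard rule below.
socks5_port="${LOCAL_SOCKS5_PORT##*:}"
# Flush filter/nat/mangle completely. Together with `ufw disable` earlier this
# leaves no INPUT filtering in iptables and no chain policy is set below, so
# host exposure rests on whatever the cloud security group allows — confirm
# that. The flush also discards rules other software (e.g. a container
# runtime) may have installed.
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
# The FORWARD/NAT rules below do nothing unless the kernel forwards packets;
# no other line in this part of the file enables it. sysctl -w is idempotent
# and affects only the running kernel, so persistence has to be handled
# separately (not done here).
sudo sysctl -w net.ipv4.ip_forward=1 || log_warn "开启 net.ipv4.ip_forward 失败,请手动确认。"
# 1. NAT for the LAN range on the main interface: SNAT to a fixed public IP
# when one is configured, MASQUERADE otherwise. Nothing visible in the file
# assigns GATEWAY_PUBLIC_IP, so the MASQUERADE branch is the one normally taken.
if [[ -n "${GATEWAY_PUBLIC_IP}" ]]; then
  sudo iptables -t nat -A POSTROUTING -o "${GATEWAY_MAIN_INTERFACE}" -s "${GATEWAY_LAN_CIDR}" -j SNAT --to-source "${GATEWAY_PUBLIC_IP}"
  log_info "已配置 NAT 规则出口IP为 ${GATEWAY_PUBLIC_IP}"
else
  sudo iptables -t nat -A POSTROUTING -o "${GATEWAY_MAIN_INTERFACE}" -s "${GATEWAY_LAN_CIDR}" -j MASQUERADE
  log_info "已配置 NAT 规则,使用 ${GATEWAY_MAIN_INTERFACE} 主IP作为出口。"
fi
# 2. Forwarding: everything from the LAN range out of the main interface, and
# reply traffic of established connections back in. No further FORWARD
# filtering is applied. conntrack/--ctstate is the current spelling of the
# deprecated `-m state --state` match and behaves the same.
sudo iptables -A FORWARD -s "${GATEWAY_LAN_CIDR}" -o "${GATEWAY_MAIN_INTERFACE}" -j ACCEPT
sudo iptables -A FORWARD -i "${GATEWAY_MAIN_INTERFACE}" -d "${GATEWAY_LAN_CIDR}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
log_info "已配置 IP 转发规则。"
# 3. Transparent proxy: LAN TCP whose destination is in the "gfwlist" ipset is
# redirected to redsocks2 on the gateway. iptables rejects the rule if the
# ipset does not exist yet; creating/loading it is not visible in this file.
sudo iptables -t nat -A PREROUTING -i "${GATEWAY_MAIN_INTERFACE}" -p tcp -s "${GATEWAY_LAN_CIDR}" -m set --match-set gfwlist dst -j REDIRECT --to-ports "${REDSOCKS_PORT}"
log_info "已配置透明代理重定向规则 (所有端口目标IP在 gfwlist 中的内网TCP流量到 redsocks2)。"
# 4. Loop guards in nat OUTPUT for the gateway's own connections to redsocks2
# and to the local SOCKS5 port. No OUTPUT REDIRECT rule is added in this file,
# so these only take effect if one is added later.
sudo iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport "${REDSOCKS_PORT}" -j RETURN
sudo iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport "${socks5_port}" -j RETURN
log_info "已配置排除 redsocks2 自身流量循环的规则。"
# Persist the rule set across reboots.
sudo netfilter-persistent save || log_error "保存 iptables 规则失败。"
sudo systemctl enable netfilter-persistent || log_error "启用 netfilter-persistent 服务失败。"
log_info "IPTABLES 规则已配置并保存。"
log_info "----------------------------------------------------------------------------------"
log_info "网关云主机配置完成!"
log_info "请检查 redsocks2 和 ssh -D 进程是否正常运行。"
log_info "请注意SSH SOCKS5 代理可能需要手动输入密码或配置免密登录才能持久运行。"
log_info "----------------------------------------------------------------------------------"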