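#!/bin/bash
# ==========================================================
# 192.168.16.2 one-shot gateway + transparent proxy (foreign IPs -> socks5)
# Only redsocks (with UDP forwarding) + ipset-based dynamic split routing.
#
# Flow: install deps -> write /etc/redsocks.conf -> fill the "oversea" ipset
# -> enable ip_forward -> install nat/mangle rules that REDIRECT (TCP) or
# TPROXY (UDP) traffic for set members to the local redsocks port -> start
# redsocks via systemd -> persist the iptables rules.
#
# Must run as root. Safe to re-run: the REDSOCKS2 chains are flushed and the
# jump rules into PREROUTING/OUTPUT/POSTROUTING are only appended when missing.
# This file is a Jinja template; {{ ... }} placeholders are filled by the
# deploy tool before the script is executed.
# ==========================================================
set -euo pipefail

############################ Only the 3 lines below need editing ############
LAN_IF="{{ client_lan_interface }}"   # interface facing the LAN (192.168.16.0/24)
SOCKS_IP="127.0.0.1"                  # your foreign socks5 IP
SOCKS_PORT="1086"                     # your socks5 port
#############################################################################

readonly REDSOCKS_BIN=/usr/local/bin/redsocks2
readonly REDSOCKS_CONF=/etc/redsocks.conf
readonly LAN_NET="{{ gateway_lan_cidr }}"
readonly IP_LIST=/d/ymq/data/ip_list.txt  # one CIDR per line, foreign ranges
readonly IPSET_NAME=oversea
readonly CHAIN=REDSOCKS2
readonly REDIR_PORT=61086     # redsocks listen port (TCP REDIRECT + UDP TPROXY)
readonly TPROXY_MARK=0x29a    # fwmark set by TPROXY, matched by the ip rule below
readonly TPROXY_TABLE=100     # routing table that delivers marked packets locally

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# 0. Abort unless running as root (iptables/ipset/systemd need it).
#######################################
require_root() {
  (( EUID == 0 )) || die "请 root 运行"
}

#######################################
# Fail fast on malformed settings instead of letting iptables/redsocks
# produce a confusing error later. The values end up as iptables arguments
# and inside the redsocks config, so they are kept to plain tokens.
# Globals: LAN_IF, LAN_NET, SOCKS_IP, SOCKS_PORT (read)
#######################################
validate_settings() {
  local ipv4='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  local cidr='^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'
  # Linux interface names: at most 15 chars, no whitespace or '/'
  [[ "$LAN_IF" =~ ^[A-Za-z0-9_.:@-]{1,15}$ ]] || die "LAN_IF 无效: '$LAN_IF'"
  [[ "$LAN_NET" =~ $cidr ]] || die "LAN_NET 无效: '$LAN_NET'"
  [[ "$SOCKS_IP" =~ $ipv4 ]] || die "SOCKS_IP 无效: '$SOCKS_IP'"
  if ! [[ "$SOCKS_PORT" =~ ^[0-9]+$ ]] || (( SOCKS_PORT < 1 || SOCKS_PORT > 65535 )); then
    die "SOCKS_PORT 无效: '$SOCKS_PORT'"
  fi
}

#######################################
# 1. Install build/runtime dependencies via apt or yum.
#######################################
install_deps() {
  echo "==> 1. 安装依赖"
  if command -v apt &>/dev/null; then
    apt update -y
    apt install -y git gcc make libevent-dev iptables ipset curl
  elif command -v yum &>/dev/null; then
    yum install -y git gcc make libevent-devel iptables ipset curl
  else
    die "仅支持 apt/yum 系"
  fi
}

#######################################
# 3. Write the redsocks config: one TCP (redsocks) and one UDP (redudp)
# listener on REDIR_PORT, both forwarding to the socks5 upstream.
# Globals: REDSOCKS_CONF (written), SOCKS_IP, SOCKS_PORT, REDIR_PORT (read)
#######################################
write_redsocks_conf() {
  cat > "$REDSOCKS_CONF" <<EOF
base {
log_debug = off;
log_info = on;
log = syslog;
daemon = on;
redirector = iptables;
}
redsocks {
local_ip = 0.0.0.0;
local_port = $REDIR_PORT;
ip = $SOCKS_IP;
port = $SOCKS_PORT;
type = socks5;
autoproxy = 0;
}
redudp {
local_ip = 0.0.0.0;
local_port = $REDIR_PORT;
ip = $SOCKS_IP;
port = $SOCKS_PORT;
type = socks5;
udp_timeout = 30;
}
EOF
}

#######################################
# 4. Create the "oversea" ipset and fill it from IP_LIST.
# Falls back to 0.0.0.0/1 + 128.0.0.0/1 (every address) when the list is
# missing, empty or cannot be loaded; RFC1918 and loopback are still excluded
# by the RETURN rules that precede the set match in the nat chain.
# Globals: IPSET_NAME, IP_LIST (read)
#######################################
build_ipset() {
  echo "==> 3. 创建 ipset 国外 IP 集合"
  modprobe xt_set 2>/dev/null || true   # may be built in; failure is not fatal
  # -exist: re-running with an identical set already present is not an error
  ipset create -exist "$IPSET_NAME" hash:net maxelem 65536

  # Lazy approach: load the chnroute "inverse" list (foreign IPs).
  # NOTE: despite the messages, this reads a local file; nothing is downloaded.
  # A list with more than maxelem entries fails to restore and hits the fallback.
  echo " 下载 chnroute 反向列表…"
  if [[ -s "$IP_LIST" ]] && sed "s/^/-A ${IPSET_NAME} /" "$IP_LIST" | ipset restore -!; then
    return 0
  fi
  echo " 下载失败,改用静态默认全网国外(0.0.0.0/1+128.0.0.0/1)"
  ipset add -exist "$IPSET_NAME" 0.0.0.0/1
  ipset add -exist "$IPSET_NAME" 128.0.0.0/1
}

#######################################
# 5. Enable IPv4 forwarding now and persist it in /etc/sysctl.conf.
#######################################
enable_forwarding() {
  echo "==> 4. 打开内核转发"
  sysctl -w net.ipv4.ip_forward=1
  # /etc/sysctl.conf may not exist yet; a grep miss just means "append"
  if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf 2>/dev/null; then
    sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
  else
    echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
  fi
}

#######################################
# Create a chain if missing, then empty it (idempotent).
# Arguments: $1 - table, $2 - chain
#######################################
ensure_chain() {
  local table=$1 chain=$2
  iptables -t "$table" -N "$chain" 2>/dev/null || true   # already exists: fine
  iptables -t "$table" -F "$chain"
}

#######################################
# Append a rule only if an identical one is not already present, so that
# re-running the script does not stack duplicate jump rules.
# Arguments: $1 - table, $2 - chain, rest - rule specification
#######################################
add_rule_once() {
  local table=$1 chain=$2
  shift 2
  iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
    || iptables -t "$table" -A "$chain" "$@"
}

#######################################
# 6. Install the nat (TCP REDIRECT) and mangle (UDP TPROXY) rules.
# Globals: CHAIN, SOCKS_IP, IPSET_NAME, REDIR_PORT, LAN_IF, LAN_NET,
#          TPROXY_MARK, TPROXY_TABLE (read)
#######################################
apply_iptables() {
  echo "==> 5. 配置 iptables"
  # Reset our own chains so the script can be run repeatedly
  ensure_chain nat "$CHAIN"
  ensure_chain mangle "$CHAIN"

  # Never redirect the proxy's own traffic to the socks5 upstream
  iptables -t nat -A "$CHAIN" -d "$SOCKS_IP" -j RETURN
  # Skip private ranges and loopback
  local net
  for net in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 127.0.0.0/8; do
    iptables -t nat -A "$CHAIN" -d "$net" -j RETURN
  done
  # Foreign destinations (set members) -> local redsocks TCP listener
  iptables -t nat -A "$CHAIN" -m set --match-set "$IPSET_NAME" dst -p tcp \
    -j REDIRECT --to-ports "$REDIR_PORT"

  # Hook into PREROUTING (forwarded traffic) and OUTPUT (this host's traffic)
  add_rule_once nat PREROUTING -i "$LAN_IF" -j "$CHAIN"
  add_rule_once nat OUTPUT -j "$CHAIN"

  # UDP transparent proxy (TPROXY) for forwarded traffic only
  iptables -t mangle -A "$CHAIN" -m set --match-set "$IPSET_NAME" dst -p udp \
    -j TPROXY --on-port "$REDIR_PORT" --on-ip 0.0.0.0 --tproxy-mark "$TPROXY_MARK"
  add_rule_once mangle PREROUTING -i "$LAN_IF" -j "$CHAIN"
  # Deliver marked packets to the local stack instead of forwarding them
  ip rule add fwmark "$TPROXY_MARK" lookup "$TPROXY_TABLE" 2>/dev/null || true
  ip route add local default dev lo table "$TPROXY_TABLE" 2>/dev/null || true

  # NAT for ordinary (domestic) LAN traffic
  # NOTE(review): MASQUERADE is applied to traffic leaving via the LAN-facing
  # interface; if the uplink is a different interface, -o should name that
  # one instead — confirm against the intended topology.
  add_rule_once nat POSTROUTING -s "$LAN_NET" -o "$LAN_IF" -j MASQUERADE
}

#######################################
# 7. Write the systemd unit and start redsocks at boot and now.
# Globals: REDSOCKS_BIN, REDSOCKS_CONF (read)
#######################################
start_service() {
  echo "==> 6. 启动 redsocks 并设置开机自启"
  # Nothing in this script builds redsocks2; refuse to enable a unit that
  # would fail immediately.
  [[ -x "$REDSOCKS_BIN" ]] || die "未找到 $REDSOCKS_BIN,请先安装 redsocks2"
  cat > /etc/systemd/system/redsocks.service <<EOF
[Unit]
Description=redsocks transparent proxy
After=network.target

[Service]
Type=simple
ExecStart=$REDSOCKS_BIN -c $REDSOCKS_CONF
Restart=always
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload
  systemctl enable --now redsocks
  # Exits non-zero when the unit is not active; under set -e that stops the
  # script here, before rules pointing at a dead listener are persisted.
  systemctl status redsocks --no-pager
}

#######################################
# 8. Persist the iptables rules across reboots.
# NOTE: only the iptables rules are saved; the ipset contents and the
# ip rule/route for TPROXY are not, so those are rebuilt by re-running
# this script after a reboot.
#######################################
persist_iptables() {
  echo "==> 7. 保存 iptables 规则"
  if command -v netfilter-persistent &>/dev/null; then
    netfilter-persistent save
  elif command -v iptables-save &>/dev/null; then
    iptables-save > /etc/iptables.rules
    # /etc/rc.local may not exist yet; a grep miss is the normal first-run case
    if ! grep -q 'iptables-restore' /etc/rc.local 2>/dev/null; then
      echo "iptables-restore < /etc/iptables.rules" >> /etc/rc.local
    fi
  fi
}

#######################################
# Final banner for the operator.
# Globals: SOCKS_IP, SOCKS_PORT (read)
#######################################
print_summary() {
  echo
  echo "================ 部署完成 ================"
  echo "网关地址:192.168.16.2 掩码:255.255.255.0"
  echo "DHCP 或手动指定网关/DNS 为 192.168.16.2 即可上网"
  echo "国外 IP 流量已自动走 socks5 $SOCKS_IP:$SOCKS_PORT"
  echo "查看状态:systemctl status redsocks"
  echo "================================================"
}

main() {
  require_root
  validate_settings
  install_deps
  write_redsocks_conf
  build_ipset
  enable_forwarding
  apply_iptables
  start_service
  persist_iptables
  print_summary
}

main "$@"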