[Feature] How to route traffic through Crash after entering the intranet via VPN #744

Closed
3 tasks done
bsdcpp opened this issue Aug 25, 2024 · 5 comments

Comments

@bsdcpp

bsdcpp commented Aug 25, 2024

Verify steps

  • I have searched the issue tracker for a related issue.
  • I have tested with the beta (public test) build, and the issue still exists.
  • I have carefully read the FAQ and cannot resolve the issue myself.

Description

A question for the maintainer: when a VPN client enters the network, Crash cannot see the device's MAC address, right? So the MAC-based black/white list mode cannot recognise it.
My previous workaround was to add a rule manually so that DNS from the VPN IP range (e.g. 10.0.0.0/8) is redirected in shellcrash_dns; this worked fine with the Premium core.

iptables -w -t nat -A shellcrash_dns -p udp -s 10.0.0.0/8 -j REDIRECT --to-port 1053

But after switching to the meta core, besides the rule above, the traffic also has to be hijacked in shellcrash_mark; only after manually adding one more command does this IP range actually reach the Crash core.

# iptables accepts a single protocol per -p, so tcp and udp need one rule each
iptables -w -t mangle -A shellcrash_mark -p tcp -s 10.0.0.0/8 -j MARK --set-xmark 7892
iptables -w -t mangle -A shellcrash_mark -p udp -s 10.0.0.0/8 -j MARK --set-xmark 7892

I don't know what the difference is.

Also, would it be convenient to add an IP black/white list option later? At the moment I top up the rules with a cron job, because they are lost every time Crash restarts.
Thanks.
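The cron-based workaround described above, as an added example that is not ShellCrash's own code: it re-adds the subnet rules idempotently (checking with `iptables -C` first) so it can run after every restart without duplicating rules. It assumes the shellcrash_dns (nat) and shellcrash_mark (mangle) chains exist and that 1053 and 7892 are the DNS port and mark, as stated in the issue; the file name vpn_rules.sh is an assumption.

```shell
#!/bin/sh
# Added example, not ShellCrash's own code: re-add the per-subnet rules from
# the issue idempotently, so a cron job can re-run it after ShellCrash restarts.
# Assumes chains shellcrash_dns (nat) and shellcrash_mark (mangle) exist and
# that the DNS port is 1053 and the mark 7892, as the issue states.
VPN_NET="${VPN_NET:-10.0.0.0/8}"
DNS_PORT="${DNS_PORT:-1053}"
FWMARK="${FWMARK:-7892}"
IPT="${IPT:-iptables -w}"   # set IPT="echo iptables" for a dry run

# ensure_rule TABLE CHAIN RULE...: append RULE to CHAIN unless already present.
# Returns 0 when a rule was added, 1 when it already existed.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if $IPT -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 1
    fi
    $IPT -t "$table" -A "$chain" "$@"
}

# add_vpn_rules: installs the three rules and stores how many were new in ADDED.
add_vpn_rules() {
    ADDED=0
    # DNS from the VPN subnet goes to ShellCrash's DNS listener (needed for both cores)
    ensure_rule nat shellcrash_dns -p udp -s "$VPN_NET" \
        -j REDIRECT --to-ports "$DNS_PORT" && ADDED=$((ADDED + 1))
    # Mark TCP and UDP from the subnet so the meta core intercepts it.
    # iptables takes one protocol per rule, so "-p tcp+udp" must be two rules.
    for proto in tcp udp; do
        ensure_rule mangle shellcrash_mark -p "$proto" -s "$VPN_NET" \
            -j MARK --set-xmark "$FWMARK" && ADDED=$((ADDED + 1))
    done
    echo "added $ADDED new rule(s) for $VPN_NET"
}

# Run when executed as a script (e.g. from cron); do nothing when sourced.
case "$0" in */vpn_rules.sh|vpn_rules.sh) add_vpn_rules ;; esac
```

A crontab line such as `@reboot sleep 60; sh /path/to/vpn_rules.sh` (path is an assumption) re-applies the rules after ShellCrash has rebuilt its chains.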

@juewuy
Owner

juewuy commented Aug 25, 2024

Try the custom VLAN subnet feature, menu 7-3-3.

@bsdcpp
Author

bsdcpp commented Aug 25, 2024

I should have asked earlier; asking really paid off. Roughly, though, I don't quite understand: is it that this can't be handled together with MAC, i.e. once I have configured a MAC whitelist, I can no longer configure IP rules as well, right?

    # tcp and udp each go through the proxy chain separately
    proxy_set() {
        if [ "$3" = 'PREROUTING' ] && [ "$macfilter_type" = "白名单" ] && [ -s "$CRASHDIR"/configs/mac ]; then
            for mac in $(cat "$CRASHDIR"/configs/mac); do
                $1 -t $2 -A $4 -p $5 -m mac --mac-source $mac -j $JUMP
            done
        else
            for ip in $HOST_IP; do # only traffic from the specified subnets
                $1 -t $2 -A $4 -p $5 -s $ip -j $JUMP
                echo $1 -t $2 -A $4 -p $5 -s $ip -j $JUMP
            done
        fi
        # point the specified traffic on the parent chain to the shellcrash chain
        $1 -t $2 -I $3 -p $5 $ports -j $4
        [ "$dns_mod" != "redir_host" ] && [ "$common_ports" = "已开启" ] && [ "$1" = iptables ] && $1 -t $2 -I $3 -p $5 -d 198.18.0.0/16 -j $4
    }
    [ "$5" = "tcp" -o "$5" = "all" ] && proxy_set $1 $2 $3 $4 tcp
    [ "$5" = "udp" -o "$5" = "all" ] && proxy_set $1 $2 $3 $4 udp

This condition only ever adds the MAC rules:

    if [ "$3" = 'PREROUTING' ] && [ "$macfilter_type" = "白名单" ] && [ -s "$CRASHDIR"/configs/mac ]; then

@bsdcpp
Author

bsdcpp commented Aug 25, 2024

One more issue:

    #if [ "$replace_default_host_ipv4" == "未禁用" ]; then
    if [ "$replace_default_host_ipv4" == "已启用" ]; then
        host_ipv4="$cust_host_ipv4"
    else
        host_ipv4="$host_ipv4$cust_host_ipv4"
    fi

I see the UI no longer uses "未禁用" but "已启用", so the comparison never matches and the override is not applied.

@bsdcpp
Author

bsdcpp commented Aug 25, 2024


I tried removing the else, i.e. adding the IP rules at the same time as the MAC rules, and that works 😂. Not sure whether this causes any problems.
The changes are as follows:

--- ori.sh
+++ start.sh
@@ -194,7 +194,7 @@
 		sleep 1 && i=$((i + 1))
 	done
 	#添加自定义ipv4局域网网段
-	if [ "$replace_default_host_ipv4" == "未禁用" ]; then
+	if [ "$replace_default_host_ipv4" == "已启用" ]; then
 		host_ipv4="$cust_host_ipv4"
 	else
 		host_ipv4="$host_ipv4$cust_host_ipv4"
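Review bot: the literal in the comparison changes from "未禁用" to "已启用", which matches what the current UI stores, but any existing config file that still holds the old value "未禁用" now silently falls into the `else` branch and appends `$cust_host_ipv4` to `$host_ipv4` instead of replacing it; either migrate the old value on upgrade or match both strings, and add a comment listing the values `replace_default_host_ipv4` can take so the next rename does not break it again.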
@@ -930,7 +930,7 @@
 			for mac in $(cat "$CRASHDIR"/configs/mac); do
 				$1 -t $2 -A $4 -p $5 -m mac --mac-source $mac -j $JUMP
 			done
-		else
+		#else
 			for ip in $HOST_IP; do #仅限指定网段流量
 				$1 -t $2 -A $4 -p $5 -s $ip -j $JUMP
 			done
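Review bot: commenting out the `else` makes the `for ip in $HOST_IP` loop run unconditionally, so with a MAC whitelist configured every host in the LAN subnets is still jumped to `$JUMP` and the whitelist no longer restricts anything; the MAC loop above it becomes redundant. If the intent is only to admit the VPN subnet, add that subnet as its own rule (or its own option) instead of disabling the whitelist branch, and delete the `#else` line rather than leaving dead code behind.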
@@ -972,7 +972,7 @@
 			$1 -t nat -A $3 -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port
 			$1 -t nat -A $3 -p udp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port
 		done
-	else
+	#else
 		for ip in $HOST_IP; do #仅限指定网段流量
 			$1 -t nat -A $3 -p tcp -s $ip -j REDIRECT --to-ports $dns_port
 			$1 -t nat -A $3 -p udp -s $ip -j REDIRECT --to-ports $dns_port
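Review bot: the DNS redirect has the same structural problem: with `else` gone, the subnet-wide `REDIRECT --to-ports $dns_port` rules are appended after the per-MAC rules regardless of `macfilter_type`, so whitelisted and non-whitelisted clients receive identical DNS handling and the per-MAC REDIRECT rules are dead. Keep the branch and append a separate `-s <vpn subnet>` REDIRECT pair in both the MAC and the IP path instead, so the whitelist semantics for LAN clients are preserved.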

@juewuy
Owner

juewuy commented Aug 25, 2024

@bsdcpp A whitelist naturally only lets what is on the list through.
