Permalink
aa65535
Use IP-address in access control.
2d55704
Dec 26, 2017
Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.
Sign up
aa65535
Use IP-address in access control.
2d55704
| #!/bin/sh | |
| # | |
| # Copyright (C) 2014-2017 Jian Chang <aa65535@live.com> | |
| # | |
| # This is free software, licensed under the GNU General Public License v3. | |
| # See /LICENSE for more information. | |
| # | |
| usage() { | |
| cat <<-EOF | |
| Usage: ss-rules [options] | |
| Valid options are: | |
| -s <server_ips> ip address of shadowsocks remote server | |
| -l <local_port> port number of shadowsocks local server | |
| -S <server_ips> ip address of shadowsocks remote UDP server | |
| -L <local_port> port number of shadowsocks local UDP server | |
| -B <ip_list_file> a file whose content is bypassed ip list | |
| -b <wan_ips> wan ip of will be bypassed | |
| -W <ip_list_file> a file whose content is forwarded ip list | |
| -w <wan_ips> wan ip of will be forwarded | |
| -I <interface> proxy only for the given interface | |
| -d <target> the default target of lan access control | |
| -a <lan_hosts> lan ip of access control, need a prefix to | |
| define proxy type | |
| -e <extra_args> extra arguments for iptables | |
| -o apply the rules to the OUTPUT chain | |
| -O apply the global rules to the OUTPUT chain | |
| -u enable udprelay mode, TPROXY is required | |
| -U enable udprelay mode, using different IP | |
| and ports for TCP and UDP | |
| -f flush the rules | |
| -h show this help message and exit | |
| EOF | |
| exit $1 | |
| } | |
| loger() { | |
| # 1.alert 2.crit 3.err 4.warn 5.notice 6.info 7.debug | |
| logger -st ss-rules[$$] -p$1 $2 | |
| } | |
| flush_rules() { | |
| iptables-save -c | grep -v "SS_SPEC" | iptables-restore -c | |
| if command -v ip >/dev/null 2>&1; then | |
| ip rule del fwmark 1 lookup 100 2>/dev/null | |
| ip route del local default dev lo table 100 2>/dev/null | |
| fi | |
| for setname in $(ipset -n list | grep "ss_spec"); do | |
| ipset destroy $setname 2>/dev/null | |
| done | |
| FWI=$(uci get firewall.shadowsocks.path 2>/dev/null) | |
| [ -n "$FWI" ] && echo '# firewall include file' >$FWI | |
| return 0 | |
| } | |
| ipset_init() { | |
| ipset -! restore <<-EOF || return 1 | |
| create ss_spec_src_ac hash:ip hashsize 64 | |
| create ss_spec_src_bp hash:ip hashsize 64 | |
| create ss_spec_src_fw hash:ip hashsize 64 | |
| create ss_spec_dst_sp hash:net hashsize 64 | |
| create ss_spec_dst_bp hash:net hashsize 64 | |
| create ss_spec_dst_fw hash:net hashsize 64 | |
| $(gen_lan_host_ipset_entry) | |
| $(gen_special_purpose_ip | sed -e "s/^/add ss_spec_dst_sp /") | |
| $(sed -e "s/^/add ss_spec_dst_bp /" ${WAN_BP_LIST:=/dev/null} 2>/dev/null) | |
| $(for ip in $WAN_BP_IP; do echo "add ss_spec_dst_bp $ip"; done) | |
| $(sed -e "s/^/add ss_spec_dst_fw /" ${WAN_FW_LIST:=/dev/null} 2>/dev/null) | |
| $(for ip in $WAN_FW_IP; do echo "add ss_spec_dst_fw $ip"; done) | |
| EOF | |
| return 0 | |
| } | |
| ipt_nat() { | |
| include_ac_rules nat | |
| ipt="iptables -t nat" | |
| $ipt -A SS_SPEC_WAN_FW -p tcp \ | |
| -j REDIRECT --to-ports $local_port || return 1 | |
| if [ -n "$OUTPUT" ]; then | |
| $ipt -N SS_SPEC_WAN_DG | |
| $ipt -A SS_SPEC_WAN_DG -m set --match-set ss_spec_dst_sp dst -j RETURN | |
| $ipt -A SS_SPEC_WAN_DG -p tcp $EXT_ARGS -j $OUTPUT | |
| $ipt -I OUTPUT 1 -p tcp -j SS_SPEC_WAN_DG | |
| fi | |
| return $? | |
| } | |
| ipt_mangle() { | |
| [ -n "$TPROXY" ] || return 0 | |
| if !(lsmod | grep -q TPROXY && command -v ip >/dev/null); then | |
| loger 4 "TPROXY or ip not found." | |
| return 0 | |
| fi | |
| ip rule add fwmark 1 lookup 100 | |
| ip route add local default dev lo table 100 | |
| include_ac_rules mangle | |
| iptables -t mangle -A SS_SPEC_WAN_FW -p udp \ | |
| -j TPROXY --on-port $LOCAL_PORT --tproxy-mark 0x01/0x01 | |
| return $? | |
| } | |
| export_ipt_rules() { | |
| [ -n "$FWI" ] || return 0 | |
| cat <<-CAT >>$FWI | |
| iptables-save -c | grep -v "SS_SPEC" | iptables-restore -c | |
| iptables-restore -n <<-EOF | |
| $(iptables-save | grep -E "SS_SPEC|^\*|^COMMIT" |\ | |
| sed -e "s/^-A \(OUTPUT\|PREROUTING\)/-I \1 1/") | |
| EOF | |
| CAT | |
| return $? | |
| } | |
| gen_lan_host_ipset_entry() { | |
| for host in $LAN_HOSTS; do | |
| case "${host:0:1}" in | |
| b|B) | |
| echo add ss_spec_src_bp ${host:2} | |
| ;; | |
| g|G) | |
| echo add ss_spec_src_fw ${host:2} | |
| ;; | |
| n|N) | |
| echo add ss_spec_src_ac ${host:2} | |
| ;; | |
| esac | |
| done | |
| } | |
| gen_special_purpose_ip() { | |
| cat <<-EOF | grep -E "^([0-9]{1,3}\.){3}[0-9]{1,3}" | |
| 0.0.0.0/8 | |
| 10.0.0.0/8 | |
| 100.64.0.0/10 | |
| 127.0.0.0/8 | |
| 169.254.0.0/16 | |
| 172.16.0.0/12 | |
| 192.0.0.0/24 | |
| 192.0.2.0/24 | |
| 192.31.196.0/24 | |
| 192.52.193.0/24 | |
| 192.88.99.0/24 | |
| 192.168.0.0/16 | |
| 192.175.48.0/24 | |
| 198.18.0.0/15 | |
| 198.51.100.0/24 | |
| 203.0.113.0/24 | |
| 224.0.0.0/4 | |
| 240.0.0.0/4 | |
| 255.255.255.255 | |
| $server | |
| $SERVER | |
| EOF | |
| } | |
| include_ac_rules() { | |
| local protocol=$([ "$1" = "mangle" ] && echo udp || echo tcp) | |
| iptables-restore -n <<-EOF | |
| *$1 | |
| :SS_SPEC_LAN_DG - [0:0] | |
| :SS_SPEC_LAN_AC - [0:0] | |
| :SS_SPEC_WAN_AC - [0:0] | |
| :SS_SPEC_WAN_FW - [0:0] | |
| -A SS_SPEC_LAN_DG -m set --match-set ss_spec_dst_sp dst -j RETURN | |
| -A SS_SPEC_LAN_DG -p $protocol $EXT_ARGS -j SS_SPEC_LAN_AC | |
| -A SS_SPEC_LAN_AC -m set --match-set ss_spec_src_bp src -j RETURN | |
| -A SS_SPEC_LAN_AC -m set --match-set ss_spec_src_fw src -j SS_SPEC_WAN_FW | |
| -A SS_SPEC_LAN_AC -m set --match-set ss_spec_src_ac src -j SS_SPEC_WAN_AC | |
| -A SS_SPEC_LAN_AC -j ${LAN_TARGET:=SS_SPEC_WAN_AC} | |
| -A SS_SPEC_WAN_AC -m set --match-set ss_spec_dst_fw dst -j SS_SPEC_WAN_FW | |
| -A SS_SPEC_WAN_AC -m set --match-set ss_spec_dst_bp dst -j RETURN | |
| -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW | |
| $(gen_prerouting_rules $protocol) | |
| COMMIT | |
| EOF | |
| } | |
| gen_prerouting_rules() { | |
| [ -z "$IFNAMES" ] && echo -I PREROUTING 1 -p $1 -j SS_SPEC_LAN_DG | |
| for ifname in $IFNAMES; do | |
| echo -I PREROUTING 1 -i $ifname -p $1 -j SS_SPEC_LAN_DG | |
| done | |
| } | |
| while getopts ":s:l:S:L:B:b:W:w:I:d:a:e:oOuUfh" arg; do | |
| case "$arg" in | |
| s) | |
| server=$(for ip in $OPTARG; do echo $ip; done) | |
| ;; | |
| l) | |
| local_port=$OPTARG | |
| ;; | |
| S) | |
| SERVER=$(for ip in $OPTARG; do echo $ip; done) | |
| ;; | |
| L) | |
| LOCAL_PORT=$OPTARG | |
| ;; | |
| B) | |
| WAN_BP_LIST=$OPTARG | |
| ;; | |
| b) | |
| WAN_BP_IP=$OPTARG | |
| ;; | |
| W) | |
| WAN_FW_LIST=$OPTARG | |
| ;; | |
| w) | |
| WAN_FW_IP=$OPTARG | |
| ;; | |
| I) | |
| IFNAMES=$OPTARG | |
| ;; | |
| d) | |
| LAN_TARGET=$OPTARG | |
| ;; | |
| a) | |
| LAN_HOSTS=$OPTARG | |
| ;; | |
| e) | |
| EXT_ARGS=$OPTARG | |
| ;; | |
| o) | |
| OUTPUT=SS_SPEC_WAN_AC | |
| ;; | |
| O) | |
| OUTPUT=SS_SPEC_WAN_FW | |
| ;; | |
| u) | |
| TPROXY=1 | |
| ;; | |
| U) | |
| TPROXY=2 | |
| ;; | |
| f) | |
| flush_rules | |
| exit 0 | |
| ;; | |
| h) | |
| usage 0 | |
| ;; | |
| esac | |
| done | |
| [ -z "$server" -o -z "$local_port" ] && usage 2 | |
| if [ "$TPROXY" = 1 ]; then | |
| unset SERVER | |
| LOCAL_PORT=$local_port | |
| elif [ "$TPROXY" = 2 ]; then | |
| : ${SERVER:?"You must assign an ip for the udp relay server."} | |
| : ${LOCAL_PORT:?"You must assign a port for the udp relay server."} | |
| fi | |
| flush_rules && ipset_init && ipt_nat && ipt_mangle && export_ipt_rules | |
| RET=$? | |
| [ "$RET" = 0 ] || loger 3 "Start failed!" | |
| exit $RET |