#!/bin/sh usage() { cat <<-EOF Usage: ss-rules [options] Valid options are: -s hostname or ip of shadowsocks remote server -l port number of shadowsocks local server -i a file content is bypassed ip list -a lan ip of access control, need a prefix to define access control mode -b wan ip of will be bypassed -w wan ip of will be forwarded -e extra options for iptables -o apply the rules to the OUTPUT chain -u enable udprelay mode, TPROXY is required -f flush the rules EOF } loger() { # 1.alert 2.crit 3.err 4.warn 5.notice 6.info 7.debug logger -st ss-rules[$$] -p$1 $2 } ipt_n="iptables -t nat" ipt_m="iptables -t mangle" flush_r() { local IPT IPT=$(iptables-save -t nat) eval $(echo "$IPT" | grep "_SS_SPEC_RULE_" | \ sed -e 's/^-A/$ipt_n -D/' -e 's/$/;/') for chain in $(echo "$IPT" | awk '/^:SS_SPEC/{print $1}'); do $ipt_n -F ${chain:1} 2>/dev/null && $ipt_n -X ${chain:1} done IPT=$(iptables-save -t mangle) eval $(echo "$IPT" | grep "_SS_SPEC_RULE_" | \ sed -e 's/^-A/$ipt_m -D/' -e 's/$/;/') for chain in $(echo "$IPT" | awk '/^:SS_SPEC/{print $1}'); do $ipt_m -F ${chain:1} 2>/dev/null && $ipt_m -X ${chain:1} done ip rule del fwmark 0x01/0x01 table 100 2>/dev/null ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null ipset -X ss_spec_lan_ac 2>/dev/null ipset -X ss_spec_wan_ac 2>/dev/null return 0 } ipset_r() { ipset -! -R <<-EOF || return 1 create ss_spec_wan_ac hash:net $(echo -e "$IPLIST" | sed -e "s/^/add ss_spec_wan_ac /") $(for ip in $WAN_FW_IP; do echo "add ss_spec_wan_ac $ip nomatch"; done) EOF $ipt_n -N SS_SPEC_WAN_AC && \ $ipt_n -A SS_SPEC_WAN_AC -m set --match-set ss_spec_wan_ac dst -j RETURN && \ $ipt_n -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW return $? } fw_rule() { $ipt_n -N SS_SPEC_WAN_FW && \ $ipt_n -A SS_SPEC_WAN_FW -p tcp \ -j REDIRECT --to-ports $LOCAL_PORT 2>/dev/null || { loger 3 "Can't redirect, please check the iptables." exit 1 } return $? } ac_rule() { local TAG ROUTECHAIN if [ -n "$LAN_AC_IP" ]; then if [ "${LAN_AC_IP:0:1}" = "w" ]; then TAG="nomatch" else if [ "${LAN_AC_IP:0:1}" != "b" ]; then loger 3 "Bad argument \`-a $LAN_AC_IP\`." return 2 fi fi fi ROUTECHAIN=PREROUTING if iptables-save -t nat | grep -q "^:zone_lan_prerouting"; then ROUTECHAIN=zone_lan_prerouting fi ipset -! -R <<-EOF || return 1 create ss_spec_lan_ac hash:net $(for ip in ${LAN_AC_IP:1}; do echo "add ss_spec_lan_ac $ip $TAG"; done) EOF $ipt_n -A $ROUTECHAIN -p tcp $EXT_ARGS \ -m set ! --match-set ss_spec_lan_ac src \ -m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC if [ "$OUTPUT" = 1 ]; then $ipt_n -A OUTPUT -p tcp $EXT_ARGS \ -m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC fi return $? } tp_rule() { [ "$TPROXY" = 1 ] || return 0 ip rule add fwmark 0x01/0x01 table 100 ip route add local 0.0.0.0/0 dev lo table 100 $ipt_m -N SS_SPEC_TPROXY $ipt_m -A SS_SPEC_TPROXY -p udp -m set ! --match-set ss_spec_wan_ac dst \ -j TPROXY --on-port $LOCAL_PORT --tproxy-mark 0x01/0x01 $ipt_m -A PREROUTING -p udp $EXT_ARGS \ -m set ! --match-set ss_spec_lan_ac src \ -m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_TPROXY return $? } while getopts ":s:l:c:i:e:a:b:w:ouf" arg; do case $arg in s) SERVER=$OPTARG ;; l) LOCAL_PORT=$OPTARG ;; i) IGNORE=$OPTARG ;; e) EXT_ARGS=$OPTARG ;; a) LAN_AC_IP=$OPTARG ;; b) WAN_BP_IP=$(for ip in $OPTARG; do echo $ip; done) ;; w) WAN_FW_IP=$OPTARG ;; o) OUTPUT=1 ;; u) TPROXY=1 ;; f) flush_r exit 0 ;; esac done if [ -z "$SERVER" -o -z "$LOCAL_PORT" ]; then usage exit 2 fi SERVER=$(resolveip -t60 $SERVER) if [ -z "$SERVER" ]; then loger 3 "Can't resolve the server hostname." exit 1 fi if [ -f "$IGNORE" ]; then IGNORE_IP=$(cat $IGNORE 2>/dev/null) fi IPLIST=$(cat <<-EOF | grep -E "^([0-9]{1,3}\.){3}[0-9]{1,3}" $SERVER 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 255.255.255.255 $WAN_BP_IP $IGNORE_IP EOF ) flush_r && fw_rule && ipset_r && ac_rule && tp_rule exit $?