Last active
March 5, 2023 16:46
-
-
Save cloverstd/0c3da3191797e8837cf86e5791404e55 to your computer and use it in GitHub Desktop.
clash 旁路由配置
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| mixed-port: 17890 | |
| redir-port: 17892 | |
| allow-lan: true | |
| mode: rule | |
| log-level: info | |
| external-controller: 0.0.0.0:9090 | |
| dns: | |
| enable: true | |
| ipv6: false | |
| listen: 0.0.0.0:10053 | |
| nameserver: | |
| - 8.8.8.8 | |
| - tls://dns.rubyfish.cn:853 | |
| - https://1.1.1.1/dns-query | |
| - 1.1.1.1 | |
| enhanced-mode: fake-ip | |
| #enhanced-mode: redir-host | |
| default-nameserver: | |
| - 114.114.114.114 | |
| - 8.8.8.8 | |
| fake-ip-range: 198.18.0.1/16 | |
| use-hosts: true | |
| fallback: | |
| - tls://dns.rubyfish.cn:853 | |
| - https://1.1.1.1/dns-query | |
| proxies: | |
| - name: "proxy1" | |
| #TODO: proxy config | |
| - name: "proxy2" | |
| #TODO: proxy config | |
| proxy-groups: | |
| - name: "auto" | |
| type: url-test | |
| proxies: | |
| - proxy1 | |
| - proxy2 | |
| url: 'http://www.gstatic.com/generate_204' | |
| interval: 300 | |
| - name: "proxy" | |
| type: select | |
| proxies: | |
| - proxy1 | |
| - proxy2 | |
| - auto | |
| rules: | |
| - DOMAIN-SUFFIX,vx.link,DIRECT | |
| - DOMAIN-SUFFIX,ip.parts,DIRECT | |
| - DOMAIN-SUFFIX,ad.com,REJECT | |
| # 常见名单 | |
| - DOMAIN-SUFFIX,google.com,proxy | |
| - DOMAIN-KEYWORD,google,proxy | |
| # rename SOURCE-IP-CIDR and would remove after prerelease | |
| #- SRC-IP-CIDR,192.168.2.184/32,DIRECT | |
| # optional param "no-resolve" for IP rules (GEOIP IP-CIDR) | |
| - IP-CIDR,127.0.0.0/8,DIRECT | |
| - IP-CIDR,192.168.0.0/16,DIRECT | |
| - GEOIP,CN,DIRECT | |
| - MATCH,proxy |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| proxy_port=17892 | |
| clash_dir=/opt/clash | |
| clash_bin=$clash_dir/clash | |
| # prepare: download clash and save it to $clash_dir/$clash_bin | |
| # TODO: download clash | |
| useradd -M -s /usr/sbin/nologin -U clash | |
| chown -R clash:clash $clash_dir | |
| chmod +x $clash_bin | |
| # 让 clash 没有 root 权限也能 listen udp | |
| setcap 'cap_net_admin=eip cap_net_bind_service=+eip' $clash_bin | |
| iptables -t nat -F | |
| iptables -t nat -F clash | |
| iptables -t nat -X clash | |
| # create chain named clash | |
| iptables -t nat -N clash | |
| # 调整文件描述符 | |
| echo "* soft nofile 102400" >> /etc/security/limits.conf | |
| echo "* soft nofile 104800" >> /etc/security/limits.conf | |
| # 开启 ip forward | |
| echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf && sysctl -p | |
| echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.conf && sysctl -p | |
| iptables -t nat -A clash -d 0.0.0.0/8 -j RETURN | |
| iptables -t nat -A clash -d 10.0.0.0/8 -j RETURN | |
| iptables -t nat -A clash -d 127.0.0.0/8 -j RETURN | |
| iptables -t nat -A clash -d 169.254.0.0/16 -j RETURN | |
| iptables -t nat -A clash -d 172.16.0.0/12 -j RETURN | |
| iptables -t nat -A clash -d 192.168.0.0/16 -j RETURN | |
| iptables -t nat -A clash -d 224.0.0.0/4 -j RETURN | |
| iptables -t nat -A clash -d 240.0.0.0/4 -j RETURN | |
| iptables -t nat -A clash -p tcp -j REDIRECT --to-port "$proxy_port" | |
| iptables -t nat -I PREROUTING -p tcp -d 8.8.8.8 -j REDIRECT --to-port "$proxy_port" | |
| iptables -t nat -I PREROUTING -p tcp -d 8.8.4.4 -j REDIRECT --to-port "$proxy_port" | |
| iptables -t nat -A PREROUTING -p tcp -j clash | |
| iptables -t nat -A OUTPUT -p tcp -d 198.18.0.0/16 -j REDIRECT --to-port "$proxy_port" | |
| # 让 frp 这个用户不走代理 | |
| iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner frp -j RETURN | |
| # 下面的 -m owner 是过滤掉 clash 这个用户下的流量,让旁路由这台机器也能正常上网和走代理,同时也是为了让 proxy 直连而不是走 clash | |
| iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner clash -j REDIRECT --to-port $proxy_port | |
| iptables -t nat -F CLASH_DNS | |
| iptables -t nat -X CLASH_DNS | |
| iptables -t nat -N CLASH_DNS | |
| # 让 frp 这个用户不走代理 | |
| iptables -t nat -A CLASH_DNS -p udp -m owner --uid-owner frp -j RETURN | |
| iptables -t nat -A CLASH_DNS -p udp -j REDIRECT --to-port 10053 | |
| # 下面的 -m owner 是过滤掉 clash 这个用户下的流量,让旁路由这台机器也能正常上网和走代理,同时也是为了让 proxy 直连而不是走 clash | |
| iptables -t nat -I OUTPUT -p udp --dport 53 -m owner ! --uid-owner clash -j CLASH_DNS | |
| iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to 10053 | |
| # 持久化 iptables | |
| netfilter-persistent save |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # 还需要到 [supervisord] 块将 minfds 修改成 102400 | |
| [program:clash] | |
| command=/opt/clash/clash -d . | |
| process_name=%(program_name)s | |
| numprocs=1 | |
| directory=/opt/clash | |
| umask=022 | |
| autostart=true | |
| autorestart=unexpected | |
| stopsignal=TERM | |
| stopwaitsecs=10 | |
| stopasgroup=true | |
| killasgroup=true | |
| user=clash | |
| redirect_stderr=false | |
| stdout_logfile=/opt/clash/stdout.log | |
| stdout_logfile_maxbytes=10MB | |
| stdout_logfile_backups=2 | |
| stdout_events_enabled=false | |
| stderr_logfile=/opt/clash/stderr.log | |
| stderr_logfile_maxbytes=10MB | |
| stderr_logfile_backups=2 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
根据 WIFI 切换 Mac WIFI 配置
https://github.com/eprev/locationchanger
https://razeencheng.com/post/auto-change-network-location-base-on-name-of-wifi.html