OpenWRT: iptables transparent proxy script for ss-redir
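#!/bin/sh
# OpenWrt: iptables transparent proxy setup for ss-redir.
#
# TCP from the LAN zone and from the router itself is REDIRECTed to the
# local ss-redir listener; UDP arriving on $LAN_IF is steered to the same
# listener with TPROXY (fwmark 0x64 -> routing table 100 -> lo).
#
# Assumptions (verify on the target box):
#   - fw3 (iptables) firewall: the nat chain `zone_lan_prerouting` exists.
#     It does not exist under fw4/nftables.
#   - the TPROXY target (kmod-ipt-tproxy / xt_TPROXY) is available.
#   - ss-redir is started separately (see the note at the bottom).
#
# Re-running the script is safe: the custom chains are flushed and
# repopulated, and the jump rules are only inserted when not already present.
set -u

# Interface carrying LAN client traffic for the UDP TPROXY rule.
# NOTE(review): the variable is called LAN_IF but holds "wan1"; if that is
# really a WAN-facing device, UDP ingressing from the WAN would be TPROXYed.
# Confirm the device name (OpenWrt's LAN bridge is usually br-lan).
LAN_IF=wan1
# Local port ss-redir listens on (TCP redirect target and UDP TPROXY port).
SS_PORT=1088
# Remote ss-server. SSS_HOST must be an IPv4 literal: it is also used as an
# iptables -d match, and iptables resolves a hostname only once, at
# rule-insertion time.
SSS_HOST=
SSS_PORT=
SSS_METHOD=
SSS_PASS=

# Destinations that must never go through the proxy (loopback, link-local,
# RFC 1918, multicast, reserved). The nat and mangle chains used to differ
# on 240.0.0.0/4; both now bypass it.
# Not bypassed by default (add here if needed):
#   192.0.0.0/24 reserved, 192.0.2.0/24 TEST-NET-1, 198.51.100.0/24 TEST-NET-2,
#   203.0.113.0/24 TEST-NET-3, 255.255.255.255 broadcast,
#   100.64.0.0/10 CGNAT (add it if the ISP hands out shared address space).
BYPASS_NETS="
127.0.0.0/8
169.254.0.0/16
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
224.0.0.0/4
240.0.0.0/4
"

# add_bypass TABLE CHAIN: append the RETURN rules for $BYPASS_NETS and for
# the ss-server itself to CHAIN in TABLE.
add_bypass() {
  table=$1
  chain=$2
  # shellcheck disable=SC2086 -- word splitting on the whitespace list is intended
  for net in $BYPASS_NETS; do
    iptables -t "$table" -A "$chain" -d "$net" -j RETURN
  done
  # Exclude the ss-server. ss-redir's own upstream TCP connections traverse
  # nat OUTPUT (hooked below); without this RETURN they would be redirected
  # back into ss-redir and loop.
  if [ -n "$SSS_HOST" ]; then
    iptables -t "$table" -A "$chain" -d "$SSS_HOST" -j RETURN
  fi
}

# ensure_rule TABLE ACTION CHAIN RULE...: add RULE to CHAIN with ACTION
# (-I or -A) unless an identical rule is already present (-C), so that
# re-running the script does not stack duplicate jumps.
ensure_rule() {
  table=$1
  action=$2
  chain=$3
  shift 3
  iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
    || iptables -t "$table" "$action" "$chain" "$@"
}

if [ -z "$SSS_HOST" ]; then
  echo "warning: SSS_HOST is empty; the ss-server is not excluded and router-originated TCP to it will loop through ss-redir" >&2
fi

# --- TCP: nat/REDIRECT chain ---
iptables -t nat -N ss 2>/dev/null   # -N fails when the chain already exists; harmless
iptables -t nat -F ss
add_bypass nat ss
iptables -t nat -A ss -p tcp -j REDIRECT --to-ports "$SS_PORT"

# --- UDP: mangle/TPROXY chain ---
iptables -t mangle -N ss 2>/dev/null
iptables -t mangle -F ss
add_bypass mangle ss
# Mark matching UDP with 0x64; the policy rule below routes it to lo, where
# the transparent ss-redir socket on $SS_PORT picks it up.
iptables -t mangle -A ss -p udp -j TPROXY --tproxy-mark 0x64/0x64 --on-port "$SS_PORT"

# Hook the chains into the firewall.
# TCP for LAN (fw3 zone chain)
ensure_rule nat -I zone_lan_prerouting -p tcp -j ss
# TCP for the router itself
ensure_rule nat -I OUTPUT -p tcp -j ss
# UDP for LAN
ensure_rule mangle -A PREROUTING -i "$LAN_IF" -p udp -j ss

# Policy routing for TPROXY: fwmark 0x64 -> table 100 -> deliver locally on lo.
# `ip rule add` is not idempotent, so this runs once per boot: /tmp is tmpfs
# on OpenWrt and the flag disappears on reboot. The flag is only written when
# both commands succeed, so a failed attempt is retried on the next run.
INIT_FLAG_FILE=/tmp/.firewall-initialized
if [ ! -f "$INIT_FLAG_FILE" ]; then
  ip route replace local default dev lo table 100 \
    && ip rule add fwmark 0x64 lookup 100 \
    && touch "$INIT_FLAG_FILE"
fi

# ss-redir itself is started elsewhere (tmux cannot be used from this
# context). Example:
#
#   ss-redir -b 0.0.0.0 -l $SS_PORT -s $SSS_HOST -p $SSS_PORT \
#            -m $SSS_METHOD -k $SSS_PASS -u
#
# Security notes:
#   - The TPROXY rule above has no --on-ip, so the UDP socket must match
#     arbitrary destination addresses; that is what the wildcard bind
#     `-b 0.0.0.0` provides. It also exposes $SS_PORT on every interface:
#     make sure the WAN input policy rejects it (OpenWrt's default WAN zone does).
#   - `-k $SSS_PASS` on the command line is visible to every local user via
#     `ps`; prefer `ss-redir -c /path/to/config.json` with the key in a
#     root-only file.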