Last active
April 12, 2021 21:11
-
-
Save neroanelli/7615378 to your computer and use it in GitHub Desktop.
shadowsocks for tomato firmware.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| BIN=shadowsocks | |
| RUN_D=/var/run | |
| ss_local_PID_FILE=$RUN_D/ss-local.pid | |
| ss_redir_PID_FILE=$RUN_D/ss-redir.pid | |
| ipset_blacklist="/opt/etc/ipset/blacklist" | |
| ipset_whitelist="/opt/etc/ipset/whitelist" | |
| file="/opt/etc/config/shadowsocks" | |
| COND=$1 | |
| GetKey(){ | |
| parameter=$1 | |
| awk '$1~/^'$parameter'/{print $2}' $file | |
| } | |
| start_ss() { | |
| # config_load "shadowsocks" | |
| local enabled remote rport lport pass redir_enabled redir_port whitelist_enabled blacklist_enabled | |
| # config_get enabled config enabled | |
| # config_get remote config remote_server | |
| # config_get rport config remote_port | |
| # config_get lport config local_port | |
| # config_get cipher config cipher | |
| # config_get pass config password | |
| # config_get redir_enabled config redir_enabled | |
| # config_get redir_port config redir_port | |
| # config_get whitelist_enabled config whitelist_enabled | |
| # config_get blacklist_enabled config blacklist_enabled | |
| enabled=$(GetKey enabled) | |
| remote=$(GetKey remote_server) | |
| rport=$(GetKey remote_port) | |
| lport=$(GetKey local_port) | |
| cipher=$(GetKey cipher ) | |
| pass=$(GetKey pass) | |
| redir_enabled=$(GetKey redir_enabled) | |
| redir_port=$(GetKey redir_port) | |
| whitelist_enabled=$(GetKey whitelist_enabled) | |
| blacklist_enabled=$(GetKey blacklist_enabled) | |
| echo $remote | |
| echo $rport | |
| echo $lport | |
| echo $pass | |
| [ -z "$remote" ] || [ -z "$rport" ] || [ -z "$lport" ] || [ -z "$pass" ] && { | |
| echo "missing parameters. check config" | |
| return 1 | |
| } | |
| [ "$enabled" = '1' ] && { | |
| echo "Starting ss-local... " | |
| /opt/sbin/ss-local -s "$remote" -p "$rport" -l "$lport" ${cipher:+-m $cipher} -k "$pass" -f "$ss_local_PID_FILE" | |
| } | |
| [ "$redir_enabled" = '1' ] && { | |
| echo "Starting ss-redir... " | |
| /opt/sbin/ss-redir -s "$remote" -p "$rport" -l "$redir_port" ${cipher:+-m $cipher} -k "$pass" -f "$ss_redir_PID_FILE" | |
| #add iptables module | |
| modprobe ipt_REDIRECT | |
| modprobe ipt_set | |
| remoteip="`ping -q -w1 $remote | grep PING | sed -e "s/).*//" | sed -e "s/.*(//"`" | |
| iptables -t nat -N SHADOWSOCKS | |
| iptables -t nat -A SHADOWSOCKS -d $remoteip -j RETURN | |
| iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN | |
| iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN | |
| iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN | |
| iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN | |
| iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN | |
| iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN | |
| iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN | |
| iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN | |
| if [ "$whitelist_enabled" = '0' ] && [ "$blacklist_enabled" = '0' ]; then | |
| iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports $redir_port | |
| else | |
| [ "$blacklist_enabled" = '1' ] && { | |
| checkblacklist=$(ipset -L blacklist 2> /dev/null | wc -l) | |
| [ $checkblacklist -eq 0 -a -f "$ipset_blacklist" ] && { | |
| ipset -N blacklist nethash --hashsize 64 | |
| for IP in $(cat $ipset_blacklist) | |
| do | |
| ipset -A blacklist $IP | |
| done | |
| #/opt/sbin/iptables -t nat -A SHADOWSOCKS -p tcp -m set --match-set blacklist src -j RETURN | |
| iptables -t nat -A SHADOWSOCKS -p tcp -m set --set blacklist src -j RETURN | |
| } | |
| } | |
| [ "$whitelist_enabled" = '1' ] && { | |
| checkwhitelist=$(ipset -L whitelist 2> /dev/null | wc -l) | |
| [ $checkwhitelist -eq 0 -a -f "$ipset_whitelist" ] && { | |
| ipset -N whitelist nethash --hashsize 4096 | |
| for IP in $(cat $ipset_whitelist) | |
| do | |
| ipset -A whitelist $IP | |
| done | |
| } | |
| #tomato is different from openwrt,just use "--set" instead. | |
| #/opt/sbin/iptables -t nat -A SHADOWSOCKS -p tcp -m set ! --match-set whitelist dst -j REDIRECT --to-ports $redir_port | |
| iptables -t nat -A SHADOWSOCKS -p tcp -m set ! --set whitelist dst -j REDIRECT --to-ports $redir_port | |
| } | |
| fi | |
| #iptables -t nat -I PREROUTING -j SHADOWSOCKS | |
| iptables -t nat -A PREROUTING -i `nvram get lan_ifname` -p tcp -j SHADOWSOCKS | |
| } | |
| } | |
| ss_local_stop() { | |
| echo "Stopping ss-local.. " | |
| killall ss-local && { | |
| rm -rf "$ss_local_PID_FILE" | |
| } | |
| } | |
| ss_redir_stop() { | |
| echo "Stopping ss-redir.. " | |
| killall ss-redir && { | |
| service firewall restart | |
| ipset -X whitelist | |
| ipset -X blacklist | |
| rm -rf "$ss_redir_PID_FILE" | |
| } | |
| } | |
| stop_ss() { | |
| ss_local_stop | |
| ss_redir_stop | |
| } | |
| #[ $# -eq 0 ] && COND="start" | |
| case $COND in | |
| stop) | |
| logger "Stopping $BIN... " | |
| echo "Stopping $BIN... " | |
| [ -n "`pidof ss-redir`" ] && ss_redir_stop | |
| [ -n "`pidof ss-local`" ] && ss_local_stop | |
| ;; | |
| start) | |
| logger "Starting $BIN... " | |
| echo "Starting $BIN... " | |
| mkdir -p $RUN_D | |
| #Todo,check whether ss-local or ss-redir mode is working. | |
| [ -n "`pidof ss-local`" ] || [ -n "`pidof ss-redir`" ] && echo "$BIN already running!" || start_ss | |
| ;; | |
| restart) | |
| logger "Restarting $BIN... " | |
| echo "Restarting $BIN... " | |
| "$0" stop | |
| sleep 1 | |
| "$0" start | |
| ;; | |
| *) | |
| echo "Usage: $0 (start|stop|restart|usage)" | |
| ;; | |
| esac | |
| exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment