
@qxj
Last active April 16, 2019 13:54
Run ss-redir on a Raspberry Pi as proxy, gateway and DNS.

dnsmasq and iptables configuration on the gateway (Raspberry Pi)

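#!/usr/bin/env python3
# coding=utf-8
#
# Generate a list of dnsmasq rules with ipset for gfwlist
#
# Copyright (C) 2014 http://www.shuyz.com
# Ref https://code.google.com/p/autoproxy-gfwlist/wiki/Rules
#
# Ported to Python 3: the original relied on the Python 2 `file()` builtin,
# the `print` statement and `str.decode('base64')`, and it called `urllib2`
# without ever importing it, so it could not run as written.
import base64
import datetime
import os
import re
import shutil
import tempfile
import urllib
import urllib.request

# resolver that queries for the blocked domains are forwarded to, and its port
mydnsip = '208.67.222.222'
mydnsport = '5353'
# mydnsport = '443'   # the sample dnsmasq.conf in this gist uses port 443
# final location, picked up by dnsmasq's conf-dir
rulesfile = '/etc/dnsmasq.d/gfwlist.conf'
# the url of gfwlist (HTTPS: urllib.request checks the server certificate
# against the system CA store; Python 2 releases before 2.7.9 did not)
baseurl = 'https://raw.githubusercontent.com/gfwlist/gfwlist/master/gfwlist.txt'
# match comments/title/whitelist/ip address
comment_pattern = re.compile(r'^\!|\[|^@@|^\d+\.\d+\.\d+\.\d+', re.ASCII)
# The captured group is written straight into the dnsmasq config, so its
# character class (word chars, '-', '_', '.') is all that keeps a hostile or
# corrupted list from smuggling '/', '#' or a newline into a server=/ipset=
# line -- keep it this tight.  re.ASCII keeps \w ASCII-only, as it was in
# the Python 2 original.
domain_pattern = re.compile(r'([\w\-\_]+\.[\w\.\-\_]+)[\/\*]*', re.ASCII)
# do not write to router internal flash directly: the file is assembled
# under tmpdir and moved into place once it is complete
tmpdir = '/tmp'
# ipset that dnsmasq fills with the resolved addresses (matched by iptables)
ipsetname = 'ss'


def fetch_gfwlist(url=baseurl, timeout=15):
    """Download gfwlist from *url* and return its base64-decoded text.

    Network errors (urllib.error.URLError, timeouts) and a body that is not
    base64 (binascii.Error) propagate: there is nothing sensible to install
    in those cases.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        raw = resp.read()
    # gfwlist is published as base64 with embedded line breaks; b64decode
    # with the default validate=False drops them, as str.decode('base64') did
    return base64.b64decode(raw).decode('utf-8', 'replace')


def build_rules(lines, dnsip=mydnsip, dnsport=mydnsport, ipset=ipsetname):
    """Translate gfwlist lines into dnsmasq ``server=``/``ipset=`` lines.

    Args:
        lines: decoded gfwlist lines, each with its trailing newline
            (the shape ``str.splitlines(True)`` yields).
        dnsip: resolver that queries for the matched domains are sent to.
        dnsport: port of that resolver.
        ipset: name of the ipset dnsmasq adds the answers to.

    Returns:
        ``(rules, domains)``: the output lines in input order (comment,
        title, whitelist and bare-IP lines are kept, prefixed with ``#``)
        and the distinct domains in first-seen order.
    """
    seen = set()
    domains = []
    rules = []
    for line in lines:
        if comment_pattern.search(line):
            print('this is a comment line: ' + line)
            rules.append('#' + line)
            continue
        found = domain_pattern.findall(line)
        if not found:
            print('no valid domain in this line: ' + line)
            continue
        domain = found[0]
        # the list repeats domains; emit each one once (a set instead of
        # list.index keeps this O(1) per line)
        if domain in seen:
            print(domain + ' exists.')
            continue
        print('saving ' + domain)
        seen.add(domain)
        domains.append(domain)
        rules.append('server=/.%s/%s#%s\n' % (domain, dnsip, dnsport))
        rules.append('ipset=/.%s/%s\n' % (domain, ipset))
    return rules, domains


def write_rules(rules, dest=rulesfile, workdir=tmpdir):
    """Write the header plus *rules* to a fresh file under *workdir*, then move it to *dest*.

    The file is created by tempfile (unpredictable name, O_EXCL, mode 0600)
    rather than at a fixed path such as /tmp/gfwlist.conf: this script runs
    as root, and a fixed name in a world-writable directory lets any other
    local user plant a symlink or swap the contents between the write and
    the move, i.e. choose what dnsmasq loads.  The file is chmod'ed to 0644
    before the move so dnsmasq can read it exactly as before (shutil.move
    keeps that mode when it has to copy across filesystems).  A failed
    write or move removes the temporary file.
    """
    stamp = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    tmp = tempfile.NamedTemporaryFile('w', encoding='utf-8', prefix='gfwlist.',
                                      suffix='.conf', dir=workdir, delete=False)
    installed = False
    try:
        with tmp:
            tmp.write('# gfw list ipset rules for dnsmasq\n')
            tmp.write('# updated on ' + stamp + '\n')
            tmp.write('#\n')
            tmp.writelines(rules)
        os.chmod(tmp.name, 0o644)
        shutil.move(tmp.name, dest)
        installed = True
    finally:
        if not installed and os.path.exists(tmp.name):
            os.unlink(tmp.name)


def main():
    """Fetch the list, render the rules and install them at rulesfile."""
    print('fetching list...')
    content = fetch_gfwlist()
    print('page content fetched, analysis...')
    rules, _ = build_rules(content.splitlines(True))
    print('moving generated file to dnsmasq directory')
    write_rules(rules)
    # restarting dnsmasq is left to the caller, as in the original:
    # print(os.popen('/etc/init.d/dnsmasq restart').read())
    print('done!')


if __name__ == '__main__':
    main()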
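#!/bin/bash
## https://github.com/alwaystest/Blog/issues/2
## http://novawl.blogspot.sg/2015/06/openwrtshadowsocksdnsmasqipset.html
##
## Gateway NAT rules: TCP traffic from the LAN to any address that dnsmasq
## has put into the "ss" ipset is redirected to the local ss-redir listener
## on port 1080; everything else is just masqueraded.  IPv4 only: ip6tables
## is not touched, so IPv6 traffic is neither redirected nor masqueraded.
## Only PREROUTING is hooked, so traffic generated on the gateway itself
## (which traverses OUTPUT, not PREROUTING) is not redirected.
##
## VPS_IP (optional): address of the shadowsocks server, exempted from the
## redirect.  Must run as root.
set -eu

## create ipset (hash:ip; dnsmasq appends the resolved addresses to it)
if ! ipset -n list ss > /dev/null 2>&1; then
    ipset create ss hash:ip
fi
## clean iptables
## NOTE: this also flushes the filter table (INPUT/FORWARD/OUTPUT) and
## deletes every user chain, so any host firewall configured elsewhere is
## gone after this point; the built-in chains keep their existing policies.
iptables -F
iptables -F -t nat
iptables -X
iptables -X -t nat
## masquerade packets as gateway, DO NOT specify "-o wlan0"
iptables -t nat -A POSTROUTING -j MASQUERADE
## create a custom chain
iptables -t nat -N XGFW
## ignore VPS address (optional): an unset VPS_IP used to produce a broken
## iptables command, now the rule is simply skipped
if [[ -n "${VPS_IP:-}" ]]; then
    iptables -t nat -A XGFW -d "${VPS_IP}" -j RETURN
fi
## ignore LAN and other non-routable ranges (optional)
iptables -t nat -A XGFW -d 0.0.0.0/8 -j RETURN
iptables -t nat -A XGFW -d 10.0.0.0/8 -j RETURN
iptables -t nat -A XGFW -d 127.0.0.0/8 -j RETURN
iptables -t nat -A XGFW -d 169.254.0.0/16 -j RETURN
iptables -t nat -A XGFW -d 172.16.0.0/12 -j RETURN
iptables -t nat -A XGFW -d 192.168.0.0/16 -j RETURN
iptables -t nat -A XGFW -d 224.0.0.0/4 -j RETURN
iptables -t nat -A XGFW -d 240.0.0.0/4 -j RETURN
# ignore addresses not in the ss ipset
iptables -t nat -A XGFW -m set ! --match-set ss dst -j RETURN
## redirect the rest to the ss-redir port (TCP only: UDP is never matched,
## so UDP DNS from a client that does not use the gateway's dnsmasq leaves
## unproxied)
iptables -t nat -A XGFW -p tcp -j REDIRECT --to-port 1080
## hook the XGFW chain into PREROUTING so it applies to incoming LAN traffic
iptables -t nat -A PREROUTING -p tcp -j XGFW
## hack iptv Q1: rewrite the IPTV portal and DNS addresses to a local box
iptables -t nat -A PREROUTING -p tcp -d 210.13.0.184 --dport 80 -j DNAT --to 10.66.0.2:80
iptables -t nat -A PREROUTING -p udp -d 210.13.31.253 --dport 53 -j DNAT --to 10.66.0.2:53
iptables -t nat -A PREROUTING -p udp -d 210.13.31.254 --dport 53 -j DNAT --to 10.66.0.2:53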
## Config for dnsmasq
## Gateway resolver: plain DNS only (dnsmasq speaks neither DoT nor DoH, so
## "#443" below is just a non-standard port, not an encrypted channel).
## Domains listed here and in the generated gfwlist.conf are sent to OpenDNS
## and their answers are added to the "ss" ipset that the iptables rules
## redirect; everything else goes to the default upstream.
## NOTE(review): consider stop-dns-rebind to drop upstream answers that point
## into private ranges, since every LAN client trusts this resolver.
# query the upstream servers in the order they are listed
strict-order
# do not read /etc/resolv.conf (and do not poll it for changes): only the
# server= lines below are used
no-resolv
no-poll
cache-size=10000
port=53
# loopback and the LAN side only; 192.168.1.1 is presumably the gateway's
# LAN address -- verify it is not reachable from the WAN interface
listen-address=127.0.0.1,192.168.1.1
### Specify dns in gfw: default upstream for everything not matched below
server=114.114.114.114
### Blocked domains will be resolved by OpenDNS(208.67.222.222).
### Meanwhile, store them into ipset ss for iptables.
### FORMAT: server=/<domain>/<opendns>#<port>
### (dnsmasq_gfwlist.py defaults to port 5353; keep the two in agreement)
server=/.amazonaws.com/208.67.222.222#443
ipset=/.amazonaws.com/ss
server=/.ipython.org/208.67.222.222#443
ipset=/.ipython.org/ss
server=/.jupyter.org/208.67.222.222#443
ipset=/.jupyter.org/ss
server=/.google.com.sg/208.67.222.222#443
ipset=/.google.com.sg/ss
server=/.google.co.jp/208.67.222.222#443
ipset=/.google.co.jp/ss
### Other settings will be generated by dnsmasq_gfwlist.py