gost 透明代理 iptables 配置
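#!/bin/bash
# Transparent proxy setup for gost: a handful of ipsets plus an iptables nat
# chain (GOST) that redirects selected TCP traffic to local gost listeners.
# Every value below is a default and can be overridden from the environment,
# e.g.  PROXY_IP=203.0.113.10 ./this-script   (address constructed for the example).

# Address of your proxy server. Replace the placeholder: this address is put
# into PROXY_IPSET and excluded from redirection, which is what prevents the
# redirected traffic from looping back through the proxy rule.
PROXY_IP="${PROXY_IP:-1.2.3.4}"
# ipset names: proxy server, reserved/private ranges, GFW list, China list.
PROXY_IPSET="${PROXY_IPSET:-proxy_ipset}"
INTERNAL_IPSET="${INTERNAL_IPSET:-internal_ipset}"
GFW_IPSET="${GFW_IPSET:-gfw_ipset}"
CHINA_IPSET="${CHINA_IPSET:-china_ipset}"
# Local ports that receive redirected traffic: TCP/443 goes to SNI_PORT,
# every other proxied TCP port goes to REDIRECT_PORT (see create_iptables).
SNI_PORT="${SNI_PORT:-443}"
REDIRECT_PORT="${REDIRECT_PORT:-8443}"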
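#######################################
# Make sure every ipset this script relies on exists, then seed the static
# ones (the proxy server address and the reserved/private ranges).
# Globals:  PROXY_IP, PROXY_IPSET, INTERNAL_IPSET, GFW_IPSET, CHINA_IPSET (read)
# Outputs:  progress messages on stdout
# Returns:  status of the last ipset command
#######################################
create_ipset(){
  local name
  for name in "${PROXY_IPSET}" "${INTERNAL_IPSET}" "${GFW_IPSET}" "${CHINA_IPSET}"; do
    if ipset list "${name}" >/dev/null 2>&1; then
      echo "ipset ${name} exists, ignore command..."
    else
      echo "create ipset: ${name}"
      ipset create "${name}" hash:net maxelem 65536
    fi
  done
  # The proxy server must be in PROXY_IPSET so that traffic to it is never
  # redirected back into the local listener (create_iptables ACCEPTs it first).
  # -exist makes re-running the script idempotent instead of erroring out.
  ipset -exist add "${PROXY_IPSET}" "${PROXY_IP}"
  # Reserved and private ranges are always reached directly, never proxied.
  local net
  for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
             172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
    ipset -exist add "${INTERNAL_IPSET}" "${net}"
  done
}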
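#######################################
# Create (or reset) the GOST nat chain and hook it into PREROUTING.
# Globals:  PROXY_IPSET, INTERNAL_IPSET, GFW_IPSET, CHINA_IPSET,
#           SNI_PORT, REDIRECT_PORT (read)
# Outputs:  progress messages on stdout
# Returns:  status of the last iptables command
#######################################
create_iptables(){
  # Custom chain named GOST in the nat table; create it only once.
  if iptables -t nat -n --list GOST >/dev/null 2>&1; then
    echo "iptables chain GOST exists, ignore command..."
  else
    echo "create iptables chain: GOST"
    iptables -t nat -N GOST
  fi
  # Start from an empty chain so re-runs never accumulate duplicate rules.
  iptables -t nat -F GOST
  # Rule order is significant: the first match wins.
  # 1. Traffic to the proxy server itself is never redirected (avoids a loop).
  iptables -t nat -A GOST -p all -m set --match-set "${PROXY_IPSET}" dst -j ACCEPT
  # 2. Reserved/private destinations go direct.
  iptables -t nat -A GOST -p all -m set --match-set "${INTERNAL_IPSET}" dst -j ACCEPT
  # 3. GFW destinations are always proxied: TCP/443 to the SNI listener,
  #    any other TCP port to the plain redirect listener.
  iptables -t nat -A GOST -p tcp --dport 443 -m set --match-set "${GFW_IPSET}" dst -j REDIRECT --to-port "${SNI_PORT}"
  iptables -t nat -A GOST -p tcp -m set --match-set "${GFW_IPSET}" dst -j REDIRECT --to-port "${REDIRECT_PORT}"
  # 4. China destinations go direct.
  iptables -t nat -A GOST -p tcp -m set --match-set "${CHINA_IPSET}" dst -j ACCEPT
  # 5. Everything else over TCP is proxied; non-TCP traffic is not touched by this chain.
  iptables -t nat -A GOST -p tcp --dport 443 -j REDIRECT --to-port "${SNI_PORT}"
  iptables -t nat -A GOST -p tcp -j REDIRECT --to-port "${REDIRECT_PORT}"
  # Hook forwarded traffic (PREROUTING) into GOST. To also proxy this host's
  # own connections, additionally enable:
  #   iptables -t nat -A OUTPUT -p all -j GOST
  # Remove every existing jump first so the chain is referenced exactly once;
  # -D fails when no copy is left, which is what ends the loop (and is why the
  # error output is silenced here and only here).
  while iptables -t nat -D PREROUTING -p all -j GOST 2>/dev/null; do :; done
  iptables -t nat -I PREROUTING 1 -p all -j GOST
}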
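#######################################
# Refresh CHINA_IPSET from the published China IP list.
# Globals:  CHINA_IPSET (read); the set's contents are replaced on success
# Outputs:  diagnostics on stderr
# Returns:  0 on success; 1 if the download fails or yields no usable entry,
#           in which case the current set is left untouched
#######################################
update_chinaip_ipset(){
  # https://github.com/17mon/china_ip_list/blob/master/china_ip_list.txt
  local url="https://raw.githubusercontent.com/17mon/china_ip_list/master/china_ip_list.txt"
  local tmpset="${CHINA_IPSET}_tmp"
  local tmp entries
  # Unpredictable temp file instead of a fixed name in the current directory.
  tmp=$(mktemp) || { echo "mktemp failed" >&2; return 1; }
  # -f turns HTTP errors into a non-zero exit, so an error page is never
  # parsed as an address list.
  if ! curl -fsS "${url}" -o "${tmp}"; then
    echo "download of ${url} failed, keeping current ${CHINA_IPSET}" >&2
    rm -f -- "${tmp}"
    return 1
  fi
  # Keep only lines that look like IPv4 CIDR; anything else would make
  # ipset abort part-way through the list.
  entries=$(tr -d '\r' <"${tmp}" | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$')
  rm -f -- "${tmp}"
  if [ -z "${entries}" ]; then
    echo "china ip list is empty or malformed, keeping current ${CHINA_IPSET}" >&2
    return 1
  fi
  # Build the new list in a scratch set and swap it in atomically. Flushing
  # CHINA_IPSET before the new data is known good would leave it empty after a
  # failed download, and every China destination would then be sent to the proxy.
  ipset -exist create "${tmpset}" hash:net maxelem 65536 || return 1
  ipset flush "${tmpset}"
  # One ipset process for the whole list instead of one fork per entry.
  awk -v s="${tmpset}" '{ print "add " s " " $0 }' <<<"${entries}" | ipset -exist restore || return 1
  ipset swap "${tmpset}" "${CHINA_IPSET}" || return 1
  ipset destroy "${tmpset}"
}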
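# Apply the configuration. ipset and iptables need root; fail fast with one
# clear message instead of a cascade of permission errors.
if [ "$(id -u)" -ne 0 ]; then
  echo "this script must be run as root" >&2
  exit 1
fi
create_ipset
create_iptables
update_chinaip_ipset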