Verify steps
Description
单网口旁路由，Debian 13，nftables
TProxy 模式只能代理本机，局域网设备无法被代理，内核侧看不到除本机以外的 TProxy 连接；tun 和 Redir 模式正常。
局域网地址为 192.168.0.0/24，具体表现为连接超时，类似防火墙 drop 的效果。
# nftables ruleset installed by ShellCrash for mihomo on a single-NIC bypass router
# (Debian 13). Port map, taken from the accompanying mihomo config: 1053 = dns.listen,
# 7890 = mixed-port, 7892 = redir-port, 7893 = tproxy-port, 7894 = routing-mark.
# 0x00001ed6 == 7894, so the "meta mark 0x00001ed6 return" rules exclude the proxy's
# own outbound connections; 0x00001ed4 (== 7892) is the fwmark used to steer packets
# into the TPROXY socket. The @cn_ip / @cn_ip6 sets are defined outside this listing.
# NOTE(review): skgid 453 and 7890 are presumably the group(s) the proxy process runs
# under — confirm against the service unit.
table inet shellcrash {
    # Host firewall. Policy is accept: the listed LAN sources are whitelisted and, for
    # every other source, only tcp/udp 7890 (mixed-port) and 9999 are rejected. The
    # other listeners this table steers traffic to (1053, 7892, 7893) and the
    # external-controller port from the mihomo config are not covered, so for a
    # non-listed source they fall through to the accept policy.
    # NOTE(review): consider rejecting those ports for non-LAN sources as well, or
    # switching to a default-drop input policy with explicit accepts.
    chain input {
        type filter hook input priority -100; policy accept;
        iif "lo" accept
        ip saddr { 10.3.3.0/24, 172.19.0.0/16, 172.21.0.0-172.22.255.255, 192.168.0.0/24 } accept
        ip6 saddr { fd00::/8, fe80::/10 } accept
        tcp dport { 7890, 9999 } reject   # 9999: presumably the ShellCrash panel — confirm
        udp dport { 7890, 9999 } reject
    }

    # DNS hijack for forwarded traffic: port-53 queries from the listed LAN sources
    # are redirected to the local resolver on 1053. Packets carrying mark 0x1ed6 or
    # owned by gid 453/7890 are presumably the proxy's own upstream queries and are
    # left alone.
    chain prerouting_dns {
        type nat hook prerouting priority dstnat; policy accept;
        udp dport != 53 return
        tcp dport != 53 return
        meta mark 0x00001ed6 return
        meta skgid { 453, 7890 } return
        ip saddr != { 10.3.3.0/24, 172.19.0.0/16, 172.21.0.0-172.22.255.255, 192.168.0.0/24 } return
        ip6 saddr != { fd00::/8, fe80::/10 } return
        udp dport 53 redirect to :1053
        tcp dport 53 redirect to :1053
    }

    # Same DNS hijack for locally-originated queries. Only IPv4 queries sourced from
    # the listed local addresses are redirected (192.168.0.2 is presumably this host's
    # LAN address). Unlike prerouting_dns there is no ip6 saddr filter here, so
    # IPv6-sourced local queries are not filtered by address before the redirect.
    chain output_dns {
        type nat hook output priority dstnat; policy accept;
        udp dport != 53 return
        tcp dport != 53 return
        meta mark 0x00001ed6 return
        meta skgid { 453, 7890 } return
        ip saddr != { 127.0.0.0/8, 172.21.0.1, 172.22.0.1, 192.168.0.2 } return
        udp dport 53 redirect to :1053
        tcp dport 53 redirect to :1053
    }

    # Transparent proxy for forwarded traffic. mangle (-150) runs before the nat
    # chains at dstnat (-100). Every rule but the last is an exclusion; the last rule
    # marks the packet 0x1ed4 and hands it to the TPROXY listener on 7893.
    # NOTE(review): TPROXY delivers a forwarded packet to the local socket only if a
    # policy-routing rule sends fwmark 0x1ed4 to a table whose default route is
    # "local ... dev lo". That routing configuration is not part of this ruleset; for
    # the reported LAN-only failure (local traffic proxied, LAN traffic times out) it is
    # the first thing to verify (`ip rule show`, `ip route show table <TABLE>`),
    # including whether packets arriving on the LAN interface actually consult it.
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        tcp dport 53 return   # DNS is handled by the nat chains
        udp dport 53 return
        meta mark 0x00001ed6 return   # proxy's own outbound (routing-mark 7894)
        meta skgid 7890 return
        # Real destinations are proxied on 22/80/443/8080/8443 only; destinations in
        # 28.0.0.0/8 and fc00::/16 (the fake-ip ranges, commented out in the current
        # config) are proxied on every port.
        ip daddr != 28.0.0.0/8 tcp dport != { 22, 80, 443, 8080, 8443 } return
        ip daddr != 28.0.0.0/8 udp dport != { 22, 80, 443, 8080, 8443 } return
        ip6 daddr != fc00::/16 tcp dport != { 22, 80, 443, 8080, 8443 } return
        ip6 daddr != fc00::/16 udp dport != { 22, 80, 443, 8080, 8443 } return
        # Private, reserved and multicast destinations stay direct.
        ip daddr { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 } return
        # Only the listed LAN sources are proxied.
        ip saddr != { 10.3.3.0/24, 172.19.0.0/16, 172.21.0.0-172.22.255.255, 192.168.0.0/24 } return
        ip daddr @cn_ip return   # presumably China IP ranges — stay direct
        ip6 daddr { ::/127, ::ffff:0.0.0.0/96, 64:ff9b::/96, 100::/64, 2001::/32, 2001:20::/28, 2001:db8::/32, 2002::/16, fd00::/8, fe80::/10, ff00::/8 } return
        ip6 saddr != { fd00::/8, fe80::/10 } return
        ip6 daddr @cn_ip6 return
        udp dport { 443, 8443 } return   # UDP 443/8443 is not proxied (presumably to keep QUIC out)
        meta l4proto { tcp, udp } meta mark set 0x00001ed4 tproxy to :7893
    }

    # Locally-originated traffic: same exclusions as prerouting, but this chain only
    # sets the mark. "type route" re-evaluates routing after the mark changes so the
    # fwmark rule can send the packet back in via lo, where mark_out picks it up.
    chain output {
        type route hook output priority mangle; policy accept;
        tcp dport 53 return
        udp dport 53 return
        meta mark 0x00001ed6 return
        meta skgid 7890 return
        ip daddr != 28.0.0.0/8 tcp dport != { 22, 80, 443, 8080, 8443 } return
        ip daddr != 28.0.0.0/8 udp dport != { 22, 80, 443, 8080, 8443 } return
        ip6 daddr != fc00::/16 tcp dport != { 22, 80, 443, 8080, 8443 } return
        ip6 daddr != fc00::/16 udp dport != { 22, 80, 443, 8080, 8443 } return
        ip daddr { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 } return
        ip daddr @cn_ip return
        ip6 daddr { ::/127, ::ffff:0.0.0.0/96, 64:ff9b::/96, 100::/64, 2001::/32, 2001:20::/28, 2001:db8::/32, 2002::/16, fd00::/8, fe80::/10, ff00::/8 } return
        ip6 saddr != { ::1, fd00::/8, fe80::/10 } return
        ip6 daddr @cn_ip6 return
        udp dport { 443, 8443 } return
        meta l4proto { tcp, udp } meta mark set 0x00001ed4
    }

    # Second pass for re-routed local packets: anything already carrying 0x1ed4 when
    # it reaches prerouting is handed to TPROXY on 7893. Forwarded LAN packets marked
    # by the prerouting chain above also match here (a harmless repeat).
    # NOTE(review): this chain shares hook prerouting / priority dstnat with
    # prerouting_dns, prerouting_vm_dns and prerouting_vm; nftables does not define
    # an order between chains of equal priority.
    chain mark_out {
        type filter hook prerouting priority dstnat; policy accept;
        meta mark 0x00001ed4 meta l4proto { tcp, udp } tproxy to :7893
    }

    # DNS hijack for sources in 172.16.0.0/13 (presumably VM / container networks).
    chain prerouting_vm_dns {
        type nat hook prerouting priority dstnat; policy accept;
        udp dport != 53 return
        tcp dport != 53 return
        meta mark 0x00001ed6 return
        meta skgid { 453, 7890 } return
        ip saddr != 172.16.0.0/13 return
        udp dport 53 redirect to :1053
        tcp dport 53 redirect to :1053
    }

    # Redir-mode (DNAT) proxying for 172.16.0.0/13 sources. IPv6 is excluded outright
    # and the final rule matches TCP only, so UDP from these sources is never proxied.
    # NOTE(review): 172.19.0.0/16 and 172.21.0.0-172.22.255.255 lie inside
    # 172.16.0.0/13 and are also listed in the TPROXY prerouting chain above; since
    # mangle runs first, such sources receive both the TPROXY mark and this redirect —
    # confirm that overlap is intended.
    chain prerouting_vm {
        type nat hook prerouting priority dstnat; policy accept;
        ip saddr != 172.16.0.0/13 return
        tcp dport 53 return
        udp dport 53 return
        meta mark 0x00001ed6 return
        meta skgid 7890 return
        ip daddr != 28.0.0.0/8 tcp dport != { 22, 80, 443, 8080, 8443 } return
        ip daddr != 28.0.0.0/8 udp dport != { 22, 80, 443, 8080, 8443 } return
        ip6 daddr != fc00::/16 tcp dport != { 22, 80, 443, 8080, 8443 } return
        ip6 daddr != fc00::/16 udp dport != { 22, 80, 443, 8080, 8443 } return
        ip daddr { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 } return
        ip daddr @cn_ip return
        meta nfproto ipv6 return
        udp dport { 443, 8443 } return
        meta l4proto tcp redirect to :7892
    }
}
# mihomo configuration as posted in the report. Values shown as "*" were redacted
# by the author and are not valid YAML as written. The port assignments are
# mirrored by the nftables ruleset (1053 / 7890 / 7892 / 7893 / 7894).
mixed-port: 7890
redir-port: 7892
tproxy-port: 7893
routing-mark: 7894   # 0x1ed6 — matched by the "meta mark 0x00001ed6 return" nft rules
# NOTE(review): an empty-string credential means the mixed port accepts any client
# that can reach it; with allow-lan: true that is the whole LAN (the nft input chain
# rejects 7890 only for sources outside its LAN sets).
authentication: [""]
allow-lan: true
mode: Rule
log-level: warn
ipv6: true
tcp-concurrent: true
# interface-name: *
# NOTE(review): the host part is omitted, so the API listens on every address, and
# the nft input chain does not reject this port for non-LAN sources. Confirm the
# port is unreachable beyond the LAN, or bind it to 127.0.0.1 / the LAN address.
external-controller: :*
external-ui: ui
# The dashboard bundle is fetched through a third-party GitHub mirror (ghfast.top);
# its integrity rests on that mirror — no checksum is verified here.
external-ui-url: https://ghfast.top/https://github.com/Zephyruso/zashboard/releases/latest/download/dist-cdn-fonts.zip
secret: *   # redacted
tun: { enable: false }
sniffer:
  enable: true
  parse-pure-ip: true
  skip-domain: [Mijia Cloud]
  sniff:
    http: { ports: [80, 8080-8880], override-destination: true }
    tls: { ports: [443, 8443] }
    quic: { ports: [443, 8443] }
profile:
  store-selected: true
  store-fake-ip: true
geodata-mode: true
geo-auto-update: true
geo-update-interval: 24
geox-url:
  geoip: "https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geoip.dat"
  geosite: "https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geosite.dat"
  # mmdb: "https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/country.mmdb"
  # asn: "https://github.com/xishang0128/geoip/releases/download/latest/GeoLite2-ASN.mmdb"
# Upstream resolver lists, aliased under dns below. The ecs=... parameter attaches a
# fixed EDNS client-subnet to every query sent to the domestic resolvers.
direct_dns: &direct_dns
  - https://223.6.6.6/dns-query#ecs=218.85.152.99/24&ecs-override=true
  - https://120.53.53.53/dns-query#ecs=218.85.152.99/24&ecs-override=true
proxy_dns: &proxy_dns
  - https://1.0.0.1/dns-query#disable-ipv6=true
  - https://8.8.4.4/dns-query#disable-ipv6=true
  - https://doh.opendns.com/dns-query#disable-ipv6=true
dns:
  enable: true
  ipv6: true
  respect-rules: true
  # Listens on all addresses; the nft nat chains redirect LAN port-53 traffic here.
  # NOTE(review): 1053 is not in the nft input reject list, so it is reachable from
  # any source the accept policy lets through.
  listen: 0.0.0.0:1053
  # enhanced-mode: fake-ip
  # fake-ip-range: 28.0.0.0/8
  # fake-ip-range6: fc00::/16
  # fake-ip-filter:
  # - "*"
  # - ".lan"
  # - ".local"
  # - "geosite:cn"
  # - "+.*" # use fake-ip to emulate redir_host
  default-nameserver: [https://223.5.5.5/dns-query]
  proxy-server-nameserver: *direct_dns
  nameserver: *proxy_dns
  nameserver-policy:
    "geosite:private": system
    "geosite:googlefcm": *direct_dns
    "geosite:cn": *direct_dns
hosts:
  steamcloud-hkg.oss-accelerate.aliyuncs.com: 47.97.233.72
  steamcloud-sgp.oss-accelerate.aliyuncs.com: 47.97.233.72
# Self-hosted outbounds (endpoints and credentials redacted). skip-cert-verify stays
# false, so the VLESS/REALITY server's TLS identity is still checked.
proxies:
  - name: reality_*
    server: *
    port: *
    type: vless
    uuid: *
    tls: true
    servername: *
    skip-cert-verify: false
    flow: xtls-rprx-vision
    client-fingerprint: *
    network: tcp
    udp: true
    tfo: true
    mptcp: true
    reality-opts:
      public-key: *
    smux:
      enable: true
      max-connections: 4
      min-streams: 4
      brutal-opts:
        enable: true
        up: *
        down: *
  - name: hysteria2_*
    type: hysteria2
    server: *
    port: *
    password: *
    up: "*"
    down: "*"
    multiplexing: MULTIPLEXING_HIGH
  - name: mieru_*
    type: mieru
    udp: true
    server: *
    port-range: *-*
    transport: TCP
    username: *
    password: *
    tfo: true
    mptcp: true
    smux:
      brutal-opts:
        enable: true
        up: *
        down: *
# Shared proxy-group settings, merged into the groups below with "<<:".
# The url_test anchor is defined but no group below references it.
proxy_groups_args: &proxy_groups_args
  url: http://www.gstatic.com/generate_204
  interval: 360
url_test_args: &url_test
  type: url-test
  tolerance: 150
  <<: *proxy_groups_args
fallback_args: &fallback
  type: fallback
  <<: *proxy_groups_args
proxy_group_proxies: &proxy_group_proxies
  - DIRECT
  - 自动选择-自建
  - 自动选择-ikuuu
  - 自动选择-AMPN
  - 节点选择-ikuuu
  - 节点选择-AMPN
proxy-groups:
  - name: 自动选择-自建
    <<: *fallback
    include-all-proxies: true
  - name: 节点选择
    type: select
    proxies: *proxy_group_proxies
    include-all: true
  - name: 自动选择-ikuuu
    <<: *fallback
    use: [ikuuu]
  - name: 节点选择-ikuuu
    type: select
    proxies:
      - DIRECT
      - 自动选择-ikuuu
    use: [ikuuu]
  - name: 自动选择-AMPN
    <<: *fallback
    use: [AutoMergePublicNodes]
  - name: 节点选择-AMPN
    type: select
    proxies:
      - DIRECT
      - 自动选择-AMPN
    use: [AutoMergePublicNodes]
  - name: 日本节点
    <<: *fallback
    include-all: true
    filter: (?i)jp|japan|日本
  - name: CN规则
    type: select
    proxies: *proxy_group_proxies
    include-all-proxies: true
  - name: 微软服务
    type: select
    proxies: *proxy_group_proxies
    include-all-proxies: true
  - name: OneDrive
    type: select
    proxies: *proxy_group_proxies
    include-all-proxies: true
  - name: Apple
    type: select
    proxies: *proxy_group_proxies
    include-all-proxies: true
  - name: GitHub
    type: select
    proxies: *proxy_group_proxies
    include-all-proxies: true
# Remote subscription lists (URLs redacted), refreshed daily.
# NOTE(review): nodes pulled from third-party / merged public lists are run by
# unknown operators; any traffic routed through them is visible to that operator.
proxy-providers:
  ikuuu:
    type: http
    url: *
    interval: 86400
  AutoMergePublicNodes:
    type: http
    url: *
    interval: 86400
find-process-mode: strict
# Rules are evaluated top to bottom; the first match wins, MATCH is the default.
rules:
  # - IP-CIDR,28.0.0.0/8,REJECT,no-resolve
  # - IP-CIDR,fc00::/16,REJECT,no-resolve
  - GEOIP,private,DIRECT,no-resolve
  - RULE-SET,Rule-direct,DIRECT
  - RULE-SET,Proxy,节点选择
  - RULE-SET,pure,节点选择-ikuuu
  - RULE-SET,jp,日本节点
  - RULE-SET,Rule-reject,REJECT
  - RULE-SET,AWAvenue-Ads-Rule,REJECT
  - DOMAIN-KEYWORD,kiwisearchservices,REJECT # See https://github.com/Tobi823/ffupdater/issues/35
  - DOMAIN-KEYWORD,dongtaiwang,REJECT
  - DOMAIN-KEYWORD,js96110,REJECT # author's note: abuses its position — runs promotion under an anti-fraud banner and blocks legitimate sites
  - GEOSITE,github,GitHub
  - GEOSITE,onedrive,OneDrive
  - GEOSITE,microsoft,微软服务
  - GEOSITE,apple,Apple
  - GEOSITE,googlefcm,CN规则
  # Google's China-side CDN
  - DOMAIN-REGEX,^r+[0-9]+(---|\.)sn-(2x3|ni5|j5o)\w{5}\.xn--ngstr-lra8j\.com$,CN规则
  # Domestic traffic goes direct
  - GEOSITE,cn,CN规则
  - GEOIP,cn,CN规则,no-resolve
  # trackers, smtp
  - DOMAIN-KEYWORD,smtp,DIRECT
  - DOMAIN-KEYWORD,announce,DIRECT
  - DOMAIN-KEYWORD,torrent,DIRECT
  - DOMAIN-KEYWORD,tracker,DIRECT
  # Direct-connect applications (disabled)
  # - PROCESS-NAME,aria2c,DIRECT
  # - PROCESS-NAME,BitComet,DIRECT
  # - PROCESS-NAME,fdm,DIRECT
  # - PROCESS-NAME,NetTransport,DIRECT
  # - PROCESS-NAME,qbittorrent,DIRECT
  # - PROCESS-NAME,qbittorrent-nox,DIRECT
  # - PROCESS-NAME,Thunder,DIRECT
  # - PROCESS-NAME,transmission-daemon,DIRECT
  # - PROCESS-NAME,transmission-qt,DIRECT
  # - PROCESS-NAME,uTorrent,DIRECT
  # - PROCESS-NAME,WebTorrent,DIRECT
  # - PROCESS-NAME,Folx,DIRECT
  # - PROCESS-NAME,Transmission,DIRECT
  # - PROCESS-NAME,WebTorrent Helper,DIRECT
  # - PROCESS-NAME,v2ray,DIRECT
  # - PROCESS-NAME,ss-local,DIRECT
  # - PROCESS-NAME,ssr-local,DIRECT
  # - PROCESS-NAME,ss-redir,DIRECT
  # - PROCESS-NAME,ssr-redir,DIRECT
  # - PROCESS-NAME,ss-server,DIRECT
  # - PROCESS-NAME,trojan-go,DIRECT
  # - PROCESS-NAME,xray,DIRECT
  # - PROCESS-NAME,hysteria,DIRECT
  # - PROCESS-NAME,singbox,DIRECT
  # - PROCESS-NAME,UUBooster,DIRECT
  # - PROCESS-NAME,uugamebooster,DIRECT
  - PROCESS-NAME,tailscaled,DIRECT
  - DST-PORT,80,节点选择
  - DST-PORT,443,节点选择
  - DST-PORT,8080,节点选择
  - MATCH,GLOBAL
# Rule sets referenced above. Only the ad list is remote (again via the ghfast.top
# mirror); the rest are local text files under ./providers.
rule-providers:
  AWAvenue-Ads-Rule:
    type: http
    behavior: domain
    format: mrs
    path: "./providers/awa-ads.mrs"
    url: https://ghfast.top/https://github.com/TG-Twilight/AWAvenue-Ads-Rule/raw/refs/heads/main/Filters/AWAvenue-Ads-Rule-Clash.mrs
    interval: 86400
  Rule-direct:
    type: file
    behavior: domain
    format: text
    path: "./providers/direct.txt"
  Proxy:
    type: file
    behavior: domain
    format: text
    path: "./providers/proxy.txt"
  Rule-reject:
    type: file
    behavior: domain
    format: text
    path: "./providers/reject.txt"
  pure:
    type: file
    behavior: domain
    format: text
    path: "./providers/pure.txt"
  jp:
    type: file
    behavior: domain
    format: text
    path: "./providers/jp.txt"
Verify steps
Description
单网口旁路由，Debian 13，nftables
TProxy 模式只能代理本机，局域网设备无法被代理，内核侧看不到除本机以外的 TProxy 连接；tun 和 Redir 模式正常。
局域网地址为 192.168.0.0/24，具体表现为连接超时，类似防火墙 drop 的效果。