-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathvyos-postconfig-bootup.script
More file actions
82 lines (64 loc) · 3.46 KB
/
vyos-postconfig-bootup.script
File metadata and controls
82 lines (64 loc) · 3.46 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
#!/bin/sh
# This script is executed at boot time after VyOS configuration is fully applied.
# Any modifications required to work around unfixed bugs
# or use services not available through the VyOS CLI system can be placed here.
#
/usr/sbin/modprobe ip_tables
/usr/sbin/modprobe ip_conntrack
/usr/sbin/modprobe iptable_filter
/usr/sbin/modprobe iptable_mangle
/usr/sbin/modprobe iptable_nat
/usr/sbin/modprobe ipt_LOG
/usr/sbin/modprobe ipt_limit
/usr/sbin/modprobe ipt_state
#setup unbound
useradd -d/etc/unbound -s/usr/sbin/nologin unbound
systemctl start unbound
ipset -N china hash:net
for subnet in `cat /config/user-data/iptables/china.txt`; do ipset add china $subnet;done
ipset -N google hash:net
for subnet in `cat /config/user-data/iptables/google.txt`; do ipset add google $subnet;done
# Create new chain
iptables-legacy -t mangle -N SSREDIR
# connection-mark -> packet-mark
iptables-legacy -t mangle -A SSREDIR -j CONNMARK --restore-mark
iptables-legacy -t mangle -A SSREDIR -m mark --mark 0x2333 -j RETURN
# Ignore your shadowsocks server's addresses
# It's very IMPORTANT, just be careful.
for i in `cat /config/user-data/iptables/localips`; do
iptables-legacy -t mangle -A SSREDIR -p tcp -d $i -j RETURN
iptables-legacy -t mangle -A SSREDIR -p udp -d $i -j RETURN
done
# Ignore CHN route list
iptables-legacy -t mangle -A SSREDIR -p tcp -m set --match-set china dst -j RETURN
iptables-legacy -t mangle -A SSREDIR -p udp -m set --match-set china dst -j RETURN
# Ignore white list
#iptables-legacy -t mangle -A SSREDIR -p tcp -m set --match-set white_ip_list dst -j RETURN
#iptables-legacy -t mangle -A SSREDIR -p udp -m set --match-set white_ip_list dst -j RETURN
# mark the first packet of the connection
iptables-legacy -t mangle -A SSREDIR -p tcp --syn -j MARK --set-mark 0x2333
iptables-legacy -t mangle -A SSREDIR -p udp -m conntrack --ctstate NEW -j MARK --set-mark 0x2333
# packet-mark -> connection-mark
iptables-legacy -t mangle -A SSREDIR -j CONNMARK --save-mark
##################### OUTPUT #####################
# proxy the outgoing traffic from this machine
iptables-legacy -t mangle -A OUTPUT -p tcp -m owner --uid-owner unbound -j RETURN
iptables-legacy -t mangle -A OUTPUT -p udp -m owner --uid-owner unbound -j RETURN
iptables-legacy -t mangle -A OUTPUT -p tcp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
iptables-legacy -t mangle -A OUTPUT -p udp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
##################### PREROUTING #####################
# proxy traffic passing through this machine (other->other)
iptables-legacy -t mangle -A PREROUTING -p tcp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
iptables-legacy -t mangle -A PREROUTING -p udp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
# hand over the marked package to TPROXY for processing
iptables-legacy -t mangle -A PREROUTING -p tcp -m mark --mark 0x2333 -j TPROXY --on-ip 0.0.0.0 --on-port 1080
iptables-legacy -t mangle -A PREROUTING -p udp -m mark --mark 0x2333 -j TPROXY --on-ip 0.0.0.0 --on-port 1080
ip route add local default dev lo table 100
ip rule add fwmark 0x2333 table 100
##############################################
# FULLCONENAT Rules
iptables-legacy -t nat -I POSTROUTING -o pppoe0 -j FULLCONENAT
iptables-legacy -t nat -I PREROUTING -i pppoe0 -j FULLCONENAT
iptables-legacy -t nat -I PREROUTING -i eth0 -j FULLCONENAT
iptables-legacy -t nat -I PREROUTING -i eth2 -j FULLCONENAT
iptables-legacy -t nat -I PREROUTING -i wg0 -j FULLCONENAT