Fixes for firmware version < 22.03.x with iptables instead of nftables
Tested on OpenWrt 21.02.7
zerolabnet committed Aug 27, 2024
1 parent 6029201 commit dc77a97
Showing 4 changed files with 81 additions and 69 deletions.
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -27,8 +27,8 @@ For iptables (if you have OpenWrt version < 22.03.x) – `iptables-mod-tproxy`.
Download the ssclash package and install it.

```bash
curl -L https://github.com/zerolabnet/ssclash/releases/download/v1.2/luci-app-ssclash_1.2-1_all.ipk -o /tmp/luci-app-ssclash_1.2-1_all.ipk
opkg install /tmp/luci-app-ssclash_1.2-1_all.ipk
curl -L https://github.com/zerolabnet/ssclash/releases/download/v1.3/luci-app-ssclash_1.3-1_all.ipk -o /tmp/luci-app-ssclash_1.3-1_all.ipk
opkg install /tmp/luci-app-ssclash_1.3-1_all.ipk
rm /tmp/*.ipk
```

127 changes: 64 additions & 63 deletions rootfs/opt/clash/bin/clash-rules
@@ -1,92 +1,93 @@
#!/bin/sh

start(){
if hash nft; then
start() {
if hash nft 2>/dev/null; then
nft -f /opt/clash/nft.conf
ip route add local default dev lo table 100
ip rule add fwmark 1 table 100
elif hash iptables; then
elif hash iptables 2>/dev/null; then
# Block QUIC first (for YouTube)
iptables -t filter -I INPUT -p udp --dport 443 -j REJECT
iptables -t filter -I FORWARD -p udp --dport 443 -j REJECT

iptables -t mangle -N CLASH
iptables -t mangle -I CLASH -p udp --dport 443 -j REJECT # Block QUIC first (for YouTube)
iptables -t mangle -A CLASH -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A CLASH -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A CLASH -d 100.64.0.0/10 -j RETURN
iptables -t mangle -A CLASH -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A CLASH -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A CLASH -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A CLASH -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A CLASH -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A CLASH -d 240.0.0.0/4 -j RETURN
iptables -t mangle -A CLASH -i wg+ -j RETURN
iptables -t mangle -A CLASH -o wg+ -j RETURN
iptables -t mangle -A CLASH -i ppp+ -j RETURN
iptables -t mangle -A CLASH -o ppp+ -j RETURN
iptables -t mangle -A CLASH -i veth+ -j RETURN
iptables -t mangle -A CLASH -o veth+ -j RETURN
iptables -t mangle -A CLASH -i docker+ -j RETURN
iptables -t mangle -A CLASH -o docker+ -j RETURN
iptables -t mangle -A CLASH -p tcp -j TPROXY --on-port 7894 --tproxy-mark 1
iptables -t mangle -A CLASH -p udp -j TPROXY --on-port 7894 --tproxy-mark 1
iptables -t mangle -A PREROUTING -m addrtype --dst-type LOCAL -j RETURN
iptables -t mangle -N CLASH_LOCAL

# Exclude local networks in CLASH
for addr in 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
iptables -t mangle -A CLASH -d $addr -j RETURN
done

# Exclude interfaces in CLASH
for intf in wg+ ppp+ veth+ docker+; do
iptables -t mangle -A CLASH -i $intf -j RETURN
iptables -t mangle -A CLASH -o $intf -j RETURN
done

# TPROXY rules
iptables -t mangle -A CLASH -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port 7894 --tproxy-mark 1
iptables -t mangle -A CLASH -p udp -j TPROXY --on-ip 127.0.0.1 --on-port 7894 --tproxy-mark 1

iptables -t mangle -A PREROUTING -j CLASH

iptables -t mangle -N CLASH_SELF
iptables -t mangle -A CLASH_SELF -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A CLASH_SELF -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A CLASH_SELF -d 100.64.0.0/10 -j RETURN
iptables -t mangle -A CLASH_SELF -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A CLASH_SELF -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A CLASH_SELF -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A CLASH_SELF -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A CLASH_SELF -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A CLASH_SELF -d 240.0.0.0/4 -j RETURN
iptables -t mangle -A CLASH_SELF -i wg+ -j RETURN
iptables -t mangle -A CLASH_SELF -o wg+ -j RETURN
iptables -t mangle -A CLASH_SELF -i ppp+ -j RETURN
iptables -t mangle -A CLASH_SELF -o ppp+ -j RETURN
iptables -t mangle -A CLASH_SELF -i veth+ -j RETURN
iptables -t mangle -A CLASH_SELF -o veth+ -j RETURN
iptables -t mangle -A CLASH_SELF -i docker+ -j RETURN
iptables -t mangle -A CLASH_SELF -o docker+ -j RETURN
iptables -t mangle -A CLASH_SELF -m mark --mark 2 -j RETURN # To avoid cyclic redirection
iptables -t mangle -A CLASH_SELF -p tcp -j MARK --set-mark 1
iptables -t mangle -A CLASH_SELF -p udp -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -j CLASH_SELF
# Exclude local networks in CLASH_LOCAL
for addr in 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
iptables -t mangle -A CLASH_LOCAL -d $addr -j RETURN
done

# Exclude interfaces in CLASH_LOCAL
for intf in wg+ ppp+ veth+ docker+; do
iptables -t mangle -A CLASH_LOCAL -i $intf -j RETURN
iptables -t mangle -A CLASH_LOCAL -o $intf -j RETURN
done

# Prevent cyclic redirection
iptables -t mangle -A CLASH_LOCAL -m mark --mark 2 -j RETURN

# Mark packets for routing
iptables -t mangle -A CLASH_LOCAL -p tcp -j MARK --set-mark 1
iptables -t mangle -A CLASH_LOCAL -p udp -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -j CLASH_LOCAL

ip route add local default dev lo table 100
ip rule add fwmark 1 table 100
else
echo "unknown firewall, ignore"
echo "Unknown firewall, ignoring."
fi
}

stop(){
if hash nft; then
nft table ip clash
stop() {
if hash nft 2>/dev/null; then
nft delete table ip clash
ip route del local default dev lo table 100
ip rule del table 100
elif hash iptables; then
elif hash iptables 2>/dev/null; then
iptables -t filter -D INPUT -p udp --dport 443 -j REJECT
iptables -t filter -D FORWARD -p udp --dport 443 -j REJECT
iptables -t mangle -D PREROUTING -j CLASH
iptables -t mangle -F CLASH
iptables -t mangle -X CLASH

iptables -t mangle -D OUTPUT -j CLASH_SELF
iptables -t mangle -F CLASH_SELF
iptables -t mangle -X CLASH_SELF
iptables -t mangle -D OUTPUT -j CLASH_LOCAL
iptables -t mangle -F CLASH_LOCAL
iptables -t mangle -X CLASH_LOCAL

ip route del local default dev lo table 100
ip rule del table 100
else
echo "unknown firewall, ignore"
echo "Unknown firewall, ignoring."
fi
}

case $1 in
start)
start
;;
stop)
stop
;;
esac
case "$1" in
start)
start
;;
stop)
stop
;;
*)
echo "Usage: $0 {start|stop}"
exit 1
;;
esac
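Review bot: In the new start() iptables branch (reading the comment-above block as the new side) the two TPROXY rules `iptables -t mangle -A CLASH -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port 7894 --tproxy-mark 1` and its udp twin run unchecked and the script has no `set -e`, so if the TPROXY target is unavailable (the README names `iptables-mod-tproxy` as a requirement for this path) the CLASH chain is still hooked into PREROUTING and start exits 0 with client traffic leaving the router unproxied. I would fail closed there: append `|| { echo "TPROXY rule failed (is iptables-mod-tproxy installed?)" >&2; exit 1; }` to both TPROXY lines, ahead of the `iptables -t mangle -A PREROUTING -j CLASH` line. The same silence affects a repeated start: `-N CLASH` and `-N CLASH_LOCAL` fail on the existing chains while the following `-A` lines append duplicate rules, and `ip rule add fwmark 1 table 100` is added again. Separately, `command -v nft >/dev/null 2>&1` is the POSIX-specified way to test for a command; `hash`'s exit status for a missing command is less uniformly specified, which matters under `#!/bin/sh` on busybox.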
2 changes: 1 addition & 1 deletion rootfs/opt/clash/config.yaml
Expand Up @@ -27,7 +27,7 @@ profile:
store-fake-ip: true

# Provides a default traffic mark for outbound connections on Linux
routing-mark: 2 # To avoid cyclic redirection
routing-mark: 2 # Prevent cyclic redirection

sniffer:
enable: true
17 changes: 14 additions & 3 deletions rootfs/opt/clash/nft.conf
Expand Up @@ -25,20 +25,31 @@ define RESERVED_IFACE = {
table ip clash {
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
udp dport 443 reject # Block QUIC first (for YouTube)
fib daddr type local return

# Block QUIC first (for YouTube)
udp dport 443 reject

# Exclude reserved IPs and interfaces
ip daddr $RESERVED_IP return
iifname $RESERVED_IFACE return
oifname $RESERVED_IFACE return

# Redirect traffic to TPROXY
ip protocol tcp tproxy to 127.0.0.1:7894 meta mark set 1
ip protocol udp tproxy to 127.0.0.1:7894 meta mark set 1
}
chain output {
type route hook output priority mangle; policy accept;

# Exclude reserved IPs and interfaces
ip daddr $RESERVED_IP return
iifname $RESERVED_IFACE return
oifname $RESERVED_IFACE return
meta mark 2 return # To avoid cyclic redirection

# Prevent cyclic redirection
meta mark 2 return

# Mark packets for routing
ip protocol tcp meta mark set 1
ip protocol udp meta mark set 1
}
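Review bot: In the prerouting chain the QUIC rule `udp dport 443 reject` now sits after `fib daddr type local return` (the removed line had it before), so UDP/443 addressed to the router's own addresses is no longer rejected on the nftables path, whereas the iptables path in clash-rules rejects it in INPUT as well as FORWARD. If the two firewalls are meant to behave the same, the reject should move back above the `fib daddr type local return` line; if the narrower scope is intended, a comment such as `# only forwarded QUIC is blocked; router-local UDP/443 is left alone` would keep the next reader from "fixing" it. I am inferring old/new sides from the rendered page, so please verify against the raw diff.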
