5 Usage: ss-rules [options]
9 -s <server_host> hostname or ip of shadowsocks remote server
10 -l <local_port> port number of shadowsocks local server
11 -i <ip_list_file> a file content is bypassed ip list
12 -a <lan_ips> lan ip of access control, need a prefix to
13 define access control mode
14 -b <wan_ips> wan ip of will be bypassed
15 -w <wan_ips> wan ip of will be forwarded
16 -e <extra_options> extra options for iptables
17 -o apply the rules to the OUTPUT chain
18 -u enable udprelay mode, TPROXY is required
24 # 1.alert 2.crit 3.err 4.warn 5.notice 6.info 7.debug
25 logger
-st ss-rules
[$$
] -p$1 $2
28 ipt_n
="iptables -t nat"
29 ipt_m
="iptables -t mangle"
34 IPT
=$
(iptables-save
-t nat
)
35 eval $
(echo "$IPT" |
grep "_SS_SPEC_RULE_" | \
36 sed -e 's/^-A/$ipt_n -D/' -e 's/$/;/')
38 for chain
in $
(echo "$IPT" |
awk '/^:SS_SPEC/{print $1}'); do
39 $ipt_n -F ${chain:1} 2>/dev
/null
&& $ipt_n -X ${chain:1}
42 IPT
=$
(iptables-save
-t mangle
)
43 eval $
(echo "$IPT" |
grep "_SS_SPEC_RULE_" | \
44 sed -e 's/^-A/$ipt_m -D/' -e 's/$/;/')
46 for chain
in $
(echo "$IPT" |
awk '/^:SS_SPEC/{print $1}'); do
47 $ipt_m -F ${chain:1} 2>/dev
/null
&& $ipt_m -X ${chain:1}
50 ip rule del fwmark
0x01/0x01 table
100 2>/dev
/null
51 ip route del
local 0.0.0.0/0 dev lo table
100 2>/dev
/null
52 ipset
-X ss_spec_lan_ac
2>/dev
/null
53 ipset
-X ss_spec_wan_ac
2>/dev
/null
58 ipset
-! -R <<-EOF || return 1
59 create ss_spec_wan_ac hash:net
60 $(echo -e "$IPLIST" | sed -e "s/^/add ss_spec_wan_ac /")
61 $(for ip in $WAN_FW_IP; do echo "add ss_spec_wan_ac $ip nomatch"; done)
63 $ipt_n -N SS_SPEC_WAN_AC
&& \
64 $ipt_n -A SS_SPEC_WAN_AC
-m set --match-set ss_spec_wan_ac dst
-j RETURN
&& \
65 $ipt_n -A SS_SPEC_WAN_AC
-j SS_SPEC_WAN_FW
70 $ipt_n -N SS_SPEC_WAN_FW
&& \
71 $ipt_n -A SS_SPEC_WAN_FW
-p tcp \
72 -j REDIRECT
--to-ports $LOCAL_PORT 2>/dev
/null ||
{
73 loger
3 "Can't redirect, please check the iptables."
82 if [ -n "$LAN_AC_IP" ]; then
83 if [ "${LAN_AC_IP:0:1}" = "w" ]; then
86 if [ "${LAN_AC_IP:0:1}" != "b" ]; then
87 loger
3 "Bad argument \`-a $LAN_AC_IP\`."
94 if iptables-save
-t nat |
grep -q "^:zone_lan_prerouting"; then
95 ROUTECHAIN
=zone_lan_prerouting
98 ipset
-! -R <<-EOF || return 1
99 create ss_spec_lan_ac hash:net
100 $(for ip in ${LAN_AC_IP:1}; do echo "add ss_spec_lan_ac $ip $TAG"; done)
102 $ipt_n -A $ROUTECHAIN -p tcp
$EXT_ARGS \
103 -m set ! --match-set ss_spec_lan_ac src \
104 -m comment
--comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC
106 if [ "$OUTPUT" = 1 ]; then
107 $ipt_n -A OUTPUT
-p tcp
$EXT_ARGS \
108 -m comment
--comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC
114 [ "$TPROXY" = 1 ] ||
return 0
115 ip rule add fwmark
0x01/0x01 table
100
116 ip route add
local 0.0.0.0/0 dev lo table
100
117 $ipt_m -N SS_SPEC_TPROXY
118 $ipt_m -A SS_SPEC_TPROXY
-p udp
-m set ! --match-set ss_spec_wan_ac dst \
119 -j TPROXY
--on-port $LOCAL_PORT --tproxy-mark 0x01/0x01
120 $ipt_m -A PREROUTING
-p udp
$EXT_ARGS \
121 -m set ! --match-set ss_spec_lan_ac src \
122 -m comment
--comment "_SS_SPEC_RULE_" -j SS_SPEC_TPROXY
126 while getopts ":s:l:c:i:e:a:b:w:ouf" arg
; do
144 WAN_BP_IP
=$
(for ip
in $OPTARG; do echo $ip; done)
162 if [ -z "$SERVER" -o -z "$LOCAL_PORT" ]; then
167 SERVER
=$
(resolveip
-t60 $SERVER)
169 if [ -z "$SERVER" ]; then
170 loger
3 "Can't resolve the server hostname."
174 if [ -f "$IGNORE" ]; then
175 IGNORE_IP
=$
(cat $IGNORE 2>/dev
/null
)
178 IPLIST
=$
(cat <<-EOF | grep -E "^([0-9]{1,3}\.){3}[0-9]{1,3}"
201 flush_r
&& fw_rule
&& ipset_r
&& ac_rule
&& tp_rule