+#!/bin/sh
+
+usage() {
+ cat <<-EOF
+ Usage: ss-rules [options]
+
+ Valid options are:
+
+ -s <server_host> hostname or ip of shadowsocks remote server
+ -l <local_port> port number of shadowsocks local server
+ -i <ip_list_file> a file content is bypassed ip list
+ -a <lan_ips> lan ip of access control, need a prefix to
+ define access control mode
+ -b <wan_ips> wan ip of will be bypassed
+ -w <wan_ips> wan ip of will be forwarded
+ -e <extra_options> extra options for iptables
+ -o apply the rules to the OUTPUT chain
+ -u enable udprelay mode, TPROXY is required
+ -f flush the rules
+EOF
+}
+
+loger() {
+ # 1.alert 2.crit 3.err 4.warn 5.notice 6.info 7.debug
+ logger -st ss-rules[$$] -p$1 $2
+}
+
+ipt_n="iptables -t nat"
+ipt_m="iptables -t mangle"
+
+flush_r() {
+ local IPT
+
+ IPT=$(iptables-save -t nat)
+ eval $(echo "$IPT" | grep "_SS_SPEC_RULE_" | \
+ sed -e 's/^-A/$ipt_n -D/' -e 's/$/;/')
+
+ for chain in $(echo "$IPT" | awk '/^:SS_SPEC/{print $1}'); do
+ $ipt_n -F ${chain:1} 2>/dev/null && $ipt_n -X ${chain:1}
+ done
+
+ IPT=$(iptables-save -t mangle)
+ eval $(echo "$IPT" | grep "_SS_SPEC_RULE_" | \
+ sed -e 's/^-A/$ipt_m -D/' -e 's/$/;/')
+
+ for chain in $(echo "$IPT" | awk '/^:SS_SPEC/{print $1}'); do
+ $ipt_m -F ${chain:1} 2>/dev/null && $ipt_m -X ${chain:1}
+ done
+
+ ip rule del fwmark 0x01/0x01 table 100 2>/dev/null
+ ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null
+ ipset -X ss_spec_lan_ac 2>/dev/null
+ ipset -X ss_spec_wan_ac 2>/dev/null
+ return 0
+}
+
+ipset_r() {
+ ipset -! -R <<-EOF || return 1
+ create ss_spec_wan_ac hash:net
+ $(echo -e "$IPLIST" | sed -e "s/^/add ss_spec_wan_ac /")
+ $(for ip in $WAN_FW_IP; do echo "add ss_spec_wan_ac $ip nomatch"; done)
+EOF
+ $ipt_n -N SS_SPEC_WAN_AC && \
+ $ipt_n -A SS_SPEC_WAN_AC -m set --match-set ss_spec_wan_ac dst -j RETURN && \
+ $ipt_n -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW
+ return $?
+}
+
+fw_rule() {
+ $ipt_n -N SS_SPEC_WAN_FW && \
+ $ipt_n -A SS_SPEC_WAN_FW -p tcp \
+ -j REDIRECT --to-ports $LOCAL_PORT 2>/dev/null || {
+ loger 3 "Can't redirect, please check the iptables."
+ exit 1
+ }
+ return $?
+}
+
+ac_rule() {
+ local TAG ROUTECHAIN
+
+ if [ -n "$LAN_AC_IP" ]; then
+ if [ "${LAN_AC_IP:0:1}" = "w" ]; then
+ TAG="nomatch"
+ else
+ if [ "${LAN_AC_IP:0:1}" != "b" ]; then
+ loger 3 "Bad argument \`-a $LAN_AC_IP\`."
+ return 2
+ fi
+ fi
+ fi
+
+ ROUTECHAIN=PREROUTING
+ if iptables-save -t nat | grep -q "^:zone_lan_prerouting"; then
+ ROUTECHAIN=zone_lan_prerouting
+ fi
+
+ ipset -! -R <<-EOF || return 1
+ create ss_spec_lan_ac hash:net
+ $(for ip in ${LAN_AC_IP:1}; do echo "add ss_spec_lan_ac $ip $TAG"; done)
+EOF
+ $ipt_n -A $ROUTECHAIN -p tcp $EXT_ARGS \
+ -m set ! --match-set ss_spec_lan_ac src \
+ -m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC
+
+ if [ "$OUTPUT" = 1 ]; then
+ $ipt_n -A OUTPUT -p tcp $EXT_ARGS \
+ -m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC
+ fi
+ return $?
+}
+
+tp_rule() {
+ [ "$TPROXY" = 1 ] || return 0
+ ip rule add fwmark 0x01/0x01 table 100
+ ip route add local 0.0.0.0/0 dev lo table 100
+ $ipt_m -N SS_SPEC_TPROXY
+ $ipt_m -A SS_SPEC_TPROXY -p udp -m set ! --match-set ss_spec_wan_ac dst \
+ -j TPROXY --on-port $LOCAL_PORT --tproxy-mark 0x01/0x01
+ $ipt_m -A PREROUTING -p udp $EXT_ARGS \
+ -m set ! --match-set ss_spec_lan_ac src \
+ -m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_TPROXY
+ return $?
+}
+
+while getopts ":s:l:c:i:e:a:b:w:ouf" arg; do
+ case $arg in
+ s)
+ SERVER=$OPTARG
+ ;;
+ l)
+ LOCAL_PORT=$OPTARG
+ ;;
+ i)
+ IGNORE=$OPTARG
+ ;;
+ e)
+ EXT_ARGS=$OPTARG
+ ;;
+ a)
+ LAN_AC_IP=$OPTARG
+ ;;
+ b)
+ WAN_BP_IP=$(for ip in $OPTARG; do echo $ip; done)
+ ;;
+ w)
+ WAN_FW_IP=$OPTARG
+ ;;
+ o)
+ OUTPUT=1
+ ;;
+ u)
+ TPROXY=1
+ ;;
+ f)
+ flush_r
+ exit 0
+ ;;
+ esac
+done
+
+if [ -z "$SERVER" -o -z "$LOCAL_PORT" ]; then
+ usage
+ exit 2
+fi
+
+SERVER=$(resolveip -t60 $SERVER)
+
+if [ -z "$SERVER" ]; then
+ loger 3 "Can't resolve the server hostname."
+ exit 1
+fi
+
+if [ -f "$IGNORE" ]; then
+ IGNORE_IP=$(cat $IGNORE 2>/dev/null)
+fi
+
+IPLIST=$(cat <<-EOF | grep -E "^([0-9]{1,3}\.){3}[0-9]{1,3}"
+ $SERVER
+ 0.0.0.0/8
+ 10.0.0.0/8
+ 100.64.0.0/10
+ 127.0.0.0/8
+ 169.254.0.0/16
+ 172.16.0.0/12
+ 192.0.0.0/24
+ 192.0.2.0/24
+ 192.88.99.0/24
+ 192.168.0.0/16
+ 198.18.0.0/15
+ 198.51.100.0/24
+ 203.0.113.0/24
+ 224.0.0.0/4
+ 240.0.0.0/4
+ 255.255.255.255
+ $WAN_BP_IP
+ $IGNORE_IP
+EOF
+)
+
+flush_r && fw_rule && ipset_r && ac_rule && tp_rule
+
+exit $?