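#!/bin/bash
# Network helper library: NAT / port-forward iptables rules, IPv4 address
# arithmetic, and loading of CN / world policy routes from the sibling
# `iplist` directory. It is meant to be *sourced* (see the `source` lines at
# the bottom); most functions run `iptables`, `ip`, `modprobe` or `pacman`,
# so the sourcing shell needs root for them to do anything.
#
# Note: the two `exit 1` arms below run at source time and terminate the
# sourcing shell on an unsupported architecture or OS (unchanged behaviour).

ARCHITECTURE=$(uname -m)
OSNAME=$(uname)
# Directory containing this file; the `${(%):-%x}` fallback is the zsh spelling
# of "current script path" for the case where BASH_SOURCE is not set.
LIBROOT="$(cd "$(dirname "${BASH_SOURCE[0]:-${(%):-%x}}")" && pwd)"
IPLISTPATH=$LIBROOT/../iplist
OSRELEASE=""

# WORDSTUFFIX is not referenced in this file; presumably consumed by the
# scripts sourced at the bottom — confirm before removing.
case $ARCHITECTURE in
  x86_64)  WORDSTUFFIX="linux_amd64" ;;
  armv7l)  WORDSTUFFIX="linux_arm7" ;;
  armv6l)  WORDSTUFFIX="linux_arm6" ;;
  aarch64) WORDSTUFFIX="linux_arm7" ;;
  *) exit 1 ;;
esac

case $OSNAME in
  Linux)  OSRELEASE=$(source /etc/os-release && echo "$ID") ;;
  Darwin) OSRELEASE="macos" ;;
esac

#######################################
# Build and install the xt_FULLCONENAT kernel module and its iptables
# extension from upstream sources. Arch Linux only; a no-op elsewhere.
# Every input below is fetched unpinned from the network and then built and
# installed as root, so review or pin the sources before using this on a
# host that matters. Unlike the original, this leaves the working directory
# where it was (the build steps run in subshells).
# Globals:   OSRELEASE (read)
# Returns:   non-zero if a package install, fetch, patch, build or copy fails
#######################################
function nt::install_fullconenat() {
  case $OSRELEASE in
    arch)
      pacman -Sy --noconfirm zstd base-devel || return 1
      # git:// is unauthenticated; the https endpoint serves the same repository.
      git clone https://git.netfilter.org/iptables || return 1
      git clone https://github.com/Chion82/netfilter-full-cone-nat.git || return 1
      # -f makes curl fail on an HTTP error instead of saving the error page
      # as the patch file and feeding it to `patch`.
      curl -fsSL -o netfilter-full-cone-nat/linux-5.15.patch \
        https://raw.githubusercontent.com/archlinux/svntogit-community/packages/netfilter-fullconenat/trunk/linux-5.15.patch \
        || return 1
      patch -p1 -i netfilter-full-cone-nat/linux-5.15.patch \
        netfilter-full-cone-nat/xt_FULLCONENAT.c || return 1
      ( cd netfilter-full-cone-nat && make && zstd xt_FULLCONENAT.ko ) || return 1
      cp netfilter-full-cone-nat/xt_FULLCONENAT.ko.zst \
        "/usr/lib/modules/$(uname -r)/kernel/net/netfilter" || return 1
      depmod
      modprobe xt_FULLCONENAT
      echo xt_FULLCONENAT > /etc/modules-load.d/xt_FULLCONENAT.conf
      cp netfilter-full-cone-nat/libipt_FULLCONENAT.c iptables/extensions/ || return 1
      (
        cd iptables \
          && ./autogen.sh \
          && ./configure --prefix=/usr \
          && make \
          && cp extensions/libipt_FULLCONENAT.so /usr/lib/xtables
      ) || return 1
      ;;
  esac
}

#######################################
# Reset the IPv4 and IPv6 firewall: default policies to ACCEPT, flush the
# nat, mangle and filter tables and delete user-defined chains. After this
# call the host accepts and forwards all traffic until new rules are added.
# The final -D removes the RST-drop rule installed by nt::iptables_nat; it
# reports an error (ignored) when that rule is not present.
#######################################
function nt::iptables_clear() {
  local fw
  for fw in iptables ip6tables; do
    "$fw" -P INPUT ACCEPT
    "$fw" -P FORWARD ACCEPT
    "$fw" -P OUTPUT ACCEPT
    "$fw" -t nat -F
    "$fw" -t mangle -F
    "$fw" -F
    "$fw" -X
    "$fw" -D INPUT -p tcp --tcp-flags RST RST -j DROP
  done
}

#######################################
# Turn the host into a NAT router: clear all rules, enable IPv4/IPv6
# forwarding, MASQUERADE on every outgoing interface, clamp TCP MSS to PMTU
# on forwarded SYNs, and drop incoming TCP RST packets.
# Note that the MASQUERADE rule has no -o restriction, so it applies to all
# interfaces, and the RST drop also affects legitimate resets to this host.
#######################################
function nt::iptables_nat() {
  nt::iptables_clear
  sysctl -w net.ipv4.conf.all.forwarding=1
  sysctl -w net.ipv6.conf.all.forwarding=1
  local fw
  for fw in iptables ip6tables; do
    "$fw" -t nat -A POSTROUTING -j MASQUERADE
    "$fw" -A FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
    "$fw" -A INPUT -p tcp --tcp-flags RST RST -j DROP
  done
}

#######################################
# Source-NAT traffic from a subnet leaving a given interface to a fixed IP.
# Usage:     nt::iptables_snat 10.0.0.0/8 wan x.x.x.x
# Arguments: $1 - source CIDR, $2 - outgoing interface, $3 - SNAT address
#######################################
function nt::iptables_snat() {
  local src=$1 oif=$2 to=$3
  iptables -t nat -A POSTROUTING -s "$src" -o "$oif" -j SNAT --to-source "$to"
}

#######################################
# Convert a dotted-quad IPv4 address to its 32-bit integer value.
# The input is validated before it reaches arithmetic expansion, because
# $(( )) on an arbitrary string would evaluate it (including array
# subscripts and command substitutions) rather than treat it as data.
# Arguments: $1 - address such as 192.0.2.1
# Outputs:   the integer on stdout
# Returns:   1 (no output) if $1 is not four octets in the range 0..255
#######################################
function nt::ip2int() {
  local a b c d
  [[ $1 =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || return 1
  IFS=. read -r a b c d <<< "$1"
  (( a <= 255 && b <= 255 && c <= 255 && d <= 255 )) || return 1
  echo $(( (((((a << 8) | b) << 8) | c) << 8) | d ))
}

#######################################
# Convert a 32-bit integer to a dotted-quad IPv4 address. Only the low 32
# bits are used, so wider (or negative two's-complement) values are tolerated.
# Arguments: $1 - decimal integer
# Outputs:   the address on stdout
# Returns:   1 (no output) if $1 is not a decimal integer
#######################################
function nt::int2ip() {
  local ui32=$1
  local ip="" n
  [[ $ui32 =~ ^-?[0-9]+$ ]] || return 1
  for n in 1 2 3 4; do
    # Build from the least significant octet outward, prepending each one.
    ip=$(( ui32 & 0xff ))${ip:+.}$ip
    ui32=$(( ui32 >> 8 ))
  done
  echo "$ip"
}

#######################################
# Integer netmask for a prefix length, masked to 32 bits.
# Arguments: $1 - prefix length 0..32
# Outputs:   the mask as a decimal integer on stdout
# Returns:   1 (with a message on stderr) if $1 is not in range
#######################################
function nt::_prefix_mask() {
  local prefix=$1
  if ! [[ $prefix =~ ^[0-9]+$ ]] || (( prefix > 32 )); then
    printf 'nt: bad prefix length: %s\n' "$prefix" >&2
    return 1
  fi
  echo $(( (0xffffffff << (32 - prefix)) & 0xffffffff ))
}

#######################################
# Dotted-quad netmask for a prefix length.
# Example:   nt::netmask 24 => 255.255.255.0
# Returns:   1 if the prefix length is invalid
#######################################
function nt::netmask() {
  local mask
  mask=$(nt::_prefix_mask "$1") || return 1
  nt::int2ip "$mask"
}

#######################################
# Broadcast address of an IPv4 network.
# Example:   nt::broadcast 192.0.2.0 24 => 192.0.2.255
# Returns:   1 if the address or prefix length is invalid
#######################################
function nt::broadcast() {
  local addr mask
  addr=$(nt::ip2int "$1") || return 1
  mask=$(nt::_prefix_mask "$2") || return 1
  nt::int2ip $(( (addr | ~mask) & 0xffffffff ))
}

#######################################
# Network address of an IPv4 network.
# Example:   nt::network 192.0.2.0 24 => 192.0.2.0
# Returns:   1 if the address or prefix length is invalid
#######################################
function nt::network() {
  local addr mask
  addr=$(nt::ip2int "$1") || return 1
  mask=$(nt::_prefix_mask "$2") || return 1
  nt::int2ip $(( addr & mask ))
}

#######################################
# DNAT a TCP port on one address to another address:port, and SNAT the
# forwarded packets so replies come back through this host.
# Arguments: $1 - destination address to match, $2 - port to match,
#            $3 - target address, $4 - target port, $5 - SNAT source address
#######################################
function nt::portforward() {
  local sourceip=$1 sourceport=$2 destinationip=$3 destinationport=$4 snatip=$5
  iptables -t nat -A PREROUTING -d "$sourceip" -p tcp --dport "$sourceport" \
    -j DNAT --to "$destinationip:$destinationport"
  # was `-dport`, which iptables does not accept
  iptables -t nat -A POSTROUTING -d "$destinationip" -p tcp --dport "$destinationport" \
    -j SNAT --to "$snatip"
}

#######################################
# Run `ip FAMILY route ACTION CIDR ARG...` for every non-empty line of a
# list file (one CIDR per line, surrounding whitespace ignored). Linux only:
# a no-op on Darwin and `exit 1` on any other OS, as the original per-list
# functions did. Lines are read verbatim, so entries are never globbed.
# Arguments: $1 - list file, $2 - -4 or -6, $3 - add or del, $@ - extra args
# Returns:   1 if the list file cannot be read
#######################################
function nt::_route_each() {
  local file=$1 family=$2 action=$3
  shift 3
  local cidr
  case $OSNAME in
    Linux)
      if [[ ! -r $file ]]; then
        printf 'nt: cannot read %s\n' "$file" >&2
        return 1
      fi
      while read -r cidr || [[ -n $cidr ]]; do
        [[ -n $cidr ]] || continue
        ip "$family" route "$action" "$cidr" "$@"
      done < "$file"
      ;;
    Darwin) ;;
    *) exit 1 ;;
  esac
}

# Route the CN list directly out of an interface (errors silenced).
# Arguments: $1 - interface
function nt::china_route_novia() {
  nt::_route_each "$IPLISTPATH/cn_rules" -4 add dev "$1" > /dev/null 2>&1
}

# Route the CN list via a gateway on an interface (errors silenced).
# Arguments: $1 - gateway, $2 - interface
function nt::china_route() {
  nt::_route_each "$IPLISTPATH/cn_rules" -4 add via "$1" dev "$2" > /dev/null 2>&1
}

# Route the world list via a gateway on an interface; `ip` errors (for
# example "File exists" on re-runs) are left visible.
# Arguments: $1 - gateway, $2 - interface
function nt::world_route() {
  nt::_route_each "$IPLISTPATH/world_rules" -4 add via "$1" dev "$2"
}

# IPv6 counterpart of nt::world_route.
# Arguments: $1 - gateway, $2 - interface
function nt::world_route6() {
  nt::_route_each "$IPLISTPATH/v6_world_rules" -6 add via "$1" dev "$2"
}

# Route the IPv6 CN list directly out of an interface.
# Arguments: $1 - interface
function nt::china_route6() {
  nt::_route_each "$IPLISTPATH/v6_china_rules" -6 add dev "$1"
}

# Route an arbitrary IPv6 list (a file name inside IPLISTPATH, not a path)
# directly out of an interface.
# Arguments: $1 - list file name, $2 - interface
# Returns:   1 if $1 contains a slash
function nt::route6_dev() {
  [[ $1 != */* ]] || return 1
  nt::_route_each "$IPLISTPATH/$1" -6 add dev "$2"
}

# Delete every route of the world list (errors silenced).
function nt::remove_world_route() {
  nt::_route_each "$IPLISTPATH/world_rules" -4 del > /dev/null 2>&1
}

# Delete every route of the IPv6 world list (errors silenced).
function nt::remove_world_route6() {
  nt::_route_each "$IPLISTPATH/v6_world_rules" -6 del > /dev/null 2>&1
}

#######################################
# Persist an IPv4 CIDR in own_world_rules, rebuild world_rules, and add the
# route now. The CIDR is checked before it is written, since the list files
# are fed to `ip route` on every boot.
# Arguments: $1 - IPv4 CIDR, $2 - gateway, $3 - interface
# Returns:   1 if $1 is not an IPv4 CIDR; otherwise the rebuild status
#            (the route is added regardless of whether the merge succeeded)
#######################################
function nt::add_world_rule() {
  local cidr=$1 gw=$2 dev=$3 rc=0
  if ! [[ $cidr =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]]; then
    printf 'nt: not an IPv4 CIDR: %s\n' "$cidr" >&2
    return 1
  fi
  printf '%s\n' "$cidr" >> "$IPLISTPATH/own_world_rules"
  nt::build_world_rule || rc=$?
  ip route add "$cidr" via "$gw" dev "$dev"
  return "$rc"
}

#######################################
# Persist an IPv6 CIDR in v6_world_rules and add the route now.
# Usage:     nt::add_v6_world_rule 2a02:26f0:6e00::/48 fc80:1989:604:2021::1 wg1
# Arguments: $1 - IPv6 CIDR, $2 - gateway, $3 - interface
# Returns:   1 if $1 does not look like an IPv6 CIDR
#######################################
function nt::add_v6_world_rule() {
  local cidr=$1 gw=$2 dev=$3
  if ! [[ $cidr =~ ^[0-9A-Fa-f:]+(/[0-9]{1,3})?$ ]]; then
    printf 'nt: not an IPv6 CIDR: %s\n' "$cidr" >&2
    return 1
  fi
  printf '%s\n' "$cidr" >> "$IPLISTPATH/v6_world_rules"
  ip -6 route add "$cidr" via "$gw" dev "$dev"
}

#######################################
# Merge own_world_rules into world_rules with cidr-merger. The merged list
# is written to a temporary file and only moved into place when cidr-merger
# exits 0; previously a missing or failing cidr-merger produced an empty
# file that then replaced world_rules.
# Returns:   cidr-merger's exit status on failure, leaving world_rules intact
#######################################
function nt::build_world_rule() {
  local merged="$IPLISTPATH/_world_rules" rc=0
  cat "$IPLISTPATH/own_world_rules" "$IPLISTPATH/world_rules" \
    | cidr-merger --batch --cidr > "$merged" || rc=$?
  if (( rc != 0 )); then
    printf 'nt: cidr-merger failed (%d); %s left untouched\n' "$rc" "$IPLISTPATH/world_rules" >&2
    rm -f -- "$merged"
    return "$rc"
  fi
  mv -- "$merged" "$IPLISTPATH/world_rules"
}

# Install cidr-merger with the Go toolchain. `go get` stopped installing
# binaries in Go 1.18, so the module-aware `go install pkg@version` form is
# used; @latest is unpinned, so pin a version where reproducibility matters.
function nt::install_cider_merger() {
  go install github.com/zhanhb/cidr-merger@latest
}

echo "ARCH: $ARCHITECTURE"
echo "Libroot: $LIBROOT"
source "$LIBROOT/wg.sh"
source "$LIBROOT/ssu.sh"
source "$LIBROOT/badvpn.sh"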