OpenClash: Fix DNS-hijacking related firewall rules

Co-authored-by: vernesong <42875168+vernesong@users.noreply.github.com>
Signed-off-by: CN_SZTL <cnsztl@project-openwrt.eu.org>
Tim Zhang 2021-01-26 22:47:38 +08:00 committed by CN_SZTL
parent bf200c0467
commit f790f0ca78
GPG Key ID: 6850B6345C862176


@ -1200,15 +1200,16 @@ firewall_redirect_exclude()
set_firewall()
{
if [ "$enable_redirect_dns" -eq 1 ] && [ -z "$(iptables -t nat -nL PREROUTING --line-number |grep "redir ports 53$")"]; then
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
DNSPORT="$(uci get dhcp.@dnsmasq[0].port 2>/dev/null || echo 53)"
if [ "$enable_redirect_dns" -eq 1 ] && [ -z "$(iptables -t nat -nL PREROUTING --line-number |grep 'dns_hijack')"]; then
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports "$DNSPORT" -m comment --comment dns_hijack
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports "$DNSPORT" -m comment --comment dns_hijack
fi
if [ "$(iptables -t nat -nL PREROUTING --line-number |grep "redir ports 53" |wc -l)" -gt 2 ] && [ "$enable_redirect_dns" -eq 1 ]; then
if [ "$(iptables -t nat -nL PREROUTING --line-number | grep "redir port $DNSPORT" | wc -l)" -gt 2 ] && [ "$enable_redirect_dns" -eq 1 ]; then
echo "发现53端口被劫持清理防火墙规则..." >$START_LOG
pre_lines=$(iptables -nvL PREROUTING -t nat |sed 1,2d |sed -n '/redir ports 53/=' 2>/dev/null |sort -rn)
pre_lines=$(iptables -nvL PREROUTING -t nat |sed 1,2d | sed -n "/redir port $DNSPORT/=" 2>/dev/null |sort -rn)
for pre_line in $pre_lines; do
iptables -t nat -D PREROUTING "$pre_line" >/dev/null 2>&1
done
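Review bot: The new count and cleanup patterns, `grep "redir port $DNSPORT"` and `sed -n "/redir port $DNSPORT/="`, drop the `$` anchor the removed lines had, so with the default `DNSPORT=53` any PREROUTING REDIRECT to 530–539 or 5353 (a common alternate port for a second resolver) is counted and then deleted on the `iptables -t nat -D PREROUTING "$pre_line"` line, silently removing rules this script does not own. Anchoring restores the old behaviour while keeping the variable port: `[ "$(iptables -t nat -nL PREROUTING --line-number | grep -c "redir ports ${DNSPORT}\$")" -gt 2 ]` and `pre_lines=$(iptables -nvL PREROUTING -t nat | sed 1,2d | sed -n "/redir ports ${DNSPORT}\$/=" 2>/dev/null | sort -rn)`. The new guard `[ -z "$(... | grep 'dns_hijack')"]` also carries over the missing space before `]`; it only works by accident (`[ -z ]` is true, and the non-empty case fails with a "missing ]" error), so it should read `[ -z "$(iptables -t nat -nL PREROUTING --line-number | grep 'dns_hijack')" ]`. If `dhcp.@dnsmasq[0].port` is set to 0 (dnsmasq DNS disabled) the `--to-ports 0` REDIRECT will be rejected by iptables, so the fallback on the `DNSPORT=` line should presumably also map 0 to 53 — worth confirming against how OpenClash configures dnsmasq. set_firewall continues past the end of the hunk.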
@ -1521,6 +1522,11 @@ revert_firewall()
done >/dev/null 2>&1
iptables -t nat -D PREROUTING -p tcp -j openclash >/dev/null 2>&1
pre_lines=$(iptables -nvL PREROUTING -t nat |sed 1,2d |sed -n '/dns_hijack/=' 2>/dev/null |sort -rn)
for pre_line in $pre_lines; do
iptables -t nat -D PREROUTING "$pre_line" >/dev/null 2>&1
done >/dev/null 2>&1
#ipv6
#ip6tables -t mangle -F openclash >/dev/null 2>&1
#ip6tables -t mangle -D PREROUTING -p udp -j openclash >/dev/null 2>&1