diff --git a/package/ctcgfw/luci-app-openclash/root/etc/init.d/openclash b/package/ctcgfw/luci-app-openclash/root/etc/init.d/openclash
index 21fad97232..d2b9544ba2 100755
--- a/package/ctcgfw/luci-app-openclash/root/etc/init.d/openclash
+++ b/package/ctcgfw/luci-app-openclash/root/etc/init.d/openclash
@@ -1200,15 +1200,16 @@ firewall_redirect_exclude()
 set_firewall()
 {
-
-if [ "$enable_redirect_dns" -eq 1 ] && [ -z "$(iptables -t nat -nL PREROUTING --line-number |grep "redir ports 53$")"]; then
- iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
- iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
+
+DNSPORT="$(uci get dhcp.@dnsmasq[0].port 2>/dev/null || echo 53)"
+if [ "$enable_redirect_dns" -eq 1 ] && [ -z "$(iptables -t nat -nL PREROUTING --line-number |grep 'dns_hijack')"]; then
+ iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports "$DNSPORT" -m comment --comment dns_hijack
+ iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports "$DNSPORT" -m comment --comment dns_hijack
 fi
-if [ "$(iptables -t nat -nL PREROUTING --line-number |grep "redir ports 53" |wc -l)" -gt 2 ] && [ "$enable_redirect_dns" -eq 1 ]; then
+if [ "$(iptables -t nat -nL PREROUTING --line-number | grep "redir port $DNSPORT" | wc -l)" -gt 2 ] && [ "$enable_redirect_dns" -eq 1 ]; then
 echo "发现53端口被劫持,清理防火墙规则..." >$START_LOG
- pre_lines=$(iptables -nvL PREROUTING -t nat |sed 1,2d |sed -n '/redir ports 53/=' 2>/dev/null |sort -rn)
+ pre_lines=$(iptables -nvL PREROUTING -t nat |sed 1,2d | sed -n "/redir port $DNSPORT/=" 2>/dev/null |sort -rn)
 for pre_line in $pre_lines; do
 iptables -t nat -D PREROUTING "$pre_line" >/dev/null 2>&1
 done
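Review bot: The hijack-cleanup check and its sed pattern were changed from `redir ports 53` to `redir port $DNSPORT`, but iptables' REDIRECT target prints the plural form `redir ports N`, so as far as I can tell neither the `-gt 2` test nor `sed -n "/redir port $DNSPORT/="` ever matches again and stale DNS redirects added by other tools are no longer cleared; `grep "redir ports $DNSPORT"` and `sed -n "/redir ports $DNSPORT/="` restore the match. The new `DNSPORT` is also used unvalidated: a dnsmasq `port` of `0` or any non-numeric value reaches `--to-ports` and is interpolated into the sed regex, so guard it once after the uci lookup, e.g. `case "$DNSPORT" in ''|*[!0-9]*) DNSPORT=53 ;; esac`. The retained `[ -z "$(...)"]` has no space before `]`, so `[` reports "missing ]" and returns non-zero whenever the grep output is non-empty — that happens to produce the wanted skip only by accident, and the empty case passes only because the lone `]` argument closes the test; write it as `[ -z "$(...)" ]`. set_firewall continues outside the hunk.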
@@ -1521,6 +1522,11 @@ revert_firewall()
 done >/dev/null 2>&1
 iptables -t nat -D PREROUTING -p tcp -j openclash >/dev/null 2>&1
+ pre_lines=$(iptables -nvL PREROUTING -t nat |sed 1,2d |sed -n '/dns_hijack/=' 2>/dev/null |sort -rn)
+ for pre_line in $pre_lines; do
+ iptables -t nat -D PREROUTING "$pre_line" >/dev/null 2>&1
+ done >/dev/null 2>&1
+
 #ipv6
 #ip6tables -t mangle -F openclash >/dev/null 2>&1
 #ip6tables -t mangle -D PREROUTING -p udp -j openclash >/dev/null 2>&1
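Review bot: The new deletion loop in revert_firewall carries no comment explaining why the `dns_hijack` rules are removed by position instead of by spec, and the positional approach only works because `sed 1,2d` strips exactly the two header lines of `iptables -nvL` and `sort -rn` deletes bottom-up so the remaining numbers stay valid; presumably the spec route was avoided because the port the rule was built with may have changed since set_firewall ran, but that is not visible here. I would add above `pre_lines=`: `# Remove our dns_hijack rules by position, highest first, so earlier rule numbers stay valid; positions assume 'sed 1,2d' drops exactly the two -nvL header lines.` The identical list-then-delete loop now also exists in set_firewall, so it could be factored into one helper that takes the match pattern as its argument. revert_firewall starts before this hunk.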