From f790f0ca78fbd033b1bf83d35a89361d7495e48e Mon Sep 17 00:00:00 2001
From: Tim Zhang
Date: Tue, 26 Jan 2021 22:47:38 +0800
Subject: [PATCH] OpenClash: Fix DNS-hijacking related firewall rules
Co-authored-by: vernesong <42875168+vernesong@users.noreply.github.com>
Signed-off-by: CN_SZTL
---
 .../root/etc/init.d/openclash | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/package/ctcgfw/luci-app-openclash/root/etc/init.d/openclash b/package/ctcgfw/luci-app-openclash/root/etc/init.d/openclash
index 21fad97232..d2b9544ba2 100755
--- a/package/ctcgfw/luci-app-openclash/root/etc/init.d/openclash
+++ b/package/ctcgfw/luci-app-openclash/root/etc/init.d/openclash
@@ -1200,15 +1200,16 @@ firewall_redirect_exclude()
 set_firewall() {
-
-if [ "$enable_redirect_dns" -eq 1 ] && [ -z "$(iptables -t nat -nL PREROUTING --line-number |grep "redir ports 53$")"]; then
- iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
- iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
+
+DNSPORT="$(uci get dhcp.@dnsmasq[0].port 2>/dev/null || echo 53)"
+if [ "$enable_redirect_dns" -eq 1 ] && [ -z "$(iptables -t nat -nL PREROUTING --line-number |grep 'dns_hijack')"]; then
+ iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports "$DNSPORT" -m comment --comment dns_hijack
+ iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports "$DNSPORT" -m comment --comment dns_hijack
 fi
-if [ "$(iptables -t nat -nL PREROUTING --line-number |grep "redir ports 53" |wc -l)" -gt 2 ] && [ "$enable_redirect_dns" -eq 1 ]; then
+if [ "$(iptables -t nat -nL PREROUTING --line-number | grep "redir port $DNSPORT" | wc -l)" -gt 2 ] && [ "$enable_redirect_dns" -eq 1 ]; then
 echo "发现53端口被劫持,清理防火墙规则..." >$START_LOG
- pre_lines=$(iptables -nvL PREROUTING -t nat |sed 1,2d |sed -n '/redir ports 53/=' 2>/dev/null |sort -rn)
+ pre_lines=$(iptables -nvL PREROUTING -t nat |sed 1,2d | sed -n "/redir port $DNSPORT/=" 2>/dev/null |sort -rn)
 for pre_line in $pre_lines; do
 iptables -t nat -D PREROUTING "$pre_line" >/dev/null 2>&1
 done
@@ -1521,6 +1522,11 @@ revert_firewall()
 done >/dev/null 2>&1
 iptables -t nat -D PREROUTING -p tcp -j openclash >/dev/null 2>&1
+ pre_lines=$(iptables -nvL PREROUTING -t nat |sed 1,2d |sed -n '/dns_hijack/=' 2>/dev/null |sort -rn)
+ for pre_line in $pre_lines; do
+ iptables -t nat -D PREROUTING "$pre_line" >/dev/null 2>&1
+ done >/dev/null 2>&1
+
 #ipv6
 #ip6tables -t mangle -F openclash >/dev/null 2>&1
 #ip6tables -t mangle -D PREROUTING -p udp -j openclash >/dev/null 2>&1
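Review bot: The count check and the cleanup `sed` in the first hunk now look for `redir port $DNSPORT`, but the `iptables -L` output that the removed lines matched prints the plural `redir ports 53`, so with the default port the substring never matches, the `-gt 2` branch is never taken and the deletion loop removes nothing; restoring the plural fixes both lines: `grep "redir ports $DNSPORT" | wc -l` and `sed -n "/redir ports $DNSPORT/="`. The new `[ -z "$(... grep 'dns_hijack')"]; then` also keeps the closing bracket glued to the string, which, unless that is an extraction artifact in this copy, makes `[` report a missing `]` and return non-zero so the two REDIRECT rules are never installed; it should read `... 'dns_hijack')" ]; then`. `DNSPORT` falls back to 53 only when `uci get` fails, so a dnsmasq section whose `port` is explicitly `0` (DNS disabled) would presumably produce `--to-ports 0`; a guard such as `[ "$DNSPORT" -gt 0 ] 2>/dev/null || DNSPORT=53` is worth considering. set_firewall continues past the end of this hunk, and the hunk header counts suggest a few trailing context lines were lost in this copy.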