"#!/usr/sbin/nft -f
# Removes every table in every family before loading this file.  Any host
# firewall (e.g. an input filter) installed by another tool is wiped as well,
# and nothing below re-creates one: this file only adds nat/mangle diversion
# chains, no input-hook chain.
flush ruleset
# Transparent-proxy diversion for sing-box.  TCP is REDIRECTed to :9777 from
# the nat hooks; UDP is TPROXYed to :9888 from the mangle/route hooks.  The
# "inet" family lets one chain handle IPv4 and IPv6 together.
table inet singbox {
# Resolvers that must stay direct; every chain returns on them before any
# redirect/tproxy statement.
set china_dns_ipv4 {
type ipv4_addr;
elements = { 223.5.5.5, 223.6.6.6, 114.114.114.114, 114.114.115.115 };
}
set china_dns_ipv6 {
type ipv6_addr;
elements = { 2400:3200::1, 2400:3200:baba::1 };
}
# Fake-IP destination ranges.  The host's own TCP to these ranges is the only
# traffic redirect-output diverts; everything else from this host goes direct.
set fake_ipv4 {
type ipv4_addr;
flags interval;
elements = { 198.18.0.0/15 };
}
set fake_ipv6 {
type ipv6_addr;
flags interval;
elements = { fc00::/18 };
}
# Private/special-use destinations that bypass the proxy.  This is not the full
# special-purpose list (e.g. 100.64.0.0/10 and 192.0.0.0/24 are absent) —
# presumably deliberate; confirm for the deployment.
set local_ipv4 {
type ipv4_addr;
flags interval;
elements = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 };
}
# IPv6 counterpart.  Loopback, the unspecified address and ff00::/8 are not
# listed; the "fib daddr type" rule at the top of each chain is what returns
# host-local and multicast traffic.
set local_ipv6 {
type ipv6_addr;
flags interval;
elements = { ::ffff:0.0.0.0/96, 64:ff9b::/96, 100::/64, 2001:10::/28, 2001:20::/28, 2001:db8::/32, 2002::/16, fe80::/10 };
}
# Target of redirect-prerouting for new TCP flows: bail out for anything
# addressed to this host, a bypass range or a direct resolver; otherwise
# redirect to the local listener on :9777.
chain redirect-proxy {
fib daddr type { unspec, local, anycast, multicast } return
ip daddr @local_ipv4 return
ip6 daddr @local_ipv6 return
ip daddr @china_dns_ipv4 return
ip6 daddr @china_dns_ipv6 return
meta l4proto tcp redirect to :9777
}
# nat/prerouting: TCP arriving on ANY interface that is not for this host.
# There is no iifname match, so traffic forwarded from an untrusted interface
# is diverted exactly like LAN traffic — confirm this is the intended exposure.
chain redirect-prerouting {
type nat hook prerouting priority dstnat; policy accept;
meta l4proto != tcp return
# "ct state new" limits this to a flow's first packet; NAT for the remaining
# packets follows the conntrack entry.
ct state new ct direction original goto redirect-proxy
}
# nat/output: the host's own TCP.  Only fake-IP destinations are redirected;
# the host's TCP to real addresses is never proxied by this chain.
chain redirect-output {
type nat hook output priority dstnat; policy accept;
meta l4proto != tcp return
fib daddr type { unspec, local, anycast, multicast } return
ip daddr @fake_ipv4 meta l4proto tcp redirect to :9777
ip6 daddr @fake_ipv6 meta l4proto tcp redirect to :9777
}
# Target of tproxy-prerouting for UDP: the same bypass list as redirect-proxy
# plus NTP (dport 123).  The rest gets packet mark 1 and conntrack mark 1 and
# is handed to the TPROXY listener on :9888; "accept" ends evaluation of this
# chain.  Mark 1 must match the policy-routing rule that delivers marked
# packets locally (not part of this file).
chain tproxy-proxy {
fib daddr type { unspec, local, anycast, multicast } return
ip daddr @local_ipv4 return
ip6 daddr @local_ipv6 return
ip daddr @china_dns_ipv4 return
ip6 daddr @china_dns_ipv6 return
udp dport {123} return
ip protocol udp meta mark set 1 ct mark set 1 tproxy ip to :9888 accept
ip6 nexthdr udp meta mark set 1 ct mark set 1 tproxy ip6 to :9888 accept
}
# route/output helper: marks the host's own UDP so that policy routing can
# loop it back through prerouting.  No "accept" here; the chain falls through.
chain tproxy-mark {
fib daddr type { unspec, local, anycast, multicast } return
ip daddr @local_ipv4 return
ip6 daddr @local_ipv6 return
ip daddr @china_dns_ipv4 return
ip6 daddr @china_dns_ipv6 return
udp dport {123} return
meta mark set 1
# Original note (translated): "nslookup google.com 1.1.1.1 returns no IP —
# delete this line".  Plausible cause: once the conntrack mark is 1, a packet
# that re-enters prerouting matches "ct mark 1 ... return" there and never
# reaches tproxy-proxy — confirm before relying on this chain.
meta l4proto udp ct mark set 1 # nslookup google.com 1.1.1.1 returns no IP; delete this line
}
# mangle/prerouting: UDP only.  Reply-direction packets are left alone; packets
# of a flow whose conntrack entry already carries mark 1 just get the packet
# mark re-applied and stop here; only unmarked original-direction packets go to
# tproxy-proxy.  No iifname match — applies to every ingress interface.
chain tproxy-prerouting {
type filter hook prerouting priority mangle; policy accept;
meta l4proto != udp return
ct direction reply return
ct direction original ct mark 1 meta mark set 1 return
ct direction original goto tproxy-proxy
}
# route/output: the host's own UDP.
chain tproxy-output {
type route hook output priority mangle; policy accept;
meta l4proto != udp return
# Sockets owned by gid 0 are skipped — presumably so the proxy's own (root)
# egress is not looped back into itself.  Any other root-run client is then
# also left unproxied, which is what the original note reports.
meta skgid 0 return # nslookup google.com 1.1.1.1 returns no IP; delete this line
ct direction reply return
ct direction original ct mark 1 meta mark set 1 return
ct direction original goto tproxy-mark
}
}
"
# Removes every table in every family before loading this file.  Any host
# firewall (e.g. an input filter) installed by another tool is wiped as well,
# and nothing below re-creates one: this file only adds nat/mangle diversion
# chains, no input-hook chain.
flush ruleset
# Transparent-proxy diversion for sing-box.  TCP is REDIRECTed to :9777 from
# the nat hooks; UDP is TPROXYed to :9888 from the mangle/route hooks.  The
# "inet" family lets one chain handle IPv4 and IPv6 together.
table inet singbox {
# Resolvers that must stay direct; every chain returns on them before any
# redirect/tproxy statement.
set china_dns_ipv4 {
type ipv4_addr;
elements = { 223.5.5.5, 223.6.6.6, 114.114.114.114, 114.114.115.115 };
}
set china_dns_ipv6 {
type ipv6_addr;
elements = { 2400:3200::1, 2400:3200:baba::1 };
}
# Fake-IP destination ranges.  The host's own TCP to these ranges is the only
# traffic redirect-output diverts; everything else from this host goes direct.
set fake_ipv4 {
type ipv4_addr;
flags interval;
elements = { 198.18.0.0/15 };
}
set fake_ipv6 {
type ipv6_addr;
flags interval;
elements = { fc00::/18 };
}
# Private/special-use destinations that bypass the proxy.  This is not the full
# special-purpose list (e.g. 100.64.0.0/10 and 192.0.0.0/24 are absent) —
# presumably deliberate; confirm for the deployment.
set local_ipv4 {
type ipv4_addr;
flags interval;
elements = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 };
}
# IPv6 counterpart.  Loopback, the unspecified address and ff00::/8 are not
# listed; the "fib daddr type" rule at the top of each chain is what returns
# host-local and multicast traffic.
set local_ipv6 {
type ipv6_addr;
flags interval;
elements = { ::ffff:0.0.0.0/96, 64:ff9b::/96, 100::/64, 2001:10::/28, 2001:20::/28, 2001:db8::/32, 2002::/16, fe80::/10 };
}
# Target of redirect-prerouting for new TCP flows: bail out for anything
# addressed to this host, a bypass range or a direct resolver; otherwise
# redirect to the local listener on :9777.
chain redirect-proxy {
fib daddr type { unspec, local, anycast, multicast } return
ip daddr @local_ipv4 return
ip6 daddr @local_ipv6 return
ip daddr @china_dns_ipv4 return
ip6 daddr @china_dns_ipv6 return
meta l4proto tcp redirect to :9777
}
# nat/prerouting: TCP arriving on ANY interface that is not for this host.
# There is no iifname match, so traffic forwarded from an untrusted interface
# is diverted exactly like LAN traffic — confirm this is the intended exposure.
chain redirect-prerouting {
type nat hook prerouting priority dstnat; policy accept;
meta l4proto != tcp return
# "ct state new" limits this to a flow's first packet; NAT for the remaining
# packets follows the conntrack entry.
ct state new ct direction original goto redirect-proxy
}
# nat/output: the host's own TCP.  Only fake-IP destinations are redirected;
# the host's TCP to real addresses is never proxied by this chain.
chain redirect-output {
type nat hook output priority dstnat; policy accept;
meta l4proto != tcp return
fib daddr type { unspec, local, anycast, multicast } return
ip daddr @fake_ipv4 meta l4proto tcp redirect to :9777
ip6 daddr @fake_ipv6 meta l4proto tcp redirect to :9777
}
# Target of tproxy-prerouting for UDP: the same bypass list as redirect-proxy
# plus NTP (dport 123).  The rest gets packet mark 1 and conntrack mark 1 and
# is handed to the TPROXY listener on :9888; "accept" ends evaluation of this
# chain.  Mark 1 must match the policy-routing rule that delivers marked
# packets locally (not part of this file).
chain tproxy-proxy {
fib daddr type { unspec, local, anycast, multicast } return
ip daddr @local_ipv4 return
ip6 daddr @local_ipv6 return
ip daddr @china_dns_ipv4 return
ip6 daddr @china_dns_ipv6 return
udp dport {123} return
ip protocol udp meta mark set 1 ct mark set 1 tproxy ip to :9888 accept
ip6 nexthdr udp meta mark set 1 ct mark set 1 tproxy ip6 to :9888 accept
}
# route/output helper: marks the host's own UDP so that policy routing can
# loop it back through prerouting.  No "accept" here; the chain falls through.
chain tproxy-mark {
fib daddr type { unspec, local, anycast, multicast } return
ip daddr @local_ipv4 return
ip6 daddr @local_ipv6 return
ip daddr @china_dns_ipv4 return
ip6 daddr @china_dns_ipv6 return
udp dport {123} return
meta mark set 1
# Original note (translated): "nslookup google.com 1.1.1.1 returns no IP —
# delete this line".  Plausible cause: once the conntrack mark is 1, a packet
# that re-enters prerouting matches "ct mark 1 ... return" there and never
# reaches tproxy-proxy — confirm before relying on this chain.
meta l4proto udp ct mark set 1 # nslookup google.com 1.1.1.1 returns no IP; delete this line
}
# mangle/prerouting: UDP only.  Reply-direction packets are left alone; packets
# of a flow whose conntrack entry already carries mark 1 just get the packet
# mark re-applied and stop here; only unmarked original-direction packets go to
# tproxy-proxy.  No iifname match — applies to every ingress interface.
chain tproxy-prerouting {
type filter hook prerouting priority mangle; policy accept;
meta l4proto != udp return
ct direction reply return
ct direction original ct mark 1 meta mark set 1 return
ct direction original goto tproxy-proxy
}
# route/output: the host's own UDP.
chain tproxy-output {
type route hook output priority mangle; policy accept;
meta l4proto != udp return
# Sockets owned by gid 0 are skipped — presumably so the proxy's own (root)
# egress is not looped back into itself.  Any other root-run client is then
# also left unproxied, which is what the original note reports.
meta skgid 0 return # nslookup google.com 1.1.1.1 returns no IP; delete this line
ct direction reply return
ct direction original ct mark 1 meta mark set 1 return
ct direction original goto tproxy-mark
}
}
"
#路由规则
规则将按照从上到下的顺序匹配,匹配到规则不再往下匹配。
如请求为 udp,而代理节点没有 udp 支持 (例如`ss`节点没写`udp: true`),则会继续向下匹配
出站策略:
DIRECT、REJECT、策略组名字、节点名字、sub-rule
rules:
- DOMAIN-SUFFIX,google.com,Proxy #匹配域名后缀(交由Proxy代理服务器组)
- DOMAIN,google.com,REJECT #匹配域名(拒绝)
- DOMAIN-KEYWORD,google,Proxy #匹配域名关键字(交由Proxy代理服务器组)
- IP-CIDR,127.0.0.0/8,DIRECT #匹配数据目标IP(直连)
- SRC-IP-CIDR,192.168.1.201/32,direct-wan1 #匹配数据发起IP(走WAN1口直连)
- DST-PORT,80,DIRECT #匹配数据目标端口(直连)(114-514/810-1919,65530)
- SRC-PORT,7777,DIRECT #匹配数据源端口(直连)
- NETWORK,udp,DIRECT #网络协议匹配
- DSCP,4,DIRECT #DSCP标记匹配 (仅限 tproxy udp 入站)
- AND,((DOMAIN,baidu.com),(NETWORK,UDP)),DIRECT #同时满足要求匹配
- OR,((NETWORK,UDP),(DOMAIN,baidu.com)),REJECT #满足任意要求匹配
- NOT,((DOMAIN,baidu.com)),PROXY #不匹配 baidu.com 的域名(交由Proxy代理服务器组)
- RULE-SET,youtube,proxy #规则集匹配
- GEOSITE,youtube,PROXY #GEOSITE数据库匹配
- GEOIP,CN,DIRECT #GEOIP数据库匹配
- IP-ASN,13335,DIRECT #目标ASN匹配(ASN数据库)
- IN-TYPE,SOCKS/HTTP,PROXY
- PROCESS-NAME,chrome.exe,PROXY
- SUB-RULE,(NETWORK,tcp),sub-rule #子规则匹配
- MATCH,auto
墙内机器或者 IPv6 only 机器,安装 np 或者安装面板,可能会遇到连接 github 或者 ghcr.io 不通的情况,可以使用以下在 worker 上部署的反代项目
项目: https://github.com/fscarmen2/Cloudflare-Accel
demo: https://accel.forvps.gq/
项目: https://github.com/fscarmen2/Cloudflare-Accel
demo: https://accel.forvps.gq/
#!/usr/sbin/nft -f
# Removes every table in every family before loading this file.  Any host
# firewall installed by another tool is wiped as well, and nothing below
# re-creates one: only mangle/route diversion chains follow, no input-hook chain.
flush ruleset
# Destinations that bypass the proxy: the RFC 1918 ranges plus loopback,
# link-local, "this network", multicast and the reserved class-E block.
# 100.64.0.0/10 (shared address space) and 255.255.255.255 are not listed —
# presumably deliberate; confirm for the deployment.
define RESERVED_IP = {
0.0.0.0/8,
10.0.0.0/8,
127.0.0.0/8,
169.254.0.0/16,
172.16.0.0/12,
192.0.0.0/24,
192.168.0.0/16,
224.0.0.0/4,
240.0.0.0/4
}
# The directly attached LAN; already covered by 10.0.0.0/8 above, kept as a
# separate, more explicit exclusion.
define LOCAL_NET = { 10.10.10.0/24 }
# Public resolvers that are reached directly, outside the proxy.
define REMOTE_DNS_IP = {
1.1.1.1,
1.0.0.1,
8.8.8.8,
8.8.4.4
}
# mihomo TPROXY diversion, IPv4.  Everything not excluded below gets packet
# mark 1 and, in prerouting, is handed to the TPROXY listener on :7895.  Mark 1
# must correspond to the policy-routing rule (not in this file) that delivers
# marked packets locally.
table ip mihomo {
# Traffic arriving on ANY interface (no iifname match).
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
# NOTE(review): there is no "fib daddr type local" guard, so a packet sent to
# an address of this host that is outside $RESERVED_IP/$LOCAL_NET (a public
# WAN address, for instance) would be tproxied as well — confirm.
ip daddr $RESERVED_IP return
ip daddr $LOCAL_NET return
ip daddr $REMOTE_DNS_IP return
# Plain DNS (53) and NTP (123) stay direct: client DNS to any resolver is
# neither proxied nor intercepted by this table — confirm that is intended.
udp dport { 53, 123 } return
# Packets already carrying the proxy's own fwmark are skipped (assumes the
# proxy sets 1234 on its sockets; otherwise its egress would be re-marked).
meta mark 1234 return
ip protocol tcp tproxy to :7895 meta mark set 1
ip protocol udp tproxy to :7895 meta mark set 1
}
# The host's own traffic.  Only the mark is set here; the tproxy statement runs
# in prerouting after policy routing loops the marked packet back.
chain output {
type route hook output priority mangle; policy accept;
ip daddr $RESERVED_IP return
ip daddr $LOCAL_NET return
ip daddr $REMOTE_DNS_IP return
udp dport { 53, 123 } return
meta mark 1234 return
ip protocol tcp meta mark set 1
ip protocol udp meta mark set 1
}
}
# ============ IPv6: sets are used here instead of defines ============
# mihomo TPROXY diversion, IPv6.  Same structure as the IPv4 table above.
table ip6 mihomo {
# Destinations that bypass the proxy: loopback, unspecified, link-local,
# multicast, the whole ULA block (fc00::/7), documentation and site-local.
set reserved_ip6 {
type ipv6_addr;
flags interval;
elements = {
::1/128,
::/128,
fe80::/10,
ff00::/8,
fc00::/7,
2001:db8::/32,
fec0::/10
}
}
# Public resolvers reached directly, outside the proxy.
set remote_dns_ip6 {
type ipv6_addr;
elements = {
2001:4860:4860::8888,
2001:4860:4860::8844,
2606:4700:4700::1111,
2606:4700:4700::1001
}
}
# Traffic arriving on ANY interface (no iifname match).  As in the IPv4 table,
# nothing matches "fib daddr type local", so host-bound traffic to a global
# address of this host would be tproxied too — confirm.
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
ip6 daddr @reserved_ip6 return
ip6 daddr @remote_dns_ip6 return
# Plain DNS and NTP stay direct (not intercepted by this table).
udp dport { 53, 123 } return
# Skip packets already carrying the proxy's own fwmark (assumes 1234).
meta mark 1234 return
# "ip6 nexthdr" matches only the first next-header; a packet carrying extension
# headers before TCP/UDP is not diverted ("meta l4proto" would look past them).
ip6 nexthdr tcp tproxy to :7895 meta mark set 1
ip6 nexthdr udp tproxy to :7895 meta mark set 1
}
# The host's own traffic: mark only, the tproxy statement runs in prerouting
# once policy routing loops the marked packet back.
chain output {
type route hook output priority mangle; policy accept;
ip6 daddr @reserved_ip6 return
ip6 daddr @remote_dns_ip6 return
udp dport { 53, 123 } return
meta mark 1234 return
ip6 nexthdr tcp meta mark set 1
ip6 nexthdr udp meta mark set 1
}
}
#!/usr/sbin/nft -f
# Removes every table in every family before loading this file.  Any host
# firewall installed by another tool is wiped as well, and nothing below
# re-creates one: only mangle diversion chains and an MSS clamp follow.
flush ruleset
# Destinations that bypass the proxy.  Unlike the earlier variant of this
# file, 0.0.0.0/8, 10.0.0.0/8 and 192.168.0.0/16 are NOT listed (only
# $LOCAL_NET below is), so RFC 1918 destinations outside 10.10.10.0/24 are
# proxied; 100.64.0.0/10 and the limited-broadcast address are excluded
# instead.  Presumably deliberate — confirm for the deployment.
define RESERVED_IP = {
100.64.0.0/10,
127.0.0.0/8,
169.254.0.0/16,
172.16.0.0/12,
192.0.0.0/24,
224.0.0.0/4,
240.0.0.0/4,
255.255.255.255/32
}
# IPv6 bypass list: loopback, unspecified, link-local, multicast, the whole
# ULA block (fc00::/7, which also contains $LOCAL_NET6), documentation, site-local.
define RESERVED_IP6 = {
::1/128,
::/128,
fe80::/10,
ff00::/8,
fc00::/7,
2001:db8::/32,
fec0::/10
}
# The directly attached LAN (v4 and v6).
define LOCAL_NET = { 10.10.10.0/24 }
define LOCAL_NET6 = { fddd:dddd::/64 }
# mihomo TPROXY diversion, IPv4.  Everything not excluded below gets packet
# mark 1 and, in prerouting, is handed to the TPROXY listener on :7895.  Mark 1
# must correspond to the policy-routing rule (not in this file) that delivers
# marked packets locally.  Unlike the earlier variant, udp/53 is NOT returned
# here, so client DNS is also diverted to the proxy — presumably intended.
table ip mihomo {
# Traffic arriving on ANY interface (no iifname match).
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
# NOTE(review): no "fib daddr type local" guard; traffic to an address of this
# host outside $RESERVED_IP/$LOCAL_NET (e.g. a public WAN address) would be
# tproxied as well — confirm.
ip daddr $RESERVED_IP return
ip daddr $LOCAL_NET return
# NTP stays direct.
udp dport { 123 } return
# Skip packets already carrying the proxy's own fwmark (assumes the proxy
# sets 1234 on its sockets; otherwise its egress would be re-marked).
meta mark 1234 return
ip protocol tcp tproxy to :7895 meta mark set 1
ip protocol udp tproxy to :7895 meta mark set 1
}
# The host's own traffic: mark only, the tproxy statement runs in prerouting
# once policy routing loops the marked packet back.
chain output {
type route hook output priority mangle; policy accept;
ip daddr $RESERVED_IP return
ip daddr $LOCAL_NET return
udp dport { 123 } return
meta mark 1234 return
ip protocol tcp meta mark set 1
ip protocol udp meta mark set 1
}
}
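# mihomo TPROXY diversion, IPv6.  Mirrors "table ip mihomo" above, except that
# NTP (udp dport 123) is not returned here, so IPv6 NTP is proxied while IPv4
# NTP is not — presumably an oversight; add "udp dport { 123 } return" to both
# chains if the two families are meant to behave alike.
table ip6 mihomo {
# Traffic arriving on ANY interface (no iifname match).  As in the IPv4 table
# there is no "fib daddr type local" guard, so traffic to a global address of
# this host would be tproxied too — confirm.
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
ip6 daddr $RESERVED_IP6 return
ip6 daddr $LOCAL_NET6 return
# Skip packets already carrying the proxy's own fwmark (assumes the proxy
# sets 1234 on its sockets; otherwise its egress would be re-marked).
meta mark 1234 return
# "ip6 nexthdr" matches only the first next-header; a packet carrying extension
# headers before TCP/UDP is not diverted ("meta l4proto" would look past them).
ip6 nexthdr tcp tproxy to :7895 meta mark set 1
ip6 nexthdr udp tproxy to :7895 meta mark set 1
}
# The host's own traffic: mark only, the tproxy statement runs in prerouting
# once policy routing loops the marked packet back.
chain output {
type route hook output priority mangle; policy accept;
ip6 daddr $RESERVED_IP6 return
ip6 daddr $LOCAL_NET6 return
meta mark 1234 return
ip6 nexthdr tcp meta mark set 1
ip6 nexthdr udp meta mark set 1
}
# IPv6 TCP MSS clamp for forwarded flows (for MTU 1280, MSS 1220).
chain forward {
type filter hook forward priority mangle; policy accept;
# MSS = MTU 1280 - 40 (IPv6 header) - 20 (TCP header) = 1220.  The previous
# value 1280 was the MTU, not the MSS, contradicting the note above and
# allowing peers to send segments that exceed the 1280-byte path.
# "tcp flags syn" covers SYN and SYN-ACK, so both directions are clamped.
tcp flags syn tcp option maxseg size set 1220
}
}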