"#!/usr/sbin/nft -f

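# Only (re)create this table. A bare `flush ruleset` would also wipe every
# other table in every family (host firewall, container/NAT rules, ...),
# leaving the box unfiltered until those are reloaded. Declaring the table
# first makes the delete succeed even on a fresh boot; deleting (rather than
# flushing) also drops stale set elements from a previous version of this file.
table inet singbox
delete table inet singbox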

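# sing-box transparent-proxy table.
#   TCP: REDIRECT to the proxy listener on :9777 -- forwarded flows in
#        prerouting, locally generated flows only when they target the
#        fake-IP ranges.
#   UDP: TPROXY to the proxy listener on :9888, with fwmark 1 / ct mark 1 so
#        later packets of a flow are routed to lo without re-entering the
#        tproxy rule.
# Flows to local/reserved prefixes and to the China DNS resolvers below bypass
# the proxy in every chain.
#
# NOTE(review): TPROXY only works together with a policy-routing rule that
# sends fwmark 1 to a table whose route is "local default dev lo" (ip rule /
# ip route); that configuration is not part of this file -- confirm it is
# installed before loading this ruleset.
table inet singbox {

    # Resolvers that must stay reachable directly rather than via the proxy
    # (presumably sing-box's own plain DNS upstreams -- verify against the
    # sing-box config).
    set china_dns_ipv4 {
        type ipv4_addr;
        elements = { 223.5.5.5, 223.6.6.6, 114.114.114.114, 114.114.115.115 };
    }

    set china_dns_ipv6 {
        type ipv6_addr;
        elements = { 2400:3200::1, 2400:3200:baba::1 };
    }

    # Addresses presumably handed out as fake IPs by the proxy's DNS (verify
    # against the sing-box config); locally generated TCP to these is the only
    # local TCP that gets redirected (see redirect-output).
    # 198.18.0.0/15 is the RFC 2544 benchmarking range.
    set fake_ipv4 {
        type ipv4_addr;
        flags interval;
        elements = { 198.18.0.0/15 };
    }

    # fc00::/18 sits in the unassigned half of the ULA block (fc00::/7), so it
    # does not collide with fd00::/8 ULA prefixes in use on a LAN.
    set fake_ipv6 {
        type ipv6_addr;
        flags interval;
        elements = { fc00::/18 };
    }

    # Private, loopback, link-local, multicast and reserved IPv4 prefixes:
    # never proxied.
    # NOTE(review): 100.64.0.0/10 (CGNAT, RFC 6598) is not listed, so traffic
    # to a CGNAT upstream would be sent to the proxy -- add it if that applies.
    set local_ipv4 {
        type ipv4_addr;
        flags interval;
        elements = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 };
    }

    # IPv4-mapped/translated, discard-only, ORCHID, documentation, 6to4 and
    # link-local IPv6 prefixes: never proxied.
    # NOTE(review): fd00::/8 (assigned ULA) is absent, so LAN-to-LAN ULA
    # traffic forwarded through this host would be proxied. Do not add the
    # whole fc00::/7 here -- that would also swallow the fake_ipv6 range.
    set local_ipv6 {
        type ipv6_addr;
        flags interval;
        elements = { ::ffff:0.0.0.0/96, 64:ff9b::/96, 100::/64, 2001:10::/28, 2001:20::/28, 2001:db8::/32, 2002::/16, fe80::/10 };
    }

    # TCP bypass list + REDIRECT; entered only from redirect-prerouting.
    chain redirect-proxy {
        # Packets addressed to this host (or unspecified/anycast/multicast
        # destinations) are never redirected.
        fib daddr type { unspec, local, anycast, multicast } return
        ip daddr @local_ipv4 return
        ip6 daddr @local_ipv6 return
        ip daddr @china_dns_ipv4 return
        ip6 daddr @china_dns_ipv6 return
        meta l4proto tcp redirect to :9777
    }

    # Forwarded TCP: the first packet of each new connection goes to
    # redirect-proxy.
    # NOTE(review): there is no iifname restriction, so every host that can
    # route through this machine gets its TCP proxied, not just the LAN. A
    # first rule such as `iifname != "<lan-if>" return` limits that (the
    # interface name is not known from this file).
    chain redirect-prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        meta l4proto != tcp return
        ct state new ct direction original goto redirect-proxy
    }

    # Locally generated TCP: only connections to a fake IP are redirected;
    # everything else (including the proxy's own upstream connections) leaves
    # untouched, so no owner/gid exclusion is needed here.
    chain redirect-output {
        type nat hook output priority dstnat; policy accept;
        meta l4proto != tcp return
        fib daddr type { unspec, local, anycast, multicast } return
        ip daddr @fake_ipv4 meta l4proto tcp redirect to :9777
        ip6 daddr @fake_ipv6 meta l4proto tcp redirect to :9777
    }

    # UDP bypass list + TPROXY; entered from tproxy-prerouting for the first
    # packet of a flow (forwarded, or -- assuming the fwmark-1 policy route --
    # looped back over lo from tproxy-output).
    chain tproxy-proxy {
        fib daddr type { unspec, local, anycast, multicast } return
        ip daddr @local_ipv4 return
        ip6 daddr @local_ipv6 return
        ip daddr @china_dns_ipv4 return
        ip6 daddr @china_dns_ipv6 return
        # NTP stays direct.
        udp dport 123 return
        # fwmark 1 routes the packet to lo; ct mark 1 lets later packets of
        # the same flow take the short path in tproxy-prerouting and
        # tproxy-output without being TPROXYed again.
        ip protocol udp meta mark set 1 ct mark set 1 tproxy ip to :9888 accept
        ip6 nexthdr udp meta mark set 1 ct mark set 1 tproxy ip6 to :9888 accept
    }

    # Locally generated UDP: same bypass list, then only the fwmark is set so
    # the route hook re-routes the packet to lo, where tproxy-prerouting hands
    # it to tproxy-proxy.
    chain tproxy-mark {
        fib daddr type { unspec, local, anycast, multicast } return
        ip daddr @local_ipv4 return
        ip6 daddr @local_ipv6 return
        ip daddr @china_dns_ipv4 return
        ip6 daddr @china_dns_ipv6 return
        udp dport 123 return
        meta mark set 1
        # The original also did `ct mark set 1` at this point. With the ct
        # mark already set, the looped-back first packet matches the
        # "ct mark 1 -> set fwmark, return" shortcut in tproxy-prerouting
        # before it ever reaches the tproxy rule, so it is delivered to its
        # original destination port instead of :9888 (the author's own note
        # reported `nslookup google.com 1.1.1.1` returning no address). The ct
        # mark is now set only by tproxy-proxy, once the packet has actually
        # been TPROXYed -- the same path forwarded flows take.
    }

    # Forwarded (and lo-looped local) UDP.
    # NOTE(review): as with redirect-prerouting, no iifname restriction --
    # anyone who can route through this host gets their UDP proxied.
    chain tproxy-prerouting {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto != udp return
        # Reply-direction packets are never marked.
        ct direction reply return
        # Established, already-proxied flow: only restore the fwmark so the
        # packet is routed to lo.
        ct direction original ct mark 1 meta mark set 1 return
        ct direction original goto tproxy-proxy
    }

    # Route-type output hook: the packet is re-routed after the fwmark is set.
    chain tproxy-output {
        type route hook output priority mangle; policy accept;
        meta l4proto != udp return
        # Sockets owned by gid 0 bypass the proxy. This is the only thing that
        # keeps the proxy's own outbound UDP (if sing-box runs as root) from
        # being marked and looped back into itself. The original note said to
        # delete this line when `nslookup google.com 1.1.1.1` returns nothing;
        # that symptom most likely comes from running nslookup as root, which
        # this rule deliberately exempts. Test as an unprivileged user
        # instead, or run sing-box under a dedicated group and match that gid
        # here (`meta skgid <singbox-group> return`). Removing the line
        # outright risks a routing loop.
        meta skgid 0 return
        ct direction reply return
        ct direction original ct mark 1 meta mark set 1 return
        ct direction original goto tproxy-mark
    }
}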
"
 
 