cleaned up root, + added fwd functions for excluding/blocking

2025-02-02 22:56:59 +05:00
parent a9f869a9c0
commit 381c5c1442
17 changed files with 194 additions and 107 deletions
--- a/etc/config/xray
+++ b/etc/config/xray
@@ -3,7 +3,7 @@ config xray 'enabled'
 	option enabled '1'

 config xray 'config'
-	option confdir '/root/xray_config'
+	option confdir '/etc/xray/config'
 	option datadir '/usr/share/xray'
 	option dialer ''
 	option format 'json'
--- a/etc/init.d/xray
+++ b/etc/init.d/xray
@@ -26,7 +26,7 @@ start_service() {
 	config_get format "config" "format" "json"

 	# runs iptables setup
-    /root/configure_xray_startup.sh
+    /etc/xray/startup.sh

 	procd_open_instance "$CONF"
 	procd_set_param command "$PROG" run
--- a/etc/xray/config/01_log.json
+++ b/etc/xray/config/01_log.json
@@ -0,0 +1,9 @@
+{
+    "log":
+    {
+        "access": "/etc/xray/log/access.log",
+        "dnsLog": false,
+        "error": "/etc/xray/log/error.log",
+        "loglevel": "none"
+    }
+}
--- a/etc/xray/config/02_transport.json
+++ b/etc/xray/config/02_transport.json
@@ -0,0 +1,24 @@
+{
+    "transport":
+    {
+        "domainStrategy": "IPIfNonMatch",
+        "grpcSettings":
+        {
+            "health_check_timeout": 20,
+            "idle_timeout": 60,
+            "initial_windows_size": 35536,
+            "permit_without_stream": true
+        },
+        "httpSettings":
+        {
+            "health_check_timeout": 15,
+            "read_idle_timeout": 10
+        },
+        "sockopt":
+        {
+            "tcpFastOpen": true,
+            "tcpMptcp": true,
+            "tcpNoDelay": true
+        }
+    }
+}
--- a/etc/xray/config/03_inbounds.json
+++ b/etc/xray/config/03_inbounds.json
@@ -0,0 +1,33 @@
+{
+    "inbounds":
+    [
+        {
+            "port": 61219,
+            "protocol": "dokodemo-door",
+            "settings":
+            {
+                "followRedirect": true,
+                "network": "tcp,udp"
+            },
+            "sniffing":
+            {
+                "destOverride":
+                [
+                    "http",
+                    "tls",
+                    "quic"
+                ],
+                "enabled": true,
+                "routeOnly": true
+            },
+            "streamSettings":
+            {
+                "sockopt":
+                {
+                    "tproxy": "tproxy"
+                }
+            },
+            "tag": "tproxy"
+        }
+    ]
+}
--- a/etc/xray/config/04_outbounds.json
+++ b/etc/xray/config/04_outbounds.json
@@ -0,0 +1,60 @@
+{
+    "outbounds":
+    [
+        {
+            "protocol": "vless",
+            "settings":
+            {
+                "vnext":
+                [
+                    {
+                        "address": "1.1.1.1",
+                        "port": 443,
+                        "users":
+                        [
+                            {
+                                "encryption": "none",
+                                "flow": "xtls-rprx-vision",
+                                "id": "00000000-0000-0000-0000-000000000000",
+                                "level": 0
+                            }
+                        ]
+                    }
+                ]
+            },
+            "streamSettings":
+            {
+                "network": "tcp",
+                "realitySettings":
+                {
+                    "fingerprint": "chrome",
+                    "publicKey": "",
+                    "serverName": "",
+                    "shortId": "",
+                    "spiderX": "/"
+                },
+                "security": "reality"
+            },
+            "tag": "vless-reality"
+        },
+        {
+            "protocol": "freedom",
+            "tag": "direct"
+        },
+        {
+            "protocol": "blackhole",
+            "settings":
+            {
+                "response":
+                {
+                    "type": "http"
+                }
+            },
+            "tag": "block"
+        },
+        {
+            "protocol": "dns",
+            "tag": "dns"
+        }
+    ]
+}
--- a/etc/xray/config/05_routing.json
+++ b/etc/xray/config/05_routing.json
@@ -0,0 +1,99 @@
+{
+  "routing": {
+    "rules": [
+      // Capture DNS
+      {
+        "inboundTag": ["redirect", "tproxy"],
+        "outboundTag": "dns",
+        "type": "field",
+        "port": 53
+      },
+      // Block QUIC
+      {
+        "inboundTag": ["redirect", "tproxy"],
+        "outboundTag": "block",
+        "type": "field",
+        "protocol": ["quic"]
+      },
+      // Force specific source IPs to go direct
+      {
+        "inboundTag": ["redirect", "tproxy"],
+        "outboundTag": "direct",
+        "type": "field",
+        "source": [
+          "192.168.2.255",
+          "192.168.2.254"
+        ]
+      },
+      // Block common ads and other stuff
+      {
+        "inboundTag": ["redirect", "tproxy"],
+        "outboundTag": "block",
+        "type": "field",
+        "domain": [
+          "geosite:category-ads-all",
+          "google-analytics",
+          "analytics.yandex",
+          "appcenter.ms",
+          "app-measurement.com",
+          "firebase.io",
+          "crashlytics.com"
+        ]
+      },
+      // Force BitTorrent to go through direct
+      {
+        "inboundTag": ["redirect", "tproxy"],
+        "outboundTag": "direct",
+        "type": "field",
+        "protocol": ["bittorrent"]
+      },     
+      // Explicitly force direct
+      {
+        "inboundTag": ["redirect", "tproxy"],
+        "outboundTag": "direct",
+        "type": "field",
+        "domain": [
+          "regexp:^([\\w\\-\\.]+\\.)ru$",  // .ru
+          "regexp:^([\\w\\-\\.]+\\.)su$",  // .su
+          "regexp:^([\\w\\-\\.]+\\.)xn--p1ai$",  // .рф
+          "regexp:^([\\w\\-\\.]+\\.)xn--p1acf$",  // .рус
+          "regexp:^([\\w\\-\\.]+\\.)xn--80asehdb$",  // .онлайн
+          "regexp:^([\\w\\-\\.]+\\.)xn--c1avg$", // .орг
+          "regexp:^([\\w\\-\\.]+\\.)xn--80aswg$",  // .сайт
+          "regexp:^([\\w\\-\\.]+\\.)xn--80adxhks$",  // .москва
+          "regexp:^([\\w\\-\\.]+\\.)moscow$",  //  .moscow
+          "regexp:^([\\w\\-\\.]+\\.)xn--d1acj3b$",  // .дети
+          "regexp:^([\\w\\-\\.]+\\.)yandex$",  // .yandex
+          "geosite:category-ru",
+          "geosite:category-gov-ru",
+          "geosite:yandex",
+          "geosite:steam",
+          "geosite:vk",
+          "geosite:category-gov-ru",
+          "regexp:^assets(\\d*?)\\.xboxlive\\.com$",
+          "domain:rt.ru",
+          "domain:ngenix.net",
+          "domain:plex.tv",
+          "geoip:ru",
+          "domain:kaspersky.com",
+          "domain:koronapay.com",
+          "domain:binance.com",
+          "domain:raiffeisen.ru",
+          "geosite:xiaomi",
+          "geosite:mihoyo",
+          "domain:xsolla.com",
+          "domain:download.developer.apple.com",
+          // "domain:aeza.net",
+          "domain:veesp.com"
+        ]
+      },
+
+      // No rules found? Go vless-reality
+      {
+        "inboundTag": ["redirect", "tproxy"],
+        "outboundTag": "vless-reality",
+        "type": "field"
+      }
+    ]
+  }
+}
--- a/etc/xray/config/06_policy.json
+++ b/etc/xray/config/06_policy.json
@@ -0,0 +1,13 @@
+{
+    "policy":
+    {
+        "levels":
+        {
+            "0":
+            {
+				// If you have issues with SSH connections, it's recommended to increase this value. See the docs
+                "connIdle": 30
+            }
+        }
+    }
+}
--- a/etc/xray/fwd_functions.sh
+++ b/etc/xray/fwd_functions.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+# Function to add iptables rules for a specific IP and port
+direct_port_for_ip() {
+    ip=$1
+    port=$2
+
+    iptables -t mangle -A XRAY -d "$ip"/32 -p tcp --dport "$port" -j RETURN
+    iptables -t mangle -A XRAY -d "$ip"/32 -p udp --dport "$port" -j RETURN
+    iptables -t mangle -A XRAY -s "$ip"/32 -p tcp --sport "$port" -j RETURN
+    iptables -t mangle -A XRAY -s "$ip"/32 -p udp --sport "$port" -j RETURN
+}
+
+# Function to add iptables rules for a single port without specifying IP
+direct_port() {
+    port=$1
+
+    iptables -t mangle -A XRAY -p tcp --dport "$port" -j RETURN
+    iptables -t mangle -A XRAY -p udp --dport "$port" -j RETURN
+    iptables -t mangle -A XRAY -p tcp --sport "$port" -j RETURN
+    iptables -t mangle -A XRAY -p udp --sport "$port" -j RETURN
+}
+
+# Function to add iptables rules for a range of ports for a specific IP
+direct_port_range_for_ip() {
+    ip=$1
+    start_port=$2
+    end_port=$3
+
+    port=$start_port
+    while [ "$port" -le "$end_port" ]; do
+        direct_port_for_ip "$ip" "$port"
+        port=$((port + 1))
+    done
+}
+
+# Function to add iptables rules for a range of ports without specifying IP
+direct_port_range() {
+    start_port=$1
+    end_port=$2
+
+    port=$start_port
+    while [ "$port" -le "$end_port" ]; do
+        direct_port "$port"
+        port=$((port + 1))
+    done
+}
+
+# Function to add iptables rules for an IP without specifying ports
+direct_ip() {
+    ip=$1
+
+    iptables -t mangle -A XRAY -d "$ip"/32 -j RETURN
+    iptables -t mangle -A XRAY -s "$ip"/32 -j RETURN
+}
+
+# Function to add iptables rules for blocking IP
+block_ip() {
+    ip=$1
+
+    iptables -I FORWARD 1 -d "$ip"/32 -j DROP
+    iptables -I FORWARD 1 -s "$ip"/32 -j DROP
+}
--- a/etc/xray/startup.sh
+++ b/etc/xray/startup.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+# Ensure this script runs only once per boot
+if [ -f /tmp/xray_startup_executed ]; then
+  # The file exists, so do not run the script
+  echo "This script was executed already. To revert the results, reboot the device"
+  exit 0
+fi
+
+# Source the function definitions
+. /etc/xray/fwd_functions.sh
+
+# create chain
+ip rule add fwmark 1 table 100
+ip route add local 0.0.0.0/0 dev lo table 100
+iptables -t mangle -N XRAY
+
+# exclude private ipv4
+iptables -t mangle -A XRAY -d 255.255.255.255/32 -j RETURN
+iptables -t mangle -A XRAY -d 0.0.0.0/8 -j RETURN
+iptables -t mangle -A XRAY -d 10.0.0.0/8 -j RETURN
+iptables -t mangle -A XRAY -d 100.64.0.0/10 -j RETURN
+iptables -t mangle -A XRAY -d 127.0.0.0/8 -j RETURN
+iptables -t mangle -A XRAY -d 169.254.0.0/16 -j RETURN
+iptables -t mangle -A XRAY -d 172.16.0.0/12 -j RETURN
+iptables -t mangle -A XRAY -d 192.0.0.0/24 -j RETURN
+iptables -t mangle -A XRAY -d 192.0.2.0/24 -j RETURN
+iptables -t mangle -A XRAY -d 192.168.0.0/16 -j RETURN
+iptables -t mangle -A XRAY -d 198.18.0.0/15 -j RETURN
+iptables -t mangle -A XRAY -d 198.51.100.0/24 -j RETURN
+iptables -t mangle -A XRAY -d 203.0.113.0/24 -j RETURN
+iptables -t mangle -A XRAY -d 224.0.0.0/4 -j RETURN
+iptables -t mangle -A XRAY -d 240.0.0.0/4 -j RETURN
+
+
+# !!! PROVIDE YOUR OWN IP HERE !!!
+iptables -t mangle -A XRAY -d 1.1.1.1 -j RETURN
+
+
+
+# exclude from Xray the following:
+# SAMPLE - you can test the rules using /root/fwd_manual.sh script
+# traefik HTTP+HTTPS
+#direct_port_range_for_ip "10.241.1.165" 80 443
+
+
+
+# add forwarding rule
+iptables -t mangle -A XRAY -p tcp -j TPROXY --on-port 61219 --tproxy-mark 1
+iptables -t mangle -A XRAY -p udp -j TPROXY --on-port 61219 --tproxy-mark 1
+iptables -t mangle -A PREROUTING -j XRAY
+
+# required for check above
+touch /tmp/xray_startup_executed