Rework into using nftables, along with proper Xray DNS configuration

2025-04-13 13:41:16 +05:00
parent a5c8961d78
commit f9645b0ef6
17 changed files with 249 additions and 195 deletions
--- a/etc/xray/nft.conf
+++ b/etc/xray/nft.conf
@@ -0,0 +1,33 @@
+#!/usr/sbin/nft -f
+
+define RESERVED_IP = {
+    10.0.0.0/8,
+    100.64.0.0/10,
+    127.0.0.0/8,
+    169.254.0.0/16,
+    172.16.0.0/12,
+    192.0.0.0/24,
+    224.0.0.0/4,
+    240.0.0.0/4,
+    255.255.255.255/32
+}
+
+table ip xray {
+        chain prerouting {
+                type filter hook prerouting priority mangle; policy accept;
+                ip daddr $RESERVED_IP return
+                ip daddr 192.168.0.0/16 tcp dport != 53 return
+                ip daddr 192.168.0.0/16 udp dport != 53 return
+                ip protocol tcp tproxy to 127.0.0.1:61219 meta mark set 1
+                ip protocol udp tproxy to 127.0.0.1:61219 meta mark set 1
+        }
+        chain output {
+                type route hook output priority mangle; policy accept;
+                ip daddr $RESERVED_IP return
+                ip daddr 192.168.0.0/16 tcp dport != 53 return
+                ip daddr 192.168.0.0/16 udp dport != 53 return
+                meta mark 2 return
+                ip protocol tcp meta mark set 1
+                ip protocol udp meta mark set 1
+        }
+}