Rework into using nftables, along with proper Xray DNS configuration

2025-04-13 13:41:16 +05:00
parent a5c8961d78
commit f9645b0ef6
17 changed files with 249 additions and 195 deletions
--- a/etc/xray/startup.sh
+++ b/etc/xray/startup.sh
@@ -1,54 +1,43 @@
 #!/bin/sh

-# Ensure this script runs only once per boot
-if [ -f /tmp/xray_startup_executed ]; then
-  # The file exists, so do not run the script
-  echo "This script was executed already. To revert the results, reboot the device"
-  exit 0
-fi
-
-# Source the function definitions
 . /etc/xray/fwd_functions.sh

-# create chain
+# Get WAN device name first
+WAN_DEVICE=$(uci get network.wan.device)
+
+if [ -z "$WAN_DEVICE" ]; then
+    echo "Error: Could not determine WAN device"
+    exit 1
+fi
+
+# Get WAN interface IP address using the device name, excluding localhost and private IPs
+# Comment this out, if it doesn't work for you
+WAN_IP=$(ip addr show $WAN_DEVICE | grep 'inet ' | awk '{print $2}' | cut -d/ -f1 | grep -v '^127\.' | grep -v '^192\.168\.')
+# WAN_IP="1.1.1.1"
+
+if [ -z "$WAN_IP" ]; then
+    echo "Error: Could not determine WAN IP address for device $WAN_DEVICE"
+    exit 1
+fi
+
+if [ -f /tmp/xray_startup_executed ]; then
+  sh /etc/xray/revert.sh
+fi
+
+# Create routing table and rules
+ip route add local default dev lo table 100
 ip rule add fwmark 1 table 100
-ip route add local 0.0.0.0/0 dev lo table 100
-iptables -t mangle -N XRAY

-# exclude private ipv4
-iptables -t mangle -A XRAY -d 255.255.255.255/32 -j RETURN
-iptables -t mangle -A XRAY -d 0.0.0.0/8 -j RETURN
-iptables -t mangle -A XRAY -d 10.0.0.0/8 -j RETURN
-iptables -t mangle -A XRAY -d 100.64.0.0/10 -j RETURN
-iptables -t mangle -A XRAY -d 127.0.0.0/8 -j RETURN
-iptables -t mangle -A XRAY -d 169.254.0.0/16 -j RETURN
-iptables -t mangle -A XRAY -d 172.16.0.0/12 -j RETURN
-iptables -t mangle -A XRAY -d 192.0.0.0/24 -j RETURN
-iptables -t mangle -A XRAY -d 192.0.2.0/24 -j RETURN
-iptables -t mangle -A XRAY -d 192.168.0.0/16 -j RETURN
-iptables -t mangle -A XRAY -d 198.18.0.0/15 -j RETURN
-iptables -t mangle -A XRAY -d 198.51.100.0/24 -j RETURN
-iptables -t mangle -A XRAY -d 203.0.113.0/24 -j RETURN
-iptables -t mangle -A XRAY -d 224.0.0.0/4 -j RETURN
-iptables -t mangle -A XRAY -d 240.0.0.0/4 -j RETURN
+# Load nftables rules from nft.conf
+nft -f /etc/xray/nft.conf

+# Execute custom rules if they exist
+if [ -f /etc/xray/custom_rules.sh ]; then
+    sh /etc/xray/custom_rules.sh
+fi

-# !!! PROVIDE YOUR OWN IP HERE !!!
-iptables -t mangle -A XRAY -d 1.1.1.1 -j RETURN
-
-
-
-# exclude from Xray the following:
-# SAMPLE - you can test the rules using /root/fwd_manual.sh script
-# traefik HTTP+HTTPS
-#direct_port_range_for_ip "10.241.1.165" 80 443
-
-
-
-# add forwarding rule
-iptables -t mangle -A XRAY -p tcp -j TPROXY --on-port 61219 --tproxy-mark 1
-iptables -t mangle -A XRAY -p udp -j TPROXY --on-port 61219 --tproxy-mark 1
-iptables -t mangle -A PREROUTING -j XRAY
+# Add rules to bypass the firewall for the WAN IP
+direct_ip "$WAN_IP"

 # required for check above
 touch /tmp/xray_startup_executed