iptables转发
根据目前的使用统计,trojan 最常见的封锁方式是封端口(如 443),IP 本身一般不会被封。这里用 iptables 实现一种最简单的"动态端口"方案。
将 40000~50000 端口的 TCP 流量转发到(被封的)443 端口。注:防火墙不需要额外放行 40000~50000,因为 REDIRECT 发生在 nat 表的 PREROUTING 链,数据包进入 filter/INPUT 时目的端口已经改写为 443。另外要清楚两点:一是这个区间内的所有端口始终都会被转发,端口扫描仍能发现同一个服务,本方案只是让客户端分散使用不同端口,并不能隐藏服务;二是 iptables 规则只作用于 IPv4,若域名有 AAAA 记录还需在 ip6tables 中加同样的规则。
iptables 命令
# IPv4 only, all interfaces (no -i). Rewrites the destination port in
# nat/PREROUTING, so the packet reaches filter/INPUT already as dport 443.
# This is a runtime rule and is lost on reboot; the ufw before.rules entry
# below is what makes it persistent.
iptables -t nat -A PREROUTING -p tcp --dport 40000:50000 -j REDIRECT --to-ports 443
ubuntu ufw 配置
cat /etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# Persistent copy of the one-off `iptables -t nat ... REDIRECT` rule: ufw
# loads this file on start, so the redirect survives reboots. Nothing here
# covers IPv6; if the host has an AAAA record, add the same rule under
# *nat in before6.rules as well.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# TCP 40000-50000 -> local 443 on every interface (no -i restriction).
# Rewritten in nat/PREROUTING, so the filter chains below see dport 443 and
# 40000-50000 need not be opened with `ufw allow`.
-A PREROUTING -p tcp --dport 40000:50000 -j REDIRECT --to-ports 443
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
... 以下省略
通过 nat 表转发流量时,本机并没有进程监听 40000~50000 这些端口,所以 netstat/ss 里看不到它们,只能看到 443。
执行之后就可以客户端使用40000至50000的任意端口和trojan通信了
思路:生成一个随机端口号替换节点信息里的 443,再按客户端订阅要求的格式(v2ray 为 base64)输出,最后把订阅文件放到网站目录下供客户端拉取。
订阅脚本
v2ray和clash客户端配置文件不同
V2ray
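# Generator for the v2ray subscription (base64 list of trojan:// URIs).
# Creates the script under /data/shell and the nginx-served output dir.
mkdir -p /data/shell/ /www/sub
cat > /data/shell/v2ray_sub.sh << \EOF
#!/bin/bash
# Writes a v2ray subscription to the web root with a fresh random port.
# Run from cron; every run picks a new port in 40000..49999, which the
# server's iptables REDIRECT rule maps back to the real 443 listener.
set -euo pipefail

# Output file; nginx serves /www/sub, so whatever lands here is public.
filePath='/www/sub/v2ray_sub'
# Random port in [40000, 49999] (inside the 40000:50000 REDIRECT range).
randPort=$((RANDOM % 10000 + 40000))

# Node list. Only the ":443#" port field is rewritten, so a password,
# hostname or tag that happens to contain "443" is left untouched.
# Rendered into a temp file and renamed so a client fetching mid-run
# never sees a truncated subscription.
# GNU base64 wraps at 76 columns; pass `-w0` if your client rejects
# wrapped input.
tmpFile=$(mktemp "${filePath}.XXXXXX")
printf '%s\n' \
  'trojan://xxxxxxx@domain.com:443#AWS-SG01' \
  'trojan://xxxxxxx@domain.com:443#AWS-SG02' \
  | sed "s/:443#/:${randPort}#/" \
  | base64 > "$tmpFile"
# mktemp creates 0600; nginx (in the container) must be able to read it.
chmod 644 "$tmpFile"
mv -f "$tmpFile" "$filePath"
EOF
chmod +x /data/shell/v2ray_sub.sh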
Clash
# /data/shell/trojan_sub.sh
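#!/bin/bash
# Renders the Clash subscription: copies clash_config.yaml to the web root
# with every RANDOM_PORT<n> placeholder replaced by a fresh random port in
# 40000..49999 (the iptables REDIRECT range). Run from cron.
set -euo pipefail
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH

config_file=/data/shell/clash_config.yaml
gen_file=/www/sub/trojan_sub

[[ -r "$config_file" ]] || { echo "missing template: $config_file" >&2; exit 1; }

# One placeholder per line is assumed, as in the template below.
# grep -c exits 1 when the count is 0 but still prints "0", hence || true.
count=$(grep -c RANDOM_PORT "$config_file" || true)

# Render into a temp file and rename at the end so nginx never serves a
# half-written file while the sed passes run.
tmp_file=$(mktemp "${gen_file}.XXXXXX")
cp "$config_file" "$tmp_file"
for ((i = 1; i <= count; i++)); do
  rand_port=$((RANDOM % 10000 + 40000))
  # \b stops RANDOM_PORT1 from matching the prefix of RANDOM_PORT10..19
  # (GNU sed, which the -i usage here already requires).
  sed -i "s/RANDOM_PORT${i}\b/${rand_port}/" "$tmp_file"
done
# mktemp creates 0600; nginx (in the container) must be able to read it.
chmod 644 "$tmp_file"
mv -f "$tmp_file" "$gen_file"
echo "Generated path: $gen_file"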
# Make the generator executable so cron can run it directly.
chmod +x /data/shell/trojan_sub.sh
# /data/shell/clash_config.yaml
# Clash template; the RANDOM_PORT<n> placeholders are filled in by trojan_sub.sh.
mixed-port: 7890
# allow-lan exposes the 7890 listener to the whole LAN, and there is no
# `authentication:` block here, so anyone on that network can use it.
allow-lan: true
mode: Rule
log-level: info
proxies:
# trojan
# kr/us use the random port; the server's iptables REDIRECT maps it to 443.
# udp: true is presumably carried inside the trojan TCP/TLS stream, so the
# tcp-only REDIRECT should still cover it -- confirm against the server.
- {name: kr, type: trojan, server: kr.example.com, port: RANDOM_PORT1, password: EXAMPLE_PASS, udp: true}
- {name: us, type: trojan, server: us.example.com, port: RANDOM_PORT2, password: EXAMPLE_PASS, udp: true}
- {name: cf-trojan, type: trojan, server: cf.example.com, port: 443, password: EXAMPLE_PASS, udp: true, sni: "", network: ws, ws-opts: {path: /ff0d4286, headers: {Host: "us.example.com"}}}
# skip-cert-verify: true disables TLS certificate checking for this node,
# so an on-path attacker can impersonate the server and read the traffic;
# drop it unless the certificate genuinely cannot be validated.
- {name: cf-v2ray, type: vmess, server: cloudflare.co, port: 443, uuid: ff0d4286-7056-4e74-913a-c5ee14cc2014, alterId: 0, cipher: auto, tls: true, skip-cert-verify: true, network: ws, ws-opts: {path: /ff0d4286, headers: {Host: "us.example.com"}}}
proxy-groups:
# NOTE(review): nested indentation appears to have been lost in this listing
# (type/proxies must be indented under "- name: Proxy"); re-indent before use.
# Only Proxy and PortProxy are defined here; the rules section also targets a
# group named Warp, which does not exist in this file.
- name: Proxy
type: select
proxies:
- us
- kr
# Target of the DST-PORT,24790 rule; DIRECT is listed first.
- { name: "PortProxy", type: select, proxies: ["DIRECT","us","kr"]}
# Evaluated top-down; the first matching rule decides, MATCH is the fallback.
rules:
- RULE-SET,AdBlock,REJECT
- RULE-SET,Proxy,Proxy
- RULE-SET,Apple,Proxy
- RULE-SET,Adobe,Proxy
- RULE-SET,Amazon,Proxy
- RULE-SET,Dler,Proxy
- RULE-SET,Facebook,Proxy
- RULE-SET,GitHub,Proxy
- RULE-SET,Google,Proxy
- RULE-SET,Microsoft,Proxy
- RULE-SET,Netflix,Proxy
- RULE-SET,Speedtest,Proxy
- RULE-SET,Steam,Proxy
- RULE-SET,Spotify,Proxy
- RULE-SET,Telegram,Proxy
- RULE-SET,Twitter,Proxy
- RULE-SET,Tencent,DIRECT
- RULE-SET,TencentVideo,DIRECT
- RULE-SET,YouTube,Proxy
- RULE-SET,PayPal,Proxy
- RULE-SET,Discord,Proxy
- DOMAIN-SUFFIX,live.cn,Proxy
- DOMAIN-SUFFIX,sub.dler.io,Proxy
- DOMAIN-SUFFIX,api.suo.yt,Proxy
- DOMAIN-SUFFIX,dlercloud.com,Proxy
- DOMAIN-KEYWORD,dlercloud,Proxy
- DOMAIN-SUFFIX,wps.com,DIRECT
- DOMAIN-SUFFIX,hktv03.com,DIRECT
- DOMAIN-SUFFIX,tvyb03.com,DIRECT
# "Warp" is not defined under proxy-groups or proxies in this file; Clash
# is expected to reject a config whose rule targets an unknown proxy --
# define a Warp group or change these two targets before loading.
- DOMAIN-SUFFIX,ai.com,Warp
- DOMAIN-SUFFIX,openai.com,Warp
- DOMAIN-SUFFIX,local,DIRECT
- IP-CIDR,192.168.0.0/16,DIRECT
- IP-CIDR,10.0.0.0/8,DIRECT
- IP-CIDR,172.16.0.0/12,DIRECT
- IP-CIDR,127.0.0.0/8,DIRECT
- IP-CIDR,100.64.0.0/10,DIRECT
# 172.13.0.0/16 is a public range, not RFC 1918 like the entries above --
# presumably a specific host that must go direct; confirm it is intended.
- IP-CIDR,172.13.1.32/32,DIRECT
- DST-PORT,24790,PortProxy
- GEOIP,CN,DIRECT
- MATCH,Proxy
# All lists are re-fetched every hour (interval: 3600) from raw.fastgit.org,
# a third-party mirror of GitHub, and applied with no integrity check; the
# mirror operator can therefore change which domains go DIRECT vs Proxy.
# Pin to a source you trust (or vendor the files locally) if that matters.
rule-providers:
AdBlock: {type: http, behavior: classical, path: ./Filter/AdBlock, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/AdBlock.yaml, interval: 3600}
Apple: {type: http, behavior: classical, path: ./Filter/Apple, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Apple.yaml, interval: 3600}
Adobe: {type: http, behavior: classical, path: ./Filter/Adobe, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Adobe.yaml, interval: 3600}
Amazon: {type: http, behavior: classical, path: ./Filter/Amazon, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Amazon.yaml, interval: 3600}
# China is downloaded hourly but no rule above references it.
China: {type: http, behavior: classical, path: ./Filter/China, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/China.yaml, interval: 3600}
Dler: {type: http, behavior: classical, path: ./Filter/Dler, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Dler.yaml, interval: 3600}
Facebook: {type: http, behavior: classical, path: ./Filter/Facebook, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Facebook.yaml, interval: 3600}
GitHub: {type: http, behavior: classical, path: ./Filter/GitHub, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/GitHub.yaml, interval: 3600}
Google: {type: http, behavior: classical, path: ./Filter/Google, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Google.yaml, interval: 3600}
Microsoft: {type: http, behavior: classical, path: ./Filter/Microsoft, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Microsoft.yaml, interval: 3600}
Netflix: {type: http, behavior: classical, path: ./Filter/Netflix, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Netflix.yaml, interval: 3600}
Spotify: {type: http, behavior: classical, path: ./Filter/Spotify, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Spotify.yaml, interval: 3600}
Speedtest: {type: http, behavior: classical, path: ./Filter/Speedtest, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Speedtest.yaml, interval: 3600}
Steam: {type: http, behavior: classical, path: ./Filter/Steam, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Steam.yaml, interval: 3600}
Telegram: {type: http, behavior: classical, path: ./Filter/Telegram, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Telegram.yaml, interval: 3600}
Twitter: {type: http, behavior: classical, path: ./Filter/Twitter, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Twitter.yaml, interval: 3600}
Tencent: {type: http, behavior: classical, path: ./Filter/Tencent, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Tencent.yaml, interval: 3600}
TencentVideo: {type: http, behavior: classical, path: ./Filter/TencentVideo, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/TencentVideo.yaml, interval: 3600}
YouTube: {type: http, behavior: classical, path: ./Filter/YouTube, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/YouTube.yaml, interval: 3600}
PayPal: {type: http, behavior: classical, path: ./Filter/PayPal, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/PayPal.yaml, interval: 3600}
Discord: {type: http, behavior: classical, path: ./Filter/Discord, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Discord.yaml, interval: 3600}
Proxy: {type: http, behavior: classical, path: ./Filter/Proxy, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Proxy.yaml, interval: 3600}
定时切换端口
root@us:~$ crontab -e
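# m h dom mon dow command
# Both generators run every 30 minutes. The Clash generator was created and
# chmod'ed as /data/shell/trojan_sub.sh above, so that is the path cron must
# call -- a clash_sub.sh entry would fail silently. Ports handed out earlier
# keep working in between runs because the whole 40000:50000 range stays
# redirected; only the port clients *pick up* changes.
*/30 * * * * /data/shell/v2ray_sub.sh
*/30 * * * * /data/shell/trojan_sub.sh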
Docker Web
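# Serve /www/sub on host port 90. The volume is mounted read-only: nginx only
# reads the generated files, so a compromised container cannot rewrite the
# subscriptions clients trust. --restart keeps it up across reboots (cron
# would otherwise keep regenerating files nobody can fetch).
# These files carry the trojan password and are served over plain HTTP with
# no auth -- put TLS and an unguessable path (or access control) in front.
docker run -d --name nginx --restart unless-stopped -v /www/sub:/usr/share/nginx/html/:ro -p 90:80 nginx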
客户端添加订阅
v2ray: http://domain:90/v2ray_sub
clash: http://domain:90/trojan_sub
OK,搞定。每 30 分钟刷新一次订阅,拿到的都是不同的端口。注意:订阅文件里带有 trojan 密码,而这里是用无认证的明文 HTTP(端口 90)对外提供,任何能访问该地址的人都能拿到凭据;建议改用 HTTPS,并使用难以猜测的路径或加上访问控制。