
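#!/usr/sbin/nft -f
# Transparent-proxy rules for a local sing-box instance.
#   TCP -> REDIRECT (nat hooks)   to the sing-box inbound on :9777
#   UDP -> TPROXY   (mangle hooks) to the sing-box inbound on :9888
# 198.18.0.0/15 and fc00::/18 are the fake-IP pools handed out by sing-box's DNS,
# so anything addressed there is by definition proxy-bound.
#
# PREREQUISITE (not part of this file): the fwmark-1 packets produced below only
# reach the TPROXY socket if policy routing delivers them locally, e.g.
#   ip    rule add fwmark 1 table 100 && ip    route add local default dev lo table 100
#   ip -6 rule add fwmark 1 table 100 && ip -6 route add local default dev lo table 100
# (the table number is arbitrary). Without it UDP proxying silently fails.
#
# NOTE(review): `flush ruleset` wipes EVERY nftables table on the host, not just
# this one - including any distro/firewalld input filter loaded before it. If
# other tables must survive a reload, replace it with the per-table idiom
# (`table inet singbox` followed by `delete table inet singbox`); confirm the
# installed nft version accepts it.
flush ruleset

table inet singbox {
    # Chinese public resolvers that stay direct (bypass the proxy).
    set china_dns_ipv4 {
        type ipv4_addr;
        elements = { 223.5.5.5, 223.6.6.6, 114.114.114.114, 114.114.115.115 };
    }

    set china_dns_ipv6 {
        type ipv6_addr;
        elements = { 2400:3200::1, 2400:3200:baba::1 };
    }

    # Fake-IP pools; these should match the fake-ip ranges configured in sing-box.
    set fake_ipv4 {
        type ipv4_addr;
        flags interval;
        elements = { 198.18.0.0/15 };
    }

    set fake_ipv6 {
        type ipv6_addr;
        flags interval;
        elements = { fc00::/18 };
    }

    # Non-global / LAN destinations that are never sent to the proxy.
    # 100.64.0.0/10 (RFC 6598 shared/CGNAT space) added: it is only reachable
    # inside the ISP or LAN, so proxying it can never work.
    set local_ipv4 {
        type ipv4_addr;
        flags interval;
        elements = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16,
                     172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 };
    }

    # fd00::/8 (ULA, the IPv6 analogue of RFC 1918) added so LAN hosts with ULA
    # addresses are reached directly. It does not overlap the fc00::/18 fake pool,
    # which must keep going to the proxy.
    set local_ipv6 {
        type ipv6_addr;
        flags interval;
        elements = { ::ffff:0.0.0.0/96, 64:ff9b::/96, 100::/64, 2001:10::/28, 2001:20::/28,
                     2001:db8::/32, 2002::/16, fd00::/8, fe80::/10 };
    }

    # Shared TCP bypass + redirect. Reached only via goto from redirect-prerouting.
    chain redirect-proxy {
        # Addresses owned by this host, anycast and multicast stay local.
        fib daddr type { unspec, local, anycast, multicast } return
        ip daddr @local_ipv4 return
        ip6 daddr @local_ipv6 return
        ip daddr @china_dns_ipv4 return
        ip6 daddr @china_dns_ipv6 return
        # Everything else is handed to the sing-box redirect inbound.
        meta l4proto tcp redirect to :9777
    }

    # Forwarded TCP (LAN clients using this host as their gateway).
    # NOTE(review): there is no `iifname`/saddr restriction, so a TCP SYN arriving
    # on ANY interface with a non-local destination is redirected into the proxy.
    # On a multi-homed host consider `iifname != "<lan-if>" return` as the first
    # rule so untrusted segments cannot use this box as an open proxy.
    chain redirect-prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        meta l4proto != tcp return
        # nat hooks only see the first packet of a flow; the ct qualifiers make
        # the intent explicit and keep reply-direction packets out.
        ct state new ct direction original goto redirect-proxy
    }

    # Locally originated TCP. Only fake-IP destinations are redirected, so the
    # proxy's own upstream connections (real addresses) are never looped back.
    chain redirect-output {
        type nat hook output priority dstnat; policy accept;
        meta l4proto != tcp return
        fib daddr type { unspec, local, anycast, multicast } return
        ip daddr @fake_ipv4 meta l4proto tcp redirect to :9777
        ip6 daddr @fake_ipv6 meta l4proto tcp redirect to :9777
    }

    # Shared UDP bypass + TPROXY. Reached only via goto from tproxy-prerouting.
    chain tproxy-proxy {
        fib daddr type { unspec, local, anycast, multicast } return
        ip daddr @local_ipv4 return
        ip6 daddr @local_ipv6 return
        ip daddr @china_dns_ipv4 return
        ip6 daddr @china_dns_ipv6 return
        # NTP stays direct so clocks can sync even while the proxy is down (TLS
        # needs a sane clock). This does expose the client's real address to the
        # NTP server.
        udp dport {123} return
        # Mark packet and flow (the fwmark-1 policy route delivers it locally) and
        # steer it to the TPROXY inbound.
        ip protocol udp meta mark set 1 ct mark set 1 tproxy ip to :9888 accept
        ip6 nexthdr udp meta mark set 1 ct mark set 1 tproxy ip6 to :9888 accept
    }

    # Output-side counterpart of tproxy-proxy. `tproxy` is not valid in the output
    # hook, so locally originated UDP is only marked here; the policy route then
    # loops it through lo back into tproxy-prerouting.
    chain tproxy-mark {
        fib daddr type { unspec, local, anycast, multicast } return
        ip daddr @local_ipv4 return
        ip6 daddr @local_ipv6 return
        ip daddr @china_dns_ipv4 return
        ip6 daddr @china_dns_ipv6 return
        udp dport {123} return
        meta mark set 1
        # Setting the ct mark already here means that when the packet re-enters via
        # lo, tproxy-prerouting takes its `ct mark 1 ... return` shortcut and the
        # first packet is never TPROXY'd (tproxy-proxy would set the ct mark itself).
        # Original author's note, translated: if `nslookup google.com 1.1.1.1`
        # returns no address, delete the next line.
        meta l4proto udp ct mark set 1
    }

    # Forwarded UDP.
    # NOTE(review): same open-proxy caveat as redirect-prerouting - no iifname filter.
    chain tproxy-prerouting {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto != udp return
        ct direction reply return
        # Fast path for flows already handed to the proxy: re-apply the routing
        # mark without another tproxy lookup. Assumes the inbound's transparent
        # socket keeps matching later packets of the flow - confirm if long UDP
        # flows stall after the first datagram.
        ct direction original ct mark 1 meta mark set 1 return
        ct direction original goto tproxy-proxy
    }

    # Locally originated UDP. `type route` re-evaluates the route after the mark
    # is set, which is what lets the fwmark rule send the packet to lo.
    chain tproxy-output {
        type route hook output priority mangle; policy accept;
        meta l4proto != udp return
        # Exempt sockets owned by gid 0 so the proxy's own upstream UDP (if it runs
        # as root) is not looped back into itself. This is coarse: EVERY root
        # process bypasses the proxy, which is presumably why the original author
        # noted (translated) "if `nslookup google.com 1.1.1.1` returns no IP,
        # delete this line". Deleting it loops the proxy's own traffic; prefer to
        # run sing-box under a dedicated group and match that gid here, or match
        # its configured routing_mark with `meta mark`.
        meta skgid 0 return
        ct direction reply return
        ct direction original ct mark 1 meta mark set 1 return
        ct direction original goto tproxy-mark
    }
}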

  1. "#!/usr/sbin/nft -f

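    # Transparent-proxy rules for a local sing-box instance.
    #   TCP -> REDIRECT (nat hooks)   to the sing-box inbound on :9777
    #   UDP -> TPROXY   (mangle hooks) to the sing-box inbound on :9888
    # 198.18.0.0/15 and fc00::/18 are the fake-IP pools handed out by sing-box's DNS,
    # so anything addressed there is by definition proxy-bound.
    #
    # PREREQUISITE (not part of this file): the fwmark-1 packets produced below only
    # reach the TPROXY socket if policy routing delivers them locally, e.g.
    #   ip    rule add fwmark 1 table 100 && ip    route add local default dev lo table 100
    #   ip -6 rule add fwmark 1 table 100 && ip -6 route add local default dev lo table 100
    # (the table number is arbitrary). Without it UDP proxying silently fails.
    #
    # NOTE(review): `flush ruleset` wipes EVERY nftables table on the host, not just
    # this one - including any distro/firewalld input filter loaded before it. If
    # other tables must survive a reload, replace it with the per-table idiom
    # (`table inet singbox` followed by `delete table inet singbox`); confirm the
    # installed nft version accepts it.
    flush ruleset

    table inet singbox {
        # Chinese public resolvers that stay direct (bypass the proxy).
        set china_dns_ipv4 {
            type ipv4_addr;
            elements = { 223.5.5.5, 223.6.6.6, 114.114.114.114, 114.114.115.115 };
        }

        set china_dns_ipv6 {
            type ipv6_addr;
            elements = { 2400:3200::1, 2400:3200:baba::1 };
        }

        # Fake-IP pools; these should match the fake-ip ranges configured in sing-box.
        set fake_ipv4 {
            type ipv4_addr;
            flags interval;
            elements = { 198.18.0.0/15 };
        }

        set fake_ipv6 {
            type ipv6_addr;
            flags interval;
            elements = { fc00::/18 };
        }

        # Non-global / LAN destinations that are never sent to the proxy.
        # 100.64.0.0/10 (RFC 6598 shared/CGNAT space) added: it is only reachable
        # inside the ISP or LAN, so proxying it can never work.
        set local_ipv4 {
            type ipv4_addr;
            flags interval;
            elements = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16,
                         172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 };
        }

        # fd00::/8 (ULA, the IPv6 analogue of RFC 1918) added so LAN hosts with ULA
        # addresses are reached directly. It does not overlap the fc00::/18 fake pool,
        # which must keep going to the proxy.
        set local_ipv6 {
            type ipv6_addr;
            flags interval;
            elements = { ::ffff:0.0.0.0/96, 64:ff9b::/96, 100::/64, 2001:10::/28, 2001:20::/28,
                         2001:db8::/32, 2002::/16, fd00::/8, fe80::/10 };
        }

        # Shared TCP bypass + redirect. Reached only via goto from redirect-prerouting.
        chain redirect-proxy {
            # Addresses owned by this host, anycast and multicast stay local.
            fib daddr type { unspec, local, anycast, multicast } return
            ip daddr @local_ipv4 return
            ip6 daddr @local_ipv6 return
            ip daddr @china_dns_ipv4 return
            ip6 daddr @china_dns_ipv6 return
            # Everything else is handed to the sing-box redirect inbound.
            meta l4proto tcp redirect to :9777
        }

        # Forwarded TCP (LAN clients using this host as their gateway).
        # NOTE(review): there is no `iifname`/saddr restriction, so a TCP SYN arriving
        # on ANY interface with a non-local destination is redirected into the proxy.
        # On a multi-homed host consider `iifname != "<lan-if>" return` as the first
        # rule so untrusted segments cannot use this box as an open proxy.
        chain redirect-prerouting {
            type nat hook prerouting priority dstnat; policy accept;
            meta l4proto != tcp return
            # nat hooks only see the first packet of a flow; the ct qualifiers make
            # the intent explicit and keep reply-direction packets out.
            ct state new ct direction original goto redirect-proxy
        }

        # Locally originated TCP. Only fake-IP destinations are redirected, so the
        # proxy's own upstream connections (real addresses) are never looped back.
        chain redirect-output {
            type nat hook output priority dstnat; policy accept;
            meta l4proto != tcp return
            fib daddr type { unspec, local, anycast, multicast } return
            ip daddr @fake_ipv4 meta l4proto tcp redirect to :9777
            ip6 daddr @fake_ipv6 meta l4proto tcp redirect to :9777
        }

        # Shared UDP bypass + TPROXY. Reached only via goto from tproxy-prerouting.
        chain tproxy-proxy {
            fib daddr type { unspec, local, anycast, multicast } return
            ip daddr @local_ipv4 return
            ip6 daddr @local_ipv6 return
            ip daddr @china_dns_ipv4 return
            ip6 daddr @china_dns_ipv6 return
            # NTP stays direct so clocks can sync even while the proxy is down (TLS
            # needs a sane clock). This does expose the client's real address to the
            # NTP server.
            udp dport {123} return
            # Mark packet and flow (the fwmark-1 policy route delivers it locally) and
            # steer it to the TPROXY inbound.
            ip protocol udp meta mark set 1 ct mark set 1 tproxy ip to :9888 accept
            ip6 nexthdr udp meta mark set 1 ct mark set 1 tproxy ip6 to :9888 accept
        }

        # Output-side counterpart of tproxy-proxy. `tproxy` is not valid in the output
        # hook, so locally originated UDP is only marked here; the policy route then
        # loops it through lo back into tproxy-prerouting.
        chain tproxy-mark {
            fib daddr type { unspec, local, anycast, multicast } return
            ip daddr @local_ipv4 return
            ip6 daddr @local_ipv6 return
            ip daddr @china_dns_ipv4 return
            ip6 daddr @china_dns_ipv6 return
            udp dport {123} return
            meta mark set 1
            # Setting the ct mark already here means that when the packet re-enters via
            # lo, tproxy-prerouting takes its `ct mark 1 ... return` shortcut and the
            # first packet is never TPROXY'd (tproxy-proxy would set the ct mark itself).
            # Original author's note, translated: if `nslookup google.com 1.1.1.1`
            # returns no address, delete the next line.
            meta l4proto udp ct mark set 1
        }

        # Forwarded UDP.
        # NOTE(review): same open-proxy caveat as redirect-prerouting - no iifname filter.
        chain tproxy-prerouting {
            type filter hook prerouting priority mangle; policy accept;
            meta l4proto != udp return
            ct direction reply return
            # Fast path for flows already handed to the proxy: re-apply the routing
            # mark without another tproxy lookup. Assumes the inbound's transparent
            # socket keeps matching later packets of the flow - confirm if long UDP
            # flows stall after the first datagram.
            ct direction original ct mark 1 meta mark set 1 return
            ct direction original goto tproxy-proxy
        }

        # Locally originated UDP. `type route` re-evaluates the route after the mark
        # is set, which is what lets the fwmark rule send the packet to lo.
        chain tproxy-output {
            type route hook output priority mangle; policy accept;
            meta l4proto != udp return
            # Exempt sockets owned by gid 0 so the proxy's own upstream UDP (if it runs
            # as root) is not looped back into itself. This is coarse: EVERY root
            # process bypasses the proxy, which is presumably why the original author
            # noted (translated) "if `nslookup google.com 1.1.1.1` returns no IP,
            # delete this line". Deleting it loops the proxy's own traffic; prefer to
            # run sing-box under a dedicated group and match that gid here, or match
            # its configured routing_mark with `meta mark`.
            meta skgid 0 return
            ct direction reply return
            ct direction original ct mark 1 meta mark set 1 return
            ct direction original goto tproxy-mark
        }
    }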
    "