cleaned up root, + added fwd functions for excluding/blocking

2025-02-02 22:56:59 +05:00 · 2025-02-02 22:56:59 +05:00 · 381c5c1442
parent a9f869a9c0
commit 381c5c1442
17 changed files with 194 additions and 107 deletions
--- a/README.md
+++ b/README.md
@ -6,8 +6,9 @@ Install
 1. Drop the files onto OpenWRT (22.03 and higher) router
 2. Run `install_xray.sh`: `chmod +x /root/install_xray.sh && /root/install_xray.sh`
 3. Configure this installation:
- Edit this rule in `configure_xray_startup.sh`: `iptables -t mangle -A XRAY -d 1.1.1.1 -j RETURN` to match your public static IP address
+- Edit this rule in `/etc/xray/startup.sh`: `iptables -t mangle -A XRAY -d 1.1.1.1 -j RETURN` to match your public static IP address
 - In `/root/xray_config/04_outbounds.json` add your connection details
+- You can optionally add excluding/blocking rules to `startup.sh`, see possible additions in `fwd_functions.sh` beside it.
 4. Enable the `xray` service in LuCI (System -> Startup, it should be at the end of the list) and reboot your router.

 (In case it fails to work, you may disable the service and reboot the router again to revert the effects)
--- a/etc/config/xray
+++ b/etc/config/xray
@ -3,7 +3,7 @@ config xray 'enabled'
 	option enabled '1'

 config xray 'config'
-	option confdir '/root/xray_config'
+	option confdir '/etc/xray/config'
 	option datadir '/usr/share/xray'
 	option dialer ''
 	option format 'json'
--- a/etc/init.d/xray
+++ b/etc/init.d/xray
@ -26,7 +26,7 @@ start_service() {
 	config_get format "config" "format" "json"

 	# runs iptables setup
-    /root/configure_xray_startup.sh
+    /etc/xray/startup.sh

 	procd_open_instance "$CONF"
 	procd_set_param command "$PROG" run
--- a/etc/xray/config/01_log.json
+++ b/etc/xray/config/01_log.json
@ -0,0 +1,9 @@
+{
+    "log":
+    {
+        "access": "/etc/xray/log/access.log",
+        "dnsLog": false,
+        "error": "/etc/xray/log/error.log",
+        "loglevel": "none"
+    }
+}
--- a/etc/xray/config/02_transport.json
+++ b/etc/xray/config/02_transport.json
@ -0,0 +1,24 @@
+{
+    "transport":
+    {
+        "domainStrategy": "IPIfNonMatch",
+        "grpcSettings":
+        {
+            "health_check_timeout": 20,
+            "idle_timeout": 60,
+            "initial_windows_size": 35536,
+            "permit_without_stream": true
+        },
+        "httpSettings":
+        {
+            "health_check_timeout": 15,
+            "read_idle_timeout": 10
+        },
+        "sockopt":
+        {
+            "tcpFastOpen": true,
+            "tcpMptcp": true,
+            "tcpNoDelay": true
+        }
+    }
+}
--- a/root/xray_config/03_inbounds.json
+++ b/root/xray_config/03_inbounds.json
@ -2,13 +2,23 @@
    "inbounds":
    [
        {
-            "tag": "tproxy",
            "port": 61219,
            "protocol": "dokodemo-door",
            "settings":
            {
-                "network": "tcp,udp",
-                "followRedirect": true
+                "followRedirect": true,
+                "network": "tcp,udp"
+            },
+            "sniffing":
+            {
+                "destOverride":
+                [
+                    "http",
+                    "tls",
+                    "quic"
+                ],
+                "enabled": true,
+                "routeOnly": true
            },
            "streamSettings":
            {
@ -17,18 +27,7 @@
                    "tproxy": "tproxy"
                }
            },
-            "sniffing":
-            {
-                "routeOnly": true,
-                "enabled": true,
-                "destOverride":
-                [
-                    "http",
-                    "tls",
-                    "quic"
-                ]
+            "tag": "tproxy"
        }
-        }
-
    ]
 }
--- a/root/xray_config/04_outbounds.json
+++ b/root/xray_config/04_outbounds.json
--- a/root/xray_config/05_routing.json
+++ b/root/xray_config/05_routing.json
--- a/etc/xray/config/06_policy.json
+++ b/etc/xray/config/06_policy.json
@ -0,0 +1,13 @@
+{
+    "policy":
+    {
+        "levels":
+        {
+            "0":
+            {
+				// If you have issues with SSH connections, it's recommended to increase this value. See the docs
+                "connIdle": 30
+            }
+        }
+    }
+}
--- a/etc/xray/fwd_functions.sh
+++ b/etc/xray/fwd_functions.sh
@ -0,0 +1,63 @@
+#!/bin/sh
+
+# Function to add iptables rules for a specific IP and port
+direct_port_for_ip() {
+    ip=$1
+    port=$2
+
+    iptables -t mangle -A XRAY -d "$ip"/32 -p tcp --dport "$port" -j RETURN
+    iptables -t mangle -A XRAY -d "$ip"/32 -p udp --dport "$port" -j RETURN
+    iptables -t mangle -A XRAY -s "$ip"/32 -p tcp --sport "$port" -j RETURN
+    iptables -t mangle -A XRAY -s "$ip"/32 -p udp --sport "$port" -j RETURN
+}
+
+# Function to add iptables rules for a single port without specifying IP
+direct_port() {
+    port=$1
+
+    iptables -t mangle -A XRAY -p tcp --dport "$port" -j RETURN
+    iptables -t mangle -A XRAY -p udp --dport "$port" -j RETURN
+    iptables -t mangle -A XRAY -p tcp --sport "$port" -j RETURN
+    iptables -t mangle -A XRAY -p udp --sport "$port" -j RETURN
+}
+
+# Function to add iptables rules for a range of ports for a specific IP
+direct_port_range_for_ip() {
+    ip=$1
+    start_port=$2
+    end_port=$3
+
+    port=$start_port
+    while [ "$port" -le "$end_port" ]; do
+        direct_port_for_ip "$ip" "$port"
+        port=$((port + 1))
+    done
+}
+
+# Function to add iptables rules for a range of ports without specifying IP
+direct_port_range() {
+    start_port=$1
+    end_port=$2
+
+    port=$start_port
+    while [ "$port" -le "$end_port" ]; do
+        direct_port "$port"
+        port=$((port + 1))
+    done
+}
+
+# Function to add iptables rules for an IP without specifying ports
+direct_ip() {
+    ip=$1
+
+    iptables -t mangle -A XRAY -d "$ip"/32 -j RETURN
+    iptables -t mangle -A XRAY -s "$ip"/32 -j RETURN
+}
+
+# Function to add iptables rules for blocking IP
+block_ip() {
+    ip=$1
+
+    iptables -I FORWARD 1 -d "$ip"/32 -j DROP
+    iptables -I FORWARD 1 -s "$ip"/32 -j DROP
+}
--- a/root/configure_xray_startup.sh
+++ b/root/configure_xray_startup.sh
@ -1,12 +1,15 @@
 #!/bin/sh

 # Ensure this script runs only once per boot
-if [ -f /tmp/configure_xray_startup_executed ]; then
+if [ -f /tmp/xray_startup_executed ]; then
  # The file exists, so do not run the script
  echo "This script was executed already. To revert the results, reboot the device"
  exit 0
 fi

+# Source the function definitions
+. /etc/xray/fwd_functions.sh
+
 # create chain
 ip rule add fwmark 1 table 100
 ip route add local 0.0.0.0/0 dev lo table 100
@ -28,17 +31,19 @@ iptables -t mangle -A XRAY -d 198.51.100.0/24 -j RETURN
 iptables -t mangle -A XRAY -d 203.0.113.0/24 -j RETURN
 iptables -t mangle -A XRAY -d 224.0.0.0/4 -j RETURN
 iptables -t mangle -A XRAY -d 240.0.0.0/4 -j RETURN
+
+
+# !!! PROVIDE YOUR OWN IP HERE !!!
 iptables -t mangle -A XRAY -d 1.1.1.1 -j RETURN

-# exclude forwarding to and from 10.241.1.3 on ports 80 and 443
-iptables -t mangle -A XRAY -d 10.241.1.3/32 -p tcp --dport 80 -j RETURN
-iptables -t mangle -A XRAY -d 10.241.1.3/32 -p tcp --dport 443 -j RETURN
-iptables -t mangle -A XRAY -d 10.241.1.3/32 -p udp --dport 80 -j RETURN
-iptables -t mangle -A XRAY -d 10.241.1.3/32 -p udp --dport 443 -j RETURN
-iptables -t mangle -A XRAY -s 10.241.1.3/32 -p tcp --sport 80 -j RETURN
-iptables -t mangle -A XRAY -s 10.241.1.3/32 -p tcp --sport 443 -j RETURN
-iptables -t mangle -A XRAY -s 10.241.1.3/32 -p udp --sport 80 -j RETURN
-iptables -t mangle -A XRAY -s 10.241.1.3/32 -p udp --sport 443 -j RETURN
+
+
+# exclude from Xray the following:
+# SAMPLE - you can test the rules using /root/fwd_manual.sh script
+# traefik HTTP+HTTPS
+#direct_port_range_for_ip "10.241.1.165" 80 443
+
+

 # add forwarding rule
 iptables -t mangle -A XRAY -p tcp -j TPROXY --on-port 61219 --tproxy-mark 1
@ -46,4 +51,4 @@ iptables -t mangle -A XRAY -p udp -j TPROXY --on-port 61219 --tproxy-mark 1
 iptables -t mangle -A PREROUTING -j XRAY

 # required for check above
-touch /tmp/configure_xray_startup_executed
+touch /tmp/xray_startup_executed
--- a/root/fwd_manual.sh
+++ b/root/fwd_manual.sh
@ -0,0 +1,6 @@
+#!/bin/sh
+
+# Source the function definitions
+. /etc/xray/fwd_functions.sh
+
+direct_ip "10.241.1.3"
--- a/root/install_xray.sh
+++ b/root/install_xray.sh
@ -35,5 +35,8 @@ opkg install kmod-nft-nat
 opkg install kmod-nft-offload
 opkg install kmod-nft-tproxy

-chmod +x /root/configure_xray_startup.sh
+chmod +x /etc/xray/fwd_functions.sh
+chmod +x /etc/xray/startup.sh
 chmod +x /etc/init.d/xray
+chmod +x /root/restart_xray.sh
+chmod +x /root/fwd_manual.sh
--- a/root/restart_xray.sh
+++ b/root/restart_xray.sh
@ -0,0 +1,2 @@
+#!/bin/sh
+/etc/init.d/xray restart
--- a/root/xray_config/01_log.json
+++ b/root/xray_config/01_log.json
@ -1,9 +0,0 @@
-{
-	"log": 
-		{
-			"access": "",
-			"error": "",
-			"loglevel": "none",
-			"dnsLog": false
-		}
-}
--- a/root/xray_config/02_transport.json
+++ b/root/xray_config/02_transport.json
@ -1,20 +0,0 @@
-{
-	"transport": {
-		"domainStrategy": "IPIfNonMatch",
-		"httpSettings": {
-			"read_idle_timeout": 10,
-			"health_check_timeout": 15
-		},
-		"grpcSettings": {
-			"idle_timeout": 60,
-			"health_check_timeout": 20,
-			"permit_without_stream": true,
-			"initial_windows_size": 35536
-		},
-		"sockopt": {
-			"tcpMptcp": true,
-			"tcpFastOpen": true,
-			"tcpNoDelay": true
-		}
-	}
-}
--- a/root/xray_config/06_policy.json
+++ b/root/xray_config/06_policy.json
@ -1,9 +0,0 @@
-{
-  "policy": {
-    "levels": {
-      "0": {
-        "connIdle": 30
-      }
-    }
-  }
-}