#!/bin/sh
# Abort on the first failing command and trace every command to stderr
# (the trace is what the info/fatal helpers below temporarily switch off).
set -e
set -x
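klipper() {
  # Kernel DNAT mode. Inputs come from the environment:
  #   SRC_PORT    port this node listens on (PREROUTING DNAT match)
  #   SRC_RANGES  comma-separated client ranges allowed through FORWARD
  #   DEST_IPS    comma-separated backend addresses (v4 and/or v6)
  #   DEST_PORT   backend port
  #   DEST_PROTO  protocol passed to -p
  # After installing the rules the function parks on a FIFO; TERM/INT is
  # the only way out, hence the trap.
  trap exit TERM INT
  BIN_DIR="/sbin"

  # Log helpers. Tracing is switched off inside a group whose stderr is
  # discarded so the `set +x` line itself is not echoed by the trace.
  info() {
    { set +x; } 2> /dev/null
    echo '[INFO] ' "$@"
    set -x
  }
  fatal() {
    { set +x; } 2> /dev/null
    echo '[ERROR] ' "$@" >&2
    set -x
    exit 1
  }

  # Point the iptables binaries at the xtables backend matching the running
  # kernel: nf_tables loaded -> nft multi-binary, otherwise legacy.
  check_iptables_mode() {
    # The pipeline sits in an `if`, so a non-match cannot trip `set -e`.
    if lsmod | grep -qF nf_tables 2> /dev/null; then
      mode=nft
    else
      mode=legacy
    fi
    case "$mode" in
      nft)
        info "nft mode detected"
        set_nft
        ;;
      legacy)
        info "legacy mode detected"
        set_legacy
        ;;
      *)
        fatal "invalid iptables mode"
        ;;
    esac
  }
  set_nft() {
    for i in iptables iptables-save iptables-restore ip6tables; do
      ln -sf /sbin/xtables-nft-multi "$BIN_DIR/$i"
    done
  }
  set_legacy() {
    for i in iptables iptables-save iptables-restore ip6tables; do
      ln -sf /sbin/xtables-legacy-multi "$BIN_DIR/$i"
    done
  }

  # Returns 0 when $1 contains ':' -- treated as an IPv6 address or prefix.
  is_ipv6() {
    case "$1" in
      *:*) return 0 ;;
      *) return 1 ;;
    esac
  }

  start_proxy() {
    # Fail with a readable message instead of an iptables usage error.
    if [ -z "$DEST_PROTO" ] || [ -z "$DEST_PORT" ]; then
      fatal "DEST_PROTO and DEST_PORT must be set"
    fi
    # Every expansion below is quoted so each value stays one argv element:
    # unquoted, a value containing whitespace would be split into extra
    # iptables arguments, and the bracketed IPv6 form "[addr]:port" is a
    # shell glob pattern. The ${var//,/ } split is an ash/bash extension,
    # not POSIX sh; it is relied on elsewhere in this file too.
    #
    # ACCEPT rules are inserted at the head of FORWARD, one per allowed
    # source range; the DROP rules appended further down catch everything
    # else, so an empty SRC_RANGES leaves the service unreachable.
    for src_range in ${SRC_RANGES//,/ }; do
      if is_ipv6 "$src_range"; then
        ip6tables -t filter -I FORWARD -s "$src_range" -p "$DEST_PROTO" --dport "$DEST_PORT" -j ACCEPT
      else
        iptables -t filter -I FORWARD -s "$src_range" -p "$DEST_PROTO" --dport "$DEST_PORT" -j ACCEPT
      fi
    done
    for dest_ip in ${DEST_IPS//,/ }; do
      if is_ipv6 "$dest_ip"; then
        # DNAT only works when the kernel forwards between interfaces.
        [ "$(cat /proc/sys/net/ipv6/conf/all/forwarding)" = 1 ] || fatal "ipv6 forwarding is disabled"
        ip6tables -t filter -A FORWARD -d "$dest_ip/128" -p "$DEST_PROTO" --dport "$DEST_PORT" -j DROP
        ip6tables -t nat -I PREROUTING -p "$DEST_PROTO" --dport "$SRC_PORT" -j DNAT --to "[$dest_ip]:$DEST_PORT"
        ip6tables -t nat -I POSTROUTING -d "$dest_ip/128" -p "$DEST_PROTO" -j MASQUERADE
      else
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || fatal "ipv4 forwarding is disabled"
        iptables -t filter -A FORWARD -d "$dest_ip/32" -p "$DEST_PROTO" --dport "$DEST_PORT" -j DROP
        iptables -t nat -I PREROUTING -p "$DEST_PROTO" --dport "$SRC_PORT" -j DNAT --to "$dest_ip:$DEST_PORT"
        iptables -t nat -I POSTROUTING -d "$dest_ip/32" -p "$DEST_PROTO" -j MASQUERADE
      fi
    done
  }

  check_iptables_mode
  start_proxy
  # Block on a FIFO that never gets a writer; the TERM/INT trap above ends
  # the read and the process.
  if [ ! -e /pause ]; then
    mkfifo /pause
  fi
  </pause
}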
genBack() {
  # Print the haproxy "backend back_<family>" stanza for the DEST_IPS
  # entries of the family named by $1 ("ipv4" or "ipv6"). The header is
  # emitted just before the first matching address, so a family with no
  # addresses produces no output. Server numbering counts matches only.
  # send-proxy-v2 makes haproxy prefix each backend connection with a
  # PROXY protocol v2 header.
  first=true
  index=1
  for dest_ip in ${DEST_IPS//,/ }; do
    case "$dest_ip" in
      *:*) [ "$1" = "ipv6" ] || continue ;;
      *) [ "$1" = "ipv4" ] || continue ;;
    esac
    if [ "$first" = true ]; then
      printf '%s\n' "backend back_$1" " mode tcp" " balance roundrobin"
      first=false
    fi
    if [ "$1" = "ipv6" ]; then
      printf ' server server%s [%s]:%s send-proxy-v2\n' "$index" "$dest_ip" "$DEST_PORT"
    else
      printf ' server server%s %s:%s send-proxy-v2\n' "$index" "$dest_ip" "$DEST_PORT"
    fi
    index=$((index + 1))
  done
}
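srcRange() {
  # Print one haproxy accept line for the SRC_RANGES entries of the family
  # given in $1 ("ipv4" or "ipv6"):
  #   tcp-request content accept if { src A or src B }
  # With no matching range nothing is printed; the unconditional
  # "tcp-request content reject" that follows it in the generated config
  # then turns every client away, so an empty allow-list is closed, not open.
  first=true
  for src_range in ${SRC_RANGES//,/ }; do
    case "$src_range" in
      *:*) [ "$1" = "ipv6" ] || continue ;;
      *) [ "$1" = "ipv4" ] || continue ;;
    esac
    # printf rather than `echo -n`: a strict POSIX /bin/sh echo prints the
    # literal "-n", which would corrupt the generated config line.
    if [ "$first" = true ]; then
      printf '%s' "tcp-request content accept if { src ${src_range}"
      first=false
    else
      printf '%s' " or src ${src_range}"
    fi
  done
  if [ "$first" != "true" ]; then
    printf '%s\n' " }"
  fi
}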
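genHaproxy() {
  # Write the haproxy configuration for TCP mode and echo it to stdout so
  # it appears in the container log. Layout of the generated file:
  #   frontend front - listens on SRC_PORT for v4 and v6, admits only the
  #                    SRC_RANGES accept lines from srcRange, rejects the
  #                    rest, then dispatches by client address family
  #   backend back_* - DEST_IPS servers from genBack
  # The 0 timeouts disable haproxy's connect/client/server timers, so idle
  # connections are never reaped by the proxy itself.
  mkdir -p /var/lib/haproxy
  back_ipv4=$(genBack "ipv4")
  back_ipv6=$(genBack "ipv6")
  # haproxy rejects a use_backend that names a backend with no definition,
  # so a single-stack DEST_IPS list only gets the use_backend line for the
  # family it actually contains.
  use_ipv4=
  use_ipv6=
  if [ -n "$back_ipv4" ]; then
    use_ipv4="use_backend back_ipv4 if { src 0.0.0.0/0 }"
  fi
  if [ -n "$back_ipv6" ]; then
    use_ipv6="use_backend back_ipv6 if { src ::/0 }"
  fi
  cat > /var/lib/haproxy/haproxy.cfg <<EOF
global
maxconn 10000
user haproxy
defaults
mode tcp
timeout connect 0
timeout client 0
timeout server 0
frontend front
mode tcp
bind [::]:${SRC_PORT} v4v6
tcp-request inspect-delay 5s
$(srcRange "ipv6")
$(srcRange "ipv4")
tcp-request content reject
${use_ipv4}
${use_ipv6}
${back_ipv4}
${back_ipv6}
EOF
  cat /var/lib/haproxy/haproxy.cfg
}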
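# Mode selection: DEST_PROTO "tcp" (any case) runs the userspace haproxy
# front end, which also speaks PROXY protocol v2 toward the backends; any
# other value uses the kernel iptables DNAT path in klipper().
# printf and a quoted `=` comparison keep this valid under a strict POSIX
# /bin/sh, where `echo -n` and `[ ... == ... ]` are not guaranteed to work.
proto=$(printf '%s' "$DEST_PROTO" | tr '[:upper:]' '[:lower:]')
if [ "$proto" = "tcp" ]; then
  genHaproxy
  haproxy -f /var/lib/haproxy/haproxy.cfg
else
  klipper
fi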