android shell 转发代理shell示例

android shell文件中语法见：

shell语法

https://blog.csdn.net/hfreeman2008/article/details/51416188

代理原理是设置iptables网关策略+redsocks转发->代理服务器3proxy设置

proxy.sh文件

#!/system/bin/sh

# 本sh仅实现了sock5代理配置
# $0表示sh文件本身路径,$1表示第一个参数

# $1 type:start/stop，为开启或者关闭代理功能
# $2 remoteHost:远程代理ip地址，如119.x.xx.xx
# $3 remotePort:远程代理ip端口，如1801
# $4 remoteUserName:远程代理用户名，user1
# $5 remotePasswd:远程代理用户密码，123
# 示例：start 119.x.xx.xx 1801 user1 123 

DIR=/data/local/tmp
IPTABLES_DIR=/system/bin
REDSOCKS_DIR=/system/bin


echo "init sh..."

type=$1
remoteHost=$2
remotePort=$3
remoteUserName=$4
remotePasswd=$5



os_version=$(getprop ro.build.version.sdk)

# if [ "$os_version" -eq "19" ]; then
  # cmd="当前os版本为：19"
  # echo $cmd
# elif [ "$os_version" -eq "28" ]; then
  # cmd="当前os版本为：28"
  # echo $cmd
# else
  # cmd="当前os版本为：default"
  # echo $cmd
# fi




# 判断system/bin下有没有redsocks文件
# echo "$REDSOCKS_DIR/redsocks"
if [ -e "$REDSOCKS_DIR/redsocks" ]; then
    REDSOCKS_DIR=/system/bin
    echo "redsocks在/system"
elif [ -e "$DIR/redsocks" ]; then
    REDSOCKS_DIR=/data/local/tmp
    chmod 755 $REDSOCKS_DIR/redsocks
    echo "redsocks在/data/local/tmp下"
else
    echo "redsocks不存在"
    # 是不是要关闭网络
    exit
fi

echo "redsocks存在$REDSOCKS_DIR"

case $type in
    start)
# 执行start代理服务
    echo "
    base {
     log_debug = off;
     log_info = off;
     log = stderr;
     daemon = on;
     redirector = iptables;
    }
    " >$DIR/redsocks.conf
# 根据命令参数执行
    echo "
    redsocks {
    local_ip = 0.0.0.0;
    local_port = 8123;
    ip = $remoteHost;
    port = $remotePort;
    type = socks5;
    login = "$remoteUserName";
    password = "$remotePasswd";
    }
    " >>$DIR/redsocks.conf    
    # 开始执行具体逻辑
    # ...
    # 1.关闭进程redsocks
    echo "执行start命令，开启远程代理服务"
    kill -9 `cat $DIR/redsocks.pid`
    rm $DIR/redsocks.pid
    
    killall -9 redsocks
    killall -9 cntlm
    killall -9 stunnel
    killall -9 tproxy

    # 2.redsocks转发端口打开
    $REDSOCKS_DIR/redsocks -p $DIR/redsocks.pid -c $DIR/redsocks.conf

    echo "type:${1},ip:${2},host:${3},user:${4},passwd:${5}"
    
    # 3.情况默认的iptables规则
    $IPTABLES_DIR/iptables -t filter -F
    $IPTABLES_DIR/iptables -t nat -F

    # 4.放行过滤流入本机的端口为8123、8124的tcp数据包
    $IPTABLES_DIR/iptables -A INPUT -p tcp --dport 8123 -j ACCEPT
    $IPTABLES_DIR/iptables -A INPUT -p tcp --dport 8124 -j ACCEPT

    $IPTABLES_DIR/iptables -A INPUT -p tcp --dport 8123 -j DROP
    $IPTABLES_DIR/iptables -A INPUT -p tcp --dport 8124 -j DROP

    # 5.黑名单：转发除指定ip之外的所有数据包
    $IPTABLES_DIR/iptables -t nat -A PREROUTING -p tcp -d 192.168.43.0/24 -j RETURN
    $IPTABLES_DIR/iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to 8123

    # 6.设置不转发出去的私有地址数据包

    # 6.1不重定向目的地址为服务器的包直接放行（redsock处理过了），如果也做转发就是死循环
    $IPTABLES_DIR/iptables -t nat -A OUTPUT -p tcp -d $remoteHost -j RETURN

    # 6.2不重定向私有地址的流量
    $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 0.0.0.0/8 -j RETURN
    $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 10.0.0.0/8 -j RETURN
    $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 100.64.0.0/10 -j RETURN
    $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 127.0.0.0/8 -j RETURN
    $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 169.254.0.0/16 -j RETURN
    $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 172.16.0.0/12 -j RETURN
    $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 192.168.0.0/16 -j RETURN
    $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 198.18.0.0/15 -j RETURN
    $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 224.0.0.0/4 -j RETURN
    $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 240.0.0.0/4 -j RETURN

    # 7.1添加手机控制器app uid的包放行
    #iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner luser -j RETURN

    # 7.2重定向所有不满足以上条件的数据包到redsocks监听的端口
    $IPTABLES_DIR/iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports 8123
        
    ;;
    stop)
    # 执行stop代理服务
    # ...
    # 1.关闭进程redsocks
    echo "执行stop命令，关闭远程代理服务"
    kill -9 `cat $DIR/redsocks.pid`
    rm $DIR/redsocks.pid
    
    killall -9 redsocks
    killall -9 cntlm
    killall -9 stunnel
    killall -9 tproxy
    
    $IPTABLES_DIR/iptables -t filter -F
    $IPTABLES_DIR/iptables -t nat -F
    
    ;;
    *)
    echo "没有输入有效参数，exit"
    ;;
esac

3proxy设置的3proxy.cfg

nscache 65536
timeouts 1 5 30 60 180 1800 15 60
service
log D:WindWind.NET.ClientWindNETUsers114029648IMFile2weqweq-Debug3proxy.log D
logformat "- +_L%Y-%m-%d %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
archiver rar rar a -df -inul %A %F
rotate 30

users user1:CL:123 user2:CL:123#external 192.168.2.101
#internal 192.168.2.101

auth strong
flush
# We want to protect internal interface
deny * * 127.0.0.1,192.168.2.1
# and llow HTTP and HTTPS traffic.
allow *
#allow * * * 80-88,8080-8088,8001-8010 HTTP 
#allow * * * 443,8443,8001-8010 HTTPS
#proxy -a -p1801
maxconn 1000
socks -p1801