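├── Country.mmdb
├── Dockerfile
├── Makefile
├── README.md
├── config.yaml
└── entrypoint.sh

/Country.mmdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Yi-Z0/docker_global_transparent_proxy/c1cf79b9466b4fa6df73d3d4dfbb271bc1c12b2b/Country.mmdb
--------------------------------------------------------------------------------

/Dockerfile:
--------------------------------------------------------------------------------
# syntax=docker/dockerfile:1
#
# Builds clash from source and packages it together with the iptables-based
# transparent-proxy entrypoint from this repository.
#
# Both base images are build-args so a CI pipeline can pin them by digest
# (IMAGE@sha256:...). The runtime default is a minor tag rather than :latest;
# 3.11 is the release the commented apk mirror below points at -- bump it and
# re-pin regularly, an old base ships old packages.
ARG GO_IMAGE=golang:alpine
ARG ALPINE_IMAGE=alpine:3.11

FROM ${GO_IMAGE} AS builder

# Tag, branch or full commit hash of Dreamacro/clash to build. The default
# reproduces the original behaviour (head of master at build time); pass
# --build-arg CLASH_REF=<tag-or-sha> for a reproducible, auditable build
# instead of "whatever master is today".
# NOTE(review): the upstream repository was withdrawn by its author in late
# 2023 -- confirm the clone URL still resolves (or point it at a vetted
# mirror/fork) before relying on this build.
ARG CLASH_REF=master

# Full (not shallow) clone so `git describe --tags` in the Makefile still
# produces a real version string.
RUN apk add --no-cache git make && \
    git clone https://github.com/Dreamacro/clash.git /clash-src && \
    git -C /clash-src checkout --quiet "${CLASH_REF}"

WORKDIR /clash-src

# Module download happens before the repo Makefile is copied in, so a
# Makefile tweak does not re-download every dependency.
RUN go mod download

COPY Makefile /clash-src/Makefile
RUN make current


FROM ${ALPINE_IMAGE}

# Optional apk mirror for builders behind the GFW. Leave it commented out so
# the default build fetches and verifies packages from the official repos.
# RUN echo "https://mirror.tuna.tsinghua.edu.cn/alpine/v3.11/main/" > /etc/apk/repositories

# Runtime needs only: CA certificates (DoT/DoH upstreams and TLS to proxies),
# bash (entrypoint.sh is a bash script) and iptables.
# bash-doc / bash-completion were dropped -- they do nothing at runtime and
# only widen the image.
# The original command was missing "&&" before "rm -rf", so "rm", "-rf" and
# "/var/cache/apk/*" were handed to `apk add` as package names. With
# --no-cache there is no apk cache to delete anyway.
RUN apk add --no-cache \
        bash \
        ca-certificates \
        iptables

COPY --from=builder /clash-src/bin/clash /usr/local/bin/clash

# --chmod replaces the follow-up "RUN chmod", which would copy the file into
# a second layer just to flip a mode bit.
COPY --chmod=0755 entrypoint.sh /usr/local/bin/entrypoint.sh

# Default config and GeoIP database, copied into /clash_config on first start
# if the mounted directory does not already provide them.
# Country.mmdb is an opaque binary checked into the repo with no checksum or
# signature here: refresh it from a trusted source and verify it before
# publishing an image.
COPY config.yaml Country.mmdb /root/.config/clash/

# The container must stay root: the entrypoint programs iptables, enables IP
# forwarding and clash binds port 53. Do not use --privileged for that --
# `--cap-add=NET_ADMIN --sysctl net.ipv4.ip_forward=1` is what the entrypoint
# actually needs (see README).
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD ["/usr/local/bin/clash", "-d", "/clash_config"]
--------------------------------------------------------------------------------

/Makefile:
--------------------------------------------------------------------------------
# Copy of the upstream clash Makefile; it overwrites the one in the cloned
# source tree so the image build only depends on this repository's copy.
# The Dockerfile runs the `current` target (native GOOS/GOARCH of the builder,
# which under `docker buildx --platform` is the target platform).
NAME=clash
BINDIR=bin
VERSION=$(shell git describe --tags || echo "unknown version")
BUILDTIME=$(shell date -u)
# Static binary (CGO_ENABLED=0) with symbols stripped (-w -s); version and
# build time are injected via -ldflags -X.
GOBUILD=CGO_ENABLED=0 go build -ldflags '-X "github.com/Dreamacro/clash/constant.Version=$(VERSION)" \
	-X "github.com/Dreamacro/clash/constant.BuildTime=$(BUILDTIME)" \
	-w -s'

PLATFORM_LIST = \
	darwin-amd64 \
	linux-386 \
	linux-amd64 \
	linux-armv5 \
	linux-armv6 \
	linux-armv7 \
	linux-armv8 \
	linux-mips-softfloat \
	linux-mips-hardfloat \
	linux-mipsle-softfloat \
	linux-mipsle-hardfloat \
	linux-mips64 \
	linux-mips64le \
	freebsd-386 \
	freebsd-amd64

WINDOWS_ARCH_LIST = \
	windows-386 \
	windows-amd64

.PHONY: current all all-arch releases clean

current:
	$(GOBUILD) -o $(BINDIR)/$(NAME)

all: linux-amd64 darwin-amd64 windows-amd64 # Most used

darwin-amd64:
	GOARCH=amd64 GOOS=darwin $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

linux-386:
	GOARCH=386 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

linux-amd64:
	GOARCH=amd64 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

linux-armv5:
	GOARCH=arm GOOS=linux GOARM=5 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

linux-armv6:
	GOARCH=arm GOOS=linux GOARM=6 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

linux-armv7:
	GOARCH=arm GOOS=linux GOARM=7 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

linux-armv8:
	GOARCH=arm64 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

linux-mips-softfloat:
	GOARCH=mips GOMIPS=softfloat GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

linux-mips-hardfloat:
	GOARCH=mips GOMIPS=hardfloat GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

linux-mipsle-softfloat:
	GOARCH=mipsle GOMIPS=softfloat GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

linux-mipsle-hardfloat:
	GOARCH=mipsle GOMIPS=hardfloat GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

linux-mips64:
	GOARCH=mips64 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

linux-mips64le:
	GOARCH=mips64le GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

freebsd-386:
	GOARCH=386 GOOS=freebsd $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

freebsd-amd64:
	GOARCH=amd64 GOOS=freebsd $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

windows-386:
	GOARCH=386 GOOS=windows $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe

windows-amd64:
	GOARCH=amd64 GOOS=windows $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe

gz_releases=$(addsuffix .gz, $(PLATFORM_LIST))
zip_releases=$(addsuffix .zip, $(WINDOWS_ARCH_LIST))

$(gz_releases): %.gz : %
	chmod +x $(BINDIR)/$(NAME)-$(basename $@)
	gzip -f -S -$(VERSION).gz $(BINDIR)/$(NAME)-$(basename $@)

$(zip_releases): %.zip : %
	zip -m -j $(BINDIR)/$(NAME)-$(basename $@)-$(VERSION).zip $(BINDIR)/$(NAME)-$(basename $@).exe

all-arch: $(PLATFORM_LIST) $(WINDOWS_ARCH_LIST)

releases: $(gz_releases) $(zip_releases)

clean:
	rm -f $(BINDIR)/*
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# docker_global_transparent_proxy
使用clash +docker 进行路由转发实现全局透明代理

## 食用方法
1. 开启混杂模式

`ip link set eth0 promisc on`

1. docker创建网络,注意将网段改为你自己的

`docker network create -d macvlan --subnet=192.168.1.0/24 --gateway=192.168.1.1 -o parent=eth0 macnet`

1. 提前准备好正确的clash config , 必须打开redir在7892, 以及dns在53端口

1. 运行容器

`sudo docker run --name clash_tp -d -v /your/path/clash_config:/clash_config --network macnet --ip 192.168.1.100 --privileged zhangyi2018/clash_transparent_proxy`

1. 将手机/电脑等客户端 网关设置为容器ip,如192.168.1.100 ,dns也设置成这个


## 附注 :

1. 只要规则设置的对, 支持国内直连,国外走代理
1. 只在linux 测试过,win没试过, mac是不行, 第二步创建网络不行, docker自己的问题, 说不定以后哪天docker for mac支持了?

## Security notes

1. `--privileged` grants far more than this container needs. The entrypoint only requires `CAP_NET_ADMIN` (for iptables) and IPv4 forwarding, so prefer:

`sudo docker run --name clash_tp -d -v /your/path/clash_config:/clash_config --network macnet --ip 192.168.1.100 --cap-add=NET_ADMIN --sysctl net.ipv4.ip_forward=1 zhangyi2018/clash_transparent_proxy`

   (the entrypoint detects forwarding already enabled by `--sysctl` and skips the `/proc/sys` write that fails without `--privileged`).
1. Only IPv4 is redirected; there are no ip6tables rules. A client with a working IPv6 route will send both DNS and traffic around the proxy. Disable IPv6 on clients or add matching ip6tables rules.
1. With `allow-lan: true` the HTTP (7890) and SOCKS5 (7891) listeners are reachable, unauthenticated, by every host on the macvlan segment, and port 53 is an open resolver for that segment. Keep the container on a trusted LAN or enable `authentication` / `bind-address` in the config.
1. The build clones the `master` branch of clash by default; pass `--build-arg CLASH_REF=<tag-or-commit>` to build a known, reviewable revision.

## 构建方法
`docker buildx build --platform linux/386,linux/amd64,linux/arm/v7,linux/arm64/v8 -t zhangyi2018/clash_transparent_proxy:1.0.7 -t zhangyi2018/clash_transparent_proxy:latest . --push`
--------------------------------------------------------------------------------

/config.yaml:
--------------------------------------------------------------------------------
# port of HTTP
port: 7890

# port of SOCKS5
socks-port: 7891

# redir port for Linux and macOS
# Must be enabled: entrypoint.sh REDIRECTs all forwarded TCP to this port.
redir-port: 7892

# Required for a gateway (the clients are other hosts), but it also exposes
# the unauthenticated HTTP/SOCKS5 listeners above to every host on the LAN.
# Restrict with bind-address and/or enable the "authentication" block below.
allow-lan: true

# Only applicable when setting allow-lan to true
# "*": bind all IP addresses
# 192.168.122.11: bind a single IPv4 address
# "[aaaa::a8aa:ff:fe09:57d8]": bind a single IPv6 address
# bind-address: "*"

# Rule / Global/ Direct (default is Rule)
mode: Direct

# set log level to stdout (default is info)
# info / warning / error / debug / silent
log-level: info

# RESTful API for clash
# Bound to loopback, so it is only reachable through `docker exec`. If it is
# ever exposed on the LAN (e.g. 0.0.0.0:9090) set "secret" below: the API can
# switch proxies and read the full configuration.
external-controller: 127.0.0.1:9090

# you can put the static web resource (such as clash-dashboard) to a directory, and clash would serve in `${API}/ui`
# input is a relative path to the configuration directory or an absolute path
# external-ui: folder

# Secret for RESTful API (Optional)
# secret: ""

# experimental feature
experimental:
  ignore-resolve-fail: true # ignore dns resolve fail, default value is true

# authentication of local SOCKS5/HTTP(S) server
# authentication:
#   - "user1:pass1"
#   - "user2:pass2"

# # experimental hosts, support wildcard (e.g. *.clash.dev Even *.foo.*.example.com)
# # static domain has a higher priority than wildcard domain (foo.example.com > *.example.com)
# hosts:
#   '*.clash.dev': 127.0.0.1
#   'alpha.clash.dev': '::1'

dns:
  # DNS must stay enabled: the entrypoint redirects every LAN DNS query here,
  # and resolving locally (with encrypted upstreams) is what defeats DNS
  # poisoning. Listening on 0.0.0.0:53 makes this an open resolver for the
  # whole L2 segment the macvlan interface is attached to.
  enable: true # set true to enable dns (default is false)
  ipv6: false # default is false
  listen: 0.0.0.0:53
  enhanced-mode: fake-ip # or redir-host
  # fake-ip-range: 198.18.0.1/16 # if you don't know what it is, don't change it
  fake-ip-filter: # fake ip white domain list
    - "*.lan"
    - localhost.ptlogin2.qq.com
  nameserver:
    - 114.114.114.114             # plain UDP: answers can be observed/forged on path
    - tls://dns.rubyfish.cn:853   # dns over tls
    - https://1.1.1.1/dns-query   # dns over https
  fallback: # concurrent request with nameserver, fallback used when GEOIP country isn't CN
    - tcp://1.1.1.1
  fallback-filter:
    geoip: true # default
    ipcidr: # ips in these subnets will be considered polluted
      - 240.0.0.0/4

Proxy:
  # shadowsocks
  # The supported ciphers(encrypt methods):
  # aes-128-gcm aes-192-gcm aes-256-gcm
  # aes-128-cfb aes-192-cfb aes-256-cfb
  # aes-128-ctr aes-192-ctr aes-256-ctr
  # rc4-md5 chacha20-ietf xchacha20
  # chacha20-ietf-poly1305 xchacha20-ietf-poly1305
  # Only the AEAD ciphers (aes-*-gcm, chacha20-ietf-poly1305,
  # xchacha20-ietf-poly1305) authenticate the stream; rc4-md5 and the
  # cfb/ctr/plain stream ciphers are unauthenticated and should not be used
  # for new servers.
  # - name: "ss1"
  #   type: ss
  #   server: server
  #   port: 443
  #   cipher: chacha20-ietf-poly1305
  #   password: "password"
  #   # udp: true

  # # old obfs configuration format remove after prerelease
  # - name: "ss2"
  #   type: ss
  #   server: server
  #   port: 443
  #   cipher: chacha20-ietf-poly1305
  #   password: "password"
  #   plugin: obfs
  #   plugin-opts:
  #     mode: tls # or http
  #     # host: bing.com

  # - name: "ss3"
  #   type: ss
  #   server: server
  #   port: 443
  #   cipher: chacha20-ietf-poly1305
  #   password: "password"
  #   plugin: v2ray-plugin
  #   plugin-opts:
  #     mode: websocket # no QUIC now
  #     # tls: true # wss
  #     # skip-cert-verify: true   # disables certificate validation -> MITM-able hop
  #     # host: bing.com
  #     # path: "/"
  #     # mux: true
  #     # headers:
  #     #   custom: value

  # # vmess
  # # cipher support auto/aes-128-gcm/chacha20-poly1305/none
  # - name: "vmess"
  #   type: vmess
  #   server: server
  #   port: 443
  #   uuid: uuid
  #   alterId: 32
  #   cipher: auto
  #   # udp: true
  #   # tls: true
  #   # skip-cert-verify: true   # disables certificate validation -> MITM-able hop
  #   # network: ws
  #   # ws-path: /path
  #   # ws-headers:
  #   #   Host: v2ray.com

  # # socks5
  # - name: "socks"
  #   type: socks5
  #   server: server
  #   port: 443
  #   # username: username
  #   # password: password
  #   # tls: true
  #   # skip-cert-verify: true   # disables certificate validation -> MITM-able hop
  #   # udp: true

  # # http
  # - name: "http"
  #   type: http
  #   server: server
  #   port: 443
  #   # username: username
  #   # password: password
  #   # tls: true # https
  #   # skip-cert-verify: true   # disables certificate validation -> MITM-able hop

  # # snell
  # - name: "snell"
  #   type: snell
  #   server: server
  #   port: 44046
  #   psk: yourpsk
  #   # obfs-opts:
  #     # mode: http # or tls
  #     # host: bing.com

Proxy Group:
  # url-test select which proxy will be used by benchmarking speed to a URL.
  # - name: "auto"
  #   type: url-test
  #   proxies:
  #     - ss1
  #     - ss2
  #     - vmess1
  #   url: 'http://www.gstatic.com/generate_204'
  #   interval: 300

  # # fallback select an available policy by priority. The availability is tested by accessing an URL, just like an auto url-test group.
  # - name: "fallback-auto"
  #   type: fallback
  #   proxies:
  #     - ss1
  #     - ss2
  #     - vmess1
  #   url: 'http://www.gstatic.com/generate_204'
  #   interval: 300

  # # load-balance: The request of the same eTLD will be dial on the same proxy.
  # - name: "load-balance"
  #   type: load-balance
  #   proxies:
  #     - ss1
  #     - ss2
  #     - vmess1
  #   url: 'http://www.gstatic.com/generate_204'
  #   interval: 300

  # # select is used for selecting proxy or proxy group
  # # you can use RESTful API to switch proxy, is recommended for use in GUI.
  # - name: Proxy
  #   type: select
  #   proxies:
  #     - ss1
  #     - ss2
  #     - vmess1
  #     - auto

Rule:
  # - DOMAIN-SUFFIX,google.com,auto
  # - DOMAIN-KEYWORD,google,auto
  # - DOMAIN,google.com,auto
  - DOMAIN-SUFFIX,ad.com,REJECT
  # rename SOURCE-IP-CIDR and would remove after prerelease
  - SRC-IP-CIDR,192.168.1.201/32,DIRECT
  # optional param "no-resolve" for IP rules (GEOIP IP-CIDR)
  - IP-CIDR,127.0.0.0/8,DIRECT
  - GEOIP,CN,DIRECT
  - DST-PORT,80,DIRECT
  - SRC-PORT,7777,DIRECT
  # FINAL would remove after prerelease
  # you also can use `FINAL,Proxy` or `FINAL,,Proxy` now
  # - MATCH,auto
  - FINAL,DIRECT
--------------------------------------------------------------------------------

/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Container entrypoint: install the nat rules that turn this container into a
# transparent-proxy gateway, make sure IPv4 forwarding is on, seed the mounted
# config directory with defaults, then exec the real command (clash).
#
# Privileges: iptables needs CAP_NET_ADMIN. IP forwarding is checked before it
# is written so the container can be started with
#   --cap-add=NET_ADMIN --sysctl net.ipv4.ip_forward=1
# instead of --privileged (without --privileged /proc/sys is read-only and the
# write below would fail).

set -euo pipefail

readonly CLASH_CONFIG_DIR=/clash_config
readonly DEFAULTS_DIR=/root/.config/clash
readonly REDIR_PORT=7892   # must match redir-port in config.yaml
readonly DNS_PORT=53       # must match dns.listen in config.yaml

# Flush all rules and reset policies to ACCEPT. User-defined chains in nat and
# mangle are deleted too: the original only flushed them, so a leftover
# CLASHRULE chain made the later "-N CLASHRULE" fail and abort the script.
reset_iptables() {
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -F
    iptables -X
}

# Build the CLASHRULE chain in the nat table and hook it into PREROUTING.
# Only forwarded (client) traffic traverses PREROUTING, so the container's
# own outbound connections -- including clash's upstream proxy traffic -- are
# never redirected back into the redir port.
set_clash_iptables() {
    iptables -t nat -N CLASHRULE

    # Exemption carried over from the original rule set; the purpose of port
    # 1905 is not documented here.
    iptables -t nat -A CLASHRULE -p tcp --dport 1905 -j RETURN

    # Local, private, link-local, multicast and reserved destinations are
    # never proxied.
    local cidr
    for cidr in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
        iptables -t nat -A CLASHRULE -d "${cidr}" -j RETURN
    done

    # Everything else goes to clash's redir listener. TCP only: UDP is not
    # transparently proxied by these rules.
    iptables -t nat -A CLASHRULE -p tcp -j REDIRECT --to-ports "${REDIR_PORT}"

    # Hijack every DNS query from the LAN and answer it from clash's resolver.
    # IPv4 only -- there are no ip6tables rules, so clients with a working
    # IPv6 path bypass both the DNS and the TCP redirection.
    iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports "${DNS_PORT}"
    iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports "${DNS_PORT}"

    # Activate the chain for forwarded TCP traffic.
    iptables -t nat -A PREROUTING -p tcp -j CLASHRULE
}

# Enable IPv4 forwarding. Skip the write when the kernel already has it on
# (e.g. via --sysctl); otherwise fail loudly rather than let clients point
# their default route at a gateway that silently drops everything.
enable_ip_forward() {
    local sysctl_file=/proc/sys/net/ipv4/ip_forward
    if [ "$(cat "${sysctl_file}")" = "1" ]; then
        return 0
    fi
    if ! echo 1 > "${sysctl_file}"; then
        echo "cannot enable IPv4 forwarding: start the container with" \
             "--sysctl net.ipv4.ip_forward=1 (or --privileged)" >&2
        exit 1
    fi
}

# Copy a default file into the mounted config dir when the user did not
# provide it. $1 is the file name relative to both directories.
seed_default() {
    local name=$1
    if [ ! -e "${CLASH_CONFIG_DIR}/${name}" ]; then
        echo "init ${CLASH_CONFIG_DIR}/${name}"
        cp "${DEFAULTS_DIR}/${name}" "${CLASH_CONFIG_DIR}/${name}"
    fi
}

# The iptables rules above hard-wire ports 7892 and 53; a mounted config that
# listens elsewhere leaves clients with no working gateway. This is a
# best-effort textual check (clash does the authoritative parse), so it only
# warns.
warn_if_ports_mismatch() {
    local cfg="${CLASH_CONFIG_DIR}/config.yaml"
    if ! grep -Eq "^redir-port:[[:space:]]*${REDIR_PORT}([[:space:]]|$)" "${cfg}"; then
        echo "WARNING: ${cfg} does not set redir-port: ${REDIR_PORT}; redirected TCP will not reach clash" >&2
    fi
    if ! grep -Eq "^[[:space:]]*listen:[[:space:]]*[^:[:space:]]+:${DNS_PORT}([[:space:]]|$)" "${cfg}"; then
        echo "WARNING: ${cfg} dns.listen does not end in :${DNS_PORT}; redirected DNS will not reach clash" >&2
    fi
}

reset_iptables
set_clash_iptables
enable_ip_forward

mkdir -p "${CLASH_CONFIG_DIR}"
seed_default config.yaml
seed_default Country.mmdb
warn_if_ports_mismatch

# Diagnostics: shows the address LAN clients should use as gateway/DNS.
ip addr

exec "$@"
--------------------------------------------------------------------------------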