android shell文件中语法见:
https://blog.csdn.net/hfreeman2008/article/details/51416188
代理原理是设置iptables网关策略+redsocks转发->代理服务器3proxy设置
proxy.sh文件
#!/system/bin/sh # 本sh仅实现了sock5代理配置 # $0表示sh文件本身路径,$1表示第一个参数 # $1 type:start/stop,为开启或者关闭代理功能 # $2 remoteHost:远程代理ip地址,如119.x.xx.xx # $3 remotePort:远程代理ip端口,如1801 # $4 remoteUserName:远程代理用户名,user1 # $5 remotePasswd:远程代理用户密码,123 # 示例:start 119.x.xx.xx 1801 user1 123 DIR=/data/local/tmp IPTABLES_DIR=/system/bin REDSOCKS_DIR=/system/bin echo "init sh..." type=$1 remoteHost=$2 remotePort=$3 remoteUserName=$4 remotePasswd=$5 os_version=$(getprop ro.build.version.sdk) # if [ "$os_version" -eq "19" ]; then # cmd="当前os版本为:19" # echo $cmd # elif [ "$os_version" -eq "28" ]; then # cmd="当前os版本为:28" # echo $cmd # else # cmd="当前os版本为:default" # echo $cmd # fi # 判断system/bin下有没有redsocks文件 # echo "$REDSOCKS_DIR/redsocks" if [ -e "$REDSOCKS_DIR/redsocks" ]; then REDSOCKS_DIR=/system/bin echo "redsocks在/system" elif [ -e "$DIR/redsocks" ]; then REDSOCKS_DIR=/data/local/tmp chmod 755 $REDSOCKS_DIR/redsocks echo "redsocks在/data/local/tmp下" else echo "redsocks不存在" # 是不是要关闭网络 exit fi echo "redsocks存在$REDSOCKS_DIR" case $type in start) # 执行start代理服务 echo " base { log_debug = off; log_info = off; log = stderr; daemon = on; redirector = iptables; } " >$DIR/redsocks.conf # 根据命令参数执行 echo " redsocks { local_ip = 0.0.0.0; local_port = 8123; ip = $remoteHost; port = $remotePort; type = socks5; login = \"$remoteUserName\"; password = \"$remotePasswd\"; } " >>$DIR/redsocks.conf # 开始执行具体逻辑 # ... # 1.关闭进程redsocks echo "执行start命令,开启远程代理服务" kill -9 `cat $DIR/redsocks.pid` rm $DIR/redsocks.pid killall -9 redsocks killall -9 cntlm killall -9 stunnel killall -9 tproxy # 2.redsocks转发端口打开 $REDSOCKS_DIR/redsocks -p $DIR/redsocks.pid -c $DIR/redsocks.conf echo "type:${1},ip:${2},host:${3},user:${4},passwd:${5}" # 3.情况默认的iptables规则 $IPTABLES_DIR/iptables -t filter -F $IPTABLES_DIR/iptables -t nat -F # 4.放行过滤流入本机的端口为8123、8124的tcp数据包 $IPTABLES_DIR/iptables -A INPUT -p tcp --dport 8123 -j ACCEPT $IPTABLES_DIR/iptables -A INPUT -p tcp --dport 8124 -j ACCEPT $IPTABLES_DIR/iptables -A INPUT -p tcp --dport 8123 -j DROP $IPTABLES_DIR/iptables -A INPUT -p tcp --dport 8124 -j DROP # 5.黑名单:转发除指定ip之外的所有数据包 $IPTABLES_DIR/iptables -t nat -A PREROUTING -p tcp -d 192.168.43.0/24 -j RETURN $IPTABLES_DIR/iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to 8123 # 6.设置不转发出去的私有地址数据包 # 6.1不重定向目的地址为服务器的包直接放行(redsock处理过了),如果也做转发就是死循环 $IPTABLES_DIR/iptables -t nat -A OUTPUT -p tcp -d $remoteHost -j RETURN # 6.2不重定向私有地址的流量 $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 0.0.0.0/8 -j RETURN $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 10.0.0.0/8 -j RETURN $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 100.64.0.0/10 -j RETURN $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 127.0.0.0/8 -j RETURN $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 169.254.0.0/16 -j RETURN $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 172.16.0.0/12 -j RETURN $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 192.168.0.0/16 -j RETURN $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 198.18.0.0/15 -j RETURN $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 224.0.0.0/4 -j RETURN $IPTABLES_DIR/iptables -t nat -A OUTPUT -d 240.0.0.0/4 -j RETURN # 7.1添加手机控制器app uid的包放行 #iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner luser -j RETURN # 7.2重定向所有不满足以上条件的数据包到redsocks监听的端口 $IPTABLES_DIR/iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports 8123 ;; stop) # 执行stop代理服务 # ... # 1.关闭进程redsocks echo "执行stop命令,关闭远程代理服务" kill -9 `cat $DIR/redsocks.pid` rm $DIR/redsocks.pid killall -9 redsocks killall -9 cntlm killall -9 stunnel killall -9 tproxy $IPTABLES_DIR/iptables -t filter -F $IPTABLES_DIR/iptables -t nat -F ;; *) echo "没有输入有效参数,exit" ;; esac
3proxy设置的3proxy.cfg
nscache 65536 timeouts 1 5 30 60 180 1800 15 60 service log D:\Wind\Wind.NET.Client\WindNET\Users\114029648\IM\File2\weqweq-\Debug\3proxy.log D logformat "- +_L%Y-%m-%d %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T" archiver rar rar a -df -inul %A %F rotate 30 users user1:CL:123 user2:CL:123#external 192.168.2.101 #internal 192.168.2.101 auth strong flush # We want to protect internal interface deny * * 127.0.0.1,192.168.2.1 # and llow HTTP and HTTPS traffic. allow * #allow * * * 80-88,8080-8088,8001-8010 HTTP #allow * * * 443,8443,8001-8010 HTTPS #proxy -a -p1801 maxconn 1000 socks -p1801