My Router
Here I collect the resources and configuration used on my personal OpenWrt router.
dnsmasq-china-list
The dnsmasq-china-list project provides a detailed list of the main mainland-China websites, used to split DNS resolution of Chinese domains from that of all other domains. (See also: China IP)
Usage:

```sh
#!/bin/sh
# Creates or replaces /root/dnsmasq-china-list-master with a fresh copy of the list.
# Note: --no-check-certificate disables TLS certificate verification, so the
# archive could be swapped in transit; drop the flag once the router has a CA
# store installed (OpenWrt packages ca-bundle / ca-certificates).
cd /root || exit 1
rm -rf dnsmasq-china-list*
wget --no-check-certificate https://github.com/felixonmars/dnsmasq-china-list/archive/master.zip -O dnsmasq-china-list.zip
# the archive unpacks into dnsmasq-china-list-master/
unzip -q dnsmasq-china-list.zip
```
Then add the following to the router's dnsmasq configuration file /etc/dnsmasq.conf:

```
conf-dir=/root/dnsmasq-china-list-master,*.conf
```

Restart dnsmasq for the change to take effect (on OpenWrt: /etc/init.d/dnsmasq restart).
yhosts
yhosts is a hosts-file project for blocking ads (and junk sites).

Usage:

First add the following to the router's dnsmasq configuration file /etc/dnsmasq.conf (with a directory as the argument, dnsmasq loads every file inside it as an extra hosts file):

```
addn-hosts=/root/hosts
```

Then download the hosts.txt provided by the yhosts project and save it as /root/hosts/yhosts.txt:

```sh
#!/bin/sh
mkdir -p /root/hosts
# Use the raw file URL: the github.com/.../blob/... URL returns GitHub's HTML
# page, not the hosts file itself.
wget --no-check-certificate https://raw.githubusercontent.com/vokins/yhosts/master/hosts.txt -O /root/hosts/yhosts.txt
```

Restart dnsmasq for the change to take effect.
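Both lists above are downloaded from the network (one of them with certificate checking turned off) and then loaded straight into the router's resolver, so it is worth a sanity check before restarting dnsmasq: a blocklist should only ever map names to a sink address such as 0.0.0.0 or 127.0.0.1, and every `server=/domain/ip` line from dnsmasq-china-list should point at the upstream the list is expected to use. The following checker is an added example, not code from this page or from either project; the sample hosts and conf lines are constructed, and the allowed upstream 114.114.114.114 is an assumption to be replaced with whatever the downloaded list actually uses.

```python
import ipaddress
import re

# Addresses a blocklist may legitimately "sink" a name to; anything else is suspicious.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Constructed sample in hosts-file style (not real yhosts content).
SAMPLE_HOSTS = """# constructed sample
0.0.0.0 ad.example.net
127.0.0.1 tracker.example.org pixel.example.org
203.0.113.5 bank.example.com   # a real address here would redirect the name, not block it
"""

# Constructed sample in dnsmasq server=/domain/upstream style (not real list content).
SAMPLE_CHINA_CONF = """# constructed sample
server=/baidu.com/114.114.114.114
server=/qq.com/114.114.114.114
server=/example.com.cn/203.0.113.9
"""

SERVER_RE = re.compile(r"^server=/([^/]+)/(.+)$")


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            yield parts[0], name


def suspicious_hosts_entries(text):
    """Return (address, hostname) entries that are malformed or do not point at a sink address."""
    bad = []
    for addr, name in parse_hosts(text):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            bad.append((addr, name))  # not an IP address at all: malformed line
            continue
        if addr not in SINK_ADDRESSES:
            bad.append((addr, name))  # would redirect the name to a real host
    return bad


def unexpected_upstreams(text, allowed):
    """Return (domain, upstream) pairs from server=/domain/upstream lines whose upstream is not allowed."""
    bad = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SERVER_RE.match(line)
        if m is None:
            continue
        domain, upstream = m.groups()
        if upstream not in allowed:
            bad.append((domain, upstream))
    return bad


if __name__ == "__main__":
    print("hosts entries to review:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("server lines to review:", unexpected_upstreams(SAMPLE_CHINA_CONF, {"114.114.114.114"}))
```

Run it over the downloaded files (read them into `text`) before the dnsmasq restart; a non-empty result is the cue to inspect the file rather than load it.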
/etc/dnsmasq.conf
```
# ignore the upstream servers in /etc/resolv.conf and use the ones listed here
no-resolv
server=8.8.8.8
server=8.8.4.4
# per-domain upstreams from dnsmasq-china-list (only *.conf files in the directory are read)
conf-dir=/root/dnsmasq-china-list-master,*.conf
# every file in this directory is loaded as an additional hosts file (yhosts blocklist)
addn-hosts=/root/hosts
# WinHTTP Web Proxy Auto-Discovery Service: hand out an empty WPAD option (252)
# so Windows clients stop searching for a proxy configuration
dhcp-option=252,"\n"
```
China IP
Fetch a list of China IP ranges and save it as /root/cn.zone; it is used to route traffic to Chinese addresses directly instead of through the VPN.

```sh
# Note: the list is fetched over plain HTTP, so it could be altered in transit;
# a wrong entry here decides which destinations bypass the VPN.
cd /root && wget http://www.ipdeny.com/ipblocks/data/countries/cn.zone
```
/etc/rc.local
```sh
cd /root || exit 1

# Trusted hosts (the VPS endpoints) are allowed straight into INPUT by firewall.user.
# -exist keeps this from failing when firewall.user has already created the sets.
ipset -exist create trust hash:ip
ipset add trust {{VPS1_IP}}
ipset add trust {{VPS2_IP}}

# China IP ranges from /root/cn.zone; traffic to these is marked 0x1 by firewall.user.
ipset -exist create china hash:net
for i in $(cat ./cn.zone); do ipset -A china $i; done

# Policy routing: marked-as-China traffic uses the main table (direct via WAN),
# everything else walks tables 3, 4, 10, 11 in turn; the VPN default route lives in table 10.
ip rule add fwmark 0x1/0x1 lookup main prio 2
ip rule add fwmark 0x2/0x2 lookup 3 prio 1
ip rule add lookup 3 prio 3
ip rule add lookup 4 prio 4
ip rule add lookup 10 prio 10
ip rule add lookup 11 prio 11
# Local networks, loopback and the VPS endpoints themselves always use the main table.
ip rule add to 192.168.0.0/16 lookup main prio 1
ip rule add to 127.0.0.0/8 lookup main prio 1
ip rule add to 10.0.0.0/8 lookup main prio 1
ip rule add to {{VPS1_IP}} lookup main prio 1
ip rule add to {{VPS2_IP}} lookup main prio 1
sleep 1
# This script (re)starts the vpn and adds the default vpn route to table 10, e.g.:
# ip route add default via 192.168.100.1 table 10 prio 10
/root/startvpn.sh
sleep 2
nohup /root/check_network.sh > /dev/null 2>&1 &
exit 0
```
/etc/firewall.user
This is the location of OpenWrt's default user-defined firewall rules shell script. The "Network -> Firewall -> Custom Rules" page in the LuCI web interface edits the same file.

```sh
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Clamp TCP MSS to the path MTU so traffic through the tunnel does not stall on large packets.
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# NAT LAN traffic leaving through any tun interface.
iptables -t nat -A POSTROUTING -o tun+ -s 192.168.0.0/16 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun+ -s 10.0.0.0/8 -j MASQUERADE

# The set must exist before any rule references it; -exist tolerates the copy rc.local may have created.
ipset -exist create china hash:net
# Mark packets to China destinations so the prio-2 ip rule sends them through the main table.
iptables -t mangle -A PREROUTING -m set --match-set china dst -j MARK --set-mark 0x1/0x1
iptables -t mangle -A OUTPUT -m set --match-set china dst -j MARK --set-mark 0x1/0x1

# Accept anything coming from the trusted VPS addresses.
ipset -exist create trust hash:ip
iptables -I INPUT 1 -m set --match-set trust src -j ACCEPT
```
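The rc.local and firewall.user pieces above only make sense together: firewall.user marks packets to China destinations with 0x1, and the ip rules in rc.local turn that mark into a choice of routing table. The simulator below is an added example, not code from this page; it walks the page's own rule list for a destination and reports which rule and table would carry the packet. The China prefixes, the VPS addresses (standing in for {{VPS1_IP}} / {{VPS2_IP}}) and the routing-table contents are all constructed. It also shows the failure mode a practitioner should know about: when startvpn.sh has not (re)installed the default route in table 10, non-China traffic falls through past table 11 to the kernel's built-in main-table rule and leaves directly via the WAN, so the setup fails open rather than closed.

```python
import ipaddress

# Constructed excerpt standing in for /root/cn.zone (the real file has thousands of prefixes).
CN_ZONE = ["1.0.1.0/24", "1.0.2.0/23", "14.0.0.0/21", "36.0.0.0/10"]
CHINA_SET = [ipaddress.ip_network(p) for p in CN_ZONE]

# Placeholders for the {{VPS1_IP}} / {{VPS2_IP}} values in rc.local (documentation addresses).
VPS1_IP = "198.51.100.10"
VPS2_IP = "203.0.113.20"

# The ip rules from rc.local in the order they are added, plus the kernel's built-in
# "lookup main" rule at prio 32766 that rc.local leaves in place:
# (prio, destination selector or None, (fwmark, mask) or None, table)
RULES = [
    (2, None, (0x1, 0x1), "main"),
    (1, None, (0x2, 0x2), "3"),
    (3, None, None, "3"),
    (4, None, None, "4"),
    (10, None, None, "10"),
    (11, None, None, "11"),
    (1, "192.168.0.0/16", None, "main"),
    (1, "127.0.0.0/8", None, "main"),
    (1, "10.0.0.0/8", None, "main"),
    (1, VPS1_IP + "/32", None, "main"),
    (1, VPS2_IP + "/32", None, "main"),
    (32766, None, None, "main"),
]

# Constructed routing tables: main holds the LAN and the WAN default, table 10 the VPN
# default that startvpn.sh is expected to add; tables 3, 4 and 11 are empty.
TABLES_VPN_UP = {
    "main": [("192.168.1.0/24", "dev br-lan"), ("0.0.0.0/0", "via WAN gateway")],
    "3": [], "4": [], "11": [],
    "10": [("0.0.0.0/0", "via 192.168.100.1 dev tun0")],
}


def tables_vpn_down():
    """The same tables after the VPN has died and its default route in table 10 is gone."""
    tables = {name: list(routes) for name, routes in TABLES_VPN_UP.items()}
    tables["10"] = []
    return tables


def mark_for(dst):
    """Mirror of the firewall.user mangle rules: -m set --match-set china dst -j MARK --set-mark 0x1/0x1."""
    addr = ipaddress.ip_address(dst)
    return 0x1 if any(addr in net for net in CHINA_SET) else 0x0


def lookup(tables, table, dst):
    """Longest-prefix match within one table; None when the table has no route for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in tables.get(table, []):
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return None if best is None else best[1]


def route(dst, tables=TABLES_VPN_UP):
    """Walk the rules by priority (the stable sort keeps add order within one priority) and
    return (prio, table, nexthop) for the first matching rule whose table actually has a route."""
    addr = ipaddress.ip_address(dst)
    mark = mark_for(dst)
    for prio, to, fw, table in sorted(RULES, key=lambda r: r[0]):
        if to is not None and addr not in ipaddress.ip_network(to):
            continue
        if fw is not None and (mark & fw[1]) != fw[0]:
            continue
        nexthop = lookup(tables, table, dst)
        if nexthop is not None:
            return (prio, table, nexthop)
    return None


if __name__ == "__main__":
    for dst in ("192.168.1.7", "1.0.1.5", "8.8.8.8"):
        print(dst, "->", route(dst))
    print("8.8.8.8 with VPN down ->", route("8.8.8.8", tables_vpn_down()))
```

The last line of output is the one to keep in mind: with table 10 empty, 8.8.8.8 is routed by the built-in prio-32766 rule through the WAN gateway, which is exactly the window check_network.sh below is meant to shorten by restarting the VPN.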
/root/check_network.sh
```sh
#!/bin/sh
# Started in the background from /etc/rc.local: restarts the VPN when the
# tunnel looks dead but the WAN itself is still reachable.
while true
do
    LOGTIME=$(date "+%Y-%m-%d %H:%M:%S")
    # Reachable only through the VPN; success means the tunnel is working.
    if curl --connect-timeout 5 -s -I www.t66y.com/index.php > /dev/null; then
        echo "[$LOGTIME] No Problem."
        sleep 300
    else
        # Tunnel check failed: see whether the WAN is up at all.
        if curl --connect-timeout 3 -s -I www.baidu.com > /dev/null; then
            echo "[$LOGTIME] Problem detected."
            # do something such as restart vpn
            /root/startvpn.sh
            sleep 120
        else
            echo "[$LOGTIME] Network Problem. Do nothing."
            sleep 120
        fi
    fi
done
```
I originally wanted to use www.google.co.jp as the connectivity-check target, but I was afraid that hitting it so often would get the VPS IP blocked by Google, so I use 草榴 as the test site instead.