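#!/bin/bash
#
# Transparent-proxy helper: packets whose destination IP is in the ipset
# "${PROXY_SET}" are steered into a dedicated nat chain (V2RAY) and
# REDIRECTed to a local V2Ray inbound on ${V2RAY_PORT}.  Private/reserved
# destinations are exempted first.  Runs as root.
#
# Usage: $0 {enable|disable}
#   enable  - tear down any previous rules, then (re)create the ipset (if
#             missing), the V2RAY chain and its PREROUTING hook
#   disable - remove the PREROUTING hook and delete the V2RAY chain
#
# The ipset is only created here, never populated: something else must fill
# "${PROXY_SET}" with the addresses to be proxied.  "disable" leaves the
# ipset and its contents in place.
#
# Port and set name may be overridden from the environment; the defaults
# match the original hard-coded values.

set -u

V2RAY_PORT="${V2RAY_PORT:-12345}"
PROXY_SET="${PROXY_SET:-gfwlist}"
readonly V2RAY_PORT PROXY_SET

# Destinations that must never be sent to the proxy: "this" network,
# RFC1918, loopback, link-local, multicast and reserved space.  They get a
# RETURN in the V2RAY chain ahead of the REDIRECT rules.
readonly PRIVATE=(
  0.0.0.0/8
  10.0.0.0/8
  127.0.0.0/8
  169.254.0.0/16
  172.16.0.0/12
  192.168.0.0/16
  224.0.0.0/4
  240.0.0.0/4
)

#######################################
# Print an error to stderr and exit 1.
#######################################
die() {
  printf '[Error]: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print an informational message to stdout.
#######################################
info() {
  printf '[Info]: %s\n' "$*"
}

#######################################
# Verify the prerequisites: root, iptables and ipset binaries.
# Exits 1 when any is missing.  Reports the iptables version but no longer
# insists on an exact "v1.8" (the old one-digit regex also mis-parsed
# 1.10+ as "v1.1" and then refused to run).
#######################################
check_iptables() {
  local iptables_version

  (( EUID == 0 )) || die "Must run as root (iptables/ipset require CAP_NET_ADMIN)"
  command -v iptables >/dev/null 2>&1 || die "Cant run this script without iptables"
  command -v ipset >/dev/null 2>&1 || die "Cant run this script without ipset"

  iptables_version=$(iptables -V 2>/dev/null | grep -o 'v[0-9]\+\.[0-9]\+' | head -n 1)
  info "Current iptables version: ${iptables_version:-unknown}"
}

#######################################
# Returns 0 if the V2RAY chain exists in the nat table, 1 otherwise.
# Replaces the previous eval-over-iptables-save probe.
#######################################
v2ray_chain_exists() {
  iptables -t nat -nL V2RAY >/dev/null 2>&1
}

#######################################
# Create the ipset (if absent), the V2RAY nat chain and its PREROUTING hook.
# Globals: PROXY_SET, V2RAY_PORT, PRIVATE (read)
# Expects the chain not to exist yet (enable_proxy flushes first).
#######################################
create_proxy_iptables() {
  local subnet

  if ! ipset list "${PROXY_SET}" >/dev/null 2>&1; then
    info "Create ipset ${PROXY_SET}"
    ipset create "${PROXY_SET}" hash:ip || die "ipset create ${PROXY_SET} failed"
  fi

  info "Create proxy iptables rules"
  iptables -t nat -N V2RAY || die "could not create nat chain V2RAY (already present?)"

  # Private/reserved destinations leave the chain without being redirected.
  for subnet in "${PRIVATE[@]}"; do
    iptables -t nat -A V2RAY -d "${subnet}" -j RETURN
  done

  # Everything else reaching this chain goes to the local proxy port.
  # NOTE(review): nat REDIRECT of UDP delivers the datagram to the port, but
  # recovering the original destination for UDP is normally a TPROXY job —
  # confirm the V2Ray inbound really handles UDP arriving this way.
  iptables -t nat -A V2RAY -p tcp -j REDIRECT --to-ports "${V2RAY_PORT}"
  iptables -t nat -A V2RAY -p udp -j REDIRECT --to-ports "${V2RAY_PORT}"

  # Only packets whose destination is in the ipset enter V2RAY.  Hooked in
  # PREROUTING so traffic forwarded from the LAN is covered; packets
  # generated on this host itself do not traverse PREROUTING and are not
  # proxied by these rules.
  iptables -t nat -A PREROUTING -m set --match-set "${PROXY_SET}" dst -j V2RAY
}

#######################################
# Remove the PREROUTING hook and delete the V2RAY chain, if present.
# Globals: PROXY_SET (read)
#######################################
flush_nat_iptables() {
  info "Clean nat proxy iptables rules."
  v2ray_chain_exists || return 0

  # Delete every copy of the hook: an interrupted earlier run (or a manual
  # duplicate) can leave more than one, and -X refuses while any reference
  # to the chain remains.
  while iptables -t nat -D PREROUTING -m set --match-set "${PROXY_SET}" dst -j V2RAY 2>/dev/null; do
    :
  done
  iptables -t nat -F V2RAY
  iptables -t nat -X V2RAY
}

#######################################
# Public entry points kept for compatibility with the original script.
#######################################
disable_proxy() {
  flush_nat_iptables
}

enable_proxy() {
  create_proxy_iptables
}

#######################################
# CLI dispatcher.
# Arguments: $1 - "enable" or "disable"
#######################################
main() {
  check_iptables
  case "${1:-}" in
    enable)
      # Always start from a clean state so rules are never duplicated.
      disable_proxy
      enable_proxy
      ;;
    disable)
      disable_proxy
      ;;
    *)
      echo "$0: usage: $0 {enable|disable}"
      ;;
  esac
}

main "$@"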