# iptables
# Policy routing for TPROXY: packets carrying fwmark 1 are looked up in
# table 100, whose single route delivers every IPv4 destination locally via
# lo, so the proxy listener can accept packets addressed to foreign hosts.
ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100

# Dedicated mangle chain that holds the interception rules.
iptables -t mangle -N clash

# Destinations that must never be proxied: "this network", RFC 1918 ranges,
# loopback, link-local, multicast and the reserved 240/4 block. Order is
# unchanged; each one returns to the calling chain before TPROXY is reached.
for bypass_net in \
    0.0.0.0/8 \
    10.0.0.0/8 \
    127.0.0.0/8 \
    169.254.0.0/16 \
    172.16.0.0/12 \
    192.168.0.0/16 \
    224.0.0.0/4 \
    240.0.0.0/4
do
    iptables -t mangle -A clash -d "$bypass_net" -j RETURN
done

# Everything else is handed to the listener on port 7893 (tproxy-port in
# config.yaml) and marked 1 so the policy route above applies. UDP first,
# then TCP, as in the original listing.
for l4_proto in udp tcp; do
    iptables -t mangle -A clash -p "$l4_proto" -j TPROXY --on-port 7893 --tproxy-mark 1
done

# NOTE(review): this jump has no -i match, so packets arriving on every
# interface are evaluated by the chain. On a host that also has an interface
# facing an untrusted network, consider limiting the jump to the LAN side
# (-i <LAN_IFACE>, placeholder) so outside hosts cannot relay through the
# proxy -- confirm against your topology.
# NOTE(review): only IPv4 is covered; no ip6tables rules are shown, so IPv6
# traffic from clients would not pass through the proxy.
iptables -t mangle -A PREROUTING -j clash
# sysctl.conf
# Turn on IPv4 forwarding in the kernel (the value 1 enables it), so this
# host will route packets it receives for other destinations.
# NOTE(review): once forwarding is on, the FORWARD chain decides what is
# routed between interfaces; no FORWARD rules are shown on this page, so
# check that its policy matches the interfaces you intend to serve.
net.ipv4.ip_forward = 1
# config.yaml
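# Clash configuration for a transparent (TPROXY) gateway.

# Port the TPROXY iptables rules deliver intercepted traffic to.
tproxy-port: 7893
# Accept connections from other hosts, which a gateway needs. It also means
# every host that can reach this machine can use the proxy listeners, so
# keep them unreachable from untrusted networks.
allow-lan: true
# RESTful control API. It was bound to 0.0.0.0:9090 with an empty secret,
# which lets any host that can reach the port read and change the running
# configuration without authentication. It is bound to loopback here; to
# expose it to the LAN, set a long random secret first.
external-controller: '127.0.0.1:9090'
secret: ""
mode: rule

dns:
  enable: true
  # The resolver listens on every interface. LAN clients need that, but the
  # port should be firewalled from any untrusted interface.
  listen: '0.0.0.0:5053'
  # Used to resolve hostnames of other DNS upstreams; entries must be IPs.
  default-nameserver:
    - 8.8.8.8
  enhanced-mode: redir-host
  fake-ip-range: 198.18.0.1/16
  # NOTE(review): both upstream lists below are plain UDP resolvers, so the
  # queries can be observed or altered in transit. Clash also accepts
  # tls:// and https:// upstream entries if encrypted DNS is wanted.
  nameserver:
    - 114.114.114.114
  fallback:
    - 8.8.8.8
  # Answers from `nameserver` that resolve outside geoip-code, and the
  # domains listed here, are resolved through `fallback` instead.
  fallback-filter:
    geoip: true
    geoip-code: CN
    domain:
      # NOTE(review): possibly a typo for telegra.ph -- confirm.
      - 'telera.ph'
      - '+.dmhy.org'
      - '+.google.com'
      - '+.facebook.com'
      - '+.youtube.com'
      - '+.redditmedia.com'

proxy-groups:
  - name: Proxy
    type: select
    proxies:
      - node

proxies:
  - name: node
    type: vmess
    server: # <fill in: proxy server address>
    port: 443
    # Treat the uuid as a credential and keep the real value out of
    # published or version-controlled copies of this file.
    uuid: # <fill in: account uuid>
    # NOTE(review): non-zero alterId selects the legacy VMess
    # authentication that V2Ray has deprecated in favour of alterId 0
    # (VMessAEAD) -- confirm what the server expects.
    alterId: # <fill in>
    # `none` disables encryption at the VMess layer, so confidentiality
    # rests entirely on the TLS layer enabled below. Keep tls: true and
    # leave certificate verification on.
    cipher: none
    udp: true
    tls: true
    servername: # <fill in: TLS server name>
    network: ws
    ws-path: # <fill in: WebSocket path>
    ws-headers:
      Host: # <fill in: Host header>

rules:
  # Destinations that GeoIP places in CN go direct; the rest use Proxy.
  - GEOIP,CN,DIRECT
  - MATCH,Proxy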