[v1.0.14] Add USB guest proxy support, fix guest's dns request proxy.

v2ray/etc/config.json

@@ -1,155 +0,0 @@
-// Config file of V2Ray. This file follows standard JSON format, with comments support.
-// Uncomment entries below to satisfy your needs. Also read our manual for more detail at
-// https://www.v2ray.com/
-{
-  "log": {
-    // By default, V2Ray writes access log to stdout.
-    // "access": "/path/to/access/log/file",
-    "access": "none",
-
-    // By default, V2Ray write error log to stdout.
-    // "error": "/path/to/error/log/file",
-    "error": "/data/v2ray/run/error.log",
-
-    // Log level, one of "debug", "info", "warning", "error", "none"
-    "loglevel": "warning"
-  },
-  // List of inbound proxy configurations.
-  "inbounds": [{
-    // Port to listen on. You may need root access if the value is less than 1024.
-    "port": 65535,
-
-    // IP address to listen on. Change to "0.0.0.0" to listen on all network interfaces.
-    "listen": "0.0.0.0",
-
-    // Tag of the inbound proxy. May be used for routing.
-    "tag": "proxy-inbound",
-
-    // Protocol name of inbound proxy.
-    "protocol": "dokodemo-door",
-
-    // Settings of the protocol. Varies based on protocol.
-    "settings": {
-      // Disable timeout setting for keeping persistent connection. Such as FCM.   
-      //  "timeout": 10,
-      "network": "tcp,udp",
-      "followRedirect": true
-    },
-
-    // If you wanna bypass BT streams, you should enable it.
-    "sniffing": {
-      "enabled": false
-    //  ,
-    //  "destOverride": ["http", "tls"]
-    }
-  }],
-  // List of outbound proxy configurations.
-  "outbounds": [{
-    // Replace your proxy protocol in this section, like: vmess or shadowsocks
-    "protocol": "freedom",
-
-    // Settings of the protocol. Varies based on protocol.
-    "settings": {},
-
-    // Tag of the outbound. May be used for routing.
-    "tag": "proxy"
-  },{
-    // Protocol name of the outbound proxy.
-    "protocol": "freedom",
-
-    // Settings of the protocol. Varies based on protocol.
-    "settings": {},
-
-    // Tag of the outbound. May be used for routing.
-    "tag": "direct"
-  },{
-    "protocol": "blackhole",
-    "settings": {},
-    "tag": "blocked"
-  }],
-
-  // Transport is for global transport settings. If you have multiple transports with same settings
-  // (say mKCP), you may put it here, instead of in each individual inbound/outbounds.
-  //"transport": {},
-
-  // Routing controls how traffic from inbounds are sent to outbounds.
-  "routing": {
-    "domainStrategy": "AsIs",
-    "rules":[
-      {
-        // Bypass private IPs.
-        "type": "field",
-        "ip": ["geoip:private"],
-        "outboundTag": "direct"
-      },
-      {
-        // Bypass all china IPs.
-        "type": "field",
-        "ip": ["geoip:cn"],
-        "outboundTag": "direct"
-      }
-      //,
-      //{
-        // Bypass all china sites.
-      //  "type": "field",
-      //  "domain": ["geosite:cn"],
-      //  "outboundTag": "direct"
-      //},
-      //{
-        // To bypass all BT streams, you should enable sniffing.
-      //  "type": "field",
-      //  "protocol":["bittorrent"], 
-      //  "outboundTag": "direct"
-      //},
-      //{
-        // If your network condition not very well, you could bypass dnscrypt-proxy's upstream DNS.
-      //  "type": "field",
-      //  "domain": [
-      //    "cloudflare-dns.com",
-      //    "doh.opendns.com",
-      //    "dns.google"
-      //  ],
-      //  "outboundTag": "direct"
-      //},
-      //{
-        // Blocks major ads.
-      //  "type": "field",
-      //  "domain": ["geosite:category-ads"],
-      //  "outboundTag": "blocked"
-      //}
-    ]
-  },
-
-  // Policy controls some internal behavior of how V2Ray handles connections.
-  // It may be on connection level by user levels in 'levels', or global settings in 'system.'
-  "policy": {
-    // Connection policys by user levels
-    "levels": {
-      "0": {
-        "uplinkOnly": 0,
-        "downlinkOnly": 0
-      }
-    },
-    "system": {
-      "statsInboundUplink": false,
-      "statsInboundDownlink": false
-    }
-  },
-
-  // Stats enables internal stats counter.
-  // This setting can be used together with Policy and Api. 
-  //"stats":{},
-
-  // Api enables gRPC APIs for external programs to communicate with V2Ray instance.
-  //"api": {
-    //"tag": "api",
-    //"services": [
-    //  "HandlerService",
-    //  "LoggerService",
-    //  "StatsService"
-    //]
-  //},
-
-  // You may add other entries to the configuration, but they will not be recognized by V2Ray.
-  "other": {}
-}

v2ray/etc/config.json.template

@@ -45,7 +45,7 @@
   }],
   // List of outbound proxy configurations.
   "outbounds": [{
-    // Replace your proxy protocol in this section, like: vmess or shadowsocks
+    // Replace your proxy protocol in this section, like: VMESS, VLESS or Shadowsocks
     "protocol": "freedom",
 
     // Settings of the protocol. Varies based on protocol.

v2ray/etc/dnscrypt-proxy/dnscrypt-proxy.toml

@@ -3,7 +3,7 @@
 ##################################
 listen_addresses = ['127.0.0.1:65534']
 max_clients = 250
-# user_name = 'nobody'
+# user_name = 'net_raw'
 ipv4_servers = true
 ipv6_servers = false
 dnscrypt_servers = false

v2ray/etc/dnscrypt-proxy/example-dnscrypt-proxy.toml

@@ -117,6 +117,14 @@ timeout = 5000
 keepalive = 30
 
 
+## Add EDNS-client-subnet information to outgoing queries
+##
+## Multiple networks can be listed; they will be randomly chosen.
+## These networks don't have to match your actual networks.
+
+# edns_client_subnet = ["0.0.0.0/0", "2001:db8::/32"]
+
+
 ## Response for blocked queries.  Options are `refused`, `hinfo` (default) or
 ## an IP response.  To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`.
 ## Using the `hinfo` option means that some responses will be lies.
@@ -253,7 +261,7 @@ netprobe_address = '9.9.9.9:53'
 ## encrypted-dns-server can be configured to use this for access control
 ## in the [access_control] section
 
-# query_meta = ["key1:value1", "key2:value2", "token:MySecretToken"]
+# query_meta = ['key1:value1', 'key2:value2', 'token:MySecretToken']
 
 
 ## Automatic log files rotation
@@ -386,14 +394,14 @@ cache_neg_max_ttl = 600
 ## For each `listen_address` the complete URL to access the server will be:
 ## `https://<listen_address><path>` (ex: `https://127.0.0.1/dns-query`)
 
-# path = "/dns-query"
+# path = '/dns-query'
 
 
 ## Certificate file and key - Note that the certificate has to be trusted.
 ## See the documentation (wiki) for more information.
 
-# cert_file = "localhost.pem"
-# cert_key_file = "localhost.pem"
+# cert_file = 'localhost.pem'
+# cert_key_file = 'localhost.pem'
 
 
 
@@ -641,7 +649,7 @@ cache_neg_max_ttl = 600
 # The list below enables workarounds to make non-relayed usage more reliable
 # until the servers are fixed.
 
-fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-pri', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
+fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
 
 
 
@@ -734,13 +742,13 @@ skip_incompatible = false
 [dns64]
 
 ## (Option 1) Static prefix(es) as Pref64::/n CIDRs.
-# prefix = ["64:ff9b::/96"]
+# prefix = ['64:ff9b::/96']
 
 ## (Option 2) DNS64-enabled resolver(s) to discover Pref64::/n CIDRs.
 ## These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only.
 ## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96).
 ## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only.
-# resolver = ["[2606:4700:4700::64]:53", "[2001:4860:4860::64]:53"]
+# resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53']
 
 
 

v2ray/etc/dnscrypt-proxy/update-rules.sh

@@ -1,18 +1,20 @@
-wget -N https://github.com/felixonmars/dnsmasq-china-list/raw/master/accelerated-domains.china.conf
+rm accelerated-domains.china.conf bogus-nxdomain.china.conf toblock-without-shorturl-optimized.lst dnscrypt-proxy-cloaking.txt example-dnscrypt-proxy.toml
+
+wget https://github.com/felixonmars/dnsmasq-china-list/raw/master/accelerated-domains.china.conf
 echo '# Converted from https://github.com/felixonmars/dnsmasq-china-list/blob/master/accelerated-domains.china.conf' >dnscrypt-forwarding-rules.txt
 echo '# https://github.com/felixonmars/dnsmasq-china-list' >>dnscrypt-forwarding-rules.txt
 echo '# Thanks to all contributors.' >>dnscrypt-forwarding-rules.txt
 echo '' >>dnscrypt-forwarding-rules.txt
 cat accelerated-domains.china.conf | grep -v '^#server' | sed -e 's|/| |g' -e 's|^server= ||' | sed 's/114.114.114.114/114.114.114.114,114.114.115.115/g' >>dnscrypt-forwarding-rules.txt
 
-wget -N https://github.com/felixonmars/dnsmasq-china-list/raw/master/bogus-nxdomain.china.conf
+wget https://github.com/felixonmars/dnsmasq-china-list/raw/master/bogus-nxdomain.china.conf
 echo '# Converted from https://github.com/felixonmars/dnsmasq-china-list/blob/master/bogus-nxdomain.china.conf' >dnscrypt-blacklist-ips.txt
 echo '# https://github.com/felixonmars/dnsmasq-china-list' >>dnscrypt-blacklist-ips.txt
 echo '# Thanks to all contributors.' >>dnscrypt-blacklist-ips.txt
 echo '' >>dnscrypt-blacklist-ips.txt
 cat bogus-nxdomain.china.conf | grep -v '^#bogus' | grep bogus-nxdomain | sed 's/bogus-nxdomain=//g' >>dnscrypt-blacklist-ips.txt
 
-#wget -N https://github.com/missdeer/blocklist/raw/master/toblock-without-shorturl-optimized.lst
+#wget https://github.com/missdeer/blocklist/raw/master/toblock-without-shorturl-optimized.lst
 #echo '# Converted from https://github.com/missdeer/blocklist/blob/master/toblock-without-shorturl-optimized.lst' >dnscrypt-blacklist-domains.txt
 #echo '# https://github.com/missdeer/blocklist' >>dnscrypt-blacklist-domains.txt
 #echo '# Thanks to all contributors.' >>dnscrypt-blacklist-domains.txt
@@ -23,7 +25,7 @@ cat bogus-nxdomain.china.conf | grep -v '^#bogus' | grep bogus-nxdomain | sed 's
 #echo 'ads[0-9]*' >>dnscrypt-blacklist-domains.txt
 #cat toblock-without-shorturl-optimized.lst | grep -v '^#' | tr -s '\n' | tr A-Z a-z | grep -v '^ad\.' | grep -v -e '^ad[0-9]' | grep -v '^ads\.' | grep -v -e '^ads[0-9]' | rev | sort -n | uniq | rev >>dnscrypt-blacklist-domains.txt
 
-#wget -N https://github.com/googlehosts/hosts/raw/master/hosts-files/dnscrypt-proxy-cloaking.txt
+#wget https://github.com/googlehosts/hosts/raw/master/hosts-files/dnscrypt-proxy-cloaking.txt
 #echo '# Converted from https://github.com/googlehosts/hosts/blob/master/hosts-files/dnscrypt-proxy-cloaking.txt' >dnscrypt-cloaking-rules.txt
 #echo '# https://github.com/googlehosts/hosts' >>dnscrypt-cloaking-rules.txt
 #echo '# Thanks to all contributors.' >>dnscrypt-cloaking-rules.txt
@@ -32,4 +34,4 @@ cat bogus-nxdomain.china.conf | grep -v '^#bogus' | grep bogus-nxdomain | sed 's
 
 rm accelerated-domains.china.conf bogus-nxdomain.china.conf toblock-without-shorturl-optimized.lst dnscrypt-proxy-cloaking.txt
 
-wget -N https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
+wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-proxy/example-dnscrypt-proxy.toml

v2ray/scripts/dnscrypt-proxy.service

@@ -1,5 +1,6 @@
 #!/system/bin/sh
 
+dnsmasq_uid="1052"
 bin_name="dnscrypt-proxy"
 bin_file="/system/bin/${bin_name}"
 run_path="/data/v2ray/run"
@@ -7,14 +8,11 @@ pid_file="${run_path}/dnscrypt-proxy.pid"
 conf_path="/data/v2ray/dnscrypt-proxy"
 conf_file="${conf_path}/dnscrypt-proxy.toml"
 bin_opts="-config ${conf_file}"
-appid_file="/data/v2ray/appid.list"
-appid_list=()
-softap_file="/data/v2ray/softap.list"
-softap_list=()
 iptables_wait="iptables"
 v2ray_share=false
-proxy_for_app=false
-inet_uid="3003"
+softap_file="/data/v2ray/softap.list"
+appid_list=()
+proxy_for_guest=false
 host_ip="127.0.0.1"
 dns_port="65534"
 proxy_port="65535"
@@ -39,15 +37,6 @@ find_netstat_path() {
   return 1
 }
 
-iptables_chain_exist() {
-	local chain_list="$1"
-	local target_chain="$2"
-	if `echo "${chain_list}" | grep -q ":${target_chain} "` ; then 
-		return 0
-	fi
-	return 1
-}
-
 probe_dnscrypt-proxy_alive() {
   [ -f ${pid_file} ] && cmd_file="/proc/`cat ${pid_file}`/cmdline" || return 1
   [ -f ${cmd_file} ] && grep -q "dnscrypt-proxy" ${cmd_file} && return 0 || return 1
@@ -64,102 +53,26 @@ probe_v2ray_listen() {
   fi
 }
 
-probe_v2ray_target() {
+check_proxy_guest() {
   ## add eof to appid and softap file
-  echo "" >> "${appid_file}"
-  ## trim empty line in appid and softap file
-  sed -i '/^$/d' "${appid_file}"
-  ## probe proxy app
-  if [ -f ${appid_file} ] ; then
-    ## check appid_file is white-list or black-list
-    if head -1 "${appid_file}" | grep -q 'bypass' ; then
-      app_proxy_mode="skip"
-    else
-      app_proxy_mode="pick"
-    fi
-    ## filter appid number
-    while read appid_line ; do
-      appid_text=(`echo ${appid_line}`)
-      for appid_word in ${appid_text[*]} ; do
-        if echo "${appid_word}" | grep -q '#' ; then
-          break
-        elif [ "${appid_word}" -ge 0 ] 2>/dev/null ; then
-          appid_list=(${appid_list[*]} ${appid_word})
-        fi
-      done
-    done < ${appid_file}
-  fi
+  echo "" >> "${softap_file}"
+  ## trim empty line in softap file
+  sed -i '/^$/d' "${softap_file}"
   ## probe proxy wifi interface
   ${v2ray_share} && [ -f ${softap_file} ] && softap_list=(`cat ${softap_file}`) || unset softap_list
-  ## check proxy app or not
-  if ( [ "${app_proxy_mode}" = "skip" ] || ( [ "${app_proxy_mode}" = "pick" ] && [ ${#appid_list[@]} -gt 0 ] ) ) ; then
-    proxy_for_app=true
-  fi
-  ## check enable proxy iptables or not
-  if ! ( ${proxy_for_app} ) ; then
-    echo "[Error]: DNS is not proxy for APP."
-    exit 1
-  fi
-}
-
-probe_uid_app_name() {
-  app_handle="$2"
-  if [ "$1" == "0" ] ; then
-  	app_name="root"
-  else
-  	app_name=`grep " $1 " /data/system/packages.list | cut -d ' ' -f 1`
-  	app_name=`echo ${app_name} | sed 's/ / \& /g'`
-  fi
-  if [ "${app_name}" != "" ] ; then
-    echo "[Info]: ${app_handle} ${app_name} APP's DNS request."
-  else
-    echo "[Warning]: APP with uid=$1 is not found."
-    return 1
-  fi
-}
-
-proxy_app_dns_iptables() {
-  ## create iptables proxy chains for app tcp
-  ${iptables_wait} -t nat -N APP_DNS_PROXY
-  ## bypass v2ray program
-  ${iptables_wait} -t nat -A APP_DNS_PROXY -m owner --uid-owner ${inet_uid} -j RETURN
-  ## white-list mode
-  if [ "${app_proxy_mode}" = "pick" ] ; then
-    ## proxy all apps network
-    if [ "${appid_list[*]}" = "0" ] ; then
-      echo "[Info]: Proxy all APP's DNS request."
-      ${iptables_wait} -t nat -A APP_DNS_PROXY -m owner ! --uid-owner ${inet_uid} -j V2RAY_APP_DNS
-    ## proxy assign app
-    else
-      for appid in ${appid_list[@]}; do
-        probe_uid_app_name ${appid} "Proxy" && \
-        ${iptables_wait} -t nat -A APP_DNS_PROXY -m owner --uid-owner ${appid} -j V2RAY_APP_DNS
-      done
-    fi
-  ## black-list mode
-  elif [ "${app_proxy_mode}" = "skip" ] ; then
-    for appid in ${appid_list[@]}; do
-      probe_uid_app_name ${appid} "Ignore" && \
-      ${iptables_wait} -t nat -A APP_DNS_PROXY -m owner --uid-owner ${appid} -j RETURN
-    done
-    echo "[Info]: Proxy all remaining APP's DNS request."
-    ${iptables_wait} -t nat -A APP_DNS_PROXY -m owner ! --uid-owner ${inet_uid} -j V2RAY_APP_DNS
-  fi
-  ## apply proxy rules to iptables
-  ${iptables_wait} -t nat -A APP_DNS_PROXY -m owner --uid-owner 0 -j V2RAY_APP_DNS
-  ${iptables_wait} -t nat -A OUTPUT -p udp --dport 53 -j APP_DNS_PROXY
+  ## check proxy wifi guest or not
+  [ ${#softap_list[@]} -gt 0 ] && proxy_for_guest=true
 }
 
 create_proxy_iptables() {
-	echo "[Info]: Create DNS proxy chains."
-  ## create iptables proxy chains for dns
-	${iptables_wait} -t nat -N V2RAY_APP_DNS
-  ## build basic iptables proxy chains
-  ${iptables_wait} -t nat -A V2RAY_APP_DNS -p udp -j DNAT --to-destination ${host_ip}:${dns_port}
-  if ! iptables_chain_exist "${iptables_chains}" "APP_DNS_PROXY" && ${proxy_for_app} ; then
-	  ## proxy app network
-	  proxy_app_dns_iptables
-	fi
+  echo "[Info]: Proxy local system's DNS request."
+  ${iptables_wait} -t nat -A OUTPUT -p udp -m owner --uid-owner 0 --dport 53 -j DNAT --to-destination ${host_ip}:${dns_port}
+  ## proxy wifi guest DNS
+  check_proxy_guest && \
+  if ${proxy_for_guest} ; then
+    echo "[Info]: Proxy dnsmasq's DNS request."
+    ${iptables_wait} -t nat -A OUTPUT -p udp -m owner --uid-owner ${dnsmasq_uid} --dport 53 -j DNAT --to-destination ${host_ip}:${dns_port}
+  fi
 }
 
 display_dnscrypt-proxy_pid() {
@@ -172,23 +85,10 @@ display_dnscrypt-proxy_pid() {
   fi
 }
 
-flush_endpoint_iptables() {
-  ${iptables_wait} -t nat -F V2RAY_APP_DNS 2>/dev/null
-}
-
-flush_nat_iptables() {
-  echo "[Info]: Clean nat proxy iptables rules."
-  local iptables_chains=`iptables-save -t nat | cut -d ' ' -f 1 | tr "\n" " " | grep -o ":[0-9A-Z_]* "`
-  ${iptables_wait} -t nat -D OUTPUT -p udp --dport 53 -j APP_DNS_PROXY 2>/dev/null
-  if iptables_chain_exist "${iptables_chains}" "APP_DNS_PROXY" ; then
-    ${iptables_wait} -t nat -F APP_DNS_PROXY
-    ${iptables_wait} -t nat -X APP_DNS_PROXY
-  fi
-  if iptables_chain_exist "${iptables_chains}" "V2RAY_APP_DNS" ; then
-    ${iptables_wait} -t nat -F V2RAY_APP_DNS
-    ${iptables_wait} -t nat -X V2RAY_APP_DNS
-  fi
-  unset iptables_chains
+flush_dns_iptables() {
+  echo "[Info]: Clean DNS proxy iptables rules."
+  ${iptables_wait} -t nat -D OUTPUT -p udp -m owner --uid-owner 0 --dport 53 -j DNAT --to-destination ${host_ip}:${dns_port} 2>/dev/null
+  ${iptables_wait} -t nat -D OUTPUT -p udp -m owner --uid-owner ${dnsmasq_uid} --dport 53 -j DNAT --to-destination ${host_ip}:${dns_port} 2>/dev/null
 }
 
 start_dnscrypt-proxy() {
@@ -198,6 +98,10 @@ start_dnscrypt-proxy() {
   elif probe_v2ray_listen ; then
     echo "[Info]: Starting ${bin_name} service."
     mkdir -p ${run_path}
+    echo -n "" > ${conf_path}/dnscrypt-nxdomain.log
+    echo -n "" > ${conf_path}/dnscrypt-query.log
+    chown -R net_raw:net_raw ${conf_path}
+    chown net_raw:net_raw ${bin_file}
     chmod 6755 ${bin_file}
     nohup ${bin_file} ${bin_opts} &
     sleep 1
@@ -231,15 +135,10 @@ suit_iptables_version
 
 case "$1" in
   enable)
-    if start_dnscrypt-proxy ; then
-      flush_endpoint_iptables
-      probe_v2ray_target
-      sleep 2
-      create_proxy_iptables
-    fi
+    start_dnscrypt-proxy && create_proxy_iptables
     ;;
   disable)
-    flush_nat_iptables
+    flush_dns_iptables
     stop_dnscrypt-proxy
     ;;
   status)

v2ray/scripts/v2ray.inotify

@@ -17,6 +17,13 @@ start_v2ray() {
   if [ -f /data/v2ray/appid.list ] || [ -f /data/v2ray/softap.list ] ; then
     ${tproxy} enable
     [ -f "${dnscrypt_conf}" ] && ${dns_proxy_service} enable
+    settings put global airplane_mode_on 1
+    sleep 1
+    am broadcast -a android.intent.action.AIRPLANE_MODE
+    sleep 1
+    settings put global airplane_mode_on 0
+    sleep 1
+    am broadcast -a android.intent.action.AIRPLANE_MODE
   fi
 }
 

v2ray/scripts/v2ray.tproxy

@@ -2,6 +2,7 @@
 
 route_id="1130"
 inet_uid="3003"
+net_raw_uid="3004"
 route_name="v2ray"
 proxy_port="65535"
 proxy_mark="0x20151130"
@@ -15,7 +16,7 @@ softap_list=()
 v2ray_share=false
 proxy_for_app=false
 proxy_for_guest=false
-intranet=(0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4)
+intranet=(0.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 224.0.0.0/4 240.0.0.0/4)
 
 suit_iptables_version() {
   iptables_version=`iptables -V | grep -o "v1\.[0-9]"`
@@ -163,6 +164,7 @@ proxy_app_tcp_iptables() {
         probe_uid_app_name ${appid} "Proxy" && \
         ${iptables_wait} -t nat -A APP_TCP_PROXY -m owner --uid-owner ${appid} -j V2RAY
       done
+      ${iptables_wait} -t nat -A APP_TCP_PROXY -m owner --uid-owner ${net_raw_uid} -j V2RAY
     fi
   ## black-list mode
   elif [ "${app_proxy_mode}" = "skip" ] ; then
@@ -174,7 +176,6 @@ proxy_app_tcp_iptables() {
     ${iptables_wait} -t nat -A APP_TCP_PROXY -m owner ! --uid-owner ${inet_uid} -j V2RAY
   fi
   ## apply proxy rules to iptables
-  ${iptables_wait} -t nat -A APP_TCP_PROXY -m owner --uid-owner 0 -j V2RAY
   ${iptables_wait} -t nat -A OUTPUT -p tcp -j APP_TCP_PROXY
 }
 
@@ -183,8 +184,8 @@ proxy_guest_tcp_iptables() {
   ${iptables_wait} -t nat -N GUEST_TCP_PROXY
   ## proxy assign softap
   for softap in ${softap_list[@]}; do
-    echo "[Info]: Proxy ${softap} WiFi guest's TCP network."
-    ${iptables_wait} -t nat -A GUEST_TCP_PROXY -i ${softap} -j V2RAY
+    echo "[Info]: Proxy ${softap} guest's TCP network."
+    ${iptables_wait} -t nat -A GUEST_TCP_PROXY -s ${softap} -j V2RAY
   done
   ${iptables_wait} -t nat -A PREROUTING -p tcp -j GUEST_TCP_PROXY
 }
@@ -218,7 +219,7 @@ filter_proxy_iptables() {
     ${iptables_wait} -t filter -A PROTECT_V2RAY -i lo -j RETURN
     ## permit assign softap
     for softap in ${softap_list[@]}; do
-      ${iptables_wait} -t filter -A PROTECT_V2RAY -i ${softap} -j RETURN
+      ${iptables_wait} -t filter -A PROTECT_V2RAY -s ${softap} -j RETURN
     done
     ## deny all other visit
     ${iptables_wait} -t filter -A PROTECT_V2RAY -p tcp --dport ${proxy_port} -j DROP