
Comments (20)

zfl9 commented on July 19, 2024

So do you need to proxy UDP on your side?

If you need to proxy UDP (global UDP proxying), you need the tproxy module. If you only proxy TCP, you can do without it.


Side note: ss-tproxy can proxy TCP only, which does not require the tproxy module.


If you want to use chinadns-ng together with a global TCP proxy to do split routing, the upstream has to be reached over TCP; you can use dns2tcp, or dnsproxy (DoH/DoT).

  1. Edit /etc/resolv.conf and set nameserver to 127.0.0.1, pointing at chinadns-ng
  2. chinadns-ng listens on 127.0.0.1:53
    • Domestic upstream: anything, say 223.5.5.5; since it goes over UDP it connects directly, so no special handling is needed
    • Foreign upstream: needs dns2tcp or dnsproxy; assume dns2tcp, with its upstream set to 8.8.8.8. Since all TCP goes through the proxy, access to 8.8.8.8:53/tcp goes through the proxy as well
  3. Then create the ipset (the chnroute database) to decide whether an IP is domestic or foreign. Just import the ipset file from the project's root directory

At that point chinadns-ng's domestic/foreign split is complete: -g gfwlist.txt -m chnlist.txt, plus the two ipset collections chnroute and chnroute6 (used to classify tag:none domains).

But in that case only DNS split routing is done. To make it actually usable you also need to split TCP, i.e. let domestic IPs through in iptables, which can be done with -m set --match-set chnroute dst -j RETURN.


One last word on IPv6: I saw you mention that IPv6 cannot be proxied. That is expected, because IPv6 uses ip6tables; iptables only handles IPv4.

from chinadns-ng.

cattyhouse commented on July 19, 2024

klzgrad/naiveproxy#425


sunlewuyou commented on July 19, 2024

The reason I did not simply use ss-tproxy is, first, that I wanted to work through the principles step by step myself; second, when deploying the script in a WSL2 subsystem I found that its kernel has no tproxy module.


sunlewuyou commented on July 19, 2024

@zfl9 Thanks for the detailed answer. I went back and read the ss-tproxy docs carefully again. If I only use ipt2socks, and there is no tproxy under WSL, how should the iptables configuration be changed? I asked GPT first; this is the answer it gave:

# Custom chain: bypass (-j RETURN) rules first, the redirect last
iptables -t nat -N SSREDIR
iptables -t nat -A SSREDIR -p tcp -m addrtype --dst-type LOCAL -j RETURN -m comment --comment "Don't redirect local traffic"
iptables -t nat -A SSREDIR -p udp -m addrtype --dst-type LOCAL -j RETURN -m comment --comment "Don't redirect local traffic"
iptables -t nat -A SSREDIR -p tcp -d MyIP --dport MyPort -j RETURN -m comment --comment "Don't redirect traffic sent to ss-server"
iptables -t nat -A SSREDIR -p udp -d MyIP --dport MyPort -j RETURN -m comment --comment "Don't redirect traffic sent to ss-server"
iptables -t nat -A SSREDIR -d 0.0.0.0/8 -j RETURN -m comment --comment "Don't redirect reserved addresses"
iptables -t nat -A SSREDIR -d 10.0.0.0/8 -j RETURN -m comment --comment "Don't redirect reserved addresses"
iptables -t nat -A SSREDIR -d 100.64.0.0/10 -j RETURN -m comment --comment "Don't redirect reserved addresses"
iptables -t nat -A SSREDIR -d 127.0.0.0/8 -j RETURN -m comment --comment "Don't redirect reserved addresses"
iptables -t nat -A SSREDIR -d 169.254.0.0/16 -j RETURN -m comment --comment "Don't redirect reserved addresses"
iptables -t nat -A SSREDIR -d 172.16.0.0/12 -j RETURN -m comment --comment "Don't redirect reserved addresses"
iptables -t nat -A SSREDIR -d 192.0.0.0/24 -j RETURN -m comment --comment "Don't redirect reserved addresses"
iptables -t nat -A SSREDIR -d 192.0.2.0/24 -j RETURN -m comment --comment "Don't redirect reserved addresses"
iptables -t nat -A SSREDIR -d 192.88.99.0/24 -j RETURN -m comment --comment "Don't redirect reserved addresses"
iptables -t nat -A SSREDIR -d 192.168.0.0/16 -j RETURN -m comment --comment "Don't redirect reserved addresses"
iptables -t nat -A SSREDIR -d 198.18.0.0/15 -j RETURN -m comment --comment "Don't redirect reserved addresses"
iptables -t nat -A SSREDIR -d 198.51.100.0/24 -j RETURN -m comment --comment "Don't redirect reserved addresses"
iptables -t nat -A SSREDIR -d 203.0.113.0/24 -j RETURN -m comment --comment "Don't redirect reserved addresses"
iptables -t nat -A SSREDIR -d 224.0.0.0/4 -j RETURN -m comment --comment "Don't redirect reserved addresses"
iptables -t nat -A SSREDIR -d 240.0.0.0/4 -j RETURN -m comment --comment "Don't redirect reserved addresses"
iptables -t nat -A SSREDIR -d 255.255.255.255/32 -j RETURN -m comment --comment "Don't redirect reserved addresses"
# Everything that was not let through above is sent to the proxy
iptables -t nat -A SSREDIR -p tcp -j DNAT --to-destination ProxyIP:ProxyPort
# Hook the chain for locally generated and for forwarded traffic
iptables -t nat -A OUTPUT -p tcp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
iptables -t nat -A PREROUTING -p tcp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
iptables -t nat -A PREROUTING -p tcp -m mark --mark 0x2333 -j DNAT --to-destination 127.0.0.1:60080
iptables -t nat -A PREROUTING -p udp -m mark --mark 0x2333 -j DNAT --to-destination 127.0.0.1:60080


zfl9 commented on July 19, 2024

As long as you do not handle UDP, it does not matter whether the TPROXY module is present. redsocks/redsocks2/ipt2socks all work.


Proxy split routing really has two parts:

  • DNS split: done by a DNS component such as chinadns-ng; and sometimes the DNS process needs to be able to manipulate ipset, especially in gfwlist mode, where the IPs a domain resolves to must be added to an ipset so that the iptables rules can act on them.
  • IP split: handled on the iptables/ip6tables side, mainly by letting reserved addresses through and letting whitelisted addresses (e.g. mainland IPs) through. To improve iptables matching performance, these addresses are best put into ipset collections (the rules you posted above are not best practice and perform rather poorly).

DNS split involves two groups of DNS upstreams. In chinadns-ng, for example, one group is domestic DNS and the other is trusted DNS (foreign). For access to the domestic DNS, remember to let it through in iptables so it does not go via the proxy. For access to the foreign DNS, make sure in iptables that it does go via the proxy, so it is not interfered with or poisoned by the GFW.

Also, have a look at the ss-tproxy README to deepen your understanding of this area.

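The ipset-based rewrite of the rule set suggested in the two comments above, as an added example that is not chinadns-ng's or ss-tproxy's own script. It assumes ipt2socks listening on port 60080, a placeholder PROXY_SERVER_IP for the remote proxy server, 223.5.5.5 as the domestic DNS, and ./chnroute.ipset as the project's ipset restore file; IPT/IPS default to echo, so running it only prints the commands.

```shell
#!/bin/sh
# Added example, not chinadns-ng's or ss-tproxy's own script: the TCP-only, ipset-based
# rule set described above. IPT/IPS default to "echo ..." so running it only prints the
# commands; set IPT=iptables IPS=ipset (as root) to apply them. Assumed values below.
IPT=${IPT:-echo iptables}
IPS=${IPS:-echo ipset}
PROXY_PORT=${PROXY_PORT:-60080}                    # ipt2socks listen port (as in the log above)
PROXY_SERVER=${PROXY_SERVER:-PROXY_SERVER_IP}      # placeholder: the remote proxy server's IP
CHINA_DNS=${CHINA_DNS:-223.5.5.5}                  # domestic DNS upstream, must bypass the proxy
CHNROUTE_IPSET=${CHNROUTE_IPSET:-./chnroute.ipset} # assumed: restore file creating set "chnroute"

emit_rules() {
    # 1. One hash:net set for reserved ranges: a single -m set match instead of 16 rules.
    $IPS create privaddr hash:net -exist
    for net in 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
               192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 198.18.0.0/15 \
               198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 255.255.255.255/32; do
        $IPS add privaddr "$net" -exist
    done
    # 2. chnroute set: mainland IPs that are let through, loaded from the project's file.
    $IPS create chnroute hash:net -exist
    { [ -r "$CHNROUTE_IPSET" ] && $IPS restore -exist < "$CHNROUTE_IPSET"; } || true
    # 3. SSREDIR: every bypass (-j RETURN) comes before the single redirect.
    $IPT -t nat -N SSREDIR 2>/dev/null || true
    $IPT -t nat -F SSREDIR
    $IPT -t nat -A SSREDIR -m set --match-set privaddr dst -j RETURN
    $IPT -t nat -A SSREDIR -m set --match-set chnroute dst -j RETURN
    $IPT -t nat -A SSREDIR -p tcp -d "$PROXY_SERVER" -j RETURN         # the proxy's own uplink
    $IPT -t nat -A SSREDIR -p tcp -d "$CHINA_DNS" --dport 53 -j RETURN # domestic DNS goes direct
    # Foreign DNS via dns2tcp (8.8.8.8:53/tcp) needs no rule: it is in neither set, so it
    # falls through to the redirect. No -p udp rule at all: that would need TPROXY plus an
    # upstream socks5 that supports UDP.
    $IPT -t nat -A SSREDIR -p tcp -j REDIRECT --to-ports "$PROXY_PORT"
    # 4. Hook locally generated and forwarded TCP into the chain.
    $IPT -t nat -A OUTPUT -p tcp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
    $IPT -t nat -A PREROUTING -p tcp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
}

emit_rules
```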

zfl9 commented on July 19, 2024

As for the rules, it is quicker to read the ss-tproxy code; even if I kept going, I would just be repeating what ss-tproxy already has 😂


sunlewuyou commented on July 19, 2024

@zfl9 Thanks. Reviewing the old to learn the new: the ss-tproxy README is very detailed. Unfortunately I am not very familiar with this area, which is why I hit so many pitfalls. I saw that ipt2socks can hand all TCP and UDP traffic over to a socks proxy and is not as cumbersome as redsocks2, so I will test with it next; that should also reinforce my understanding.
Is the ipt2socks+iptables flow for TCP and UDP like this: all matched traffic is redirected to ipt2socks, which processes it and hands it to the socks proxy to send out, and this works even if the client side only accepts socks5 inbound?


zfl9 commented on July 19, 2024

redsocks/redsocks2/ipt2socks are only responsible for receiving the TCP/UDP traffic that iptables sends them and forwarding it to a socks5 proxy server (e.g. ss-local, trojan). The program itself does no "split routing"; it is purely "protocol conversion".

Split routing is implemented by the iptables rules. Split routing means "letting through" the traffic that does not need the proxy (i.e. -j RETURN) and redirecting the traffic that does need it to the listening port of redsocks/redsocks2/ipt2socks (-j REDIRECT), which connects it to the socks5 proxy.

The split routing described above is IP split. Besides IP split, DNS split is also needed, because in everyday browsing we do not use IPs directly but domain names.


sunlewuyou commented on July 19, 2024

Yes, when I said using only ipt2socks I meant the case without split routing. I just want something like a global transparent proxy for temporary use when setting up certain build environments; efficiency does not matter, simple is enough.


zfl9 commented on July 19, 2024

If you simply want everything to go through the proxy, the example you started with is enough. And you only need dns2tcp, not chinadns.


zfl9 commented on July 19, 2024

If you also want IPv6, just copy the IPv4 rules and change the addresses from v4 to v6.

For example, change the listen address from 127.0.0.1 to ::1


sunlewuyou commented on July 19, 2024

Yes, trying several approaches helps understanding; I find ipt2socks simpler.


sunlewuyou commented on July 19, 2024

@zfl9 Strange, it did not work with ipt2socks:

[root@centos7 ~]# nslookup cip.cc
;; connection timed out; no servers could be reached

[root@centos7 ~]# ipt2socks -v
2023-05-30 13:30:25 INF: [main] server address: 127.0.0.1#1080
2023-05-30 13:30:25 INF: [main] listen address: 127.0.0.1#60080
2023-05-30 13:30:25 INF: [main] listen address: ::1#60080
2023-05-30 13:30:25 INF: [main] udp cache maximum size: 256
2023-05-30 13:30:25 INF: [main] udp socket idle timeout: 60
2023-05-30 13:30:25 INF: [main] number of worker threads: 1
2023-05-30 13:30:25 INF: [main] enable tcp transparent proxy
2023-05-30 13:30:25 INF: [main] enable udp transparent proxy
2023-05-30 13:30:25 INF: [main] verbose mode (affect performance)
2023-05-30 13:30:29 INF: [udp_tproxy_recvmsg_cb] recv from 192.168.10.9#45756, nrecv:24
2023-05-30 13:30:29 INF: [udp_tproxy_recvmsg_cb] try to connect to 127.0.0.1#1080 ...
2023-05-30 13:30:29 INF: [udp_socks5_connect_cb] connect to 127.0.0.1#1080 succeeded
2023-05-30 13:30:29 INF: [udp_socks5_send_authreq_cb] send to 127.0.0.1#1080, nsend:3
2023-05-30 13:30:29 INF: [udp_socks5_recv_authresp_cb] recv from 127.0.0.1#1080, nrecv:2
2023-05-30 13:30:29 INF: [udp_socks5_recv_authresp_cb] send to 127.0.0.1#1080, nsend:10
2023-05-30 13:30:29 INF: [udp_socks5_recv_proxyresp_cb] recv from 127.0.0.1#1080, nrecv:10
2023-05-30 13:30:29 ERR: [udp_socks5_recv_proxyresp_cb] response->respcode:0x7(Command not supported) is not SUCCEEDED:0
2023-05-30 13:30:29 INF: [udp_socks5_context_timeout_cb] context will be released, reason: manual
2023-05-30 13:30:34 INF: [udp_tproxy_recvmsg_cb] recv from 192.168.10.9#45756, nrecv:24
2023-05-30 13:30:34 INF: [udp_tproxy_recvmsg_cb] try to connect to 127.0.0.1#1080 ...
2023-05-30 13:30:34 INF: [udp_socks5_connect_cb] connect to 127.0.0.1#1080 succeeded
2023-05-30 13:30:34 INF: [udp_socks5_send_authreq_cb] send to 127.0.0.1#1080, nsend:3
2023-05-30 13:30:34 INF: [udp_socks5_recv_authresp_cb] recv from 127.0.0.1#1080, nrecv:2
2023-05-30 13:30:34 INF: [udp_socks5_recv_authresp_cb] send to 127.0.0.1#1080, nsend:10
2023-05-30 13:30:34 INF: [udp_socks5_recv_proxyresp_cb] recv from 127.0.0.1#1080, nrecv:10
2023-05-30 13:30:34 ERR: [udp_socks5_recv_proxyresp_cb] response->respcode:0x7(Command not supported) is not SUCCEEDED:0
2023-05-30 13:30:34 INF: [udp_socks5_context_timeout_cb] context will be released, reason: manual
2023-05-30 13:30:39 INF: [udp_tproxy_recvmsg_cb] recv from 192.168.10.9#45756, nrecv:24
2023-05-30 13:30:39 INF: [udp_tproxy_recvmsg_cb] try to connect to 127.0.0.1#1080 ...
2023-05-30 13:30:39 INF: [udp_socks5_connect_cb] connect to 127.0.0.1#1080 succeeded
2023-05-30 13:30:39 INF: [udp_socks5_send_authreq_cb] send to 127.0.0.1#1080, nsend:3
2023-05-30 13:30:39 INF: [udp_socks5_recv_authresp_cb] recv from 127.0.0.1#1080, nrecv:2
2023-05-30 13:30:39 INF: [udp_socks5_recv_authresp_cb] send to 127.0.0.1#1080, nsend:10
2023-05-30 13:30:39 INF: [udp_socks5_recv_proxyresp_cb] recv from 127.0.0.1#1080, nrecv:10
2023-05-30 13:30:39 ERR: [udp_socks5_recv_proxyresp_cb] response->respcode:0x7(Command not supported) is not SUCCEEDED:0
2023-05-30 13:30:39 INF: [udp_socks5_context_timeout_cb] context will be released, reason: manual

Tested after modifying the setup according to the script at https://gist.github.com/zfl9/d52482118f38ce2c16195583dffc44d2.


zfl9 commented on July 19, 2024

Does the upstream not support UDP proxying? Which program's socks5 are you using?


sunlewuyou commented on July 19, 2024

@zfl9 I also suspect the socks5 client is still unsupported even through ipt2socks; it is naiveproxy. Could you add support for this client?


zfl9 commented on July 19, 2024

> @zfl9 I also suspect the socks5 client is still unsupported even through ipt2socks; it is naiveproxy. Could you add support for this client?

That requires the upstream socks5 to support it. naive currently does not support socks5 UDP proxying.

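The SOCKS5 exchange behind the log lines above (nsend:3, nrecv:2, nsend:10, nrecv:10, then REP 0x07), as an added example that is not ipt2socks' or naiveproxy's code: it builds the method-selection and UDP ASSOCIATE requests per RFC 1928, decodes the reply, and runs the handshake against a constructed stand-in server that refuses UDP ASSOCIATE the way the log shows. The server replies and the 127.0.0.1:1080 relay address in the success case are constructed, not captured from the page.

```python
import socket
import struct

# SOCKS5 (RFC 1928) field values for the exchange ipt2socks logs above
VER, CMD_UDP_ASSOCIATE, ATYP_IPV4 = 0x05, 0x03, 0x01
REPLY_TEXT = {0x00: "succeeded", 0x01: "general SOCKS server failure", 0x02: "connection not allowed",
              0x03: "network unreachable", 0x04: "host unreachable", 0x05: "connection refused",
              0x06: "TTL expired", 0x07: "command not supported", 0x08: "address type not supported"}

def auth_request():
    """VER, NMETHODS=1, METHOD=0x00 (no auth): the 3-byte 'nsend:3' in the log."""
    return bytes([VER, 0x01, 0x00])

def udp_associate_request(bind_ip="0.0.0.0", bind_port=0):
    """VER, CMD, RSV, ATYP, DST.ADDR(4), DST.PORT(2): the 10-byte 'nsend:10'."""
    return (bytes([VER, CMD_UDP_ASSOCIATE, 0x00, ATYP_IPV4])
            + socket.inet_aton(bind_ip) + struct.pack("!H", bind_port))

def parse_reply(data):
    """Decode a 10-byte IPv4 reply into (REP, text, BND.ADDR, BND.PORT)."""
    if len(data) < 10 or data[0] != VER or data[3] != ATYP_IPV4:
        raise ValueError("malformed SOCKS5 reply: %r" % (data,))
    rep = data[1]
    return (rep, REPLY_TEXT.get(rep, "unknown"),
            socket.inet_ntoa(data[4:8]), struct.unpack("!H", data[8:10])[0])

def udp_associate_handshake(send, recv):
    """Drive the exchange over send()/recv() callables (a TCP socket's methods, or the
    scripted stand-in below); returns parse_reply() of the server's final answer."""
    send(auth_request())                               # nsend:3
    if recv(2) != bytes([VER, 0x00]):                  # nrecv:2, no-auth accepted
        raise RuntimeError("server rejected the no-auth method")
    send(udp_associate_request())                      # nsend:10
    return parse_reply(recv(10))                       # nrecv:10

class ScriptedServer:
    """Constructed stand-in for the upstream socks5 server: answers from a fixed script."""
    def __init__(self, replies):
        self.replies, self.sent = list(replies), []
    def send(self, data):
        self.sent.append(data)
    def recv(self, n):
        return self.replies.pop(0)

# Constructed replies (not captured from the page): a naiveproxy-style REP=0x07 refusal
# and a successful reply relaying via 127.0.0.1:1080
AUTH_OK = bytes([VER, 0x00])
REPLY_CMD_NOT_SUPPORTED = bytes([VER, 0x07, 0x00, ATYP_IPV4]) + bytes(6)
REPLY_OK = bytes([VER, 0x00, 0x00, ATYP_IPV4]) + socket.inet_aton("127.0.0.1") + struct.pack("!H", 1080)
```

With the refusing script, udp_associate_handshake returns REP 0x07 ("command not supported"), which is exactly what ipt2socks reports before it releases the context; only a successful reply would carry the relay address to send the DNS datagrams to.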

zfl9 commented on July 19, 2024

For this case, you need to tweak the iptables rules slightly and comment out the -p udp rules, i.e. proxy TCP only.

Since DNS queries go over UDP by default, you need to use dns2tcp -L 127.0.0.1#53 -R 8.8.8.8#53 to convert them into TCP queries.

Then change /etc/resolv.conf to 127.0.0.1 to hand DNS over to dns2tcp.


sunlewuyou commented on July 19, 2024

@zfl9 OK, thanks for the patient guidance; I hope I did not disturb your lunch break. Thanks again!


zfl9 commented on July 19, 2024

Then I will close this issue for now.


sunlewuyou commented on July 19, 2024

OK, I was about to close it myself.

