
Not working on Debian 12 (about ss-tproxy, HOT 10, CLOSED)

millken commented on May 26, 2024

Not working on Debian 12.

from ss-tproxy.

Comments (10)

cattyhouse commented on May 26, 2024

Run the following three commands and post the output; only then can we tell what's what...

  • realpath /usr/sbin/iptables
  • iptables-nft-save
  • iptables-legacy-save


cattyhouse commented on May 26, 2024

There was a typo earlier; I've updated it.


millken commented on May 26, 2024

> Run the following three commands and post the output; only then can we tell what's what...

After stop, dig queries for github.com work.

  • realpath /usr/sbin/iptables

/usr/sbin/xtables-nft-multi

  • iptables-nft-save
# Generated by iptables-nft-save v1.8.9 (nf_tables) on Sat Jul 15 21:09:29 2023
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:SSTP_OUTPUT - [0:0]
:SSTP_PREROUTING - [0:0]
:SSTP_RULE - [0:0]
-A PREROUTING -j SSTP_PREROUTING
-A OUTPUT -j SSTP_OUTPUT
-A SSTP_OUTPUT -m addrtype --dst-type LOCAL -j RETURN
-A SSTP_OUTPUT -m conntrack --ctdir REPLY -j RETURN
-A SSTP_OUTPUT -m owner --gid-owner 13 -j RETURN
-A SSTP_OUTPUT -p udp -m udp --dport 53 -m owner ! --gid-owner 1001 -j RETURN
-A SSTP_OUTPUT -p udp -m conntrack --ctstate NEW,RELATED -j SSTP_RULE
-A SSTP_OUTPUT -m connmark --mark 0x2333 -j MARK --set-xmark 0x2333/0xffffffff
-A SSTP_PREROUTING -m addrtype --dst-type LOCAL -j RETURN
-A SSTP_PREROUTING -m conntrack --ctdir REPLY -j RETURN
-A SSTP_PREROUTING -p udp -m udp ! --dport 53 -m conntrack --ctstate NEW,RELATED -m addrtype ! --src-type LOCAL -j SSTP_RULE
-A SSTP_PREROUTING -p udp -m connmark --mark 0x2333 -j TPROXY --on-port 60080 --on-ip 127.0.0.1 --tproxy-mark 0x2333/0xffffffff
-A SSTP_RULE -m set --match-set sstp_white dst -m set ! --match-set sstp_black dst -j RETURN
-A SSTP_RULE -j CONNMARK --set-xmark 0x2333/0xffffffff
COMMIT
# Completed on Sat Jul 15 21:09:29 2023
# Generated by iptables-nft-save v1.8.9 (nf_tables) on Sat Jul 15 21:09:29 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Jul 15 21:09:29 2023
# Generated by iptables-nft-save v1.8.9 (nf_tables) on Sat Jul 15 21:09:29 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
:SSTP_OUTPUT - [0:0]
:SSTP_POSTROUTING - [0:0]
:SSTP_PREROUTING - [0:0]
:SSTP_RULE - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -j SSTP_PREROUTING
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -j SSTP_OUTPUT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j SSTP_POSTROUTING
-A DOCKER -i docker0 -j RETURN
-A SSTP_OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m addrtype ! --dst-type LOCAL -m owner ! --gid-owner 13 -j SSTP_RULE
-A SSTP_OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW -m owner ! --gid-owner 13 -m owner ! --gid-owner 1001 -j REDIRECT --to-ports 60053
-A SSTP_POSTROUTING ! -s 127.0.0.1/32 -d 127.0.0.1/32 -j SNAT --to-source 127.0.0.1
-A SSTP_PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSTP_RULE
-A SSTP_PREROUTING -p udp -m udp --dport 53 -m conntrack --ctstate NEW -m addrtype ! --src-type LOCAL -j REDIRECT --to-ports 60053
-A SSTP_RULE -m set --match-set sstp_white dst -m set ! --match-set sstp_black dst -j RETURN
-A SSTP_RULE -p tcp -j DNAT --to-destination 127.0.0.1:60080
COMMIT
# Completed on Sat Jul 15 21:09:29 2023
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
  • iptables-legacy-save
# Generated by iptables-save v1.8.9 on Sat Jul 15 21:10:55 2023
*mangle
:PREROUTING ACCEPT [14377821:1988555072]
:INPUT ACCEPT [14377821:1988555072]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14378671:1988826510]
:POSTROUTING ACCEPT [14378671:1988826510]
COMMIT
# Completed on Sat Jul 15 21:10:55 2023
# Generated by iptables-save v1.8.9 on Sat Jul 15 21:10:55 2023
*filter
:INPUT ACCEPT [16401644:2265354032]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16402352:2265668456]
COMMIT
# Completed on Sat Jul 15 21:10:55 2023


cattyhouse commented on May 26, 2024
  1. This shows that Debian 12 uses the nft backend by default. That warning can actually be ignored (# Warning: iptables-legacy tables present, use iptables-legacy to see them), because the rules in your legacy-save output are empty (apart from the counters and the default chains).

    • If you don't want to ignore it, check whether something on the system has started iptables-legacy ... systemctl list-unit-files --type=service,timer --state=enabled
  2. I think the problem is in the chinadns configuration: 2023-07-15 20:35:47 I [ipset.c:565 ipset_init] tag:none test: sstp_white6 You are using sstp_white6 for the split routing, but your iptables rules use sstp_white


millken commented on May 26, 2024

systemctl list-unit-files --type=service,timer --state=enabled

UNIT FILE                 STATE   PRESET 
apparmor.service          enabled enabled
console-setup.service     enabled enabled
containerd.service        enabled enabled
cron.service              enabled enabled
docker.service            enabled enabled
e2scrub_reap.service      enabled enabled
[email protected]            enabled enabled
keyboard-setup.service    enabled enabled
networking.service        enabled enabled
postgresql.service        enabled enabled
ssh.service               enabled enabled
systemd-pstore.service    enabled enabled
systemd-timesyncd.service enabled enabled
zerotier-one.service      enabled enabled
apt-daily-upgrade.timer   enabled enabled

I haven't changed the chinadns configuration; below is what start -x printed. Is there anything wrong here?

chinadns-ng -b 127.0.0.1 -l 65353 -c 223.5.5.5#53 -t 8.8.8.8#53 -g gfwlist.txt,/dev/fd/63 -m chnlist.txt,/dev/fd/62 -4 sstp_white -6 sstp_white6 -a -A sstp_black,sstp_black6


cattyhouse commented on May 26, 2024

Oh, your chinadns log wasn't posted in full..

Looking at your iptables rules, I noticed 2 points

  1. You are using a mixed redirect + tproxy proxy mode. Is your proxy program running in this mode?
  2. You are using a group with id 1001. Please check whether this is a group created specifically for DNS, or one of your existing users? (A dedicated DNS group is recommended.)
  3. You are using a group with id 13 to handle the traffic sent by the proxy program. Is this a group you created separately, or an existing system one? (A dedicated proxy group is recommended.)
  4. Minor: docker.service may have started iptables-legacy for you.


cattyhouse commented on May 26, 2024

Also, check what identity the proxy program runs as. Has that been set up?


millken commented on May 26, 2024

Points 2 and 3 here are both groups created automatically by the script

proxy:x:13:
proxy_dns:x:1001:

> Also, check what identity the proxy program runs as. Has that been set up?

The proxy is ipt2socks. The relevant steps have been done.


cattyhouse commented on May 26, 2024

> Points 2 and 3 here are both groups created automatically by the script
>
> proxy:x:13:
> proxy_dns:x:1001:
>
> > Also, check what identity the proxy program runs as. Has that been set up?
>
> The proxy is ipt2socks. The relevant steps have been done.

ipt2socks defaults to pure tproxy mode, not mixed (tcp redirect + udp tproxy) mode


millken commented on May 26, 2024

Thanks, the problem is solved.
The main cause was a wrong proxy configuration: a LAN address cannot be used.

proxy_startcmd='ipt2socks -s 192.168.0.1 -p 1080 </dev/null &>>/var/log/ipt2socks.log &' 

Changing it to the following fixed it

proxy_startcmd='ipt2socks -s 127.0.0.1 -p 1080 </dev/null &>>/var/log/ipt2socks.log &' 

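The checks cattyhouse walks through above (whether the rule set is redirect + tproxy mixed mode, whether the ipset names in the rules match the ones chinadns-ng fills, and which address the proxy has to accept diverted traffic on) can be run mechanically over an iptables-save dump. The following Python is an added example, not code from ss-tproxy or from anyone in the thread. It parses the rule excerpt posted above (embedded as a constructed sample) and the posted chinadns-ng command line; the proxy's bind address and port are passed in by the operator rather than read from the proxy's own command line, set names are taken from the -4/-6/-A options in the form the thread's command uses, and the "<unchanged>" and "<incoming-interface>" strings are placeholders of this example for targets that do not name an explicit address.

```python
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed inline sample: rules from the iptables-nft-save output posted in the
# thread, trimmed to what the checker inspects, plus the posted chinadns-ng command.
SAMPLE_SAVE = """\
*mangle
-A SSTP_PREROUTING -p udp -m udp ! --dport 53 -m conntrack --ctstate NEW,RELATED -m addrtype ! --src-type LOCAL -j SSTP_RULE
-A SSTP_PREROUTING -p udp -m connmark --mark 0x2333 -j TPROXY --on-port 60080 --on-ip 127.0.0.1 --tproxy-mark 0x2333/0xffffffff
-A SSTP_RULE -m set --match-set sstp_white dst -m set ! --match-set sstp_black dst -j RETURN
COMMIT
*nat
-A SSTP_PREROUTING -p udp -m udp --dport 53 -m conntrack --ctstate NEW -m addrtype ! --src-type LOCAL -j REDIRECT --to-ports 60053
-A SSTP_RULE -m set --match-set sstp_white dst -m set ! --match-set sstp_black dst -j RETURN
-A SSTP_RULE -p tcp -j DNAT --to-destination 127.0.0.1:60080
COMMIT
"""
SAMPLE_DNS_CMD = ("chinadns-ng -b 127.0.0.1 -l 65353 -c 223.5.5.5#53 -t 8.8.8.8#53 "
                  "-4 sstp_white -6 sstp_white6 -a -A sstp_black,sstp_black6")


@dataclass
class Rule:
    table: str
    proto: Optional[str] = None
    dport: Optional[str] = None            # positive --dport match only; "! --dport" is not recorded
    target: Optional[str] = None
    target_opts: List[str] = field(default_factory=list)
    sets: List[str] = field(default_factory=list)


def parse_save(text):
    """Turn the -A lines of an iptables-save dump into Rule records."""
    rules, table = [], None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A ") and table:
            tok, r, i = shlex.split(line), Rule(table), 2
            while i < len(tok):
                if tok[i] == "-p":
                    r.proto = tok[i + 1]
                elif tok[i] == "--dport" and tok[i - 1] != "!":
                    r.dport = tok[i + 1]
                elif tok[i] == "--match-set":           # --match-set NAME DIRECTION
                    r.sets.append(tok[i + 1])
                elif tok[i] == "-j":                    # tokens after the target are its options
                    r.target, r.target_opts = tok[i + 1], tok[i + 2:]
                    break
                i += 1
            rules.append(r)
    return rules


def opt_value(tokens, name):
    """Value following option `name` in a token list, or None if absent."""
    return next((tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == name), None)


def divert_rules(rules):
    """Rules that hand traffic to the proxy; port-53 interception belongs to the resolver and is skipped."""
    return [r for r in rules if r.dport != "53" and r.target in ("TPROXY", "DNAT", "REDIRECT")]


def proxy_mode(rules):
    """Per protocol: 'tproxy' (mangle TPROXY) or 'redirect' (nat DNAT/REDIRECT); differing values = mixed mode."""
    mode = {"tcp": None, "udp": None}
    for r in divert_rules(rules):
        if r.proto in mode:
            mode[r.proto] = "tproxy" if r.table == "mangle" and r.target == "TPROXY" else "redirect"
    return mode


def required_listeners(rules):
    """(ip, port) pairs the proxy must accept on for every divert target to reach it."""
    need = set()
    for r in divert_rules(rules):
        if r.target == "TPROXY":      # without --on-ip the destination address is left unchanged
            need.add((opt_value(r.target_opts, "--on-ip") or "<unchanged>", opt_value(r.target_opts, "--on-port")))
        elif r.target == "DNAT":
            ip, _, port = opt_value(r.target_opts, "--to-destination").rpartition(":")
            need.add((ip, port))
        else:                         # REDIRECT rewrites to the incoming interface's primary address
            need.add(("<incoming-interface>", opt_value(r.target_opts, "--to-ports")))
    return need


def listener_mismatch(rules, listen_ip, listen_port):
    """Divert targets a proxy bound to listen_ip:listen_port would not serve (a 0.0.0.0 bind serves any address)."""
    return sorted((ip, port) for ip, port in required_listeners(rules)
                  if port != str(listen_port) or listen_ip not in ("0.0.0.0", ip))


def unpopulated_ipsets(rules, dns_cmd):
    """ipsets the rules match on that chinadns-ng never fills (its -4/-6/-A options, as in the thread's command)."""
    tok = shlex.split(dns_cmd)
    filled = {n for flag in ("-4", "-6", "-A") for n in (opt_value(tok, flag) or "").split(",") if n}
    return sorted({s for r in rules for s in r.sets} - filled)
```

On a live host, feed the full iptables-save (or iptables-nft-save) output to parse_save and compare proxy_mode with the mode the proxy program actually runs in: the sample yields tcp "redirect" and udp "tproxy", the mixed mode cattyhouse pointed out, while ipt2socks defaults to pure tproxy. required_listeners shows the divert targets all expect the proxy on 127.0.0.1:60080, and a non-empty unpopulated_ipsets result is exactly the sstp_white versus sstp_white6 kind of mismatch discussed above.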
