Chion82 / netfilter-full-cone-nat

A kernel module to turn MASQUERADE into full cone SNAT
GNU General Public License v2.0
433 stars 124 forks

not working on 5.10.77 #40

Closed debiansid closed 2 years ago

debiansid commented 3 years ago

I found it is not working on 5.10.77, any clue?

andylizi commented 3 years ago

Define "not working" please.

debiansid commented 3 years ago

# FULLCONENAT Rules
iptables-legacy -t nat -I POSTROUTING -o pppoe0 -j FULLCONENAT
iptables-legacy -t nat -I PREROUTING -i pppoe0 -j FULLCONENAT
iptables-legacy -t nat -I PREROUTING -i eth0 -j FULLCONENAT
iptables-legacy -t nat -I PREROUTING -i eth2 -j FULLCONENAT
iptables-legacy -t nat -I PREROUTING -i wg0 -j FULLCONENAT

still not fullconenat

andylizi commented 3 years ago

Were the rules added successfully? It's possible that the kernel module wasn't loaded, causing the commands to fail.

And, are you sure the rules should be applied to pppoe0? It's not the same as the external interface itself, as far as I know.

debiansid commented 3 years ago

vyos@vyos:~$ sudo lsmod |grep -i fullcone
xt_FULLCONENAT         40960  5
nf_nat                 53248  9 nf_nat_ftp,xt_FULLCONENAT,nf_nat_tftp,nf_nat_pptp,nf_nat_h323,nft_chain_nat,iptable_nat,nf_nat_sip,xt_REDIRECT
nf_conntrack          172032  17 xt_conntrack,nf_nat,nf_conntrack_tftp,nfnetlink_cthelper,nf_nat_ftp,xt_state,nf_conntrack_pptp,xt_FULLCONENAT,nf_nat_tftp,nf_conntrack_sip,nf_conntrack_h323,nf_nat_pptp,nf_conntrack_ftp,xt_CT,nf_nat_h323,nf_nat_sip,xt_REDIRECT
x_tables               53248  16 xt_conntrack,iptable_filter,nft_compat,xt_LOG,xt_state,xt_tcpudp,xt_FULLCONENAT,xt_comment,xt_set,xt_TPROXY,xt_CT,ip_tables,xt_limit,iptable_mangle,xt_REDIRECT,xt_mark
vyos@vyos:~$ sudo iptables-legacy -t nat -nL |more
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
FULLCONENAT  all  --  0.0.0.0/0            0.0.0.0/0
FULLCONENAT  all  --  0.0.0.0/0            0.0.0.0/0
FULLCONENAT  all  --  0.0.0.0/0            0.0.0.0/0
FULLCONENAT  all  --  0.0.0.0/0            0.0.0.0/0

Chion82 commented 3 years ago

Could you please post all iptables rules? Need to make sure you are not using FULLNAT and SNAT/MASQUERADE or hardware NAT at the same time.

Looks like you are using vyos, which hasn’t been tested yet.
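
The two things asked for in this thread so far are "is the module actually loaded" and "is FULLCONENAT sharing the nat table with SNAT/MASQUERADE". The following is an added example, not code from this thread or from the netfilter-full-cone-nat project: a small POSIX shell checker that answers both questions from `lsmod` and `iptables-save`-style text. The sample dumps and module listing are constructed (modelled on the output posted above), and the function names are hypothetical; on a real box you would feed them `"$(lsmod)"` and `"$(iptables-legacy-save -t nat)"`. It only sees the iptables-legacy nat table: any NAT configured through nftables (the lsmod listing above shows nft_chain_nat loaded too) would not appear in that dump and is outside what this check can detect.

```shell
#!/bin/sh
# Added example, not from the thread or the netfilter-full-cone-nat project.
# Offline sanity checks for a FULLCONENAT deployment, run against constructed
# command output so they can be tried without root. Function names are
# hypothetical; in real use pass "$(lsmod)" and "$(iptables-legacy-save -t nat)".

# Constructed lsmod output, modelled on the listing posted in this thread.
LSMOD_SAMPLE='Module                  Size  Used by
xt_FULLCONENAT         40960  5
nf_nat                 53248  9 nf_nat_ftp,xt_FULLCONENAT,iptable_nat
x_tables               53248  16 xt_FULLCONENAT,ip_tables'

# Constructed iptables-save dumps: one with FULLCONENAT alone on the external
# interface, one where a MASQUERADE rule shares POSTROUTING with it.
NAT_SAMPLE_OK='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i pppoe0 -j FULLCONENAT
-A PREROUTING -p tcp -j SHADOWSOCKS
-A POSTROUTING -o pppoe0 -j FULLCONENAT
COMMIT'

NAT_SAMPLE_BAD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i pppoe0 -j FULLCONENAT
-A POSTROUTING -o pppoe0 -j FULLCONENAT
-A POSTROUTING -o pppoe0 -j MASQUERADE
COMMIT'

# module_loaded NAME LSMOD_TEXT: exit 0 if NAME is the first column of a line.
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# count_nat_target CHAIN TARGET DUMP: number of "-A CHAIN ... -j TARGET" rules.
count_nat_target() {
    printf '%s\n' "$3" | awk -v c="$1" -v t="$2" '
        $1 == "-A" && $2 == c {
            for (i = 3; i < NF; i++) if ($i == "-j" && $(i + 1) == t) n++
        }
        END { print n + 0 }'
}

# check_fullcone DUMP: FULLCONENAT needs both halves (POSTROUTING for the
# outbound SNAT side, PREROUTING for the inbound DNAT side) and must not
# share POSTROUTING with SNAT/MASQUERADE, which would claim the same flows.
# Prints one diagnostic line; exit status 0 only when everything holds.
check_fullcone() {
    fc_post=$(count_nat_target POSTROUTING FULLCONENAT "$1")
    fc_pre=$(count_nat_target PREROUTING FULLCONENAT "$1")
    masq=$(count_nat_target POSTROUTING MASQUERADE "$1")
    snat=$(count_nat_target POSTROUTING SNAT "$1")
    if [ "$fc_post" -eq 0 ]; then
        echo "missing: FULLCONENAT on POSTROUTING"; return 1
    fi
    if [ "$fc_pre" -eq 0 ]; then
        echo "missing: FULLCONENAT on PREROUTING"; return 1
    fi
    if [ "$((masq + snat))" -gt 0 ]; then
        echo "conflict: $masq MASQUERADE and $snat SNAT rules share POSTROUTING"; return 1
    fi
    echo "ok: $fc_post POSTROUTING / $fc_pre PREROUTING FULLCONENAT rules, no SNAT/MASQUERADE"
}

# Demo over the constructed samples.
module_loaded xt_FULLCONENAT "$LSMOD_SAMPLE" && echo "xt_FULLCONENAT loaded" || echo "xt_FULLCONENAT NOT loaded"
echo "ok dump:  $(check_fullcone "$NAT_SAMPLE_OK")"
echo "bad dump: $(check_fullcone "$NAT_SAMPLE_BAD")"
```

The conflict test counts targets rather than looking at rule order on purpose: even when FULLCONENAT is inserted ahead of a MASQUERADE rule, the project's guidance quoted above is not to run the two together at all, so any SNAT/MASQUERADE in POSTROUTING is reported, not just one that would win.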

debiansid commented 3 years ago

Yes, thank you Sir.

#!/bin/sh
# This script is executed at boot time after VyOS configuration is fully applied.
# Any modifications required to work around unfixed bugs
# or use services not available through the VyOS CLI system can be placed here.

#
/usr/sbin/modprobe ip_tables
/usr/sbin/modprobe ip_conntrack
/usr/sbin/modprobe iptable_filter
/usr/sbin/modprobe iptable_mangle
/usr/sbin/modprobe iptable_nat
/usr/sbin/modprobe ipt_LOG
/usr/sbin/modprobe ipt_limit
/usr/sbin/modprobe ipt_state

# force start unbound
/etc/init.d/unbound start

# Address sets used by the rules below (one CIDR per line in each file)
ipset -N china hash:net
for subnet in $(cat /config/user-data/iptables/china.txt); do ipset add china "$subnet"; done
ipset -N google hash:net
for subnet in $(cat /config/user-data/iptables/google.txt); do ipset add google "$subnet"; done

# TCP Rules
# Create new chain
iptables-legacy -t nat -N SHADOWSOCKS
iptables-legacy -t nat -N SHADOWSOCKS_MARK
# Ignore your shadowsocks server's addresses
# It's very IMPORTANT, just be careful.
for i in $(cat /config/user-data/iptables/localips); do
    iptables-legacy -t nat -A SHADOWSOCKS -d "$i" -j RETURN
    iptables-legacy -t nat -A SHADOWSOCKS_MARK -d "$i" -j RETURN
done

# Redirect google
iptables-legacy -t nat -A SHADOWSOCKS -p tcp -m set --match-set google dst -j REDIRECT --to-ports 1082
iptables-legacy -t nat -A SHADOWSOCKS_MARK -p tcp -m set --match-set google dst -j MARK --set-mark 1

# Redirect Hulu
#iptables-legacy -t nat -A SHADOWSOCKS -p tcp -m set --match-set hulu dst -j REDIRECT --to-ports 1081
#iptables-legacy -t nat -A SHADOWSOCKS_MARK -p tcp -m set --match-set hulu dst -j MARK --set-mark 1

# Ignore CHN route list
iptables-legacy -t nat -A SHADOWSOCKS -m set --match-set china dst -j RETURN
iptables-legacy -t nat -A SHADOWSOCKS_MARK -m set --match-set china dst -j RETURN

# Anything else should be redirected to shadowsocks's local port
iptables-legacy -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 1080
iptables-legacy -t nat -A SHADOWSOCKS_MARK -p tcp -j MARK --set-mark 1

# Apply TCP rules
#iptables-legacy -t nat -A OUTPUT -p tcp -m set --match-set hulu dst -j SHADOWSOCKS
iptables-legacy -t nat -A PREROUTING -p tcp -j SHADOWSOCKS
iptables-legacy -t nat -A OUTPUT -p tcp -j SHADOWSOCKS
iptables-legacy -t nat -A OUTPUT -p tcp -j SHADOWSOCKS_MARK

##############################################
# FULLCONENAT Rules
# -I puts these at the head of PREROUTING/POSTROUTING, ahead of the
# SHADOWSOCKS jump appended above.
iptables-legacy -t nat -I POSTROUTING -o pppoe0 -j FULLCONENAT
iptables-legacy -t nat -I PREROUTING -i pppoe0 -j FULLCONENAT
iptables-legacy -t nat -I PREROUTING -i eth0 -j FULLCONENAT
iptables-legacy -t nat -I PREROUTING -i eth2 -j FULLCONENAT
iptables-legacy -t nat -I PREROUTING -i wg0 -j FULLCONENAT

##############################################
# UDP Rules
# Create new chain
iptables-legacy -t mangle -N SHADOWSOCKS
iptables-legacy -t mangle -N SHADOWSOCKS_MARK

# Policy routing: fwmark 1 traffic is delivered locally (for TPROXY)
/usr/sbin/ip route flush table 100
/usr/sbin/ip route add local default dev lo table 100
/usr/sbin/ip rule add fwmark 1 lookup 100

# Ignore your shadowsocks server's addresses
# It's very IMPORTANT, just be careful.
for j in $(cat /config/user-data/iptables/localips); do
    iptables-legacy -t mangle -A SHADOWSOCKS -d "$j" -j RETURN
    iptables-legacy -t mangle -A SHADOWSOCKS_MARK -d "$j" -j RETURN
done

iptables-legacy -t mangle -A SHADOWSOCKS -p udp -m set --match-set china dst -j RETURN
iptables-legacy -t mangle -A SHADOWSOCKS -p udp -j TPROXY --on-port 1080 --tproxy-mark 0x01/0x01
iptables-legacy -t mangle -A SHADOWSOCKS_MARK -p udp -m set --match-set china dst -j RETURN
iptables-legacy -t mangle -A SHADOWSOCKS_MARK -p udp -j MARK --set-mark 1

# Apply UDP rules
iptables-legacy -t mangle -A PREROUTING -p udp -j SHADOWSOCKS
iptables-legacy -t mangle -A OUTPUT -p udp -j SHADOWSOCKS_MARK

It was working on 5.4.81, same rules.

debiansid commented 3 years ago

Could you please post all iptables rules? Need to make sure you are not using FULLNAT and SNAT/MASQUERADE or hardware NAT at the same time.

Looks like you are using vyos, which hasn’t been tested yet.

VyOS is based on Debian.