SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

Route request to direct outbound if request IP matches server public IP #1792

Closed AkramiPro closed 4 weeks ago

AkramiPro commented 1 month ago

Operating system

Linux

System version

Linux s04 6.8.10-x64v3-xanmod1 #0~20240517.g2e7da9e SMP PREEMPT_DYNAMIC Fri May 17 18:21:06 UTC x86_64 GNU/Linux

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

sing-box version 1.9.0-rc.22

Environment: go1.22.3 linux/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: a89107ea9dc9863acfdf8e5a560e8d26332a8fdf
CGO: disabled

Description

My server IP is 1.2.3.4. I run SOCKS5 on 1.2.3.4:1080. On my server I use WARP to handle all requests.

The problem is that I cannot access my server through the SOCKS connection. I have a service on port 9595 that I want to access. I can access https://1.2.3.4:9595 without the proxy, but it does not work when I use the SOCKS5 proxy.

The issue is that the server config must use the direct outbound if the request IP matches the server's public IP address.

I tried to use ip_is_private in the routing rules, but I think it just does not work for detecting the server's public IP.

I know that I can do it manually by setting my server's public IP in the routing rules, but I have many servers and the server IP may change, and I was hoping that maybe you can add an option to detect if the request IP matches the server's public IP so we can route these requests to the direct outbound automatically.

Reproduction

  1. Set the default outbound to anything other than direct.
  2. Try to access other ports on the server using the server's public IP through sing-box.

curl --socks5-hostname 1.2.3.4:1080 https://1.2.3.4:9595
curl: (56) Recv failure: Connection reset by peer

{
  "log": {
    "disabled": false
  },
  "dns": {
    "strategy": "ipv4_only",
    "disable_cache": false,
    "independent_cache": true,
    "servers": [
      {
        "address": "tcp://8.8.8.8:53",
        "detour": "direct",
        "tag": "dns-local"
      },
      {
        "address": "rcode://success",
        "tag": "dns-block"
      }
    ]
  },
  "inbounds": [
    {
      "type": "socks",
      "tag": "socks-in",
      "listen": "0.0.0.0",
      "listen_port": 1080,
      "tcp_fast_open": false,
      "udp_fragment": false
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "proxy",
      "bind_interface": "wg01",
      "tcp_fast_open": false
    },
    {
      "type": "direct",
      "tag": "direct",
      "tcp_fast_open": false
    },
    {
      "type": "block",
      "tag": "block"
    },
    {
      "tag": "dns-out",
      "type": "dns"
    }
  ],
  "experimental": {
    "cache_file": {
      "enabled": true,
      "path": "/root/sing-box-cache-01.db"
    }
  },
  "route": {
    "auto_detect_interface": true,
    "rule_set": [
      {
        "tag": "geosite-private",
        "type": "remote",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-private.srs",
        "download_detour": "direct"
      }
    ],
    "rules": [
      {
        "type": "logical",
        "mode": "or",
        "rules": [
          {
            "protocol": "dns"
          },
          {
            "port": 53
          }
        ],
        "outbound": "dns-out"
      },
      {
        "protocol": "quic",
        "outbound": "block"
      },
      {
        "ip_is_private": true,
        "outbound": "direct"
      },
      {
        "rule_set": "geosite-private",
        "outbound": "direct"
      }
    ]
  }
}

Logs

No response

dyhkwong commented 4 weeks ago

sing-box can't magically be aware of your server's public IP, especially since some servers are behind NAT.

AkramiPro commented 4 weeks ago

> sing-box can't magically be aware of your server's public IP, especially since some servers are behind NAT.

I think you can use curl ip.gs to get the server's public IP. You can add this like ip_is_private so we can use ip_is_server_public.
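
The manual workaround mentioned in the first post (listing the server's public IP in the routing rules), as an added example that is not part of the thread or of sing-box itself: a Python helper that inserts or refreshes an `ip_cidr` rule pointing at the `direct` outbound whenever the address changes. It assumes the operator supplies the address list (how it is discovered is out of scope), and `normalize_public_ips`, `upsert_self_rule` and `SAMPLE` are hypothetical names.

```python
import copy
import ipaddress
import json

DIRECT_TAG = "direct"  # outbound tag used in the config posted in the issue


def normalize_public_ips(addresses):
    """Validate addresses and return sorted host CIDRs for global ones only."""
    cidrs = set()
    for raw in addresses:
        ip = ipaddress.ip_address(raw.strip())  # ValueError on malformed input
        if ip.is_global:  # non-global addresses are skipped, not an error
            cidrs.add(f"{ip}/{ip.max_prefixlen}")
    return sorted(cidrs)


def upsert_self_rule(config, addresses, outbound=DIRECT_TAG):
    """Return a copy of config that routes the host's own public IPs to `outbound`."""
    cidrs = normalize_public_ips(addresses)
    if not cidrs:
        raise ValueError("no globally routable address supplied")
    cfg = copy.deepcopy(config)  # never mutate the caller's config
    if outbound not in {o.get("tag") for o in cfg.get("outbounds", [])}:
        raise ValueError(f"outbound {outbound!r} is not defined in the config")
    rules = cfg.setdefault("route", {}).setdefault("rules", [])
    # The managed rule is recognised by shape: exactly ip_cidr + outbound.
    managed = [r for r in rules
               if set(r) == {"ip_cidr", "outbound"} and r["outbound"] == outbound]
    if managed:
        managed[0]["ip_cidr"] = cidrs  # server IP changed: rewrite in place
    else:
        # Appended last so the existing rules keep their priority.
        rules.append({"ip_cidr": cidrs, "outbound": outbound})
    return cfg


# Constructed sample: a trimmed copy of the config posted in the issue.
SAMPLE = {
    "outbounds": [
        {"type": "direct", "tag": "proxy", "bind_interface": "wg01"},
        {"type": "direct", "tag": "direct"},
    ],
    "route": {"rules": [{"ip_is_private": True, "outbound": "direct"}]},
}

if __name__ == "__main__":
    updated = upsert_self_rule(SAMPLE, ["1.2.3.4", "10.0.0.5"])
    print(json.dumps(updated["route"], indent=2))
```

Running the helper again with a new address rewrites the same rule instead of adding a second one, so it can be run on every address change before reloading sing-box.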