ToutyRater / v2ray-guide

https://toutyrater.github.io/
1.65k stars, 447 forks

Strongly recommend patching the transparent-proxy iptables rules #69

Closed ghost closed 4 years ago

ghost commented 5 years ago

First of all, thank you for your TPROXY transparent-proxy solution; it is about the only complete TPROXY transparent-proxy configuration I have seen.

However, for the TPROXY transparent-proxy iptables rules, I suggest adding:

iptables -t mangle -I V2RAY -d 255.255.255.255 -j RETURN

Otherwise the gateway router misbehaves, and the whole LAN can even become unstable.

It took me quite a while to track this down.

seewpx commented 5 years ago

[Resolved] I had it configured wrong; I forgot to delete the previous rule table first.


# Proxy the gateway host itself
iptables -t mangle -N V2RAY_MASK
iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -p tcp -j RETURN # LAN traffic goes direct
iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN # LAN traffic goes direct, except port 53 (V2Ray's DNS is used)
iptables -t mangle -A V2RAY_MASK -j RETURN -m mark --mark 0xff    # traffic with SO_MARK 0xff goes direct (0xff is hexadecimal, numerically the same as the 255 in the V2Ray config above); this rule prevents a routing loop for the gateway's own proxied traffic
iptables -t mangle -A V2RAY_MASK -p udp -j MARK --set-mark 1   # mark UDP for re-routing
iptables -t mangle -A V2RAY_MASK -p tcp -j MARK --set-mark 1   # mark TCP for re-routing
iptables -t mangle -A OUTPUT -j V2RAY_MASK # apply the chain

Following the manual, I got as far as

iptables -t mangle -A OUTPUT -j V2RAY_MASK # apply the chain

and it gave me

iptables: Invalid argument. Run `dmesg' for more information.

dmesg shows:

x_tables: ip_tables: TPROXY target: used from hooks PREROUTING/OUTPUT, but only usable from PREROUTING

What should I do?

ghost commented 5 years ago

Also, 224.0.0.0/24 needs to be excluded as well.

ToutyRater commented 5 years ago

Could you describe the actual symptoms in detail? ~~In the example config, routing is already set up so that V2Ray sends every packet whose destination IP is a reserved address, including 255.255.255.255/32 and 224.0.0.0/4, out through freedom~~ Sorry, I just checked the source: geoip:private does not include 255.255.255.255/32 or 224.0.0.0/4. Still, I am curious what the gateway errors and the LAN instability actually look like, since 255.255.255.255 is broadcast and every device on the LAN receives it, and also why 224.0.0.0/24 should be excluded.

ghost commented 5 years ago

The symptom is packet loss and interruptions when accessing devices on the LAN; in the end even access to the router's web UI was interrupted. I think it is caused by the router's broadcasts being transparently proxied out. 224.0.0.0/24 is multicast, also a special address range.

ToutyRater commented 5 years ago

The tutorial has been updated. Since I cannot reproduce it here, I would still like to see the relevant logs rather than guesses.

ghost commented 5 years ago

Thanks for responding to my suggestion. Perhaps this phenomenon only shows up with low-end routers; the key question is whether the router breaks when the multicast and broadcast packets it sends are forwarded out. Since the router is rather junk, there are no router logs I can provide. I do not know much about the broadcast and multicast protocols, but what is certain is that, without extra configuration (in iptables or in V2Ray's routing), broadcast and multicast packets will definitely be forwarded out; this was confirmed in the server-side V2Ray log.
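As an added example (not code from the v2ray-guide tutorial or from anyone in this thread), here is a rule generator that puts the broadcast and multicast bypasses discussed above ahead of the redirect rule in both chains, and uses TPROXY only in the PREROUTING-hooked chain while the OUTPUT-hooked chain uses MARK, which is what the kernel message in seewpx's comment requires. SO_MARK 0xff and fwmark 1 are the values from the rules quoted above; the dokodemo-door port 12345 and routing table 100 are assumptions, so check them against your own V2Ray config.

```shell
#!/bin/sh
# Added example, not from the v2ray-guide tutorial or from this thread.
# Assumed (not stated on the page): the dokodemo-door inbound listens on
# port 12345 with tproxy enabled, and routing table 100 is unused.
# SO_MARK 0xff and fwmark 1 are the values used in the rules quoted above.
TPROXY_PORT=12345
PROXY_MARK=1
V2RAY_SOMARK=0xff
ROUTE_TABLE=100

# Destinations that must never enter the transparent proxy: limited broadcast
# (DHCP DISCOVER/REQUEST), multicast (mDNS, SSDP, IGMP), link-local, loopback
# and the LAN itself (except DNS, which V2Ray answers). Order matters: every
# RETURN here has to precede the TPROXY / MARK rule of its chain.
bypass_rules() {
cat <<EOF
iptables -t mangle -A $1 -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A $1 -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A $1 -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A $1 -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A $1 -d 192.168.0.0/16 -p tcp -j RETURN
iptables -t mangle -A $1 -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN
EOF
}

# Chain for forwarded LAN traffic: hooked in PREROUTING, so TPROXY is allowed.
prerouting_rules() {
    echo "iptables -t mangle -N V2RAY"
    bypass_rules V2RAY
    echo "iptables -t mangle -A V2RAY -p udp -j TPROXY --on-port $TPROXY_PORT --tproxy-mark $PROXY_MARK"
    echo "iptables -t mangle -A V2RAY -p tcp -j TPROXY --on-port $TPROXY_PORT --tproxy-mark $PROXY_MARK"
    echo "iptables -t mangle -A PREROUTING -j V2RAY"
}

# Chain for the gateway's own traffic: hooked in OUTPUT, where the kernel
# rejects TPROXY ("only usable from PREROUTING"), so packets are only marked
# and the policy rule below re-routes them to loopback. Traffic V2Ray itself
# sends (SO_MARK 0xff) returns first, otherwise it would loop.
output_rules() {
    echo "iptables -t mangle -N V2RAY_MASK"
    bypass_rules V2RAY_MASK
    echo "iptables -t mangle -A V2RAY_MASK -m mark --mark $V2RAY_SOMARK -j RETURN"
    echo "iptables -t mangle -A V2RAY_MASK -p udp -j MARK --set-mark $PROXY_MARK"
    echo "iptables -t mangle -A V2RAY_MASK -p tcp -j MARK --set-mark $PROXY_MARK"
    echo "iptables -t mangle -A OUTPUT -j V2RAY_MASK"
}

# Marked packets are delivered locally so the tproxy socket can accept them.
policy_routing_rules() {
    echo "ip rule add fwmark $PROXY_MARK table $ROUTE_TABLE"
    echo "ip route add local 0.0.0.0/0 dev lo table $ROUTE_TABLE"
}

all_rules() { policy_routing_rules; prerouting_rules; output_rules; }

# Sanity check on the generated list: in the given chain, the broadcast and
# multicast RETURNs must both appear before the first TPROXY or MARK rule.
check_bypass_order() {
    rules=$(all_rules | grep " -A $1 ")
    first_redirect=$(printf '%s\n' "$rules" | grep -n -E -- '-j (TPROXY|MARK)' | head -n1 | cut -d: -f1)
    bcast=$(printf '%s\n' "$rules" | grep -n -- '-d 255.255.255.255/32' | head -n1 | cut -d: -f1)
    mcast=$(printf '%s\n' "$rules" | grep -n -- '-d 224.0.0.0/4' | head -n1 | cut -d: -f1)
    [ -n "$bcast" ] && [ -n "$mcast" ] && [ -n "$first_redirect" ] \
        && [ "$bcast" -lt "$first_redirect" ] && [ "$mcast" -lt "$first_redirect" ]
}

# Executes the generated commands; run as root, and only after flushing any
# earlier V2RAY / V2RAY_MASK chains (the mistake in seewpx's comment above).
apply_rules() { all_rules | sh -e; }

if [ "${1:-}" = "apply" ]; then apply_rules; else all_rules; fi
```

Run without arguments to print the commands for review; `sh tproxy-rules.sh apply` (as root) executes them. The ordering check is the part worth keeping when you adapt the list: a RETURN placed after the TPROXY rule is silently dead, which is exactly how DHCP and multicast packets end up in the server-side log.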

biaocy commented 5 years ago

I ran into the same problem today while setting up a transparent proxy on a Raspberry Pi. I am not sure about the underlying cause. What I saw: after the transparent proxy was set up on the gateway, I had the client reconnect to the gateway, and at that point the client could not connect. In the gateway's V2Ray log I could see the address 255.255.255.255 with ports 67/68 appearing constantly, and in the server's V2Ray log 255.255.255.255:67 showed up as well.

I then looked it up on Wikipedia: after the client reconnects to the gateway it sends a DHCP request to the gateway; per Wikipedia, the client first sends a DHCPDISCOVER from its own port 68 to port 67 at 255.255.255.255.

I would like to ask whether the path of such a packet is as follows: with the unmodified iptables rules, the request above is redirected to V2Ray's transparent inbound, then goes through routing to the first outbound, i.e. proxy?

Server-side V2Ray log:

2019/11/01 05:59:54 [Info] [4129809701] v2ray.com/core/proxy/vmess/inbound: received request for udp:255.255.255.255:67
2019/11/01 05:59:54 [Info] [4129809701] v2ray.com/core/app/dispatcher: default route for udp:255.255.255.255:67
2019/11/01 05:59:54 [Info] [4129809701] v2ray.com/core/proxy/freedom: opening connection to udp:255.255.255.255:67
2019/11/01 06:00:04 [Info] [308410397] v2ray.com/core/proxy/vmess/inbound: received request for tcp:basketbuild.com:443
2019/11/01 06:00:04 [Info] [308410397] v2ray.com/core/app/dispatcher: default route for tcp:basketbuild.com:443
2019/11/01 06:00:04 [Info] [308410397] v2ray.com/core/proxy/freedom: opening connection to tcp:basketbuild.com:443
2019/11/01 06:00:04 [Info] [308410397] v2ray.com/core/transport/internet/tcp: dialing TCP to tcp:basketbuild.com:443
2019/11/01 06:00:06 [Info] [1617652838] v2ray.com/core/proxy/vmess/inbound: received request for tcp:google.com:80
2019/11/01 06:00:06 [Info] [1617652838] v2ray.com/core/app/dispatcher: default route for tcp:google.com:80
2019/11/01 06:00:06 [Info] [1617652838] v2ray.com/core/proxy/freedom: opening connection to tcp:google.com:80
2019/11/01 06:00:06 [Info] [1617652838] v2ray.com/core/transport/internet/tcp: dialing TCP to tcp:google.com:80
2019/11/01 06:00:08 [Info] [1617652838] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/freedom: connection ends > context canceled
2019/11/01 06:00:08 [Info] [1617652838] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/vmess/inbound: connection ends > io: read/write on closed pipe
2019/11/01 06:00:20 [Info] [308410397] v2ray.com/core/transport/internet/tcp: dialing TCP to tcp:basketbuild.com:443
2019/11/01 06:00:23 [Info] [1445875078] v2ray.com/core/proxy/vmess/inbound: received request for tcp:www.google.com:80
2019/11/01 06:00:23 [Info] [1445875078] v2ray.com/core/app/dispatcher: default route for tcp:www.google.com:80
2019/11/01 06:00:23 [Info] [1445875078] v2ray.com/core/proxy/freedom: opening connection to tcp:www.google.com:80
2019/11/01 06:00:23 [Info] [1445875078] v2ray.com/core/transport/internet/tcp: dialing TCP to tcp:www.google.com:80
2019/11/01 06:00:23 [Info] [1936435131] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/freedom: connection ends > context canceled
2019/11/01 06:00:23 [Info] [1079043385] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/freedom: connection ends > context canceled
2019/11/01 06:00:24 [Info] [1445875078] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/freedom: connection ends > context canceled
2019/11/01 06:00:24 [Info] [1445875078] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/vmess/inbound: connection ends > io: read/write on closed pipe
2019/11/01 06:00:27 [Info] [4129809701] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/freedom: connection ends > context canceled
2019/11/01 06:00:27 [Info] [4129809701] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/vmess/inbound: connection ends > io: read/write on closed pipe
2019/11/01 06:00:28 [Info] [2637969270] v2ray.com/core/proxy/vmess/inbound: received request for udp:255.255.255.255:67
2019/11/01 06:00:28 [Info] [2637969270] v2ray.com/core/app/dispatcher: default route for udp:255.255.255.255:67
2019/11/01 06:00:28 [Info] [2637969270] v2ray.com/core/proxy/freedom: opening connection to udp:255.255.255.255:67
2019/11/01 06:00:36 [Info] [308410397] v2ray.com/core/transport/internet/tcp: dialing TCP to tcp:basketbuild.com:443

P.S. The gateway is not with me and it is too late tonight; I will post the gateway's V2Ray log tomorrow.
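As a check, and as an added example rather than anything from the tutorial or from biaocy, the snippet below scans V2Ray server-side log lines in the format quoted above and flags every "received request" whose destination is a broadcast, multicast, link-local or loopback address, or a DHCP port: traffic that the gateway's bypass rules should have returned before TPROXY, so any hit on the server is a gap in the rule set. The lines in SAMPLE_LOG are constructed (IDs, timestamps and addresses made up); the ranges in NEVER_PROXY are the usual IPv4 special-purpose blocks, not a list taken from the page.

```python
"""Added example (not from the v2ray-guide tutorial or from this thread):
find transparent-proxy leaks in V2Ray server-side logs. The destination is
taken from the 'received request for <proto>:<host>:<port>' lines that the
vmess inbound writes, as quoted in the thread above."""
import ipaddress
import re
from collections import Counter

# Matches e.g. "... vmess/inbound: received request for udp:255.255.255.255:67"
REQ_RE = re.compile(r"received request for (?P<proto>tcp|udp):(?P<host>.+):(?P<port>\d+)$")

# Destinations a transparent-proxy gateway must always bypass (standard
# IPv4 special-purpose blocks; the page itself only names the first two).
NEVER_PROXY = [
    ipaddress.ip_network("255.255.255.255/32"),  # limited broadcast: DHCP DISCOVER/REQUEST
    ipaddress.ip_network("224.0.0.0/4"),         # multicast: mDNS, SSDP, IGMP
    ipaddress.ip_network("169.254.0.0/16"),      # link-local
    ipaddress.ip_network("127.0.0.0/8"),         # loopback
    ipaddress.ip_network("0.0.0.0/8"),           # "this network"
]
DHCP_PORTS = {67, 68}


def classify(proto, host, port):
    """Return a reason string if this destination must not be proxied, else None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a domain name: resolved remotely by the proxy, which is fine
    for net in NEVER_PROXY:
        if ip in net:
            return f"{net} destination"
    if proto == "udp" and port in DHCP_PORTS:
        return "DHCP port"
    return None


def scan(lines):
    """Yield (line_no, proto, host, port, reason) for every leaked request."""
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line.rstrip())
        if not m:
            continue  # dispatcher / freedom lines repeat the same destination
        port = int(m["port"])
        reason = classify(m["proto"], m["host"], port)
        if reason:
            yield n, m["proto"], m["host"], port, reason


def summarize(lines):
    """Count leaked destinations so a missing bypass rule shows up at a glance."""
    return Counter(f"{p}:{h}:{port}" for _, p, h, port, _ in scan(lines))


# Constructed sample in the page's log format (IDs, times, addresses made up).
SAMPLE_LOG = """\
2019/11/01 05:59:54 [Info] [1] v2ray.com/core/proxy/vmess/inbound: received request for udp:255.255.255.255:67
2019/11/01 05:59:54 [Info] [1] v2ray.com/core/app/dispatcher: default route for udp:255.255.255.255:67
2019/11/01 06:00:04 [Info] [2] v2ray.com/core/proxy/vmess/inbound: received request for tcp:basketbuild.com:443
2019/11/01 06:00:05 [Info] [3] v2ray.com/core/proxy/vmess/inbound: received request for udp:224.0.0.251:5353
2019/11/01 06:00:06 [Info] [4] v2ray.com/core/proxy/vmess/inbound: received request for udp:239.255.255.250:1900
2019/11/01 06:00:07 [Info] [5] v2ray.com/core/proxy/vmess/inbound: received request for tcp:203.0.113.10:80
2019/11/01 06:00:08 [Info] [6] v2ray.com/core/proxy/vmess/inbound: received request for udp:169.254.10.20:67
""".splitlines()

if __name__ == "__main__":
    for n, proto, host, port, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {proto}:{host}:{port} leaked through the proxy ({reason})")
    print(summarize(SAMPLE_LOG))
```

Feed it the real server log (`python3 leaks.py < v2ray-server.log` after swapping SAMPLE_LOG for `sys.stdin`) right after reconnecting a client: a clean run shows nothing, while the 255.255.255.255:67 hits biaocy reports mean the broadcast RETURN is missing or sits after the TPROXY rule.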

ToutyRater commented 5 years ago

@biaocy Thanks for the report. I think I roughly see the problem; I must have missed something when testing. Is your DHCP service running on the router or on the Raspberry Pi?

biaocy commented 5 years ago

@ToutyRater DHCP service is enabled on both the router and the Raspberry Pi. The client's IP was assigned by the Raspberry Pi's DHCP service. The Raspberry Pi gateway IP is 192.168.4.1, and the client is connected to the Raspberry Pi's Wi-Fi.

Here is the DHCP client log obtained on the client:

sudo dhclient -d -nw wlp4s0
Internet Systems Consortium DHCP Client 4.3.5
Copyright 2004-2016 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/wlp4s0/b8:ee:65:2d:a1:ea
Sending on   LPF/wlp4s0/b8:ee:65:2d:a1:ea
Sending on   Socket/fallback
DHCPREQUEST of 192.168.4.16 on wlp4s0 to 255.255.255.255 port 67 (xid=0x59506a61)
DHCPACK of 192.168.4.16 from 192.168.4.1
RTNETLINK answers: File exists
bound to 192.168.4.16 -- renewal in 42021 seconds.