XTLS / Xray-core

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.
https://t.me/projectXray
Mozilla Public License 2.0
25.63k stars 3.96k forks

Abnormal responses on TCP port 53 under transparent proxy (tproxy) #2377

Closed Caiminoyume closed 1 year ago

Caiminoyume commented 1 year ago

I set up a transparent proxy following this article, running xray-core directly on the router in fakedns mode (the fake IP range is 192.18.0.0/16).

Client version: 1.8.3 Environment: openwrt

I found that as soon as host 192.168.2.2 opens a TCP connection to the router 192.168.2.1, it causes 192.168.2.1 to connect to its own TCP port 53 over and over; the connection count explodes, CPU usage ends up too high, and the router hangs.

Below is part of the access log

2023/07/26 14:12:10 192.168.2.2:53745 accepted udp:192.168.2.1:53 [all-in -> dns-out]
2023/07/26 14:12:10 192.168.2.2:65176 accepted udp:192.168.2.1:53 [all-in -> dns-out]
2023/07/26 14:12:10 192.168.2.2:64010 accepted udp:192.168.2.1:53 [all-in -> dns-out]
2023/07/26 14:12:10 192.168.2.2:63572 accepted udp:192.168.2.1:53 [all-in -> dns-out]
2023/07/26 14:12:10 192.168.2.2:63611 accepted udp:192.168.2.1:53 [all-in -> dns-out]
2023/07/26 14:12:10 192.168.2.2:60898 accepted udp:192.168.2.1:53 [all-in -> dns-out]
2023/07/26 14:12:10 192.168.2.2:49554 accepted tcp:198.18.1.125:443 [all-in -> proxy]
2023/07/26 14:12:10 192.168.2.2:51312 accepted tcp:192.168.2.1:53 [all-in -> direct]    // this line seems to be what triggers the repeated requests below
2023/07/26 14:12:10 192.168.2.2:59754 accepted udp:192.168.2.1:53 [all-in -> dns-out]
2023/07/26 14:12:10 192.168.2.2:49413 accepted udp:192.168.2.1:53 [all-in -> dns-out]
2023/07/26 14:12:10 192.168.2.2:51941 accepted udp:192.168.2.1:53 [all-in -> dns-out]
2023/07/26 14:12:10 192.168.2.1:34072 accepted tcp:192.168.2.1:53 [all-in -> direct]   // hundreds of requests like this appear in the actual log; this is only an excerpt
2023/07/26 14:12:10 192.168.2.1:34080 accepted tcp:192.168.2.1:53 [all-in -> direct]
2023/07/26 14:12:10 192.168.2.1:34094 accepted tcp:192.168.2.1:53 [all-in -> direct]
2023/07/26 14:12:10 192.168.2.2:50845 accepted tcp:198.18.1.187:80 [all-in -> direct]
2023/07/26 14:12:10 192.168.2.1:34100 accepted tcp:192.168.2.1:53 [all-in -> direct]
2023/07/26 14:12:10 192.168.2.1:34102 accepted tcp:192.168.2.1:53 [all-in -> direct]
2023/07/26 14:12:10 192.168.2.1:34116 accepted tcp:192.168.2.1:53 [all-in -> direct]
2023/07/26 14:12:10 192.168.2.1:34120 accepted tcp:192.168.2.1:53 [all-in -> direct]
2023/07/26 14:12:10 192.168.2.1:34132 accepted tcp:192.168.2.1:53 [all-in -> direct]
2023/07/26 14:12:10 192.168.2.1:34134 accepted tcp:192.168.2.1:53 [all-in -> direct]
2023/07/26 14:12:10 192.168.2.1:34140 accepted tcp:192.168.2.1:53 [all-in -> direct]
2023/07/26 14:12:10 192.168.2.1:34144 accepted tcp:192.168.2.1:53 [all-in -> direct]
2023/07/26 14:12:10 192.168.2.1:34158 accepted tcp:192.168.2.1:53 [all-in -> direct]
2023/07/26 14:12:10 192.168.2.1:34166 accepted tcp:192.168.2.1:53 [all-in -> direct]

The same thing happens with IPv6.

Below is part of the error log

2023/07/26 14:23:18 [Warning] transport/internet/tcp: failed to accepted raw connections > accept tcp [::]:12345: accept4: too many open files    // likewise, this error also repeats for hundreds of lines
2023/07/26 14:23:18 [Warning] transport/internet/tcp: failed to accepted raw connections > accept tcp [::]:12345: accept4: too many open files
2023/07/26 14:23:19 [Warning] transport/internet/tcp: failed to accepted raw connections > accept tcp [::]:12345: accept4: too many open files
2023/07/26 14:23:19 [Warning] transport/internet/tcp: failed to accepted raw connections > accept tcp [::]:12345: accept4: too many open files
2023/07/26 14:23:20 [Warning] transport/internet/tcp: failed to accepted raw connections > accept tcp [::]:12345: accept4: too many open files

Below is part of my xray configuration

{
    "dns": {
        "servers": ["fakedns"],
        "queryStrategy": "UseIP"
    },
    "fakedns": {
        "ipPool": "198.18.0.0/16",
        "poolSize": 65535
    },
    "routing": {
        "domainStrategy": "IPIfNonMatch",
        "rules": [
            {
                "type": "field",
                "inboundTag": ["all-in"],
                "port": 53,
                "network": "udp",
                "outboundTag": "dns-out"
            }
            // split-routing rules omitted
        ]
    },
    "inbounds": [
        {
            "tag": "all-in",
            "port": 12345,
            "protocol": "dokodemo-door",
            "settings": {
                "network": "tcp,udp",
                "followRedirect": true
            },
            "sniffing": {
                "enabled": true,
                "destOverride": ["http","tls","quic","fakedns"],
                "metadataOnly": false
            },
            "streamSettings": {
                "sockopt": {
                    "tproxy": "tproxy"
                }
            }
        }
    ],
    "outbounds": [
        // proxy omitted
        // freedom omitted
        {
            "tag": "dns-out",
            "protocol": "dns"
        }
    ]
}

Below are my iptables rules

ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -N XRAY
iptables -t mangle -A XRAY -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A XRAY -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A XRAY -d 240.0.0.0/4 -j RETURN
iptables -t mangle -A XRAY -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A XRAY -d 192.168.0.0/16 -p tcp ! --dport 53 -j RETURN
iptables -t mangle -A XRAY -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN
iptables -t mangle -A XRAY -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1
iptables -t mangle -A XRAY -p udp -j TPROXY --on-port 12345 --tproxy-mark 1
iptables -t mangle -A PREROUTING -j XRAY

ipv6=$(ip -6 route show dev lo)
ipv6_CIDR=${ipv6: 12: 24}
ip -6 rule add fwmark 1 table 106
ip -6 route add local ::/0 dev lo table 106
ip6tables -t mangle -N XRAY6
ip6tables -t mangle -A XRAY6 -d ::1/128 -j RETURN
ip6tables -t mangle -A XRAY6 -d ${ipv6_CIDR} -p tcp ! --dport 53 -j RETURN
ip6tables -t mangle -A XRAY6 -d ${ipv6_CIDR} -p udp ! --dport 53 -j RETURN
ip6tables -t mangle -A XRAY6 -p udp -j TPROXY --on-port 12345 --tproxy-mark 1
ip6tables -t mangle -A XRAY6 -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1
ip6tables -t mangle -A PREROUTING -j XRAY6
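
The access log above shows the signature of a tproxy self-loop: the tproxy inbound accepting connections whose source IP is the router's own address and whose destination is the router itself, hundreds of times within the same second. The following is an added example, not code from the issue or from Xray-core, that pulls both signals out of an Xray access log with POSIX sh and awk so the loop can be spotted before the file-descriptor limit is hit. The sample log lines are constructed to match the format shown in the issue; the inbound tag `all-in` and the threshold value are assumptions.

```sh
#!/bin/sh
# Added example (not from the issue reporter or the Xray-core project): spot tproxy
# self-loops in an Xray access log. Log format assumed, as in the issue:
#   <date> <time> <src ip:port> accepted <proto>:<dst ip:port> [<inbound> -> <outbound>]

# Constructed sample log (not the reporter's full log).
SAMPLE_LOG='2023/07/26 14:12:10 192.168.2.2:53745 accepted udp:192.168.2.1:53 [all-in -> dns-out]
2023/07/26 14:12:10 192.168.2.2:51312 accepted tcp:192.168.2.1:53 [all-in -> direct]
2023/07/26 14:12:10 192.168.2.1:34072 accepted tcp:192.168.2.1:53 [all-in -> direct]
2023/07/26 14:12:10 192.168.2.1:34080 accepted tcp:192.168.2.1:53 [all-in -> direct]
2023/07/26 14:12:10 192.168.2.2:50845 accepted tcp:198.18.1.187:80 [all-in -> direct]
2023/07/26 14:12:10 192.168.2.1:34094 accepted tcp:192.168.2.1:53 [all-in -> direct]'

# find_self_loops INBOUND_TAG < log
# Prints "<count> <proto:dst> via <outbound>" for every destination the given inbound
# accepted from the destination's own IP, i.e. a connection the proxy host opened to
# itself was intercepted again. Ports are stripped before comparing, so IPv4 and
# bracketed IPv6 addresses both work. Most frequent first.
find_self_loops() {
    tag="$1"
    awk -v tag="$tag" '
        $4 == "accepted" && $6 == ("[" tag) {
            src = $3; sub(/:[0-9]+$/, "", src)                      # drop source port
            dst = $5; sub(/^[a-z]+:/, "", dst); sub(/:[0-9]+$/, "", dst)  # drop proto and port
            out = $8; sub(/\]$/, "", out)                            # "direct]" -> "direct"
            if (src == dst) count[$5 " via " out]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -nr
}

# burst_destinations THRESHOLD < log
# Prints "<time> <proto:dst> <count>" for destinations accepted more than THRESHOLD
# times within a single log second, whatever the source. A self-loop shows up here
# first as a burst to one destination.
burst_destinations() {
    awk -v thr="$1" '
        $4 == "accepted" { c[$2 " " $5]++ }
        END { for (k in c) if (c[k] > thr) print k, c[k] }
    ' | sort
}

# Usage on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | find_self_loops all-in
printf '%s\n' "$SAMPLE_LOG" | burst_destinations 2
```

On a live router the same functions can read `access.log` directly (`find_self_loops all-in < /var/log/xray/access.log`); any non-empty output from `find_self_loops` means the rule set is feeding the proxy's own outbound connections back into the tproxy listener.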

Smallthing commented 1 year ago

There is probably something wrong with the firewall rules; they create an infinite loop.

slinar commented 1 year ago
  1. Are there any IP rules in your routing rules?
  2. Try changing "iptables -t mangle -A PREROUTING -j XRAY" to "iptables -t mangle -A PREROUTING -s 192.168.2.0/24 -j XRAY"
Caiminoyume commented 1 year ago
  1. Are there any IP rules in your routing rules?

There are IP-based split-routing rules.

  2. Try changing "iptables -t mangle -A PREROUTING -j XRAY" to "iptables -t mangle -A PREROUTING -s 192.168.2.0/24 -j XRAY"

I have now changed iptables -t mangle -A XRAY -d 192.168.0.0/16 -p tcp ! --dport 53 -j RETURN to iptables -t mangle -A XRAY -d 192.168.2.0/8 -p tcp -j RETURN, and so far I have not seen the problem.
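
What the thread converges on is a rule-ordering problem, and it is worth seeing the corrected rule set in full. The reporter's XRAY chain intercepts every TCP packet to the LAN on port 53. When the dokodemo-door inbound hands such a connection to the freedom outbound, the router opens its own connection to 192.168.2.1:53. That packet is locally generated to a local address, so it is delivered over lo, and a packet arriving on lo traverses PREROUTING and therefore the XRAY chain again, where it is TPROXYed back into the listener: exactly the 192.168.2.1:3xxxx -> 192.168.2.1:53 lines in the log. The reporter's workaround stops the loop by exempting all LAN TCP from interception, which also means xray never sees TCP DNS to the router. The usual alternative, shown below as an added example that is not the reporter's script or Xray-core's own code, is to give Xray's outbound sockets a fixed SO_MARK and to RETURN marked packets before the TPROXY target. It assumes each freedom/proxy outbound carries `"streamSettings": {"sockopt": {"mark": 255}}` and that the mark survives the lo hop, which Linux preserves for loopback traffic; the chain name, port and LAN prefix are taken from the issue, the mark values are the ones commonly used with Xray tproxy setups. The script prints the commands by default and only applies them with APPLY=1.

```sh
#!/bin/sh
# Added example (not from the issue reporter or the Xray-core project): the XRAY
# mangle chain with a loop breaker. Assumes every Xray outbound except dns-out has
#   "streamSettings": { "sockopt": { "mark": 255 } }
# so that connections Xray itself opens (e.g. tcp:192.168.2.1:53 via "direct") carry
# fwmark 0xff and are RETURNed before they can be TPROXYed a second time.
#
# Dry run by default: prints the commands. Run with APPLY=1 as root to execute them.

TPROXY_PORT=${TPROXY_PORT:-12345}
XRAY_MARK=${XRAY_MARK:-0xff}    # must equal sockopt.mark in the Xray outbounds (255)
ROUTE_MARK=${ROUTE_MARK:-1}     # mark used to route TPROXYed packets to lo
LAN=${LAN:-192.168.2.0/24}

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

xray_tproxy_rules() {
    run ip rule add fwmark "$ROUTE_MARK" table 100
    run ip route add local 0.0.0.0/0 dev lo table 100
    run iptables -t mangle -N XRAY
    # 1. Loop breaker: anything Xray sent out (marked) is never intercepted again.
    run iptables -t mangle -A XRAY -m mark --mark "$XRAY_MARK" -j RETURN
    # 2. Loopback, multicast, reserved and broadcast destinations stay local.
    for net in 127.0.0.0/8 224.0.0.0/4 240.0.0.0/4 255.255.255.255/32; do
        run iptables -t mangle -A XRAY -d "$net" -j RETURN
    done
    # 3. LAN traffic bypasses the proxy except DNS, which fakedns has to see.
    run iptables -t mangle -A XRAY -d "$LAN" -p tcp ! --dport 53 -j RETURN
    run iptables -t mangle -A XRAY -d "$LAN" -p udp ! --dport 53 -j RETURN
    # 4. Everything else goes to the dokodemo-door listener.
    run iptables -t mangle -A XRAY -p tcp -j TPROXY --on-port "$TPROXY_PORT" --tproxy-mark "$ROUTE_MARK"
    run iptables -t mangle -A XRAY -p udp -j TPROXY --on-port "$TPROXY_PORT" --tproxy-mark "$ROUTE_MARK"
    run iptables -t mangle -A PREROUTING -j XRAY
}

# Sanity check on the generated rule set: the mark RETURN must precede every TPROXY
# rule, otherwise the loop comes back. Exit status 0 when the ordering is right.
loop_breaker_first() {
    (APPLY=0; xray_tproxy_rules) | awk '
        /-m mark --mark/ && /-j RETURN/ && !seen_ret { seen_ret = NR }
        /-j TPROXY/ && !seen_tp { seen_tp = NR }
        END { exit !(seen_ret && seen_tp && seen_ret < seen_tp) }
    '
}

xray_tproxy_rules
```

The IPv6 chain from the issue needs the same `-m mark --mark 0xff -j RETURN` as its first rule. Without the matching `sockopt.mark` on the outbounds the RETURN never matches and the rule set behaves exactly like the reporter's original one, so check `ss -tnp | grep xray` or the access log for 192.168.2.1 -> 192.168.2.1:53 entries after applying it.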