Closed peter-tank closed 4 years ago
Today I dug out the firewall restore configuration. I don't understand iptables commands, but going by what they say, the rules look fine.

It may be that I tried to install the iptables-mod-extra module on an old LEDE firmware (roughly a snapshot from September this year), got a kernel mismatch error, and after that even V2Ray, which had been working normally before, started showing the same failure.
```
opkg list-installed | grep ip
ddns-scripts - 2.7.8-1
ddns-scripts_aliyun - 1.0.0-2
ddns-scripts_cloudflare.com-v4 - 2.7.8-1
ip-full - 5.0.0-1
ipset - 7.1-3
iptables - 1.8.2-2
iptables-mod-conntrack-extra - 1.8.2-2
iptables-mod-fullconenat - 2018-12-15-d4daedd0-1
iptables-mod-ipopt - 1.8.2-2
iptables-mod-tproxy - 1.8.2-2
kmod-ip6tables - 4.9.196-1
kmod-ipt-conntrack - 4.9.196-1
kmod-ipt-conntrack-extra - 4.9.196-1
kmod-ipt-core - 4.9.196-1
kmod-ipt-fullconenat - 4.9.196+2018-12-15-d4daedd0-1
kmod-ipt-ipopt - 4.9.196-1
kmod-ipt-ipset - 4.9.196-1
kmod-ipt-nat - 4.9.196-1
kmod-ipt-raw - 4.9.196-1
kmod-ipt-tproxy - 4.9.196-1
kmod-iptunnel - 4.9.196-1
kmod-nf-ipt - 4.9.196-1
kmod-nf-ipt6 - 4.9.196-1
libip4tc - 1.8.2-2
libip6tc - 1.8.2-2
libipset - 7.1-3
libjson-script - 2018-07-25-c83a84af-2
luci-lib-ip - git-19.283.54246-96348c8-1
sqm-scripts - 1.3.0-1
```
```sh
#!/bin/sh
iptables-save -c | grep -v "SS_SPEC" | iptables-restore -c
iptables-restore -n <<-EOT
	*nat
	:SS_SPEC_WAN_AC - [0:0]
	:SS_SPEC_WAN_FW - [0:0]
	-I PREROUTING 1 -p tcp -m comment --comment _SS_SPEC_RULE_ -j SS_SPEC_WAN_AC
	-I OUTPUT 1 -p tcp -m comment --comment _SS_SPEC_RULE_ -j SS_SPEC_WAN_AC
	-A SS_SPEC_WAN_AC -m set --match-set whitelist dst -j RETURN
	-A SS_SPEC_WAN_AC -m set --match-set blacklist dst -j SS_SPEC_WAN_FW
	-A SS_SPEC_WAN_AC -m set --match-set fplan src -j SS_SPEC_WAN_FW
	-A SS_SPEC_WAN_AC -d vps.ip.addr/32 -j RETURN
	-A SS_SPEC_WAN_AC -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW
	-A SS_SPEC_WAN_AC -m set --match-set gmlan src -m set ! --match-set china dst -j SS_SPEC_WAN_FW
	-A SS_SPEC_WAN_AC -m set --match-set china dst -j RETURN
	-A SS_SPEC_WAN_FW -d 0.0.0.0/8 -j RETURN
	-A SS_SPEC_WAN_FW -d 10.0.0.0/8 -j RETURN
	-A SS_SPEC_WAN_FW -d 127.0.0.0/8 -j RETURN
	-A SS_SPEC_WAN_FW -d 169.254.0.0/16 -j RETURN
	-A SS_SPEC_WAN_FW -d 172.16.0.0/12 -j RETURN
	-A SS_SPEC_WAN_FW -d 192.168.0.0/16 -j RETURN
	-A SS_SPEC_WAN_FW -d 224.0.0.0/4 -j RETURN
	-A SS_SPEC_WAN_FW -d 240.0.0.0/4 -j RETURN
	-A SS_SPEC_WAN_FW -p tcp -j REDIRECT --to-ports 1234
	COMMIT
	*mangle
	COMMIT
EOT
```
```sh
#!/bin/sh
iptables-save -c | grep -v "SS_SPEC" | iptables-restore -c
iptables-restore -n <<-EOT
	*nat
	:SS_SPEC_WAN_AC - [0:0]
	:SS_SPEC_WAN_FW - [0:0]
	-I PREROUTING 1 -p tcp -m comment --comment _SS_SPEC_RULE_ -j SS_SPEC_WAN_AC
	-I OUTPUT 1 -p tcp -m comment --comment _SS_SPEC_RULE_ -j SS_SPEC_WAN_AC
	-A SS_SPEC_WAN_AC -m set --match-set whitelist dst -j RETURN
	-A SS_SPEC_WAN_AC -m set --match-set blacklist dst -j SS_SPEC_WAN_FW
	-A SS_SPEC_WAN_AC -m set --match-set fplan src -j SS_SPEC_WAN_FW
	-A SS_SPEC_WAN_AC -d vps.ip.addr/32 -j RETURN
	-A SS_SPEC_WAN_AC -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW
	-A SS_SPEC_WAN_AC -m set --match-set gmlan src -m set ! --match-set china dst -j SS_SPEC_WAN_FW
	-A SS_SPEC_WAN_AC -m set --match-set china dst -j RETURN
	-A SS_SPEC_WAN_FW -d 0.0.0.0/8 -j RETURN
	-A SS_SPEC_WAN_FW -d 10.0.0.0/8 -j RETURN
	-A SS_SPEC_WAN_FW -d 127.0.0.0/8 -j RETURN
	-A SS_SPEC_WAN_FW -d 169.254.0.0/16 -j RETURN
	-A SS_SPEC_WAN_FW -d 172.16.0.0/12 -j RETURN
	-A SS_SPEC_WAN_FW -d 192.168.0.0/16 -j RETURN
	-A SS_SPEC_WAN_FW -d 224.0.0.0/4 -j RETURN
	-A SS_SPEC_WAN_FW -d 240.0.0.0/4 -j RETURN
	-A SS_SPEC_WAN_FW -p tcp -j REDIRECT --to-ports 1234
	COMMIT
	*mangle
	:SS_SPEC_TPROXY - [0:0]
	-I PREROUTING 1 -p udp -m comment --comment _SS_SPEC_RULE_ -j SS_SPEC_TPROXY
	-A SS_SPEC_TPROXY -p udp -m udp --dport 53 -j RETURN
	-A SS_SPEC_TPROXY -d 0.0.0.0/8 -p udp -j RETURN
	-A SS_SPEC_TPROXY -d 10.0.0.0/8 -p udp -j RETURN
	-A SS_SPEC_TPROXY -d 127.0.0.0/8 -p udp -j RETURN
	-A SS_SPEC_TPROXY -d 169.254.0.0/16 -p udp -j RETURN
	-A SS_SPEC_TPROXY -d 172.16.0.0/12 -p udp -j RETURN
	-A SS_SPEC_TPROXY -d 192.168.0.0/16 -p udp -j RETURN
	-A SS_SPEC_TPROXY -d 224.0.0.0/4 -p udp -j RETURN
	-A SS_SPEC_TPROXY -d 240.0.0.0/4 -p udp -j RETURN
	-A SS_SPEC_TPROXY -d vps.ip.addr/32 -p udp -j RETURN
	-A SS_SPEC_TPROXY -p udp -m set --match-set fplan src -j TPROXY --on-port 1234 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
	-A SS_SPEC_TPROXY -p udp -m set --match-set china dst -j RETURN
	-A SS_SPEC_TPROXY -p udp -m set --match-set gmlan src -m set ! --match-set china dst -j TPROXY --on-port 1234 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
	-A SS_SPEC_TPROXY -p udp -m set --match-set gfwlist dst -j TPROXY --on-port 1234 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
	COMMIT
EOT
```
But I could only find last year's LEDE stable release 17.01.5, and the official OpenWrt build has never merged the large-memory patch I need (128M NAND @ ar71xx for WNDR3700 & WNDR4300). So I switched repositories, picked the one with the closest kernel version (kernel 4.9.196; the older stable release is kernel 4.9.152) and ran `opkg install iptables-mod-extra`. Force-installing a generic package like this shouldn't be much of a problem, should it? (current kernel 4.9.182)

I dropped in the full V2Ray binaries I compiled by hand (v2ray, v2ctl); the problem persists...

Also, installing iptables-mod-extra from the other repository as described above does not actually get loaded (iptables-mod-extra_1.6.2); kmodloader seems to ignore modules built for a different kernel version.

The reason I'm bothering with this module is that I want to switch to ss-tproxy to handle this, because I got it configured successfully on another router; it's just less convenient without LuCI.
Found a good example, so here is another round... `LAN -> router1(192.168.2.0/24) -> router2(192.168.1.0/24) -> ISP ...`

LAN nslookup passes:

```
nslookup bing.com router.ip.addr#53
Non-authoritative answer:
Name:    bing.com
Address: 204.79.197.200
Name:    bing.com
Address: 13.107.21.200
Name:    bing.com
Address: 2620:1ec:c11::200

curl -v4 https://bing.com --resolve bing.com:443:13.107.21.200
```

LAN curl succeeds:

```
curl -v4 https://www.bing.com
curl -v4 https://bing.com --resolve bing.com:443:202.89.233.100
> GET / HTTP/2
> Host: bing.com
> User-Agent: curl/7.66.0
> Accept: */*
< HTTP/2 301
< location: https://cn.bing.com/
< server: Microsoft-IIS/10.0
< x-msedge-ref: Ref A: 9742F37156B341D5A3F67ACB0417585A Ref B: BJ1EDGE0112 Ref C: 2019-11-21T00:01:12Z
```
----
On router1, nslookup passes:

```
nslookup bing.com router.ip.addr#53
nslookup bing.com router.ip.addr:5335
nslookup bing.com router.ip.addr:5353
Name:      bing.com
Address 1: 204.79.197.200
Address 2: 13.107.21.200
Address 3: 2620:1ec:c11::200

nslookup www.bing.com router.ip.addr#53
Server:    router.ip.addr
Address:   router.ip.addr#53

Name:      www.bing.com
www.bing.com canonical name = a-0001.a-afdentry.net.trafficmanager.net
Name:      a-0001.a-afdentry.net.trafficmanager.net
a-0001.a-afdentry.net.trafficmanager.net canonical name = cn.cn-0001.cn-msedge.net
Name:      cn.cn-0001.cn-msedge.net
cn.cn-0001.cn-msedge.net canonical name = cn-0001.cn-msedge.net
Name:      cn-0001.cn-msedge.net
Address 1: 202.89.233.100
Address 2: 202.89.233.101
www.bing.com canonical name = a-0001.a-afdentry.net.trafficmanager.net
a-0001.a-afdentry.net.trafficmanager.net canonical name = cn.cn-0001.cn-msedge.net
cn.cn-0001.cn-msedge.net canonical name = cn-0001.cn-msedge.net
Server:    router.ip.addr
Address:   router.ip.addr#53
```
- `fw3 reload` (mia, adbyby disabled):
- `grep -rn "bing\.com" /var/etc/*`
- `grep -rn "www\.bing\.com" /var/etc/*`
- `grep -rn "13\." /var/dnsmasq.*`
- `grep -rn "bing\.com" /var/dnsmasq.*`
- `grep -rn "www\.bing\.com" /var/dnsmasq.*`
- `for l in $(ipset list -n); do echo "----------##$l"; ipset list $l | grep -n "^13\."; done`
- `for l in $(ipset list -n); do echo "---------##$l"; ipset list $l | grep -n "^127\."; done`
```
----------##gmlan
----------##ss_spec_wan_ac
5931:127.0.0.0/8
----------##gfwlist
----------##fplan
----------##whitelist
----------##blacklist
----------##ss_spec_lan_ac
----------##china
```
- `for l in $(ipset list -n); do echo "----------##$l"; ipset list $l | grep -n "^192\."; done`
- show_iptables

```
Chain PREROUTING (policy ACCEPT 2041 packets, 117K bytes)
num pkts bytes target prot opt in out source destination
1 1564 54972 SS_SPEC_TPROXY udp -- * * 0.0.0.0/0 0.0.0.0/0 /* _SS_SPEC_RULE_ */

Chain INPUT (policy ACCEPT 2041 packets, 117K bytes)
num pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 19 1140 TCPMSS tcp -- wlan1 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
2 0 0 TCPMSS tcp -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 890 packets, 86127 bytes)
num pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 890 packets, 86127 bytes)
num pkts bytes target prot opt in out source destination

Chain SS_SPEC_TPROXY (1 references)
num pkts bytes target prot opt in out source destination
1 123 6827 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
2 0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/8
3 0 0 RETURN udp -- * * 0.0.0.0/0 10.0.0.0/8
4 120 9312 RETURN udp -- * * 0.0.0.0/0 127.0.0.0/8
5 0 0 RETURN udp -- * * 0.0.0.0/0 169.254.0.0/16
6 0 0 RETURN udp -- * * 0.0.0.0/0 172.16.0.0/12
7 1311 37383 RETURN udp -- * * 0.0.0.0/0 192.168.0.0/16
8 0 0 RETURN udp -- * * 0.0.0.0/0 224.0.0.0/4
9 10 1450 RETURN udp -- * * 0.0.0.0/0 240.0.0.0/4
10 0 0 RETURN udp -- * * 0.0.0.0/0 113.190.241.173
11 0 0 TPROXY udp -- * * 0.0.0.0/0 0.0.0.0/0 match-set fplan src TPROXY redirect 0.0.0.0:1234 mark 0x100/0xfff
12 0 0 TPROXY udp -- * * 0.0.0.0/0 0.0.0.0/0 match-set gmlan src ! match-set china dst TPROXY redirect 0.0.0.0:1234 mark 0x100/0xfff
13 0 0 TPROXY udp -- * * 0.0.0.0/0 0.0.0.0/0 ! match-set ss_spec_wan_ac dst TPROXY redirect 0.0.0.0:1234 mark 0x100/0xfff

Chain PREROUTING (policy ACCEPT 16 packets, 1810 bytes)
num pkts bytes target prot opt in out source destination
1 6 360 SS_SPEC_WAN_AC tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* _SS_SPEC_RULE_ */
2 2254 151K REDIRECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 redir ports 53
3 0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 redir ports 53
4 566 64132 prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom prerouting rule chain */
5 334 31432 zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
6 232 32700 zone_wan_prerouting all -- wlan1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
7 0 0 zone_wan_prerouting all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain INPUT (policy ACCEPT 10 packets, 630 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 67 packets, 3766 bytes)
num pkts bytes target prot opt in out source destination
1 4 240 SS_SPEC_WAN_AC tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* _SS_SPEC_RULE_ */

Chain POSTROUTING (policy ACCEPT 64 packets, 3559 bytes)
num pkts bytes target prot opt in out source destination
1 1322 77044 postrouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom postrouting rule chain */
2 0 0 zone_lan_postrouting all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
3 315 20281 zone_wan_postrouting all -- * wlan1 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
4 0 0 zone_wan_postrouting all -- * eth0.2 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain MINIUPNPD (1 references)
num pkts bytes target prot opt in out source destination

Chain MINIUPNPD-POSTROUTING (1 references)
num pkts bytes target prot opt in out source destination

Chain SS_SPEC_WAN_AC (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set whitelist dst
2 0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set blacklist dst
3 0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set fplan src
4 0 0 RETURN all -- * * 0.0.0.0/0 113.190.241.173
5 8 480 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ss_spec_wan_ac dst
6 2 120 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SS_SPEC_WAN_FW (3 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/8
2 0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8
3 0 0 RETURN all -- * * 0.0.0.0/0 127.0.0.0/8
4 0 0 RETURN all -- * * 0.0.0.0/0 169.254.0.0/16
5 0 0 RETURN all -- * * 0.0.0.0/0 172.16.0.0/12
6 0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16
7 0 0 RETURN all -- * * 0.0.0.0/0 224.0.0.0/4
8 0 0 RETURN all -- * * 0.0.0.0/0 240.0.0.0/4
9 2 120 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 redir ports 1234

Chain postrouting_lan_rule (1 references)
num pkts bytes target prot opt in out source destination

Chain postrouting_rule (1 references)
num pkts bytes target prot opt in out source destination

Chain postrouting_wan_rule (1 references)
num pkts bytes target prot opt in out source destination

Chain prerouting_lan_rule (1 references)
num pkts bytes target prot opt in out source destination

Chain prerouting_rule (1 references)
num pkts bytes target prot opt in out source destination

Chain prerouting_wan_rule (1 references)
num pkts bytes target prot opt in out source destination

Chain zone_lan_postrouting (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 postrouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan postrouting rule chain */

Chain zone_lan_prerouting (1 references)
num pkts bytes target prot opt in out source destination
1 334 31432 prerouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan prerouting rule chain */

Chain zone_wan_postrouting (2 references)
num pkts bytes target prot opt in out source destination
1 314 20204 MINIUPNPD-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
2 315 20281 postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan postrouting rule chain */
3 315 20281 FULLCONENAT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain zone_wan_prerouting (2 references)
num pkts bytes target prot opt in out source destination
1 232 32700 MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
2 232 32700 prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan prerouting rule chain */
3 232 32700 FULLCONENAT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
```
I think I've figured it out now. Thanks to someone's CI I tried assembling the packages myself, and found that netfilter-related things really should not be updated from the official releases. The FULLCONENAT patches are absolutely incompatible with the official packages.
Actually, it has nothing to do with iptables or the FULLCONENAT patch. It's my fault: I had forgotten that I changed the listen address to 127.0.0.1, not the desired 0.0.0.0.
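As an added check that is not part of this issue or of the project, a small Python script: it parses an iptables-restore fragment like the ones above for the REDIRECT/TPROXY ports and compares them against a `netstat -ln` listing, flagging a proxy bound to 127.0.0.1, which is the misconfiguration reported in this comment. Both inputs are constructed samples; on a router you would feed it `iptables-save` and `netstat -lnp` output.

```python
import re
# Constructed sample shaped like this issue's restore fragment (not the issue's own file).
RULES = """*nat
:SS_SPEC_WAN_FW - [0:0]
-A SS_SPEC_WAN_FW -p tcp -j REDIRECT --to-ports 1234
COMMIT
*mangle
:SS_SPEC_TPROXY - [0:0]
-A SS_SPEC_TPROXY -p udp -m set --match-set gfwlist dst -j TPROXY --on-port 1234 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
COMMIT
"""

# Constructed `netstat -lnp` listing reproducing this comment's mistake: TCP bound to 127.0.0.1.
LISTENERS = """Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:1234          0.0.0.0:*               LISTEN      1234/v2ray
udp        0      0 0.0.0.0:1234            0.0.0.0:*                           1234/v2ray
"""

def proxy_ports(rules):
    """Collect (proto, port) pairs that REDIRECT/TPROXY rules hand to a local proxy."""
    ports = set()
    for line in rules.splitlines():
        m = re.search(r"-p (tcp|udp)\b.*?(?:--to-ports|--on-port) (\d+)", line)
        if m:
            ports.add((m.group(1), int(m.group(2))))
    return ports

def listeners(netstat):
    """Map (proto, port) -> bound local address, parsed from netstat -ln output."""
    bound = {}
    for line in netstat.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] in ("tcp", "udp"):
            ip, _, port = f[3].rpartition(":")
            bound[(f[0], int(port))] = ip
    return bound

def check(rules, netstat):
    """Flag proxy ports with no listener or with a loopback-only listener.
    REDIRECT in PREROUTING rewrites the destination to the inbound interface's own
    address (only OUTPUT traffic maps to 127.0.0.1) and TPROXY keeps the original
    destination, so a 127.0.0.1 socket only ever sees the router's own traffic."""
    bound = listeners(netstat)
    problems = []
    for proto, port in sorted(proxy_ports(rules)):
        ip = bound.get((proto, port))
        if ip is None:
            problems.append(f"{proto}/{port}: no listener")
        elif ip.startswith("127.") or ip == "::1":
            problems.append(f"{proto}/{port}: bound to {ip}, LAN clients cannot reach it")
    return problems
```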
I tried adding support for the Trojan proxy and found it can only proxy the router's own traffic. Could anyone tell me how ssr-rules needs to be set up for transparent proxying to work properly?