fw876 / helloworld

GNU General Public License v3.0

Transparent proxy TCP tproxy problem #1260

Closed AmberisMyShiba closed 1 year ago

AmberisMyShiba commented 1 year ago

I was recently testing hy2 on a physical OpenWrt box and ran into a TCP tproxy problem. Looking at the hy1 config file, TCP transparent proxying uses the redirect method, but hy2 only offers tproxy. hy2 runs normally, but connectivity tests come back with a connection refused message.

hy2's error output is as follows.

```
2023-09-04T10:08:31Z ERROR TCP transparent proxy error {"addr": "12x.xx.xx.xxxx:49222", "reqAddr": "127.0.0.1:1234", "error": "dial error: dial tcp4 127.0.0.1: 1234: connect: connection refused"}
2023-09-04T10:08:31Z ERROR TCP transparent proxy error {"addr": "12x.xx.xx.xxxx:49232", "reqAddr": "127.0.0.1:1234", "error": "dial error: dial tcp4 127.0.0.1: 1234: connect: connection refused"}
2023-09-04T10:08:41Z ERROR TCP transparent proxy error {"addr": "192.168.1.235:46042", "reqAddr": "192.168.1.1:1234", "error": "dial error: dial tcp4 192.168.1.1: 1234: i/o timeout"}
2023-09-04T10:08:41Z ERROR TCP transparent proxy error {"addr": "12x.xx.xx.xxxx:40446", "reqAddr": "127.0.0.1:1234", "error": "dial error: dial tcp4 127.0.0.1: 1234: connect: connection refused"}
2023-09-04T10:08:51Z ERROR TCP transparent proxy error {"addr": "192.168.1.235:46280", "reqAddr": "192.168.1.1:1234", "error": "dial error: dial tcp4 192.168.1.1: 1234: i/o timeout"}
```

hy2's config is as follows.

```json
{
  "tls": {
    "insecure": false,
    "sni": "mysite.com"
  },
  "lazy": true,
  "tcpTProxy": {
    "listen": "0.0.0.0:1234"
  },
  "socks5": {
    "listen": "0.0.0.0:1080"
  },
  "fast_open": true,
  "bandwidth": {
    "down": "300 mbps",
    "up": "100 mbps"
  },
  "disable_mtu_discovery": false,
  "auth": "Strong_PASS_word",
  "server": "mysite.com:443"
}
```

The tproxy listen port is clearly 0.0.0.0:1234, so why does the error come back as 127.0.0.1 refused?

With the same config, running on Linux there is no problem at all; running on OpenWrt produces the messages above, although global socks5 works fine. Could anyone advise whether this is the kernel not supporting it or something caused by the iptables rules? How should I troubleshoot it?

tobyxdd commented 1 year ago

How did you configure the iptables/nftables rules?

AmberisMyShiba commented 1 year ago

> How did you configure the iptables/nftables rules?

I did not configure iptables specially; I'm using ssr-plus's default settings, and the firmware is built from the LEDE source. Below is my iptables:

```
root@OpenWrt:~# iptables -t mangle -L -nv
Chain PREROUTING (policy ACCEPT 1404K packets, 1375M bytes)
 pkts bytes target     prot opt in     out     source               destination
27247 2927K SS_SPEC_TPROXY udp -- br-lan 0.0.0.0/0 0.0.0.0/0 /* SS_SPEC_RULE */
15M 16G mwan3_hook all -- * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 1145K packets, 1157M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 280K packets, 219M bytes)
 pkts bytes target     prot opt in     out     source               destination
4792 291K TCPMSS tcp -- pppoe-wan 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
4613 255K TCPMSS tcp -- pppoe-wan 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 616K packets, 1092M bytes)
 pkts bytes target     prot opt in     out     source               destination
2879K 8529M mwan3_hook all -- 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 896K packets, 1311M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain SS_SPEC_TPROXY (1 references)
 pkts bytes target     prot opt in     out     source               destination
2854 194K RETURN udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 RETURN udp -- 0.0.0.0/0 0.0.0.0/8
0 0 RETURN udp -- 0.0.0.0/0 10.0.0.0/8
0 0 RETURN udp -- 0.0.0.0/0 127.0.0.0/8
0 0 RETURN udp -- 0.0.0.0/0 169.254.0.0/16
0 0 RETURN udp -- 0.0.0.0/0 172.16.0.0/12
62 8977 RETURN udp -- 0.0.0.0/0 192.168.0.0/16
954 327K RETURN udp -- 0.0.0.0/0 224.0.0.0/4
7 4260 RETURN udp -- 0.0.0.0/0 240.0.0.0/4
24 1079 RETURN udp -- 0.0.0.0/0 172.93.32.78 udp dpt:!53
0 0 RETURN udp -- 0.0.0.0/0 0.0.0.0/0 match-set bplan src
0 0 TPROXY udp -- 0.0.0.0/0 0.0.0.0/0 match-set fplan src TPROXY redirect 0.0.0.0:301 mark 0x1/0x1
10 1010 RETURN udp -- 0.0.0.0/0 0.0.0.0/0 match-set ss_spec_wan_ac dst
2679 527K RETURN udp -- 0.0.0.0/0 0.0.0.0/0 match-set china dst
0 0 DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:80
0 0 TPROXY udp -- 0.0.0.0/0 0.0.0.0/0 match-set gmlan src ! match-set china dst TPROXY redirect 0.0.0.0:301 mark 0x1/0x1
20657 1864K TPROXY udp -- 0.0.0.0/0 0.0.0.0/0 ! match-set ss_spec_wan_ac dst TPROXY redirect 0.0.0.0:301 mark 0x1/0x1

Chain mwan3_connected (2 references)
 pkts bytes target     prot opt in     out     source               destination
9205K 13G MARK all -- 0.0.0.0/0 0.0.0.0/0 match-set mwan3_connected dst MARK or 0x3f00

Chain mwan3_hook (2 references)
 pkts bytes target     prot opt in     out     source               destination
17M 24G CONNMARK all -- 0.0.0.0/0 0.0.0.0/0 CONNMARK restore mask 0x3f00
257K 17M mwan3_ifaces_in all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
183K 13M mwan3_connected all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
104K 7643K mwan3_rules all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
17M 24G CONNMARK all -- 0.0.0.0/0 0.0.0.0/0 CONNMARK save mask 0x3f00
15M 16G mwan3_connected all -- 0.0.0.0/0 0.0.0.0/0 mark match ! 0x3f00/0x3f00

Chain mwan3_iface_in_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
5 220 MARK all -- pppoe-wan 0.0.0.0/0 0.0.0.0/0 match-set mwan3_connected src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
74123 3832K MARK all -- pppoe-wan 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan */ MARK xset 0x100/0x3f00

Chain mwan3_ifaces_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
257K 17M mwan3_iface_in_wan all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00

Chain mwan3_policy_balanced (2 references)
 pkts bytes target     prot opt in     out     source               destination
23430 1772K MARK all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 statistic mode random probability 0.25000000000 /* wan 1 4 */ MARK xset 0x100/0x3f00
69667 5172K MARK all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan 3 3 */ MARK xset 0x100/0x3f00

Chain mwan3_rule_https (1 references)
 pkts bytes target     prot opt in     out     source               destination
11272 705K MARK all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 MARK xset 0x100/0x3f00
108 7265 MARK all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x100/0x3f00 ! match-set mwan3_sticky_https src,src MARK and 0xffffc0ff
108 7265 MARK all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 MARK xset 0x100/0x3f00
112 7489 MARK all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x100/0x3f00 ! match-set mwan3_sticky_https src,src MARK and 0xffffc0ff
112 7489 mwan3_policy_balanced all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
11272 705K SET all -- 0.0.0.0/0 0.0.0.0/0 mark match ! 0xfc00/0xfc00 del-set mwan3_sticky_https src,src
11272 705K SET all -- 0.0.0.0/0 0.0.0.0/0 mark match ! 0xfc00/0xfc00 add-set mwan3_sticky_https src,src

Chain mwan3_rules (1 references)
 pkts bytes target     prot opt in     out     source               destination
11272 705K mwan3_rule_https tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 443 mark match 0x0/0x3f00
92985 6936K mwan3_policy_balanced all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00

Chain qos_Default (0 references)
 pkts bytes target     prot opt in     out     source               destination
0 0 CONNMARK all -- 0.0.0.0/0 0.0.0.0/0 CONNMARK restore mask 0xf
0 0 qos_Default_ct all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf
0 0 MARK udp -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf0 length 0:500 MARK xset 0x22/0xff
0 0 MARK icmp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x11/0xff
0 0 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf0 tcp spts:1024:65535 dpts:1024:65535 MARK xset 0x44/0xff
0 0 MARK udp -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf0 udp spts:1024:65535 dpts:1024:65535 MARK xset 0x44/0xff
0 0 CONNMARK all -- 0.0.0.0/0 0.0.0.0/0 CONNMARK save mask 0xff

Chain qos_Default_ct (1 references)
 pkts bytes target     prot opt in     out     source               destination
0 0 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf tcp multiport ports 22,53 /* ssh, dns */ MARK xset 0x11/0xff
0 0 MARK udp -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf udp multiport ports 22,53 /* ssh, dns */ MARK xset 0x11/0xff
0 0 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf tcp multiport ports 20,21,25,80,110,443,993,995 /* ftp, smtp, http(s), imap */ MARK xset 0x33/0xff
0 0 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf tcp multiport ports 5190 /* AOL, iChat, ICQ */ MARK xset 0x22/0xff
0 0 MARK udp -- 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf udp multiport ports 5190 /* AOL, iChat, ICQ */ MARK xset 0x22/0xff
0 0 CONNMARK all -- 0.0.0.0/0 0.0.0.0/0 CONNMARK save mask 0xff
```
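The log and the rule dump in the post above lend themselves to two scripted checks. What follows is an added example, not Hysteria's or ssr-plus's own code; it assumes the hy2 log line format and the `iptables -t mangle -L -nv` layout shown in the thread, and the sample log lines and rule dump embedded in it are constructed, trimmed re-typings of what the reporter posted (with one ordinary remote destination added for contrast). The first check flags error events whose recorded original destination is the proxy's own listen port: a TPROXY-steered connection carries the client's real destination, so the listener's own port appearing there means that destination was not preserved before accept (the inference that such connections reached the port through a nat REDIRECT/DNAT rule instead of a mangle TPROXY rule is this example's assumption, not something the thread states). The second check walks the mangle PREROUTING chain through its user-chain jumps and reports whether any reachable TPROXY rule covers TCP on the configured port.

```python
"""Two checks for the tcpTProxy symptoms shown in this thread.

Added example, not Hysteria's or ssr-plus's own code. Assumes the hy2 log
format and the `iptables -t mangle -L -nv` layout seen in the issue."""
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed sample log: trimmed re-typings of the lines in the report, plus
# one line with an ordinary remote destination (TEST-NET address) for contrast.
SAMPLE_LOG = """\
2023-09-04T10:08:31Z ERROR TCP transparent proxy error {"addr": "192.168.1.235:49222", "reqAddr": "127.0.0.1:1234", "error": "dial error: dial tcp4 127.0.0.1:1234: connect: connection refused"}
2023-09-04T10:08:41Z ERROR TCP transparent proxy error {"addr": "192.168.1.235:46042", "reqAddr": "192.168.1.1:1234", "error": "dial error: dial tcp4 192.168.1.1:1234: i/o timeout"}
2023-09-04T10:09:02Z ERROR TCP transparent proxy error {"addr": "192.168.1.235:46300", "reqAddr": "203.0.113.10:443", "error": "dial error: dial tcp4 203.0.113.10:443: i/o timeout"}
"""

# Constructed sample rule dump: the PREROUTING chain and a shortened
# SS_SPEC_TPROXY chain in the shape the reporter posted.
SAMPLE_MANGLE = """\
Chain PREROUTING (policy ACCEPT 1404K packets, 1375M bytes)
 pkts bytes target     prot opt in     out     source               destination
27247 2927K SS_SPEC_TPROXY  udp  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* SS_SPEC_RULE */
  15M   16G mwan3_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SS_SPEC_TPROXY (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2854  194K RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
20657 1864K TPROXY     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set ss_spec_wan_ac dst TPROXY redirect 0.0.0.0:301 mark 0x1/0x1
"""

LOG_RE = re.compile(r"^(\S+) (\w+) TCP transparent proxy error (\{.*\})$")
REDIRECT_RE = re.compile(r"TPROXY redirect \S+:(\d+)")


def parse_tproxy_errors(log_text: str) -> List[Dict[str, str]]:
    """Pull the JSON fields out of each 'TCP transparent proxy error' line."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            fields = json.loads(m.group(3))
            fields["time"] = m.group(1)
            events.append(fields)
    return events


def port_of(hostport: str) -> int:
    return int(hostport.rpartition(":")[2])


def self_dial_events(events: List[Dict[str, str]], listen_port: int) -> List[Dict[str, str]]:
    """Events whose recorded original destination is the proxy's own listen port.

    A TPROXY-steered connection carries the client's real destination, so the
    listener's own port showing up here means that destination was lost before
    accept. Assumption made by this example: such connections reached the port
    through a nat REDIRECT/DNAT rule instead of a mangle TPROXY rule."""
    return [e for e in events if port_of(e["reqAddr"]) == listen_port]


def parse_mangle_chains(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Parse `iptables -t mangle -L -nv` output into chain -> rule list."""
    chains: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line.strip() and not line.lstrip().startswith("pkts"):
            parts = line.split()
            chains[current].append({"target": parts[2], "prot": parts[3], "rest": " ".join(parts[4:])})
    return chains


def tproxy_targets(chains: Dict[str, List[Dict[str, str]]], root: str = "PREROUTING") -> Set[Tuple[str, int]]:
    """(protocol, redirect port) of every TPROXY rule reachable from `root`,
    following jumps into user chains; 'all' rules inherit the caller's protocol."""
    seen: Set[str] = set()
    found: Set[Tuple[str, int]] = set()

    def walk(chain: str, proto: str) -> None:
        if chain in seen:
            return
        seen.add(chain)
        for rule in chains.get(chain, []):
            p = proto if rule["prot"] == "all" else rule["prot"]
            if rule["target"] == "TPROXY":
                m = REDIRECT_RE.search(rule["rest"])
                found.add((p, int(m.group(1)) if m else -1))
            elif rule["target"] in chains:
                walk(rule["target"], p)

    walk(root, "all")
    return found


def tcp_tproxy_rule_for(chains: Dict[str, List[Dict[str, str]]], listen_port: int) -> bool:
    """True if some TPROXY rule reachable from PREROUTING steers TCP to listen_port."""
    return any(p in ("tcp", "all") and port == listen_port for p, port in tproxy_targets(chains))


if __name__ == "__main__":
    LISTEN_PORT = 1234  # the tcpTProxy listen port from the reporter's config
    events = parse_tproxy_errors(SAMPLE_LOG)
    print(f"{len(self_dial_events(events, LISTEN_PORT))} of {len(events)} errors dial the listener's own port")
    chains = parse_mangle_chains(SAMPLE_MANGLE)
    print("TPROXY targets reachable from PREROUTING:", sorted(tproxy_targets(chains)))
    print("TCP TPROXY rule for port", LISTEN_PORT, ":", tcp_tproxy_rule_for(chains, LISTEN_PORT))
```

Run against a real box, `SAMPLE_LOG` would be replaced by the hy2 log and `SAMPLE_MANGLE` by the actual `iptables -t mangle -L -nv` output; on the constructed sample the first check flags the two 1234-port events and the second finds only a UDP TPROXY rule pointing at port 301, i.e. nothing in the mangle table steering TCP to the hy2 listener.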