ginuerzh / gost

GO Simple Tunnel - a simple tunnel written in golang
MIT License
15.57k stars 2.44k forks

[Question] Can I transparently proxy all TCP and UDP with this configuration? #775

Closed CCint3 closed 6 months ago

CCint3 commented 2 years ago

Scenario: proxy all TCP/UDP traffic to external networks, e.g. when this machine accesses http://www.baidu.com it goes through the proxy, while access to 192.168.x.x is not proxied.

gost server, IP 192.168.3.75, listening on port 1088 and running a socks5 service; started with:

gost -L socks5://abcde:abcde@0.0.0.0:1088

gost client, IP 192.168.3.195, listening on port 12345 and forwarding TCP/UDP traffic over the socks5 protocol to the server at 192.168.3.75:1088:

gost -L red://:12345?ttl=5 -L redu://:12345?ttl=5 -F socks5://abcde:abcde@192.168.3.75:1088

The client's iptables configuration is as follows:

printf "[apply_iptables]: Create nat.PROXIES chain.\n"
iptables -t nat -N PROXIES

printf "[apply_iptables]: Ignore LANs and some other reserved addresses. for nat.PROXIES\n"
printf "   See Wikipedia and RFC5735 for full list of reserved networks.\n"
iptables -t nat -A PROXIES -p tcp -d 0.0.0.0/8          -j RETURN
iptables -t nat -A PROXIES -p tcp -d 10.0.0.0/8         -j RETURN
iptables -t nat -A PROXIES -p tcp -d 100.64.0.0/10      -j RETURN
iptables -t nat -A PROXIES -p tcp -d 127.0.0.0/8        -j RETURN
iptables -t nat -A PROXIES -p tcp -d 169.254.0.0/16     -j RETURN
iptables -t nat -A PROXIES -p tcp -d 172.16.0.0/12      -j RETURN
iptables -t nat -A PROXIES -p tcp -d 192.0.0.0/24       -j RETURN
iptables -t nat -A PROXIES -p tcp -d 192.0.2.0/24       -j RETURN
iptables -t nat -A PROXIES -p tcp -d 192.88.99.0/24     -j RETURN
iptables -t nat -A PROXIES -p tcp -d 192.168.0.0/16     -j RETURN
iptables -t nat -A PROXIES -p tcp -d 198.18.0.0/15      -j RETURN
iptables -t nat -A PROXIES -p tcp -d 198.51.100.0/24    -j RETURN
iptables -t nat -A PROXIES -p tcp -d 203.0.113.0/24     -j RETURN
iptables -t nat -A PROXIES -p tcp -d 224.0.0.0/4        -j RETURN
iptables -t nat -A PROXIES -p tcp -d 240.0.0.0/4        -j RETURN
iptables -t nat -A PROXIES -p tcp -d 255.255.255.255/32 -j RETURN

printf "[apply_iptables]: Ignore proxy IP address in nat.PROXIES chain.\n"
iptables -t nat -A PROXIES -p tcp -d 192.168.3.75/32       -j RETURN # gost server IP: never redirect the client's own proxy traffic

printf "[apply_iptables]: Anything else should be redirected to local port.\n"
iptables -t nat -A PROXIES -p tcp -j REDIRECT --to-ports 12345 # redirect remaining TCP traffic to local port 12345 (the red:// listener)

printf "[apply_iptables]: Create mangle.PROXIES and mangle.PROXIES_LOCAL chain.\n"
iptables -t mangle -N PROXIES
iptables -t mangle -N PROXIES_LOCAL

printf "[apply_iptables]: Ignore LANs and some other reserved addresses. for mangle.PROXIES\n"
iptables -t mangle -A PROXIES -p udp -d 0.0.0.0/8          -j RETURN
iptables -t mangle -A PROXIES -p udp -d 10.0.0.0/8         -j RETURN
iptables -t mangle -A PROXIES -p udp -d 100.64.0.0/10      -j RETURN
iptables -t mangle -A PROXIES -p udp -d 127.0.0.0/8        -j RETURN
iptables -t mangle -A PROXIES -p udp -d 169.254.0.0/16     -j RETURN
iptables -t mangle -A PROXIES -p udp -d 172.16.0.0/12      -j RETURN
iptables -t mangle -A PROXIES -p udp -d 192.0.0.0/24       -j RETURN
iptables -t mangle -A PROXIES -p udp -d 192.0.2.0/24       -j RETURN
iptables -t mangle -A PROXIES -p udp -d 192.88.99.0/24     -j RETURN
iptables -t mangle -A PROXIES -p udp -d 192.168.0.0/16     -j RETURN
iptables -t mangle -A PROXIES -p udp -d 198.18.0.0/15      -j RETURN
iptables -t mangle -A PROXIES -p udp -d 198.51.100.0/24    -j RETURN
iptables -t mangle -A PROXIES -p udp -d 203.0.113.0/24     -j RETURN
iptables -t mangle -A PROXIES -p udp -d 224.0.0.0/4        -j RETURN
iptables -t mangle -A PROXIES -p udp -d 240.0.0.0/4        -j RETURN
iptables -t mangle -A PROXIES -p udp -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A PROXIES -p udp -j TPROXY --on-ip 127.0.0.1 --on-port 12345 --tproxy-mark 0x474F5354 # 0x474F5354 is 'GOST'; redirect remaining UDP traffic to local port 12345 (the redu:// listener)

printf "[apply_iptables]: Ignore LANs and some other reserved addresses. for mangle.PROXIES_LOCAL\n"
iptables -t mangle -A PROXIES_LOCAL -p udp -d 0.0.0.0/8          -j RETURN
iptables -t mangle -A PROXIES_LOCAL -p udp -d 10.0.0.0/8         -j RETURN
iptables -t mangle -A PROXIES_LOCAL -p udp -d 100.64.0.0/10      -j RETURN
iptables -t mangle -A PROXIES_LOCAL -p udp -d 127.0.0.0/8        -j RETURN
iptables -t mangle -A PROXIES_LOCAL -p udp -d 169.254.0.0/16     -j RETURN
iptables -t mangle -A PROXIES_LOCAL -p udp -d 172.16.0.0/12      -j RETURN
iptables -t mangle -A PROXIES_LOCAL -p udp -d 192.0.0.0/24       -j RETURN
iptables -t mangle -A PROXIES_LOCAL -p udp -d 192.0.2.0/24       -j RETURN
iptables -t mangle -A PROXIES_LOCAL -p udp -d 192.88.99.0/24     -j RETURN
iptables -t mangle -A PROXIES_LOCAL -p udp -d 192.168.0.0/16     -j RETURN
iptables -t mangle -A PROXIES_LOCAL -p udp -d 198.18.0.0/15      -j RETURN
iptables -t mangle -A PROXIES_LOCAL -p udp -d 198.51.100.0/24    -j RETURN
iptables -t mangle -A PROXIES_LOCAL -p udp -d 203.0.113.0/24     -j RETURN
iptables -t mangle -A PROXIES_LOCAL -p udp -d 224.0.0.0/4        -j RETURN
iptables -t mangle -A PROXIES_LOCAL -p udp -d 240.0.0.0/4        -j RETURN
iptables -t mangle -A PROXIES_LOCAL -p udp -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A PROXIES_LOCAL -p udp -d 192.168.3.75/32       -j RETURN # gost server IP: never mark the client's own proxy traffic
iptables -t mangle -A PROXIES_LOCAL -p udp -j MARK --set-mark 0x474F5354 # 0x474F5354 is 'GOST'; the mark is what the ip rule below keys on

printf "[apply_iptables]: apply ip rule and route.\n"
ip rule add fwmark 0x474F5354 table 100 # 0x474F5354 is 'GOST'; marked packets are looked up in table 100
ip route add local 0.0.0.0/0 dev lo table 100

printf "[apply_iptables]: apply nat.PROXIES Chain to nat.OUTPUT for all tcp.\n"
iptables -t nat    -A OUTPUT     -p tcp -j PROXIES

printf "[apply_iptables]: apply mangle.PROXIES Chain to mangle.PREROUTING for all udp.\n"
iptables -t mangle -A PREROUTING -p udp -j PROXIES

printf "[apply_iptables]: apply mangle.PROXIES_LOCAL Chain to mangle.OUTPUT for all udp.\n"
iptables -t mangle -A OUTPUT     -p udp -j PROXIES_LOCAL

printf "[apply_iptables]: lookup nat.OUTPUT table.\n"
iptables --line-numbers -t nat -nvxL OUTPUT
printf "* * * * * * * * * * * * * * * * * * * * * * * * * * * *\n\n"

printf "[apply_iptables]: lookup nat.PROXIES table.\n"
iptables --line-numbers -t nat -nvxL PROXIES
printf "* * * * * * * * * * * * * * * * * * * * * * * * * * * *\n\n"

printf "[apply_iptables]: lookup mangle.PREROUTING table.\n"
iptables --line-numbers -t mangle -nvxL PREROUTING
printf "* * * * * * * * * * * * * * * * * * * * * * * * * * * *\n\n"

printf "[apply_iptables]: lookup mangle.OUTPUT table.\n"
iptables --line-numbers -t mangle -nvxL OUTPUT
printf "* * * * * * * * * * * * * * * * * * * * * * * * * * * *\n\n"

printf "[apply_iptables]: lookup mangle.PROXIES table.\n"
iptables --line-numbers -t mangle -nvxL PROXIES
printf "* * * * * * * * * * * * * * * * * * * * * * * * * * * *\n\n"

printf "[apply_iptables]: lookup mangle.PROXIES_LOCAL table.\n"
iptables --line-numbers -t mangle -nvxL PROXIES_LOCAL

CCint3 commented 2 years ago

The main question is whether this configuration is fully OK when proxying UDP; I don't quite understand how UDP traffic flows under this setup. Some material I found online says it goes udp -> mangle.PREROUTING -> IP ROUTE -> mangle.OUTPUT -> loopback -> mangle.PREROUTING -> out to the network???
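As an added illustration (editor's example, not code from the issue author or from the gost project), the Go program below models what the iptables script above does with a flow generated on the client itself: it applies the same reserved-network RETURN list and the explicit gost-server exception, then reports the hook sequence the packet takes, nat.OUTPUT with REDIRECT for TCP, and for UDP the MARK in mangle.OUTPUT, the fwmark policy route into table 100 (a local route via lo), re-entry at mangle.PREROUTING and finally TPROXY to the redu:// listener. The prefixes, the server address 192.168.3.75 and the mark 0x474F5354 are taken from the issue; the sample destinations in main are constructed. Running it lets you confirm the two properties the question is really about: LAN and proxy-server traffic is never redirected (so the redirector cannot loop on its own upstream), and everything else is.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net/netip"
)

// Every -d network that the nat.PROXIES, mangle.PROXIES and
// mangle.PROXIES_LOCAL chains in the issue RETURN from (order preserved).
var bypassPrefixes = mustPrefixes(
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
	"169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
	"192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
	"203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32",
)

// The gost server from the issue. Traffic to it must never be redirected,
// otherwise the proxied connection would be fed back into the redirector.
var proxyServer = netip.MustParseAddr("192.168.3.75")

// The fwmark the script uses; it spells "GOST" as big-endian ASCII.
const gostMark uint32 = 0x474F5354

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// MarkASCII decodes a 32-bit fwmark into the four bytes it encodes.
func MarkASCII(mark uint32) string {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], mark)
	return string(b[:])
}

// Decision records what the chains do with one locally generated flow.
type Decision struct {
	Proxied bool
	Reason  string   // the rule that decided
	Path    []string // netfilter hooks and targets traversed, in order
}

// Classify mirrors the script for traffic originating on the client host:
// nat.OUTPUT for TCP, mangle.OUTPUT followed by mangle.PREROUTING for UDP.
func Classify(proto, dst string) (Decision, error) {
	addr, err := netip.ParseAddr(dst)
	if err != nil || !addr.Is4() {
		return Decision{}, fmt.Errorf("need an IPv4 destination, got %q", dst)
	}
	// Reserved networks come first in the chains, so 192.168.3.75 is caught
	// by 192.168.0.0/16 before its dedicated rule is reached.
	for _, p := range bypassPrefixes {
		if p.Contains(addr) {
			return Decision{Reason: "RETURN: reserved network " + p.String()}, nil
		}
	}
	if addr == proxyServer {
		return Decision{Reason: "RETURN: destination is the gost server"}, nil
	}
	switch proto {
	case "tcp":
		return Decision{
			Proxied: true,
			Reason:  "REDIRECT --to-ports 12345 (red:// listener)",
			Path:    []string{"nat.OUTPUT", "nat.PROXIES", "REDIRECT -> 127.0.0.1:12345"},
		}, nil
	case "udp":
		return Decision{
			Proxied: true,
			Reason:  "MARK, fwmark policy route, TPROXY (redu:// listener)",
			Path: []string{
				"mangle.OUTPUT", "mangle.PROXIES_LOCAL",
				fmt.Sprintf("MARK --set-mark 0x%X", gostMark),
				"ip rule fwmark -> table 100", "local route via lo",
				"mangle.PREROUTING", "mangle.PROXIES", "TPROXY --on-port 12345",
			},
		}, nil
	}
	return Decision{}, fmt.Errorf("unsupported protocol %q", proto)
}

func main() {
	// Constructed sample flows: LAN host, the proxy server, two public addresses.
	for _, c := range [][2]string{
		{"tcp", "192.168.3.1"}, {"udp", "192.168.3.75"}, {"tcp", "1.1.1.1"}, {"udp", "8.8.8.8"},
	} {
		d, err := Classify(c[0], c[1])
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s %-14s proxied=%-5v %s %v\n", c[0], c[1], d.Proxied, d.Reason, d.Path)
	}
	fmt.Printf("mark 0x%X = %q\n", gostMark, MarkASCII(gostMark))
}
```

The model covers only flows generated on the client; mangle.PROXIES is also hooked at PREROUTING, so UDP arriving from other hosts would be classified by the same list but without the PROXIES_LOCAL step.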