hmgle / graftcp

A flexible tool for redirecting a given program's TCP traffic to SOCKS5 or HTTP proxy.
GNU General Public License v3.0
2.1k stars, 173 forks

Another, simpler way to implement the redirection on Linux #17

Closed. heiher closed this 1 year ago

heiher commented 5 years ago

Based on iptables plus the network classifier cgroup (net_cls), this implements per-app TCP and DNS redirection, is inherited automatically by child processes, and is simpler to implement.

Implementation details: https://hev.cc/2813.html

hmgle commented 5 years ago

I installed it and gave it a try: requesting Google through tproxy failed, while connecting to Baidu succeeded.

tproxy curl --verbose https://www.google.com
* Rebuilt URL to: https://www.google.com/
* Hostname was NOT found in DNS cache
*   Trying 172.217.20.100...
* connect to 172.217.20.100 port 443 failed: Connection timed out
* Failed to connect to www.google.com port 443: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to www.google.com port 443: Connection timed out

From what I can see, the traffic was not being redirected; it had no effect.

hmgle commented 5 years ago

If you use iptables, you can also refer to 依云's post on using cgroups net_cls to route Docker through a proxy.

heiher commented 5 years ago

I installed it and gave it a try: requesting Google through tproxy failed, while connecting to Baidu succeeded.

tproxy curl --verbose https://www.google.com
* Rebuilt URL to: https://www.google.com/
* Hostname was NOT found in DNS cache
*   Trying 172.217.20.100...
* connect to 172.217.20.100 port 443 failed: Connection timed out
* Failed to connect to www.google.com port 443: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to www.google.com port 443: Connection timed out

From what I can see, the traffic was not being redirected; it had no effect.

Two things to confirm:

  1. Whether the process was actually added to the tproxy cgroup. (You can add the current bash process to it; every external command it forks a child to run will then be redirected.)
  2. Whether the iptables tproxy rules were loaded successfully, and whether the cgroup match and the redirect are correct. (Are you using it together with ss-redir? I have never used ss-redir; how does it handle DNS?)
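
The two checks above as an added shell diagnostic; this is not part of graftcp or of the hev.cc tproxy script. It assumes the net_cls (cgroup v1) controller is the one in use, that the cgroup is named "tproxy", and that the redirect rule sits in the nat OUTPUT chain, none of which the thread states.

```shell
#!/bin/sh
# Added diagnostic for the two checks above; not part of graftcp or hev.cc's tproxy.
# Assumptions (not stated in the thread): net_cls is the cgroup v1 controller used,
# the cgroup is named "tproxy", and the redirect rule is in the nat OUTPUT chain.

# Print the net_cls hierarchy path from the text of /proc/<pid>/cgroup,
# whose lines look like "3:net_cls,net_prio:/tproxy". Prints nothing if absent.
net_cls_path() {
    printf '%s\n' "$1" | awk -F: '$2 ~ /(^|,)net_cls(,|$)/ { print $3; exit }'
}

# Check 1: is <pid> (default: this shell) in the tproxy net_cls cgroup?
# Returns 0 if yes, 1 if not, 2 if the cgroup file is unreadable.
in_tproxy_cgroup() {
    pid=${1:-$$}
    [ -r "/proc/$pid/cgroup" ] || return 2
    [ "$(net_cls_path "$(cat "/proc/$pid/cgroup")")" = "/tproxy" ]
}

# Check 2a: can this iptables build load the cgroup match at all? A build that
# is too old (the root cause found later in this thread) cannot, and its
# "-m cgroup --help" output then never lists the --cgroup option.
iptables_has_cgroup_match() {
    command -v iptables >/dev/null 2>&1 || return 2
    iptables -m cgroup --help 2>&1 | grep -q -- '--cgroup'
}

# Check 2b: is the redirect rule for <classid> to local port <port> loaded?
# "iptables -C" exits 0 only when that exact rule exists (needs root).
tproxy_rule_present() {
    iptables -t nat -C OUTPUT -p tcp -m cgroup --cgroup "$1" \
        -j REDIRECT --to-ports "$2" 2>/dev/null
}

# Run all checks for this shell, e.g.: tproxy_diag 0x00110011 1080
tproxy_diag() {
    if in_tproxy_cgroup "$$"; then echo "ok: shell is in the tproxy cgroup"
    else echo "FAIL: shell is not in the tproxy cgroup"; fi
    if iptables_has_cgroup_match; then echo "ok: iptables has the cgroup match"
    else echo "FAIL: iptables cannot load the cgroup match (too old or module missing)"; fi
    if tproxy_rule_present "$1" "$2"; then echo "ok: redirect rule for $1 -> port $2 present"
    else echo "FAIL: redirect rule for $1 -> port $2 not found in nat OUTPUT"; fi
}
```

Source the file from the shell you added to the cgroup and run tproxy_diag with the classid and proxy port your rules use; a "FAIL" on check 2a is the symptom of an iptables build without cgroup support.
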

hmgle commented 5 years ago

I checked: the iptables version on my machine is too old and does not support cgroup yet.