izerosoul / shadowsocks_erx


Many foreign websites cannot be opened #3

Closed love1980s closed 7 years ago

love1980s commented 7 years ago

After configuring, google, facebook and so on cannot be opened, but whatismyip.com shows that my IP is already the ss server's IP.

Some domestic sites don't work either, e.g. ifanr.com.

Environment: EdgeRouter X SFP v1.9.1.1

Test: if I configure the browser to use the router's port 1080 as proxy, blocked sites open normally.

DNS is all on default settings.

I'm not sure what other information I should provide to help debug.

Many thanks.

---------- pdnsd.conf is as follows ----------

global {
    perm_cache=4096;
    cache_dir="/tmp";
#   pid_file = /var/run/pdnsd.pid;
    run_as="root";
    server_port = 5302;
    status_ctl = on;
    query_method=tcp_only;
    min_ttl=1d; 
    max_ttl=1w;  
    timeout=5;  
    neg_domain_pol=on;
    udpbufsize=1024; 
}
server {
    label= "googledns";
    ip = 8.8.8.8, 8.8.4.4 ; 
    timeout=3; 
    edns_query=yes;
}

----------- shadowsocks.json is as follows -----------

{
    "server":"45.32.50.93",
    "server_port":10048,
    "local_address":"0.0.0.0",
    "local_port":8888,
    "password":"已隐藏",
    "timeout":300,
    "method":"rc4-md5"
}
izerosoul commented 7 years ago

Please provide the output of the following commands so I can take a look:

    iptables -L -t nat -n
    netstat -antp|grep LIST
    ps -ef|grep shadow
    cat /etc/dnsmasq.conf

Is DNS resolution working? Assuming the router IP is 192.168.1.1, run on your PC: nslookup google.com 192.168.1.1 and paste the result.

This kind of situation is usually a DNS problem.

love1980s commented 7 years ago

Running nslookup on the PC gives the following:

C:\Users\xiaowo-win7>nslookup baidu.com 192.168.31.1
服务器:  UnKnown
Address:  192.168.31.1

非权威应答:
名称:    baidu.com
Addresses:  123.125.114.144
          220.181.57.217
          111.13.101.208
          180.149.132.47

C:\Users\xiaowo-win7>nslookup google.com 192.168.31.1
服务器:  UnKnown
Address:  192.168.31.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** 请求 UnKnown 超时

C:\Users\xiaowo-win7>nslookup whatismyip.com 192.168.31.1
服务器:  UnKnown
Address:  192.168.31.1

非权威应答:
名称:    whatismyip.com
Addresses:  2400:cb00:2048:1::681b:c15c
          2400:cb00:2048:1::681b:c05c
          104.27.193.92
          104.27.192.92

C:\Users\xiaowo-win7>nslookup ifanr.com 192.168.31.1
服务器:  UnKnown
Address:  192.168.31.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** 请求 UnKnown 超时

On the ERX:

1. iptables

    ubnt@ubnt:~$ sudo iptables -L -t nat -n
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    MINIUPNPD  all  --  0.0.0.0/0            0.0.0.0/0
    UBNT_PFOR_DNAT_HOOK  all  --  0.0.0.0/0            0.0.0.0/0
    VYATTA_PRE_DNAT_HOOK  all  --  0.0.0.0/0            0.0.0.0/0
    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            match-set vpn dst redir ports 1081
    SHADOWSOCKS  tcp  --  0.0.0.0/0            0.0.0.0/0

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    SHADOWSOCKS  tcp  --  0.0.0.0/0            0.0.0.0/0

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    UBNT_VPN_IPSEC_SNAT_HOOK  all  --  0.0.0.0/0            0.0.0.0/0
    MINIUPNPD-POSTROUTING  all  --  0.0.0.0/0            0.0.0.0/0
    UBNT_PFOR_SNAT_HOOK  all  --  0.0.0.0/0            0.0.0.0/0
    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            /* NAT-5010 */
    VYATTA_PRE_SNAT_HOOK  all  --  0.0.0.0/0            0.0.0.0/0

    Chain MINIUPNPD (1 references)
    target     prot opt source               destination

    Chain MINIUPNPD-POSTROUTING (1 references)
    target     prot opt source               destination

    Chain SHADOWSOCKS (2 references)
    target     prot opt source               destination
    RETURN     all  --  0.0.0.0/0            0.0.0.0/0            match-set ss_ipset_bypass dst
    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            redir ports 1081

    Chain UBNT_PFOR_DNAT_HOOK (1 references)
    target     prot opt source               destination
    UBNT_PFOR_DNAT_RULES  all  --  0.0.0.0/0            0.0.0.0/0            match-set ADDRv4_pppoe0 dst
    UBNT_PFOR_DNAT_RULES  all  --  0.0.0.0/0            0.0.0.0/0            match-set ADDRv4_pppoe0 dst

    Chain UBNT_PFOR_DNAT_RULES (2 references)
    target     prot opt source               destination
    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.31.130:80
    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.31.130:443
    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5000 to:192.168.31.130:5000
    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5001 to:192.168.31.130:5001
    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6690 to:192.168.31.130:6690
    DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:515 to:192.168.31.130:515
    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:631 to:192.168.31.130:631
    DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5353 to:192.168.31.130:5353
    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 3240:3259 to:192.168.31.130:3240-3259
    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3493 to:192.168.31.130:3493
    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:161 to:192.168.31.130:161
    DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:161 to:192.168.31.130:161
    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:389 to:192.168.31.130:389
    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:636 to:192.168.31.130:636
    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 5900:5909 to:192.168.31.120
    DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp multiport dports 5900:5909 to:192.168.31.120

    Chain UBNT_PFOR_SNAT_HOOK (1 references)
    target     prot opt source               destination
    UBNT_PFOR_SNAT_RULES  all  --  0.0.0.0/0            0.0.0.0/0

    Chain UBNT_PFOR_SNAT_RULES (1 references)
    target     prot opt source               destination
    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            match-set NETv4_switch0 src

    Chain UBNT_VPN_IPSEC_SNAT_HOOK (1 references)
    target     prot opt source               destination

    Chain VYATTA_PRE_DNAT_HOOK (1 references)
    target     prot opt source               destination
    RETURN     all  --  0.0.0.0/0            0.0.0.0/0

    Chain VYATTA_PRE_SNAT_HOOK (1 references)
    target     prot opt source               destination
    RETURN     all  --  0.0.0.0/0            0.0.0.0/0


2. netstat

    ubnt@ubnt:~$ netstat -antp|grep LIST
    (No info could be read for "-p": geteuid()=1000 but you should be root.)
    tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      -
    tcp        0      0 0.0.0.0:5302            0.0.0.0:*               LISTEN      -
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
    tcp        0      0 0.0.0.0:1080            0.0.0.0:*               LISTEN      -
    tcp        0      0 0.0.0.0:1081            0.0.0.0:*               LISTEN      -
    tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN      -
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -
    tcp        0      0 127.0.0.101:55523       0.0.0.0:*               LISTEN      -
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
    tcp6       0      0 :::53                   :::*                    LISTEN      -
    tcp6       0      0 :::22                   :::*                    LISTEN      -
    tcp6       0      0 :::443                  :::*                    LISTEN      -
    tcp6       0      0 :::80                   :::*                    LISTEN      -

3. ps

    ubnt@ubnt:~$ ps -ef|grep shadow
    root     14462     1  0 04:19 ?        00:00:00 /config/shadowsocks/bin/ss-local -u -l 1080 -c /config/shadowsocks/conf/shadowsocks.json -f /var/run/ss-local.pid
    root     14485     1  0 04:19 ?        00:00:01 /config/shadowsocks/bin/ss-redir -u -l 1081 -c /config/shadowsocks/conf/shadowsocks.json -f /var/run/ss-redir.pid
    root     14509     1  0 04:19 ?        00:00:00 /config/shadowsocks/bin/pdnsd -c /config/shadowsocks/conf/pdnsd.conf -d -p /var/run/pdnsd.pid
    root     14537     1  0 04:19 ?        00:00:00 /config/shadowsocks/bin/chinadns /var/run/chinadns.pid -p 5301 -s 114.114.114.114,127.0.0.1:5302 -c /config/shadowsocks/conf/chnroute.txt
    ubnt     15099 14215  0 04:30 pts/0    00:00:00 /bin/busybox grep shadow


4. cat /etc/dnsmasq.conf

    ubnt@ubnt:~$ cat /etc/dnsmasq.conf
    #
    # autogenerated by vyatta-dns-forwarding.pl on Thu Jul 27 15:41:00 UTC 2017
    #
    # log-facility=/var/log/dnsmasq.log
    interface=switch0
    cache-size=150
    no-resolv
    server=127.0.0.1#5301



Many thanks.

Also, I previously installed the ss setup below, but it caused all my port forwarding to stop working, so I switched to yours. I'm not sure whether it has any effect.

http://tookdes.org/geek/archives/ss-on-erx.html
izerosoul commented 7 years ago

Looking at your situation, the problem occurs when pdnsd resolves DNS through 8.8.8.8. Normally, once the ss service is started, requests to 8.8.8.8:53 go through the ss tunnel, but here they apparently don't. As for the cause, you have quite a few iptables rules and they may be conflicting, especially this one:

REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 match-set vpn dst redir ports 1081

This was not added by my ss service, and it is unclear what the vpn ipset contains, so it may be causing the problem. Because you used other programs before, the iptables rules are now rather messy; I suggest resetting the router and then installing again, otherwise it's hard to troubleshoot. If you don't want to reset and are reasonably hands-on, you can study how my ss service works and then troubleshoot by adjusting the iptables rules yourself.
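A hop-by-hop probe of the resolver chain the maintainer is reasoning about, added here as an example and not code from the repository or from either participant: it sends the same A query to dnsmasq (:53), chinadns (:5301), pdnsd (:5302, over TCP because pdnsd.conf sets query_method=tcp_only) and finally straight to 8.8.8.8 over TCP, so the first hop that times out shows where the path breaks. The router address is the 192.168.31.1 from the nslookup output; which process answers on which port is inferred from the ps and netstat output above.

```python
import socket, struct

# Resolver chain from the ps/netstat output above (mapping of process to port is an assumption):
# dnsmasq :53 udp -> chinadns :5301 udp -> pdnsd :5302 tcp_only -> 8.8.8.8:53 tcp
ROUTER = "192.168.31.1"  # router LAN address seen in the nslookup output above
HOPS = [("dnsmasq", ROUTER, 53, "udp"), ("chinadns", ROUTER, 5301, "udp"),
        ("pdnsd", ROUTER, 5302, "tcp"), ("upstream 8.8.8.8", "8.8.8.8", 53, "tcp")]
TXID = 0x1234

def build_query(name):
    """Standard A/IN query: 12-byte header with RD set, then length-prefixed labels."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
def _skip_name(resp, off):
    """Advance past a domain name; a compression pointer (0xC0..) ends it in two bytes."""
    while resp[off] & 0xC0 != 0xC0 and resp[off] != 0:
        off += resp[off] + 1
    return off + (2 if resp[off] & 0xC0 == 0xC0 else 1)
def parse_answers(resp):
    """Return the A records in a response, or None if the id or rcode is wrong."""
    if len(resp) < 12: return None
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != TXID or flags & 0x000F: return None
    off = 12
    for _ in range(qd): off = _skip_name(resp, off) + 4      # skip question entries
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10]); off += 10
        if rtype == 1 and rdlen == 4: ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips
def query(host, port, proto, name, timeout=3):
    """One query over UDP, or over TCP with the 2-byte length framing pdnsd's tcp_only uses."""
    q = build_query(name)
    if proto == "udp":
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.settimeout(timeout)
        s.sendto(q, (host, port)); data = s.recv(4096)
    else:
        s = socket.create_connection((host, port), timeout)
        s.sendall(struct.pack("!H", len(q)) + q)
        n = struct.unpack("!H", s.recv(2))[0]; data = b""
        while len(data) < n: data += s.recv(n - len(data))
    s.close(); return parse_answers(data)
def probe_chain(name, send=query):
    """Query every hop; a hop that times out or refuses maps to None (cf. the nslookup timeouts)."""
    results = {}
    for label, host, port, proto in HOPS:
        try: results[label] = send(host, port, proto, name)
        except OSError: results[label] = None
    return results
```

Run it from a LAN client with a blocked name such as google.com: the last hop also tells you whether TCP/53 to 8.8.8.8 is being redirected to ss-redir by the nat PREROUTING rules at all, which is exactly the path the maintainer suspects is not being taken here.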

love1980s commented 7 years ago

Many thanks.

After resetting and reinstalling, everything works.

Thanks again.

love1980s commented 7 years ago

How do I set a specific LAN device IP to not go through the proxy? Otherwise my NAS doing PT downloads goes through ss and the traffic instantly explodes.

izerosoul commented 7 years ago

The ss startup script /etc/init.d/shadowsocks contains the following line:

BYPASS_RANGE=192.168.123.0/24

Uncomment it (delete the #) and it takes effect: the whole 192.168.123.0/24 subnet then no longer goes through the ss tunnel (and so cannot reach blocked sites either). 192.168.123.0/24 can also be replaced with a single IP or another subnet.

love1980s commented 7 years ago

Many thanks.