juewuy / ShellCrash

Run sing-box/mihomo as client in shell
8.73k stars 1.45k forks

[Bug] immortalwrt 23.05 default config: after enabling whitelist mode the router itself cannot reach the internet and inbound connections from outside fail #797

Open bsdcpp opened 3 hours ago

bsdcpp commented 3 hours ago

Verify steps

Description

Reproducible even on a fresh install; switching to blacklist mode or turning off sc restores it immediately. LAN devices seem unaffected; the router itself cannot ping domestic sites such as 163 or baidu. Thanks. Fresh ShellCrash install with the default config, the only change being tproxy: nftables + tproxy + fake

juewuy commented 3 hours ago

@bsdcpp Which version of the script? Also, is the local-host proxy (本机代理) enabled? And please post the contents of menu 8-1-4 while in the failing state.

bsdcpp commented 3 hours ago

Version: 1.9.1rc7. This is the default blacklist case:

table inet shellcrash {
    chain input {
        type filter hook input priority -100; policy accept;
        ip daddr 127.0.0.1 accept
        tcp dport 9999 ip saddr { 10.0.8.0/24, 192.168.1.0-192.168.3.255 } accept
        tcp dport 9999 reject
        tcp dport 7890 ip saddr { 10.0.8.0/24, 192.168.1.0-192.168.3.255 } accept
        tcp dport 7890 reject
    }

    chain prerouting_dns {
        type nat hook prerouting priority dstnat; policy accept;
        udp dport != 53 return
        tcp dport != 53 return
        meta mark 0x00001ed6 return
        meta skgid { 453, 7890 } return
        ip saddr != { 10.0.8.0/24, 192.168.1.0-192.168.3.255 } return
        ip6 saddr != { 2408:820c:8211:f179::/64, 2408:820c:8218:7c90::/60, 240e:388:8101:df00::/60, 240e:38f:8105:2038::/64, fd00::/8, fe80::/10 } reject with icmpv6 port-unreachable
        udp dport 53 redirect to :1053
        tcp dport 53 redirect to :1053
    }

    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        tcp dport 53 return
        udp dport 53 return
        tcp dport != { 22, 80, 143, 194, 443, 465, 587, 853, 993, 995, 5222, 8080, 8443 } ip daddr != 198.18.0.0/16 return
        meta mark 0x00001ed6 return
        meta skgid 7890 return
        ip daddr { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 } return
        ip saddr != { 10.0.8.0/24, 192.168.1.0-192.168.3.255 } return
        ip6 daddr { ::/127, ::ffff:0.0.0.0/96, 64:ff9b::/96, 100::/64, 2001::/32, 2001:20::/28, 2001:db8::/32, 2002::/16, 2408:820c:8211:f179::/64, 2408:820c:8218:7c90::/60, 240e:388:8101:df00::/60, 240e:38f:8105:2038::/64, fc00::/7, fe80::/10, ff00::/8 } return
        ip6 saddr != { 2408:820c:8211:f179::/64, 2408:820c:8218:7c90::/60, 240e:388:8101:df00::/60, 240e:38f:8105:2038::/64, fd00::/8, fe80::/10 } return
        meta l4proto { tcp, udp } meta mark set 0x00001ed4 tproxy to :7893
    }
}

Below is the whitelist case, which is the broken one:

table inet shellcrash {
    chain input {
        type filter hook input priority -100; policy accept;
        ip daddr 127.0.0.1 accept
        tcp dport 9999 ip saddr { 10.0.8.0/24, 192.168.1.0-192.168.3.255 } accept
        tcp dport 9999 reject
        tcp dport 7890 ip saddr { 10.0.8.0/24, 192.168.1.0-192.168.3.255 } accept
        tcp dport 7890 reject
    }

    chain prerouting_dns {
        type nat hook prerouting priority dstnat; policy accept;
        udp dport != 53 return
        tcp dport != 53 return
        meta mark 0x00001ed6 return
        meta skgid { 453, 7890 } return
        ip saddr != { 10.0.8.0/24, 192.168.1.0-192.168.3.255 } return
        ip6 saddr != { 2408:820c:8211:f179::/64, 2408:820c:8218:7c90::/60, 240e:388:8101:df00::/60, 240e:38f:8105:2038::/64, fd00::/8, fe80::/10 } reject with icmpv6 port-unreachable
        udp dport 53 redirect to :1053
        tcp dport 53 redirect to :1053
    }

    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        tcp dport 53 return
        udp dport 53 return
        tcp dport != { 22, 80, 143, 194, 443, 465, 587, 853, 993, 995, 5222, 8080, 8443 } ip daddr != 198.18.0.0/16 return
        meta mark 0x00001ed6 return
        meta skgid 7890 return
        ip daddr { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 } return
        ip6 daddr { ::/127, ::ffff:0.0.0.0/96, 64:ff9b::/96, 100::/64, 2001::/32, 2001:20::/28, 2001:db8::/32, 2002::/16, 2408:820c:8211:f179::/64, 2408:820c:8218:7c90::/60, 240e:388:8101:df00::/60, 240e:38f:8105:2038::/64, fc00::/7, fe80::/10, ff00::/8 } return
        ip6 saddr != { 2408:820c:8211:f179::/64, 2408:820c:8218:7c90::/60, 240e:388:8101:df00::/60, 240e:38f:8105:2038::/64, fd00::/8, fe80::/10 } return
        meta l4proto { tcp, udp } meta mark set 0x00001ed4 tproxy to :7893
    }
}

After comparing the two, the difference is the line `ip saddr != { 10.0.8.0/24, 192.168.1.0-192.168.3.255 } return`

juewuy commented 3 hours ago

@bsdcpp I can't see a problem; the firewall config is normal, and in theory it wouldn't affect the local host either.

bsdcpp commented 3 hours ago

> @bsdcpp I can't see a problem; the firewall config is normal, and in theory it wouldn't affect the local host either.

I updated my reply; please take another look.

juewuy commented 3 hours ago

@bsdcpp The firewall config here is all normal, and the prerouting chain does not affect the local host's traffic either.

juewuy commented 3 hours ago

@bsdcpp If you are testing inside docker, you need to enable the container/VM proxy feature.

bsdcpp commented 3 hours ago

I installed on real hardware. It worked fine with iptables before. I'll debug it some more and learn nft along the way. Thanks for the answer, top-notch support 🎉

bsdcpp commented 7 minutes ago

@juewuy Observed with tcpdump. With blacklist mode on (incoming-IP and server-IP below are placeholders for the redacted addresses):

22:07:26.882400 pppoe-wan In  IP incoming-IP.32964 > server-IP.50000: UDP, length 96
22:07:26.937646 pppoe-wan Out IP server-IP.50000 > incoming-IP.32964: UDP, length 96
22:07:26.994227 pppoe-wan In  IP incoming-IP.32964 > server-IP.50000: UDP, length 96
22:07:27.561369 pppoe-wan In  IP incoming-IP.32964 > server-IP.50000: UDP, length 96
22:07:27.671277 pppoe-wan In  IP incoming-IP.32964 > server-IP.50000: UDP, length 96
22:07:28.006316 pppoe-wan In  IP incoming-IP.32964 > server-IP.50000: UDP, length 96
22:07:28.618137 pppoe-wan Out IP server-IP.50000 > incoming-IP.32964: UDP, length 96

As soon as whitelist mode is turned on, packets seem to enter lo. Is it looping back? Only In, no Out?

22:07:28.652399 pppoe-wan In  IP incoming-IP.32964 > server-IP.50000: UDP, length 96
22:07:28.665062 lo    In  IP server-IP.33441 > server-IP.50000: UDP, length 96
22:07:28.777946 lo    In  IP server-IP.50000 > server-IP.33441: UDP, length 96
22:07:28.778022 lo    In  IP server-IP.50000 > server-IP.33441: UDP, length 96
22:07:28.842484 pppoe-wan In  IP incoming-IP.32964 > server-IP.50000: UDP, length 96
22:07:28.850514 lo    In  IP server-IP.48605 > server-IP.50000: UDP, length 96
22:07:28.850914 lo    In  IP server-IP.50000 > server-IP.48605: UDP, length 96
22:07:28.938108 lo    In  IP server-IP.50000 > server-IP.48605: UDP, length 96
22:07:29.098005 lo    In  IP server-IP.50000 > server-IP.48605: UDP, length 96
22:07:29.201430 pppoe-wan In  IP incoming-IP.32964 > server-IP.50000: UDP, length 96

I think I have seen a problem like this before; not sure whether it is the same class of issue: https://github.com/juewuy/ShellCrash/issues/783
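A small triage script for captures like the ones in the comment above, added here as an example; it is not part of the issue thread and not ShellCrash code. It takes a `tcpdump -i any -nn` text capture, counts packets per interface and direction, and lists the packets on `lo` whose source host equals the destination host, which is the "packets entering lo, only In and no Out" shape the reporter asks about. The embedded capture is constructed to mirror the reported lines, with `incoming-IP` / `server-IP` as placeholders; the script only makes that pattern countable and does not decide the root cause.

```shell
#!/bin/sh
# Added example for triaging a "tcpdump -i any -nn" text capture; not code
# from the issue or from ShellCrash. incoming-IP / server-IP are the
# placeholders used in the report, and SAMPLE_CAPTURE is constructed to
# mirror the reported lines, not a real capture.

SAMPLE_CAPTURE='22:07:28.652399 pppoe-wan In  IP incoming-IP.32964 > server-IP.50000: UDP, length 96
22:07:28.665062 lo    In  IP server-IP.33441 > server-IP.50000: UDP, length 96
22:07:28.777946 lo    In  IP server-IP.50000 > server-IP.33441: UDP, length 96
22:07:28.842484 pppoe-wan In  IP incoming-IP.32964 > server-IP.50000: UDP, length 96
22:07:28.850514 lo    In  IP server-IP.48605 > server-IP.50000: UDP, length 96
22:07:28.850914 lo    In  IP server-IP.50000 > server-IP.48605: UDP, length 96
22:07:28.618137 pppoe-wan Out IP server-IP.50000 > incoming-IP.32964: UDP, length 96'

# Packets per "interface direction", e.g. "lo In 4", sorted for stable output.
per_interface() {
    printf '%s\n' "$1" | awk '{ n[$2 " " $3]++ } END { for (k in n) print k, n[k] }' | sort
}

# Packets on lo whose source host equals the destination host (port stripped).
# Field layout of "tcpdump -i any -nn": 1 time, 2 iface, 3 In/Out, 4 "IP",
# 5 src.port, 6 ">", 7 dst.port followed by a colon.
lo_hairpins() {
    printf '%s\n' "$1" | awk '
        $2 == "lo" {
            src = $5; dst = $7
            sub(/:$/, "", dst)        # drop the trailing colon
            sub(/\.[^.]*$/, "", src)  # drop ".port", keep the host part
            sub(/\.[^.]*$/, "", dst)
            if (src == dst) print
        }'
}

# Number of hairpinned lo packets; 0 when the capture has no such lines.
lo_hairpin_count() {
    lo_hairpins "$1" | wc -l | tr -d ' '
}

# Replies actually leaving the WAN interface. Hairpins on lo together with
# no "Out" on pppoe-wan is the "only In, no Out" shape the reporter describes.
wan_out_count() {
    printf '%s\n' "$1" | awk '$2 == "pppoe-wan" && $3 == "Out" { c++ } END { print c + 0 }'
}

per_interface "$SAMPLE_CAPTURE"
printf 'hairpinned packets on lo: %s\n' "$(lo_hairpin_count "$SAMPLE_CAPTURE")"
printf 'replies out on pppoe-wan: %s\n' "$(wan_out_count "$SAMPLE_CAPTURE")"
```

To use it on a real capture, save `tcpdump -i any -nn udp port 50000` output to a file and call `lo_hairpin_count "$(cat capture.txt)"` for each mode; in the report the blacklist capture contains no `lo` lines at all, so a non-zero count in whitelist mode is the difference worth chasing.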