Closed Zyx-A closed 4 years ago
One more note: I just installed and ran it via `npx @nondanee/unblockneteasemusic`, and its proxy feature doesn't work that way either.
After setting it as the system proxy and opening the client, are there any MITM or TUNNEL log lines?
Browsers should go through the system proxy by default; does the browser work normally?
Or run `export http_proxy=xxx` and then `curl xxx.com`; can it reach the network normally?
`export http_proxy` has no effect on the client.
Your client may not honor the system proxy.
> After setting it as the system proxy and opening the client, are there any MITM or TUNNEL log lines?

I don't understand what you mean; I don't know how to check that.
> Browsers should go through the system proxy by default; does the browser work normally? Or run `export http_proxy=xxx` and then `curl xxx.com`; can it reach the network normally?

Without going through unblockneteasemusic's proxy, communication works normally, but once it goes through that proxy it reports failure.
> `export http_proxy` has no effect on the client. Your client may not honor the system proxy.

It doesn't matter that it doesn't recognize that variable; I also used other tools, such as proxychains-ng, which forcibly redirects all traffic to the specified proxy. Here are my exact steps and the results returned:

```
$ nc -zv 127.0.0.1 8080
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 127.0.0.1:8080.
Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.
$ grep -vE '^#|^\s*$' proxychains-cloudMusic.conf
strict_chain
quiet_mode
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
localnet 10.0.0.0/255.0.0.0
localnet 172.16.0.0/255.240.0.0
localnet 192.168.0.0/255.255.0.0
[ProxyList]
http 127.0.0.1 8080
$ proxychains4 -f proxychains-cloudMusic.conf curl www.baidu.com
[proxychains] config file found: proxychains-cloudMusic.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
curl: (7) Failed to connect to 127.0.0.1: 拒绝连接
$ proxychains4 -f proxychains-cloudMusic.conf /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=netease-cloud-music --file-forwarding com.netease.CloudMusic
[proxychains] config file found: proxychains-cloudMusic.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
Qt: Session management error: None of the authentication protocols specified are supported
03-15, 17:45:34 [Error ] [ 0] Media changed
03-15, 17:45:34 [Error ] [ 0] Player opening
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve CRYPTO_num_locks
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve CRYPTO_set_id_callback
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve CRYPTO_set_locking_callback
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve ERR_free_strings
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve EVP_CIPHER_CTX_cleanup
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve EVP_CIPHER_CTX_init
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve sk_new_null
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve sk_push
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve sk_free
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve sk_num
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve sk_pop_free
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve sk_value
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSL_library_init
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSL_load_error_strings
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSL_get_ex_new_index
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSLv2_client_method
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSLv3_client_method
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSLv23_client_method
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSLv2_server_method
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSLv3_server_method
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSLv23_server_method
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve X509_STORE_CTX_get_chain
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve OPENSSL_add_all_algorithms_noconf
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve OPENSSL_add_all_algorithms_conf
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSLeay
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSLeay_version
No appenders assotiated with category qt.network.ssl
[Warning] <> Incompatible version of OpenSSL
```
> Without going through unblockneteasemusic's proxy, communication works normally, but once it goes through that proxy it reports failure.

That's the problem. Does the one started via npx work?
curl test: baidu is reachable, but it still reports copyright protection.

```
$ proxychains4 curl www.baidu.com &>/dev/null && echo True
True
$ proxychains4 -f proxychains-cloudMusic.conf /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=netease-cloud-music --file-forwarding com.netease.CloudMusic
[proxychains] config file found: proxychains-cloudMusic.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
Qt: Session management error: None of the authentication protocols specified are supported
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve CRYPTO_num_locks
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve CRYPTO_set_id_callback
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve CRYPTO_set_locking_callback
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve ERR_free_strings
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve EVP_CIPHER_CTX_cleanup
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve EVP_CIPHER_CTX_init
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve sk_new_null
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve sk_push
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve sk_free
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve sk_num
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve sk_pop_free
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve sk_value
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSL_library_init
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSL_load_error_strings
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSL_get_ex_new_index
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSLv2_client_method
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSLv3_client_method
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSLv23_client_method
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSLv2_server_method
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSLv3_server_method
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSLv23_server_method
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve X509_STORE_CTX_get_chain
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve OPENSSL_add_all_algorithms_noconf
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve OPENSSL_add_all_algorithms_conf
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSLeay
No appenders assotiated with category qt.network.ssl
[Warning] <> QSslSocket: cannot resolve SSLeay_version
No appenders assotiated with category qt.network.ssl
[Warning] <> Incompatible version of OpenSSL
03-15, 18:09:05 [Error ] [ 0] void netease::AudioPlayer::handleMediaStatusChanged(netease::VlcMediaPlayer::MediaStatus) Invalid Media: "1389068639_1_65184476-bitrate-320-ob0VXc"
03-15, 18:09:05 [Error ] [ 0] void netease::AudioPlayer::handleMediaStatusChanged(netease::VlcMediaPlayer::MediaStatus) Invalid Media: "28546232_1_65184476-bitrate-320-p9foW7"
```
Then it isn't a problem on my side.
Do you have the UnblockNeteaseMusic server logs?
Did you start it with the `--ignore-certificate-errors` parameter? It's written in the README.
> Then it isn't a problem on my side.

...... But all my other software, browsers and so on can go online through the proxy using exactly the same method.
> Do you have the UnblockNeteaseMusic server logs?

There are no logs. If there were, I would have sent them to you.

```
$ npx @nondanee/unblockneteasemusic -p 8080
npx: 1 安装成功,用时 1.287 秒
HTTP Server running @ http://0.0.0.0:8080
www.baidu.com
^C
```
> Did you start it with the `--ignore-certificate-errors` parameter? It's written in the README.

I started it with the docker-compose.yml you provided; apart from specifying the container name, I didn't change any parameters.
I also just tried it, and there's no improvement at all.

```
$ proxychains4 -f proxychains-cloudMusic.conf /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=netease-cloud-music --file-forwarding com.netease.CloudMusic --ignore-certificate-errors
[proxychains] config file found: proxychains-cloudMusic.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
Qt: Session management error: None of the authentication protocols specified are supported
03-16, 00:41:42 [Error ] [ 0] Media changed
03-16, 00:41:42 [Error ] [ 0] Player opening
```
Also, when I start it with `npx @nondanee/unblockneteasemusic -p 8080 -s` to enable strict mode, `curl www.baidu.com` reports connection refused, yet Cloud Music can still open the daily recommendation page normally. This shows that the UnblockNeteaseMusic server's forwarding of traffic destined for music.163.com and interface.music.163.com, and its filtering of non-163 domains, are working correctly.

And when I have the UnblockNeteaseMusic server listen on port 80 and point the hosts file at 127.0.0.1, Cloud Music is unblocked normally, which shows that the unblocking logic works when the server itself is the destination.

So my judgement here is that the fault should be this: the server treats data it ought to handle itself as ordinary forwarding traffic and simply forwards it on, without going through the address replacement or HTTP header modification step; conversely, if the recipient is the server itself, it modifies and forwards the data correctly. In other words, the problem is in the traffic hijacking and replacement functionality.

Finally, can you use proxy mode correctly yourself?
The NetEase Cloud Music client wasn't developed by me. I can only guarantee that the proxy server itself runs correctly; whether the client goes through the proxy is beyond my control.
The `--ignore-certificate-errors` launch parameter is a NetEase Cloud Music launch parameter; I see you already added it.
The strict-mode logic is also described in the README (in this mode only requests to domains belonging to NetEase Cloud Music are let through), so baidu.com will necessarily be refused.
By your account, if the server forwarded directly without any modification, there would still be log entries. Any request that reaches the proxy, as long as it isn't filtered out by the blacklist/whitelist combination, shows up in the log regardless of whether it was modified. But you tell me there are no logs, which means the requests never reached the proxy at all.
If in doubt, you can review the code directly.
Works fine; I've always used proxy mode, though day to day I only use the Windows and Android clients.
I just tried it on Ubuntu and it works fine there too.
I set the proxy in the system settings UI (the DE is GNOME), which is equivalent to setting it in a shell like this:

```
gsettings set org.gnome.system.proxy mode 'manual'
gsettings set org.gnome.system.proxy.http enabled true
gsettings set org.gnome.system.proxy.http host '127.0.0.1'
gsettings set org.gnome.system.proxy.https host '127.0.0.1'
gsettings set org.gnome.system.proxy.http port 8080
gsettings set org.gnome.system.proxy.https port 8080
```
I found some possible causes, but after several days of fiddling... I still couldn't get it working...

- http_proxy, https_proxy, and the proxy set in the UI (DEs tested: MATE and GNOME): none of them makes it go through the proxy. By comparison, Telegram Desktop only needs those two variables set and goes through the proxy normally.
- proxychains-ng forces proxying by injection. By comparison, when Telegram Desktop is also installed via flatpak, it likewise cannot be forced through the proxy with proxychains-ng, but it can via http_proxy and https_proxy.
- Forced redirection after matching the domain or IP, but that failed too; I don't know why it never matches... The main configuration is as follows:

The iptables way:

```
cat > /etc/dnsmasq.d/unblockneteasemusic.conf <<'EOF'
listen-address=127.0.0.2
server=/.163.com/223.5.5.5#5353
ipset=/.music.163.com/interface.music.163.com/interface3.music.163.com/unblockneteasemusic
EOF
ipset create unblockneteasemusic hash:ip
## I tried the following firewall configurations, but none had any effect; I don't know where it went wrong... T_T
# Method 1: match the domain (via the ipset) and redirect to the local proxy port 8080
iptables -t nat -A PREROUTING -p tcp -m set --match-set unblockneteasemusic dst -j REDIRECT --to-port 8080
# Method 2: match the domain and redirect to port 80 on 127.0.0.1 (same effect as editing the hosts file, but done through the firewall)
iptables -t nat -A PREROUTING -p tcp -m set --match-set unblockneteasemusic dst -j DNAT --to-destination 127.0.0.1:80
# Method 3: match the domain via the HTTP Host header field and forward
iptables -t nat -I PREROUTING -p tcp -m string --string "163.com" --algo bm -j DNAT --to-destination 127.0.0.1:8080
iptables -t nat -I PREROUTING -p tcp -m string --string "163.com" -m multiport --dport 80,443 --algo bm -j DNAT --to-destination 127.0.0.1:8080
# PS: the following rule confirms that it really does block the app's access to 163 domains:
# iptables -I OUTPUT -p tcp -m string --string "163.com" --algo bm -j DROP
# Method 4: match the IPs (resolved with `nslookup` for `music.163.com` and `interface.music.163.com`); all four were run successfully, to redirect to the proxy port
iptables -t nat -I PREROUTING -p tcp -d 115.236.118.33 -m multiport --dport 80,443 -j DNAT --to-destination 127.0.0.1:8080
iptables -t nat -I PREROUTING -p tcp -d 59.111.181.35 -m multiport --dport 80,443 -j DNAT --to-destination 127.0.0.1:8080
iptables -t nat -I PREROUTING -p tcp -d 59.111.181.38 -m multiport --dport 80,443 -j DNAT --to-destination 127.0.0.1:8080
iptables -t nat -I PREROUTING -p tcp -d 59.111.181.60 -m multiport --dport 80,443 -j DNAT --to-destination 127.0.0.1:8080
```

The firewall-cmd way: I couldn't find a tutorial for configuring URL redirection, so forced forwarding isn't achievable there. What I'm currently doing as a stopgap is nginx URL redirection plus editing the hosts file, but that affects far too much; my goal is to leave the hosts file untouched and narrow the impact down to netease-cloud-music alone.
Finally, here is my default iptables rule listing:

```
# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68
OUTPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.19.0.2 tcp dpt:1082
ACCEPT tcp -- 0.0.0.0/0 172.19.0.2 tcp dpt:1081
ACCEPT tcp -- 0.0.0.0/0 172.19.0.2 tcp dpt:1080
ACCEPT tcp -- 0.0.0.0/0 172.18.0.2 tcp dpt:9000
ACCEPT tcp -- 0.0.0.0/0 172.19.0.4 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 172.19.0.4 tcp dpt:80
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (2 references)
target prot opt source destination
FWDI_public_log all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_public (2 references)
target prot opt source destination
FWDO_public_log all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public_allow all -- 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (2 references)
target prot opt source destination
IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631 ctstate NEW
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631 ctstate NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631 ctstate NEW
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
```
HTTP and HTTPS traffic have to be forwarded separately. HTTPS traffic sent straight to the HTTP proxy port can't be handled; an HTTP CONNECT tunnel has to be established first.
Method 1: won't work.
Methods 2, 3 and 4: HTTP and HTTPS need to be handled separately:

```
--dport 80 -j DNAT --to-destination $HOST:$HTTP_PORT
--dport 443 -j DNAT --to-destination $HOST:$HTTPS_PORT
```

Note that you also have to exclude the requests made by the UnblockNeteaseMusic proxy itself, otherwise you get an infinite loop.
Methods 2 and 4 are easier to exclude: pick a NetEase Cloud Music IP that is not in the match-set and pass it as `-f` (as I understand it, method 4 is a manual `--match-set`, so it's equivalent to method 2).
Method 3 can only be excluded at the iptables level, because the proxy's own outgoing requests carry headers that match the rule just the same; you would probably need conditions such as `-m owner --uid-owner`.
Also, from testing, you need to use OUTPUT; PREROUTING has no effect, and I don't know why.

```
sudo ipset create cloudmusic hash:net
sudo ipset add cloudmusic 59.111.181.0/24 # I pinged it and on my side they all start with 59.111.181
sudo iptables -t nat -I OUTPUT -p tcp -m set --match-set cloudmusic dst --dport 80 -j DNAT --to-destination 127.0.0.1:8080
sudo iptables -t nat -I OUTPUT -p tcp -m set --match-set cloudmusic dst --dport 443 -j DNAT --to-destination 127.0.0.1:8081
```

Because 59.111.181.35 and 59.111.181.38 are both main-site IPs and the httpdns addresses (https://www.boce.com/tool?url=music.httpdns.c.163.com&type=get), intercepting them means UnblockNeteaseMusic can't start. If excluding them is inconvenient, you can simply remove this:

```diff
- Promise.all([httpdns, httpdns2].map(query => query(target.join(','))).concat(target.map(dns)))
+ Promise.resolve([])
```
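Review bot: the removed line resolves both the `httpdns`/`httpdns2` queries and the plain `dns` lookups of every entry in `target` (the `.concat(target.map(dns))` part), so replacing the whole expression with `Promise.resolve([])` drops the ordinary DNS results as well, not only the HTTPDNS ones the comment above is about; if only HTTPDNS should be skipped, keep the plain lookups, for example `+ Promise.all(target.map(dns))`.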
> ```
> sudo ipset create cloudmusic hash:net
> sudo ipset add cloudmusic 59.111.181.0/24 # I pinged it and on my side they all start with 59.111.181
> sudo iptables -t nat -I OUTPUT -p tcp -m set --match-set cloudmusic dst --dport 80 -j DNAT --to-destination 127.0.0.1:8080
> sudo iptables -t nat -I OUTPUT -p tcp -m set --match-set cloudmusic dst --dport 443 -j DNAT --to-destination 127.0.0.1:8081
> ```

Because my environment is the Docker version, I only used this part of the configuration and it works, without modifying the program code (app.js). @nondanee, you're a legend, awesome!
I'll look further into narrowing the scope of impact via string and process matching.
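The OUTPUT-chain redirect quoted above (HTTP and HTTPS split onto separate listener ports, the proxy's own traffic excluded so it does not loop back on itself), as an added shell example; this is neither the project's code nor the commands from the thread. It assumes the proxy runs under its own Unix uid, which is what the `-m owner --uid-owner` exclusion mentioned earlier needs, and that an HTTPS listener exists on port 8081.

```shell
#!/bin/sh
# Added example, not code from the UnblockNeteaseMusic project: emit the nat
# rules discussed in the thread (OUTPUT chain, HTTP and HTTPS to separate
# listener ports, the proxy's own packets skipped). Assumed, not from the
# thread: the proxy runs under its own Unix uid and listens for HTTPS on 8081.
set -eu

# Print the ipset/iptables commands instead of running them, so they can be
# reviewed first. Arguments: set name, target CIDR, proxy host, HTTP port,
# HTTPS port, uid the proxy process runs as.
nat_redirect_rules() {
    set_name=$1 cidr=$2 host=$3 http_port=$4 https_port=$5 proxy_uid=$6
    echo "ipset create $set_name hash:net -exist"
    echo "ipset add $set_name $cidr -exist"
    # Locally generated packets traverse the nat OUTPUT chain, never
    # PREROUTING (which only sees packets arriving on an interface); that is
    # why the PREROUTING variants in the thread had no effect.
    # Skip packets sent by the proxy itself first; otherwise its upstream
    # requests to the same servers would be redirected back to it in a loop.
    echo "iptables -t nat -I OUTPUT 1 -p tcp -m owner --uid-owner $proxy_uid -j RETURN"
    # Plain HTTP and TLS must reach different listeners: a TLS ClientHello
    # delivered to the HTTP port cannot be handled without a CONNECT tunnel.
    echo "iptables -t nat -A OUTPUT -p tcp -m set --match-set $set_name dst --dport 80 -j DNAT --to-destination $host:$http_port"
    echo "iptables -t nat -A OUTPUT -p tcp -m set --match-set $set_name dst --dport 443 -j DNAT --to-destination $host:$https_port"
}

# Apply the generated rules; refuses to run without root.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be run as root" >&2
        return 1
    fi
    nat_redirect_rules "$@" | sh -e
}

# Usage: ./redirect.sh          (dry run, prints the rules)
#        ./redirect.sh --apply  (installs them)
# Sample values below are constructed for the dry run: 59.111.181.0/24 is the
# range quoted in the thread, uid 1000 is a placeholder for the proxy's user.
if [ "${1:-}" = "--apply" ]; then
    apply_rules cloudmusic 59.111.181.0/24 127.0.0.1 8080 8081 1000
else
    nat_redirect_rules cloudmusic 59.111.181.0/24 127.0.0.1 8080 8081 1000
fi
```

Run it without arguments to print the rules for review; `--apply` installs them and needs root.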
I tried it too, and the Docker version really does work wonders~ It doesn't fail to start because of this OUTPUT rule, probably thanks to network isolation or some other exclusion; not sure 😂
👌
After testing, the Docker version run with the provided docker-compose.yml script does not work.
Image information is as follows:
The docker-compose.yml script contents are as follows:
When the mapped port is changed from the default 8080 to 80, and /etc/hosts is modified, it unblocks normally and plays correctly. But when using the proxy feature, i.e. port 8080; http://127.0.0.1:8080; with /etc/hosts not redirecting the domain to 127.0.0.1 (if it is redirected to 127.0.0.1, pages fail to open and access fails); besides configuring the proxy in the graphical system proxy settings, I also tested with proxychains-ng, `export http_proxy="127.0.0.1:8080"` and other command-line methods, all with exactly the same symptom. Although I don't think the problem lies in the system environment, I'll still post mine:
OS version: CentOS 7.6
Software install method: `sudo flatpak install flathub com.netease.CloudMusic`