Closed haormj closed 5 years ago
How did you confirm that this tap0 is actually working? I don't think this tap0 works properly. tap0 has no real egress, so packets coming in from tap0 have to be forwarded out through another interface, which usually requires MASQUERADE. And you haven't done that in iptables.
The reason for the loop is that the packets redsocks sends out get REDIRECTed back to redsocks again. So the fix is to use the iptables owner match: `iptables -t nat -I OUTPUT -m owner --pid-owner <pid of redsocks> -j RETURN`
@semigodking
Hello, after checking the iptables documentation, I don't have a pid owner option on my side:
owner
    This module attempts to match various characteristics of the packet creator, for locally generated packets. This match is only valid in the OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket associated with them. Packets from kernel threads do have a socket, but usually no owner.
    [!] --uid-owner username
    [!] --uid-owner userid[-userid]
        Matches if the packet socket's file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or an UID range.
    [!] --gid-owner groupname
    [!] --gid-owner groupid[-groupid]
        Matches if the packet socket's file structure is owned by the given group. You may also specify a numerical GID, or a GID range.
    [!] --socket-exists
        Matches if the packet is associated with a socket.
iptables v1.6.1, Linux pc 4.15.0-48-generic #51-Ubuntu SMP Wed Apr 3 08:28:49 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Then work around it: run redsocks under a dedicated user, and match on that user id instead.
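The workaround agreed on above (exempt redsocks' own packets from the REDIRECT via the owner match, using `--uid-owner` since `--pid-owner` is not present in the quoted iptables 1.6.1 man page, plus MASQUERADE for the tap0 traffic mentioned earlier), written out as an added example. This is not code from the redsocks project or from either participant. The UID 1001, the listen port 12345, the interface names tap0/eth0 and the proxy address 203.0.113.10 are assumptions chosen for illustration:

```shell
#!/bin/sh
# Added example, not from the redsocks project or the thread participants.
# Generates the iptables rules for a transparent-proxy setup in which
# redsocks runs as an unprivileged user. Its own outbound connections to the
# proxy are exempted with the owner match so they are never REDIRECTed back
# to redsocks (the loop described in the thread).
#
# Assumptions (not from the original page): a "redsocks" user with UID 1001,
# redsocks listening on 127.0.0.1:12345, a tap0 interface whose traffic must
# leave via eth0, and the proxy server at 203.0.113.10.

set -eu

# Print the nat rules for the given redsocks UID, listen port and proxy IP.
# Order matters: the owner RETURN is inserted at position 1 of OUTPUT so it
# is evaluated before the jump into the REDSOCKS chain.
redsocks_nat_rules() {
    uid=$1; port=$2; proxy=$3
    cat <<EOF
iptables -t nat -N REDSOCKS
iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -d $proxy -j RETURN
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports $port
iptables -t nat -I OUTPUT 1 -p tcp -m owner --uid-owner $uid -j RETURN
iptables -t nat -A OUTPUT -p tcp -j REDSOCKS
EOF
}

# tap0 has no real uplink: forward its TCP traffic through the REDSOCKS
# chain in PREROUTING and MASQUERADE whatever leaves via the uplink.
tap_forward_rules() {
    tap=$1; uplink=$2
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $tap -p tcp -j REDSOCKS
iptables -t nat -A POSTROUTING -o $uplink -j MASQUERADE
iptables -A FORWARD -i $tap -o $uplink -j ACCEPT
iptables -A FORWARD -i $uplink -o $tap -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Ordering check on a generated rule set: the owner RETURN for OUTPUT must
# come before the jump to REDSOCKS, otherwise redsocks' packets loop.
rules_are_ordered() {
    printf '%s\n' "$1" | awk '
        /OUTPUT .*--uid-owner/ { ret = NR }
        /OUTPUT .*-j REDSOCKS/ { jump = NR }
        END { exit !(ret && jump && ret < jump) }'
}

if [ "${1:-}" = "apply" ]; then
    # Needs root; run as "sh rules.sh apply".
    redsocks_nat_rules 1001 12345 203.0.113.10 | sh -e
    tap_forward_rules tap0 eth0 | sh -e
else
    # Default: only print the rules for review.
    redsocks_nat_rules 1001 12345 203.0.113.10
    tap_forward_rules tap0 eth0
fi
```

Run without arguments to print the rule set; run with `apply` as root to install it. Start redsocks as the matching user (for example with `su -s /bin/sh redsocks -c 'redsocks -c /etc/redsocks.conf'`) so that the socket owner seen by the `owner` match is UID 1001; if redsocks runs as root instead, its packets miss the RETURN rule and the loop comes back.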
First of all, many thanks for this tool @semigodking
Environment
iptables
Forwarding all TCP traffic except internal-network IPs and the proxy server address to redsocks works fine on this chain, and proxied DNS resolution also works. Since environment problems are easy to run into, I also built a docker image; everyone is welcome to use it :-)
Problem
Because iptables sends almost all TCP traffic into redsocks, every time auto proxy is enabled it immediately causes a loop.
Based on the above problem, my thinking is:
Modify the redsocks configuration
1558002847.387333 notice redsocks.c:645 redsocks_relay_connected(...) [172.19.1.104:59600->74.125.206.210:443]: red_is_socket_connected_ok: No route to host
1558002850.459261 notice utils.c:375 red_is_socket_connected_ok(...) connect: No route to host