shadowsocks / luci-app-shadowsocks

OpenWrt/LEDE LuCI for Shadowsocks-libev
GNU General Public License v3.0

Transparent proxying with ss-rules (ipset) fails on a non-OpenWrt system #120

Closed isjerryxiao closed 7 years ago

isjerryxiao commented 7 years ago

Command line used: ./ss-rules -I wlan0 -s xxx.xxx.xxx.xxx -l 1080 -B chnroute.txt -b 192.168.1.0/24 -d SS_SPEC_WAN_AC -o

It runs without errors and returns 0. However, the other devices on the LAN can only reach foreign IPs normally; domestic IPs are unreachable. On the host itself chnroute works fine. Where did I go wrong?

The sh -x trace is as follows (IPs hidden as xxx.xxx.xxx.xxx):

+ IFNAMES=wlan0
+ getopts :s:l:S:L:B:b:W:w:I:d:a:e:oOuUfh arg
+ echo xxx.xxx.xxx.xxx
+ server=xxx.xxx.xxx.xxx
+ getopts :s:l:S:L:B:b:W:w:I:d:a:e:oOuUfh arg
+ local_port=1080
+ getopts :s:l:S:L:B:b:W:w:I:d:a:e:oOuUfh arg
+ WAN_BP_LIST=chnroute.txt
+ getopts :s:l:S:L:B:b:W:w:I:d:a:e:oOuUfh arg
+ WAN_BP_IP=192.168.1.0/24
+ getopts :s:l:S:L:B:b:W:w:I:d:a:e:oOuUfh arg
+ LAN_TARGET=SS_SPEC_WAN_AC
+ getopts :s:l:S:L:B:b:W:w:I:d:a:e:oOuUfh arg
+ OUTPUT=SS_SPEC_WAN_AC
+ getopts :s:l:S:L:B:b:W:w:I:d:a:e:oOuUfh arg
+ [ -z xxx.xxx.xxx.xxx -o -z 1080 ]
+ [  = 1 ]
+ [  = 2 ]
+ flush_rules
+ iptables-save -c
+ + iptables-restore -cgrep
 -v SS_SPEC
+ command -v ip
+ ip rule del fwmark 1 lookup 100
+ ip route del local default dev lo table 100
+ + ipset -n list
grep ss_spec
+ uci get firewall.shadowsocks.path
+ FWI=
+ [ -n  ]
+ return 0
+ ipset_init
+ gen_lan_host_ipset_entry
+ gen_special_purpose_ip
+ sed -e s/^/add ss_spec_dst_sp /
+ cat
+ grep -E ^([0-9]{1,3}\.){3}[0-9]{1,3}
+ sed -e s/^/add ss_spec_dst_bp / chnroute.txt
+ echo add ss_spec_dst_bp 192.168.1.0/24
+ sed -e s/^/add ss_spec_dst_fw / /dev/null
+ ipset -! restore
+ return 0
+ ipt_nat
+ include_ac_rules nat
+ [ nat = mangle ]
+ echo tcp
+ local protocol=tcp
+ gen_prerouting_rules tcp
+ [ -z wlan0 ]
+ echo -I PREROUTING 1 -i wlan0 -p tcp -j SS_SPEC_LAN_DG
+ iptables-restore -n
+ ipt=iptables -t nat
+ iptables -t nat -A SS_SPEC_WAN_FW -p tcp -j REDIRECT --to-ports 1080
+ [ -n SS_SPEC_WAN_AC ]
+ iptables -t nat -N SS_SPEC_WAN_DG
+ iptables -t nat -A SS_SPEC_WAN_DG -m set --match-set ss_spec_dst_sp dst -j RETURN
+ iptables -t nat -A SS_SPEC_WAN_DG -p tcp -j SS_SPEC_WAN_AC
+ iptables -t nat -I OUTPUT 1 -p tcp -j SS_SPEC_WAN_DG
+ return 0
+ ipt_mangle
+ [ -n  ]
+ return 0
+ export_ipt_rules
+ [ -n  ]
+ return 0
+ RET=0
+ [ 0 = 0 ]
+ exit 0

The iptables nat table is as follows:

 pkts bytes target     prot opt in     out     source               destination         
  187 11220 SS_SPEC_LAN_DG  tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 20 packets, 1643 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 61 packets, 6034 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   15  2856 SS_SPEC_WAN_DG  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 64 packets, 6214 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain SS_SPEC_LAN_AC (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_src_bp src
    0     0 SS_SPEC_WAN_FW  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_src_fw src
    0     0 SS_SPEC_WAN_AC  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_src_ac src
  183 10980 SS_SPEC_WAN_AC  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain SS_SPEC_LAN_DG (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   240 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_dst_sp dst
  183 10980 SS_SPEC_LAN_AC  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain SS_SPEC_WAN_AC (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SS_SPEC_WAN_FW  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_dst_fw dst
  178 10680 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_dst_bp dst
   16   960 SS_SPEC_WAN_FW  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain SS_SPEC_WAN_DG (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4  2196 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ss_spec_dst_sp dst
   11   660 SS_SPEC_WAN_AC  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain SS_SPEC_WAN_FW (3 references)
 pkts bytes target     prot opt in     out     source               destination         
   16   960 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            redir ports 1080
isjerryxiao commented 7 years ago

I had not enabled IPv4 forwarding:

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

sysctl -w net.ipv4.ip_forward=1 fixed the problem.
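A pre-flight check for the three things this thread hinges on (IPv4 forwarding, the PREROUTING redirect on the LAN interface, and a populated bypass set), added here as an example and not part of ss-rules or luci-app-shadowsocks; the function names and the sample command outputs are constructed, and each check takes command output as an argument so it can also be run against captured text.

```shell
#!/bin/sh
# Added example (not the project's code): pre-flight checks for ss-rules on a
# plain Linux host. Each check reads command output passed in as an argument.

# Is IPv4 forwarding on? Accepts "1" or "net.ipv4.ip_forward = 1".
check_ip_forward() {
    [ "${1##*= }" = "1" ]
}

# Does `iptables-save -t nat` ($1) contain the LAN redirect rule for interface $2?
check_prerouting_rule() {
    printf '%s\n' "$1" | grep -q -- "^-A PREROUTING -i $2 -p tcp -j SS_SPEC_LAN_DG"
}

# Does `ipset list ss_spec_dst_bp` ($1) hold any member other than the LAN net $2?
# An empty bypass set means every destination, domestic ones included, is proxied.
check_bypass_set() {
    printf '%s\n' "$1" | sed -n '/^Members:/,$p' | grep -v '^Members:' \
        | grep -v -F -x -- "$2" | grep -q .
}

# Run all checks, print one hint per failure, return the number of failures.
# Arguments: sysctl output, iptables-save output, LAN iface, ipset output, LAN net.
diagnose() {
    fails=0
    check_ip_forward "$1" || {
        echo "net.ipv4.ip_forward is 0: LAN clients cannot be forwarded (sysctl -w net.ipv4.ip_forward=1)"
        fails=$((fails + 1))
    }
    check_prerouting_rule "$2" "$3" || {
        echo "no PREROUTING rule on $3: LAN traffic never reaches SS_SPEC_LAN_DG"
        fails=$((fails + 1))
    }
    check_bypass_set "$4" "$5" || {
        echo "ss_spec_dst_bp has no bypass networks: check the -B list file"
        fails=$((fails + 1))
    }
    return $fails
}

# Constructed sample reproducing the state in the issue: rules loaded and the
# bypass set populated, but forwarding still off. Live use would pass
# "$(sysctl net.ipv4.ip_forward)" "$(iptables-save -t nat)" wlan0 \
# "$(ipset list ss_spec_dst_bp)" 192.168.1.0/24 instead.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 0'
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p tcp -j SS_SPEC_LAN_DG
COMMIT'
SAMPLE_SET='Name: ss_spec_dst_bp
Type: hash:net
Members:
192.168.1.0/24
1.0.1.0/24'
```

On the sample, diagnose reports only the forwarding failure and returns 1, which is the state the issue reporter was in before running sysctl.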