shadowsocks / luci-app-shadowsocks

OpenWrt/LEDE LuCI for Shadowsocks-libev
GNU General Public License v3.0

GFWList has no effect after configuring it per the wiki #128

Closed knlvz closed 7 years ago

knlvz commented 7 years ago

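With chnroute, where all foreign IPs go through ss, I can get online. After setting up gfwlist following the wiki tutorial, I can no longer get through ss. Below are my settings; I don't know where it went wrong.

Some ipset list output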

Name: ss_spec_dst_bp
Type: hash:net
Revision: 4
Header: family inet hashsize 64 maxelem 65536
Size in memory: 888
References: 2
Members:
128.0.0.0/1
0.0.0.0/1

Name: ss_spec_dst_fw
Type: hash:net
Revision: 4
Header: family inet hashsize 64 maxelem 65536
Size in memory: 824
References: 2
Members:

Name: gfwlist
Type: hash:ip
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8248
References: 0
Members:

None of them contain any IPs.

iptables:

*nat
:PREROUTING ACCEPT [4522:154217]
:INPUT ACCEPT [50:3993]
:OUTPUT ACCEPT [59:4020]
:POSTROUTING ACCEPT [20:1577]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:SS_SPEC_LAN_AC - [0:0]
:SS_SPEC_LAN_DG - [0:0]
:SS_SPEC_WAN_AC - [0:0]
:SS_SPEC_WAN_DG - [0:0]
:SS_SPEC_WAN_FW - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -p tcp -j SS_SPEC_LAN_DG
-A PREROUTING -m id --id 0x66773300 -m comment --comment "user chain for prerouting" -j prerouting_rule
-A PREROUTING -i br-lan -m id --id 0x66773300 -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m id --id 0x66773300 -j zone_wan_prerouting
-A OUTPUT -p tcp -j SS_SPEC_WAN_DG
-A POSTROUTING -m id --id 0x66773300 -m comment --comment "user chain for postrouting" -j postrouting_rule
-A POSTROUTING -o br-lan -m id --id 0x66773300 -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m id --id 0x66773300 -j zone_wan_postrouting
-A SS_SPEC_LAN_AC -m set --match-set ss_spec_src_bp src -j RETURN
-A SS_SPEC_LAN_AC -m set --match-set ss_spec_src_fw src -j SS_SPEC_WAN_FW
-A SS_SPEC_LAN_AC -m set --match-set ss_spec_src_ac src -j SS_SPEC_WAN_AC
-A SS_SPEC_LAN_AC -j SS_SPEC_WAN_AC
-A SS_SPEC_LAN_DG -m set --match-set ss_spec_dst_sp dst -j RETURN
-A SS_SPEC_LAN_DG -p tcp -j SS_SPEC_LAN_AC
-A SS_SPEC_WAN_AC -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW
-A SS_SPEC_WAN_AC -m set --match-set ss_spec_dst_fw dst -j SS_SPEC_WAN_FW
-A SS_SPEC_WAN_AC -m set --match-set ss_spec_dst_bp dst -j RETURN
-A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW
-A SS_SPEC_WAN_DG -m set --match-set ss_spec_dst_sp dst -j RETURN
-A SS_SPEC_WAN_DG -p tcp -j SS_SPEC_WAN_AC
-A SS_SPEC_WAN_FW -p tcp -j REDIRECT --to-ports 1234
-A zone_lan_postrouting -m id --id 0x66773300 -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_prerouting -m id --id 0x66773300 -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m id --id 0x66773300 -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -m id --id 0x66773300 -j MASQUERADE
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m id --id 0x66773300 -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
COMMIT

In /etc/dnsmasq.conf I only added conf-dir=/etc/dnsmasq.d. Below is the content of /etc/dnsmasq.d/gfw_list.conf; for testing I only added two domains.

server=/google.com/127.0.0.1#5353
ipset=/google.com/gfwlist
server=/ipip.net/127.0.0.1#5353
ipset=/ipip.net/gfwlist

cokebar commented 7 years ago

Send a DNS query for ipip.net to dnsmasq, then check whether the corresponding IP has been added to the ipset.

cokebar commented 7 years ago

Also, dnsmasq needs to be replaced with dnsmasq-full.
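
The two checks suggested in the comments above (does the installed dnsmasq build support ipset, and does the set gain an entry after a lookup), as an added shell example that is not part of the original thread or the project's code. The function names are hypothetical; it assumes `dnsmasq -v` prints a "Compile time options:" line and that dnsmasq answers on 127.0.0.1.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose why an ipset fed by dnsmasq
# "ipset=/domain/set" lines stays empty. Function names are hypothetical.

# Reads `dnsmasq -v` output on stdin. Succeeds only if the build lists
# "ipset" among its compile time options (a build without it lists "no-ipset").
dnsmasq_has_ipset() {
    awk '/^Compile time options:/ {
             for (i = 4; i <= NF; i++) if ($i == "ipset") ok = 1
         }
         END { exit !ok }'
}

# Reads `ipset list <name>` output on stdin and prints how many entries
# follow the "Members:" line.
ipset_member_count() {
    awk '/^Name:/ { seen = 0 }
         seen && NF { n++ }
         /^Members:/ { seen = 1 }
         END { print n + 0 }'
}

# Live check on the router: diagnose <domain> <set>
# Assumes the set starts empty, as in the listing posted in the thread.
diagnose() {
    domain=$1; set=$2
    # Checks whichever dnsmasq binary is first on PATH.
    if ! dnsmasq -v | dnsmasq_has_ipset; then
        echo "dnsmasq build has no ipset support; ipset=/$domain/$set cannot fill the set"
        return 1
    fi
    before=$(ipset list "$set" | ipset_member_count)
    # Query dnsmasq itself, not the upstream forwarder on port 5353.
    nslookup "$domain" 127.0.0.1 >/dev/null 2>&1
    after=$(ipset list "$set" | ipset_member_count)
    echo "$set: $before -> $after members after resolving $domain"
    [ "$after" -gt 0 ]
}

# Run on the router as: sh check.sh --live ipip.net gfwlist
if [ "${1:-}" = "--live" ]; then
    diagnose "${2:-ipip.net}" "${3:-gfwlist}"
fi
```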

knlvz commented 7 years ago

Querying directly, it cannot resolve.

[root@PandoraBox_6190:/root]#nslookup ipip.net
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

nslookup: can't resolve 'ipip.net': Name or service not known

Specifying 127.0.0.1:5353: does this mean the forwarding is fine?

[root@PandoraBox_6190:/root]#nslookup www.ipip.net 127.0.0.1:5353
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

Name:      www.ipip.net
Address 1: 121.12.98.98

Both dnsmasq-full and dnsmasq are installed. Do they conflict when both are present?

[root@PandoraBox_6190:/root]#opkg list-installed
6in4 - 23-1
6to4 - 12-2
bandwidth-pandorabox - 2
base-files - 157-2017-06-28-git-d033ac5fc
block-mount - 2016-09-31-94a5b0ad8d53f024f036c3526b48c34ebbd66a2f
bndstrg - 1
busybox - 1.24.1-1
cfdisk - 2.24.1-1
chat - 2.4.7-8
comgt - 0.32-23
ddns-scripts - 2.7.6-14
detect_internet - 1
dnsmasq - 2.76-5
dnsmasq-dhcpv6 - 2.76-5
dnsmasq-full - 2.76-5
dosfsck - 3.0.28-1

knlvz commented 7 years ago

I suspect this firmware ships the shadowsocks-libev-spec version, because I can see ss-rules. Does that mean gfwlist cannot be used with this version?

aa65535 commented 7 years ago

@knlvz It's a dnsmasq problem; you can only use dnsmasq-full.

knlvz commented 7 years ago

It was indeed a dnsmasq problem. Previously it was dnsmasq-full version 2.76; after switching to version 2.75 it works normally. Thanks!

cccRaim commented 6 years ago

May I ask about the configuration of each port? Where should 53, 5300 and 5353 each be configured?