shadowsocks / luci-app-shadowsocks

OpenWrt/LEDE LuCI for Shadowsocks-libev
GNU General Public License v3.0

Gfwlist mode in the Wiki #146

Open cokebar opened 7 years ago

cokebar commented 7 years ago

The wiki creates a new gfwlist ipset and then adds a rule that matches this gfwlist ipset and forwards to SS_SPEC_WAN_FW, but it has the problem that "every time shadowsocks is restarted, SS_SPEC_WAN_AC is destroyed and recreated", because running ss-rules first flushes the rules. But why create a gfwlist ipset at all? Why not use ss_spec_dst_fw directly, adding the addresses to the ss_spec_dst_fw ipset right after dnsmasq resolves them? Then this problem would not exist.

aa65535 commented 7 years ago

That way the gfwlist ipset is not destroyed, so dnsmasq does not need to be restarted to re-add the IPs.

cokebar commented 7 years ago

Someone reported to me that with the method in your wiki, adding that iptables line to /etc/firewall.user, the router cannot bypass the GFW after boot. At boot, when /etc/firewall.user runs, ss-rules may not have run yet, so the SS_SPEC_XXX_XX chains may not exist, and the statement may fail. Even if ss-rules runs before /etc/firewall.user, /etc/config/firewall has a shadowsocks.include further down, and that also removes the previously added `iptables -t nat -I SS_SPEC_WAN_AC 1 -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW`. So, to get this to start properly at boot, @aa65535, do you have any suggestions?

knlvz commented 7 years ago

@cokebar For running it automatically at boot, what I currently do is add `$ipt -I SS_SPEC_WAN_AC 1 -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW` to the ipt_nat() function in ss-rules, which takes care of having to run that command after the router reboots.

sotux commented 6 years ago

I modified ss-rules to add gfwlist; @aa65535, please take a look and see whether this is OK. Add the following code before ipset_init():

```sh
gfwlist_init() {
    ipt="iptables -t nat"
    # create the gfwlist ipset only if it does not exist yet, so IPs already
    # added by dnsmasq survive a restart of ss-rules
    setname=$(ipset -n list | grep -w "gfwlist")
    if [ -z "$setname" ]; then
        ipset create gfwlist hash:ip
    fi
    # send traffic for gfwlist destinations into the shadowsocks forwarding chain
    $ipt -I SS_SPEC_WAN_AC 1 -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW
    return 0
}
```

and finally change the last line to this:

```sh
flush_rules && ipset_init && ipt_nat && ipt_mangle && gfwlist_init && export_ipt_rules
```

phoniwell commented 6 years ago

@sotux

I tried your script, it works.

one little problem: it can ONLY redirect TCP traffic. To redirect UDP as well, you could add this line: `iptables -t mangle -I SS_SPEC_WAN_AC 1 -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW`

cokebar commented 6 years ago

@sotux In gfwlist mode, UDP relay is not very useful.

openlcc commented 6 years ago

After the WAN interface drops and redials, `iptables -t nat -I SS_SPEC_WAN_AC 1 -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW` no longer takes effect and has to be run again. How can I set things up so that this command runs automatically after the WAN interface drops and redials?

cokebar commented 6 years ago

@legendchi I'm not sure whether the following works; I haven't tested it. Write a script containing the commands you want to run after the WAN interface reconnects, then add the following at the end of /etc/config/firewall:

```
config include 'yourscriptname'
    option type 'script'
    option path '/path/to/yourscript'
    option reload '1'
```

phoniwell commented 6 years ago

@legendchi Why do you have this problem? luci-app-shadowsocks adds the firewall reload rule during installation. Thus the firewall rules will be re-applied after the WAN reconnects.

The following is excerpted from etc/uci-defaults/luci-shadowsocks, which is extracted from the luci-app-shadowsocks package:

```sh
uci -q batch <<-EOF >/dev/null
delete ucitrack.@shadowsocks[-1]
add ucitrack shadowsocks
set ucitrack.@shadowsocks[-1].init=shadowsocks
commit ucitrack
delete firewall.shadowsocks
set firewall.shadowsocks=include
set firewall.shadowsocks.type=script
set firewall.shadowsocks.path=/var/etc/shadowsocks.include
set firewall.shadowsocks.reload=1
commit firewall
EOF
```

But if you want to use the gfwlist scheme, you'd better choose the ipset name carefully, because /usr/bin/ss-rules (part of the luci-app-shadowsocks package) will only maintain ipset names starting with ss_spec, like ss_spec_gfwlist.
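The pieces discussed across this thread (sotux's gfwlist_init, the boot-order race cokebar describes, and the `config include ... option reload '1'` approach) can be combined into one firewall include script that is safe to run on every fw3 reload. The following is an added example, not code from luci-app-shadowsocks or its wiki. It assumes the chain names SS_SPEC_WAN_AC / SS_SPEC_WAN_FW that ss-rules creates, the ipset name gfwlist from the wiki (deliberately not ss_spec_*, so ss-rules does not destroy it and the IPs dnsmasq added survive), and hypothetical knobs IPT, IPSET, DRY_RUN and WITH_UDP so the rule generation can be checked without touching a live firewall. It creates the set only if it is missing, inserts the rule only if `iptables -C` says it is not already there (no duplicate rules after repeated reloads), and returns non-zero instead of erroring out when ss-rules has not created the chain yet:

```shell
#!/bin/sh
# Added example (not part of luci-app-shadowsocks or its wiki): an idempotent
# fw3 include that re-inserts the gfwlist rule after ss-rules or a firewall
# reload has flushed SS_SPEC_WAN_AC. Assumed names: ipset "gfwlist", chains
# SS_SPEC_WAN_AC / SS_SPEC_WAN_FW (created by ss-rules). IPT, IPSET, DRY_RUN
# and WITH_UDP are hypothetical overrides introduced for this example only.

IPSET_NAME="${IPSET_NAME:-gfwlist}"   # not ss_spec_*: ss-rules only flushes its own sets
AC_CHAIN="SS_SPEC_WAN_AC"
FW_CHAIN="SS_SPEC_WAN_FW"
IPT="${IPT:-iptables}"
IPSET="${IPSET:-ipset}"
DRY_RUN="${DRY_RUN:-0}"
WITH_UDP="${WITH_UDP:-0}"

# Print instead of executing when DRY_RUN=1 (lets you inspect the generated rules).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Create the ipset only if it is missing, so IPs dnsmasq already added survive a reload.
ensure_ipset() {
    if $IPSET -n list "$IPSET_NAME" >/dev/null 2>&1; then
        return 0
    fi
    run $IPSET create "$IPSET_NAME" hash:ip
}

# $1 = table. True if ss-rules has already created the AC chain in that table.
chain_exists() {
    $IPT -t "$1" -n -L "$AC_CHAIN" >/dev/null 2>&1
}

# $1 = table. True if the gfwlist rule is already in the AC chain (iptables -C).
rule_present() {
    $IPT -t "$1" -C "$AC_CHAIN" -m set --match-set "$IPSET_NAME" dst -j "$FW_CHAIN" >/dev/null 2>&1
}

# $1 = table. Insert the rule at position 1 unless it is already there.
# Returns 1 without touching anything when the chain does not exist yet,
# which is the boot-order race described in the thread.
ensure_rule() {
    table=$1
    if ! chain_exists "$table"; then
        echo "gfwlist.include: $AC_CHAIN missing in table $table (ss-rules not run yet?)" >&2
        return 1
    fi
    if rule_present "$table"; then
        return 0
    fi
    run $IPT -t "$table" -I "$AC_CHAIN" 1 -m set --match-set "$IPSET_NAME" dst -j "$FW_CHAIN"
}

# nat carries the TCP REDIRECT path; mangle carries the UDP path and is optional.
main() {
    rc=0
    ensure_ipset || rc=1
    ensure_rule nat || rc=1
    if [ "$WITH_UDP" = 1 ]; then
        ensure_rule mangle || rc=1
    fi
    return $rc
}

# Run when executed as a firewall include; skipped when iptables is not on PATH
# (for example when this file is sourced only to reuse its functions).
if command -v "$IPT" >/dev/null 2>&1; then
    main
fi
```

Install it as, for example, /etc/gfwlist.include and register it in /etc/config/firewall with a `config include` section (`option type 'script'`, `option path '/etc/gfwlist.include'`, `option reload '1'`) placed after the shadowsocks include, as cokebar suggested; fw3 then runs it on every reload, including the one triggered by a WAN redial, and the `-C` check keeps repeated runs from stacking duplicate rules. The script still depends on ss-rules having run first; a non-zero exit on boot only means the rule will be added on the next reload, not that anything was left half-configured.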

openlcc commented 6 years ago

@cokebar Thank you very much. Following your method, iptables ran successfully after the WAN interface changed and redialing completed.