Closed odkrys closed 7 years ago
You're forwarding local DNS queries (192.168.1.1:53) to the remote host.
Try
root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
It works, thanks. Should I apply this?
iptables -t mangle -A SHADOWSOCKS -d 123.123.123.123 -j RETURN
ipset -N gfwlist iphash
iptables -t nat -N SHADOWSOCKS
iptables -t nat -N SHADOWSOCKS_MARK
iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/24 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
iptables -t nat -A SHADOWSOCKS -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1081
iptables -t nat -A SHADOWSOCKS_MARK -p tcp -m set --match-set gfwlist dst -j MARK --set-mark 1
iptables -t nat -A PREROUTING -j SHADOWSOCKS
iptables -t nat -A OUTPUT -j SHADOWSOCKS_MARK
modprobe xt_TPROXY
iptables -t mangle -N SHADOWSOCKS
iptables -t mangle -N SHADOWSOCKS_MARK
iptables -t mangle -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
ip rule add fwmark 0x01/0x01 table 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -A SHADOWSOCKS -p udp -m set --match-set gfwlist dst -j TPROXY --on-port 1081 --tproxy-mark 0x01/0x01
iptables -t mangle -A SHADOWSOCKS_MARK -p udp -m set --match-set gfwlist dst -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -j SHADOWSOCKS
iptables -t mangle -A OUTPUT -j SHADOWSOCKS_MARK
Yes, you'd better exclude your server IP as well.
iptables.sh
#!/bin/bash
# Transparent-proxy iptables rule installer for use on a router.
# Usage: first edit the address and port below, then run the script with one argument: load/unload
SERVER_ADDR="" # IP of your SS server
LOCAL_PORT= # port of your ss-redir
load(){
# add the fwmark policy route that TPROXY forwarding needs
ip rule add fwmark 0x01/0x01 table 100
ip route add local 0.0.0.0/0 dev lo table 100
#UDP
iptables -t mangle -N SSUDP
# never proxy traffic to the server itself, loopback or the LAN
iptables -t mangle -A SSUDP -d "$SERVER_ADDR/32" -j RETURN
iptables -t mangle -A SSUDP -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A SSUDP -d 192.168.0.0/16 -j RETURN
# everything else: hand the UDP packet to ss-redir via TPROXY
iptables -t mangle -A SSUDP -p udp -j TPROXY --on-port "$LOCAL_PORT" --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
iptables -t mangle -A PREROUTING -j SSUDP
#TCP
iptables -t nat -N SSTCP
# same bypass list for TCP
iptables -t nat -A SSTCP -d "$SERVER_ADDR/32" -j RETURN
iptables -t nat -A SSTCP -d 127.0.0.0/8 -j RETURN
iptables -t nat -A SSTCP -d 192.168.0.0/16 -j RETURN
# everything else: REDIRECT TCP to ss-redir
iptables -t nat -A SSTCP -p tcp -j REDIRECT --to-ports "$LOCAL_PORT"
iptables -t nat -A PREROUTING -j SSTCP
}
unload(){
ip rule del fwmark 0x01/0x01 table 100
ip route del local 0.0.0.0/0 dev lo table 100
# detach the chains first, then flush and delete them
iptables -t mangle -D PREROUTING -j SSUDP
iptables -t nat -D PREROUTING -j SSTCP
iptables -t mangle -F SSUDP
iptables -t nat -F SSTCP
iptables -t mangle -X SSUDP
iptables -t nat -X SSTCP
}
case "$1" in
load)
echo "loading" >&2
load
echo "load success" >&2
;;
unload)
echo "unloading" >&2
unload
echo "unload success" >&2
;;
*)
echo "Usage: $0 {load|unload}" >&2
exit 1
;;
esac
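Added example, not code from this issue or from shadowsocks-libev: a POSIX sh script that assembles the bypass RETURN rules from the two replies above (private ranges plus the proxy server's own address, shown as a placeholder) and checks a destination against them in pure shell, so you can confirm that the LAN resolver 192.168.1.1:53 would be returned before reaching TPROXY. It only prints rules; it never calls iptables.

```shell
#!/bin/sh
# Added example (not from the issue or shadowsocks-libev). Models the SSUDP
# chain: bypass RETURN rules first, TPROXY last. Nothing here touches the
# kernel; it prints rules and checks destinations against them.
SS_SERVER="${SS_SERVER:-203.0.113.10}"   # placeholder VPS address, set yours

# Destinations that must never be proxied: the server itself (prevents a
# loop), loopback, RFC1918 LANs, link-local, multicast and reserved space.
bypass_cidrs() {
    printf '%s\n' "$SS_SERVER/32" 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 \
        169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
}

# Dotted quad -> unsigned 32-bit integer, using shell arithmetic only.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> status 0 when IP lies inside NET/BITS.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# proxied IP -> status 0 if the chain would reach TPROXY, 1 if a RETURN
# rule catches it first (the LAN resolver 192.168.1.1 must give 1).
proxied() {
    for c in $(bypass_cidrs); do
        in_cidr "$1" "$c" && return 1
    done
    return 0
}

# Print the mangle rules in the order the chain evaluates them.
emit_rules() {
    for c in $(bypass_cidrs); do
        echo "iptables -t mangle -A SSUDP -d $c -j RETURN"
    done
    echo "iptables -t mangle -A SSUDP -p udp -j TPROXY --on-port 1081 --tproxy-mark 0x01/0x01"
}

case "${1:-}" in
    rules) emit_rules ;;
    check) proxied "$2" && echo "$2: proxied" || echo "$2: bypassed" ;;
esac
```

Run `sh bypass.sh check 192.168.1.1` to see the resolver bypassed and `sh bypass.sh rules` to print the chain; if a destination you expect to be proxied reports "bypassed", widen or reorder the list before loading it.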
What version of shadowsocks-libev are you using?
3.0.6 on both
What operating system are you using?
asuswrt-merlin, debian 8
What did you do?
ss-redir udp relay
What did you expect to see?
All my UDP packets, or at least the DNS packets, are relayed to the VPS server.
What did you see instead?
DNS packets seem to arrive at the VPS server, but the server doesn't resolve them.
What is your config in detail (with all sensitive info masked)?
http://imgur.com/a/PIlHC
and my iptables setting is
iptables -t mangle -N SHADOWSOCKS
ip rule add fwmark 0x01/0x01 table 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -I SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 1081 --tproxy-mark 0x01/0x01
iptables -t mangle -I PREROUTING -j SHADOWSOCKS
ss-tunnel is working well. However, I want to test the UDP feature of ss-redir. Can ss-redir relay all UDP packets to the VPS, for example game packets?