shadowsocks / shadowsocks-libev

Bug-fix-only libev port of shadowsocks. Future development moved to shadowsocks-rust
https://github.com/shadowsocks/shadowsocks-rust
GNU General Public License v3.0

ss-redir udp relay problem. #1514

Closed odkrys closed 7 years ago

odkrys commented 7 years ago

What version of shadowsocks-libev are you using?

3.0.6 on both

What operating system are you using?

asuswrt-merlin , debian 8

What did you do?

ss-redir udp relay

What did you expect to see?

all my udp packet or at least dns packet is relayed to vps server

What did you see instead?

dns packet seems to arrive at vps server but server doesn't resolve it.

What is your config in detail (with all sensitive info masked)?

http://imgur.com/a/PIlHC

and my iptables setting is

iptables -t mangle -N SHADOWSOCKS
ip rule add fwmark 0x01/0x01 table 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -I SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 1081 --tproxy-mark 0x01/0x01
iptables -t mangle -I PREROUTING -j SHADOWSOCKS

ss-tunnel is working well. However, I want to test the UDP feature of ss-redir. Can ss-redir relay all UDP packets to the VPS? For example, game packets.

madeye commented 7 years ago

You're forwarding local DNS queries (192.168.1.1:53) to the remote host.

Try

root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN

odkrys commented 7 years ago

It works, thanks. Should I apply this?

iptables -t mangle -A SHADOWSOCKS -d 123.123.123.123 -j RETURN

TCP rules

ipset -N gfwlist iphash
iptables -t nat -N SHADOWSOCKS
iptables -t nat -N SHADOWSOCKS_MARK

iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN

iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/24 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN

iptables -t nat -A SHADOWSOCKS -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1081
iptables -t nat -A SHADOWSOCKS_MARK -p tcp -m set --match-set gfwlist dst -j MARK --set-mark 1

iptables -t nat -A PREROUTING -j SHADOWSOCKS
iptables -t nat -A OUTPUT -j SHADOWSOCKS_MARK

UDP rules

modprobe xt_TPROXY

iptables -t mangle -N SHADOWSOCKS
iptables -t mangle -N SHADOWSOCKS_MARK

iptables -t mangle -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN

ip rule add fwmark 0x01/0x01 table 100
ip route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -A SHADOWSOCKS -p udp -m set --match-set gfwlist dst -j TPROXY --on-port 1081 --tproxy-mark 0x01/0x01
iptables -t mangle -A SHADOWSOCKS_MARK -p udp -m set --match-set gfwlist dst -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -j SHADOWSOCKS
iptables -t mangle -A OUTPUT -j SHADOWSOCKS_MARK

madeye commented 7 years ago

Yes, you'd better exclude your server IP as well.
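A small added check (example code, not part of this thread and not shadowsocks-libev code) that models how the mangle chain above decides each packet. iptables walks a chain top to bottom and the first matching rule's target wins, so the RETURN rules for the private ranges and for the server IP only take effect if they sit before the TPROXY rule. The simulator reproduces the original symptom (a query to the LAN resolver 192.168.1.1:53 is handed to TPROXY and relayed to the VPS, which has no route to 192.168.1.1), shows that the exclusions madeye suggested fix it when they come first, and shows that appending them after an already-inserted TPROXY rule changes nothing. The server address 123.123.123.123 is the placeholder used in the thread; the probe addresses and the chain layouts are constructed for the example, and only the `-d`, `-p`, `--dport`, RETURN and TPROXY features the rules above use are modelled.

```python
"""Model first-match evaluation of an iptables chain for the TPROXY rules in this issue.

Added example, not shadowsocks-libev code. Only the matchers the thread's rules use
(-d CIDR, -p proto, --dport) and the RETURN / TPROXY targets are modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    dst: Optional[str] = None     # -d CIDR (or single address); None = any destination
    proto: Optional[str] = None   # -p udp / -p tcp; None = any protocol
    dport: Optional[int] = None   # --dport; None = any port
    target: str = "RETURN"        # RETURN (bypass the proxy) or TPROXY (hand to ss-redir)


def matches(rule: Rule, dst_ip: str, proto: str, dport: int) -> bool:
    """True if every matcher on the rule agrees with the packet."""
    if rule.dst is not None:
        net = ipaddress.ip_network(rule.dst, strict=False)  # "1.2.3.4" becomes /32
        if ipaddress.ip_address(dst_ip) not in net:
            return False
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(chain: List[Rule], dst_ip: str, proto: str, dport: int) -> str:
    """Verdict for one packet: target of the first matching rule, else RETURN
    (falling off the end of a user chain returns to the caller, i.e. no proxying)."""
    for rule in chain:
        if matches(rule, dst_ip, proto, dport):
            return rule.target
    return "RETURN"


# Ranges madeye told the reporter to bypass, plus the server itself (see the replies above).
BYPASS_RANGES = ["10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed probe address per range; 192.168.1.1 is the LAN resolver from the report.
PROBE_ADDRESSES = {
    "10.0.0.0/8": "10.0.0.1",
    "127.0.0.0/8": "127.0.0.1",
    "169.254.0.0/16": "169.254.1.1",
    "172.16.0.0/12": "172.16.0.1",
    "192.168.0.0/16": "192.168.1.1",
}


def original_chain() -> List[Rule]:
    """The reporter's first SHADOWSOCKS chain: TPROXY every UDP/53 packet, no bypass at all."""
    return [Rule(proto="udp", dport=53, target="TPROXY")]


def fixed_chain(server_ip: str) -> List[Rule]:
    """Bypass rules first (server, then private/local ranges), TPROXY rule last."""
    chain = [Rule(dst=server_ip)]
    chain += [Rule(dst=cidr) for cidr in BYPASS_RANGES]
    chain.append(Rule(proto="udp", dport=53, target="TPROXY"))
    return chain


def misordered_chain(server_ip: str) -> List[Rule]:
    """What you get by plain '-A' appending the bypasses after an existing '-I' TPROXY rule."""
    return original_chain() + [Rule(dst=server_ip)] + [Rule(dst=cidr) for cidr in BYPASS_RANGES]


def missing_bypasses(chain: List[Rule], server_ip: str, proto: str = "udp", dport: int = 53) -> List[str]:
    """Return the ranges (and the server IP) whose traffic the chain would still hand to TPROXY."""
    leaks = [cidr for cidr, probe in PROBE_ADDRESSES.items()
             if evaluate(chain, probe, proto, dport) == "TPROXY"]
    if evaluate(chain, server_ip, proto, dport) == "TPROXY":
        leaks.append(server_ip)
    return leaks


if __name__ == "__main__":
    server = "123.123.123.123"  # placeholder address from the thread
    for name, chain in [("original", original_chain()),
                        ("fixed", fixed_chain(server)),
                        ("misordered", misordered_chain(server))]:
        print(f"{name:10s} 192.168.1.1:53 -> {evaluate(chain, '192.168.1.1', 'udp', 53):6s}"
              f"  leaks: {missing_bypasses(chain, server)}")
```

Running it prints one line per layout: the original and misordered chains leak every probe range and the server address, the fixed chain leaks none while still sending a public resolver such as 8.8.8.8:53 to TPROXY. The same `missing_bypasses` check can be fed the nat-table TCP chain from the reporter's later rule set by passing `proto="tcp"`, since the model does not care which table the chain lives in.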

shellus commented 6 years ago

iptables.sh

#!/bin/bash

# Install script for the transparent-proxy iptables rules used on the router
# Usage: first edit the address and port in this script, then run it with the argument load/unload

SERVER_ADDR="" #the IP of your SS server
LOCAL_PORT= #the port of your ss-redir

load(){
#add the fwmark policy route, required for TPROXY forwarding
ip rule add fwmark 0x01/0x01 table 100
ip route add local 0.0.0.0/0 dev lo table 100
#UDP
iptables -t mangle -N SSUDP
iptables -t mangle -A SSUDP -d $SERVER_ADDR/32 -j RETURN
iptables -t mangle -A SSUDP -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A SSUDP -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A SSUDP -p udp -j TPROXY --on-port $LOCAL_PORT --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
iptables -t mangle -A PREROUTING -j SSUDP

#TCP
iptables -t nat -N SSTCP
iptables -t nat -A SSTCP -d $SERVER_ADDR/32 -j RETURN
iptables -t nat -A SSTCP -d 127.0.0.0/8 -j RETURN
iptables -t nat -A SSTCP -d 192.168.0.0/16 -j RETURN
iptables -t nat -A SSTCP -p tcp -j REDIRECT --to-ports $LOCAL_PORT
iptables -t nat -A PREROUTING -j SSTCP

}
unload(){
ip rule del fwmark 0x01/0x01 table 100
ip route del local 0.0.0.0/0 dev lo table 100

iptables -t mangle -D PREROUTING -j SSUDP
iptables -t nat -D PREROUTING -j SSTCP
iptables -t mangle -F SSUDP
iptables -t nat -F SSTCP
iptables -t mangle -X SSUDP
iptables -t nat -X SSTCP
}

case "$1" in
    load)
        echo "loading" >&2
        load
        echo "load success" >&2
        ;;
    unload)
        echo "unloading" >&2
        unload
        echo "unload success" >&2
        ;;
    *)
        echo "Usage: $0 {load|unload}" >&2
        exit 1
    ;;
esac