v2fly / v2ray-step-by-step

This repo is a fork of ToutyRater/v2ray-guide; we aim to provide a new step-by-step guide to v2ray
https://guide.v2fly.org
Creative Commons Attribution 4.0 International

After setting up a transparent proxy on the main router, the port forwards configured on the router are unreachable from the WAN. #265

Closed Cavien closed 2 years ago

Cavien commented 2 years ago

Following the official instructions, I added the following transparent proxy setup on the main router:

Set up policy routing

    ip rule add fwmark 1 table 100
    ip route add local 0.0.0.0/0 dev lo table 100

Proxy LAN devices

    nft add table v2ray
    nft add chain v2ray prerouting { type filter hook prerouting priority 0 \; }
    nft add rule v2ray prerouting ip daddr {127.0.0.1/32, 224.0.0.0/4, 255.255.255.255/32} return
    nft add rule v2ray prerouting meta l4proto tcp ip daddr 192.168.0.0/16 return
    nft add rule v2ray prerouting ip daddr 192.168.0.0/16 udp dport != 53 return
    nft add rule v2ray prerouting mark 0xff return # 0xff traffic goes direct
    nft add rule v2ray prerouting meta l4proto {tcp, udp} mark set 1 tproxy to 127.0.0.1:12345 accept # forward to V2Ray port 12345

Proxy the gateway host itself

    nft add chain v2ray output { type route hook output priority 0 \; }
    nft add rule v2ray output ip daddr {127.0.0.1/32, 224.0.0.0/4, 255.255.255.255/32} return
    nft add rule v2ray output meta l4proto tcp ip daddr 192.168.0.0/16 return
    nft add rule v2ray output ip daddr 192.168.0.0/16 udp dport != 53 return
    nft add rule v2ray output mark 0xff return # 0xff traffic goes direct
    nft add rule v2ray output meta l4proto {tcp, udp} mark set 1 accept # reroute to prerouting

DIVERT rules

    nft add table filter
    nft add chain filter divert { type filter hook prerouting priority -150 \; }
    nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept

With this, all devices on the LAN work normally, but access from the WAN no longer gets in: none of the port forwards work.

Cavien commented 2 years ago

I tried deleting this rule: `nft add rule v2ray prerouting meta l4proto {tcp, udp} mark set 1 tproxy to 127.0.0.1:12345 accept # forward to V2Ray port 12345`. After that, port forwarding worked again, but the LAN could no longer get out to international sites.

viponedream commented 2 years ago

Did you solve it? I also ran these iptables rules, and SSH suddenly dropped.

Cavien commented 2 years ago

Not solved.

LeadroyaL commented 1 year ago

@viponedream @Cavien The root cause: the prerouting stage also hands the return packets from port 22 of LAN devices over to V2Ray. My solution is to return all packets sent from the LAN to the WAN whose source port is 22, so they are never passed to V2Ray.

I don't know how to type the commands; the file looks like this:

        chain prerouting {
                type filter hook prerouting priority mangle; policy accept;
                ip daddr $lan return
                ip daddr 192.168.0.0/16 tcp dport != 53 return
                ip daddr 192.168.0.0/16 udp dport != 53 return
                tcp sport 22 return
                xxxxxxxxxxxxxxxxx
        }

Note this line: tcp sport 22 return
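The fix above only works if the `tcp sport 22 return` rule sits before the `tproxy ... accept` rule in the prerouting chain, since nft evaluates rules top to bottom. The following is an added example, not code from the issue or from the v2fly guide: a small lint (the function name `check_prerouting_order` and the sample rulesets are constructed for this example) that checks a ruleset file for that ordering.

```shell
#!/bin/sh
# Added example, not from the issue or the v2fly guide. Lints an nftables
# ruleset file for the fix LeadroyaL describes: inside "chain prerouting",
# the "tcp sport <port> return" rule must come BEFORE the "tproxy to" rule.
# nft evaluates rules in order and "tproxy ... accept" ends evaluation, so a
# return placed after it never fires and reply packets of the forwarded
# service are still diverted to V2Ray. Assumption: rules are written one per
# line in the nftables.conf style shown in the thread.

# check_prerouting_order <ruleset-file> <port>
# Exit status 0 if the return precedes the tproxy rule, 1 otherwise.
check_prerouting_order() {
    awk -v port="$2" '
        /^[[:space:]]*chain prerouting[[:space:]]*\{/ { inchain = 1; next }
        inchain && /^[[:space:]]*\}/                  { inchain = 0 }
        inchain && !ret && $0 ~ ("tcp sport " port " return") { ret = NR }
        inchain && !tp  && /tproxy to/                       { tp = NR }
        END { if (ret && tp && ret < tp) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample rulesets (not a real router config).
good_rules=$(mktemp); bad_rules=$(mktemp)
cat > "$good_rules" <<'EOF'
table ip v2ray {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        ip daddr 192.168.0.0/16 udp dport != 53 return
        tcp sport 22 return
        meta mark 0xff return
        meta l4proto { tcp, udp } meta mark set 1 tproxy to 127.0.0.1:12345 accept
    }
}
EOF
# Same idea, but the return was appended after tproxy: it is unreachable.
cat > "$bad_rules" <<'EOF'
table ip v2ray {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto { tcp, udp } meta mark set 1 tproxy to 127.0.0.1:12345 accept
        tcp sport 22 return
    }
}
EOF

for f in "$good_rules" "$bad_rules"; do
    if check_prerouting_order "$f" 22; then echo "$f: ok"
    else echo "$f: 'tcp sport 22 return' is missing or comes after tproxy"; fi
done
```

Point it at a real file with `check_prerouting_order /etc/nftables.conf 22` (or whichever port is forwarded) before loading the ruleset.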