wangyu- / udp2raw

A Tunnel which Turns UDP Traffic into Encrypted UDP/FakeTCP/ICMP Traffic by using Raw Socket, helps you Bypass UDP FireWalls (or Unstable UDP Environment)
MIT License

Can support for nftables be added? #468

Open kursk-ye opened 1 year ago

kursk-ye commented 1 year ago

After upgrading to OpenWrt 22.03.2, iptables is no longer supported, only nftables. Could udp2raw support being set up with nftables? Many thanks.

listenfree commented 1 year ago
Kenajcrap commented 8 months ago
  • Edit /etc/nftables.d/10-custom-filter-chains.nft on the router and, in the chain below, add the server's IP and port and drop them:

    chain user_post_input {
        type filter hook input priority 1; policy accept;
        ip saddr x.x.x.x tcp sport xxxxx drop
    }

  • Do not pass the -a option to udp2raw

After following your instructions, the result is as follows:

root@OpenWrt:/tmp# ./udp2raw_mips24kc_le -s -l 10.170.15.2:443 -r 127.0.0.1:51820 -k "[REDACTED]"
[2023-11-04 22:39:45][INFO]argc=8 ./udp2raw_mips24kc_le -s -l 10.170.15.2:443 -r 127.0.0.1:51820 -k [REDACTED] 
[2023-11-04 22:39:45][INFO]parsing address: 10.170.15.2:443
[2023-11-04 22:39:45][INFO]its an ipv4 adress
[2023-11-04 22:39:45][INFO]ip_address is {10.170.15.2}, port is {443}
[2023-11-04 22:39:45][INFO]parsing address: 127.0.0.1:51820
[2023-11-04 22:39:45][INFO]its an ipv4 adress
[2023-11-04 22:39:45][INFO]ip_address is {127.0.0.1}, port is {51820}
[2023-11-04 22:39:45][INFO]important variables: log_level=4:INFO raw_mode=faketcp cipher_mode=aes128cbc auth_mode=md5 key=Pizzak-99eudp2raw local_addr=10.170.15.2:443 remote_addr=127.0.0.1:51820 socket_buf_size=1048576 
[2023-11-04 22:39:45][WARN]you can run udp2raw with non-root account for better security. check README.md in repo for more info.
[2023-11-04 22:39:45][INFO]remote_ip=[127.0.0.1], make sure this is a vaild IP address
[2023-11-04 22:39:45][INFO]const_id:f811ed55
[2023-11-04 22:39:45][WARN] -a has not been set, make sure you have added the needed iptables rules manually
[2023-11-04 22:39:45][FATAL]bind fail

This is my file /etc/nftables.d/10-custom-filter-chains.nft:

chain user_post_input {
    type filter hook input priority 1; policy accept;
    ip saddr 10.170.15.2 tcp sport 443 drop;
    ct state new log prefix "Firewall4 accepted ingress: "
}

Thanks for your support!

wangyu- commented 8 months ago

"bind fail" means there is another process occupying the same port.

Find that process and kill it.

haohetao commented 6 months ago

I would also like to see nftables support added; OpenWrt no longer supports iptables.

wangyu- commented 6 months ago

Whether udp2raw itself supports nftables is not the question.

What "udp2raw only supports iptables" really means is that the -a option only knows how to add iptables rules automatically.

-a exists only for convenience; it does not affect functionality.

With other firewalls, skip -a and add the rules yourself. See:

https://github.com/wangyu-/udp2raw/discussions/501
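For a host that really has no iptables front end, the rules that -a would install can be written as an nftables ruleset. The script below is an added example, not udp2raw's own code and not something from this thread: it renders the nft equivalent of the client-side rules that the -a log later in this thread shows (a chain hooked on input that drops packets from the server's IP and TCP source port), the mirror-image rule for a server (packets arriving at its listen IP and port), and a pre-flight check for the port collision behind the "bind fail" above. The table name `inet udp2raw`, the chain name, the `counter` statement, priority -1 and all helper names are my choices; IPv4 only.

```shell
#!/bin/sh
# Added example (not udp2raw's own code): do by hand, with nftables, what
# udp2raw's -a option does with iptables, plus a pre-flight check for the
# "bind fail" case. Table/chain names, priority and `counter` are my choice.

# Print an nft ruleset that drops the fake-TCP packets before the kernel's
# own TCP stack can answer them with RST. udp2raw still sees them, because
# it reads them from an AF_PACKET socket, which is fed ahead of netfilter.
#   client: udp2raw_nft_ruleset client <server_ip> <server_port>
#   server: udp2raw_nft_ruleset server <listen_ip|0.0.0.0> <listen_port>
udp2raw_nft_ruleset() {
  role=$1 addr=$2 port=$3
  case "$role" in
    client) match="ip saddr $addr tcp sport $port" ;;   # replies from the server
    server)                                             # traffic to the listen socket
      if [ "$addr" = "0.0.0.0" ]; then match="tcp dport $port"
      else match="ip daddr $addr tcp dport $port"; fi ;;
    *) echo "usage: udp2raw_nft_ruleset client|server addr port" >&2; return 1 ;;
  esac
  # "table ... / delete table ..." makes this idempotent: re-running replaces
  # the table instead of appending a second copy of the rule.
  printf '%s\n' \
    "table inet udp2raw" \
    "delete table inet udp2raw" \
    "table inet udp2raw {" \
    "  chain input {" \
    "    # priority -1: runs before fw4's filter chains (priority 0), so a" \
    "    # wan-zone 'reject with tcp reset' in fw4 cannot fire first" \
    "    type filter hook input priority -1; policy accept;" \
    "    $match counter drop" \
    "  }" \
    "}"
}

# Read `netstat -an` output on stdin (busybox format works) and succeed if
# something already holds <proto> port <port>. In faketcp mode udp2raw
# reserves its -l port with an ordinary TCP socket, so a TCP listener on
# that port is exactly what produces "bind fail".
port_in_use() {
  awk -v proto="$1" -v port="$2" \
    '$1 ~ ("^" proto) && $4 ~ (":" port "$") { found = 1 } END { exit !found }'
}

# Install the rules, run udp2raw WITHOUT -a, and remove the table on exit.
# Usage (client, same parameters as the -a run shown later in this thread):
#   udp2raw_run client 45.76.100.53 4096 \
#     ./udp2raw -c -l0.0.0.0:3333 -r45.76.100.53:4096 -k passwd --raw-mode faketcp
udp2raw_run() {
  role=$1 addr=$2 port=$3; shift 3
  if [ "$role" = server ] && netstat -an 2>/dev/null | port_in_use tcp "$port"; then
    echo "port $port is already in use; udp2raw would fail with 'bind fail'" >&2
    return 1
  fi
  udp2raw_nft_ruleset "$role" "$addr" "$port" | nft -f - || return 1
  trap 'nft delete table inet udp2raw' EXIT INT TERM
  "$@"
}
```

Two points worth checking before using this. First, the match direction: on the client the packets to hide from the kernel come *from* the server, so the rule keys on `ip saddr`/`tcp sport`; on the server they arrive *at* the listen address, so it keys on `ip daddr`/`tcp dport`. Second, the hook priority: on OpenWrt's fw4 the filter chains sit at priority 0, and a wan-zone input policy of reject answers an unknown SYN with a TCP RST, which would tear down the fake connection before a later chain ever drops the packet; hooking at -1 avoids that. The same match line can instead be placed in a chain under /etc/nftables.d as the thread does, which keeps it persistent across reboots, provided the chain's priority puts it before any rejecting chain.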

haohetao commented 6 months ago

> Whether udp2raw itself supports nftables is not the question.
>
> What "udp2raw only supports iptables" really means is that the -a option only knows how to add iptables rules automatically.
>
> -a exists only for convenience; it does not affect functionality.
>
> With other firewalls, skip -a and add the rules yourself. See:
>
> https://github.com/wangyu-/udp2raw/discussions/501

Wouldn't it be more convenient if -a supported nft as well?

wangyu- commented 6 months ago

> Wouldn't it be more convenient if -a supported nft as well?

Indeed. The code is open source: fork it, implement it, and share it for others to use.

While you're at it, I'd also suggest doing netsh advfirewall (Windows) and pfctl (macOS/BSD), so Windows, Mac and BSD users get the same convenience.

wangyu- commented 3 weeks ago

> After upgrading to OpenWrt 22.03.2, iptables is no longer supported, only nftables. Could udp2raw support being set up with nftables? Many thanks.

I tried the latest OpenWrt trunk (newer than 23).

iptables still works.

Did you perhaps not install the iptables package? (It may be iptables-nft; I'm not sure.)

wangyu- commented 3 weeks ago

Anyone who says iptables doesn't work on OpenWrt, check against this:

root@OpenWrt:~/udp2raw# opkg list|grep iptables
iptables-nft - 1.8.8-2

root@OpenWrt:~/udp2raw# cat /etc/os-release |grep RELEASE
OPENWRT_RELEASE="OpenWrt SNAPSHOT r25318-3e8d2f2439"  (latest trunk build)

root@OpenWrt:~/udp2raw# iptables
iptables v1.8.8 (nf_tables): no command specified
Try `iptables -h' or 'iptables --help' for more information.

root@OpenWrt:~/udp2raw# ./udp2raw -c -l0.0.0.0:3333  -r45.76.100.53:4096  -k "passwd" --raw-mode faketcp -a
[2024-06-11 22:06:31][INFO]argc=9 ./udp2raw -c -l0.0.0.0:3333 -r45.76.100.53:4096 -k passwd --raw-mode faketcp -a
[2024-06-11 22:06:31][INFO]parsing address: 0.0.0.0:3333
[2024-06-11 22:06:31][INFO]parsing address: 45.76.100.53:4096
[2024-06-11 22:06:31][INFO]important variables: log_level=4:INFO raw_mode=faketcp cipher_mode=aes128cbc auth_mode=md5 key=passwd local_addr=0.0.0.0:3333 remote_addr=45.76.100.53:4096 socket_buf_size=1048576
[2024-06-11 22:06:31][WARN]you can run udp2raw with non-root account for better security. check README.md in repo for more info.
[2024-06-11 22:06:31][INFO]remote_ip=[45.76.100.53], make sure this is a vaild IP address
[2024-06-11 22:06:31][INFO]const_id:17718af3
[2024-06-11 22:06:31][INFO]run_command iptables -N udp2rawDwrW_17718af3_C0
[2024-06-11 22:06:31][INFO]run_command iptables -F udp2rawDwrW_17718af3_C0
[2024-06-11 22:06:31][INFO]run_command iptables -I udp2rawDwrW_17718af3_C0 -j DROP
[2024-06-11 22:06:31][INFO]run_command iptables -I INPUT -s 45.76.100.53 -p tcp -m tcp --sport 4096 -j udp2rawDwrW_17718af3_C0
[2024-06-11 22:06:31][WARN]auto added iptables rules
[2024-06-11 22:06:31][INFO]source_addr is now 10.0.0.155
[2024-06-11 22:06:31][INFO]using port 54973
[2024-06-11 22:06:31][INFO]state changed from client_idle to client_tcp_handshake
[2024-06-11 22:06:31][INFO](re)sent tcp syn
[2024-06-11 22:06:31][INFO]state changed from client_tcp_handshake to client_handshake1
[2024-06-11 22:06:31][INFO](re)sent handshake1
[2024-06-11 22:06:32][INFO]changed state from to client_handshake1 to client_handshake2,my_id is b44ac5d6,oppsite id is 5f2c28c1
[2024-06-11 22:06:32][INFO](re)sent handshake2
[2024-06-11 22:06:32][INFO]changed state from to client_handshake2 to client_ready