TPROXY代理方式迷之问题

greekstreet commented 3 years ago

非常感谢各位大侠的无私贡献，最近开始体验 paswall 用着很舒心，但是遇到一点问题，希望能获得大佬指点一二。

症状：TPROXY代理方式下，局域网设备无法扶墙，各种情况测试结果如下。	TCP代理方式	局域网设备扶墙	路由器本身扶墙	Wireguard设备扶墙
默认	正常	正常	正常	正常
REDIRECT	正常	正常	正常	正常
TPROXY	失败	正常	正常	正常

paswall 版本信息： PKG_NAME:=luci-app-passwall PKG_VERSION:=4 PKG_RELEASE:=28 PKG_DATE:=20210712

openwrt 信息： openwrt 21.02 rc3 用的 immortalwrt 的 uboot-rockchip 以及 target/linux/rockchip 以及用 r8168 Linux R4S 5.4.128 #0 SMP PREEMPT Wed Jun 30 20:01:25 2021 aarch64 GNU/Linux 自行编译

软路由信息： Friendlyarm NanoPi R4S 4GB

网络环境：电信千兆，桥接光猫，pppoe 拨号，双栈公网

其他内置软件： docker, wireguard, nfs, ddns, upnp, adblock, acme, nlbwmon, luci-app-statistics

日志信息： 2021-07-18 17:00:01: 删除相关防火墙规则完成。 2021-07-18 17:00:04: 重启 dnsmasq 服务 2021-07-18 17:00:04: 清空并关闭相关程序和缓存完成。 2021-07-18 17:00:05: TCP节点：[❻H2.此处隐去节点名称 [NF] [h2] [1]]xxxx.xxxx.xxxxx:2096，监听端口：1041 2021-07-18 17:00:05: UDP节点没有选择或为空，不代理UDP。 2021-07-18 17:00:05: 过滤服务配置：准备接管域名解析... 2021-07-18 17:00:05: + [0]Pdnsd (127.0.0.1:7913)... 2021-07-18 17:00:05: | - [0]上游DNS：8.8.8.8:53 2021-07-18 17:00:05: - 域名解析：pdnsd + 使用(TCP节点)解析域名... 2021-07-18 17:00:05: * 请确认上游 DNS 支持 TCP 查询，如非直连地址，确保 TCP 代理打开，并且已经正确转发！ 2021-07-18 17:00:05: - [0]节点列表中的域名(vpsiplist)：116.228.111.118,180.168.255.18 2021-07-18 17:00:05: - [0]域名白名单(whitelist)：116.228.111.118,180.168.255.18 2021-07-18 17:00:05: - [0]节点订阅域名(whitelist)：116.228.111.118,180.168.255.18 2021-07-18 17:00:05: - [0]代理域名表(blacklist)：127.0.0.1#7913 2021-07-18 17:00:06: - [0]防火墙域名表(gfwlist)：127.0.0.1#7913 2021-07-18 17:00:13: - [0]中国域名表(chnroute)：116.228.111.118,180.168.255.18 2021-07-18 17:00:13: 开始加载防火墙规则... 2021-07-18 17:00:13: 加入负载均衡的节点到ipset[vpsiplist]直连完成 2021-07-18 17:00:13: 加入所有节点到ipset[vpsiplist]直连完成 2021-07-18 17:00:13: 加载路由器自身 TCP 代理... 2021-07-18 17:00:13: - 启用 TPROXY 模式 2021-07-18 17:00:13: - [0]将上游 DNS 服务器 8.8.8.8:53 加入到路由器自身代理的 TCP 转发链2 2021-07-18 17:00:14: TCP默认代理：使用TCP节点防火墙列表代理所有端口 2021-07-18 17:00:14: 防火墙规则加载完成！ 2021-07-18 17:00:17: 重启 dnsmasq 服务 2021-07-18 17:00:18: 运行完成！

TCP.log 信息如下（部分）： Xray 1.4.2 (Xray, Penetrates Everything.) OpenWrt (go1.16.5 linux/arm64) A unified platform for anti-censorship. 2021/07/18 17:02:06 [Info] infra/conf/serial: Reading config: /var/etc/passwall/TCP.json 2021/07/18 17:02:06 [Debug] app/log: Logger started 2021/07/18 17:02:06 [Debug] app/proxyman/inbound: creating stream worker on 0.0.0.0:1041 2021/07/18 17:02:06 [Info] transport/internet/tcp: listening TCP on 0.0.0.0:1041 2021/07/18 17:02:06 [Warning] core: Xray 1.4.2 started 2021/07/18 17:02:29 [Debug] [1277473509] proxy/dokodemo: processing connection from: 58.41.13.6:47763 2021/07/18 17:02:29 [Info] [1277473509] proxy/dokodemo: received request for 58.41.13.6:47763 2021/07/18 17:02:29 [Info] [1277473509] app/dispatcher: default route for tcp:8.8.8.8:53 2021/07/18 17:02:29 58.41.13.6:47763 accepted tcp:8.8.8.8:53 [3987f6dfc4da4c4888a7c6dc685b0121] 2021/07/18 17:02:29 [Debug] transport/internet: dialing to tcp:hkbnjl0.zhs.company:2096 2021/07/18 17:02:30 [Debug] [4144790889] proxy/dokodemo: processing connection from: 58.41.13.6:43238 2021/07/18 17:02:30 [Info] [4144790889] proxy/dokodemo: received request for 58.41.13.6:43238 2021/07/18 17:02:30 [Info] [4144790889] app/dispatcher: default route for tcp:8.8.8.8:53 2021/07/18 17:02:30 58.41.13.6:43238 accepted tcp:8.8.8.8:53 [3987f6dfc4da4c4888a7c6dc685b0121] 2021/07/18 17:02:30 [Info] [1277473509] proxy/vmess/outbound: tunneling request to tcp:8.8.8.8:53 via tcp:hkbnjl0.zhs.company:2096 2021/07/18 17:02:30 [Info] [4144790889] proxy/vmess/outbound: tunneling request to tcp:8.8.8.8:53 via tcp:hkbnjl0.zhs.company:2096 2021/07/18 17:02:30 [Debug] [1186422243] proxy/dokodemo: processing connection from: 58.41.13.6:48925 2021/07/18 17:02:30 [Info] [1186422243] proxy/dokodemo: received request for 58.41.13.6:48925 2021/07/18 17:02:30 [Info] [1186422243] app/dispatcher: default route for tcp:8.8.8.8:53 2021/07/18 17:02:30 58.41.13.6:48925 accepted tcp:8.8.8.8:53 [3987f6dfc4da4c4888a7c6dc685b0121] 2021/07/18 17:02:30 [Debug] [3016637425] proxy/dokodemo: processing connection from: 58.41.13.6:26848 2021/07/18 17:02:30 [Info] [3016637425] proxy/dokodemo: received request for 58.41.13.6:26848 2021/07/18 17:02:30 [Info] [3016637425] app/dispatcher: default route for tcp:8.8.8.8:53 2021/07/18 17:02:30 58.41.13.6:26848 accepted tcp:8.8.8.8:53 [3987f6dfc4da4c4888a7c6dc685b0121] 2021/07/18 17:02:30 [Info] [1186422243] proxy/vmess/outbound: tunneling request to tcp:8.8.8.8:53 via tcp:hkbnjl0.zhs.company:2096 2021/07/18 17:02:30 [Info] [3016637425] proxy/vmess/outbound: tunneling request to tcp:8.8.8.8:53 via tcp:hkbnjl0.zhs.company:2096 2021/07/18 17:02:31 [Debug] [3830069137] proxy/dokodemo: processing connection from: 58.41.13.6:40970 2021/07/18 17:02:31 [Info] [3830069137] proxy/dokodemo: received request for 58.41.13.6:40970 2021/07/18 17:02:31 [Info] [3830069137] app/dispatcher: sniffed domain: www.google.com 2021/07/18 17:02:31 [Info] [3830069137] app/dispatcher: default route for tcp:www.google.com:443 2021/07/18 17:02:31 58.41.13.6:40970 accepted tcp:172.217.174.196:443 [3987f6dfc4da4c4888a7c6dc685b0121] 2021/07/18 17:02:31 [Info] [3830069137] proxy/vmess/outbound: tunneling request to tcp:www.google.com:443 via tcp:hkbnjl0.zhs.company:2096 2021/07/18 17:02:31 [Info] [1277473509] app/proxyman/inbound: connection ends > proxy/dokodemo: connection ends > context canceled 2021/07/18 17:02:31 [Info] [1277473509] app/proxyman/outbound: failed to process outbound traffic > proxy/vmess/outbound: connection ends > context canceled 2021/07/18 17:02:31 [Info] [4144790889] app/proxyman/inbound: connection ends > proxy/dokodemo: connection ends > context canceled 2021/07/18 17:02:31 [Info] [4144790889] app/proxyman/outbound: failed to process outbound traffic > proxy/vmess/outbound: connection ends > context canceled 2021/07/18 17:02:32 [Info] [1186422243] app/proxyman/inbound: connection ends > proxy/dokodemo: connection ends > context canceled 2021/07/18 17:02:32 [Info] [3016637425] app/proxyman/inbound: connection ends > proxy/dokodemo: connection ends > context canceled 2021/07/18 17:02:32 [Info] [3016637425] app/proxyman/outbound: failed to process outbound traffic > proxy/vmess/outbound: connection ends > context canceled 2021/07/18 17:02:32 [Info] [1186422243] app/proxyman/outbound: failed to process outbound traffic > proxy/vmess/outbound: connection ends > context canceled 2021/07/18 17:02:35 [Debug] [3979918850] proxy/dokodemo: processing connection from: 58.41.13.6:45977 2021/07/18 17:02:35 [Info] [3979918850] proxy/dokodemo: received request for 58.41.13.6:45977 2021/07/18 17:02:35 [Info] [3979918850] app/dispatcher: default route for tcp:8.8.8.8:53 2021/07/18 17:02:35 58.41.13.6:45977 accepted tcp:8.8.8.8:53 [3987f6dfc4da4c4888a7c6dc685b0121] 2021/07/18 17:02:35 [Debug] [1953975629] proxy/dokodemo: processing connection from: 58.41.13.6:7921 2021/07/18 17:02:35 [Info] [1953975629] proxy/dokodemo: received request for 58.41.13.6:7921 2021/07/18 17:02:35 [Info] [1953975629] app/dispatcher: default route for tcp:8.8.8.8:53 2021/07/18 17:02:35 58.41.13.6:7921 accepted tcp:8.8.8.8:53 [3987f6dfc4da4c4888a7c6dc685b0121] 2021/07/18 17:02:35 [Info] [3979918850] proxy/vmess/outbound: tunneling request to tcp:8.8.8.8:53 via tcp:hkbnjl0.zhs.company:2096 2021/07/18 17:02:35 [Info] [1953975629] proxy/vmess/outbound: tunneling request to tcp:8.8.8.8:53 via tcp:hkbnjl0.zhs.company:2096 2021/07/18 17:02:36 [Debug] [2428850977] proxy/dokodemo: processing connection from: 58.41.13.6:38334 2021/07/18 17:02:36 [Info] [2428850977] proxy/dokodemo: received request for 58.41.13.6:38334 2021/07/18 17:02:36 [Info] [2428850977] app/dispatcher: sniffed domain: downloads.openwrt.org 2021/07/18 17:02:36 [Info] [2428850977] app/dispatcher: default route for tcp:downloads.openwrt.org:443 2021/07/18 17:02:36 58.41.13.6:38334 accepted tcp:168.119.138.211:443 [3987f6dfc4da4c4888a7c6dc685b0121] 2021/07/18 17:02:36 [Info] [2428850977] proxy/vmess/outbound: tunneling request to tcp:downloads.openwrt.org:443 via tcp:hkbnjl0.zhs.company:2096 2021/07/18 17:02:37 [Info] [3979918850] app/proxyman/inbound: connection ends > proxy/dokodemo: connection ends > context canceled 2021/07/18 17:02:37 [Info] [3979918850] app/proxyman/outbound: failed to process outbound traffic > proxy/vmess/outbound: connection ends > context canceled 2021/07/18 17:02:37 [Info] [1953975629] app/proxyman/inbound: connection ends > proxy/dokodemo: connection ends > context canceled 2021/07/18 17:02:37 [Info] [1953975629] app/proxyman/outbound: failed to process outbound traffic > proxy/vmess/outbound: connection ends > context canceled

passwall 配置文件信息： config global option socks_enabled '0' option udp_node 'nil' option dns_mode 'pdnsd' option up_china_dns 'default' option dns_forward '8.8.8.8' option udp_proxy_mode 'chnroute' option localhost_tcp_proxy_mode 'default' option localhost_udp_proxy_mode 'default' option close_log_tcp '0' option close_log_udp '0' option trojan_loglevel '2' option enabled '1' option tcp_proxy_mode 'gfwlist' option tcp_node '3987f6dfc4da4c4888a7c6dc685b0121' option loglevel 'debug'

config global_haproxy option balancing_enable '0'

config global_delay option auto_on '0' option start_daemon '0' option start_delay '1'

config global_forwarding option process '0' option tcp_no_redir_ports 'disable' option udp_redir_ports '1:65535' option proxy_ipv6 '0' option udp_no_redir_ports 'disable' option tcp_redir_ports '1:65535' option accept_icmp '1' option tcp_proxy_way 'tproxy'

config global_other option nodes_ping 'auto_ping tcping' option ipv6_tproxy '0' option status 'big_icon'

config global_rules option auto_update '0' option chnlist_update '1' option chnroute_update '1' option chnroute6_update '1' option gfwlist_update '1' option gfwlist_url 'https://cdn.jsdelivr.net/gh/YW5vbnltb3Vz/domain-list-community@release/gfwlist.txt' option chnroute_url 'https://ispip.clang.cn/all_cn.txt' option chnroute6_url 'https://ispip.clang.cn/all_cn_ipv6.txt' list chnlist_url 'https://cdn.jsdelivr.net/gh/felixonmars/dnsmasq-china-list/accelerated-domains.china.conf' list chnlist_url 'https://cdn.jsdelivr.net/gh/felixonmars/dnsmasq-china-list/apple.china.conf' list chnlist_url 'https://cdn.jsdelivr.net/gh/felixonmars/dnsmasq-china-list/google.china.conf' option xray_location_asset '/usr/share/xray/' option geosite_update '1' option geoip_update '1'

config global_app option xray_file '/usr/bin/xray' option trojan_go_file '/usr/bin/trojan-go' option kcptun_client_file '/usr/bin/kcptun-client' option brook_file '/usr/bin/brook'

config global_subscribe option subscribe_proxy '0' option auto_update_subscribe '0' option allowInsecure '1' option filter_keyword_mode '2' list filter_keep_list 'HK' list filter_keep_list 'SG'

config auto_switch option enable '0' option testing_time '1' option connect_timeout '3' option retry_num '3'

config nodes '696cd32c1d5149ee95fd1b3accbad6df' option remarks '分流总节点' option type 'Xray' option protocol '_shunt' option youtube 'nil' option netflix 'nil' option TVB 'nil' option Telegram 'nil' option default_node 'nil' option default_proxy '0' option domainStrategy 'IPIfNonMatch'

config shunt_rules 'ads' option remarks '广告' option domain_list 'geosite:category-ads'

config shunt_rules 'China' option remarks 'China' option domain_list 'geosite:cn' option ip_list 'geoip:cn'

config shunt_rules 'Telegram' option remarks 'Telegram' option ip_list '149.154.160.0/20 91.108.4.0/22 91.108.56.0/24 109.239.140.0/24 67.198.55.0/24'

config shunt_rules 'youtube' option remarks 'youtube' option domain_list 'youtube youtube.com youtu.be googlevideo.com ytimg.com gvt2.com'

config shunt_rules 'netflix' option remarks '奈飞' option domain_list 'fast.com netflix netflix.com netflix.net nflxso.net nflxext.com nflximg.com nflximg.net nflxvideo.net netflixdnstest0.com netflixdnstest1.com netflixdnstest2.com netflixdnstest3.com netflixdnstest4.com netflixdnstest5.com netflixdnstest6.com netflixdnstest7.com netflixdnstest8.com netflixdnstest9.com'

config shunt_rules 'TVB' option remarks 'TVB' option domain_list 'tvb.com mytvsuper.com' ...

xiaorouji commented 3 years ago

极有可能是 docker 我这里测试正常

greekstreet commented 3 years ago

极有可能是 docker 我这里测试正常

多谢回复。我试过把dockerd停掉，关闭wireguard, @macvlan等接口，似乎还是不行，不知道该怎么查问题。请问大佬有没有空装个docker帮调试看到底是不是这块问题呢？这个问题奇怪就奇怪在就局域网设备不行，其他都行，或者有什么办法比如防火墙规则 workaround 一下？其实本来用 TPROXY，是体验下 ipv6 TPROXY，结果 ipv4 Tproxy 也是有问题。

xiaorouji commented 3 years ago

/etc/sysctl.d/sysctl-br-netfilter-ip.conf 设置为

net.bridge.bridge-nf-call-ip6tables=0 net.bridge.bridge-nf-call-iptables=0

重启试试

greekstreet commented 3 years ago

/etc/sysctl.d/sysctl-br-netfilter-ip.conf 设置为

net.bridge.bridge-nf-call-ip6tables=0 net.bridge.bridge-nf-call-iptables=0

重启试试

确认可行！太棒了！感谢！🙏 其实不用重启，我直接加到 /etc/sysctl.conf 末尾，然后直接 sysctl -p 生效即可。

经过测试 ipv4 和 ipv6 均没有问题。

70599 commented 2 years ago

那这样对docker有什么影响吗？我自己这样设置后passwall的tproxy正常了，docker也没有感知到问题。但是这两条规则有它的原因吧？

Testeera commented 1 year ago

mark

xiaorouji / openwrt-passwall

TPROXY代理方式迷之问题 #1320