zfl9 / ss-tproxy

ss/v2ray/xray/trojan/hysteria/naive/socks5 透明代理
GNU Affero General Public License v3.0

在树莓派5上运行，不起作用（tproxy模式但ss-redir缺少"tcp_tproxy": true） #260

Closed sophauer closed 10 months ago

sophauer commented 10 months ago

不晓得有没有人遭遇跟我一样的问题。在树莓4（Debian bullseye）上运行完全正常的，搬到树莓5（Debian bookworm）后完全不起作用。检查端口都是up，节点也是正常的，但是无法解析境外网站如facebook、google，可以解析百度；`dig www.facebook.com @127.0.0.1` 显示无法连接8.8.8.8。`ss-tproxy status -x` 输出似乎也没见到错误。

ss-tproxy 调试信息 ``` ++ dnsmasq_log_file=/dev/null ++ dnsmasq_conf_dir=() ++ dnsmasq_conf_file=() ++ dnsmasq_conf_string=() ++ chinadns_for_gfwlist=true ++ chinadns_bind_port=65353 ++ chinadns_chnlist_first=false ++ chinadns_extra_options='-N gtC' ++ chinadns_verbose=false ++ chinadns_logfile=/dev/null ++ dns2tcp_enable=auto ++ dns2tcp_bind_port=65454 ++ dns2tcp_extra_options= ++ dns2tcp_verbose=false ++ dns2tcp_logfile=/dev/null ++ ipts_if_lo=lo ++ ipts_rt_tab=233 ++ ipts_rt_mark=0x2333 ++ ipts_set_snat=true ++ ipts_set_snat6=false ++ ipts_reddns_onstop=223.5.5.5#53 ++ ipts_reddns6_onstop=240C::6666#53 ++ ipts_proxy_dst_port= ++ ipts_drop_quic=always ++ opts_ss_netstat=auto ++ url_gfwlist=https://raw.githubusercontent.com/pexcn/daily/gh-pages/gfwlist/gfwlist.txt ++ url_chnlist=https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/accelerated-domains.china.conf ++ url_chnroute=https://ftp.apnic.net/stats/apnic/delegated-apnic-latest + is_enabled_ipv4 + is_true true + '[' true = true ']' + is_global_mode + '[' chnroute = global ']' + is_gfwlist_mode + '[' chnroute = gfwlist ']' + is_chnroute_mode + '[' chnroute = chnroute ']' + file_required ignlist.ext + file_is_exists ignlist.ext + '[' -f ignlist.ext ']' + file_required chnlist.txt + file_is_exists chnlist.txt + '[' -f chnlist.txt ']' + file_required chnroute.txt + file_is_exists chnroute.txt + '[' -f chnroute.txt ']' + file_required chnroute6.txt + file_is_exists chnroute6.txt + '[' -f chnroute6.txt ']' + file_required gfwlist.txt + file_is_exists gfwlist.txt + '[' -f gfwlist.txt ']' + file_required gfwlist.ext + file_is_exists gfwlist.ext + '[' -f gfwlist.ext ']' + '[' proxy -a proxy '!=' 0 -a proxy '!=' root ']' + '[' proxy_dns -a proxy_dns '!=' 0 -a proxy_dns '!=' root ']' + '[' proxy '!=' proxy_dns ']' + group_is_exists proxy + is_uint proxy + '[' proxy ']' + '[' -z proxy ']' + grep -q '^proxy:' /etc/group + group_is_exists proxy_dns + is_uint proxy_dns + '[' proxy_dns ']' + '[' -z proxy_dns 
']' + grep -q '^proxy_dns:' /etc/group + is_need_iproute + is_tcp_tproxy + is_true true + '[' true = true ']' + command_required ip + command_is_exists ip + type -P ip + command_required ipset + command_is_exists ipset + type -P ipset + is_enabled_ipv4 + is_true true + '[' true = true ']' + command_required iptables + command_is_exists iptables + type -P iptables + is_enabled_ipv6 + is_true false + '[' false = true ']' + '[' '' ']' + dnsmasq_bind_port=60053 + is_built_in_dns + is_false false + is_true false + '[' false = true ']' + set_dns_group dnsmasq + set_command_group proxy_dns dnsmasq + command_required dnsmasq + command_is_exists dnsmasq + type -P dnsmasq ++ command_path dnsmasq ++ type -P dnsmasq + local group=proxy_dns path=/usr/sbin/dnsmasq + chgrp proxy_dns /usr/sbin/dnsmasq + chmod g+xs /usr/sbin/dnsmasq + is_enabled_chinadns + is_chnroute_mode + '[' chnroute = chnroute ']' + set_dns_group chinadns-ng + set_command_group proxy_dns chinadns-ng + command_required chinadns-ng + command_is_exists chinadns-ng + type -P chinadns-ng ++ command_path chinadns-ng ++ type -P chinadns-ng + local group=proxy_dns path=/usr/local/bin/chinadns-ng + chgrp proxy_dns /usr/local/bin/chinadns-ng + chmod g+xs /usr/local/bin/chinadns-ng + is_enabled_dns2tcp + case "$dns2tcp_enable" in + is_enabled_udp + is_false true + is_true true + '[' true = true ']' + set_dns_group dns2tcp + set_command_group proxy_dns dns2tcp + command_required dns2tcp + command_is_exists dns2tcp + type -P dns2tcp ++ command_path dns2tcp ++ type -P dns2tcp + local group=proxy_dns path=/usr/local/bin/dns2tcp + chgrp proxy_dns /usr/local/bin/dns2tcp + chmod g+xs /usr/local/bin/dns2tcp + case "$opts_ss_netstat" in + command_is_exists ss + type -P ss + netstat=ss + load_pidfile + ss_tproxy_is_started + iptables -t mangle -S SSTP_OUTPUT + iptables -t nat -S SSTP_OUTPUT + ip6tables -t mangle -S SSTP_OUTPUT + ip6tables -t nat -S SSTP_OUTPUT + ip -4 rule + grep -q 'lookup 233' + ip -6 rule + grep -q 'lookup 233' 
+ ip -4 route show table 233 + grep -q '^' + ip -6 route show table 233 + grep -q '^' + delete_pidfile + rm -f .ss-tproxy.pid + case "${arg_list[0]}" in + start + ss_tproxy_is_started + iptables -t mangle -S SSTP_OUTPUT + iptables -t nat -S SSTP_OUTPUT + ip6tables -t mangle -S SSTP_OUTPUT + ip6tables -t nat -S SSTP_OUTPUT + ip -4 rule + grep -q 'lookup 233' + ip -6 rule + grep -q 'lookup 233' + ip -4 route show table 233 + grep -q '^' + ip -6 route show table 233 + grep -q '^' + flush_iptables + _flush_iptables iptables + iptables -t mangle -D PREROUTING -j SSTP_PREROUTING + iptables -t mangle -D OUTPUT -j SSTP_OUTPUT + iptables -t nat -D PREROUTING -j SSTP_PREROUTING + iptables -t nat -D OUTPUT -j SSTP_OUTPUT + iptables -t nat -D POSTROUTING -j SSTP_POSTROUTING + for table in mangle nat ++ iptables -t mangle -S ++ grep '^-N SSTP_' ++ awk '{print $2}' + local chain_list= + for table in mangle nat ++ iptables -t nat -S ++ grep '^-N SSTP_' ++ awk '{print $2}' + local 'chain_list=SSTP_POSTROUTING SSTP_PREROUTING' + for chain in $chain_list + iptables -t nat -F SSTP_POSTROUTING + command iptables -w -t nat -F SSTP_POSTROUTING + for chain in $chain_list + iptables -t nat -F SSTP_PREROUTING + command iptables -w -t nat -F SSTP_PREROUTING + for chain in $chain_list + iptables -t nat -X SSTP_POSTROUTING + command iptables -w -t nat -X SSTP_POSTROUTING + for chain in $chain_list + iptables -t nat -X SSTP_PREROUTING + command iptables -w -t nat -X SSTP_PREROUTING + _flush_iptables ip6tables + ip6tables -t mangle -D PREROUTING -j SSTP_PREROUTING + ip6tables -t mangle -D OUTPUT -j SSTP_OUTPUT + ip6tables -t nat -D PREROUTING -j SSTP_PREROUTING + ip6tables -t nat -D OUTPUT -j SSTP_OUTPUT + ip6tables -t nat -D POSTROUTING -j SSTP_POSTROUTING + for table in mangle nat ++ ip6tables -t mangle -S ++ grep '^-N SSTP_' ++ awk '{print $2}' + local chain_list= + for table in mangle nat ++ ip6tables -t nat -S ++ grep '^-N SSTP_' ++ awk '{print $2}' + local chain_list= + call_func 
pre_start + is_func pre_start ++ type -t pre_start + '[' function = function ']' + pre_start + ping -c1 -W1 www.baidu.com + set_kernel_param + is_enabled_ipv4 + is_true true + '[' true = true ']' + sysctl -wq net.ipv4.ip_forward=1 + is_enabled_ipv6 + is_true false + '[' false = true ']' + sysctl_all_iface 4 route_localnet=1 + for path in /proc/sys/net/ipv$1/conf/* + sysctl -wq net/ipv4/conf/all/route_localnet=1 + for path in /proc/sys/net/ipv$1/conf/* + sysctl -wq net/ipv4/conf/default/route_localnet=1 + for path in /proc/sys/net/ipv$1/conf/* + sysctl -wq net/ipv4/conf/end0/route_localnet=1 + for path in /proc/sys/net/ipv$1/conf/* + sysctl -wq net/ipv4/conf/lo/route_localnet=1 + for path in /proc/sys/net/ipv$1/conf/* + sysctl -wq net/ipv4/conf/wlan0/route_localnet=1 + sysctl_all_iface 4 send_redirects=0 + for path in /proc/sys/net/ipv$1/conf/* + sysctl -wq net/ipv4/conf/all/send_redirects=0 + for path in /proc/sys/net/ipv$1/conf/* + sysctl -wq net/ipv4/conf/default/send_redirects=0 + for path in /proc/sys/net/ipv$1/conf/* + sysctl -wq net/ipv4/conf/end0/send_redirects=0 + for path in /proc/sys/net/ipv$1/conf/* + sysctl -wq net/ipv4/conf/lo/send_redirects=0 + for path in /proc/sys/net/ipv$1/conf/* + sysctl -wq net/ipv4/conf/wlan0/send_redirects=0 + start_ipset + is_global_mode + '[' chnroute = global ']' + is_gfwlist_mode + '[' chnroute = gfwlist ']' + is_chnroute_mode + '[' chnroute = chnroute ']' + list_ext_ipv4 ignlist.ext + init_ipset sstp_white + grep '^-' ignlist.ext ++ str_find sstp_white 6 ++ [[ sstp_white == *\6* ]] ++ echo inet + ipset create sstp_white hash:net family inet + cut -c2- + get_ext_whiteip + is_built_in_dns + is_false false + sed 's/^/add sstp_white /' + is_true false + '[' false = true ']' + get_ext_ip - true 192.168.88.1#53 + case "$2" in + ipset '-!' 
restore + list_ext_ipv4 - ++ get_ip_from_addr 192.168.88.1#53 ++ local addr=192.168.88.1#53 ++ echo 192.168.88.1 + cut -c2- + grep '^-' - + echo -192.168.88.1 + get_ext_ip '~' true 240C::6666#53 + case "$2" in ++ get_ip_from_addr 240C::6666#53 ++ local addr=240C::6666#53 ++ echo 240C::6666 + echo '~240C::6666' + cat chnroute.txt + list_ext_ipv6 ignlist.ext + init_ipset sstp_white6 + grep '^~' ignlist.ext + cut -c2- ++ str_find sstp_white6 6 ++ [[ sstp_white6 == *\6* ]] ++ echo inet6 + ipset create sstp_white6 hash:net family inet6 + get_ext_whiteip + is_built_in_dns + is_false false + is_true false + '[' false = true ']' + get_ext_ip - true 192.168.88.1#53 + case "$2" in + list_ext_ipv6 - + grep '^~' - ++ get_ip_from_addr 192.168.88.1#53 + cut -c2- + sed 's/^/add sstp_white6 /' ++ local addr=192.168.88.1#53 + ipset '-!' restore ++ echo 192.168.88.1 + echo -192.168.88.1 + get_ext_ip '~' true 240C::6666#53 + case "$2" in ++ get_ip_from_addr 240C::6666#53 ++ local addr=240C::6666#53 ++ echo 240C::6666 + echo '~240C::6666' + cat chnroute6.txt + list_ext_ipv4 gfwlist.ext + init_ipset sstp_black + grep '^-' gfwlist.ext ++ str_find sstp_black 6 ++ [[ sstp_black == *\6* ]] ++ echo inet + ipset create sstp_black hash:net family inet + cut -c2- + get_ext_blackip + is_built_in_dns + is_false false + is_true false + '[' false = true ']' + sed 's/^/add sstp_black /' + get_ext_ip - true 8.8.8.8#53 + case "$2" in + ipset '-!' 
restore ++ get_ip_from_addr 8.8.8.8#53 + list_ext_ipv4 - ++ local addr=8.8.8.8#53 ++ echo 8.8.8.8 + echo -8.8.8.8 + get_ext_ip '~' true 2001:4860:4860::8888#53 + case "$2" in + grep '^-' - ++ get_ip_from_addr 2001:4860:4860::8888#53 ++ local addr=2001:4860:4860::8888#53 ++ echo 2001:4860:4860::8888 + echo '~2001:4860:4860::8888' + cut -c2- + list_ext_ipv6 gfwlist.ext + init_ipset sstp_black6 + grep '^~' gfwlist.ext + cut -c2- ++ str_find sstp_black6 6 ++ [[ sstp_black6 == *\6* ]] ++ echo inet6 + ipset create sstp_black6 hash:net family inet6 + get_ext_blackip + is_built_in_dns + is_false false + is_true false + '[' false = true ']' + get_ext_ip - true 8.8.8.8#53 + list_ext_ipv6 - + case "$2" in ++ get_ip_from_addr 8.8.8.8#53 + grep '^~' - ++ local addr=8.8.8.8#53 ++ echo 8.8.8.8 + cut -c2- + echo -8.8.8.8 + get_ext_ip '~' true 2001:4860:4860::8888#53 + case "$2" in ++ get_ip_from_addr 2001:4860:4860::8888#53 ++ local addr=2001:4860:4860::8888#53 ++ echo 2001:4860:4860::8888 + echo '~2001:4860:4860::8888' + sed 's/^/add sstp_black6 /' + ipset '-!' 
restore + start_proxyproc + eval start_ss ++ start_ss ++ set_proxy_group ss-redir ++ set_command_group proxy ss-redir ++ command_required ss-redir ++ command_is_exists ss-redir ++ type -P ss-redir +++ command_path ss-redir +++ type -P ss-redir ++ local group=proxy path=/usr/local/bin/ss-redir ++ chgrp proxy /usr/local/bin/ss-redir ++ chmod g+xs /usr/local/bin/ss-redir ++++ nproc +++ seq 1 4 ++ for i in $(seq 1 $(nproc)) ++ ss-redir -c /home/pi/ss.json ++ for i in $(seq 1 $(nproc)) ++ ss-redir -c /home/pi/ss.json ++ for i in $(seq 1 $(nproc)) ++ ss-redir -c /home/pi/ss.json ++ for i in $(seq 1 $(nproc)) ++ ss-redir -c /home/pi/ss.json + start_dnsserver + is_built_in_dns + is_false false + is_true false + '[' false = true ']' + is_enabled_dns2tcp + case "$dns2tcp_enable" in + is_enabled_udp + is_false true + is_true true + '[' true = true ']' + is_enabled_ipv4 + is_true true + '[' true = true ']' ++ start_dns2tcp 1 ++ local args ++ (( 1 )) ++ args='-L 127.0.0.1#65454 -R 8.8.8.8#53' ++ is_true false ++ '[' false = true ']' ++ echo 2286 ++ dns2tcp -L 127.0.0.1#65454 -R 8.8.8.8#53 + sstp_pid_dns2tcp4=2286 + is_enabled_ipv6 + is_true false + '[' false = true ']' + local dns_remote=127.0.0.1#65454 + local dns_remote6=::1#65454 + is_enabled_chinadns + is_chnroute_mode + '[' chnroute = chnroute ']' + start_chinadns + local 'args=-N gtC -b 127.0.0.1 -l 65353' + is_enabled_ipv4 + is_true true + '[' true = true ']' + is_enabled_ipv6 + is_true false + '[' false = true ']' + is_enabled_ipv4 + is_true true + '[' true = true ']' + args+=' -c 192.168.88.1#53' + args+=' -t 127.0.0.1#65454' + is_true false + '[' false = true ']' + is_gfwlist_mode + '[' chnroute = gfwlist ']' ++ trap '' CHLD ++ echo 2288 +++ list_ext_domain gfwlist.ext +++ grep '^@' gfwlist.ext +++ list_ext_domain ignlist.ext +++ cut -c2- +++ cut -c2- +++ grep '^@' ignlist.ext +++ is_true false +++ '[' false = true ']' ++ chinadns-ng -N gtC -b 127.0.0.1 -l 65353 -c 192.168.88.1#53 -t 127.0.0.1#65454 -g 
gfwlist.txt,/dev/fd/63 -m chnlist.txt,/dev/fd/62 -4 sstp_white -6 sstp_white6 -a -A sstp_black,sstp_black6 + sstp_pid_chinadns=2288 ++ echo 'port = 60053' ++ echo 'group = proxy_dns' ++ is_true false ++ '[' false = true ']' ++ echo 'log-facility = /dev/null' ++ echo 'log-async = 20' ++ dnsmasq --keep-in-foreground --conf-file=- ++ echo domain-needed ++ echo no-resolv ++ echo no-negcache ++ echo 'cache-size = 4096' ++ (( dnsmasq_cache_time_min )) ++ echo 2298 ++ grep -q min-cache-ttl ++ dnsmasq --help ++ echo 'min-cache-ttl = 3600' ++ echo 'dns-forward-max = 1024' ++ is_global_mode ++ '[' chnroute = global ']' ++ is_gfwlist_mode ++ '[' chnroute = gfwlist ']' ++ is_chnroute_mode ++ '[' chnroute = chnroute ']' ++ get_chnroute_dnsconf ++ echo 'server = 127.0.0.1#65353' + sstp_pid_dnsmasq=2298 + start_iproute + is_need_iproute + is_tcp_tproxy + is_true true + '[' true = true ']' + is_enabled_ipv4 + is_true true + '[' true = true ']' + _start_iproute -4 + local family=-4 + ip -4 route add local default dev lo table 233 + ip rule help + grep -Fwq protocol + ip -4 rule add fwmark 0x2333 table 233 protocol static + is_enabled_ipv6 + is_true false + '[' false = true ']' + start_iptables + is_enabled_ipv4 + is_true true + '[' true = true ']' + _start_iptables iptables + start_iptables_pre iptables + iptables -t mangle -N SSTP_PREROUTING + command iptables -w -t mangle -N SSTP_PREROUTING + iptables -t mangle -N SSTP_OUTPUT + command iptables -w -t mangle -N SSTP_OUTPUT + iptables -t nat -N SSTP_PREROUTING + command iptables -w -t nat -N SSTP_PREROUTING + iptables -t nat -N SSTP_OUTPUT + command iptables -w -t nat -N SSTP_OUTPUT + iptables -t nat -N SSTP_POSTROUTING + command iptables -w -t nat -N SSTP_POSTROUTING + local loopback_addr loopback_addrx white_setname black_setname + init_iptables_param iptables + is_ipv4_ipts iptables + '[' iptables = iptables ']' + loopback_addr=127.0.0.1 + loopback_addrx=127.0.0.1 + white_setname=sstp_white + black_setname=sstp_black + 
is_drop_quic + case "$ipts_drop_quic" in + true + drop_quic iptables + iptables -t mangle -N SSTP_QUIC + command iptables -w -t mangle -N SSTP_QUIC + is_global_mode + '[' chnroute = global ']' + is_gfwlist_mode + '[' chnroute = gfwlist ']' + is_chnroute_mode + '[' chnroute = chnroute ']' + iptables -t mangle -A SSTP_QUIC -m set --match-set sstp_white dst -m set '!' --match-set sstp_black dst -j RETURN + command iptables -w -t mangle -A SSTP_QUIC -m set --match-set sstp_white dst -m set '!' --match-set sstp_black dst -j RETURN + iptables -t mangle -A SSTP_QUIC -j DROP + command iptables -w -t mangle -A SSTP_QUIC -j DROP + iptables -t mangle -A SSTP_OUTPUT -p udp -m udp --dport 443 -m conntrack --ctdir ORIGINAL -m addrtype '!' --dst-type LOCAL -m owner '!' --gid-owner proxy -j SSTP_QUIC + command iptables -w -t mangle -A SSTP_OUTPUT -p udp -m udp --dport 443 -m conntrack --ctdir ORIGINAL -m addrtype '!' --dst-type LOCAL -m owner '!' --gid-owner proxy -j SSTP_QUIC + is_proxy_other + is_false false + is_true false + '[' false = true ']' + iptables -t mangle -A SSTP_PREROUTING -p udp -m udp --dport 443 -m conntrack --ctdir ORIGINAL -m addrtype '!' --dst-type LOCAL -j SSTP_QUIC + command iptables -w -t mangle -A SSTP_PREROUTING -p udp -m udp --dport 443 -m conntrack --ctdir ORIGINAL -m addrtype '!' 
--dst-type LOCAL -j SSTP_QUIC + is_tcp_tproxy + is_true true + '[' true = true ']' + start_iptables_tproxy iptables + do_proxy_tproxy iptables ++ is_tcp_tproxy ++ is_true true ++ '[' true = true ']' ++ echo 1 + local tcp=1 ++ is_enabled_udp ++ is_false true ++ is_true true ++ '[' true = true ']' ++ echo 0 + local udp=0 + create_sstp_rule iptables tproxy + local table action + '[' tproxy = tproxy ']' + table=mangle + action='-j CONNMARK --set-mark 0x2333' + iptables -t mangle -N SSTP_RULE + command iptables -w -t mangle -N SSTP_RULE + is_global_mode + '[' chnroute = global ']' + is_gfwlist_mode + '[' chnroute = gfwlist ']' + is_chnroute_mode + '[' chnroute = chnroute ']' + iptables -t mangle -A SSTP_RULE -m set --match-set sstp_white dst -m set '!' --match-set sstp_black dst -j RETURN + command iptables -w -t mangle -A SSTP_RULE -m set --match-set sstp_white dst -m set '!' --match-set sstp_black dst -j RETURN + iptables -t mangle -A SSTP_RULE -j CONNMARK --set-mark 0x2333 + command iptables -w -t mangle -A SSTP_RULE -j CONNMARK --set-mark 0x2333 + iptables -t mangle -A SSTP_OUTPUT -m addrtype --dst-type LOCAL -j RETURN + command iptables -w -t mangle -A SSTP_OUTPUT -m addrtype --dst-type LOCAL -j RETURN + iptables -t mangle -A SSTP_OUTPUT -m conntrack --ctdir REPLY -j RETURN + command iptables -w -t mangle -A SSTP_OUTPUT -m conntrack --ctdir REPLY -j RETURN + iptables -t mangle -A SSTP_OUTPUT -m owner --gid-owner proxy -j RETURN + command iptables -w -t mangle -A SSTP_OUTPUT -m owner --gid-owner proxy -j RETURN + (( udp )) + (( tcp )) ++ get_dst_port_match ++ '[' '' ']' + iptables -t mangle -A SSTP_OUTPUT -p tcp -m tcp --syn -j SSTP_RULE + command iptables -w -t mangle -A SSTP_OUTPUT -p tcp -m tcp --syn -j SSTP_RULE + (( udp )) + iptables -t mangle -A SSTP_OUTPUT -m connmark --mark 0x2333 -j MARK --set-mark 0x2333 + command iptables -w -t mangle -A SSTP_OUTPUT -m connmark --mark 0x2333 -j MARK --set-mark 0x2333 + iptables -t mangle -A SSTP_PREROUTING -m addrtype 
--dst-type LOCAL -j RETURN + command iptables -w -t mangle -A SSTP_PREROUTING -m addrtype --dst-type LOCAL -j RETURN + iptables -t mangle -A SSTP_PREROUTING -m conntrack --ctdir REPLY -j RETURN + command iptables -w -t mangle -A SSTP_PREROUTING -m conntrack --ctdir REPLY -j RETURN + is_proxy_other + is_false false + is_true false + '[' false = true ']' + (( tcp )) ++ get_dst_port_match ++ '[' '' ']' + iptables -t mangle -A SSTP_PREROUTING -p tcp -m tcp --syn -m addrtype '!' --src-type LOCAL -j SSTP_RULE + command iptables -w -t mangle -A SSTP_PREROUTING -p tcp -m tcp --syn -m addrtype '!' --src-type LOCAL -j SSTP_RULE + (( udp )) + (( tcp )) + iptables -t mangle -A SSTP_PREROUTING -p tcp -m connmark --mark 0x2333 -j TPROXY --on-ip 127.0.0.1 --on-port 60080 --tproxy-mark 0x2333 + command iptables -w -t mangle -A SSTP_PREROUTING -p tcp -m connmark --mark 0x2333 -j TPROXY --on-ip 127.0.0.1 --on-port 60080 --tproxy-mark 0x2333 + (( udp )) + redir_dns_request iptables + iptables -t nat -A SSTP_OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW -m owner '!' --gid-owner proxy -m owner '!' --gid-owner proxy_dns -j REDIRECT --to-ports 60053 + command iptables -w -t nat -A SSTP_OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW -m owner '!' --gid-owner proxy -m owner '!' --gid-owner proxy_dns -j REDIRECT --to-ports 60053 + iptables -t nat -A SSTP_POSTROUTING -d 127.0.0.1 '!' -s 127.0.0.1 -j SNAT --to-source 127.0.0.1 + command iptables -w -t nat -A SSTP_POSTROUTING -d 127.0.0.1 '!' -s 127.0.0.1 -j SNAT --to-source 127.0.0.1 + is_proxy_other + is_false false + is_true false + '[' false = true ']' + iptables -t nat -A SSTP_PREROUTING -p udp -m udp --dport 53 -m conntrack --ctstate NEW -m addrtype '!' --src-type LOCAL -j REDIRECT --to-ports 60053 + command iptables -w -t nat -A SSTP_PREROUTING -p udp -m udp --dport 53 -m conntrack --ctstate NEW -m addrtype '!' 
--src-type LOCAL -j REDIRECT --to-ports 60053 + is_proxy_other + is_false false + is_true false + '[' false = true ']' + add_snat_rule iptables + is_ipv4_ipts iptables + '[' iptables = iptables ']' + is_false true + is_true true + '[' true = true ']' + iptables -t nat -N SSTP_POSTROUTING + iptables -t nat -A SSTP_POSTROUTING -m owner '!' --socket-exists -m conntrack --ctstate NEW,RELATED --ctdir ORIGINAL -m conntrack '!' --ctstate SNAT,DNAT -j MASQUERADE + command iptables -w -t nat -A SSTP_POSTROUTING -m owner '!' --socket-exists -m conntrack --ctstate NEW,RELATED --ctdir ORIGINAL -m conntrack '!' --ctstate SNAT,DNAT -j MASQUERADE + start_iptables_post iptables + iptables -t mangle -A PREROUTING -j SSTP_PREROUTING + command iptables -w -t mangle -A PREROUTING -j SSTP_PREROUTING + iptables -t mangle -A OUTPUT -j SSTP_OUTPUT + command iptables -w -t mangle -A OUTPUT -j SSTP_OUTPUT + iptables -t nat -A PREROUTING -j SSTP_PREROUTING + command iptables -w -t nat -A PREROUTING -j SSTP_PREROUTING + iptables -t nat -A OUTPUT -j SSTP_OUTPUT + command iptables -w -t nat -A OUTPUT -j SSTP_OUTPUT + iptables -t nat -A POSTROUTING -j SSTP_POSTROUTING + command iptables -w -t nat -A POSTROUTING -j SSTP_POSTROUTING + is_enabled_ipv6 + is_true false + '[' false = true ']' + call_func post_start + is_func post_start ++ type -t post_start + '[' function = function ']' + post_start + return + save_pidfile + is_built_in_dns + is_false false + is_true false + '[' false = true ']' + echo sstp_pid_dnsmasq=2298 + echo sstp_pid_chinadns=2288 + echo sstp_pid_dns2tcp4=2286 + echo sstp_pid_dns2tcp6= + call_func extra_pid + is_func extra_pid ++ type -t extra_pid + '[' function = function ']' + extra_pid + return + delete_unused_chain + is_enabled_ipv4 + is_true true + '[' true = true ']' + _delete_unused_chain iptables + list=('mangle' 'PREROUTING' 'mangle' 'OUTPUT' 'nat' 'PREROUTING' 'nat' 'OUTPUT' 'nat' 'POSTROUTING') + local list + (( i = 0 )) + (( i < 10 )) + local table=mangle 
chain=PREROUTING + chain_is_empty iptables mangle SSTP_PREROUTING + local table=mangle chain=SSTP_PREROUTING ++ iptables -t mangle -S SSTP_PREROUTING ++ command iptables -w -t mangle -S SSTP_PREROUTING ++ wc -l + '[' 6 -le 1 ']' + (( i += 2 )) + (( i < 10 )) + local table=mangle chain=OUTPUT + chain_is_empty iptables mangle SSTP_OUTPUT + local table=mangle chain=SSTP_OUTPUT ++ iptables -t mangle -S SSTP_OUTPUT ++ wc -l ++ command iptables -w -t mangle -S SSTP_OUTPUT + '[' 7 -le 1 ']' + (( i += 2 )) + (( i < 10 )) + local table=nat chain=PREROUTING + chain_is_empty iptables nat SSTP_PREROUTING + local table=nat chain=SSTP_PREROUTING ++ iptables -t nat -S SSTP_PREROUTING ++ command iptables -w -t nat -S SSTP_PREROUTING ++ wc -l + '[' 2 -le 1 ']' + (( i += 2 )) + (( i < 10 )) + local table=nat chain=OUTPUT + chain_is_empty iptables nat SSTP_OUTPUT + local table=nat chain=SSTP_OUTPUT ++ iptables -t nat -S SSTP_OUTPUT ++ wc -l ++ command iptables -w -t nat -S SSTP_OUTPUT + '[' 2 -le 1 ']' + (( i += 2 )) + (( i < 10 )) + local table=nat chain=POSTROUTING + chain_is_empty iptables nat SSTP_POSTROUTING + local table=nat chain=SSTP_POSTROUTING ++ iptables -t nat -S SSTP_POSTROUTING ++ wc -l ++ command iptables -w -t nat -S SSTP_POSTROUTING + '[' 3 -le 1 ']' + (( i += 2 )) + (( i < 10 )) + is_enabled_ipv6 + is_true false + '[' false = true ']' + status ++ font_bold chnroute ++ printf '\e[1mchnroute\e[0m' + echo -e 'mode:\t\tchnroute' mode: chnroute + _status proxy/tcp tcp_port_is_exists 60080 + local name=proxy/tcp func=tcp_port_is_exists + shift 2 + tcp_port_is_exists 60080 + ss -lnpt + grep -q ':60080[[:blank:]]' ++ color_green '[running]' ++ printf '\e[32m[running]\e[0m' + echo -e 'proxy/tcp:\t[running]' proxy/tcp: [running] + is_enabled_udp + is_false true + is_true true + '[' true = true ']' + is_built_in_dns + is_false false + is_true false + '[' false = true ']' + _status dnsmasq process_is_running 2298 + local name=dnsmasq func=process_is_running + shift 2 + 
process_is_running 2298 + kill -0 2298 ++ color_green '[running]' ++ printf '\e[32m[running]\e[0m' + echo -e 'dnsmasq:\t[running]' dnsmasq: [running] + is_enabled_chinadns + is_chnroute_mode + '[' chnroute = chnroute ']' + _status chinadns process_is_running 2288 + local name=chinadns func=process_is_running + shift 2 + process_is_running 2288 + kill -0 2288 ++ color_green '[running]' ++ printf '\e[32m[running]\e[0m' + echo -e 'chinadns:\t[running]' chinadns: [running] + is_enabled_dns2tcp + case "$dns2tcp_enable" in + is_enabled_udp + is_false true + is_true true + '[' true = true ']' + is_enabled_ipv4 + is_true true + '[' true = true ']' + _status dns2tcp4 process_is_running 2286 + local name=dns2tcp4 func=process_is_running + shift 2 + process_is_running 2286 + kill -0 2286 ++ color_green '[running]' ++ printf '\e[32m[running]\e[0m' + echo -e 'dns2tcp4:\t[running]' dns2tcp4: [running] + is_enabled_dns2tcp + case "$dns2tcp_enable" in + is_enabled_udp + is_false true + is_true true + '[' true = true ']' + is_enabled_ipv6 + is_true false + '[' false = true ']' + call_func extra_status + is_func extra_status ++ type -t extra_status + '[' function = function ']' + extra_status + return + return 0 root@rpi5:/home/pi# clear root@rpi5:/home/pi# ss-tproxy status -x + (( ++i )) + (( i < 2 )) + '[' 1 -eq 0 ']' + '[' /etc/ss-tproxy ']' + '[' ss-tproxy.conf ']' + cd -- /etc/ss-tproxy + load_config + file_required ss-tproxy.conf + file_is_exists ss-tproxy.conf + '[' -f ss-tproxy.conf ']' + source ss-tproxy.conf status ++ mode=chnroute ++ ipv4=true ++ ipv6=false ++ tproxy=true ++ tcponly=true ++ selfonly=false ++ proxy_procgroup=proxy ++ proxy_tcpport=60080 ++ proxy_udpport=60080 ++ proxy_startcmd=start_ss ++ proxy_stopcmd=stop_ss ++ dns_custom=false ++ dns_procgroup=proxy_dns ++ dns_mainport=60053 ++ dns_direct=192.168.88.1#53 ++ dns_direct6=240C::6666#53 ++ dns_direct_white=true ++ dns_direct6_white=true ++ dns_remote=8.8.8.8#53 ++ dns_remote6=2001:4860:4860::8888#53 ++ 
dns_remote_black=true ++ dns_remote6_black=true ++ dnsmasq_bind_port= ++ dnsmasq_cache_size=4096 ++ dnsmasq_cache_time_min=3600 ++ dnsmasq_query_maxcnt=1024 ++ dnsmasq_log_enable=false ++ dnsmasq_log_file=/dev/null ++ dnsmasq_conf_dir=() ++ dnsmasq_conf_file=() ++ dnsmasq_conf_string=() ++ chinadns_for_gfwlist=true ++ chinadns_bind_port=65353 ++ chinadns_chnlist_first=false ++ chinadns_extra_options='-N gtC' ++ chinadns_verbose=false ++ chinadns_logfile=/dev/null ++ dns2tcp_enable=auto ++ dns2tcp_bind_port=65454 ++ dns2tcp_extra_options= ++ dns2tcp_verbose=false ++ dns2tcp_logfile=/dev/null ++ ipts_if_lo=lo ++ ipts_rt_tab=233 ++ ipts_rt_mark=0x2333 ++ ipts_set_snat=true ++ ipts_set_snat6=false ++ ipts_reddns_onstop=223.5.5.5#53 ++ ipts_reddns6_onstop=240C::6666#53 ++ ipts_proxy_dst_port= ++ ipts_drop_quic=always ++ opts_ss_netstat=auto ++ url_gfwlist=https://raw.githubusercontent.com/pexcn/daily/gh-pages/gfwlist/gfwlist.txt ++ url_chnlist=https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/accelerated-domains.china.conf ++ url_chnroute=https://ftp.apnic.net/stats/apnic/delegated-apnic-latest + is_enabled_ipv4 + is_true true + '[' true = true ']' + is_global_mode + '[' chnroute = global ']' + is_gfwlist_mode + '[' chnroute = gfwlist ']' + is_chnroute_mode + '[' chnroute = chnroute ']' + file_required ignlist.ext + file_is_exists ignlist.ext + '[' -f ignlist.ext ']' + file_required chnlist.txt + file_is_exists chnlist.txt + '[' -f chnlist.txt ']' + file_required chnroute.txt + file_is_exists chnroute.txt + '[' -f chnroute.txt ']' + file_required chnroute6.txt + file_is_exists chnroute6.txt + '[' -f chnroute6.txt ']' + file_required gfwlist.txt + file_is_exists gfwlist.txt + '[' -f gfwlist.txt ']' + file_required gfwlist.ext + file_is_exists gfwlist.ext + '[' -f gfwlist.ext ']' + '[' proxy -a proxy '!=' 0 -a proxy '!=' root ']' + '[' proxy_dns -a proxy_dns '!=' 0 -a proxy_dns '!=' root ']' + '[' proxy '!=' proxy_dns ']' + group_is_exists proxy + 
is_uint proxy + '[' proxy ']' + '[' -z proxy ']' + grep -q '^proxy:' /etc/group + group_is_exists proxy_dns + is_uint proxy_dns + '[' proxy_dns ']' + '[' -z proxy_dns ']' + grep -q '^proxy_dns:' /etc/group + is_need_iproute + is_tcp_tproxy + is_true true + '[' true = true ']' + command_required ip + command_is_exists ip + type -P ip + command_required ipset + command_is_exists ipset + type -P ipset + is_enabled_ipv4 + is_true true + '[' true = true ']' + command_required iptables + command_is_exists iptables + type -P iptables + is_enabled_ipv6 + is_true false + '[' false = true ']' + '[' '' ']' + dnsmasq_bind_port=60053 + is_built_in_dns + is_false false + is_true false + '[' false = true ']' + set_dns_group dnsmasq + set_command_group proxy_dns dnsmasq + command_required dnsmasq + command_is_exists dnsmasq + type -P dnsmasq ++ command_path dnsmasq ++ type -P dnsmasq + local group=proxy_dns path=/usr/sbin/dnsmasq + chgrp proxy_dns /usr/sbin/dnsmasq + chmod g+xs /usr/sbin/dnsmasq + is_enabled_chinadns + is_chnroute_mode + '[' chnroute = chnroute ']' + set_dns_group chinadns-ng + set_command_group proxy_dns chinadns-ng + command_required chinadns-ng + command_is_exists chinadns-ng + type -P chinadns-ng ++ command_path chinadns-ng ++ type -P chinadns-ng + local group=proxy_dns path=/usr/local/bin/chinadns-ng + chgrp proxy_dns /usr/local/bin/chinadns-ng + chmod g+xs /usr/local/bin/chinadns-ng + is_enabled_dns2tcp + case "$dns2tcp_enable" in + is_enabled_udp + is_false true + is_true true + '[' true = true ']' + set_dns_group dns2tcp + set_command_group proxy_dns dns2tcp + command_required dns2tcp + command_is_exists dns2tcp + type -P dns2tcp ++ command_path dns2tcp ++ type -P dns2tcp + local group=proxy_dns path=/usr/local/bin/dns2tcp + chgrp proxy_dns /usr/local/bin/dns2tcp + chmod g+xs /usr/local/bin/dns2tcp + case "$opts_ss_netstat" in + command_is_exists ss + type -P ss + netstat=ss + load_pidfile + ss_tproxy_is_started + iptables -t mangle -S SSTP_OUTPUT + source 
.ss-tproxy.pid ++ sstp_pid_dnsmasq=2298 ++ sstp_pid_chinadns=2288 ++ sstp_pid_dns2tcp4=2286 ++ sstp_pid_dns2tcp6= + case "${arg_list[0]}" in + status ++ font_bold chnroute ++ printf '\e[1mchnroute\e[0m' + echo -e 'mode:\t\tchnroute' mode: chnroute + _status proxy/tcp tcp_port_is_exists 60080 + local name=proxy/tcp func=tcp_port_is_exists + shift 2 + tcp_port_is_exists 60080 + ss -lnpt + grep -q ':60080[[:blank:]]' ++ color_green '[running]' ++ printf '\e[32m[running]\e[0m' + echo -e 'proxy/tcp:\t[running]' proxy/tcp: [running] + is_enabled_udp + is_false true + is_true true + '[' true = true ']' + is_built_in_dns + is_false false + is_true false + '[' false = true ']' + _status dnsmasq process_is_running 2298 + local name=dnsmasq func=process_is_running + shift 2 + process_is_running 2298 + kill -0 2298 ++ color_green '[running]' ++ printf '\e[32m[running]\e[0m' + echo -e 'dnsmasq:\t[running]' dnsmasq: [running] + is_enabled_chinadns + is_chnroute_mode + '[' chnroute = chnroute ']' + _status chinadns process_is_running 2288 + local name=chinadns func=process_is_running + shift 2 + process_is_running 2288 + kill -0 2288 ++ color_green '[running]' ++ printf '\e[32m[running]\e[0m' + echo -e 'chinadns:\t[running]' chinadns: [running] + is_enabled_dns2tcp + case "$dns2tcp_enable" in + is_enabled_udp + is_false true + is_true true + '[' true = true ']' + is_enabled_ipv4 + is_true true + '[' true = true ']' + _status dns2tcp4 process_is_running 2286 + local name=dns2tcp4 func=process_is_running + shift 2 + process_is_running 2286 + kill -0 2286 ++ color_green '[running]' ++ printf '\e[32m[running]\e[0m' + echo -e 'dns2tcp4:\t[running]' dns2tcp4: [running] + is_enabled_dns2tcp + case "$dns2tcp_enable" in + is_enabled_udp + is_false true + is_true true + '[' true = true ']' + is_enabled_ipv6 + is_true false + '[' false = true ']' + call_func extra_status + is_func extra_status ++ type -t extra_status + '[' function = function ']' + extra_status + return + return 0 ```
zfl9 commented 10 months ago

描述具体点,什么症状。

ss-tproxy restart 是否有报错?

ss-tproxy 主机上,是否正常访问国内(baidu.com)、国外(google.com)?

sophauer commented 10 months ago

检查端口都是up,节点也是正常的,但是无法解析境外网站如facebook,google,可以解析百度 dig www.facebook.com @127.0.0.1 显示无法连接8.8.8.8 ss-tproxy status -x输出,似乎也没见到错误

检查端口都是up,节点也是正常的,但是无法解析境外网站如facebook,google,可以解析百度 dig www.facebook.com @127.0.0.1 显示无法连接8.8.8.8 ss-tproxy start完全没错误

zfl9 commented 10 months ago

试试 tcponly='true' 模式

sophauer commented 10 months ago

试试 tcponly='true' 模式

节点是自建的,我知道不支持UDP,所以一直是tcponly='true'

sophauer commented 10 months ago

我想说的是,完全一样的配置,在树莓4用bullseye可以上,树莓5用bookworm不能上,原本以为是selinux问题,disable selinux问题依旧

zfl9 commented 10 months ago

iptables -t raw -S
iptables -t mangle -S
iptables -t nat -S
iptables -t filter -S

发来看下规则

zfl9 commented 10 months ago

也可以试试 dns_remote 把 8.8.8.8 改为 1.1.1.1

sophauer commented 10 months ago

iptables -t mangle -S

root@rpi5:/etc/ss-tproxy# iptables -t raw -S
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
root@rpi5:/etc/ss-tproxy# iptables -t mangle -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N SSTP_OUTPUT
-N SSTP_PREROUTING
-N SSTP_QUIC
-N SSTP_RULE
-A PREROUTING -j SSTP_PREROUTING
-A OUTPUT -j SSTP_OUTPUT
-A SSTP_OUTPUT -p udp -m udp --dport 443 -m conntrack --ctdir ORIGINAL -m addrtype ! --dst-type LOCAL -m owner ! --gid-owner 13 -j SSTP_QUIC
-A SSTP_OUTPUT -m addrtype --dst-type LOCAL -j RETURN
-A SSTP_OUTPUT -m conntrack --ctdir REPLY -j RETURN
-A SSTP_OUTPUT -m owner --gid-owner 13 -j RETURN
-A SSTP_OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SSTP_RULE
-A SSTP_OUTPUT -m connmark --mark 0x2333 -j MARK --set-xmark 0x2333/0xffffffff
-A SSTP_PREROUTING -p udp -m udp --dport 443 -m conntrack --ctdir ORIGINAL -m addrtype ! --dst-type LOCAL -j SSTP_QUIC
-A SSTP_PREROUTING -m addrtype --dst-type LOCAL -j RETURN
-A SSTP_PREROUTING -m conntrack --ctdir REPLY -j RETURN
-A SSTP_PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m addrtype ! --src-type LOCAL -j SSTP_RULE
-A SSTP_PREROUTING -p tcp -m connmark --mark 0x2333 -j TPROXY --on-port 60080 --on-ip 127.0.0.1 --tproxy-mark 0x2333/0xffffffff
-A SSTP_QUIC -m set --match-set sstp_white dst -m set ! --match-set sstp_black dst -j RETURN
-A SSTP_QUIC -j DROP
-A SSTP_RULE -m set --match-set sstp_white dst -m set ! --match-set sstp_black dst -j RETURN
-A SSTP_RULE -j CONNMARK --set-xmark 0x2333/0xffffffff
root@rpi5:/etc/ss-tproxy# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N SSTP_OUTPUT
-N SSTP_POSTROUTING
-N SSTP_PREROUTING
-A PREROUTING -j SSTP_PREROUTING
-A OUTPUT -j SSTP_OUTPUT
-A POSTROUTING -j SSTP_POSTROUTING
-A SSTP_OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW -m owner ! --gid-owner 13 -m owner ! --gid-owner 1001 -j REDIRECT --to-ports 60053
-A SSTP_POSTROUTING ! -s 127.0.0.1/32 -d 127.0.0.1/32 -j SNAT --to-source 127.0.0.1
-A SSTP_POSTROUTING -m owner ! --socket-exists -m conntrack --ctstate NEW,RELATED --ctdir ORIGINAL -m conntrack ! --ctstate SNAT,DNAT -j MASQUERADE
-A SSTP_PREROUTING -p udp -m udp --dport 53 -m conntrack --ctstate NEW -m addrtype ! --src-type LOCAL -j REDIRECT --to-ports 60053
root@rpi5:/etc/ss-tproxy# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

sophauer commented 10 months ago

另外树莓5的网卡名称不是eth0,是end0 这有影响吗

sophauer commented 10 months ago

也可以试试 dns_remote 把 8.8.8.8 改为 1.1.1.1 一样

root@rpi5:/etc/ss-tproxy# dig www.google.com
^C
root@rpi5:/etc/ss-tproxy# dig www.google.com @127.0.0.1
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> www.google.com @127.0.0.1
;; global options: +cmd
;; no servers could be reached

zfl9 commented 10 months ago

试下: dig @127.0.0.1 -p65454 www.google.com

zfl9 commented 10 months ago

另外树莓5的网卡名称不是eth0,是end0 这有影响吗

没影响,不关心网卡名。

sophauer commented 10 months ago

试下: dig @127.0.0.1 -p65454 www.google.com

root@rpi5:/etc/ss-tproxy# dig @127.0.0.1 -p65454 www.google.com
;; communications error to 127.0.0.1#65454: timed out
;; communications error to 127.0.0.1#65454: timed out
;; communications error to 127.0.0.1#65454: timed out

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> @127.0.0.1 -p65454 www.google.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached

端口65454是up的

root@rpi5:/etc/ss-tproxy# lsof -n -i :65454
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dns2tcp 2708 root 3u IPv4 24822 0t0 UDP 127.0.0.1:65454

zfl9 commented 10 months ago

你把 dns2tcp 的 log 开一下(/dev/null改为一个log路径,verbose=true设置下),然后重新 dig 65454 端口,看下 dns2tcp 的 log 什么情况。

zfl9 commented 10 months ago

我看你设置的是 tproxy=true 模式,你 ss.json 里面有设置 "tcp_tproxy": true 吗?(上面 mangle 表里的 `-j TPROXY --on-port 60080` 规则会把 TCP 连接交给 60080 端口,ss-redir 只有开启 tcp_tproxy 才能接收这类连接)

sophauer commented 10 months ago

我看你设置的是 tproxy=true 模式,你 ss.json 里面有设置 "tcp_tproxy": true 吗?

晕倒,大佬果然是大佬.,问题就出在这,修改好一切正常了 感谢,请原谅我的愚蠢