Status: Closed (redrohu closed this issue 5 years ago)
Please enable the ipts_set_snat option
Phicomm N1 running Armbian (192.168.0.218) as a bypass gateway.
1. Install ss-tproxy first (ipts_set_snat defaults to false at this point), then install docker; after that, set ipts_set_snat to true, and everything works normally.
2. Install ss-tproxy first and set ipts_set_snat to true, then install docker; in this case domestic websites still cannot be reached.
Below are the iptables rules corresponding to cases 1 and 2 respectively:
==> iptables-mangle <==
Chain PREROUTING (policy ACCEPT 885 packets, 626K bytes)
num pkts bytes target prot opt in out source destination
1 885 626K SSTP_PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 88 packets, 7556 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 797 packets, 618K bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 51 packets, 5128 bytes)
num pkts bytes target prot opt in out source destination
1 51 5128 SSTP_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 848 packets, 624K bytes)
num pkts bytes target prot opt in out source destination
Chain SSTP_PREROUTING (1 references)
num pkts bytes target prot opt in out source destination
1 10 622 RETURN udp -- !lo * 192.168.0.0/16 0.0.0.0/0 udp dpt:53
2 386 67367 SSTP_RULE tcp -- !lo * 192.168.0.0/16 !192.168.0.0/16
3 15 1278 SSTP_RULE udp -- !lo * 192.168.0.0/16 !192.168.0.0/16
4 0 0 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2333 TPROXY redirect 127.0.0.1:60080 mark 0x0/0x0
5 0 0 TPROXY udp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2333 TPROXY redirect 127.0.0.1:60080 mark 0x0/0x0
Chain SSTP_OUTPUT (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN all -- * lo 0.0.0.0/0 0.0.0.0/0
2 36 3499 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16
3 0 0 SSTP_RULE tcp -- * * 0.0.0.0/0 0.0.0.0/0
4 10 622 SSTP_RULE udp -- * * 0.0.0.0/0 0.0.0.0/0
Chain SSTP_RULE (4 references)
num pkts bytes target prot opt in out source destination
1 411 69267 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
2 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2333
3 0 0 RETURN tcp -- * * 0.0.0.0/0 34.80.246.250 multiport dports 80,443,1:65535
4 0 0 RETURN udp -- * * 0.0.0.0/0 34.80.246.250 multiport dports 80,443,1:65535
5 10 622 RETURN udp -- * * 0.0.0.0/0 114.114.114.114 udp dpt:53
6 0 0 MARK udp -- * * 0.0.0.0/0 8.8.8.8 udp dpt:53 MARK set 0x2333
7 0 0 RETURN udp -- * * 0.0.0.0/0 8.8.8.8 udp dpt:53
8 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set gfwlist dst multiport dports 1:65535 tcp flags:0x17/0x02 MARK set 0x2333
9 0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 match-set gfwlist dst multiport dports 1:65535 ctstate NEW MARK set 0x2333
10 401 68645 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
==> iptables-nat <==
Chain PREROUTING (policy ACCEPT 41 packets, 2532 bytes)
num pkts bytes target prot opt in out source destination
1 46 2843 SSTP_PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 14 packets, 1123 bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
2 37 2031 SSTP_POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:9000
Chain OUTPUT (policy ACCEPT 5 packets, 311 bytes)
num pkts bytes target prot opt in out source destination
1 5 311 SSTP_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain SSTP_PREROUTING (1 references)
num pkts bytes target prot opt in out source destination
1 5 311 REDIRECT udp -- !lo * 192.168.0.0/16 0.0.0.0/0 udp dpt:53 redir ports 60053
Chain SSTP_OUTPUT (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 REDIRECT udp -- * lo 0.0.0.0/0 127.0.0.1 udp dpt:53 redir ports 60053
Chain SSTP_POSTROUTING (1 references)
num pkts bytes target prot opt in out source destination
1 31 1668 MASQUERADE tcp -- * * 192.168.0.0/16 !192.168.0.0/16 tcp flags:0x17/0x02
2 6 363 MASQUERADE udp -- * * 192.168.0.0/16 !192.168.0.0/16 ctstate NEW
3 0 0 MASQUERADE icmp -- * * 192.168.0.0/16 !192.168.0.0/16 ctstate NEW
Chain DOCKER (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
2 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9000 to:172.17.0.2:9000
=================================================================
==> iptables-mangle <==
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 1181 84552 SSTP_PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 293 39034 SSTP_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain SSTP_PREROUTING (1 references)
num pkts bytes target prot opt in out source destination
1 22 1406 RETURN udp -- !lo * 192.168.0.0/16 0.0.0.0/0 udp dpt:53
2 709 38251 SSTP_RULE tcp -- !lo * 192.168.0.0/16 !192.168.0.0/16
3 84 6305 SSTP_RULE udp -- !lo * 192.168.0.0/16 !192.168.0.0/16
4 0 0 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2333 TPROXY redirect 127.0.0.1:60080 mark 0x0/0x0
5 0 0 TPROXY udp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2333 TPROXY redirect 127.0.0.1:60080 mark 0x0/0x0
Chain SSTP_OUTPUT (1 references)
num pkts bytes target prot opt in out source destination
1 24 2379 RETURN all -- * lo 0.0.0.0/0 0.0.0.0/0
2 137 26431 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16
3 5 200 SSTP_RULE tcp -- * * 0.0.0.0/0 0.0.0.0/0
4 120 8806 SSTP_RULE udp -- * * 0.0.0.0/0 0.0.0.0/0
Chain SSTP_RULE (4 references)
num pkts bytes target prot opt in out source destination
1 918 53562 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
2 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2333
3 0 0 RETURN tcp -- * * 0.0.0.0/0 34.80.246.250 multiport dports 80,443,1:65535
4 0 0 RETURN udp -- * * 0.0.0.0/0 34.80.246.250 multiport dports 80,443,1:65535
5 28 1814 RETURN udp -- * * 0.0.0.0/0 114.114.114.114 udp dpt:53
6 0 0 MARK udp -- * * 0.0.0.0/0 8.8.8.8 udp dpt:53 MARK set 0x2333
7 0 0 RETURN udp -- * * 0.0.0.0/0 8.8.8.8 udp dpt:53
8 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set gfwlist dst multiport dports 1:65535 tcp flags:0x17/0x02 MARK set 0x2333
9 0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 match-set gfwlist dst multiport dports 1:65535 ctstate NEW MARK set 0x2333
10 890 51748 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
==> iptables-nat <==
Chain PREROUTING (policy ACCEPT 749 packets, 44136 bytes)
num pkts bytes target prot opt in out source destination
1 19 1613 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
2 759 44759 SSTP_PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 111 packets, 9024 bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 11 packets, 693 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
2 0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:9000
3 38 2595 SSTP_POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 39 packets, 2652 bytes)
num pkts bytes target prot opt in out source destination
1 45 3054 SSTP_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
3 32 2193 SSTP_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain SSTP_OUTPUT (2 references)
num pkts bytes target prot opt in out source destination
1 6 402 REDIRECT udp -- * lo 0.0.0.0/0 127.0.0.1 udp dpt:53 redir ports 60053
2 0 0 REDIRECT udp -- * lo 0.0.0.0/0 127.0.0.1 udp dpt:53 redir ports 60053
Chain DOCKER (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
2 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9000 to:172.17.0.2:9000
Chain SSTP_PREROUTING (1 references)
num pkts bytes target prot opt in out source destination
1 15 949 REDIRECT udp -- !lo * 192.168.0.0/16 0.0.0.0/0 udp dpt:53 redir ports 60053
Chain SSTP_POSTROUTING (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 MASQUERADE tcp -- * * 192.168.0.0/16 !192.168.0.0/16 tcp flags:0x17/0x02
2 32 2193 MASQUERADE udp -- * * 192.168.0.0/16 !192.168.0.0/16 ctstate NEW
3 0 0 MASQUERADE icmp -- * * 192.168.0.0/16 !192.168.0.0/16 ctstate NEW
I'm not sure exactly which rules docker sets up. In any case, with the set_snat option set to true, if it conflicts with docker, try restarting ss-tproxy and see? Have you tried that?
I suspect it is related to rule order. Edit the /usr/local/bin/ss-tproxy script, find the start_iptables_post_rules function, and change -A to -I. Then, after installing docker, restart ss-tproxy and see whether that resolves the conflict.
Changing -A to -I in the start_iptables_post_rules function did not work either. Appending the following to ss-tproxy.conf:
post_start() {
iptables -P FORWARD ACCEPT
}
solved the problem.
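The post_start hook above works because Docker sets the filter table's FORWARD policy to DROP when it starts with iptables management enabled; LAN hosts' traffic to domestic sites is plain forwarded traffic (only gfwlist destinations are TPROXY'd into a local socket), so it is exactly the traffic that policy discards. `iptables -P FORWARD ACCEPT` fixes that by throwing the DROP default away for every source, containers included. The script below is an added example, not code from the ss-tproxy project or from anyone in this thread: a post_start/post_stop pair that accepts only forwards originating from the LAN and their replies, inserts each rule only if `iptables -C` says it is missing (the second nat dump above shows SSTP_OUTPUT jumped to twice from OUTPUT and its REDIRECT rule duplicated, which is what repeated starts without a check produce), and parses `iptables -S FORWARD` so you can confirm the policy really is DROP before changing anything. The 192.168.0.0/16 LAN range is an assumption taken from the rules in the dumps; the `dry_ipt` backend exists only so the rules can be printed without root.

```shell
#!/bin/sh
# Added example (not ss-tproxy project code): LAN-only FORWARD rules for an
# ss-tproxy.conf post_start/post_stop hook, instead of `-P FORWARD ACCEPT`.
# LAN_CIDR is an assumption from the 192.168.0.0/16 rules in the dumps above.

LAN_CIDR="${LAN_CIDR:-192.168.0.0/16}"
IPT="${IPT:-iptables}"   # set IPT=dry_ipt to print the commands without root

# Dry-run backend: prints what would run and reports every -C as "rule absent".
dry_ipt() {
    case "$1" in
        -C) return 1 ;;
        *)  echo "iptables $*" ;;
    esac
}

# Rule specs without the -I/-C/-D verb, so one text serves check, add, delete.
# Rule 1: forwarded traffic from LAN hosts to anything outside the LAN.
# Rule 2: replies back to LAN hosts for connections conntrack already knows.
forward_rule_specs() {
    cat <<EOF
FORWARD -s $LAN_CIDR ! -d $LAN_CIDR -j ACCEPT
FORWARD -d $LAN_CIDR -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Insert at the top of FORWARD (ahead of Docker's own jumps), but only when
# the rule is not already present, so restarting the hook never stacks copies.
add_forward_rules() {
    forward_rule_specs | while read -r spec; do
        # shellcheck disable=SC2086   # word-splitting of $spec is intended
        $IPT -C $spec 2>/dev/null || $IPT -I $spec
    done
}

del_forward_rules() {
    forward_rule_specs | while read -r spec; do
        # shellcheck disable=SC2086
        $IPT -D $spec 2>/dev/null || :
    done
}

# FORWARD policy parsed from `iptables -S FORWARD` text on stdin; Docker sets
# it to DROP when it starts, which is what breaks forwarding for LAN hosts.
parse_forward_policy() {
    awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# Hooks as ss-tproxy.conf expects them.
post_start() { add_forward_rules; }
post_stop()  { del_forward_rules; }

# Stand-alone, non-root check: `sh this.sh --dry-run` prints the rules that
# post_start would add and the policy read from a constructed sample dump.
if [ "${1:-}" = "--dry-run" ]; then
    IPT=dry_ipt
    post_start
    printf '%s\n' '-P FORWARD DROP' '-A FORWARD -j DOCKER-USER' | parse_forward_policy
fi
```

On the live gateway, confirm the diagnosis first with `iptables -S FORWARD | head -n 1` (it prints `-P FORWARD DROP` once Docker is up), then source the file from ss-tproxy.conf. Docker's documented place for user rules is its DOCKER-USER chain; the hook inserts into FORWARD directly so it also works when ss-tproxy starts before the Docker daemon has created that chain.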
I'm using a v2ray proxy, pure tproxy, gfwlist mode. Before installing docker everything worked, but after installing docker the other hosts on the same subnet could not access domestic websites; after restoring the iptables rules from before the docker install, it worked again. What needs to be done so the two can coexist?
The iptables rules before installing docker: