zw963 / asuswrt-merlin-transparent-proxy

Transparent proxy based on ss, v2ray, xray, ipset, iptables and chinadns, for asuswrt-merlin or a side router.
MIT License
380 stars, 80 forks

Add UDP forwarding to the iptables rules #22

Closed. gitx6 closed this 7 years ago

gitx6 commented 7 years ago

Chrome's QUIC feature makes YouTube connect very fast, but the buffered amount stays at zero. The reason is that Google checks whether your UDP address and your TCP address are the same, so UDP packets must also be forwarded by iptables, and ss must have UDP relay enabled too.

Following the TCP rules as a model, could the following two rules be added for UDP forwarding?

iptables -t nat -A SHADOWSOCKS -p udp -j REDIRECT --to-port SS_LOCAL_PORT
iptables -t nat -I PREROUTING -p udp -m multiport --dports 80,443 -j SHADOWSOCKS

zw963 commented 7 years ago

Thanks for the feedback. I may need a while before I can add this; something has come up recently and I can't respond promptly.

On 21 June 2017 at 14:08, "wangxin6" notifications@github.com wrote:

Chrome's QUIC feature makes YouTube connect very fast, but the buffered amount stays at zero. The reason is that Google checks whether your UDP address and your TCP address are the same, so UDP packets must also be forwarded by iptables, and ss must have UDP relay enabled too.

Following the TCP rules as a model, could the following two rules be added for UDP forwarding?

iptables -t nat -A SHADOWSOCKS -p udp -j REDIRECT --to-port SS_LOCAL_PORT
iptables -t nat -I PREROUTING -p udp -m multiport --dports 80,443 -j SHADOWSOCKS


gitx6 commented 7 years ago

These two commands may not be correct; please fix them when you have time. Thank you.

zw963 commented 7 years ago

I read the man page:

 [!] -p, --protocol protocol
              The protocol of the rule or of the packet to check.  The specified protocol can be one of tcp, udp, udplite, icmp, icmpv6,esp, ah, sctp, mh  or  the  special
              keyword "all", or it can be a numeric value, representing one of these protocols or a different one.  A protocol name from /etc/protocols is also allowed.  A
              "!" argument before the protocol inverts the test.  The number zero is equivalent to all. "all" will match with all protocols and is taken  as  default  when
              this  option  is  omitted.   Note that, in ip6tables, IPv6 extension headers except esp are not allowed.  esp and ipv6-nonext can be used with Kernel version
              2.6.11 or later.  The number zero is equivalent to all, which means that you cannot test the protocol field for the value 0  directly.  To  match  on  a  HBH
              header, even if it were the last, you cannot use -p 0, but always need -m hbh.

If no -p protocol is given, the default is 'all'. So could you please try manually changing the corresponding lines in iptables.sh from

$iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports SS_LOCAL_PORT
$iptables -t nat -I PREROUTING -p tcp -m multiport --dports 80,443 -j SHADOWSOCKS
to
$iptables -t nat -A SHADOWSOCKS -j REDIRECT --to-ports SS_LOCAL_PORT
$iptables -t nat -I PREROUTING -m multiport --dports 80,443 -j SHADOWSOCKS

If it works and FQ (getting past the firewall) still works, please report back and I'll add it. I haven't tested this before.

gitx6 commented 7 years ago

Tested: with -p tcp removed, FQ no longer works.

zw963 commented 7 years ago

@wangxin6, thanks. So presumably -p all won't work either? Please verify when you have a moment.

gitx6 commented 7 years ago

With -p all, Facebook is reachable but Google is not.

Domestic sites that previously could not be reached became reachable with -p all.

zw963 commented 7 years ago

"all" will match with all protocols and is taken as default when this option is omitted.

That is from the iptables man page on my local Linux box (the router's should be similar).

So removing -p tcp should be equivalent to adding -p all.
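The two experiments discussed above (dropping -p tcp, and writing -p all) share one iptables detail worth making explicit: the multiport match and the REDIRECT --to-ports target are both port-based, and iptables refuses to load such a rule unless it names a port-bearing protocol (-p tcp, udp, udplite, sctp or dccp); "all" is not one, so the rule is rejected rather than applied to every protocol. Separately, for UDP the REDIRECT target rewrites the datagram's destination, so ss-redir cannot recover where the packet was originally going; shadowsocks-libev's documented transparent-proxy setup instead uses TPROXY in the mangle table with a policy route, and ss-redir started with -u. The script below is an added example written for this page, not the project's iptables.sh: it mirrors the iptables protocol check so a bad rule spec fails loudly, and emits the TCP REDIRECT rules from this thread next to a TPROXY-based UDP variant. SS_LOCAL_PORT, LAN_NET, the mark 0x01 and routing table 100 are assumed values; IPT and IP default to echo so the script prints rather than applies.

```shell
#!/bin/sh
# Added example (not from the asuswrt-merlin-transparent-proxy project).
# Assumptions (hypothetical): ss-redir listens on SS_LOCAL_PORT for TCP and,
# started with -u, for UDP on the same port; LAN_NET is the LAN that must not be
# proxied; mark 0x01 and routing table 100 are unused. IPT/IP default to "echo"
# so the script prints the rules; run with IPT=iptables IP=ip as root to apply.
IPT="${IPT:-echo iptables}"
IP="${IP:-echo ip}"
SS_LOCAL_PORT="${SS_LOCAL_PORT:-1080}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
UDP_MARK="0x01/0x01"
UDP_TABLE=100

# iptables rejects "-m multiport" and "REDIRECT --to-ports" unless the rule names a
# port-bearing protocol (the error reads "multiport needs `-p tcp', `-p udp', ...").
# A rule with no -p, or with -p all, therefore never loads. This function mirrors
# that check: returns 0 when iptables would accept the spec, 1 when it would not.
rule_proto_ok() {
    spec=" $* "
    case "$spec" in
        *" -m multiport "*|*" --to-port"*) ;;   # port-based: a protocol is required
        *) return 0 ;;                           # anything else: any -p (or none) is fine
    esac
    case "$spec" in
        *" -p tcp "*|*" -p udp "*|*" -p udplite "*|*" -p sctp "*|*" -p dccp "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check a rule spec, then hand it to iptables (or echo it in dry-run mode).
add_rule() {
    if ! rule_proto_ok "$@"; then
        echo "rejected (no port-bearing -p): $*" >&2
        return 1
    fi
    $IPT "$@"
}

# TCP: nat/REDIRECT, the shape used in this thread. ss-redir recovers the real
# destination of a REDIRECTed TCP connection from conntrack (SO_ORIGINAL_DST).
setup_tcp() {
    $IPT -t nat -N SHADOWSOCKS 2>/dev/null || true   # fine if the chain already exists
    add_rule -t nat -A SHADOWSOCKS -d "$LAN_NET" -j RETURN
    add_rule -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports "$SS_LOCAL_PORT"
    add_rule -t nat -I PREROUTING -p tcp -m multiport --dports 80,443 -j SHADOWSOCKS
}

# UDP (QUIC goes to 443/udp): REDIRECT rewrites the header, so the original
# destination of a UDP datagram is lost to ss-redir. TPROXY in the mangle table
# leaves the header alone and marks the packet; the policy route delivers marked
# packets to the local ss-redir socket, which must be running with -u.
setup_udp() {
    $IPT -t mangle -N SHADOWSOCKS_UDP 2>/dev/null || true
    add_rule -t mangle -A SHADOWSOCKS_UDP -d "$LAN_NET" -j RETURN
    add_rule -t mangle -A SHADOWSOCKS_UDP -p udp -m multiport --dports 80,443 \
        -j TPROXY --on-port "$SS_LOCAL_PORT" --tproxy-mark "$UDP_MARK"
    add_rule -t mangle -A PREROUTING -p udp -j SHADOWSOCKS_UDP
    $IP rule add fwmark 0x01 lookup "$UDP_TABLE"
    $IP route add local 0.0.0.0/0 dev lo table "$UDP_TABLE"
}

setup_tcp
setup_udp
# The shortcut tried in this thread: without -p tcp, iptables refuses the rule.
add_rule -t nat -A SHADOWSOCKS -j REDIRECT --to-ports "$SS_LOCAL_PORT" || true
```

Run it as-is to see the generated rule set, then with IPT=iptables IP=ip as root on the router to apply it; the rejected line at the end prints to stderr in both modes and shows why a rule without a port-bearing protocol cannot stand in for separate tcp and udp rules.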

gitx6 commented 7 years ago

Type chrome://flags in Chrome's address bar and disable "Experimental QUIC protocol"; YouTube videos then play.