Comments (16)

zfl9 commented on June 15, 2024

By "global proxy" do you mean: everything except reserved addresses (e.g. 192.168.x.x) is redirected to ipt2socks, which then forwards it to the socks5 proxy behind it?

from ipt2socks.

zfl9 commented on June 15, 2024

Please post the complete ipt2socks log.


weber110 commented on June 15, 2024

The global proxy I described is basically a transparent proxy: apart from traffic within the LAN, everything else goes to the socks5 proxy, including tcp/udp/dns. Currently OpenWrt has the built-in dnsmasq-full listening on port 53.

2024-01-02 17:30:43 INF: [main] server address: 111.111.111.111#30001
2024-01-02 17:30:43 INF: [main] listen address: 127.0.0.1#1088
2024-01-02 17:30:43 INF: [main] listen address: ::1#1088
2024-01-02 17:30:43 INF: [main] udp cache maximum size: 256
2024-01-02 17:30:43 INF: [main] udp socket idle timeout: 60
2024-01-02 17:30:43 INF: [main] number of worker threads: 1
2024-01-02 17:30:43 INF: [main] enable tcp transparent proxy
2024-01-02 17:30:43 INF: [main] enable udp transparent proxy
2024-01-02 17:31:29 ERR: [new_nonblock_sockfd] socket(AF_INET, SOCK_STREAM): No file descriptors available
2024-01-02 17:31:29 ERR: [set_tcp_nodelay] setsockopt(-1, TCP_NODELAY): Bad file descriptor
2024-01-02 17:31:29 ERR: [set_tcp_quickack] setsockopt(-1, TCP_QUICKACK): Bad file descriptor
2024-01-02 17:31:29 ERR: [set_tcp_keepalive] setsockopt(-1, SO_KEEPALIVE): Bad file descriptor
2024-01-02 17:31:29 ERR: [tcp_tproxy_accept_cb] connect to 121.37.247.85#30001: Bad file descriptor
2024-01-02 17:31:29 ERR: [tcp_socks5_recv_authresp_cb] recv from 121.37.247.85#30001: Connection reset by peer
2024-01-02 17:31:29 ERR: [tcp_socks5_recv_authresp_cb] recv from 121.37.247.85#30001: Connection reset by peer
2024-01-02 17:31:29 ERR: [tcp_socks5_recv_authresp_cb] recv from 121.37.247.85#30001: Connection reset by peer
2024-01-02 17:31:29 ERR: [tcp_socks5_recv_authresp_cb] recv from 121.37.247.85#30001: Connection reset by peer
2024-01-02 17:31:29 ERR: [tcp_socks5_recv_authresp_cb] recv from 121.37.247.85#30001: Connection reset by peer
2024-01-02 17:31:29 ERR: [tcp_socks5_recv_authresp_cb] recv from 121.37.247.85#30001: Connection reset by peer
2024-01-02 17:31:29 ERR: [tcp_socks5_recv_authresp_cb] recv from 121.37.247.85#30001: Connection reset by peer
...
2024-01-02 17:31:30 ERR: [tcp_tproxy_accept_cb] accept tcp4 socket: No file descriptors available
2024-01-02 17:31:30 ERR: [tcp_tproxy_accept_cb] accept tcp4 socket: No file descriptors available
2024-01-02 17:31:30 ERR: [tcp_tproxy_accept_cb] accept tcp4 socket: No file descriptors available
2024-01-02 17:31:30 ERR: [tcp_tproxy_accept_cb] accept tcp4 socket: No file descriptors available
2024-01-02 17:31:30 ERR: [tcp_tproxy_accept_cb] accept tcp4 socket: No file descriptors available
2024-01-02 17:31:30 ERR: [tcp_tproxy_accept_cb] accept tcp4 socket: No file descriptors available
...


zfl9 commented on June 15, 2024

Judging from the error messages, the nft rules are probably looping endlessly.


zfl9 commented on June 15, 2024

I'll post a working nft ruleset in a while; let me try it locally first.


zfl9 commented on June 15, 2024

Where is your socks5 proxy running? It's not on the same host as ipt2socks, is it?


weber110 commented on June 15, 2024

> Where is your socks5 proxy running? It's not on the same host as ipt2socks, is it?

Correct, I'm not using a local s5 server.


zfl9 commented on June 15, 2024

The socks5 server is on another host in the same LAN, right?


weber110 commented on June 15, 2024

No, the socks5 servers are on the internet; some I set up myself with danted, others were set up by other people with v2.


zfl9 commented on June 15, 2024

Run the following commands in order.

  • Create the proxy user (group) and start ipt2socks

# create the proxy group; ipt/nft uses it to exempt the proxy's own traffic
groupadd proxy # or addgroup proxy

# set the setgid bit on the executable
chgrp proxy /path/to/ipt2socks
chmod g+xs /path/to/ipt2socks

# the two steps above only need to be done once

# start the ipt2socks process; do NOT use the -u option!
ipt2socks -s <server ip> -p <server port> -l 1088

  • nft script (flush the relevant chains before applying it, to avoid duplicates!)

table inet mangle {
	set byp4 {
		typeof ip daddr
		flags interval
		elements = { 0.0.0.0/8, 10.0.0.0/8,
			     127.0.0.0/8, 169.254.0.0/16,
			     172.16.0.0/12, 192.0.0.0/24,
			     192.0.2.0/24, 192.88.99.0/24,
			     192.168.0.0/16, 198.18.0.0/15,
			     198.51.100.0/24, 203.0.113.0/24,
			     224.0.0.0/4, 240.0.0.0/4 }
	}

	set byp6 {
		typeof ip6 daddr
		flags interval
		elements = { ::,
			     ::1,
			     ::ffff:0:0:0/96,
			     64:ff9b::/96,
			     100::/64,
			     2001::/32,
			     2001:20::/28,
			     2001:db8::/32,
			     2002::/16,
			     fc00::/7,
			     fe80::/10,
			     ff00::/8 }
	}

	chain prerouting {
		type filter hook prerouting priority mangle; policy accept;

		# pass traffic destined for local addresses
		fib daddr type local return

		# pass reply-direction traffic
		ct direction reply return

		# traffic coming from the LAN
		meta l4proto {tcp,udp} ct state new,related fib saddr type != local jump do_proxy

		# local-host and LAN traffic => ipt2socks
		meta l4proto {tcp,udp} ct mark 1088 tproxy to :1088 meta mark set 1088
	}

	chain output {
		type route hook output priority mangle; policy accept;

		# pass traffic destined for local addresses
		fib daddr type local return

		# pass reply-direction traffic
		ct direction reply return

		# pass the local proxy process itself
		skgid proxy return

		# mark the connection
		meta l4proto {tcp,udp} ct state new,related jump do_proxy

		# mark the packet (for ip rule)
		ct mark 1088 meta mark set 1088
	}

	chain do_proxy {
		ip daddr @byp4 return
		ip6 daddr @byp6 return
		ct mark set 1088
	}
}

  • ip rule/route

ip rule add fwmark 1088 table 100
ip route add local default dev lo table 100


weber110 commented on June 15, 2024

Thank you for taking the time to answer.

After following your example, starting ./ipt2socks -s $sip -p $sport -l 1088 -a $suid -k $spwd -u proxy gives the following:

2024-01-03 14:44:31 INF: [main] listen address: 127.0.0.1#1088
2024-01-03 14:44:31 INF: [main] listen address: ::1#1088
2024-01-03 14:44:31 INF: [main] udp cache maximum size: 256
2024-01-03 14:44:31 INF: [main] udp socket idle timeout: 60
2024-01-03 14:44:31 INF: [main] number of worker threads: 1
2024-01-03 14:44:31 INF: [main] enable tcp transparent proxy
2024-01-03 14:44:31 INF: [main] enable udp transparent proxy
2024-01-03 14:44:31 ERR: [set_ip_transparent] setsockopt(3, IP_TRANSPARENT): Operation not permitted
2024-01-03 14:44:31 ERR: [set_ip_transparent] setsockopt(4, IPV6_TRANSPARENT): Operation not permitted
2024-01-03 14:44:31 ERR: [set_ip_transparent] setsockopt(5, IP_TRANSPARENT): Operation not permitted
2024-01-03 14:44:31 ERR: [set_ip_transparent] setsockopt(6, IPV6_TRANSPARENT): Operation not permitted

I guessed that it's because the proxy user lacks cap-net-admin, so I changed

skgid proxy return -> skgid root return

At the same time, after changing the start command to the one below, it seems no traffic is forwarded to port 1088 at all; the log has no output after 'enable udp transparent proxy'.

./ipt2socks -s $sip -p $sport -l 1088 -a $suid -k $spwd -u proxy -u root

Below is the complete output of nft list ruleset:

table inet mangle {
	set byp4 {
		typeof ip daddr
		flags interval
		elements = { 0.0.0.0/8, 10.0.0.0/8,
			     127.0.0.0/8, 169.254.0.0/16,
			     172.16.0.0/12, 192.0.0.0/24,
			     192.0.2.0/24, 192.88.99.0/24,
			     192.168.0.0/16, 198.18.0.0/15,
			     198.51.100.0/24, 203.0.113.0/24,
			     224.0.0.0/4, 240.0.0.0/4 }
	}

	set byp6 {
		typeof ip6 daddr
		flags interval
		elements = { ::,
			     ::1,
			     ::ffff:0:0:0/96,
			     64:ff9b::/96,
			     100::/64,
			     2001::/32,
			     2001:20::/28,
			     2001:db8::/32,
			     2002::/16,
			     fc00::/7,
			     fe80::/10,
			     ff00::/8 }
	}

	chain prerouting {
		type filter hook prerouting priority mangle; policy accept;
		fib daddr type local return
		ct direction reply return
		meta l4proto { tcp, udp } ct state related,new fib saddr type != local jump do_proxy
		meta l4proto { tcp, udp } ct mark 0x00000440 tproxy to :1088 meta mark set 0x00000440
		fib daddr type local return
		ct direction reply return
		meta l4proto { tcp, udp } ct state related,new fib saddr type != local jump do_proxy
		meta l4proto { tcp, udp } ct mark 0x00000440 tproxy to :1088 meta mark set 0x00000440
		fib daddr type local return
		ct direction reply return
		meta l4proto { tcp, udp } ct state related,new fib saddr type != local jump do_proxy
		meta l4proto { tcp, udp } ct mark 0x00000440 tproxy to :1088 meta mark set 0x00000440
		fib daddr type local return
		ct direction reply return
		meta l4proto { tcp, udp } ct state related,new fib saddr type != local jump do_proxy
		meta l4proto { tcp, udp } ct mark 0x00000440 tproxy to :1088 meta mark set 0x00000440
		fib daddr type local return
		ct direction reply return
		meta l4proto { tcp, udp } ct state related,new fib saddr type != local jump do_proxy
		meta l4proto { tcp, udp } ct mark 0x00000440 tproxy to :1088 meta mark set 0x00000440
	}

	chain output {
		type route hook output priority mangle; policy accept;
		fib daddr type local return
		ct direction reply return
		meta skgid 1000 return
		meta l4proto { tcp, udp } ct state related,new jump do_proxy
		ct mark 0x00000440 meta mark set 0x00000440
		fib daddr type local return
		ct direction reply return
		meta skgid 1000 return
		meta l4proto { tcp, udp } ct state related,new jump do_proxy
		ct mark 0x00000440 meta mark set 0x00000440
		fib daddr type local return
		ct direction reply return
		meta skgid 1000 return
		meta l4proto { tcp, udp } ct state related,new jump do_proxy
		ct mark 0x00000440 meta mark set 0x00000440
		fib daddr type local return
		ct direction reply return
		meta skgid 1000 return
		meta l4proto { tcp, udp } ct state related,new jump do_proxy
		ct mark 0x00000440 meta mark set 0x00000440
		fib daddr type local return
		ct direction reply return
		meta skgid 1000 return
		meta l4proto { tcp, udp } ct state related,new jump do_proxy
		ct mark 0x00000440 meta mark set 0x00000440
	}

	chain do_proxy {
		ip daddr @byp4 return
		ip6 daddr @byp6 return
		ct mark set 0x00000440
		ip daddr @byp4 return
		ip6 daddr @byp6 return
		ct mark set 0x00000440
		ip daddr @byp4 return
		ip6 daddr @byp6 return
		ct mark set 0x00000440
		ip daddr @byp4 return
		ip6 daddr @byp6 return
		ct mark set 0x00000440
		ip daddr @byp4 return
		ip6 daddr @byp6 return
		ct mark set 0x00000440
	}
}
table inet dnsmasq {
	chain prerouting {
		type nat hook prerouting priority dstnat - 5; policy accept;
		meta nfproto { ipv4, ipv6 } udp dport 53 counter packets 473 bytes 30796 redirect to :53 comment "DNSMASQ HIJACK"
	}
}
table inet fw4 {
	ct helper amanda {
		type "amanda" protocol udp
		l3proto inet
	}

	ct helper ftp {
		type "ftp" protocol tcp
		l3proto inet
	}

	ct helper RAS {
		type "RAS" protocol udp
		l3proto inet
	}

	ct helper Q.931 {
		type "Q.931" protocol tcp
		l3proto inet
	}

	ct helper irc {
		type "irc" protocol tcp
		l3proto ip
	}

	ct helper pptp {
		type "pptp" protocol tcp
			l3proto ip
	}

	ct helper sip {
		type "sip" protocol udp
		l3proto inet
	}

	ct helper snmp {
		type "snmp" protocol udp
		l3proto ip
	}

	ct helper tftp {
		type "tftp" protocol udp
		l3proto inet
	}

	chain input {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname { "br-lan", "phy0-ap0" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname "eth1" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		jump handle_reject
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
		iifname { "br-lan", "phy0-ap0" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname "eth1" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		jump handle_reject
	}

	chain output {
		type filter hook output priority filter; policy accept;
		oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
		ct state established,related accept comment "!fw4: Allow outbound established and related flows"
		oifname { "br-lan", "phy0-ap0" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
		oifname "eth1" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	chain syn_flood {
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

	chain input_lan {
		jump accept_from_lan
	}

	chain output_lan {
		jump accept_to_lan
	}

	chain forward_lan {
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump accept_to_lan
	}

	chain accept_from_lan {
		iifname { "br-lan", "phy0-ap0" } counter packets 486 bytes 32048 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain accept_to_lan {
		oifname { "br-lan", "phy0-ap0" } counter packets 1 bytes 328 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
		icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
		meta nfproto ipv4 meta l4proto igmp counter packets 3 bytes 108 accept comment "!fw4: Allow-IGMP"
		meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
		ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 3 bytes 228 accept comment "!fw4: Allow-MLD"
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 3 bytes 192 accept comment "!fw4: Allow-ICMPv6-Input"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump reject_from_wan
	}

	chain output_wan {
		jump accept_to_wan
	}

	chain forward_wan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump reject_to_wan
	}

	chain accept_to_wan {
		meta nfproto ipv4 oifname "eth1" ct state invalid counter packets 18 bytes 720 drop comment "!fw4: Prevent NAT leakage"
		oifname "eth1" counter packets 4452 bytes 285382 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	chain reject_from_wan {
		iifname "eth1" counter packets 33 bytes 3525 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain reject_to_wan {
		oifname "eth1" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
		iifname "eth1" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "eth1" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
	}

	chain dstnat_wan {
		meta nfproto ipv4 fullcone comment "!fw4: Handle wan IPv4 fullcone NAT dstnat traffic"
	}

	chain srcnat_wan {
		meta nfproto ipv4 fullcone comment "!fw4: Handle wan IPv4 fullcone NAT srcnat traffic"
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		iifname "eth1" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
		oifname "eth1" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
	}
}


zfl9 commented on June 15, 2024

Your nft rules are already duplicated; the ruleset is polluted. Reboot the system first (or nft flush the relevant mangle chains).

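A check for the duplication zfl9 points out above (and the reason the nft script earlier in the thread says to flush the chains before applying it): an added example, not part of the thread or of ipt2socks, that parses `nft list ruleset` text, reports rules listed more than once per chain, and shows what the chain would hold after a flush and a single load. The sample ruleset is constructed and trimmed; the parser assumes the one-block-per-line layout that nft prints.

```python
import re
from collections import Counter

# Constructed sample: a trimmed `nft list ruleset` in the same shape as the one
# posted in the thread, with the mangle prerouting chain loaded twice.
SAMPLE_RULESET = """\
table inet mangle {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        fib daddr type local return
        ct direction reply return
        meta l4proto { tcp, udp } ct mark 0x00000440 tproxy to :1088 meta mark set 0x00000440
        fib daddr type local return
        ct direction reply return
        meta l4proto { tcp, udp } ct mark 0x00000440 tproxy to :1088 meta mark set 0x00000440
    }
    chain do_proxy {
        ip daddr @byp4 return
        ct mark set 0x00000440
    }
}
table inet fw4 {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept comment "!fw4: Accept traffic from loopback"
    }
}
"""

def parse_chains(ruleset):
    """Map (table, chain) -> ordered rule lines; set/ct-helper blocks and the
    'type ... hook ...' chain header are skipped."""
    chains, table, chain = {}, None, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        if m := re.match(r"table (\S+) (\S+) \{$", line):
            table = f"{m.group(1)} {m.group(2)}"
        elif m := re.match(r"chain (\S+) \{$", line):
            chain = (table, m.group(1))
            chains[chain] = []
        elif line == "}":
            chain = None  # closes whichever block is open (chain, set, table)
        elif chain is not None and line and not line.startswith("type "):
            chains[chain].append(line)
    return chains

def find_duplicates(chains):
    """(table, chain) -> {rule: count} for every rule listed more than once."""
    counted = {key: Counter(rules) for key, rules in chains.items()}
    return {key: {r: n for r, n in c.items() if n > 1}
            for key, c in counted.items() if max(c.values(), default=0) > 1}

def dedupe(chains):
    """First occurrence of each rule, in order: what flush + one load would leave."""
    return {key: list(dict.fromkeys(rules)) for key, rules in chains.items()}

if __name__ == "__main__":
    for (table, chain), dups in find_duplicates(parse_chains(SAMPLE_RULESET)).items():
        print(f"{table} {chain}: {len(dups)} rules repeated, up to {max(dups.values())}x")
```

Feed it the real output with `nft list ruleset | python3 check.py` style plumbing by reading stdin instead of the sample; a chain where every rule shows the same multiplicity is the signature of a script applied that many times without a flush.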

zfl9 commented on June 15, 2024

> I guessed that it's because the proxy user lacks cap-net-admin, so I changed
> skgid proxy return -> skgid root return

You can't change it like that, otherwise none of the root group's traffic will go through the proxy (which is exactly the symptom you describe afterwards).


zfl9 commented on June 15, 2024

I've re-edited my earlier reply; it should work now.


weber110 commented on June 15, 2024

> Your nft rules are already duplicated; the ruleset is polluted. Reboot the system first (or nft flush the relevant mangle chains).

By pollution you mean the settings appearing repeatedly inside the prerouting/output chains, right? I don't know the reason for this either; this nft list ruleset was printed right after a reboot. Previously, with another s5 client's ruleset-post nft file, the rules were duplicated in the same way, but traffic interception and proxying still worked.

After applying your latest user group and permission settings, the effect is the same as when I simply deleted skgid proxy return earlier: after ipt2socks prints its startup log, there are no further traffic log lines.


zfl9 commented on June 15, 2024

Reboot the system and start from a clean state.

