背景:基于最新 lede 代码编译,开启 SSR-Plus
我登录路由器,ps 可以看到
dns2tcp -L 127.0.0.1#5335 -R 8.8.8.8#53
chinadns-ng -l 5333 -4 china -p 3 -c 114.114.114.114 -t 127.0.0.1#5335 -N -f -r
dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c
dnsmasq 的上游服务器配置为resolv-file=/tmp/resolv.conf.d/resolv.conf.auto
该文件内容: (均为 Wan 下发的 DNS 地址)
# Interface wan
nameserver xxxxxxxxxxxxxxx
nameserverxxxxxxxxxxxxxxx
# Interface wan6
nameserver xxxxxxxxxxxxxxx
# Interface wan_6
nameserver xxxxxxxxxxxxxxx
nameserver xxxxxxxxxxxxxxx
这里 chinadns-ng 和 dns2tcp 我能理解,chinadns-ng 将国内 dns 查询分流到 114 ,将海外 dns 查询转到 dns2tcp ,然后 dns2tcp 又去 8.8.8.8 查询 DNS 记录。
但是!这个 dnsmasq 我就不理解了,53 端口是 dnsmasq 占用的,我电脑默认应该是访问路由器 53 端口查 DNS ,也就是访问 dnsmasq 的 DNS 服务,这样一来,chinadns-ng 的服务不就相当于没用上吗? dnsmasq 上游都是 wan 下发的 DNS 服务器,那这样是如何防止 DNS 污染呢?
但最终结果好像又不是这样的,实际使用好像又没有出现 DNS 污染,那这样的话 dnsmasq 究竟在哪配置把流量导入 chinadns-ng 的呢?我研究了非常久,dnsmasq 明明就是使用的 wan 下发 DNS 呀,没有其他的上游设置了
1
defunct9 199 天前
看看 iptable
|
2
Jinnrry OP @defunct9 iptable 我不怎么熟,但是 iptables -S 看起来也没有 53 端口相关的转发吧
-P INPUT ACCEPT -P FORWARD DROP -P OUTPUT ACCEPT -N MINIUPNPD -N forwarding_lan_rule -N forwarding_rule -N forwarding_wan_rule -N input_lan_rule -N input_rule -N input_wan_rule -N output_lan_rule -N output_rule -N output_wan_rule -N reject -N syn_flood -N zone_lan_dest_ACCEPT -N zone_lan_forward -N zone_lan_input -N zone_lan_output -N zone_lan_src_ACCEPT -N zone_wan_dest_ACCEPT -N zone_wan_dest_REJECT -N zone_wan_forward -N zone_wan_input -N zone_wan_output -N zone_wan_src_REJECT -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward -A FORWARD -m comment --comment "!fw3" -j reject -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable -A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN -A syn_flood -m comment --comment "!fw3" -j DROP -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject -A zone_wan_forward -j MINIUPNPD -A zone_wan_forward -j MINIUPNPD -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT -A zone_wan_forward -p tcp -m tcp --dport 7744 -m comment --comment "!fw3: vpn" -j zone_lan_dest_ACCEPT -A zone_wan_forward -p tcp -m tcp --dport 56471 -m comment --comment "!fw3: QBittorrent" -j zone_lan_dest_ACCEPT -A zone_wan_forward -p tcp -m tcp --dport 51413 -m comment --comment "!fw3: Transmission" -j zone_lan_dest_ACCEPT -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT -A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT -A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject |
3
kursk 199 天前
简单来说,DNSMASQ 有两个参数 server 和 ipset 发挥的作用
server 的作用是将指定的域名交给指定的域名服务器解析,并将 ip 存入 ipset 中,iptables 再将目标地址为这个 ipset 的 package 转发到科学上网的端口或线路上 你研究一下这个参数的说明 -S, --local, --server=[/[<domain>]/[domain/]][<server>[#<port>]][@<interface>][@<source-ip>[#<port>]] Specify upstream servers directly. Setting this flag does not suppress reading of /etc/resolv.conf, use --no-resolv to do that. If one or more optional domains are given, that server is used only for those domains and they are queried only using the specified server. This is intended for private nameservers: if you have a nameserver on your network which deals with names of the form xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving the flag --server=/internal.thekelleys.org.uk/192.168.1.1 will send all queries for internal machines to that nameserver, everything else will go to the servers in /etc/resolv.conf. DNSSEC validation is turned off for such private nameservers, UNLESS a --trust-anchor is specified for the domain in question. An empty domain specification, // has the special meaning of "unqualified names only" ie names without any dots in them. A non-standard port may be specified as part of the IP address using a # character. More than one --server flag is allowed, with repeated domain or ipaddr parts as required. More specific domains take precedence over less specific domains, so: --server=/google.com/1.2.3.4 --server=/www.google.com/2.3.4.5 will send queries for google.com and gmail.google.com to 1.2.3.4, but www.google.com will go to 2.3.4.5 Matching of domains is normally done on complete labels, so /google.com/ matches google.com and www.google.com but NOT supergoogle.com. This can be overridden with a * at the start of a pattern only: /*google.com/ will match google.com and www.google.com AND supergoogle.com. The non-wildcard form has priority, so if /google.com/ and /*google.com/ are both specified then google.com and www.google.com will match /google.com/ and /*google.com/ will only match supergoogle.com. For historical reasons, the pattern /.google.com/ is equivalent to /google.com/ if you wish to match any subdomain of google.com but NOT google.com itself, use /*.google.com/ The special server address '#' means, "use the standard servers", so --server=/google.com/1.2.3.4 --server=/www.google.com/# will send queries for google.com and its subdomains to 1.2.3.4, except www.google.com (and its subdomains) which will be forwarded as usual. Also permitted is a -S flag which gives a domain but no IP address; this tells dnsmasq that a domain is local and it may answer queries from /etc/hosts or DHCP but should never forward queries on that domain to any upstream servers. --local is a synonym for --server to make configuration files clearer in this case. IPv6 addresses may include an %interface scope-id, eg fe80::202:a412:4512:7bbf%eth0. The optional string after the @ character tells dnsmasq how to set the source of the queries to this nameserver. It can either be an ip-address, an interface name or both. The ip-address should belong to the machine on which dnsmasq is running, otherwise this server line will be logged and then ignored. If an interface name is given, then queries to the server will be forced via that interface; if an ip-address is given then the source address of the queries will be set to that address; and if both are given then a combination of ip-address and interface name will be used to steer requests to the server. The query-port flag is ignored for any servers which have a source address specified but the port may be specified directly as part of the source address. Forcing queries to an interface is not implemented on all platforms supported by dnsmasq. Upstream servers may be specified with a hostname rather than an IP address. In this case, dnsmasq will try to use the system resolver to get the IP address of a server during startup. If name resolution fails, starting dnsmasq fails, too. If the system's configuration is such that the system resolver sends DNS queries through the dnsmasq instance which is starting up then this will time-out and fail. https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html#index |
4
defunct9 199 天前
dnsmasq.conf 贴出来看看
|
5
kursk 199 天前
另外说一下,server 和 ipset 这两个参数一般不在那个/var/etc/dnsmasq.conf.cfg01411c 配置文件中,但是你查看一下配置文件中的 conf-file 参数对应的目录下,应该有使用 server 和 ipset 的配置文件。
一般使用的是/tmp/dnsmasq.d/ |
6
Jinnrry OP @defunct9 #4
# auto-generated config file from /etc/config/dhcp conf-file=/etc/dnsmasq.conf dhcp-authoritative domain-needed localise-queries read-ethers enable-ubus=dnsmasq expand-hosts bind-dynamic local-service cache-size=8192 edns-packet-max=1232 domain=lan local=/lan/ server=/docker.io/127.0.0.1#5333 addn-hosts=/tmp/hosts dhcp-leasefile=/tmp/dhcp.leases resolv-file=/tmp/resolv.conf.d/resolv.conf.auto stop-dns-rebind rebind-localhost-ok dhcp-broadcast=tag:needs-broadcast conf-dir=/tmp/dnsmasq.d user=dnsmasq group=dnsmasq dhcp-ignore-names=tag:dhcp_bogus_hostname conf-file=/usr/share/dnsmasq/dhcpbogushostname.conf srv-host=_vlmcs._tcp,OpenWrt,1688,0,100 bogus-priv conf-file=/usr/share/dnsmasq/rfc6761.conf dhcp-range=set:lan,192.168.0.100,192.168.0.249,255.255.0.0,120h no-dhcp-interface=pppoe-wan |
8
Puteulanus 199 天前
/var/etc/dnsmasq.conf.cfg01411c 这个文件里应该有这一行吧
conf-dir=/tmp/dnsmasq.d 然后 /tmp/dnsmasq.d 里有 root@iStoreOS:~# cat /tmp/dnsmasq.d/dnsmasq-ssrplus.conf conf-dir=/tmp/dnsmasq.d/dnsmasq-ssrplus.d 通过这种方式给 dnsmasq 追加了设置 |
9
kursk 199 天前
|
10
Jinnrry OP @kursk #5 我靠,大佬厉害,按照你说的,我找到配置了。
在/var/etc/dnsmasq.conf.cfg01411c 这个文件中额外加了一个配置文件路径`conf-dir=/tmp/dnsmasq.d` /tmp/dnsmasq.d 这个文件夹里面有完整的分流规则 |
12
Jinnrry OP @Puteulanus 是的,感谢大佬
|
13
Puteulanus 199 天前
我没跑 SSR-Plus ,给你看看 Passwall 的,基本也是这么个流程,最后追到 /tmp/dnsmasq.d/dnsmasq-passwall.conf 里:
conf-dir=/tmp/dnsmasq.d/passwall server=127.0.0.1#15354 all-servers no-poll no-resolv 这就把 server 给设置到 ChinaDNS-NG 头上了 |
14
defunct9 199 天前
|
16
Jinnrry OP @kursk #15 我加 server=/docker.io/127.0.0.1#5333 是为了让 docker.io 走 chinadns 去解析,因为我看 chinadns 是禁止 ipv6 的。dnsmasq 会返回 ipv6 地址,我梯子服务器没有 ipv6 ,linux 默认优先使用 ipv6 ,就导致 docker pull 不能走代理。
我在 openwrt 好像找不到加 ipset 的地方?只有一个 DNS 转发可以设置 server ,硬编码改配置文件的话感觉不太优雅 |
18
Jinnrry OP @kursk #3 再请教一下,“iptables 再将目标地址为这个 ipset 的 package 转发到科学上网的端口或线路上” 这个配置是在哪呢? 我用 iptables -L 看,好像没找到相关的配置呢
|
19
Jinnrry OP @Puteulanus #13
@kursk #3 我又研究了一下 SSR-PLUS 的强制代理,我发现设置某个域名强制走代理,其实只是加了一个`server=/docker.io/127.0.0.1#5335` 这样的设置,并没有设置 ipset ,这样强制 dns 使用海外 dns 解析,那如果向 docker 这个域名,返回 ipv6 的解析结果,我服务器不支持 ipv6 的话其实没啥用吧 |
20
kursk 199 天前
@Jinnrry iptables 的配置与具体的采用的科学上网的工具有关
比如你使用 gost 作为科学上网工具,在本地开了 18443 作为端口转发,那么整体配置思路如下 在 dnsmasq 中的配置 server=/docker.io/127.0.0.1#10053 nftset=/docker.io/4#inet#wgcross#crs_dst 以上配置的作用是将 docker.io 的域名交给 127.0.0.1#10053 这个域名解析服务器解析,返回的 ip 存到 nft table 名为 wgcross 的 ipset crs_dst 中 说明一下:因为我使用的 openwrt23.05 已经是 firewell 4 了,而 firewell 4 使用 nftables 代替了 iptables ,所以与你使用的 firewell 3 的配置参数不同,但是思路是一样的 然后我的 nftables 的配置中就有如下一项 nft add rule inet wgcross PREROUTING ip daddr @crs_dst meta l4proto {tcp,udp} redirect to :18443 这个命令在 nft table 名为 wgcross 中增加了一条规则,将目标地址在 ipset crs_dst 中的 tcp 和 udp 包都专发到本地的 18443 端口上 所以通过 server ,nftset(firewell 3 是 ipset)解决 DNS 域名污染并存储了对应域名的目标 ip ,再通过 iptables 实现了目标 ip 转发到指定端口 我记得 iptables -L 默认是 NAT 表,一般转发规则在 PREROUTING 表中,你可能对 iptables 的几个表的使用不理解,你看看我写的这篇文章 https://mp.weixin.qq.com/s?__biz=Mzg3OTYwMTE1NA==&mid=2247483967&idx=1&sn=ed36e7007329ad78cf55c91fbed7b0b8&chksm=cf00b152f877384447032ecb2f5500f902941980683977e2d301f6e581599509f20121161889&token=111951293&lang=zh_CN#rd 可能对你有所启发 |
21
Puteulanus 199 天前
@Jinnrry SSR-PLUS 我不清楚,像 Passwall ( xray ?)默认情况下解析的 IP 是没用的,可能只是用作“走代理还是直连”的判定,实际被判定成走代理的话请求好像是会被发到代理服务器再去解析的,我在本地 hosts 里把谷歌域名指向 1.1.1.1 或者随手乱输的 IP ,它都能照常上
|
23
kursk 199 天前
说错了
iptables -L 这个命令默认查询的是 filter 表,但一般在 nat 表,所以命令应该这么写 iptables -t nat -L -v -n |
24
Jinnrry OP @kursk 感谢回复,我也是 firewell4 ,nftables 和 iptables 我确实都不怎么熟悉,我照着你的思路研究一下先
|
26
yyzh 199 天前 via Android
@kursk LEDE 也是用的 FW4 的,都没差 https://github.com/coolsnowwolf/lede/commits/master/
|
27
Jinnrry OP Chain SS_SPEC_WAN_FW (4 references)
pkts bytes target prot opt in out source destination 49 2940 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,53,587,465,995,993,143,80,443,853,9418 redir ports 1234 通过 iptables -t nat -L -v -n 可以找到这样一条转发规则,我 ssr-plus 里面目前设置的仅常用端口代理,这时通过 iptables 把这些常用端口的流量转发到了 1234 端口,1234 端口是 xray 的端口,这样就把流量都给 xray 代理了 @kursk #23 大佬,再请教下,我目前设置的是非国内 ip 代理,那这个 ip 分流又是在哪做的呢,我检查了 xray 的配置文件,发现 xray 配置文件里面没有路由字段,说明 xray 仅仅是把 input 流量转发到 output 里面去,并没有利用 xray 的分流能力。 除此之外,naive 客户端应该是没有分流能力的,因此 ssr-plus 肯定不是利用各个代理程序做的分流,所以这个 ip 分流策略又是在哪呢 这个 iptable 规则看起来,也没有什么分流设置呢,而且我看了 1234 端口,确实是 xray 处理了,这中间应该也没其他分流程序了 |
28
kursk 199 天前
@Jinnrry 如果策略是“非国内 ip 代理”,那么肯定有针对目标地址的转发规则,你现在找到这个是针对目标端口的转发,不是这个
你把 iptables -t nat -L -v -n 的结果全部贴出来看看 |
29
kursk 199 天前
不过我有点不明白,如果你的路由器使用 FW4 ,iptables 命令应该不能执行吧?如果 iptables 命令能执行成功,那就应该是 FW3 啊
|
30
xiaoranj 199 天前
直接用 nextdns.io
|
31
Jinnrry OP @kursk #28
Chain PREROUTING (policy ACCEPT 7861 packets, 601K bytes) pkts bytes target prot opt in out source destination 3187 191K SS_SPEC_WAN_AC tcp -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* _SS_SPEC_RULE_ */ 693K 54M prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom prerouting rule chain */ 692K 53M zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ 838 245K zone_wan_prerouting all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ 0 0 zone_wan_prerouting all -- eth1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ Chain INPUT (policy ACCEPT 6615 packets, 455K bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 2812 packets, 202K bytes) pkts bytes target prot opt in out source destination 763 45780 SS_SPEC_WAN_AC tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* _SS_SPEC_RULE_ */ Chain POSTROUTING (policy ACCEPT 3366 packets, 233K bytes) pkts bytes target prot opt in out source destination 737K 56M postrouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom postrouting rule chain */ 35025 3178K zone_lan_postrouting all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ 517K 39M zone_wan_postrouting all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ 0 0 zone_wan_postrouting all -- * eth1 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ Chain MINIUPNPD (2 references) pkts bytes target prot opt in out source destination Chain MINIUPNPD-POSTROUTING (2 references) pkts bytes target prot opt in out source destination Chain SS_SPEC_WAN_AC (2 references) pkts bytes target prot opt in out source destination 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set whitelist dst 0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set blacklist dst 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bplan src 0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set fplan src 75 4500 RETURN tcp -- * * 0.0.0.0/0 45.78.45.70 tcp dpt:!53 61 3680 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ss_spec_wan_ac dst 572 34320 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set china dst 0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set gmlan src ! match-set china dst 3242 195K SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 Chain SS_SPEC_WAN_FW (4 references) pkts bytes target prot opt in out source destination 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/8 0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8 0 0 RETURN all -- * * 0.0.0.0/0 127.0.0.0/8 0 0 RETURN all -- * * 0.0.0.0/0 169.254.0.0/16 0 0 RETURN all -- * * 0.0.0.0/0 172.16.0.0/12 0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16 0 0 RETURN all -- * * 0.0.0.0/0 224.0.0.0/4 0 0 RETURN all -- * * 0.0.0.0/0 240.0.0.0/4 3188 191K REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,53,587,465,995,993,143,80,443,853,9418 redir ports 1234 Chain postrouting_lan_rule (1 references) pkts bytes target prot opt in out source destination Chain postrouting_rule (1 references) pkts bytes target prot opt in out source destination Chain postrouting_wan_rule (1 references) pkts bytes target prot opt in out source destination Chain prerouting_lan_rule (1 references) pkts bytes target prot opt in out source destination Chain prerouting_rule (1 references) pkts bytes target prot opt in out source destination Chain prerouting_wan_rule (1 references) pkts bytes target prot opt in out source destination Chain zone_lan_postrouting (1 references) pkts bytes target prot opt in out source destination 35025 3178K postrouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan postrouting rule chain */ Chain zone_lan_prerouting (1 references) pkts bytes target prot opt in out source destination 692K 53M prerouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan prerouting rule chain */ Chain zone_wan_postrouting (2 references) pkts bytes target prot opt in out source destination 517K 39M MINIUPNPD-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0 517K 39M MINIUPNPD-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0 517K 39M postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan postrouting rule chain */ 517K 39M MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ mode: fullcone Chain zone_wan_prerouting (2 references) pkts bytes target prot opt in out source destination 838 245K MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0 838 245K MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0 838 245K prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan prerouting rule chain */ |
33
kursk 196 天前
@Jinnrry 转发规则主要体现在这两个 chain 上
Chain PREROUTING (policy ACCEPT 7861 packets, 601K bytes) pkts bytes target prot opt in out source destination 3187 191K SS_SPEC_WAN_AC tcp -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* _SS_SPEC_RULE_ */ 693K 54M prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom prerouting rule chain */ 692K 53M zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ 838 245K zone_wan_prerouting all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ 0 0 zone_wan_prerouting all -- eth1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ Chain SS_SPEC_WAN_AC (2 references) pkts bytes target prot opt in out source destination 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set whitelist dst 0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set blacklist dst 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bplan src 0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set fplan src 75 4500 RETURN tcp -- * * 0.0.0.0/0 45.78.45.70 tcp dpt:!53 61 3680 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ss_spec_wan_ac dst 572 34320 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set china dst 0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set gmlan src ! match-set china dst 3242 195K SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 Chain SS_SPEC_WAN_FW (4 references) pkts bytes target prot opt in out source destination 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/8 0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8 0 0 RETURN all -- * * 0.0.0.0/0 127.0.0.0/8 0 0 RETURN all -- * * 0.0.0.0/0 169.254.0.0/16 0 0 RETURN all -- * * 0.0.0.0/0 172.16.0.0/12 0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16 0 0 RETURN all -- * * 0.0.0.0/0 224.0.0.0/4 0 0 RETURN all -- * * 0.0.0.0/0 240.0.0.0/4 3188 191K REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,53,587,465,995,993,143,80,443,853,9418 redir ports 1234 从 Chain PREROUTING -> Chain SS_SPEC_WAN_AC -> Chain SS_SPEC_WAN_FW 规则采用目标地址匹配,就是这行 rule SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set blacklist dst blacklist 应该是所有需要科学上网的域名返回的 ip 地址,所有流量包的目标地址只要存在于 blacklist ipset 中,就会进入 Chain SS_SPEC_WAN_AC 你可以用 ipset list blacklist 命令看一下哪些 ip 是目标 ip 而 Chain SS_SPEC_WAN_FW 的最后一行 rule REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,53,587,465,995,993,143,80,443,853,9418 redir ports 1234 再排除了局域网 ip(172.16.0.0/12,192.168.0.0/16.....)后,剩下的都应该是需要科学上网的域名,且如果目标端口是 22,53,587,465,995,993,143,80,443,853,9418,就重定向到 1234 端口(如你所言,是 v2ray 的端口) 所以采用的是目标地址匹配的方法 |