home..

把centos打造成旁路由之配置透明网关

wanmyj / February 2023 (361 Words, 3 Minutes)

iptables tproxy config

透明网关的配置(只代理本机)

记得把 /proc/sys/net/ipv4/ip_forward 设置成1

开始设置iptables和路由表,ip rule 在这之前,先去了解下这个问题

莫名流量进入进入xray,导致循环,引起性能问题。

归根结底,就是要保证xray出来的流量就不能再进xray。这一点已经在配置xray的文章里通过配置GUID完成规避了。

iptables命令设置生效后,不会立即持久化保存,这给了用户一剂后悔药。比如在设置了一堆iptables,发现设置错了,此时还没有写入持久化,可以用systemctl restart iptables 重启一下就好了,注意reload不行

# 将带有标记63的流量指向路由表36
ip rule add fwmark 63 table 36
# 向路由表36添加了一条路由规则,将所有的0.0.0.0/0(即所有IP地址)的流量路由到本地回环设备"lo"上。
ip route add local 0.0.0.0/0 dev lo table 36

# 代理局域网设备
# 新建一个位于mangle表的XRAY chain
iptables -t mangle -N XRAY 
#  "网关所在ipv4网段" 通过运行命令"ip address | grep -w inet | awk '{print $2}'"获得,一般有多个 
# 只代理部分端口就可以,其他端口都return
iptables -t mangle -A XRAY -p tcp -m multiport ! --dports 443,80,53 -j RETURN
iptables -t mangle -A XRAY -p udp -m multiport ! --dports 443,80,53 -j RETURN
iptables -t mangle -A XRAY -d 192.168.0.0/16 -p tcp ! --dport 53 -j RETURN 
iptables -t mangle -A XRAY -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN 
iptables -t mangle -A XRAY -d 10.0.0.0/8 -j RETURN 
iptables -t mangle -A XRAY -d 100.64.0.0/10 -j RETURN 
iptables -t mangle -A XRAY -d 127.0.0.0/8 -j RETURN 
iptables -t mangle -A XRAY -d 169.254.0.0/16 -j RETURN 
iptables -t mangle -A XRAY -d 172.16.0.0/12 -j RETURN 
iptables -t mangle -A XRAY -d 192.0.0.0/24 -j RETURN 
# 组播地址/E类地址/广播地址直连 
iptables -t mangle -A XRAY -d 224.0.0.0/4 -j RETURN 
iptables -t mangle -A XRAY -d 240.0.0.0/4 -j RETURN 
iptables -t mangle -A XRAY -d 255.255.255.255/32 -j RETURN 
# 给 TCP 打标记 63,转发至 12345 端口 
# mark只有设置为63,流量才能被Xray任意门接受 
iptables -t mangle -A XRAY -p tcp -j TPROXY --on-port 12345 --tproxy-mark 63 
iptables -t mangle -A XRAY -p udp -j TPROXY --on-port 12345 --tproxy-mark 63 
# 应用规则 
iptables -t mangle -A PREROUTING -j XRAY
iptables -I INPUT -s 192.168.0.0/16 -j ACCEPT

配置完成测试没问题的话,用service iptables save 命令完成iptables持久化

/usr/local/etc/xray/config.json 文件配置

{
  "log": {
    "loglevel": "info",
    "error": "/var/log/xray/error.log",
    "access": "/var/log/xray/access.log"
  },
  "inbounds": [
    {
      "tag": "all-in",
      "port": 12345,
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy"
        }
      }
    },
    {
      "port": 12346,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "accounts": [
          {
            "user": "",
            "pass": ""
          }
        ],
        "udp": false,
        "ip": "127.0.0.1",
        "userLevel": 0
      }
    }
  ],
  "outbounds": [
    {
      "tag": "proxy",
      "protocol": "trojan",
      "settings": {
        "servers": [
          {
            "your_config": your_config
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "allowInsecure": true,
          "serverName": "v12.kwaicdn.com"
        }
      },
      "mux": {
        "enabled": false,
        "concurrency": -1
      }
    },
    {
      "tag": "block",
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {
        "domainStrategy": "UseIPv4"
      }
    },
    {
      "tag": "dns-out",
      "protocol": "dns",
      "settings": {
        "address": "8.8.8.8"
      },
      "proxySettings": {
        "tag": "proxy"
      },
      "streamSettings": {
        "sockopt": {
          "mark": 63
        }
      }
    }
  ],
  "dns": {
    "hosts": {
      "sfasdf.sdagsaf": "196.0.0.1"
    },
    "servers": [
      {
        "address": "8.8.8.8",
        "domains": ["geosite:geolocation-!cn"]
      },
      {
        "address": "192.168.1.1",
        "port": 53,
        "domains": ["geosite:cn"]
      },
      "1.1.1.1"
    ]
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "inboundTag": ["all-in"],
        "port": 53,
        "outboundTag": "dns-out"
      },
      {
        "type": "field",
        "port": 53,
        "outboundTag": "dns-out"
      },
      {
        "type": "field",
        "ip": ["8.8.8.8", "1.1.1.1"],
        "outboundTag": "proxy"
      },
      {
        "type": "field",
        "domain": ["geosite:category-ads-all"],
        "outboundTag": "block"
      },
      {
        "type": "field",
        "domain": ["geosite:cn"],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "ip": ["geoip:cn", "geoip:private"],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "domain": ["geosite:geolocation-!cn"],
        "outboundTag": "proxy"
      },
      {
        "type": "field",
        "ip": ["geoip:telegram"],
        "outboundTag": "proxy"
      }
    ]
  }
}

The source code for this article can be found here. If you find any errors or have any comments, please click on the link to raise an issue in the corresponding GitHub repo.

© 2024 wanmyj   •  Powered by Soopr   •  Theme  Moonwalk