V2EX › Jinnrry › All replies, page 36 of 44
Total replies: 862
@kursk Oh, now I get it: when dnsmasq resolves the domain it tags the IP into the blacklist ipset, and then the iptables rules here do the forwarding.

Thanks, the whole flow is instantly clear now.
@Zizpop You might as well write one yourself; a hundred-odd lines would do. In Python it might not even take 100 lines: manipulating the firewall and standing up an HTTP server are each a few lines, then throw together an HTTP page and you're done.
I think an obscure panel like that is far more likely to have a vulnerability than a password tool is.

An obscure panel you pick up may even come with a backdoor built in.

If you really want UI control, use Alibaba Cloud or Tencent Cloud: the server network management console lets you open and close ports, and Alibaba Cloud seems to have an app too, so you may not even need to log in to the web console; you can do it from the app.
Without the master password it definitely can't be opened. Rather than spending the time reading the source, you'd do better trying your commonly used passwords; keep trying passwords you set yourself and you'll eventually hit it.
@kursk #29 It does seem to be fw3. I'd read online that the latest version is fw4, so maybe I missed ticking some option when I compiled; it's still fw3.
@kursk #28

Chain PREROUTING (policy ACCEPT 7861 packets, 601K bytes)
pkts bytes target prot opt in out source destination
3187 191K SS_SPEC_WAN_AC tcp -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* _SS_SPEC_RULE_ */
693K 54M prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom prerouting rule chain */
692K 53M zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
838 245K zone_wan_prerouting all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_prerouting all -- eth1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain INPUT (policy ACCEPT 6615 packets, 455K bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 2812 packets, 202K bytes)
pkts bytes target prot opt in out source destination
763 45780 SS_SPEC_WAN_AC tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* _SS_SPEC_RULE_ */

Chain POSTROUTING (policy ACCEPT 3366 packets, 233K bytes)
pkts bytes target prot opt in out source destination
737K 56M postrouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom postrouting rule chain */
35025 3178K zone_lan_postrouting all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
517K 39M zone_wan_postrouting all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_postrouting all -- * eth1 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain MINIUPNPD (2 references)
pkts bytes target prot opt in out source destination

Chain MINIUPNPD-POSTROUTING (2 references)
pkts bytes target prot opt in out source destination

Chain SS_SPEC_WAN_AC (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set whitelist dst
0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set blacklist dst
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bplan src
0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set fplan src
75 4500 RETURN tcp -- * * 0.0.0.0/0 45.78.45.70 tcp dpt:!53
61 3680 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ss_spec_wan_ac dst
572 34320 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set china dst
0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set gmlan src ! match-set china dst
3242 195K SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SS_SPEC_WAN_FW (4 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 127.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 169.254.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 172.16.0.0/12
0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 RETURN all -- * * 0.0.0.0/0 240.0.0.0/4
3188 191K REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,53,587,465,995,993,143,80,443,853,9418 redir ports 1234

Chain postrouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination

Chain postrouting_rule (1 references)
pkts bytes target prot opt in out source destination

Chain postrouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination

Chain prerouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination

Chain prerouting_rule (1 references)
pkts bytes target prot opt in out source destination

Chain prerouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination

Chain zone_lan_postrouting (1 references)
pkts bytes target prot opt in out source destination
35025 3178K postrouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan postrouting rule chain */

Chain zone_lan_prerouting (1 references)
pkts bytes target prot opt in out source destination
692K 53M prerouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan prerouting rule chain */

Chain zone_wan_postrouting (2 references)
pkts bytes target prot opt in out source destination
517K 39M MINIUPNPD-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
517K 39M MINIUPNPD-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
517K 39M postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan postrouting rule chain */
517K 39M MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ mode: fullcone

Chain zone_wan_prerouting (2 references)
pkts bytes target prot opt in out source destination
838 245K MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
838 245K MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
838 245K prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan prerouting rule chain */
Chain SS_SPEC_WAN_FW (4 references)
pkts bytes target prot opt in out source destination
49 2940 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,53,587,465,995,993,143,80,443,853,9418 redir ports 1234

With iptables -t nat -L -v -n I can find this redirect rule. In ssr-plus I currently have it set to proxy only common ports, so iptables redirects traffic on those common ports to port 1234, which is xray's port, and that hands all that traffic to xray to proxy.
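The reply above answers "where is the redirect" by reading the nat table by eye. As an added example (not code from this thread or from ssr-plus), here is a small auditor that parses `iptables -t nat -L -v -n` output, follows the jumps from PREROUTING and OUTPUT, and reports every REDIRECT it reaches together with the destination ports, the redirect port, the ipsets that gate the path and the ipsets that make packets RETURN (escape) along the way. The listing it runs on is a constructed sample in the shape of the dump in the thread: chain and set names echo the thread, the counters and the port list are made up.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `iptables -t nat -L -v -n` output; the
# chain and set names echo the thread, the counters and port list are made up.
SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 7861 packets, 601K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3187  191K SS_SPEC_WAN_AC  tcp  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* _SS_SPEC_RULE_ */
 693K   54M prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom prerouting rule chain */

Chain OUTPUT (policy ACCEPT 2812 packets, 202K bytes)
 pkts bytes target     prot opt in     out     source               destination
  763 45780 SS_SPEC_WAN_AC  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* _SS_SPEC_RULE_ */

Chain SS_SPEC_WAN_AC (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set whitelist dst
    0     0 SS_SPEC_WAN_FW  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blacklist dst
  572 34320 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set china dst
 3242  195K SS_SPEC_WAN_FW  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SS_SPEC_WAN_FW (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.0/8
    0     0 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/16
 3188  191K REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,53,80,443 redir ports 1234
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
SET_RE = re.compile(r"(!\s*)?match-set (\S+) (src|dst)")
DPORT_RE = re.compile(r"\bdpts?:(\S+)|\bdports? (\S+)")
REDIR_RE = re.compile(r"\bredir ports (\d+)")
PROTOS = {"all", "tcp", "udp", "udplite", "icmp", "esp", "ah", "igmp", "sctp", "gre"}


def parse_nat_listing(text: str) -> Dict[str, List[dict]]:
    """Parse `iptables -L -v -n` output into {chain_name: [rule, ...]}."""
    chains: Dict[str, List[dict]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or line.startswith("pkts bytes"):
            continue  # column header
        tok = line.split()
        # A rule without -j prints an empty target column, so the protocol
        # lands right after the byte counter; re-insert the empty target.
        if len(tok) > 2 and (tok[2] in PROTOS or tok[2].isdigit()):
            tok.insert(2, "")
        if len(tok) < 9:
            continue  # not a rule line we understand
        chains[current].append({
            "pkts": tok[0], "bytes": tok[1], "target": tok[2], "prot": tok[3],
            "in": tok[5], "out": tok[6], "src": tok[7], "dst": tok[8],
            "extra": " ".join(tok[9:]),
        })
    return chains


def find_redirects(chains: Dict[str, List[dict]], roots=("PREROUTING", "OUTPUT")) -> List[dict]:
    """Follow jumps from the built-in chains and report every REDIRECT reached."""
    hits: List[dict] = []

    def return_sets(chain: str) -> List[str]:
        # ipsets that make a packet RETURN (escape the redirect) in this chain
        return sorted({name for r in chains.get(chain, []) if r["target"] == "RETURN"
                       for _, name, _ in SET_RE.findall(r["extra"])})

    def walk(chain: str, path: List[str], gates: List[str]) -> None:
        if chain in path:  # a rule loop would otherwise recurse forever
            return
        path = path + [chain]
        for rule in chains.get(chain, []):
            here = gates + [f"{'!' if neg else ''}{name} {d}"
                            for neg, name, d in SET_RE.findall(rule["extra"])]
            if rule["target"] == "REDIRECT":
                m_dp, m_rp = DPORT_RE.search(rule["extra"]), REDIR_RE.search(rule["extra"])
                hits.append({
                    "path": path,
                    "prot": rule["prot"],
                    "dports": (m_dp.group(1) or m_dp.group(2)).split(",") if m_dp else ["any"],
                    "redir_port": int(m_rp.group(1)) if m_rp else None,
                    "gate_sets": here,          # sets matched on the jumps that led here
                    "exempt_sets": sorted({s for c in path for s in return_sets(c)}),
                })
            elif rule["target"] in chains:
                walk(rule["target"], path, here)

    for root in roots:
        walk(root, [], [])
    return hits


if __name__ == "__main__":
    for hit in find_redirects(parse_nat_listing(SAMPLE_NAT_LISTING)):
        print(" -> ".join(hit["path"]), hit["prot"], "dports", ",".join(hit["dports"]),
              "->", hit["redir_port"], "gates", hit["gate_sets"], "exempt", hit["exempt_sets"])
```

On a real router, feed it `subprocess.run(["iptables", "-t", "nat", "-L", "-v", "-n"], capture_output=True, text=True).stdout` instead of the sample; two entries per root come out for the sample because SS_SPEC_WAN_AC jumps into SS_SPEC_WAN_FW twice, once gated by the blacklist set and once unconditionally, which is exactly the "everything not exempt gets redirected" shape the thread is asking about.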


@kursk #23 One more question: I currently have it set to proxy non-domestic IPs, so where is that IP-based splitting done? I checked xray's config file and found no routing section, which means xray just forwards inbound traffic to outbound and isn't using xray's own splitting capability.

Besides, the naive client shouldn't have any splitting capability, so ssr-plus clearly isn't relying on the individual proxy programs for splitting. So where is this IP-splitting policy?

Looking at these iptables rules, there doesn't seem to be any splitting configuration either, and I checked port 1234 and it really is handled by xray, so there shouldn't be any other splitting program in between.
219 days ago
Replied to the topic created by xlinux in Android: What emulator is everyone using for Android development in 2024?
A real device. With the heavily modified domestic Android systems, you'll run into all sorts of strange problems if you don't debug on a real device.
@kursk OK, thanks.
@kursk Thanks for the reply. I'm also on firewall4; I'm really not familiar with either nftables or iptables, so I'll dig into it following your approach first.
@Puteulanus #13
@kursk #3

I looked into SSR-PLUS's forced proxy some more, and found that forcing a domain through the proxy just adds a setting like `server=/docker.io/127.0.0.1#5335` without setting up an ipset. That only forces DNS to resolve via overseas DNS, so if the docker domain returns an IPv6 result and my server doesn't support IPv6, it's useless, isn't it?
@kursk #3 One more question: where is the configuration for "iptables then forwards packets whose destination is in this ipset to the proxy port or route"? Looking with iptables -L, I can't seem to find anything related.
@defunct9 #14 Thanks, ssh bro.
@kursk #15 I added server=/docker.io/127.0.0.1#5333 so that docker.io gets resolved through chinadns, because I saw that chinadns disables IPv6. dnsmasq returns IPv6 addresses, my proxy server has no IPv6, and Linux prefers IPv6 by default, so docker pull couldn't go through the proxy.

I can't seem to find where to add an ipset in OpenWrt? There's only a DNS forwarding field where a server can be set; hard-coding it in the config file feels inelegant.
@Puteulanus Yes, thanks.
@kursk #9 That line is one I added manually myself.
@kursk #5 Wow, you're amazing. Following what you said, I found the configuration.

The file /var/etc/dnsmasq.conf.cfg01411c adds an extra config directory path, `conf-dir=/tmp/dnsmasq.d`.

The /tmp/dnsmasq.d directory contains the complete splitting rules.
@Jinnrry #6 /etc/dnsmasq.conf contains only one line, log-facility=/dev/null; everything else is comments.
@defunct9 #4

# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
localise-queries
read-ethers
enable-ubus=dnsmasq
expand-hosts
bind-dynamic
local-service
cache-size=8192
edns-packet-max=1232
domain=lan
local=/lan/
server=/docker.io/127.0.0.1#5333
addn-hosts=/tmp/hosts
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.d/resolv.conf.auto
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq


dhcp-ignore-names=tag:dhcp_bogus_hostname
conf-file=/usr/share/dnsmasq/dhcpbogushostname.conf

srv-host=_vlmcs._tcp,OpenWrt,1688,0,100

bogus-priv
conf-file=/usr/share/dnsmasq/rfc6761.conf
dhcp-range=set:lan,192.168.0.100,192.168.0.249,255.255.0.0,120h
no-dhcp-interface=pppoe-wan
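The replies above (the generated dnsmasq config with its `conf-file=` and `conf-dir=/tmp/dnsmasq.d` lines, and the discovery that the split rules live in that directory) show why a single `cat /etc/dnsmasq.conf` finds nothing. As an added example, not code from this thread, OpenWrt or ssr-plus, here is a walker that starts from one dnsmasq config file, follows `conf-file` and `conf-dir` includes the way dnsmasq's documented rules do (skipping dot-files, `~` backups and `#...#` files, honouring `,*.conf` include and `,.bak` exclude suffixes), and reports for every domain which upstream `server=` it is pinned to and which `ipset=`/`nftset=` it is tagged into, along with the file each line came from. The directory tree it runs on is constructed in a temp dir to mirror the layout in the thread; the `cfg01411c` file name and the `docker.io` line are taken from the thread, `example.org`, `blacklist` and the backup file are made up.

```python
import fnmatch
import os
import tempfile
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (target, file the line was read from)


def _split_domain_line(value: str) -> Tuple[List[str], str]:
    """'/d1/d2/target' -> (['d1', 'd2'], 'target');  'target' -> ([], 'target')."""
    if not value.startswith("/"):
        return [], value
    parts = value.split("/")  # '', d1, d2, ..., target
    return parts[1:-1], parts[-1]


def _conf_dir_files(value: str) -> List[str]:
    """Expand a conf-dir value using dnsmasq's documented selection rules."""
    dirname, *filters = [v.strip() for v in value.split(",")]
    includes = [f for f in filters if f.startswith("*")]   # e.g. *.conf
    excludes = [f for f in filters if not f.startswith("*")]  # e.g. .bak
    chosen = []
    if not os.path.isdir(dirname):
        return chosen
    for name in sorted(os.listdir(dirname)):
        if name.startswith(".") or name.endswith("~") or (name.startswith("#") and name.endswith("#")):
            continue  # always skipped by dnsmasq
        if includes and not any(fnmatch.fnmatch(name, pat) for pat in includes):
            continue
        if any(name.endswith(suf) for suf in excludes):
            continue
        chosen.append(os.path.join(dirname, name))
    return chosen


def walk_dnsmasq(path: str, _seen=None, _result=None) -> Dict[str, dict]:
    """Collect server=/ipset=/nftset= lines across all included config files."""
    if _result is None:
        _seen, _result = set(), {"files": [], "server": {}, "ipset": {}}
    real = os.path.realpath(path)
    if real in _seen or not os.path.isfile(real):  # include loop or missing file
        return _result
    _seen.add(real)
    _result["files"].append(path)
    with open(real, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):  # '#' inside a value is a port separator
                continue
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key == "conf-file":
                walk_dnsmasq(value, _seen, _result)
            elif key == "conf-dir":
                for sub in _conf_dir_files(value):
                    walk_dnsmasq(sub, _seen, _result)
            elif key in ("server", "ipset", "nftset"):
                domains, target = _split_domain_line(value)
                bucket = _result["server"] if key == "server" else _result["ipset"]
                for dom in (domains or ["<default>"]):
                    bucket.setdefault(dom, []).append((target, path))
    return _result


def build_constructed_tree() -> str:
    """Create a throwaway tree mirroring the thread's layout (constructed data)."""
    root = tempfile.mkdtemp(prefix="dnsmasq-demo-")
    rules_dir = os.path.join(root, "tmp", "dnsmasq.d")
    os.makedirs(rules_dir)
    base = os.path.join(root, "dnsmasq.conf")
    main = os.path.join(root, "dnsmasq.conf.cfg01411c")
    with open(base, "w") as fh:
        fh.write("log-facility=/dev/null\n")
    with open(main, "w") as fh:
        fh.write(f"# auto-generated (constructed)\nconf-file={base}\n"
                 f"server=/docker.io/127.0.0.1#5333\nconf-dir={rules_dir}\n")
    with open(os.path.join(rules_dir, "gfwlist.conf"), "w") as fh:
        fh.write("# constructed split rules\nserver=/example.org/127.0.0.1#5335\n"
                 "ipset=/example.org/blacklist\n")
    with open(os.path.join(rules_dir, "gfwlist.conf~"), "w") as fh:
        fh.write("server=/ignored.test/9.9.9.9\n")  # editor backup: must be skipped
    return main


if __name__ == "__main__":
    report = walk_dnsmasq(build_constructed_tree())
    print("files read:", *report["files"], sep="\n  ")
    for dom, entries in sorted(report["server"].items()):
        print(f"{dom}: upstream {[t for t, _ in entries]} sets {[t for t, _ in report['ipset'].get(dom, [])]}")
```

Point it at `/var/etc/dnsmasq.conf.cfg01411c` (or whatever `ps | grep dnsmasq` shows as the `-C` argument) on the router and the output lists every domain override and the file that introduced it, which is the quickest way to tell whether a forced-proxy entry only pins the upstream resolver or also tags the answer into a set that the firewall later matches on.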
@defunct9 I'm not very familiar with iptables, but iptables -S doesn't appear to show any forwarding related to port 53 either.

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N MINIUPNPD
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_wan_rule
-N input_lan_rule
-N input_rule
-N input_wan_rule
-N output_lan_rule
-N output_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_dest_REJECT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_REJECT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 7744 -m comment --comment "!fw3: vpn" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 56471 -m comment --comment "!fw3: QBittorrent" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 51413 -m comment --comment "!fw3: Transmission" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject