首页 注册 登录
V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
tony1016
V2EX  ›  macOS

pf 配合 ipset 进行 forward 的的语法是怎么样的?

  •   
  •   tony1016 · 2015-08-11 14:29:22 +08:00 · 432 次点击
    这是一个创建于 3390 天前的主题,其中的信息可能已经有所发展或是发生改变。
    我想仿照openwrt的案例,复制一套chinadns+dnsmasq+ipset+pf进行透明代理的翻墙策略。
    chinadns,dnsmasq,ipset似乎都能搞定,但时pf怎么配合ipset做forward,没有查到相关资料。有人做过吗?
    第 1 条附言  ·  2016-01-13 23:21:33 +08:00

    研究了一晚上,没有成功,但是有所总结

    1.首先是 redsocks 的 redirector ,显然不是 iptables ,似乎可以是 generic
    ```
    base {
    log_debug = on;
    log_info = on;
    daemon = off;
    redirector = generic;
    }

    redsocks {
    local_ip = 0.0.0.0;
    local_port = 1080;
    ip = 127.0.0.1;
    port = 8964;
    type = socks5;
    }
    ```

    2.pf 的 rdr 只能对 incoming 做 redirect ,所以,需要先 route-to ,把对外网的请求,变成对内网的请求,再把它重定向到 redsocks 。我以 twitter.com 为目标做了测试

    rdr pass log on lo0 inet proto tcp from any to 104.244.0.0/16 -> 127.0.0.1 port 1080
    pass out on en0 route-to lo0 inet proto tcp from en0 to 104.244.0.0/16

    第 2 条附言  ·  2016-01-13 23:22:12 +08:00

    3.没有成功,上错误日志:

    redsocks 的

    1452697912.242337 main.c:152 main(...) redsocks started
    1452697929.371679 redsocks.c:707 redsocks_accept_client(...) [192.168.2.155:52892->127.0.0.1:1080]: accepted
    1452697929.372909 redsocks.c:327 redsocks_start_relay(...) [192.168.2.155:52892->127.0.0.1:1080]: data relaying started
    1452697929.730668 redsocks.c:392 redsocks_shutdown(...) [192.168.2.155:52892->127.0.0.1:1080]: shutdown(relay, SHUT_RD): Socket is not connected
    1452697929.732500 redsocks.c:400 redsocks_shutdown(...) [192.168.2.155:52892->127.0.0.1:1080]: both client and server disconnected
    1452697929.732530 redsocks.c:337 redsocks_drop_client(...) [192.168.2.155:52892->127.0.0.1:1080]: dropping client
    ^C1452698186.130927 main.c:156 main(...) redsocks goes down

    第 3 条附言  ·  2016-01-13 23:22:24 +08:00

    pf 的日志

    No ALTQ support in kernel
    ALTQ related functions disabled
    ALL tcp 192.168.2.155:52056 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
    ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52056 FIN_WAIT_2:ESTABLISHED
    ALL tcp 192.168.2.155:52370 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
    ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52370 FIN_WAIT_2:ESTABLISHED
    ALL tcp 192.168.2.155:52428 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
    ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52428 FIN_WAIT_2:ESTABLISHED
    ALL tcp 192.168.2.155:52506 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
    ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52506 FIN_WAIT_2:ESTABLISHED
    ALL tcp 192.168.2.155:52561 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
    ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52561 FIN_WAIT_2:ESTABLISHED
    ALL tcp 192.168.2.155:52615 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
    ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52615 FIN_WAIT_2:ESTABLISHED
    ALL tcp 192.168.2.155:52892 -> 104.244.42.1:443 FIN_WAIT_2:FIN_WAIT_2
    ALL tcp 127.0.0.1:1080 <- 104.244.42.1:443 <- 192.168.2.155:52892 FIN_WAIT_2:FIN_WAIT_2

    可以看到 pf 的定向似乎是正确的: 127.0.0.1:1080 <- 104.244.42.1:443 <- 192.168.2.155:52892
    我怀疑问题出在 mac 平台的 redsocks 。

    希望懂 mac 和 freebsd 的同志,可以继续搞一搞

  • ipset
  • 搞定
  • dnsmasq
    8 条回复    2016-01-13 23:19:33 +08:00
    regeditms
        1
    regeditms  
       2015-08-11 15:34:21 +08:00
    我也想知道, 顶上去, 知道的人来回答.
    tony1016
        2
    tony1016  
    OP
       2015-08-11 15:45:12 +08:00
    目前查到的资料,pf支持table,难不成得做一个ipset定时向table同步的功能?
    cattyhouse
        3
    cattyhouse  
       2015-08-12 09:17:15 +08:00 via iPhone
    ipset是netfilter的东西吧?Linux独有的,
    PF是OS X的防火墙软件,

    怎么配合?ipset能运行在OS X?
    tony1016
        4
    tony1016  
    OP
       2015-08-12 09:39:28 +08:00
    @cattyhouse 好吧,看来资料看少了,ipset也没法解决。
    dnsmasq也没法标记域名了,是不是这个方案就over了?
    cattyhouse
        5
    cattyhouse  
       2015-08-12 09:59:42 +08:00 via iPhone
    @tony1016 要想在mac上搞点东西,还是多看看pf文档吧,也许人家就内置了类似ipsec的功能。
    cattyhouse
        6
    cattyhouse  
       2015-08-12 10:00:20 +08:00 via iPhone
    更正楼上 ipsec->ipset
    tony1016
        7
    tony1016  
    OP
       2016-01-13 16:57:33 +08:00
    最近在想,或许, pf+redsocks+chinaroute ,可以实现一套
    tony1016
        8
    tony1016  
    OP
       2016-01-13 23:19:33 +08:00
    研究了一晚上,没有成功,但是有所总结

    1.首先是 redsocks 的 redirector ,显然不是 iptables ,似乎可以是 generic
    ```
    base {
    log_debug = on;
    log_info = on;
    daemon = off;
    redirector = generic;
    }

    redsocks {
    local_ip = 0.0.0.0;
    local_port = 1080;
    ip = 127.0.0.1;
    port = 8964;
    type = socks5;
    }
    ```

    2.pf 的 rdr 只能对 incoming 做 redirect ,所以,需要先 route-to ,把对外网的请求,变成对内网的请求,再把它重定向到 redsocks 。我以 twitter.com 为目标做了测试
    ```
    rdr pass log on lo0 inet proto tcp from any to 104.244.0.0/16 -> 127.0.0.1 port 1080
    pass out on en0 route-to lo0 inet proto tcp from en0 to 104.244.0.0/16
    ```

    3.没有成功,上错误日志:

    redsocks 的
    ```
    1452697912.242337 main.c:152 main(...) redsocks started
    1452697929.371679 redsocks.c:707 redsocks_accept_client(...) [192.168.2.155:52892->127.0.0.1:1080]: accepted
    1452697929.372909 redsocks.c:327 redsocks_start_relay(...) [192.168.2.155:52892->127.0.0.1:1080]: data relaying started
    1452697929.730668 redsocks.c:392 redsocks_shutdown(...) [192.168.2.155:52892->127.0.0.1:1080]: shutdown(relay, SHUT_RD): Socket is not connected
    1452697929.732500 redsocks.c:400 redsocks_shutdown(...) [192.168.2.155:52892->127.0.0.1:1080]: both client and server disconnected
    1452697929.732530 redsocks.c:337 redsocks_drop_client(...) [192.168.2.155:52892->127.0.0.1:1080]: dropping client
    ^C1452698186.130927 main.c:156 main(...) redsocks goes down
    ```

    pf 的日志
    ```
    No ALTQ support in kernel
    ALTQ related functions disabled
    ALL tcp 192.168.2.155:52056 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
    ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52056 FIN_WAIT_2:ESTABLISHED
    ALL tcp 192.168.2.155:52370 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
    ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52370 FIN_WAIT_2:ESTABLISHED
    ALL tcp 192.168.2.155:52428 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
    ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52428 FIN_WAIT_2:ESTABLISHED
    ALL tcp 192.168.2.155:52506 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
    ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52506 FIN_WAIT_2:ESTABLISHED
    ALL tcp 192.168.2.155:52561 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
    ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52561 FIN_WAIT_2:ESTABLISHED
    ALL tcp 192.168.2.155:52615 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
    ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52615 FIN_WAIT_2:ESTABLISHED
    ALL tcp 192.168.2.155:52892 -> 104.244.42.1:443 FIN_WAIT_2:FIN_WAIT_2
    ALL tcp 127.0.0.1:1080 <- 104.244.42.1:443 <- 192.168.2.155:52892 FIN_WAIT_2:FIN_WAIT_2
    ```

    可以看到 pf 的定向似乎是正确的: 127.0.0.1:1080 <- 104.244.42.1:443 <- 192.168.2.155:52892
    我怀疑问题出在 mac 平台的 redsocks 。

    希望懂 mac 和 freebsd 的同志,可以继续搞一搞
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   3869 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 31ms · UTC 05:18 · PVG 13:18 · LAX 21:18 · JFK 00:18
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.