
Help with an iptables + redsocks global proxy: some sites fail with SSL certificate errors

guyskk0x0 · 2018-02-19 23:21:58 +08:00 · 922 views

I have a SOCKS5 proxy on local port 1080. Pointing the browser at it gets me past the firewall without problems, and now I want a global proxy so that every program gets through by default without any per-program configuration.

Setup:

After configuring iptables and starting redsocks, https://www.baidu.com and https://httpbin.org/ip work through the proxy, but https://www.google.com and https://www.taobao.com fail:

```
$ curl https://www.google.com
curl: (7) Failed to connect to www.google.com port 443: Connection refused
$ curl https://www.tmall.com
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.tmall.com:443
```

From a bit of searching it seems that SSL sites with multiple certificates cause problems (https://serverfault.com/questions/369829/setting-up-a-transparent-ssl-proxy), but I don't know how to solve it.

iptables configuration (output of iptables-save):

```
# Generated by iptables-save v1.6.1 on Mon Feb 19 22:42:08 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
:REDSOCKS - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -p tcp -j REDSOCKS
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -p tcp -j REDSOCKS
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.22.0.0/16 ! -o br-baa1469f50f2 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-4ce0135986fe -j MASQUERADE
-A POSTROUTING -s 172.22.0.2/32 -d 172.22.0.2/32 -p tcp -m tcp --dport 29015 -j MASQUERADE
-A POSTROUTING -s 172.22.0.2/32 -d 172.22.0.2/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.22.0.2/32 -d 172.22.0.2/32 -p tcp -m tcp --dport 28015 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-baa1469f50f2 -j RETURN
-A DOCKER -i br-4ce0135986fe -j RETURN
-A DOCKER ! -i br-baa1469f50f2 -p tcp -m tcp --dport 29015 -j DNAT --to-destination 172.22.0.2:29015
-A DOCKER ! -i br-baa1469f50f2 -p tcp -m tcp --dport 28080 -j DNAT --to-destination 172.22.0.2:8080
-A DOCKER ! -i br-baa1469f50f2 -p tcp -m tcp --dport 28015 -j DNAT --to-destination 172.22.0.2:28015
-A REDSOCKS -d {proxy server IP}/32 -j RETURN
-A REDSOCKS -d 0.0.0.0/8 -j RETURN
-A REDSOCKS -d 10.0.0.0/8 -j RETURN
-A REDSOCKS -d 100.64.0.0/10 -j RETURN
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -d 169.254.0.0/16 -j RETURN
-A REDSOCKS -d 172.16.0.0/12 -j RETURN
-A REDSOCKS -d 192.168.0.0/16 -j RETURN
-A REDSOCKS -d 198.18.0.0/15 -j RETURN
-A REDSOCKS -d 224.0.0.0/4 -j RETURN
-A REDSOCKS -d 240.0.0.0/4 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 1090
COMMIT
# Completed on Mon Feb 19 22:42:08 2018
```

Any pointers from fellow V2EX users would be appreciated, thanks!

Appendix 1 · 2018-02-20 23:07:19 +08:00

I found the reason www.google.com could not be reached: the DNS servers set automatically by DHCP.

```
$ cat /etc/resolv.conf
# Generated by resolvconf
search DHCP HOST
nameserver 10.72.255.131
nameserver 10.72.255.132

$ dig @10.72.255.131 www.google.com

;; ANSWER SECTION:
www.google.com.		1221	IN	A	127.0.0.1  # wrong IP

;; Query time: 13 msec
;; SERVER: 10.72.255.131#53(10.72.255.131)
;; WHEN: Tue Feb 20 22:41:20 CST 2018
;; MSG SIZE  rcvd: 59

$ dig @8.8.8.8 www.google.com

;; ANSWER SECTION:
www.google.com.		93	IN	A	31.13.72.17  # correct IP

;; Query time: 40 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Feb 20 22:42:17 CST 2018
;; MSG SIZE  rcvd: 48
```

After changing DNS to 8.8.8.8, google still fails while tmall works. It looks like DNS resolution also has to go through the proxy: the IPs returned by domestic DNS resolvers are unreachable from abroad.

```
curl https://www.google.com -v
*   Trying 69.171.248.128...  # logged into the VPS: this IP cannot be pinged
* TCP_NODELAY set
* Connected to www.google.com (69.171.248.128) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.google.com:443
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.google.com:443

curl https://www.tmall.com -I -v
* Rebuilt URL to: https://www.tmall.com/
*   Trying 118.212.227.100...  # this IP can be pinged from the VPS
* TCP_NODELAY set
* Connected to www.tmall.com (118.212.227.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
......
```
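A check for this failure mode, added here as an example and not code from the original post: it parses dig-style answer lines and flags A records that fall inside the ranges the REDSOCKS chain above RETURNs, since traffic to those addresses never reaches the proxy. The 127.0.0.1 answer in the appendix is exactly such a record, which is why curl got "Connection refused" from the local machine rather than a proxied connection. The bypass ranges and the sample answer lines come from the post; the trusted-resolver answers used for comparison are a constructed input.

```python
"""Audit DNS answers against the redsocks bypass list (added example)."""
import ipaddress
import re

# Destinations the post's REDSOCKS chain exempts with RETURN; traffic to
# these is never redirected to redsocks on port 1090.
BYPASS_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

# One dig ANSWER SECTION line: name  ttl  IN  A  address
_ANSWER = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})")


def parse_answers(dig_output: str) -> list:
    """Return (name, ip) pairs for every A record in dig output."""
    records = []
    for line in dig_output.splitlines():
        m = _ANSWER.match(line.strip())
        if m:
            records.append((m.group(1).rstrip("."), ipaddress.ip_address(m.group(3))))
    return records


def bypassed(ip) -> bool:
    """True if a connection to ip skips the proxy under the REDSOCKS chain."""
    return any(ip in net for net in BYPASS_RANGES)


def audit(dig_output: str, trusted: dict) -> dict:
    """Classify each answer as 'bypassed' (lands in a RETURN range, so for a
    public name this is a poisoned answer the proxy never sees), 'mismatch'
    (differs from the trusted resolver's answer) or 'ok'."""
    verdicts = {}
    for name, ip in parse_answers(dig_output):
        if bypassed(ip):
            verdicts[name] = "bypassed"
        elif trusted.get(name) not in (None, str(ip)):
            verdicts[name] = "mismatch"
        else:
            verdicts[name] = "ok"
    return verdicts


# Constructed sample modelled on the two dig runs in the post.
LOCAL_DIG = "www.google.com.\t\t1221\tIN\tA\t127.0.0.1  # wrong IP\n"
TRUSTED = {"www.google.com": "31.13.72.17"}  # answer from the 8.8.8.8 run
```

Run `audit(LOCAL_DIG, TRUSTED)` to reproduce the poisoned case; feeding it the answer obtained after switching to 8.8.8.8 (69.171.248.128) yields 'mismatch' instead, which is the second symptom described above.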
    
13 replies · 2018-02-22 13:07:48 +08:00
#1 rrfeng · 2018-02-19 23:29:09 +08:00 via Android
curl -v

Please paste the output.
#2 pagxir · 2018-02-19 23:31:24 +08:00
You probably need to fix the DNS problem first.
#3 guyskk0x0 (OP) · 2018-02-19 23:42:12 +08:00

@rrfeng #1

https://www.tmall.com
```
curl https://www.tmall.com -v
* Rebuilt URL to: https://www.tmall.com/
* Trying 117.169.80.241...
* TCP_NODELAY set
* Connected to www.tmall.com (117.169.80.241) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1): ## hangs here ##
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.tmall.com:443
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.tmall.com:443
```

https://www.google.com
```
curl https://www.google.com -v
* Rebuilt URL to: https://www.google.com/
* Trying 127.0.0.1...
* TCP_NODELAY set
* connect to 127.0.0.1 port 443 failed: Connection refused
* Failed to connect to www.google.com port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to www.google.com port 443: Connection refused
```
#4 guyskk0x0 (OP) · 2018-02-19 23:48:29 +08:00
@pagxir #2 I never set up DNS at all. Any tools you would recommend? I don't know which one to pick.
#5 pagxir · 2018-02-19 23:54:32 +08:00 · ❤️ 1
@guyskk0x0 I recommend this one: https://github.com/cachefiles/dnsfix. See the wiki page for how to build and use it.
#6 disk · 2018-02-20 13:01:25 +08:00 via Android
Strange... have you tried making DNS go over TCP?
#7 guyskk0x0 (OP) · 2018-02-20 23:09:32 +08:00
@rrfeng @pagxir @disk
Thanks everyone, the problem is solved.
#8 cc123 · 2018-02-21 08:10:23 +08:00 via iPhone
@guyskk0x0 So what was the problem?
#9 guyskk0x0 (OP) · 2018-02-21 11:15:48 +08:00 via Android
@cc123 A DNS problem; see the appendix to the post.
#10 alect · 2018-02-21 17:08:05 +08:00
Even though the problem is already solved, I still have to say: don't use 8.8.8.8.
#11 guyskk0x0 (OP) · 2018-02-21 17:22:38 +08:00
@alect #10 I don't follow. What's wrong with using 8.8.8.8?
#12 Ruiming · 2018-02-22 00:33:38 +08:00 via iPhone
I recommend pcap_dnsproxy for dealing with DNS poisoning.
#13 chinawrj · 2018-02-22 13:07:48 +08:00
First get clear on the difference between a TCP transparent proxy and an HTTP/HTTPS transparent proxy.
Still, look into the DNS problem.