请教配置 iptables + redsocks 全局代理，遇到部分网站 SSL 证书错误

V2EX = way to explore

V2EX 是一个关于分享和探索的地方

现在注册

已注册用户请登录

Distributions

› Ubuntu

› Fedora

› CentOS

中文资源站

› 网易开源镜像站

这是一个创建于 2450 天前的主题，其中的信息可能已经有所发展或是发生改变。

我本地 1080 端口是 Socks5 代理，浏览器用它科学上网一切正常，我现在想配置全局代理让所有程序无需配置默认就能 FQ。

实现：

使用 redsocks ( https://github.com/darkk/redsocks) 将 Socks5 代理转成 TCP 透明代理，监听本地 1090 端口。
使用 iptables ( https://www.frozentux.net/iptables-tutorial/cn/iptables-tutorial-cn-1.1.19.html) 将所有流量转发给本地 1090 端口，访问代理服务器的流量除外。

配置 iptables 并启动 redsocks 后，访问 https://www.baidu.com, https://httpbin.org/ip 能正常 FQ，但访问 https:www.google.com, https://www.taobao.com 就报错：

$ curl https://www.google.com                                                          
curl: (7) Failed to connect to www.google.com port 443: Connection refused
$ curl https://www.tmall.com 
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.tmall.com:443

搜索了一下，貌似是 多证书 SSL 会出问题 https://serverfault.com/questions/369829/setting-up-a-transparent-ssl-proxy，不知怎么解决。

iptables 配置(iptables-save 返回内容)：

# Generated by iptables-save v1.6.1 on Mon Feb 19 22:42:08 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
:REDSOCKS - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -p tcp -j REDSOCKS
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -p tcp -j REDSOCKS
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.22.0.0/16 ! -o br-baa1469f50f2 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-4ce0135986fe -j MASQUERADE
-A POSTROUTING -s 172.22.0.2/32 -d 172.22.0.2/32 -p tcp -m tcp --dport 29015 -j MASQUERADE
-A POSTROUTING -s 172.22.0.2/32 -d 172.22.0.2/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.22.0.2/32 -d 172.22.0.2/32 -p tcp -m tcp --dport 28015 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-baa1469f50f2 -j RETURN
-A DOCKER -i br-4ce0135986fe -j RETURN
-A DOCKER ! -i br-baa1469f50f2 -p tcp -m tcp --dport 29015 -j DNAT --to-destination 172.22.0.2:29015
-A DOCKER ! -i br-baa1469f50f2 -p tcp -m tcp --dport 28080 -j DNAT --to-destination 172.22.0.2:8080
-A DOCKER ! -i br-baa1469f50f2 -p tcp -m tcp --dport 28015 -j DNAT --to-destination 172.22.0.2:28015
-A REDSOCKS -d {代理服务器 IP}/32 -j RETURN
-A REDSOCKS -d 0.0.0.0/8 -j RETURN
-A REDSOCKS -d 10.0.0.0/8 -j RETURN
-A REDSOCKS -d 100.64.0.0/10 -j RETURN
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -d 169.254.0.0/16 -j RETURN
-A REDSOCKS -d 172.16.0.0/12 -j RETURN
-A REDSOCKS -d 192.168.0.0/16 -j RETURN
-A REDSOCKS -d 198.18.0.0/15 -j RETURN
-A REDSOCKS -d 224.0.0.0/4 -j RETURN
-A REDSOCKS -d 240.0.0.0/4 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 1090
COMMIT
# Completed on Mon Feb 19 22:42:08 2018

求各位 V 友指点，谢谢！

第 1 条附言 · 2018-02-20 23:07:19 +08:00

找到了 www.google.com 无法连接的原因是 DHCP 自动设置的 DNS 问题：

$ cat /etc/resolv.conf
# Generated by resolvconf
search DHCP HOST
nameserver 10.72.255.131
nameserver 10.72.255.132

$ dig @10.72.255.131 www.google.com

;; ANSWER SECTION:
www.google.com.		1221	IN	A	127.0.0.1  #错误IP

;; Query time: 13 msec
;; SERVER: 10.72.255.131#53(10.72.255.131)
;; WHEN: Tue Feb 20 22:41:20 CST 2018
;; MSG SIZE  rcvd: 59

$ dig @8.8.8.8 www.google.com

;; ANSWER SECTION:
www.google.com.		93	IN	A	31.13.72.17  #正确IP

;; Query time: 40 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Feb 20 22:42:17 CST 2018
;; MSG SIZE  rcvd: 48

修改 DNS 为 8.8.8.8 后，访问 google 依旧失败，访问 tmall 正常，目测需要代理 DNS 解析，国内DNS解析的IP在国外无法访问：

curl https://www.google.com -v
*   Trying 69.171.248.128...  # 登录VPS发现无法ping通这个IP
* TCP_NODELAY set
* Connected to www.google.com (69.171.248.128) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.google.com:443 
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.google.com:443

curl https://www.tmall.com -I -v    
* Rebuilt URL to: https://www.tmall.com/
*   Trying 118.212.227.100...  # VPS上能ping通这个IP
* TCP_NODELAY set
* Connected to www.tmall.com (118.212.227.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
......

13 条回复 • 2018-02-22 13:07:48 +08:00

rrfeng

2018-02-19 23:29:09 +08:00 via Android

curl -v

贴一下

pagxir

2018-02-19 23:31:24 +08:00

需要解决下 DNS 问题吧。

guyskk0x0

2018-02-19 23:42:12 +08:00

@rrfeng #1

https://www.tmall.com
```
curl https://www.tmall.com -v
* Rebuilt URL to: https://www.tmall.com/
* Trying 117.169.80.241...
* TCP_NODELAY set
* Connected to www.tmall.com (117.169.80.241) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1): ##此处会卡住##
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.tmall.com:443
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.tmall.com:443
```

https://www.google.com
```
curl https://www.google.com -v
* Rebuilt URL to: https://www.google.com/
* Trying 127.0.0.1...
* TCP_NODELAY set
* connect to 127.0.0.1 port 443 failed: Connection refused
* Failed to connect to www.google.com port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to www.google.com port 443: Connection refused
```

guyskk0x0

2018-02-19 23:48:29 +08:00

@pagxir #2 DNS 一直没配，有什么推荐的轮子吗，不知道选哪个好

pagxir

2018-02-19 23:54:32 +08:00