Port 1080 on my machine is a SOCKS5 proxy; the browser uses it to reach blocked sites and everything works. Now I want a global proxy so that every program goes through it by default, with no per-program configuration.
Implementation:
After configuring iptables and starting redsocks, https://www.baidu.com and https://httpbin.org/ip work through the proxy, but https://www.google.com and https://www.taobao.com fail:
$ curl https://www.google.com
curl: (7) Failed to connect to www.google.com port 443: Connection refused
$ curl https://www.tmall.com
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.tmall.com:443
I searched around and it seems to be a problem with multi-certificate SSL (https://serverfault.com/questions/369829/setting-up-a-transparent-ssl-proxy), but I don't know how to fix it.
iptables configuration (output of iptables-save):
# Generated by iptables-save v1.6.1 on Mon Feb 19 22:42:08 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
:REDSOCKS - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -p tcp -j REDSOCKS
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -p tcp -j REDSOCKS
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.22.0.0/16 ! -o br-baa1469f50f2 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-4ce0135986fe -j MASQUERADE
-A POSTROUTING -s 172.22.0.2/32 -d 172.22.0.2/32 -p tcp -m tcp --dport 29015 -j MASQUERADE
-A POSTROUTING -s 172.22.0.2/32 -d 172.22.0.2/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.22.0.2/32 -d 172.22.0.2/32 -p tcp -m tcp --dport 28015 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-baa1469f50f2 -j RETURN
-A DOCKER -i br-4ce0135986fe -j RETURN
-A DOCKER ! -i br-baa1469f50f2 -p tcp -m tcp --dport 29015 -j DNAT --to-destination 172.22.0.2:29015
-A DOCKER ! -i br-baa1469f50f2 -p tcp -m tcp --dport 28080 -j DNAT --to-destination 172.22.0.2:8080
-A DOCKER ! -i br-baa1469f50f2 -p tcp -m tcp --dport 28015 -j DNAT --to-destination 172.22.0.2:28015
-A REDSOCKS -d {proxy server IP}/32 -j RETURN
-A REDSOCKS -d 0.0.0.0/8 -j RETURN
-A REDSOCKS -d 10.0.0.0/8 -j RETURN
-A REDSOCKS -d 100.64.0.0/10 -j RETURN
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -d 169.254.0.0/16 -j RETURN
-A REDSOCKS -d 172.16.0.0/12 -j RETURN
-A REDSOCKS -d 192.168.0.0/16 -j RETURN
-A REDSOCKS -d 198.18.0.0/15 -j RETURN
-A REDSOCKS -d 224.0.0.0/4 -j RETURN
-A REDSOCKS -d 240.0.0.0/4 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 1090
COMMIT
# Completed on Mon Feb 19 22:42:08 2018
Any pointers from fellow V2EX users would be appreciated, thanks!
Found the reason www.google.com cannot be reached: it is the DNS servers that DHCP set automatically:
$ cat /etc/resolv.conf
# Generated by resolvconf
search DHCP HOST
nameserver 10.72.255.131
nameserver 10.72.255.132
$ dig @10.72.255.131 www.google.com
;; ANSWER SECTION:
www.google.com. 1221 IN A 127.0.0.1 # wrong IP
;; Query time: 13 msec
;; SERVER: 10.72.255.131#53(10.72.255.131)
;; WHEN: Tue Feb 20 22:41:20 CST 2018
;; MSG SIZE rcvd: 59
$ dig @8.8.8.8 www.google.com
;; ANSWER SECTION:
www.google.com. 93 IN A 31.13.72.17 # correct IP
;; Query time: 40 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Feb 20 22:42:17 CST 2018
;; MSG SIZE rcvd: 48
After changing DNS to 8.8.8.8, google still fails while tmall works. It looks like DNS resolution also needs to go through the proxy: the IPs returned by domestic DNS cannot be reached from abroad:
curl https://www.google.com -v
* Trying 69.171.248.128... # logged in to the VPS and found this IP cannot be pinged
* TCP_NODELAY set
* Connected to www.google.com (69.171.248.128) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.google.com:443
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.google.com:443
curl https://www.tmall.com -I -v
* Rebuilt URL to: https://www.tmall.com/
* Trying 118.212.227.100... # this IP can be pinged from the VPS
* TCP_NODELAY set
* Connected to www.tmall.com (118.212.227.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
......
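An added check (example code written for this thread, not the poster's setup): it parses the two dig answers quoted above, flags A records that are not globally routable, and walks the REDSOCKS bypass list from the iptables dump to show why a 127.0.0.1 answer ends in "Connection refused" (it matches the 127.0.0.0/8 RETURN rule and never reaches redsocks) while a wrong public IP is handed to redsocks and only fails later at the TLS handshake. The proxy address 203.0.113.10 is a placeholder assumption.

```python
import ipaddress

# Bypass list copied from the REDSOCKS chain in the iptables dump above.
# Destinations in these networks hit "-j RETURN" (direct connection);
# everything else is REDIRECTed to redsocks on port 1090.
REDSOCKS_BYPASS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]
PROXY_IP = "203.0.113.10"  # placeholder for {proxy server IP}; an assumption


def redsocks_action(dst):
    """Walk the REDSOCKS chain the way iptables would for one destination."""
    ip = ipaddress.ip_address(dst)
    if ip == ipaddress.ip_address(PROXY_IP):
        return "RETURN"
    if any(ip in net for net in REDSOCKS_BYPASS):
        return "RETURN"
    return "REDIRECT:1090"


def parse_answers(dig_output):
    """Collect A-record IPs from dig's ANSWER SECTION lines."""
    ips = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2:4] == ["IN", "A"]:
            ips.append(parts[4])
    return ips


def non_routable(ip):
    """An A record for a public website should never be loopback/private/bogon."""
    return not ipaddress.ip_address(ip).is_global


def diagnose(local_dig, other_dig):
    """Compare two resolvers' answers and show where each answer would be routed."""
    local, other = parse_answers(local_dig), parse_answers(other_dig)
    return {
        "non_routable": [ip for ip in local if non_routable(ip)],
        # Disagreement only says at least one answer is wrong, not which resolver to trust.
        "resolvers_disagree": set(local) != set(other),
        "chain_action": {ip: redsocks_action(ip) for ip in local + other},
    }


# The two answers quoted in the thread above.
LOCAL_DIG = "www.google.com.\t1221\tIN\tA\t127.0.0.1"
OTHER_DIG = "www.google.com.\t93\tIN\tA\t31.13.72.17"

if __name__ == "__main__":
    print(diagnose(LOCAL_DIG, OTHER_DIG))
```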
1
rrfeng 2018-02-19 23:29:09 +08:00 via Android
Please post the output of curl -v.
2
pagxir 2018-02-19 23:31:24 +08:00
You need to fix the DNS problem, I think.
3
guyskk0x0 OP @rrfeng #1
https://www.tmall.com
```
curl https://www.tmall.com -v
* Rebuilt URL to: https://www.tmall.com/
*   Trying 117.169.80.241...
* TCP_NODELAY set
* Connected to www.tmall.com (117.169.80.241) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
## hangs here ##
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.tmall.com:443
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.tmall.com:443
```
https://www.google.com
```
curl https://www.google.com -v
* Rebuilt URL to: https://www.google.com/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* connect to 127.0.0.1 port 443 failed: Connection refused
* Failed to connect to www.google.com port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to www.google.com port 443: Connection refused
```
5
pagxir 2018-02-19 23:54:32 +08:00 1
@guyskk0x0 I recommend this: https://github.com/cachefiles/dnsfix ; see the wiki page for build and usage instructions.
6
disk 2018-02-20 13:01:25 +08:00 via Android
Strange... Try making DNS go over TCP?
10
alect 2018-02-21 17:08:05 +08:00
Even though the problem is already solved, I still have to say: don't use 8.8.8.8.
12
Ruiming 2018-02-22 00:33:38 +08:00 via iPhone
I recommend pcap_dnsproxy for dealing with DNS pollution.
13
chinawrj 2018-02-22 13:07:48 +08:00
First get clear on the difference between a TCP transparent proxy and an HTTP/HTTPS transparent proxy.
Still, look into the DNS problem.