
TProxy is not working on ipv4


avn

Question

Good evening! The time has come to sort out TProxy for ipv4.

I take any service (for example v2ray, ss, squid, etc.) that listens on a specific port on the router, for example 9172, and forwards the traffic in tproxy mode to a remote server.

I write symmetric scripts for ipv4 and for ipv6 traffic.


/opt/etc/ndm/netfilter.d/10m-ss4.sh

#!/bin/sh

# Keenetic netfilter.d hook: run only when the IPv4 mangle table is rebuilt
[ "$type" != "iptables" ] && exit 0
[ "$table" != "mangle" ] && exit 0

# Append a rule only if it is not already present (the hook runs repeatedly).
# POSIX redirection: "&>" is a bash extension and backgrounds the command under #!/bin/sh.
ip4t() {
	if ! iptables -C "$@" >/dev/null 2>&1; then
		iptables -A "$@" || exit 0
	fi
}

# V2Ray: policy routing that delivers packets marked 0x2333 locally (to the TPROXY socket)
ip -4 route add local default dev lo table 233 2>/dev/null
ip -4 route show table main |grep -Ev ^default |while read ROUTE; do ip -4 route add table 233 $ROUTE 2>/dev/null; done
ip -4 rule add fwmark 0x2333 table 233 priority 233 2>/dev/null
iptables -N SSREDIR -t mangle 2>/dev/null
#iptables -F SSREDIR -t mangle 2>/dev/null

# connection-mark -> packet-mark
ip4t SSREDIR -t mangle -m mark --mark 0x2334 -j RETURN
ip4t SSREDIR -t mangle -j CONNMARK --restore-mark
ip4t SSREDIR -t mangle -m mark --mark 0x2333 -j RETURN
# private, reserved and multicast destinations are never proxied
ip4t SSREDIR -t mangle -d 0.0.0.0/8 -j RETURN
ip4t SSREDIR -t mangle -d 10.0.0.0/8 -j RETURN
ip4t SSREDIR -t mangle -d 100.64.0.0/10 -j RETURN
ip4t SSREDIR -t mangle -d 127.0.0.0/8 -j RETURN
ip4t SSREDIR -t mangle -d 169.254.0.0/16 -j RETURN
ip4t SSREDIR -t mangle -d 172.16.0.0/12 -j RETURN
ip4t SSREDIR -t mangle -d 192.0.0.0/24 -j RETURN
ip4t SSREDIR -t mangle -d 192.0.2.0/24 -j RETURN
ip4t SSREDIR -t mangle -d 192.168.0.0/16 -j RETURN
ip4t SSREDIR -t mangle -d 198.18.0.0/15 -j RETURN
ip4t SSREDIR -t mangle -d 198.51.100.0/24 -j RETURN
ip4t SSREDIR -t mangle -d 203.0.113.0/24 -j RETURN
ip4t SSREDIR -t mangle -d 224.0.0.0/3 -j RETURN
# mark new TCP connections (SYN) and new UDP flows, then store the mark on the conntrack entry
ip4t SSREDIR -t mangle -p tcp --syn -j MARK --set-mark 0x2333
ip4t SSREDIR -t mangle -p udp -m conntrack --ctstate NEW -j MARK --set-mark 0x2333
ip4t SSREDIR -t mangle -j CONNMARK --save-mark

# LAN (br0) traffic to the test host goes through SSREDIR; marked packets are diverted to the local proxy port
ip4t PREROUTING -t mangle -i br0 -p tcp -d 34.160.111.145 -j SSREDIR
ip4t PREROUTING -t mangle -i br0 -p tcp -m mark --mark 0x2333 -j TPROXY --on-port 9172
ip4t PREROUTING -t mangle -i br0 -p udp -d 34.160.111.145 -j SSREDIR
ip4t PREROUTING -t mangle -i br0 -p udp -m mark --mark 0x2333 -j TPROXY --on-port 9172

exit 0

/opt/etc/ndm/netfilter.d/10m-ss6.sh

#!/bin/sh

# Keenetic netfilter.d hook: run only when the IPv6 mangle table is rebuilt
[ "$type" != "ip6tables" ] && exit 0
[ "$table" != "mangle" ] && exit 0

# Append a rule only if it is not already present (the hook runs repeatedly).
# POSIX redirection: "&>" is a bash extension and backgrounds the command under #!/bin/sh.
ip6t() {
	if ! ip6tables -C "$@" >/dev/null 2>&1; then
		ip6tables -A "$@" || exit 0
	fi
}

# V2Ray: policy routing that delivers packets marked 0x2333 locally (to the TPROXY socket)
ip -6 route add local default dev lo table 233 2>/dev/null
ip -6 route show table main |grep -Ev ^default |while read ROUTE; do ip -6 route add table 233 $ROUTE 2>/dev/null; done
ip -6 rule add fwmark 0x2333 table 233 priority 233 2>/dev/null
ip6tables -N SSREDIR -t mangle 2>/dev/null
#ip6tables -F SSREDIR -t mangle 2>/dev/null

# connection-mark -> packet-mark
ip6t SSREDIR -t mangle -m mark --mark 0x2334 -j RETURN
ip6t SSREDIR -t mangle -j CONNMARK --restore-mark
ip6t SSREDIR -t mangle -m mark --mark 0x2333 -j RETURN
# reserved, documentation, ULA, link-local and multicast destinations are never proxied
ip6t SSREDIR -t mangle -d 0000::/8 -j RETURN
ip6t SSREDIR -t mangle -d 0100::/64 -j RETURN
ip6t SSREDIR -t mangle -d 0200::/7 -j RETURN
ip6t SSREDIR -t mangle -d 2001:0002::/48 -j RETURN
ip6t SSREDIR -t mangle -d 2001:0010::/28 -j RETURN
ip6t SSREDIR -t mangle -d 2001:0db8::/32 -j RETURN
ip6t SSREDIR -t mangle -d 2002::/16 -j RETURN
ip6t SSREDIR -t mangle -d 3ffe::/16 -j RETURN
ip6t SSREDIR -t mangle -d fc00::/7 -j RETURN
ip6t SSREDIR -t mangle -d fe80::/10 -j RETURN
ip6t SSREDIR -t mangle -d fec0::/10 -j RETURN
ip6t SSREDIR -t mangle -d ff00::/8 -j RETURN
# mark new TCP connections (SYN) and new UDP flows, then store the mark on the conntrack entry
ip6t SSREDIR -t mangle -p tcp --syn -j MARK --set-mark 0x2333
ip6t SSREDIR -t mangle -p udp -m conntrack --ctstate NEW -j MARK --set-mark 0x2333
ip6t SSREDIR -t mangle -j CONNMARK --save-mark

# LAN (br0) traffic to the test host goes through SSREDIR; marked packets are diverted to the local proxy port
ip6t PREROUTING -t mangle -i br0 -p tcp -d 2600:1901:0:b2bd:: -j SSREDIR
ip6t PREROUTING -t mangle -i br0 -p tcp -m mark --mark 0x2333 -j TPROXY --on-port 9172
ip6t PREROUTING -t mangle -i br0 -p udp -d 2600:1901:0:b2bd:: -j SSREDIR
ip6t PREROUTING -t mangle -i br0 -p udp -m mark --mark 0x2333 -j TPROXY --on-port 9172

exit 0

 

The router settings have also been made:

system
    set net.ipv4.ip_forward 1
    set net.ipv6.conf.all.forwarding 1
    set net.ipv4.tcp_fwmark_accept 1
!

Tests:

curl -4v https://ipecho.net/plain -- does not work

curl -6v https://ipecho.net/plain -- works

What is wrong for ipv4? I have already gone through the whole kernel; everything should work.


14 answers to this question


On 24.10.2023 at 00:33, avn said:

The time has come to sort out TProxy for ipv4.

Good afternoon. I fully support what is written above. However many times I have tried to set up tproxy, it does not work.


Traffic on br0. ipv6 works, ipv4 does not work

tcpdump: listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:21:10.948006 IP6 (flowlabel 0xf7275, hlim 64, next-header TCP (6) payload length: 28)   2a55:dd80:330b:5566:f565:6e54:852d:528c.65152 > 2600:1901:0:b2bd::.https: Flags [S], cksum 0xb5a1 (correct), seq 179399871, win 64800, options [mss 1440,nop,nop,sackOK], length 0
17:21:10.948499 IP6 (flowlabel 0x5b2b9, hlim 64, next-header TCP (6) payload length: 28)   2600:1901:0:b2bd::.https > 2a55:dd80:330b:5566:f565:6e54:852d:528c.65152: Flags [S.], cksum 0x58e7 (incorrect -> 0x99c4), seq 3770140596, ack 179399872, win 28800, options [mss 1440,nop,nop,sackOK], length 0
17:21:10.949554 IP6 (flowlabel 0xf7275, hlim 64, next-header TCP (6) payload length: 20)   2a55:dd80:330b:5566:f565:6e54:852d:528c.65152 > 2600:1901:0:b2bd::.https: Flags [.], cksum 0x39d4 (correct), seq 1, ack 1, win 64800, length 0
17:21:10.970729 IP6 (flowlabel 0xf7275, hlim 64, next-header TCP (6) payload length: 537)  2a55:dd80:330b:5566:f565:6e54:852d:528c.65152 > 2600:1901:0:b2bd::.https: Flags [P.], cksum 0x2a57 (correct), seq 1:518, ack 1, win 64800, length 517
17:21:10.971071 IP6 (flowlabel 0x5b2b9, hlim 64, next-header TCP (6) payload length: 20)   2600:1901:0:b2bd::.https > 2a55:dd80:330b:5566:f565:6e54:852d:528c.65152: Flags [.], cksum 0x58df (incorrect -> 0xc1c7), seq 1, ack 518, win 29480, length 0
17:21:11.445891 IP6 (flowlabel 0x5b2b9, hlim 64, next-header TCP (6) payload length: 4609) 2600:1901:0:b2bd::.https > 2a55:dd80:330b:5566:f565:6e54:852d:528c.65152: Flags [P.], cksum 0x6acc (incorrect -> 0xf9a9), seq 1:4590, ack 518, win 29480, length 4589
17:21:11.448812 IP6 (flowlabel 0xf7275, hlim 64, next-header TCP (6) payload length: 20)   2a55:dd80:330b:5566:f565:6e54:852d:528c.65152 > 2600:1901:0:b2bd::.https: Flags [.], cksum 0x25e2 (correct), seq 518, ack 4590, win 64800, length 0
17:21:11.464933 IP6 (flowlabel 0xf7275, hlim 64, next-header TCP (6) payload length: 100)  2a55:dd80:330b:5566:f565:6e54:852d:528c.65152 > 2600:1901:0:b2bd::.https: Flags [P.], cksum 0x490b (correct), seq 518:598, ack 4590, win 64800, length 80
17:21:11.465092 IP6 (flowlabel 0x5b2b9, hlim 64, next-header TCP (6) payload length: 20)   2600:1901:0:b2bd::.https > 2a55:dd80:330b:5566:f565:6e54:852d:528c.65152: Flags [.], cksum 0x58df (incorrect -> 0xaf8a), seq 4590, ack 598, win 29480, length 0
17:21:11.470381 IP6 (flowlabel 0xf7275, hlim 64, next-header TCP (6) payload length: 106)  2a55:dd80:330b:5566:f565:6e54:852d:528c.65152 > 2600:1901:0:b2bd::.https: Flags [P.], cksum 0x9269 (correct), seq 598:684, ack 4590, win 64800, length 86
17:21:11.470591 IP6 (flowlabel 0x5b2b9, hlim 64, next-header TCP (6) payload length: 20)   2600:1901:0:b2bd::.https > 2a55:dd80:330b:5566:f565:6e54:852d:528c.65152: Flags [.], cksum 0x58df (incorrect -> 0xaf34), seq 4590, ack 684, win 29480, length 0
17:21:11.474099 IP6 (flowlabel 0xf7275, hlim 64, next-header TCP (6) payload length: 84)   2a55:dd80:330b:5566:f565:6e54:852d:528c.65152 > 2600:1901:0:b2bd::.https: Flags [P.], cksum 0x5015 (correct), seq 684:748, ack 4590, win 64800, length 64
17:21:11.474286 IP6 (flowlabel 0x5b2b9, hlim 64, next-header TCP (6) payload length: 20)   2600:1901:0:b2bd::.https > 2a55:dd80:330b:5566:f565:6e54:852d:528c.65152: Flags [.], cksum 0x58df (incorrect -> 0xaef4), seq 4590, ack 748, win 29480, length 0
17:21:11.533920 IP6 (flowlabel 0x5b2b9, hlim 64, next-header TCP (6) payload length: 638)  2600:1901:0:b2bd::.https > 2a55:dd80:330b:5566:f565:6e54:852d:528c.65152: Flags [P.], cksum 0x5b49 (incorrect -> 0x33c6), seq 4590:5208, ack 748, win 29480, length 618
17:21:11.537602 IP6 (flowlabel 0x5b2b9, hlim 64, next-header TCP (6) payload length: 51)   2600:1901:0:b2bd::.https > 2a55:dd80:330b:5566:f565:6e54:852d:528c.65152: Flags [P.], cksum 0x58fe (incorrect -> 0x601b), seq 5208:5239, ack 748, win 29480, length 31
17:21:11.538576 IP6 (flowlabel 0xf7275, hlim 64, next-header TCP (6) payload length: 20)   2a55:dd80:330b:5566:f565:6e54:852d:528c.65152 > 2600:1901:0:b2bd::.https: Flags [.], cksum 0x24fc (correct), seq 748, ack 5239, win 64151, length 0
17:21:11.539558 IP6 (flowlabel 0xf7275, hlim 64, next-header TCP (6) payload length: 51)   2a55:dd80:330b:5566:f565:6e54:852d:528c.65152 > 2600:1901:0:b2bd::.https: Flags [P.], cksum 0x97f2 (correct), seq 748:779, ack 5239, win 64151, length 31
17:21:11.539668 IP6 (flowlabel 0x5b2b9, hlim 64, next-header TCP (6) payload length: 20)   2600:1901:0:b2bd::.https > 2a55:dd80:330b:5566:f565:6e54:852d:528c.65152: Flags [.], cksum 0x58df (incorrect -> 0xac4c), seq 5239, ack 779, win 29480, length 0
17:21:11.653759 IP6 (flowlabel 0x5b2b9, hlim 64, next-header TCP (6) payload length: 311)  2600:1901:0:b2bd::.https > 2a55:dd80:330b:5566:f565:6e54:852d:528c.65152: Flags [P.], cksum 0x5a02 (incorrect -> 0xb2d7), seq 5239:5530, ack 779, win 29480, length 291
17:21:11.655048 IP6 (flowlabel 0xf7275, hlim 64, next-header TCP (6) payload length: 59)   2a55:dd80:330b:5566:f565:6e54:852d:528c.65152 > 2600:1901:0:b2bd::.https: Flags [P.], cksum 0x4903 (correct), seq 779:818, ack 5530, win 63860, length 39
17:21:11.655288 IP6 (flowlabel 0x5b2b9, hlim 64, next-header TCP (6) payload length: 20)   2600:1901:0:b2bd::.https > 2a55:dd80:330b:5566:f565:6e54:852d:528c.65152: Flags [.], cksum 0x58df (incorrect -> 0xab02), seq 5530, ack 818, win 29480, length 0
17:21:11.668278 IP6 (flowlabel 0xf7275, hlim 64, next-header TCP (6) payload length: 20)   2a55:dd80:330b:5566:f565:6e54:852d:528c.65152 > 2600:1901:0:b2bd::.https: Flags [F.], cksum 0x24b5 (correct), seq 818, ack 5530, win 63860, length 0
17:21:11.716190 IP6 (flowlabel 0x5b2b9, hlim 64, next-header TCP (6) payload length: 20)   2600:1901:0:b2bd::.https > 2a55:dd80:330b:5566:f565:6e54:852d:528c.65152: Flags [.], cksum 0x58df (incorrect -> 0xab01), seq 5530, ack 819, win 29480, length 0
17:21:12.669991 IP6 (flowlabel 0x5b2b9, hlim 64, next-header TCP (6) payload length: 20)   2600:1901:0:b2bd::.https > 2a55:dd80:330b:5566:f565:6e54:852d:528c.65152: Flags [F.], cksum 0x58df (incorrect -> 0xab00), seq 5530, ack 819, win 29480, length 0
17:21:12.671138 IP6 (flowlabel 0xf7275, hlim 64, next-header TCP (6) payload length: 20)   2a55:dd80:330b:5566:f565:6e54:852d:528c.65152 > 2600:1901:0:b2bd::.https: Flags [.], cksum 0x24b4 (correct), seq 819, ack 5531, win 63860, length 0

tcpdump: listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:22:46.023806 IP (tos 0x0, ttl 128, id 1824, offset 0, flags [DF], proto TCP (6), length 48)     192.168.97.123.65160 > 145.111.160.34.bc.googleusercontent.com.https: Flags [S], cksum 0x42cc (correct), seq 2528311830, win 64240, options [mss 1460,nop,nop,sackOK], length 0
17:22:46.024221 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 48)         145.111.160.34.bc.googleusercontent.com.https > 192.168.97.123.65160: Flags [S.], cksum 0xb477 (incorrect -> 0xaed0), seq 1110301341, ack 2528311831, win 29200, options [mss 1460,nop,nop,sackOK], length 0
17:22:46.025140 IP (tos 0x0, ttl 128, id 1825, offset 0, flags [DF], proto TCP (6), length 40)     192.168.97.123.65160 > 145.111.160.34.bc.googleusercontent.com.https: Flags [.], cksum 0x52b4 (correct), seq 1, ack 1, win 64240, length 0
17:22:46.055902 IP (tos 0x0, ttl 128, id 1826, offset 0, flags [DF], proto TCP (6), length 557)    192.168.97.123.65160 > 145.111.160.34.bc.googleusercontent.com.https: Flags [P.], cksum 0x6918 (correct), seq 1:518, ack 1, win 64240, length 517
17:22:46.362233 IP (tos 0x0, ttl 128, id 1827, offset 0, flags [DF], proto TCP (6), length 557)    192.168.97.123.65160 > 145.111.160.34.bc.googleusercontent.com.https: Flags [P.], cksum 0x6918 (correct), seq 1:518, ack 1, win 64240, length 517
17:22:46.975580 IP (tos 0x0, ttl 128, id 1828, offset 0, flags [DF], proto TCP (6), length 557)    192.168.97.123.65160 > 145.111.160.34.bc.googleusercontent.com.https: Flags [P.], cksum 0x6918 (correct), seq 1:518, ack 1, win 64240, length 517
17:22:48.183102 IP (tos 0x0, ttl 128, id 1829, offset 0, flags [DF], proto TCP (6), length 557)    192.168.97.123.65160 > 145.111.160.34.bc.googleusercontent.com.https: Flags [P.], cksum 0x6918 (correct), seq 1:518, ack 1, win 64240, length 517
17:22:50.582709 IP (tos 0x0, ttl 128, id 1830, offset 0, flags [DF], proto TCP (6), length 557)    192.168.97.123.65160 > 145.111.160.34.bc.googleusercontent.com.https: Flags [P.], cksum 0x6918 (correct), seq 1:518, ack 1, win 64240, length 517
17:22:55.397875 IP (tos 0x0, ttl 128, id 1831, offset 0, flags [DF], proto TCP (6), length 557)    192.168.97.123.65160 > 145.111.160.34.bc.googleusercontent.com.https: Flags [P.], cksum 0x6918 (correct), seq 1:518, ack 1, win 64240, length 517
17:22:57.022852 IP (tos 0x0, ttl 64, id 31512, offset 0, flags [DF], proto TCP (6), length 40)     145.111.160.34.bc.googleusercontent.com.https > 192.168.97.123.65160: Flags [F.], cksum 0xb46f (incorrect -> 0xdb93), seq 1, ack 1, win 29200, length 0
17:22:57.025255 IP (tos 0x0, ttl 128, id 1832, offset 0, flags [DF], proto TCP (6), length 40)     192.168.97.123.65160 > 145.111.160.34.bc.googleusercontent.com.https: Flags [.], cksum 0x50ae (correct), seq 518, ack 2, win 64240, length 0
17:22:57.028114 IP (tos 0x0, ttl 128, id 1833, offset 0, flags [DF], proto TCP (6), length 40)     192.168.97.123.65160 > 145.111.160.34.bc.googleusercontent.com.https: Flags [F.], cksum 0x50ad (correct), seq 518, ack 2, win 64240, length 0
17:22:57.036032 IP (tos 0x0, ttl 128, id 1834, offset 0, flags [DF], proto TCP (6), length 40)     192.168.97.123.65160 > 145.111.160.34.bc.googleusercontent.com.https: Flags [R.], cksum 0x4b9a (correct), seq 519, ack 2, win 0, length 0
17:22:57.228226 IP (tos 0x0, ttl 64, id 31513, offset 0, flags [DF], proto TCP (6), length 40)     145.111.160.34.bc.googleusercontent.com.https > 192.168.97.123.65160: Flags [F.], cksum 0xb46f (incorrect -> 0xdb93), seq 1, ack 1, win 29200, length 0
17:22:57.436229 IP (tos 0x0, ttl 64, id 31514, offset 0, flags [DF], proto TCP (6), length 40)     145.111.160.34.bc.googleusercontent.com.https > 192.168.97.123.65160: Flags [F.], cksum 0xb46f (incorrect -> 0xdb93), seq 1, ack 1, win 29200, length 0
17:22:57.848250 IP (tos 0x0, ttl 64, id 31515, offset 0, flags [DF], proto TCP (6), length 40)     145.111.160.34.bc.googleusercontent.com.https > 192.168.97.123.65160: Flags [F.], cksum 0xb46f (incorrect -> 0xdb93), seq 1, ack 1, win 29200, length 0
17:22:58.680246 IP (tos 0x0, ttl 64, id 31516, offset 0, flags [DF], proto TCP (6), length 40)     145.111.160.34.bc.googleusercontent.com.https > 192.168.97.123.65160: Flags [F.], cksum 0xb46f (incorrect -> 0xdb93), seq 1, ack 1, win 29200, length 0
17:23:00.344196 IP (tos 0x0, ttl 64, id 31517, offset 0, flags [DF], proto TCP (6), length 40)     145.111.160.34.bc.googleusercontent.com.https > 192.168.97.123.65160: Flags [F.], cksum 0xb46f (incorrect -> 0xdb93), seq 1, ack 1, win 29200, length 0
17:23:03.644257 IP (tos 0x0, ttl 64, id 31518, offset 0, flags [DF], proto TCP (6), length 40)     145.111.160.34.bc.googleusercontent.com.https > 192.168.97.123.65160: Flags [F.], cksum 0xb46f (incorrect -> 0xdb93), seq 1, ack 1, win 29200, length 0
17:23:10.296219 IP (tos 0x0, ttl 64, id 31519, offset 0, flags [DF], proto TCP (6), length 40)     145.111.160.34.bc.googleusercontent.com.https > 192.168.97.123.65160: Flags [F.], cksum 0xb46f (incorrect -> 0xdb93), seq 1, ack 1, win 29200, length 0
17:23:23.612229 IP (tos 0x0, ttl 64, id 31520, offset 0, flags [DF], proto TCP (6), length 40)     145.111.160.34.bc.googleusercontent.com.https > 192.168.97.123.65160: Flags [F.], cksum 0xb46f (incorrect -> 0xdb93), seq 1, ack 1, win 29200, length 0

 


If over ipv4 without https (curl -4v http://ipecho.net/plain), everything works.

~ # tcpdump -i br0 -vv host 34.160.111.145
tcpdump: listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:33:40.554071 IP (tos 0x0, ttl 128, id 1840, offset 0, flags [DF], proto TCP (6), length 48)    192.168.97.123.65203 > 145.111.160.34.bc.googleusercontent.com.http: Flags [S], cksum 0xdcf3 (correct), seq 1370138167, win 64240, options [mss 1460,nop,nop,sackOK], length 0
17:33:40.554503 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 48)        145.111.160.34.bc.googleusercontent.com.http > 192.168.97.123.65203: Flags [S.], cksum 0xb477 (incorrect -> 0xbf73), seq 88121615, ack 1370138168, win 29200, options [mss 1460,nop,nop,sackOK], length 0
17:33:40.556456 IP (tos 0x0, ttl 128, id 1841, offset 0, flags [DF], proto TCP (6), length 40)    192.168.97.123.65203 > 145.111.160.34.bc.googleusercontent.com.http: Flags [.], cksum 0x6357 (correct), seq 1, ack 1, win 64240, length 0
17:33:40.558893 IP (tos 0x0, ttl 128, id 1842, offset 0, flags [DF], proto TCP (6), length 118)   192.168.97.123.65203 > 145.111.160.34.bc.googleusercontent.com.http: Flags [P.], cksum 0x0e68 (correct), seq 1:79, ack 1, win 64240, length 78: HTTP, length: 78        GET /plain HTTP/1.1        Host: ipecho.net        User-Agent: curl/8.2.1        Accept: */*
17:33:40.559165 IP (tos 0x0, ttl 64, id 937, offset 0, flags [DF], proto TCP (6), length 40)      145.111.160.34.bc.googleusercontent.com.http > 192.168.97.123.65203: Flags [.], cksum 0xb46f (incorrect -> 0xebe9), seq 1, ack 79, win 29200, length 0
17:33:41.126494 IP (tos 0x0, ttl 64, id 938, offset 0, flags [DF], proto TCP (6), length 346)     145.111.160.34.bc.googleusercontent.com.http > 192.168.97.123.65203: Flags [P.], cksum 0xb5a1 (incorrect -> 0x24ca), seq 1:307, ack 79, win 29200, length 306: HTTP, length: 306        HTTP/1.1 200 OK        server: istio-envoy        date: Thu, 09 Nov 2023 14:33:50 GMT        content-type: text/plain; charset=utf-8        content-length: 22        access-control-allow-origin: *        x-envoy-upstream-service-time: 1        strict-transport-security: max-age=2592000; includeSubDomains        Via: 1.1 google        2a00:1022::1 [|http]
17:33:41.138142 IP (tos 0x0, ttl 128, id 1843, offset 0, flags [DF], proto TCP (6), length 40)    192.168.97.123.65203 > 145.111.160.34.bc.googleusercontent.com.http: Flags [F.], cksum 0x6308 (correct), seq 79, ack 307, win 63934, length 0
17:33:41.184199 IP (tos 0x0, ttl 64, id 939, offset 0, flags [DF], proto TCP (6), length 40)      145.111.160.34.bc.googleusercontent.com.http > 192.168.97.123.65203: Flags [.], cksum 0xb46f (incorrect -> 0xeab6), seq 307, ack 80, win 29200, length 0
17:33:42.139804 IP (tos 0x0, ttl 64, id 940, offset 0, flags [DF], proto TCP (6), length 40)      145.111.160.34.bc.googleusercontent.com.http > 192.168.97.123.65203: Flags [F.], cksum 0xb46f (incorrect -> 0xeab5), seq 307, ack 80, win 29200, length 0
17:33:42.141353 IP (tos 0x0, ttl 128, id 1844, offset 0, flags [DF], proto TCP (6), length 40)    192.168.97.123.65203 > 145.111.160.34.bc.googleusercontent.com.http: Flags [.], cksum 0x6307 (correct), seq 80, ack 308, win 63934, length 0

 

Edited by avn
36 minutes ago, avn said:

If over ipv4 without https (curl -4v http://ipecho.net/plain), everything works.

~ # tcpdump -i br0 -vv host 34.160.111.145
tcpdump: listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:33:40.554071 IP (tos 0x0, ttl 128, id 1840, offset 0, flags [DF], proto TCP (6), length 48)    192.168.97.123.65203 > 145.111.160.34.bc.googleusercontent.com.http: Flags [S], cksum 0xdcf3 (correct), seq 1370138167, win 64240, options [mss 1460,nop,nop,sackOK], length 0
17:33:40.554503 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 48)        145.111.160.34.bc.googleusercontent.com.http > 192.168.97.123.65203: Flags [S.], cksum 0xb477 (incorrect -> 0xbf73), seq 88121615, ack 1370138168, win 29200, options [mss 1460,nop,nop,sackOK], length 0
17:33:40.556456 IP (tos 0x0, ttl 128, id 1841, offset 0, flags [DF], proto TCP (6), length 40)    192.168.97.123.65203 > 145.111.160.34.bc.googleusercontent.com.http: Flags [.], cksum 0x6357 (correct), seq 1, ack 1, win 64240, length 0
17:33:40.558893 IP (tos 0x0, ttl 128, id 1842, offset 0, flags [DF], proto TCP (6), length 118)   192.168.97.123.65203 > 145.111.160.34.bc.googleusercontent.com.http: Flags [P.], cksum 0x0e68 (correct), seq 1:79, ack 1, win 64240, length 78: HTTP, length: 78        GET /plain HTTP/1.1        Host: ipecho.net        User-Agent: curl/8.2.1        Accept: */*
17:33:40.559165 IP (tos 0x0, ttl 64, id 937, offset 0, flags [DF], proto TCP (6), length 40)      145.111.160.34.bc.googleusercontent.com.http > 192.168.97.123.65203: Flags [.], cksum 0xb46f (incorrect -> 0xebe9), seq 1, ack 79, win 29200, length 0
17:33:41.126494 IP (tos 0x0, ttl 64, id 938, offset 0, flags [DF], proto TCP (6), length 346)     145.111.160.34.bc.googleusercontent.com.http > 192.168.97.123.65203: Flags [P.], cksum 0xb5a1 (incorrect -> 0x24ca), seq 1:307, ack 79, win 29200, length 306: HTTP, length: 306        HTTP/1.1 200 OK        server: istio-envoy        date: Thu, 09 Nov 2023 14:33:50 GMT        content-type: text/plain; charset=utf-8        content-length: 22        access-control-allow-origin: *        x-envoy-upstream-service-time: 1        strict-transport-security: max-age=2592000; includeSubDomains        Via: 1.1 google        2a00:1022::1 [|http]
17:33:41.138142 IP (tos 0x0, ttl 128, id 1843, offset 0, flags [DF], proto TCP (6), length 40)    192.168.97.123.65203 > 145.111.160.34.bc.googleusercontent.com.http: Flags [F.], cksum 0x6308 (correct), seq 79, ack 307, win 63934, length 0
17:33:41.184199 IP (tos 0x0, ttl 64, id 939, offset 0, flags [DF], proto TCP (6), length 40)      145.111.160.34.bc.googleusercontent.com.http > 192.168.97.123.65203: Flags [.], cksum 0xb46f (incorrect -> 0xeab6), seq 307, ack 80, win 29200, length 0
17:33:42.139804 IP (tos 0x0, ttl 64, id 940, offset 0, flags [DF], proto TCP (6), length 40)      145.111.160.34.bc.googleusercontent.com.http > 192.168.97.123.65203: Flags [F.], cksum 0xb46f (incorrect -> 0xeab5), seq 307, ack 80, win 29200, length 0
17:33:42.141353 IP (tos 0x0, ttl 128, id 1844, offset 0, flags [DF], proto TCP (6), length 40)    192.168.97.123.65203 > 145.111.160.34.bc.googleusercontent.com.http: Flags [.], cksum 0x6307 (correct), seq 80, ack 308, win 63934, length 0

 

Good evening to you.

Maybe Keenetic's own services are getting in the way on 443?

Edited by Skrill0
39 minutes ago, Skrill0 said:

Good evening to you.

Maybe Keenetic's own services are getting in the way on 443?

The cause has been found.

Normal operation is blocked by the rule

-A INPUT -p tcp -m tcp --dport 443 -j _NDM_HTTP_INPUT_TLS_

If it is deleted, everything works

iptables -t mangle -D INPUT -p tcp -m tcp --dport 443 -j _NDM_HTTP_INPUT_TLS_

Admins, please suggest a solution...

@vst  @Le ecureuil

Edited by avn
2 minutes ago, avn said:

The cause has been found.

Normal operation is blocked by the rule

-A INPUT -p tcp -m tcp --dport 443 -j _NDM_HTTP_INPUT_TLS_

If it is deleted, everything works

iptables -t mangle -D INPUT -p tcp -m tcp --dport 443 -j _NDM_HTTP_INPUT_TLS_

Admins, please suggest a solution...

@vst

Port 443 can be reassigned to 8443, for example.

ip http ssl port {port}


In that case it will be

~ # iptables -t mangle -nL _NDM_HTTP_INPUT_TLS_
Chain _NDM_HTTP_INPUT_TLS_ (1 references)
target     prot opt source               destination
CONNNDMMARK  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 flags:0x02/0x02 CONNNDMMARK xor 0x20
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 flags:0x02/0x02
CONNNDMMARK  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 flags:0x10/0x10 CONNNDMMARK xor 0x20
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 flags:0x10/0x10 connskip 2
_NDM_HTTP_INPUT_TLS_PASS_  all  --  0.0.0.0/0            0.0.0.0/0

 

2 minutes ago, Skrill0 said:

Port 443 can be reassigned to 8443, for example.

ip http ssl port {port}


In that case it will be

~ # iptables -t mangle -nL _NDM_HTTP_INPUT_TLS_
Chain _NDM_HTTP_INPUT_TLS_ (1 references)
target     prot opt source               destination
CONNNDMMARK  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 flags:0x02/0x02 CONNNDMMARK xor 0x20
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 flags:0x02/0x02
CONNNDMMARK  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 flags:0x10/0x10 CONNNDMMARK xor 0x20
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 flags:0x10/0x10 connskip 2
_NDM_HTTP_INPUT_TLS_PASS_  all  --  0.0.0.0/0            0.0.0.0/0

 

That is, if some third-party site happens to sit on port 8443, we will again be working out why it does not work.

13 minutes ago, avn said:

That is, if some third-party site happens to sit on port 8443, we will again be working out why it does not work.

That is true, but I suppose not only 8443 can be used, any other port too.
Only the potential problems of this solution are of interest.

If I understand correctly, all fourth-level KeenDNS domains, the app and the other services working over ssl will move to this port (I may be mistaken).

Edited by Skrill0

For now I have settled on this configuration. Both requests from the bridge and local traffic work. It is some kind of magic.

/opt/etc/ndm/netfilter.d/10m-v2ray.sh

#!/bin/sh

# Keenetic netfilter.d hook: one script serves both address families;
# $type says which tool's tables are being rebuilt, $table which table.
[ "$type" != "iptables" ] && [ "$type" != "ip6tables" ] && exit 0
[ "$table" != "mangle" ] && exit 0

# Append a rule only if it is not already present (the hook runs repeatedly).
# POSIX redirection: "&>" is a bash extension and backgrounds the command under #!/bin/sh.
ipt4() {
	if ! iptables -C "$@" >/dev/null 2>&1; then
		iptables -A "$@" || exit 0
	fi
}

ipt6() {
	if ! ip6tables -C "$@" >/dev/null 2>&1; then
		ip6tables -A "$@" || exit 0
	fi
}

# Dispatch to the tool that matches the family currently being rebuilt
ipt() {
	local F=ipt4
	[ "$type" = "iptables" ] || F=ipt6
	"$F" "$@"
}

# V2Ray
TABLE_ID=233     # policy routing table that delivers marked packets locally
MARK_PROXY=233   # packet mark set by TPROXY / V2RAY_LOOP and matched by the ip rule
MARK_DONE=234    # mark carried by the proxy's own outbound sockets (sockopt "mark" in the v2ray config)
PROXY_PORT=9172
if [ "$type" = "iptables" ]; then
	PROXY_IP=127.0.0.1
	EXCLUDE_NETS='0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/3'
	EXCLUDE_NETS_LOOP=255.255.255.255/32
	IPSET=unblock4-ssp
	IPFAMILY=4
	iptables -N V2RAY_REDIRECT -t mangle 2>/dev/null
	iptables -N V2RAY_LOOP -t mangle 2>/dev/null
else
	PROXY_IP=::1
	EXCLUDE_NETS='0000::/8 0100::/64 0200::/7 2001:0002::/48 2001:0010::/28 2001:0db8::/32 2002::/16 3ffe::/16 fc00::/7 fe80::/10 fec0::/10 ff00::/8'
	EXCLUDE_NETS_LOOP=::/128
	IPSET=unblock6-ssp
	IPFAMILY=6
	ip6tables -N V2RAY_REDIRECT -t mangle 2>/dev/null
	ip6tables -N V2RAY_LOOP -t mangle 2>/dev/null
fi

# Packets carrying MARK_PROXY are routed to lo so the TPROXY socket receives them
ip -$IPFAMILY route add local default dev lo table "$TABLE_ID" 2>/dev/null
ip -$IPFAMILY route show table main |grep -Ev ^default |while read ROUTE; do ip -$IPFAMILY route add table "$TABLE_ID" $ROUTE 2>/dev/null; done
ip -$IPFAMILY rule add fwmark "$MARK_PROXY" table "$TABLE_ID" priority "$TABLE_ID" 2>/dev/null

# Forwarded traffic: skip the proxy's own connections and local nets, divert the rest to the proxy
ipt V2RAY_REDIRECT -t mangle -m mark --mark "$MARK_DONE" -j RETURN
for net in $EXCLUDE_NETS; do ipt V2RAY_REDIRECT -t mangle -d "$net" -j RETURN; done
ipt V2RAY_REDIRECT -t mangle -p tcp -j TPROXY --tproxy-mark "$MARK_PROXY/$MARK_PROXY" --on-ip "$PROXY_IP" --on-port "$PROXY_PORT"
ipt V2RAY_REDIRECT -t mangle -p udp -j TPROXY --tproxy-mark "$MARK_PROXY/$MARK_PROXY" --on-ip "$PROXY_IP" --on-port "$PROXY_PORT"

# Locally generated traffic: only mark it; the ip rule then loops it through lo into PREROUTING
ipt V2RAY_LOOP -t mangle -m mark --mark "$MARK_DONE" -j RETURN
for net in $EXCLUDE_NETS; do ipt V2RAY_LOOP -t mangle -d "$net" -j RETURN; done
ipt V2RAY_LOOP -t mangle -d "$EXCLUDE_NETS_LOOP" -j RETURN
ipt V2RAY_LOOP -t mangle -j MARK --set-mark "$MARK_PROXY"

# Only destinations listed in the ipset are proxied
ipt PREROUTING -t mangle -p tcp -m set --match-set "$IPSET" dst -j V2RAY_REDIRECT
ipt PREROUTING -t mangle -p udp -m set --match-set "$IPSET" dst -j V2RAY_REDIRECT
ipt PREROUTING -t mangle -m mark --mark "$MARK_DONE" -j CONNMARK --save-mark

ipt OUTPUT     -t mangle -m connmark --mark "$MARK_DONE" -j CONNMARK --restore-mark
ipt OUTPUT     -t mangle -p tcp -m set --match-set "$IPSET" dst -j V2RAY_LOOP
ipt OUTPUT     -t mangle -p udp -m set --match-set "$IPSET" dst -j V2RAY_LOOP
ipt OUTPUT     -t mangle -m mark --mark "$MARK_DONE" -j MARK --set-mark 0

exit 0

 

/opt/etc/v2ray/10-tproxy.json

{
	"inbounds": [
		{
			"listen": "127.0.0.1",
			"port": 9172,
			"protocol": "dokodemo-door",
			"settings": {
				"network": "tcp,udp",
				"followRedirect": true
			},
			"streamSettings": {
				"sockopt": {
					"tproxy": "tproxy"
				}
			},
			"sniffing": {
				"enabled": true,
				"destOverride": [
					"http",
					"tls",
					"quic"
				]
			},
			"tag": "tproxy4"
		},
		{
			"listen": "::1",
			"port": 9172,
			"protocol": "dokodemo-door",
			"settings": {
				"network": "tcp,udp",
				"followRedirect": true
			},
			"streamSettings": {
				"sockopt": {
					"tproxy": "tproxy"
				}
			},
			"sniffing": {
				"enabled": true,
				"destOverride": [
					"http",
					"tls",
					"quic"
				]
			},
			"tag": "tproxy6"
		}
	]
}

 

/opt/etc/v2ray/outgoing*

{
	"outbounds": [
		{
			"protocol": "vmess",
			"settings": {
			},
			"streamSettings": {
				"sockopt": {
					"mark": 234
				}
			}
		}
	]
}

 

 

1 minute ago, Alexey77 said:

Good evening, your idea and its implementation are interesting!

What I liked more is that the bug and the problem were sorted out by the community, while we simply never even heard from the developers)


@avn Please explain about

IPSET=unblock4-ssp
IPSET=unblock6-ssp

Is this like in KVAS: dnsmasq+ipset and disabling the system dns via opkg dns-override? I would not want to go back to that), especially since xray has its own selective routing out of the box.

2 hours ago, jameszero said:

@avn Please explain about

IPSET=unblock4-ssp
IPSET=unblock6-ssp

Is this like in KVAS: dnsmasq+ipset and disabling the system dns via opkg dns-override? I would not want to go back to that), especially since xray has its own selective routing out of the box.

Yes, considering that for most people the router is not aarch64, it is a great idea to push all traffic through v2ray\xray. These are the rules that work for me; everyone adapts them for themselves.

My choice is xray+dnsmasq+ipset

 


Edited by avn

@slomblobov @Le ecureuil 

Version 4.2 beta 3: not fixed.

*mangle
:_NDM_HTTP_INPUT_TLS_ - [0:0]
:_NDM_HTTP_INPUT_TLS_PASS_ - [0:0]

-A INPUT -p tcp -m tcp --dport 443 -j _NDM_HTTP_INPUT_TLS_

-A _NDM_HTTP_INPUT_TLS_ -p tcp -m tcp --dport 443 --tcp-flags SYN SYN -j CONNNDMMARK --set-xmark 0x20/0x0
-A _NDM_HTTP_INPUT_TLS_ -p tcp -m tcp --dport 443 --tcp-flags SYN SYN -j RETURN
-A _NDM_HTTP_INPUT_TLS_ -p tcp -m tcp --dport 443 --tcp-flags ACK ACK -j CONNNDMMARK --set-xmark 0x20/0x0
-A _NDM_HTTP_INPUT_TLS_ -p tcp -m tcp --dport 443 --tcp-flags ACK ACK -m connskip --connskip 2 -j RETURN
-A _NDM_HTTP_INPUT_TLS_ -j _NDM_HTTP_INPUT_TLS_PASS_
-A _NDM_HTTP_INPUT_TLS_PASS_ -p tcp -m tls  --tls-sni "*61413ac0945b6ece48b952e2.keenetic.io" -j CONNNDMMARK --set-xmark 0x0/0x0
-A _NDM_HTTP_INPUT_TLS_PASS_ -p tcp -m tls  --tls-sni "*61413ac0945b6ece48b952e2.keenetic.io" -j RETURN
-A _NDM_HTTP_INPUT_TLS_PASS_ -j DROP

4.2b4: not fixed

Edited by avn
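Why the TCP handshake completes but the ClientHello is never acknowledged (the ipv4 tcpdump earlier in the thread), as an added example that is not code from the thread or from Keenetic: the script below models the _NDM_HTTP_INPUT_TLS_ chain quoted above and replays the client packets of a TPROXY-diverted HTTPS flow through it (TPROXY-diverted packets are delivered locally via the "local" route, so they traverse mangle INPUT), and it also shows the effect of Skrill0's suggestion to move the router's TLS port to 8443. The connskip semantics, the CONNNDMMARK arithmetic and the pre-parsed SNI field are assumptions of this model, not documented Keenetic behaviour.

```python
"""Model of the Keenetic mangle INPUT chain _NDM_HTTP_INPUT_TLS_ (as quoted in
the thread) applied to the first client packets of a TPROXY-diverted HTTPS flow.

Assumptions (this example's, not taken from the page):
  * '-m connskip --connskip N' matches while the connection's client-to-router
    packet counter (SYN included) is at most N;
  * CONNNDMMARK --set-xmark value/mask behaves like CONNMARK --set-xmark:
    ctmark = (ctmark & ~mask) ^ value, so value 0x20 with mask 0x0 toggles 0x20
    (the "xor 0x20" shown by iptables -nL in the thread);
  * the SNI arrives as a pre-parsed field instead of raw TLS ClientHello bytes.
Packets after the ClientHello are not modelled.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional

# SNI pattern from the ruleset quoted in the thread (the router's KeenDNS name)
ROUTER_SNI_PATTERN = "*61413ac0945b6ece48b952e2.keenetic.io"


@dataclass
class Packet:
    dport: int
    syn: bool = False
    ack: bool = False
    sni: Optional[str] = None  # ClientHello SNI; None for packets without one


@dataclass
class Conn:
    packets: int = 0   # client-to-router packets seen (connskip model)
    ndmmark: int = 0   # connection mark manipulated by CONNNDMMARK


def set_xmark(mark: int, value: int, mask: int) -> int:
    """CONNMARK-style --set-xmark: clear the mask bits, then XOR in value."""
    return (mark & ~mask) ^ value


def input_tls_chain(pkt: Packet, conn: Conn, router_tls_port: int = 443) -> str:
    """Walk '-A INPUT -p tcp --dport <router_tls_port> -j _NDM_HTTP_INPUT_TLS_'
    for one packet and return the verdict: 'RETURN' (INPUT continues) or 'DROP'."""
    if pkt.dport != router_tls_port:
        return "RETURN"                     # the INPUT jump matches only that port
    conn.packets += 1
    # _NDM_HTTP_INPUT_TLS_
    if pkt.syn:                             # --tcp-flags SYN SYN
        conn.ndmmark = set_xmark(conn.ndmmark, 0x20, 0x0)
        return "RETURN"
    if pkt.ack:                             # --tcp-flags ACK ACK
        conn.ndmmark = set_xmark(conn.ndmmark, 0x20, 0x0)
        if conn.packets <= 2:               # -m connskip --connskip 2 (assumed meaning)
            return "RETURN"
    # _NDM_HTTP_INPUT_TLS_PASS_: only the router's own KeenDNS SNI survives
    if pkt.sni is not None and fnmatch(pkt.sni, ROUTER_SNI_PATTERN):
        conn.ndmmark = set_xmark(conn.ndmmark, 0x0, 0x0)
        return "RETURN"
    return "DROP"


def replay_https_flow(sni: str, router_tls_port: int = 443) -> List[str]:
    """Verdicts for the client side of one diverted HTTPS connection to dport 443:
    SYN, the handshake-completing ACK, then the PSH/ACK carrying the ClientHello."""
    conn = Conn()
    packets = [
        Packet(dport=443, syn=True),
        Packet(dport=443, ack=True),
        Packet(dport=443, ack=True, sni=sni),
    ]
    return [input_tls_chain(p, conn, router_tls_port) for p in packets]


if __name__ == "__main__":
    # Constructed sample flows: the thread's test host and the router's own name
    print("ipecho.net, router TLS on 443 :", replay_https_flow("ipecho.net"))
    print("KeenDNS name, router TLS on 443:",
          replay_https_flow("abc61413ac0945b6ece48b952e2.keenetic.io"))
    print("ipecho.net, router TLS on 8443:", replay_https_flow("ipecho.net", 8443))
```

The third verdict of the first flow is the DROP that leaves the ClientHello unacknowledged and retransmitted in the capture; moving the router's TLS port off 443 means the INPUT jump no longer matches diverted traffic at all.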
