利用 iptables 实现透明代理

DNS 方案

dnsmasq 监听 127.0.0.1:53；
GFWlist 交给 pdnsd，上游 DNS 为 1.1.1.1:53（TCP，经过代理）；
Chinalist 交给运营商 DNS；
其余交给 overture：PrimaryDNS 为运营商 DNS，并使用 China IP 过滤结果；AlternativeDNS 为 1.1.1.1:53（TCP，经过代理）。

iptables rules

# /etc/iptables/iptables.rules
# Persisted nat table for the transparent TCP proxy. Every TCP connection
# originated on this host is sent through the SHADOWSOCKS chain, which lets
# the proxy server itself, local/private/reserved ranges and China-routed
# destinations pass untouched and REDIRECTs everything else to ss-redir.
# Restore with iptables.service; the "chnroute" ipset (from /etc/ipset.conf)
# must already exist, otherwise the --match-set rule makes the restore fail.
*nat
:PREROUTING ACCEPT [13:1352]
:INPUT ACCEPT [9:576]
:OUTPUT ACCEPT [556:45507]
:POSTROUTING ACCEPT [712:54867]
:SHADOWSOCKS - [0:0]
# Only OUTPUT is hooked: traffic from this host is proxied, forwarded
# traffic from other hosts (PREROUTING) is not. The "shadowsocks up" script
# appends this same jump again, so after a restore + "up" it exists twice.
-A OUTPUT -p tcp -j SHADOWSOCKS
# Must stay rule #1 of the chain: "shadowsocks up" rewrites it with
# -R SHADOWSOCKS 1 using the resolved server address. Without this exclusion
# ss-redir's own encrypted connection to the server would be redirected back
# into ss-redir. SERVER_IP is a placeholder.
-A SHADOWSOCKS -d SERVER_IP/32 -j RETURN
# Non-routable / special-purpose ranges are never proxied.
-A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
-A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
-A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
-A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
-A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
-A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
-A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
-A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
# Chinese prefixes (ipset "chnroute") go direct.
-A SHADOWSOCKS -p tcp -m set --match-set chnroute dst -j RETURN
# Everything else: transparent redirect to ss-redir's local listen port.
-A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 1081
COMMIT

配合 /etc/ipset.conf 使用
记得开启 iptables.service

update China IP

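#!/bin/bash
# Rebuild the "chnroute" ipset definition from APNIC's delegated-IPv4 list.
# Writes /etc/chnroute.txt (one CIDR per line) and regenerates
# /etc/ipset.conf (a `create` line followed by one `add` per prefix), both
# via sudo. Nothing under /etc is touched unless the download succeeded and
# produced at least one prefix.
set -euo pipefail

readonly APNIC_URL='https://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest'
readonly SET_NAME='chnroute'

tmpdir=$(mktemp -d)
cleanup() { rm -rf -- "$tmpdir"; }
trap cleanup EXIT

#######################################
# Convert APNIC delegation records on stdin to CIDR prefixes on stdout.
# Record format: registry|cc|type|start|value|date|status ; for ipv4 the
# value column is the number of addresses (a power of two).
# Arguments: none (reads stdin)
# Outputs:   one "start/prefixlen" line per CN ipv4 record
#######################################
apnic_cn_to_cidr() {
  awk -F'|' '
    $2 == "CN" && $3 == "ipv4" {
      # log($5)/log(2) is floating point and can land a hair above the exact
      # integer; %d truncates, which would then yield a prefix one too short
      # (/23 instead of /24). Round explicitly instead of trusting %d.
      printf("%s/%d\n", $4, 32 - int(log($5) / log(2) + 0.5))
    }'
}

main() {
  local routes="$tmpdir/chnroute.txt"
  local conf="$tmpdir/ipset.conf"

  # -f: an HTTP error must fail the pipeline instead of producing an empty
  # or HTML-filled list that would then be installed as the China route set.
  curl -fsSL "$APNIC_URL" | apnic_cn_to_cidr > "$routes"
  if [[ ! -s "$routes" ]]; then
    printf 'error: no CN prefixes parsed, /etc left unchanged\n' >&2
    exit 1
  fi

  # Same content the old `>` + `>>` pair produced, but assembled in the temp
  # dir so /etc/ipset.conf is never left half-written.
  {
    printf 'create %s hash:net family inet hashsize 2048 maxelem 65536\n' "$SET_NAME"
    sed "s/^/add ${SET_NAME} /" "$routes"
  } > "$conf"

  sudo install -m 0644 -- "$routes" /etc/chnroute.txt
  sudo install -m 0644 -- "$conf" /etc/ipset.conf
}

main "$@"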

update dnsmasq.conf

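#!/bin/bash
# Regenerate /etc/dnsmasq.conf for the split-DNS setup: base options, the
# bogus-nxdomain list, a hand-maintained override list, the China domain
# list (rewritten to 223.5.5.5) and the GFWList entries (pointed at the
# proxied resolver on 127.0.0.1#1053). The file is assembled in a private
# temp dir and only installed when every piece was fetched and the result
# passes dnsmasq's own syntax check.
set -euo pipefail

readonly LIST_BASE='https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master'

tmpdir=$(mktemp -d)
cleanup() { rm -rf -- "$tmpdir"; }
trap cleanup EXIT

out="$tmpdir/dnsmasq.conf"

# Fail before touching anything if the GFWList generator is missing.
if ! command -v gfwlist2dnsmasq.sh >/dev/null; then
  printf 'error: gfwlist2dnsmasq.sh not found in PATH\n' >&2
  exit 1
fi

# Quoted delimiter: config text is literal, nothing here is expanded.
cat > "$out" <<'EOF'

no-resolv
#resolv-file=/etc/resolv.dnsmasq.conf
server=127.0.0.1#1153
listen-address=127.0.0.1
cache-size=1000
min-cache-ttl=600

### bogus-nxdomain

EOF

# -f: a 4xx/5xx fails the script instead of appending an HTML error page
# to the config that is about to be installed.
curl -fsSL "$LIST_BASE/bogus-nxdomain.china.conf" >> "$out"

cat >> "$out" <<'EOF'

### my list
server=/hostripples.com/127.0.0.1#1053
server=/hk5.unlimit.fun/223.5.5.5#53
server=/v2ex.com/223.5.5.5#53
server=/store.steampowered.com/223.5.5.5#53
server=/steamstore-a.akamaihd.net/223.5.5.5#53
server=/steamcdn-a.akamaihd.net/223.5.5.5#53
server=/steamcommunity.com/127.0.0.1#1053
server=/nsl-net.ml/127.0.0.1#1053

### China list

EOF

# Dots escaped: an unescaped '.' is a regex wildcard.
curl -fsSL "$LIST_BASE/accelerated-domains.china.conf" \
  | sed 's/114\.114\.114\.114/223.5.5.5/g' >> "$out"

printf '\n### GFWList\n\n' >> "$out"

gfwlist2dnsmasq.sh -d 127.0.0.1 -p 1053 -o "$tmpdir/gfwlist.conf"
cat -- "$tmpdir/gfwlist.conf" >> "$out"

# Syntax-check the assembled file before it replaces the live config.
if command -v dnsmasq >/dev/null; then
  dnsmasq --test -C "$out"
fi

# install (not mv): the live config ends up root-owned with 0644 instead of
# keeping the invoking user's ownership from the temp file.
sudo install -m 0644 -- "$out" /etc/dnsmasq.conf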

gfwlist2dnsmasq.sh 来自 @cokebar on GitHub

shadowsocks up

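#!/bin/bash
# Bring the transparent proxy up: start ss-redir, refresh the server-IP
# exclusion (rule 1 of the nat SHADOWSOCKS chain, see
# /etc/iptables/iptables.rules) and hook the chain into OUTPUT.
# Fails closed: if the server hostname does not resolve to an IPv4 address
# the exclusion is not rewritten and the OUTPUT jump is not added, because
# otherwise ss-redir's own connection to the server would be redirected back
# into ss-redir. ss-redir must listen on the REDIRECT target port (1081).
set -euo pipefail

readonly SERVER_HOST='SERVER_HOST'   # placeholder: proxy server hostname
readonly CONF_NAME='CONF_NAME'       # placeholder: shadowsocks-libev config name

# Take the first A record only. Plain `host` also prints AAAA / MX lines
# whose 4th field is not an address, and -d accepts a single value; the
# old `awk '{print $4}'` could therefore hand iptables several words.
server_ip=$(host -t A "$SERVER_HOST" 2>/dev/null \
  | awk '/has address/ { print $4; exit }') || true

if [[ ! "$server_ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
  printf 'error: could not resolve %s to an IPv4 address\n' "$SERVER_HOST" >&2
  exit 1
fi

sudo systemctl start "shadowsocks-libev-redir@${CONF_NAME}"

sudo iptables -t nat -R SHADOWSOCKS 1 -d "${server_ip}/32" -j RETURN

# -C first: repeated runs, or a jump already restored from
# /etc/iptables/iptables.rules, would otherwise stack duplicate rules that
# a single -D in the "down" script cannot fully remove.
if ! sudo iptables -t nat -C OUTPUT -p tcp -j SHADOWSOCKS 2>/dev/null; then
  sudo iptables -t nat -A OUTPUT -p tcp -j SHADOWSOCKS
fi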

shadowsocks down

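#!/bin/bash
# Tear the transparent proxy down: unhook the SHADOWSOCKS chain from OUTPUT
# first (so nothing is still redirected to a port with no listener), then
# stop ss-redir. Every copy of the jump is removed, not just one.
set -euo pipefail

readonly CONF_NAME='CONF_NAME'   # placeholder: same name as in the "up" script

# -D removes a single instance; loop on -C so duplicates left by repeated
# "up" runs do not keep redirecting traffic after this script returns.
while sudo iptables -t nat -C OUTPUT -p tcp -j SHADOWSOCKS 2>/dev/null; do
  sudo iptables -t nat -D OUTPUT -p tcp -j SHADOWSOCKS
done

sudo systemctl stop "shadowsocks-libev-redir@${CONF_NAME}"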

https://blog.fiepi.com/archlinux/ss-redir_iptables_ipset_dnsmasq.html
https://github.com/shadowsocks/shadowsocks-libev