redsocks 全局转发
1、配置redsocks
sudo apt install redsocks
base {
// debug: connection progress
log_debug = off;
// info: start and end of client session
log_info = on;
/* possible `log' values are:
* stderr
* "file:/path/to/file"
* syslog:FACILITY facility is any of "daemon", "local0"..."local7"
*/
log = stderr;
// log = "file:/path/to/file";
// log = "syslog:local7";
// detach from console
daemon = on;
/* Change uid, gid and root directory, these options require root
* privilegies on startup.
* Note, your chroot may requre /etc/localtime if you write log to syslog.
* Log is opened before chroot & uid changing.
* Debian, Ubuntu and some other distributions use `nogroup` instead of
* `nobody`, so change it according to your system if you want redsocks
* to drop root privileges.
*/
// user = nobody;
// group = nobody;
// chroot = "/var/chroot";
/* possible `redirector' values are:
* iptables - for Linux
* ipf - for FreeBSD
* pf - for OpenBSD
* generic - some generic redirector that MAY work
*/
redirector = iptables;
/* Override per-socket values for TCP_KEEPIDLE, TCP_KEEPCNT,
* and TCP_KEEPINTVL. see man 7 tcp for details.
* `redsocks' relies on SO_KEEPALIVE option heavily. */
//tcp_keepalive_time = 0;
//tcp_keepalive_probes = 0;
//tcp_keepalive_intvl = 0;
// Every `redsocks` connection needs two file descriptors for sockets.
// If `splice` is enabled, it also needs four file descriptors for
// pipes. `redudp` is not accounted at the moment. When max number of
// connection is reached, redsocks tries to close idle connections. If
// there are no idle connections, it stops accept()'ing new
// connections, although kernel continues to fill listenq.
// Set maximum number of open file descriptors (also known as `ulimit -n`).
// 0 -- do not modify startup limit (default)
// rlimit_nofile = 0;
// Set maximum number of served connections. Default is to deduce safe
// limit from `splice` setting and RLIMIT_NOFILE.
// redsocks_conn_max = 0;
// Close connections idle for N seconds when/if connection count
// limit is hit.
// 0 -- do not close idle connections
// 7440 -- 2 hours 4 minutes, see RFC 5382 (default)
// connpres_idle_timeout = 7440;
// `max_accept_backoff` is a delay in milliseconds to retry `accept()`
// after failure (e.g. due to lack of file descriptors). It's just a
// safety net for misconfigured `redsocks_conn_max`, you should tune
// redsocks_conn_max if accept backoff happens.
// max_accept_backoff = 60000;
}
redsocks {
/* `local_ip' defaults to 127.0.0.1 for security reasons,
* use 0.0.0.0 if you want to listen on every interface.
* `local_*' are used as port to redirect to.
*/
local_ip = 0.0.0.0;
local_port = 12345;
// listen() queue length. Default value is SOMAXCONN and it should be
// good enough for most of us.
// listenq = 128; // SOMAXCONN equals 128 on my Linux box.
// Enable or disable faster data pump based on splice(2) syscall.
// Default value depends on your kernel version, true for 2.6.27.13+
// splice = false;
// `ip' and `port' are IP and tcp-port of proxy-server
// You can also use hostname instead of IP, only one (random)
// address of multihomed host will be used.
ip = 127.0.0.1;
port = 1080;
// known types: socks4, socks5, http-connect, http-relay
type = socks5;
// login = "foobar";
// password = "baz";
// known ways to disclose client IP to the proxy:
// false -- disclose nothing
// http-connect supports:
// X-Forwarded-For -- X-Forwarded-For: IP
// Forwarded_ip -- Forwarded: for=IP # see RFC7239
// Forwarded_ipport -- Forwarded: for="IP:port" # see RFC7239
// disclose_src = false;
// various ways to handle proxy failure
// close -- just close connection (default)
// forward_http_err -- forward HTTP error page from proxy as-is
// on_proxy_fail = close;
}
//redudp {
// `local_ip' should not be 0.0.0.0 as it's also used for outgoing
// packets that are sent as replies - and it should be fixed
// if we want NAT to work properly.
//local_ip = 127.0.0.1;
//local_port = 10053;
// `ip' and `port' of socks5 proxy server.
//ip = 127.0.0.1;
//port = 1080;
// login = username;
// password = pazzw0rd;
// kernel does not give us this information, so we have to duplicate it
// in both iptables rules and configuration file. By the way, you can
// set `local_ip' to 127.45.67.89 if you need more than 65535 ports to
// forward ;-)
// This limitation may be relaxed in future versions using contrack-tools.
//dest_ip = 8.8.8.8;
//dest_port = 53;
//udp_timeout = 30;
//udp_timeout_stream = 180;
//}
//dnstc {
// fake and really dumb DNS server that returns "truncated answer" to
// every query via UDP, RFC-compliant resolver should repeat same query
// via TCP in this case.
// local_ip = 127.0.0.1;
// local_port = 5300;
//}
// you can add more `redsocks' and `redudp' sections if you need.
2、检查监听端口12345
sudo systemctl stop redsocks.service
sudo systemctl start redsocks.service
sudo systemctl status redsocks.service
netstat -anltp | grep 12345
3、全局启动和停止
#!/bin/bash
#不重定向目的地址为服务器的包
#请用你的shadowsocks服务器的地址替换$SERVER_IP
sudo iptables -t nat -A OUTPUT -d 104.27.162.110 -j RETURN
#不重定向私有地址的流量
sudo iptables -t nat -A OUTPUT -d 10.0.0.0/8 -j RETURN
sudo iptables -t nat -A OUTPUT -d 172.16.0.0/16 -j RETURN
sudo iptables -t nat -A OUTPUT -d 192.168.0.0/16 -j RETURN
#不重定向保留地址的流量,这一步很重要
sudo iptables -t nat -A OUTPUT -d 127.0.0.0/8 -j RETURN
#重定向所有不满足以上条件的流量到redsocks监听的12345端口
#12345是你的redsocks运行的端口,请根据你的情况替换它
sudo iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports 12345
#!/bin/bash
#不重定向目的地址为服务器的包
#请用你的shadowsocks服务器的地址替换$SERVER_IP
sudo iptables -t nat -D OUTPUT -d 104.27.162.110 -j RETURN
#不重定向私有地址的流量
sudo iptables -t nat -D OUTPUT -d 10.0.0.0/8 -j RETURN
sudo iptables -t nat -D OUTPUT -d 172.16.0.0/16 -j RETURN
sudo iptables -t nat -D OUTPUT -d 192.168.0.0/16 -j RETURN
#不重定向保留地址的流量,这一步很重要
sudo iptables -t nat -D OUTPUT -d 127.0.0.0/8 -j RETURN
#重定向所有不满足以上条件的流量到redsocks监听的12345端口
#12345是你的redsocks运行的端口,请根据你的情况替换它
sudo iptables -t nat -D OUTPUT -p tcp -j REDIRECT --to-ports 12345
sudo apt install redsocks
base {
// debug: connection progress
log_debug = off;
// info: start and end of client session
log_info = on;
/* possible `log' values are:
* stderr
* "file:/path/to/file"
* syslog:FACILITY facility is any of "daemon", "local0"..."local7"
*/
log = stderr;
// log = "file:/path/to/file";
// log = "syslog:local7";
// detach from console
daemon = on;
/* Change uid, gid and root directory, these options require root
* privilegies on startup.
* Note, your chroot may requre /etc/localtime if you write log to syslog.
* Log is opened before chroot & uid changing.
* Debian, Ubuntu and some other distributions use `nogroup` instead of
* `nobody`, so change it according to your system if you want redsocks
* to drop root privileges.
*/
// user = nobody;
// group = nobody;
// chroot = "/var/chroot";
/* possible `redirector' values are:
* iptables - for Linux
* ipf - for FreeBSD
* pf - for OpenBSD
* generic - some generic redirector that MAY work
*/
redirector = iptables;
/* Override per-socket values for TCP_KEEPIDLE, TCP_KEEPCNT,
* and TCP_KEEPINTVL. see man 7 tcp for details.
* `redsocks' relies on SO_KEEPALIVE option heavily. */
//tcp_keepalive_time = 0;
//tcp_keepalive_probes = 0;
//tcp_keepalive_intvl = 0;
// Every `redsocks` connection needs two file descriptors for sockets.
// If `splice` is enabled, it also needs four file descriptors for
// pipes. `redudp` is not accounted at the moment. When max number of
// connection is reached, redsocks tries to close idle connections. If
// there are no idle connections, it stops accept()'ing new
// connections, although kernel continues to fill listenq.
// Set maximum number of open file descriptors (also known as `ulimit -n`).
// 0 -- do not modify startup limit (default)
// rlimit_nofile = 0;
// Set maximum number of served connections. Default is to deduce safe
// limit from `splice` setting and RLIMIT_NOFILE.
// redsocks_conn_max = 0;
// Close connections idle for N seconds when/if connection count
// limit is hit.
// 0 -- do not close idle connections
// 7440 -- 2 hours 4 minutes, see RFC 5382 (default)
// connpres_idle_timeout = 7440;
// `max_accept_backoff` is a delay in milliseconds to retry `accept()`
// after failure (e.g. due to lack of file descriptors). It's just a
// safety net for misconfigured `redsocks_conn_max`, you should tune
// redsocks_conn_max if accept backoff happens.
// max_accept_backoff = 60000;
}
redsocks {
/* `local_ip' defaults to 127.0.0.1 for security reasons,
* use 0.0.0.0 if you want to listen on every interface.
* `local_*' are used as port to redirect to.
*/
local_ip = 0.0.0.0;
local_port = 12345;
// listen() queue length. Default value is SOMAXCONN and it should be
// good enough for most of us.
// listenq = 128; // SOMAXCONN equals 128 on my Linux box.
// Enable or disable faster data pump based on splice(2) syscall.
// Default value depends on your kernel version, true for 2.6.27.13+
// splice = false;
// `ip' and `port' are IP and tcp-port of proxy-server
// You can also use hostname instead of IP, only one (random)
// address of multihomed host will be used.
ip = 127.0.0.1;
port = 1080;
// known types: socks4, socks5, http-connect, http-relay
type = socks5;
// login = "foobar";
// password = "baz";
// known ways to disclose client IP to the proxy:
// false -- disclose nothing
// http-connect supports:
// X-Forwarded-For -- X-Forwarded-For: IP
// Forwarded_ip -- Forwarded: for=IP # see RFC7239
// Forwarded_ipport -- Forwarded: for="IP:port" # see RFC7239
// disclose_src = false;
// various ways to handle proxy failure
// close -- just close connection (default)
// forward_http_err -- forward HTTP error page from proxy as-is
// on_proxy_fail = close;
}
//redudp {
// `local_ip' should not be 0.0.0.0 as it's also used for outgoing
// packets that are sent as replies - and it should be fixed
// if we want NAT to work properly.
//local_ip = 127.0.0.1;
//local_port = 10053;
// `ip' and `port' of socks5 proxy server.
//ip = 127.0.0.1;
//port = 1080;
// login = username;
// password = pazzw0rd;
// kernel does not give us this information, so we have to duplicate it
// in both iptables rules and configuration file. By the way, you can
// set `local_ip' to 127.45.67.89 if you need more than 65535 ports to
// forward ;-)
// This limitation may be relaxed in future versions using contrack-tools.
//dest_ip = 8.8.8.8;
//dest_port = 53;
//udp_timeout = 30;
//udp_timeout_stream = 180;
//}
//dnstc {
// fake and really dumb DNS server that returns "truncated answer" to
// every query via UDP, RFC-compliant resolver should repeat same query
// via TCP in this case.
// local_ip = 127.0.0.1;
// local_port = 5300;
//}
// you can add more `redsocks' and `redudp' sections if you need.
2、检查监听端口12345
sudo systemctl stop redsocks.service
sudo systemctl start redsocks.service
sudo systemctl status redsocks.service
netstat -anltp | grep 12345
3、全局启动和停止
#!/bin/bash
#不重定向目的地址为服务器的包
#请用你的shadowsocks服务器的地址替换$SERVER_IP
sudo iptables -t nat -A OUTPUT -d 104.27.162.110 -j RETURN
#不重定向私有地址的流量
sudo iptables -t nat -A OUTPUT -d 10.0.0.0/8 -j RETURN
sudo iptables -t nat -A OUTPUT -d 172.16.0.0/16 -j RETURN
sudo iptables -t nat -A OUTPUT -d 192.168.0.0/16 -j RETURN
#不重定向保留地址的流量,这一步很重要
sudo iptables -t nat -A OUTPUT -d 127.0.0.0/8 -j RETURN
#重定向所有不满足以上条件的流量到redsocks监听的12345端口
#12345是你的redsocks运行的端口,请根据你的情况替换它
sudo iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports 12345
#!/bin/bash
#不重定向目的地址为服务器的包
#请用你的shadowsocks服务器的地址替换$SERVER_IP
sudo iptables -t nat -D OUTPUT -d 104.27.162.110 -j RETURN
#不重定向私有地址的流量
sudo iptables -t nat -D OUTPUT -d 10.0.0.0/8 -j RETURN
sudo iptables -t nat -D OUTPUT -d 172.16.0.0/16 -j RETURN
sudo iptables -t nat -D OUTPUT -d 192.168.0.0/16 -j RETURN
#不重定向保留地址的流量,这一步很重要
sudo iptables -t nat -D OUTPUT -d 127.0.0.0/8 -j RETURN
#重定向所有不满足以上条件的流量到redsocks监听的12345端口
#12345是你的redsocks运行的端口,请根据你的情况替换它
sudo iptables -t nat -D OUTPUT -p tcp -j REDIRECT --to-ports 12345
评论
发表评论