SanCoder-Q/file

## file
# 新建一个无密码，无法登陆，没home的系统用户，就叫shadowsocks
adduser --system --disabled-password --disabled-login --no-create-home shadowsocks

# 修改 /etc/default/shadowsocks-libev
USER=shadowsocks
GROUP=nogroup

# 使用setcap，允许非root用户无法监听低位端口
apt-get install libcap2-bin
setcap 'cap_net_bind_service=+ep' /usr/bin/ss-server


iptables -N SHADOWSOCKS


# 转发80流量到squid
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 127.0.0.0/8 -p tcp --dport 3128 -j ACCEPT
# Disable localhost
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 127.0.0.0/8 -j REJECT
# Disable Private Network
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 0.0.0.0/8 -j REJECT
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 10.0.0.0/8 -j REJECT
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 169.254.0.0/16 -j REJECT
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 172.16.0.0/12 -j REJECT
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 192.168.0.0/16 -j REJECT
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 224.0.0.0/4 -j REJECT
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 240.0.0.0/4 -j REJECT

# 开放对DNS、HTTP、HTTPS的访问，DNS有TCP和UDP两种哦！
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p udp --dport 53 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp --dport 53 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp --dport 80 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp --dport 443 -j ACCEPT

# 下面这条，将允许SS对客户端请求的回访。
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -m state --state ESTABLISHED,RELATED -j ACCEPT

# 下面两条，将不允许其他目标端口的访问
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp -j REJECT --reject-with tcp-reset
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p udp -j REJECT

# 最后，把SHADOWSOCKS这个Chain，打到OUTPUT上去
iptables -A OUTPUT -j SHADOWSOCKS
	# 新建一个无密码，无法登陆，没home的系统用户，就叫shadowsocks
	adduser --system --disabled-password --disabled-login --no-create-home shadowsocks

	# 修改 /etc/default/shadowsocks-libev
	USER=shadowsocks
	GROUP=nogroup

	# 使用setcap，允许非root用户无法监听低位端口
	apt-get install libcap2-bin
	setcap 'cap_net_bind_service=+ep' /usr/bin/ss-server


	iptables -N SHADOWSOCKS


	# 转发80流量到squid
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 127.0.0.0/8 -p tcp --dport 3128 -j ACCEPT
	# Disable localhost
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 127.0.0.0/8 -j REJECT
	# Disable Private Network
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 0.0.0.0/8 -j REJECT
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 10.0.0.0/8 -j REJECT
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 169.254.0.0/16 -j REJECT
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 172.16.0.0/12 -j REJECT
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 192.168.0.0/16 -j REJECT
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 224.0.0.0/4 -j REJECT
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 240.0.0.0/4 -j REJECT

	# 开放对DNS、HTTP、HTTPS的访问，DNS有TCP和UDP两种哦！
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p udp --dport 53 -j ACCEPT
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp --dport 53 -j ACCEPT
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp --dport 80 -j ACCEPT
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp --dport 443 -j ACCEPT

	# 下面这条，将允许SS对客户端请求的回访。
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -m state --state ESTABLISHED,RELATED -j ACCEPT

	# 下面两条，将不允许其他目标端口的访问
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp -j REJECT --reject-with tcp-reset
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p udp -j REJECT

	# 最后，把SHADOWSOCKS这个Chain，打到OUTPUT上去
	iptables -A OUTPUT -j SHADOWSOCKS