Last active
May 19, 2024 09:37
-
-
Save timercrack/bc758a0021e2ee62a80e0ba5541804dd to your computer and use it in GitHub Desktop.
openwrt + XRAY 使用 iptables 实现 IPV4 / IPV6 透明代理
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {//服务器使用的方案:VLESS+TLS+WS+NGINX+CDN,看情况替换成自己的 | |
| "log": { | |
| "access": "/dev/null", | |
| "error": "/var/log/xray_error.log", | |
| "loglevel": "warning" | |
| }, | |
| "inbounds": [ | |
| { | |
| "tag":"transparent", | |
| "port": 12345, | |
| "protocol": "dokodemo-door", | |
| "settings": { | |
| "network": "tcp,udp", | |
| "followRedirect": true | |
| }, | |
| "sniffing": { | |
| "enabled": true, | |
| "destOverride": [ | |
| "http", | |
| "tls" | |
| ] | |
| }, | |
| "streamSettings": { | |
| "sockopt": { | |
| "tproxy": "tproxy","mark":255 | |
| } | |
| } | |
| }, | |
| { | |
| "port": 1080, | |
| "protocol": "socks", | |
| "sniffing": { | |
| "enabled": true, | |
| "destOverride": ["http", "tls"] | |
| }, | |
| "settings": { | |
| "auth": "noauth" | |
| } | |
| } | |
| ], | |
| "outbounds": [ | |
| { | |
| "tag": "proxy", | |
| "protocol": "vless", | |
| "settings": { | |
| "vnext": [ | |
| { | |
| "address": "<填入代理服务器域名>", | |
| "port": 443, | |
| "users": [ | |
| { | |
| "id": "<填入实际ID>", | |
| "encryption": "none" | |
| } | |
| ] | |
| } | |
| ] | |
| }, | |
| "streamSettings": { | |
| "network": "ws", | |
| "security": "tls", | |
| "tlsSettings": { | |
| "allowInsecure": false | |
| }, | |
| "wsSettings": { | |
| "path": "<替换实际的路径>" | |
| }, | |
| "sockopt": {"mark": 255} | |
| }, | |
| "mux": { | |
| "enabled": false, | |
| "concurrency": -1 | |
| } | |
| }, | |
| { | |
| "tag": "direct", | |
| "protocol": "freedom", | |
| "settings": {"domainStrategy": "UseIP"}, | |
| "streamSettings":{"sockopt":{"mark": 255}} | |
| }, | |
| { | |
| "tag": "block", | |
| "protocol": "blackhole", | |
| "settings": { | |
| "response": { | |
| "type": "http" | |
| } | |
| } | |
| }, | |
| { | |
| "tag": "dns-out", | |
| "protocol": "dns", | |
| "streamSettings":{"sockopt":{"mark": 255}} | |
| } | |
| ], | |
| "dns": { | |
| "servers": [ | |
| { | |
| "address": "223.5.5.5", //中国大陆域名使用阿里的 DNS | |
| "port": 53, | |
| "domains": [ | |
| "geosite:cn", | |
| "ntp.org", // NTP 服务器 | |
| "<填入代理服务器域名>" // 此处改为你 VPS 的域名 | |
| ] | |
| }, | |
| { | |
| "address": "114.114.114.114", //中国大陆域名使用 114 的 DNS (备用) | |
| "port": 53, | |
| "domains": [ | |
| "geosite:cn", | |
| "ntp.org", // NTP 服务器 | |
| "<填入代理服务器域名>" // 此处改为你 VPS 的域名 | |
| ] | |
| }, | |
| { | |
| "address": "8.8.8.8", //非中国大陆域名使用 Google 的 DNS | |
| "port": 53, | |
| "domains": [ | |
| "geosite:geolocation-!cn" | |
| ] | |
| }, | |
| { | |
| "address": "1.1.1.1", //非中国大陆域名使用 Cloudflare 的 DNS | |
| "port": 53, | |
| "domains": [ | |
| "geosite:geolocation-!cn" | |
| ] | |
| } | |
| ] | |
| }, | |
| "routing": { | |
| "domainStrategy": "IPIfNonMatch", | |
| "domainMatcher": "mph", | |
| "rules": [ | |
| { // 劫持 53 端口 UDP 流量,使用 V2Ray 的 DNS | |
| "type": "field", | |
| "inboundTag": ["transparent"], | |
| "port": 53, | |
| "network": "udp", | |
| "outboundTag": "dns-out" | |
| }, | |
| { // 直连 123 端口 UDP 流量(NTP 协议) | |
| "type": "field", | |
| "inboundTag": ["transparent"], | |
| "port": 123, | |
| "network": "udp", | |
| "outboundTag": "direct" | |
| }, | |
| { | |
| "type": "field", | |
| "ip": [ | |
| // 设置 DNS 配置中的国内 DNS 服务器地址直连,以达到 DNS 分流目的 | |
| "223.5.5.5", | |
| "114.114.114.114" | |
| ], | |
| "outboundTag": "direct" | |
| }, | |
| { | |
| "type": "field", | |
| "ip": [ | |
| // 设置 DNS 配置中的国外 DNS 服务器地址走代理,以达到 DNS 分流目的 | |
| "8.8.8.8", | |
| "1.1.1.1" | |
| ], | |
| "outboundTag": "proxy" | |
| }, | |
| { | |
| "type": "field", | |
| "outboundTag": "block", | |
| "domain": [ | |
| "mousegesturesapi.com", | |
| "geosite:category-ads-all" | |
| ] | |
| }, | |
| { | |
| "type": "field", | |
| "inboundTag": [], | |
| "outboundTag": "proxy", | |
| "ip": ["geoip:telegram"] | |
| }, | |
| { | |
| "type": "field", | |
| "outboundTag": "proxy", | |
| "domain": [ | |
| "geosite:gfw", | |
| "geosite:greatfire", | |
| "geosite:google", | |
| "geosite:github", | |
| "v2fly.org" | |
| ] | |
| }, | |
| { // BT 流量直连 | |
| "type": "field", | |
| "protocol":["bittorrent"], | |
| "outboundTag": "direct" | |
| }, | |
| { | |
| "type": "field", | |
| "outboundTag": "direct", | |
| "domain": [ | |
| "bitwarden.com", | |
| "bitwarden.net", | |
| "baiyunju.cc", | |
| "letsencrypt.org", | |
| "adblockplus.org", | |
| "safesugar.net", | |
| "googleads.g.doubleclick.net", | |
| "adservice.google.com", | |
| "geosite:private", | |
| "geosite:cn", | |
| "geosite:adobe", | |
| "geosite:adobe-activation", | |
| "geosite:microsoft", | |
| "geosite:msn", | |
| "geosite:apple", | |
| "geosite:category-ads-all", | |
| "geosite:google-cn", | |
| "geosite:apple-cn" | |
| ] | |
| }, | |
| { // 直连中国大陆主流网站 ip 和 保留 ip | |
| "type": "field", | |
| "ip": [ | |
| "geoip:private", | |
| "geoip:cn" | |
| ], | |
| "outboundTag": "direct" | |
| }, | |
| { | |
| "type": "field", | |
| "network": "tcp,udp", | |
| "outboundTag": "direct" | |
| } | |
| ] | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| #路由器地址:192.168.123.1 | |
| #创建一张IPV4路由表,表名:"100" 添加一条规则 | |
| ip rule add fwmark 1 table 100 | |
| ip route add local 0.0.0.0/0 dev lo table 100 | |
| # 创建一张IPV6路由表,表名:"106" 添加一条规则 删除:ip -6 ru del table 106 查看:ip -6 ru list | |
| #ip -6 rule add fwmark 1 table 106 | |
| #ip -6 route add local ::/0 dev lo table 106 | |
| ip route flush cache | |
| # 代理IPV4局域网设备 | |
| iptables -t mangle -N XRAY | |
| iptables -t mangle -A XRAY -d 127.0.0.1/32 -j RETURN | |
| iptables -t mangle -A XRAY -d 224.0.0.0/4 -j RETURN | |
| iptables -t mangle -A XRAY -d 255.255.255.255/32 -j RETURN | |
| iptables -t mangle -A XRAY -d 192.168.123.1/24 -p tcp -j RETURN | |
| iptables -t mangle -A XRAY -d 192.168.123.1/24 -p udp ! --dport 53 -j RETURN | |
| iptables -t mangle -A XRAY -j RETURN -m mark --mark 0xff | |
| iptables -t mangle -A XRAY -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port 12345 --tproxy-mark 1 | |
| iptables -t mangle -A XRAY -p udp -j TPROXY --on-ip 127.0.0.1 --on-port 12345 --tproxy-mark 1 | |
| # 代理IPV4网关本机 | |
| iptables -t mangle -N XRAY_MASK | |
| iptables -t mangle -A XRAY_MASK -d 224.0.0.0/4 -j RETURN | |
| iptables -t mangle -A XRAY_MASK -d 255.255.255.255/32 -j RETURN | |
| iptables -t mangle -A XRAY_MASK -d 192.168.123.1/24 -p tcp -j RETURN | |
| iptables -t mangle -A XRAY_MASK -d 192.168.123.1/24 -p udp ! --dport 53 -j RETURN | |
| iptables -t mangle -A XRAY_MASK -m mark --mark 0xff -j RETURN | |
| iptables -t mangle -A XRAY_MASK -p tcp -j MARK --set-mark 1 | |
| iptables -t mangle -A XRAY_MASK -p udp -j MARK --set-mark 1 | |
| # 代理IPV6局域网设备 | |
| #ip6tables -t mangle -N XRAY6 | |
| #ip6tables -t mangle -A XRAY6 -d ::1/128 -j RETURN | |
| #ip6tables -t mangle -A XRAY6 -d fd07:22f2:2eb9::1/60 -p tcp -j RETURN | |
| #ip6tables -t mangle -A XRAY6 -d fd07:22f2:2eb9::1/60 -p udp ! --dport 53 -j RETURN | |
| #ip6tables -t mangle -A XRAY6 -j RETURN -m mark --mark 0xff | |
| #ip6tables -t mangle -A XRAY6 -p tcp -j TPROXY --on-ip ::1 --on-port 12345 --tproxy-mark 1 | |
| #ip6tables -t mangle -A XRAY6 -p udp -j TPROXY --on-ip ::1 --on-port 12345 --tproxy-mark 1 | |
| # 新建 DIVERT 规则,避免已有连接的包二次通过 TPROXY,理论上有一定的性能提升 | |
| iptables -t mangle -N DIVERT | |
| iptables -t mangle -A DIVERT -j MARK --set-mark 1 | |
| iptables -t mangle -A DIVERT -j ACCEPT | |
| # 代理IPV6网关本机 | |
| #ip6tables -t mangle -N XRAY6_MASK | |
| #ip6tables -t mangle -A XRAY6_MASK -d fd07:22f2:2eb9::1/60 -p tcp -j RETURN | |
| #ip6tables -t mangle -A XRAY6_MASK -d fd07:22f2:2eb9::1/60 -p udp ! --dport 53 -j RETURN | |
| #ip6tables -t mangle -A XRAY6_MASK -m mark --mark 0xff -j RETURN | |
| #ip6tables -t mangle -A XRAY6_MASK -p tcp -j MARK --set-mark 1 | |
| #ip6tables -t mangle -A XRAY6_MASK -p udp -j MARK --set-mark 1 | |
| # 新建 DIVERT6 规则,避免已有连接的包二次通过 TPROXY,理论上有一定的性能提升 | |
| #ip6tables -t mangle -N DIVERT6 | |
| #ip6tables -t mangle -A DIVERT6 -j MARK --set-mark 1 | |
| #ip6tables -t mangle -A DIVERT6 -j ACCEPT | |
| # 应用IPV4规则 | |
| iptables -t mangle -A PREROUTING -j XRAY | |
| iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT | |
| iptables -t mangle -A OUTPUT -j XRAY_MASK | |
| iptables -t mangle -I XRAY -m mark --mark 0xff -j RETURN | |
| # 应用IPV6规则 | |
| #ip6tables -t mangle -A PREROUTING -j XRAY6 | |
| #ip6tables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT6 | |
| #ip6tables -t mangle -A OUTPUT -p tcp -j XRAY6_MASK | |
| #ip6tables -t mangle -I XRAY6 -m mark --mark 0xff -j RETURN |
你得软路由需要开启代理转发:
echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf && sysctl -p
谢谢您的回复。我的是OPENWRT,所以默认是打开转发的。因于脚本没弄好,我最好装了PASSWALL。现在回想,应该是我的DNS链没设好造成不能正常访问。您的IPTABLES规则没问题。
root@OpenWrt:~# iptables -t mangle -A XRAY -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port 2099 --tproxy-mark 1
iptables v1.8.7 (legacy): unknown option "--on-ip"
Try `iptables -h' or 'iptables --help' for more information.
请问这个是啥情况,我的OpenWrt是最新的官方稳定版本22.03
root@OpenWrt:~# iptables -t mangle -A XRAY -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port 2099 --tproxy-mark 1 iptables v1.8.7 (legacy): unknown option "--on-ip" Try `iptables -h' or 'iptables --help' for more information.
请问这个是啥情况,我的OpenWrt是最新的官方稳定版本22.03
22.03由fw4代替了fw3,默认是不带iptables的。你应该是自行安装了iptables包。但可能还需要安装iptables-mod-conntrack-extra、iptables-mod-extra、iptables-mod-tproxy等。
请问如何指定某个IP通过XRAY上网, 某个IP直联路由,谢谢
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
您好。我尝试了这个设置。我的网段是192.168.31.1/24。当我把xray和iptables脚本布置在家庭主路由192.168.31.1上时(它同时也是dhcp服务器),它工作得非常好。
但当我把它布置在同网段的另一台软路由(192.168.31.10),并在一台工作电脑上手动指定ip地址和网关(ip:192.168.31.150, 掩码:255.255.255.0,网关-在我的mac电脑上显示是路由器:192.168.31.10)。就不能透明代理了。此时,指定1080端口仍然可以完全正常代理国内和国外的,所以xray是没问题的。
2种情形,惟一的区别:一次安装在主路由(靠dhcp让客户端自动指定主路由为网关),一次安装在网段内的另一台主机上(并手动指定该主机为网关)。前者工作完好,后者不能工作(国内外都不能正常访问)。
您方便的时候可以提供一个布置在非主路由上的版本吗?谢谢!