Skip to content

Instantly share code, notes, and snippets.

@zfl9
Created July 18, 2020 12:41
Show Gist options
  • Save zfl9/d52482118f38ce2c16195583dffc44d2 to your computer and use it in GitHub Desktop.
Save zfl9/d52482118f38ce2c16195583dffc44d2 to your computer and use it in GitHub Desktop.
ss-redir pure tproxy transparent proxy
#!/bin/bash
start_ssredir() {
# please modify MyIP, MyPort, etc.
(ss-redir -s MyIP -p MyPort -m MyMethod -k MyPasswd -b 127.0.0.1 -l 60080 --no-delay -u -T -v </dev/null &>>/var/log/ss-redir.log &)
}
stop_ssredir() {
kill -9 $(pidof ss-redir) &>/dev/null
}
start_iptables() {
##################### SSREDIR #####################
iptables -t mangle -N SSREDIR
# connection-mark -> packet-mark
iptables -t mangle -A SSREDIR -j CONNMARK --restore-mark
iptables -t mangle -A SSREDIR -m mark --mark 0x2333 -j RETURN
# please modify MyIP, MyPort, etc.
# ignore traffic sent to ss-server
iptables -t mangle -A SSREDIR -p tcp -d MyIP --dport MyPort -j RETURN
iptables -t mangle -A SSREDIR -p udp -d MyIP --dport MyPort -j RETURN
# ignore traffic sent to reserved addresses
iptables -t mangle -A SSREDIR -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A SSREDIR -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A SSREDIR -d 100.64.0.0/10 -j RETURN
iptables -t mangle -A SSREDIR -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A SSREDIR -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A SSREDIR -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A SSREDIR -d 192.0.0.0/24 -j RETURN
iptables -t mangle -A SSREDIR -d 192.0.2.0/24 -j RETURN
iptables -t mangle -A SSREDIR -d 192.88.99.0/24 -j RETURN
iptables -t mangle -A SSREDIR -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A SSREDIR -d 198.18.0.0/15 -j RETURN
iptables -t mangle -A SSREDIR -d 198.51.100.0/24 -j RETURN
iptables -t mangle -A SSREDIR -d 203.0.113.0/24 -j RETURN
iptables -t mangle -A SSREDIR -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A SSREDIR -d 240.0.0.0/4 -j RETURN
iptables -t mangle -A SSREDIR -d 255.255.255.255/32 -j RETURN
# mark the first packet of the connection
iptables -t mangle -A SSREDIR -p tcp --syn -j MARK --set-mark 0x2333
iptables -t mangle -A SSREDIR -p udp -m conntrack --ctstate NEW -j MARK --set-mark 0x2333
# packet-mark -> connection-mark
iptables -t mangle -A SSREDIR -j CONNMARK --save-mark
##################### OUTPUT #####################
# proxy the outgoing traffic from this machine
iptables -t mangle -A OUTPUT -p tcp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
iptables -t mangle -A OUTPUT -p udp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
##################### PREROUTING #####################
# proxy traffic passing through this machine (other->other)
iptables -t mangle -A PREROUTING -p tcp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
iptables -t mangle -A PREROUTING -p udp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
# hand over the marked package to TPROXY for processing
iptables -t mangle -A PREROUTING -p tcp -m mark --mark 0x2333 -j TPROXY --on-ip 127.0.0.1 --on-port 60080
iptables -t mangle -A PREROUTING -p udp -m mark --mark 0x2333 -j TPROXY --on-ip 127.0.0.1 --on-port 60080
}
stop_iptables() {
##################### PREROUTING #####################
iptables -t mangle -D PREROUTING -p tcp -m mark --mark 0x2333 -j TPROXY --on-ip 127.0.0.1 --on-port 60080 &>/dev/null
iptables -t mangle -D PREROUTING -p udp -m mark --mark 0x2333 -j TPROXY --on-ip 127.0.0.1 --on-port 60080 &>/dev/null
iptables -t mangle -D PREROUTING -p tcp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSREDIR &>/dev/null
iptables -t mangle -D PREROUTING -p udp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSREDIR &>/dev/null
##################### OUTPUT #####################
iptables -t mangle -D OUTPUT -p tcp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j SSREDIR &>/dev/null
iptables -t mangle -D OUTPUT -p udp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j SSREDIR &>/dev/null
##################### SSREDIR #####################
iptables -t mangle -F SSREDIR &>/dev/null
iptables -t mangle -X SSREDIR &>/dev/null
}
start_iproute2() {
ip route add local default dev lo table 100
ip rule add fwmark 0x2333 table 100
}
stop_iproute2() {
ip rule del table 100 &>/dev/null
ip route flush table 100 &>/dev/null
}
start_resolvconf() {
# or nameserver 8.8.8.8, etc.
echo "nameserver 1.1.1.1" >/etc/resolv.conf
}
stop_resolvconf() {
echo "nameserver 114.114.114.114" >/etc/resolv.conf
}
start() {
echo "start ..."
start_ssredir
start_iptables
start_iproute2
start_resolvconf
echo "start end"
}
stop() {
echo "stop ..."
stop_resolvconf
stop_iproute2
stop_iptables
stop_ssredir
echo "stop end"
}
restart() {
stop
sleep 1
start
}
main() {
if [ $# -eq 0 ]; then
echo "usage: $0 start|stop|restart ..."
return 1
fi
for funcname in "$@"; do
if [ "$(type -t $funcname)" != 'function' ]; then
echo "'$funcname' not a shell function"
return 1
fi
done
for funcname in "$@"; do
$funcname
done
return 0
}
main "$@"
@zfl9
Copy link
Author

zfl9 commented Jul 18, 2020

Executing this script on the linux host can proxy all outgoing traffic of this machine (except the traffic sent to the reserved address). Other hosts under the same LAN can also change their default gateway to the ip of this linux host (at the same time change the dns server to 1.1.1.1 or 8.8.8.8, etc.) to proxy their outgoing traffic.

Of course, the ipv6 proxy is similar, just change iptables to ip6tables, ip to ip -6, 127.0.0.1 to ::1, and other details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment