
透明代理实战

透明代理,其实就是借助代理软件和 iptables,让服务器充当网关,在局域网中代理其他设备的全部流量。由于其他设备上无需再安装任何代理软件就能通过代理上网,故称为透明代理。

v2ray 方案

安装v2ray.

运行类似 v2ray --config=/etc/v2ray/config.json 的命令,指定配置文件启动 v2ray。

使用的 config.json 示例如下。这种方案中,v2ray 自身发出的流量会带上各出站 sockopt 中设置的 mark(255),iptables 规则对带此标记的流量直接放行,这样已经过 v2ray 代理的流量就不会再被 iptables 转发给 v2ray,从而避免回环。

  1{
  2  "inbounds": [
  3    {
  4      "tag":"transparent",
  5      "port": 10808,
  6      "protocol": "dokodemo-door",
  7      "settings": {
  8        "network": "tcp,udp",
  9        "followRedirect": true
 10      },
 11      "sniffing": {
 12        "enabled": true,
 13        "destOverride": [
 14          "http",
 15          "tls"
 16        ]
 17      },
 18      "streamSettings": {
 19        "sockopt": {
 20          "tproxy": "tproxy", // 透明代理使用 TPROXY 方式
 21          "mark":255
 22        }
 23      }
 24    },
 25    {
 26      "port": 1080, 
 27      "protocol": "socks", // 入口协议为 SOCKS 5;未配置 listen 时默认监听所有接口,且 noauth 意味着任何能连到网关 1080 端口的设备都可直接使用此代理
 28      "sniffing": {
 29        "enabled": true,
 30        "destOverride": ["http", "tls"]
 31      },
 32      "settings": {
 33        "auth": "noauth"
 34      }
 35    }
 36  ],
 37  "outbounds": [
 38    {
 39      "tag": "proxy",
 40      "protocol": "vmess", // 代理服务器
 41      "settings": {
 42        "vnext": 
 43          [{
 44        "address": "1.2.3.4", 
 45        "port": 65536, 
 46        "users": [{ "id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" }]
 47      }]
 48      },
 49      "streamSettings": {
 50        "sockopt": {
 51          "mark": 255
 52        }
 53      },
 54      "mux": {
 55        "enabled": true
 56      }
 57    },
 58    {
 59      "tag": "direct",
 60      "protocol": "freedom",
 61      "settings": {
 62        "domainStrategy": "UseIP"
 63      },
 64      "streamSettings": {
 65        "sockopt": {
 66          "mark": 255
 67        }
 68      }      
 69    },
 70    {
 71      "tag": "block",
 72      "protocol": "blackhole",
 73      "settings": {
 74        "response": {
 75          "type": "http"
 76        }
 77      }
 78    },
 79    {
 80      "tag": "dns-out",
 81      "protocol": "dns",
 82      "streamSettings": {
 83        "sockopt": {
 84          "mark": 255
 85        }
 86      }  
 87    }
 88  ],
 89  "dns": {
 90    "servers": [
 91      {
 92        "address": "223.5.5.5", //中国大陆域名使用阿里的 DNS
 93        "port": 53,
 94        "domains": [
 95          "geosite:cn",
 96          "ntp.org",   // NTP 服务器
 97          "$myserver.address" // 此处改为你 VPS 的域名
 98        ]
 99      },
100      {
101        "address": "114.114.114.114", //中国大陆域名使用 114 的 DNS (备用)
102        "port": 53,
103        "domains": [
104          "geosite:cn",
105          "ntp.org",   // NTP 服务器
106          "$myserver.address" // 此处改为你 VPS 的域名
107        ]
108      },
109      {
110        "address": "8.8.8.8", //非中国大陆域名使用 Google 的 DNS
111        "port": 53,
112        "domains": [
113          "geosite:geolocation-!cn"
114        ]
115      },
116      {
117        "address": "1.1.1.1", //非中国大陆域名使用 Cloudflare 的 DNS
118        "port": 53,
119        "domains": [
120          "geosite:geolocation-!cn"
121        ]
122      }
123    ]
124  },
125  "routing": {
126    "domainStrategy": "IPOnDemand",
127    "rules": [
128      { // 劫持 53 端口 UDP 流量,使用 V2Ray 的 DNS
129        "type": "field",
130        "inboundTag": [
131          "transparent"
132        ],
133        "port": 53,
134        "network": "udp",
135        "outboundTag": "dns-out" 
136      },    
137      { // 直连 123 端口 UDP 流量(NTP 协议)
138        "type": "field",
139        "inboundTag": [
140          "transparent"
141        ],
142        "port": 123,
143        "network": "udp",
144        "outboundTag": "direct" 
145      },    
146      {
147        "type": "field", 
148        "ip": [ 
149          // 设置 DNS 配置中的国内 DNS 服务器地址直连,以达到 DNS 分流目的
150          "223.5.5.5",
151          "114.114.114.114"
152        ],
153        "outboundTag": "direct"
154      },
155      {
156        "type": "field",
157        "ip": [ 
158          // 设置 DNS 配置中的国外 DNS 服务器地址走代理,以达到 DNS 分流目的
159          "8.8.8.8",
160          "1.1.1.1"
161        ],
162        "outboundTag": "proxy" // 改为你自己代理的出站 tag
163      },
164      { // 广告拦截
165        "type": "field", 
166        "domain": [
167          "geosite:category-ads-all"
168        ],
169        "outboundTag": "block"
170      },
171      { // BT 流量直连
172        "type": "field",
173        "protocol":["bittorrent"], 
174        "outboundTag": "direct"
175      },
176      { // 直连中国大陆主流网站 ip 和 保留 ip
177        "type": "field", 
178        "ip": [
179          "geoip:private",
180          "geoip:cn"
181        ],
182        "outboundTag": "direct"
183      },
184      { // 直连中国大陆主流网站域名
185        "type": "field", 
186        "domain": [
187          "geosite:cn"
188        ],
189        "outboundTag": "direct"
190      }
191    ]
192  }
193}

然后借助 iptables 把局域网设备以及网关本机的流量转发给 v2ray。iptables 设置脚本如下:

 1# 设置策略路由
 2ip rule add fwmark 1 table 100 
 3ip route add local 0.0.0.0/0 dev lo table 100
 4
 5# 代理局域网设备
 6iptables -t mangle -N V2RAY
 7iptables -t mangle -A V2RAY -d 127.0.0.1/32 -j RETURN
 8iptables -t mangle -A V2RAY -d 224.0.0.0/4 -j RETURN 
 9iptables -t mangle -A V2RAY -d 255.255.255.255/32 -j RETURN 
10iptables -t mangle -A V2RAY -d 192.168.0.0/16 -p tcp -j RETURN # 直连局域网,避免 V2Ray 无法启动时无法连网关的 SSH,如果你配置的是其他网段(如 10.x.x.x 等),则修改成自己的
11iptables -t mangle -A V2RAY -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN # 直连局域网,53 端口除外(因为要使用 V2Ray 的 DNS)
12iptables -t mangle -A V2RAY -j RETURN -m mark --mark 0xff    # 直连 SO_MARK 为 0xff 的流量(0xff 是 16 进制数,数值上等同与上面V2Ray 配置的 255),此规则目的是解决v2ray占用大量CPU(https://github.com/v2ray/v2ray-core/issues/2621)
13iptables -t mangle -A V2RAY -p udp -j TPROXY --on-ip 127.0.0.1 --on-port 10808 --tproxy-mark 1 # 给 UDP 打标记 1,转发至 12345 端口
14iptables -t mangle -A V2RAY -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port 10808 --tproxy-mark 1 # 给 TCP 打标记 1,转发至 12345 端口
15iptables -t mangle -A PREROUTING -j V2RAY # 应用规则
16
17# 代理网关本机
18iptables -t mangle -N V2RAY_MASK 
19iptables -t mangle -A V2RAY_MASK -d 224.0.0.0/4 -j RETURN 
20iptables -t mangle -A V2RAY_MASK -d 255.255.255.255/32 -j RETURN 
21iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -p tcp -j RETURN # 直连局域网
22iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN # 直连局域网,53 端口除外(因为要使用 V2Ray 的 DNS)
23iptables -t mangle -A V2RAY_MASK -j RETURN -m mark --mark 0xff    # 直连 SO_MARK 为 0xff 的流量(0xff 是 16 进制数,数值上等同与上面V2Ray 配置的 255),此规则目的是避免代理本机(网关)流量出现回环问题
24iptables -t mangle -A V2RAY_MASK -p udp -j MARK --set-mark 1   # 给 UDP 打标记,重路由
25iptables -t mangle -A V2RAY_MASK -p tcp -j MARK --set-mark 1   # 给 TCP 打标记,重路由
26iptables -t mangle -A OUTPUT -j V2RAY_MASK # 应用规则
27
28# 新建 DIVERT 规则,避免已有连接的包二次通过 TPROXY,理论上有一定的性能提升
29iptables -t mangle -N DIVERT
30iptables -t mangle -A DIVERT -j MARK --set-mark 1
31iptables -t mangle -A DIVERT -j ACCEPT
32iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT

clash 方案

这个 clash 方案本来还可以做 DNS,但我在实际使用中发现,只要一用自己的 DNS 就没法上网了,所以 DNS 还是用 114.114.114.114 算了。

clash 需到 GitHub 上下载 Premium 版。链接:Release (dreamacro.workers.dev)

  1# port: 7890
  2
  3# socks-port: 7891
  4
  5tproxy-port: 7892
  6
  7allow-lan: true
  8
  9# This is only applicable when `allow-lan` is `true`; '*' binds every interface, so on a gateway that also has a public-facing interface prefer the LAN address here
 10bind-address: '*'
 11
 12# Clash router working mode
 13# rule: rule-based packet routing
 14# global: all packets will be forwarded to a single endpoint
 15# direct: directly forward the packets to the Internet
 16mode: rule
 17
 18# Clash by default prints logs to STDOUT
 19# info / warning / error / debug / silent
 20# log-level: info
 21
 22# When set to false, resolver won't translate hostnames to IPv6 addresses
 23ipv6: false
 24
 25# hosts:
 26#   "assets1.xboxlive.cn": 117.185.135.35
 27#   "assets2.xboxlive.cn": 117.185.135.35
 28#   "dlassets.xboxlive.cn": 117.185.135.35
 29#   "dlassets2.xboxlive.cn": 117.185.135.35
 30#   "d1.xboxlive.cn": 117.185.135.35
 31#   "d2.xboxlive.cn": 117.185.135.35  
 32
 33#   "dl.delivery.mp.microsoft.com": 117.185.135.35
 34#   "tlu.dl.delivery.mp.microsoft.com": 117.185.135.35
 35
 36#   "assets1.xboxlive.com": 192.168.1.104
 37#   "assets2.xboxlive.com": 192.168.1.104
 38#   "dlassets.xboxlive.com": 192.168.1.104
 39#   "dlassets2.xboxlive.com": 192.168.1.104
 40#   "d1.xboxlive.com": 192.168.1.104
 41#   "d2.xboxlive.com": 192.168.1.104
 42
 43#   "atum.hac.lp1.d4c.nintendo.net": 184.28.218.89
 44#   "ctest.cdn.nintendo.net.akamaized.net": 184.28.223.179
 45  # 'mtalk.google.com': 108.177.125.188
 46  # '*.clash.dev': 127.0.0.1
 47  # '.dev': 127.0.0.1
 48  # 'alpha.clash.dev': '::1'
 49
 50# DNS server settings
 51# This section is optional. When not present, DNS server will be disabled.
 52dns:
 53  enable: true                                                                                                                                                                             
 54  listen: 0.0.0.0:53
 55  ipv6: false 
 56
 57  default-nameserver:
 58    - 223.5.5.5
 59
 60  nameserver:
 61    - 114.114.114.114
 62    - 223.5.5.5
 63    - 119.29.29.29
 64
 65
 66  fallback:
 67    - 1.1.1.1
 68    # - https://1.1.1.1/dns-query
 69    # - https://1.1.1.1/resolve
 70
 71  fallback-filter:
 72    geoip: true
 73    geoip-code: CN
 74    domain:
 75      - '+.google.com'
 76      - '+.facebook.com'
 77      - '+.youtube.com'
 78
 79  nameserver-policy:
 80    # '+.jsdelivr.net': 'https://1.1.1.1/dns-query'
 81    '+.zhihu.com': '114.114.114.114'
 82    '+.zhimg.com': '114.114.114.114'
 83  #   '+.apple.com': '223.5.5.5'
 84  #   '+.apple.com.cn': '223.5.5.5'
 85  #   '+.akadns.net': '223.5.5.5'
 86  #     - '+.youtube.com'
 87
 88proxies:
 89  - name: "IPLC"
 90    type: vmess
 91    server: 1.2.3.4
 92    port: 65536
 93    uuid: aaaaaaaa-ffff-dddd-cccc-xxxxxxxxxxx
 94    alterId: 0
 95    cipher: auto
 96    udp: true
 97
 98
 99proxy-groups:
100
101  - name: "PROXY"
102    type: select
103    proxies:
104      - IPLC
105
106rule-providers:
107  reject:
108    type: http
109    behavior: domain
110    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
111    path: ./ruleset/reject.yaml
112    interval: 86400
113
114  icloud:
115    type: http
116    behavior: domain
117    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/icloud.txt"
118    path: ./ruleset/icloud.yaml
119    interval: 86400
120
121  apple:
122    type: http
123    behavior: domain
124    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/apple.txt"
125    path: ./ruleset/apple.yaml
126    interval: 86400
127
128  google:
129    type: http
130    behavior: domain
131    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/google.txt"
132    path: ./ruleset/google.yaml
133    interval: 86400
134
135  proxy:
136    type: http
137    behavior: domain
138    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt"
139    path: ./ruleset/proxy.yaml
140    interval: 86400
141
142  direct:
143    type: http
144    behavior: domain
145    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt"
146    path: ./ruleset/direct.yaml
147    interval: 86400
148
149  private:
150    type: http
151    behavior: domain
152    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/private.txt"
153    path: ./ruleset/private.yaml
154    interval: 86400
155
156  gfw:
157    type: http
158    behavior: domain
159    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/gfw.txt"
160    path: ./ruleset/gfw.yaml
161    interval: 86400
162
163  greatfire:
164    type: http
165    behavior: domain
166    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/greatfire.txt"
167    path: ./ruleset/greatfire.yaml
168    interval: 86400
169
170  tld-not-cn:
171    type: http
172    behavior: domain
173    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/tld-not-cn.txt"
174    path: ./ruleset/tld-not-cn.yaml
175    interval: 86400
176
177  telegramcidr:
178    type: http
179    behavior: ipcidr
180    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/telegramcidr.txt"
181    path: ./ruleset/telegramcidr.yaml
182    interval: 86400
183
184  cncidr:
185    type: http
186    behavior: ipcidr
187    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cncidr.txt"
188    path: ./ruleset/cncidr.yaml
189    interval: 86400
190
191  lancidr:
192    type: http
193    behavior: ipcidr
194    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/lancidr.txt"
195    path: ./ruleset/lancidr.yaml
196    interval: 86400
197
198  applications:
199    type: http
200    behavior: classical
201    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/applications.txt"
202    path: ./ruleset/applications.yaml
203    interval: 86400
204
205
206rules:
207  - IP-CIDR,120.226.29.0/24,DIRECT
208  - IP-CIDR,23.216.159.0/24,DIRECT
209  - IP-CIDR,112.65.203.0/24,DIRECT
210  - IP-CIDR,106.38.179.0/24,DIRECT
211  - IP-CIDR,223.119.50.0/24,PROXY
212  - DOMAIN-SUFFIX,xboxlive.cn,DIRECT
213
214  - DOMAIN,dl.delivery.mp.microsoft.com,DIRECT
215  - DOMAIN,tlu.dl.delivery.mp.microsoft.com,DIRECT
216  - DOMAIN,assets1.xboxlive.com,DIRECT
217  - DOMAIN,assets2.xboxlive.com,DIRECT
218  - DOMAIN,dlassets.xboxlive.com,DIRECT
219  - DOMAIN,dlassets2.xboxlive.com,DIRECT
220  - DOMAIN,d1.xboxlive.com,DIRECT
221  - DOMAIN,d2.xboxlive.com,DIRECT
222
223  - DOMAIN,ctest.cdn.nintendo.net.akamaized.net,DIRECT
224  - DOMAIN,atum.hac.lp1.d4c.nintendo.net,DIRECT
225  - IP-CIDR,184.28.218.89/24,DIRECT
226
227  - RULE-SET,applications,DIRECT
228  - DOMAIN,clash.razord.top,DIRECT
229  - DOMAIN,yacd.haishan.me,DIRECT
230  - RULE-SET,private,DIRECT
231  - RULE-SET,reject,REJECT
232  - RULE-SET,icloud,DIRECT
233  - RULE-SET,apple,DIRECT
234  - RULE-SET,google,DIRECT
235  - RULE-SET,proxy,PROXY
236  - RULE-SET,direct,DIRECT
237  - RULE-SET,lancidr,DIRECT
238  - RULE-SET,cncidr,DIRECT
239  - RULE-SET,telegramcidr,PROXY
240  - GEOIP,CN,DIRECT
241  - MATCH,PROXY

需要时将上面的配置文件中的服务器配置更换为自己的即可。

使用的iptables规则如下:

 1#!/bin/bash
 2# ROUTE RULES
 3ip rule add fwmark 1 table 100
 4ip route add local 0.0.0.0/0 dev lo table 100
 5
 6# CREATE TABLE
 7iptables -t mangle -N clash
 8
 9# RETURN LOCAL AND LANS
10iptables -t mangle -A clash -d 0.0.0.0/8 -j RETURN
11iptables -t mangle -A clash -d 10.0.0.0/8 -j RETURN
12iptables -t mangle -A clash -d 127.0.0.0/8 -j RETURN
13iptables -t mangle -A clash -d 169.254.0.0/16 -j RETURN
14iptables -t mangle -A clash -d 172.16.0.0/12 -j RETURN
15iptables -t mangle -A clash -d 192.168.0.0/16 -j RETURN
16iptables -t mangle -A clash -d 192.0.0.0/24 -j RETURN
17iptables -t mangle -A clash -d 192.0.2.0/24 -j RETURN
18iptables -t mangle -A clash -d 198.18.0.0/15 -j RETURN
19iptables -t mangle -A clash -d 198.51.100.0/24 -j RETURN
20iptables -t mangle -A clash -d 203.0.113.0/24 -j RETURN
21iptables -t mangle -A clash -d 255.255.255.255/32 -j RETURN
22iptables -t mangle -A clash -d 100.64.0.0/10 -j RETURN
23iptables -t mangle -A clash -d 224.0.0.0/4 -j RETURN
24iptables -t mangle -A clash -d 240.0.0.0/4 -j RETURN
25
26# FORWARD ALL
27iptables -t mangle -A clash -p udp -j TPROXY --on-port 7892 --tproxy-mark 1
28iptables -t mangle -A clash -p tcp -j TPROXY --on-port 7892 --tproxy-mark 1
29
30# REDIRECT
31iptables -t mangle -A PREROUTING -j clash
