You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

673 lines
24 KiB

9 years ago
12 years ago
5 years ago
9 years ago
11 years ago
11 years ago
11 years ago
4 years ago
9 years ago
9 years ago
12 years ago
7 years ago
11 years ago
12 years ago
7 years ago
7 years ago
7 years ago
7 years ago
4 years ago
9 years ago
8 years ago
4 years ago
11 years ago
12 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
8 years ago
11 years ago
9 years ago
9 years ago
12 years ago
10 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
7 years ago
5 years ago
7 years ago
12 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
5 years ago
5 years ago
11 years ago
11 years ago
11 years ago
7 years ago
6 years ago
11 years ago
7 years ago
  1. # shadowsocks-libev
  2. [![Build Status](https://travis-ci.com/shadowsocks/shadowsocks-libev.svg?branch=master)](https://travis-ci.com/shadowsocks/shadowsocks-libev) [![Snap Status](https://build.snapcraft.io/badge/shadowsocks/shadowsocks-libev.svg)](https://build.snapcraft.io/user/shadowsocks/shadowsocks-libev)
  3. ## Intro
  4. [Shadowsocks-libev](https://shadowsocks.org) is a lightweight secured SOCKS5
  5. proxy for embedded devices and low-end boxes.
  6. It is a port of [Shadowsocks](https://github.com/shadowsocks/shadowsocks)
  7. created by [@clowwindy](https://github.com/clowwindy), and maintained by
  8. [@madeye](https://github.com/madeye) and [@linusyang](https://github.com/linusyang).
  9. Current version: 3.3.5 | [Changelog](debian/changelog)
  10. ## Features
  11. Shadowsocks-libev is written in pure C and depends on [libev](http://software.schmorp.de/pkg/libev.html). It's designed
  12. to be a lightweight implementation of shadowsocks protocol, in order to keep the resource usage as low as possible.
  13. For a full list of feature comparison between different versions of shadowsocks,
  14. refer to the [Wiki page](https://github.com/shadowsocks/shadowsocks/wiki/Feature-Comparison-across-Different-Versions).
  15. ## Quick Start
  16. Snap is the recommended way to install the latest binaries.
  17. ### Install snap core
  18. https://snapcraft.io/core
  19. ### Install from snapcraft.io
  20. Stable channel:
  21. ```bash
  22. sudo snap install shadowsocks-libev
  23. ```
  24. Edge channel:
  25. ```bash
  26. sudo snap install shadowsocks-libev --edge
  27. ```
  28. ## Installation
  29. ### Distribution-specific guide
  30. - [Debian & Ubuntu](#debian--ubuntu)
  31. + [Install from repository](#install-from-repository-not-recommended)
  32. + [Build deb package from source](#build-deb-package-from-source)
  33. + [Configure and start the service](#configure-and-start-the-service)
  34. - [Fedora & RHEL](#fedora--rhel)
  35. + [Build from source with centos](#build-from-source-with-centos)
  36. - [Archlinux & Manjaro](#archlinux--manjaro)
  37. - [NixOS](#nixos)
  38. - [Nix](#nix)
  39. - [Directly build and install on UNIX-like system](#linux)
  40. - [FreeBSD](#freebsd)
  41. + [Install](#install)
  42. + [Configuration](#configuration)
  43. + [Run](#run)
  44. + [Run as client](#run-as-client)
  45. - [OpenWRT](#openwrt)
  46. - [OS X](#os-x)
  47. - [Windows (MinGW)](#windows-mingw)
  48. - [Docker](#docker)
  49. * * *
  50. ### Initialise the build environment
  51. This repository uses submodules, so you should pull them before you start, using:
  52. ```bash
  53. git submodule update --init --recursive
  54. ```
  55. ### Pre-build configure guide
  56. For a complete list of available configure-time option,
  57. try `configure --help`.
  58. ### Debian & Ubuntu
  59. #### Install from repository (not recommended)
  60. Shadowsocks-libev is available in the official repository for following distributions:
  61. * Debian 8 or higher, including oldoldstable (jessie), old stable (stretch), stable (buster), testing (bullseye) and unstable (sid)
  62. * Ubuntu 16.10 or higher
  63. ```bash
  64. sudo apt update
  65. sudo apt install shadowsocks-libev
  66. ```
  67. #### Build deb package from source
  68. Supported distributions:
  69. * Debian 8, 9 or higher
  70. * Ubuntu 14.04 LTS, 16.04 LTS, 16.10 or higher
  71. You can build shadowsocks-libev and all its dependencies by script:
  72. ```bash
  73. mkdir -p ~/build-area/
  74. cp ./scripts/build_deb.sh ~/build-area/
  75. cd ~/build-area
  76. ./build_deb.sh
  77. ```
  78. For older systems, building `.deb` packages is not supported.
  79. Please try to build and install directly from source. See the [Linux](#linux) section below.
  80. **Note for Debian 8 (Jessie) users to build their own deb packages**:
  81. We strongly encourage you to install shadowsocks-libev from `jessie-backports-sloppy`. If you insist on building from source, you will need to manually install libsodium from `jessie-backports-sloppy`, **NOT** libsodium in main repository.
  82. For more info about backports, you can refer [Debian Backports](https://backports.debian.org).
  83. ``` bash
  84. cd shadowsocks-libev
  85. sudo sh -c 'printf "deb http://deb.debian.org/debian jessie-backports main" > /etc/apt/sources.list.d/jessie-backports.list'
  86. sudo sh -c 'printf "deb http://deb.debian.org/debian jessie-backports-sloppy main" >> /etc/apt/sources.list.d/jessie-backports.list'
  87. sudo apt-get install --no-install-recommends devscripts equivs
  88. mk-build-deps --root-cmd sudo --install --tool "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y"
  89. ./autogen.sh && dpkg-buildpackage -b -us -uc
  90. cd ..
  91. sudo dpkg -i shadowsocks-libev*.deb
  92. ```
  93. **Note for Debian 9 (Stretch) users to build their own deb packages**:
  94. We strongly encourage you to install shadowsocks-libev from `stretch-backports`. If you insist on building from source, you will need to manually install libsodium from `stretch-backports`, **NOT** libsodium in main repository.
  95. For more info about backports, you can refer [Debian Backports](https://backports.debian.org).
  96. ``` bash
  97. cd shadowsocks-libev
  98. sudo sh -c 'printf "deb http://deb.debian.org/debian stretch-backports main" > /etc/apt/sources.list.d/stretch-backports.list'
  99. sudo apt-get install --no-install-recommends devscripts equivs
  100. mk-build-deps --root-cmd sudo --install --tool "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y"
  101. ./autogen.sh && dpkg-buildpackage -b -us -uc
  102. cd ..
  103. sudo dpkg -i shadowsocks-libev*.deb
  104. ```
  105. #### Configure and start the service
  106. ```
  107. # Edit the configuration file
  108. sudo vim /etc/shadowsocks-libev/config.json
  109. # Edit the default configuration for debian
  110. sudo vim /etc/default/shadowsocks-libev
  111. # Start the service
  112. sudo /etc/init.d/shadowsocks-libev start # for sysvinit, or
  113. sudo systemctl start shadowsocks-libev # for systemd
  114. ```
  115. ### Fedora & RHEL
  116. Supported distributions:
  117. * Recent Fedora versions (until EOL)
  118. * RHEL 6, 7 and derivatives (including CentOS, Scientific Linux)
  119. #### Build from source with centos
  120. If you are using CentOS 7, you need to install these prerequirements to build from source code:
  121. ```bash
  122. yum install epel-release -y
  123. yum install gcc gettext autoconf libtool automake make pcre-devel asciidoc xmlto c-ares-devel libev-devel libsodium-devel mbedtls-devel -y
  124. ```
  125. ### Archlinux & Manjaro
  126. ```bash
  127. sudo pacman -S shadowsocks-libev
  128. ```
  129. Please refer to downstream [PKGBUILD](https://github.com/archlinux/svntogit-community/blob/packages/shadowsocks-libev/trunk/PKGBUILD)
  130. script for extra modifications and distribution-specific bugs.
  131. ### NixOS
  132. ```bash
  133. nix-env -iA nixos.shadowsocks-libev
  134. ```
  135. ### Nix
  136. ```bash
  137. nix-env -iA nixpkgs.shadowsocks-libev
  138. ```
  139. ### Linux
  140. In general, you need the following build dependencies:
  141. * autotools (autoconf, automake, libtool)
  142. * gettext
  143. * pkg-config
  144. * libmbedtls
  145. * libsodium
  146. * libpcre3 (old pcre library)
  147. * libev
  148. * libc-ares
  149. * asciidoc (for documentation only)
  150. * xmlto (for documentation only)
  151. Notes: Fedora 26 libsodium version >= 1.0.12, so you can install via dnf install libsodium instead build from source.
  152. If your system is too old to provide libmbedtls and libsodium (later than **v1.0.8**), you will need to either install those libraries manually or upgrade your system.
  153. If your system provides with those libraries, you **should not** install them from source. You should jump this section and install them from distribution repository instead.
  154. For some of the distributions, you might install build dependencies like this:
  155. ```bash
  156. # Installation of basic build dependencies
  157. ## Debian / Ubuntu
  158. sudo apt-get install --no-install-recommends gettext build-essential autoconf libtool libpcre3-dev asciidoc xmlto libev-dev libc-ares-dev automake libmbedtls-dev libsodium-dev
  159. ## CentOS / Fedora / RHEL
  160. sudo yum install gettext gcc autoconf libtool automake make asciidoc xmlto c-ares-devel libev-devel
  161. ## Arch
  162. sudo pacman -S gettext gcc autoconf libtool automake make asciidoc xmlto c-ares libev
  163. # Installation of libsodium
  164. export LIBSODIUM_VER=1.0.16
  165. wget https://download.libsodium.org/libsodium/releases/old/libsodium-$LIBSODIUM_VER.tar.gz
  166. tar xvf libsodium-$LIBSODIUM_VER.tar.gz
  167. pushd libsodium-$LIBSODIUM_VER
  168. ./configure --prefix=/usr && make
  169. sudo make install
  170. popd
  171. sudo ldconfig
  172. # Installation of MbedTLS
  173. export MBEDTLS_VER=2.6.0
  174. wget https://tls.mbed.org/download/mbedtls-$MBEDTLS_VER-gpl.tgz
  175. tar xvf mbedtls-$MBEDTLS_VER-gpl.tgz
  176. pushd mbedtls-$MBEDTLS_VER
  177. make SHARED=1 CFLAGS="-O2 -fPIC"
  178. sudo make DESTDIR=/usr install
  179. popd
  180. sudo ldconfig
  181. # Start building
  182. ./autogen.sh && ./configure && make
  183. sudo make install
  184. ```
  185. You may need to manually install missing softwares.
  186. ### FreeBSD
  187. #### Install
  188. Shadowsocks-libev is available in FreeBSD Ports Collection. You can install it in either way, `pkg` or `ports`.
  189. **pkg (recommended)**
  190. ```bash
  191. pkg install shadowsocks-libev
  192. ```
  193. **ports**
  194. ```bash
  195. cd /usr/ports/net/shadowsocks-libev
  196. make install
  197. ```
  198. #### Configuration
  199. Edit your `config.json` file. By default, it's located in `/usr/local/etc/shadowsocks-libev`.
  200. To enable shadowsocks-libev, add the following rc variable to your `/etc/rc.conf` file:
  201. ```
  202. shadowsocks_libev_enable="YES"
  203. ```
  204. #### Run
  205. Start the Shadowsocks server:
  206. ```bash
  207. service shadowsocks_libev start
  208. ```
  209. #### Run as client
  210. By default, shadowsocks-libev is running as a server in FreeBSD. If you would like to start shadowsocks-libev in client mode, you can modify the rc script (`/usr/local/etc/rc.d/shadowsocks_libev`) manually.
  211. ```
  212. # modify the following line from "ss-server" to "ss-local"
  213. command="/usr/local/bin/ss-local"
  214. ```
  215. Note that is simply a workaround, each time you upgrade the port your changes will be overwritten by the new version.
  216. ### OpenWRT
  217. The OpenWRT project is maintained here:
  218. [openwrt-shadowsocks](https://github.com/shadowsocks/openwrt-shadowsocks).
  219. ### OS X
  220. For OS X, use [Homebrew](http://brew.sh) to install or build.
  221. Install Homebrew:
  222. ```bash
  223. ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
  224. ```
  225. Install shadowsocks-libev:
  226. ```bash
  227. brew install shadowsocks-libev
  228. ```
  229. ### Windows (MinGW)
  230. To build Windows native binaries, the recommended method is to use Docker:
  231. * On Windows: double-click `make.bat` in `docker\mingw`
  232. * On Unix-like system:
  233. cd shadowsocks-libev/docker/mingw
  234. make
  235. A tarball with 32-bit and 64-bit binaries will be generated in the same directory.
  236. You could also manually use MinGW-w64 compilers to build in Unix-like shell (MSYS2/Cygwin), or cross-compile on Unix-like systems (Linux/MacOS). Please refer to build scripts in `docker/mingw`.
  237. Currently you need to use a patched libev library for MinGW:
  238. * https://github.com/shadowsocks/libev/archive/mingw.zip
  239. Notice that TCP Fast Open (TFO) is only available on **Windows 10**, **1607** or later version (precisely, build >= 14393). If you are using **1709** (build 16299) or later version, you also need to run the following command in PowerShell/Command Prompt **as Administrator** and **reboot** to use TFO properly:
  240. netsh int tcp set global fastopenfallback=disabled
  241. ### Docker
  242. As you expect, simply pull the image and run.
  243. ```
  244. docker pull shadowsocks/shadowsocks-libev
  245. docker run -e PASSWORD=<password> -p<server-port>:8388 -p<server-port>:8388/udp -d shadowsocks/shadowsocks-libev
  246. ```
  247. More information about the image can be found [here](docker/alpine/README.md).
  248. ## Usage
  249. For a detailed and complete list of all supported arguments,
  250. you may refer to the man pages of the applications, respectively.
  251. ss-[local|redir|server|tunnel|manager]
  252. -s <server_host> Host name or IP address of your remote server.
  253. -p <server_port> Port number of your remote server.
  254. -l <local_port> Port number of your local server.
  255. -k <password> Password of your remote server.
  256. -m <encrypt_method> Encrypt method: rc4-md5,
  257. aes-128-gcm, aes-192-gcm, aes-256-gcm,
  258. aes-128-cfb, aes-192-cfb, aes-256-cfb,
  259. aes-128-ctr, aes-192-ctr, aes-256-ctr,
  260. camellia-128-cfb, camellia-192-cfb,
  261. camellia-256-cfb, bf-cfb,
  262. chacha20-ietf-poly1305,
  263. xchacha20-ietf-poly1305,
  264. salsa20, chacha20 and chacha20-ietf.
  265. The default cipher is chacha20-ietf-poly1305.
  266. [-a <user>] Run as another user.
  267. [-f <pid_file>] The file path to store pid.
  268. [-t <timeout>] Socket timeout in seconds.
  269. [-c <config_file>] The path to config file.
  270. [-n <number>] Max number of open files.
  271. [-i <interface>] Network interface to bind.
  272. (not available in redir mode)
  273. [-b <local_address>] Local address to bind.
  274. For servers: Specify the local address to use
  275. while this server is making outbound
  276. connections to remote servers on behalf of the
  277. clients.
  278. For clients: Specify the local address to use
  279. while this client is making outbound
  280. connections to the server.
  281. [-u] Enable UDP relay.
  282. (TPROXY is required in redir mode)
  283. [-U] Enable UDP relay and disable TCP relay.
  284. (not available in local mode)
  285. [-T] Use tproxy instead of redirect. (for tcp)
  286. (only available in redir mode)
  287. [-L <addr>:<port>] Destination server address and port
  288. for local port forwarding.
  289. (only available in tunnel mode)
  290. [-6] Resolve hostname to IPv6 address first.
  291. [-d <addr>] Name servers for internal DNS resolver.
  292. (only available in server mode)
  293. [--reuse-port] Enable port reuse.
  294. [--fast-open] Enable TCP fast open.
  295. with Linux kernel > 3.7.0.
  296. (only available in local and server mode)
  297. [--acl <acl_file>] Path to ACL (Access Control List).
  298. (only available in local and server mode)
  299. [--manager-address <addr>] UNIX domain socket address.
  300. (only available in server and manager mode)
  301. [--mtu <MTU>] MTU of your network interface.
  302. [--mptcp] Enable Multipath TCP on MPTCP Kernel.
  303. [--no-delay] Enable TCP_NODELAY.
  304. [--executable <path>] Path to the executable of ss-server.
  305. (only available in manager mode)
  306. [-D <path>] Path to the working directory of ss-manager.
  307. (only available in manager mode)
  308. [--key <key_in_base64>] Key of your remote server.
  309. [--plugin <name>] Enable SIP003 plugin. (Experimental)
  310. [--plugin-opts <options>] Set SIP003 plugin options. (Experimental)
  311. [-v] Verbose mode.
  312. ## Transparent proxy
  313. The latest shadowsocks-libev has provided a *redir* mode. You can configure your Linux-based box or router to proxy all TCP traffic transparently, which is handy if you use an OpenWRT-powered router.
  314. # Create new chain
  315. iptables -t nat -N SHADOWSOCKS
  316. iptables -t mangle -N SHADOWSOCKS
  317. # Ignore your shadowsocks server's addresses
  318. # It's very IMPORTANT, just be careful.
  319. iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN
  320. # Ignore LANs and any other addresses you'd like to bypass the proxy
  321. # See Wikipedia and RFC5735 for full list of reserved networks.
  322. # See ashi009/bestroutetb for a highly optimized CHN route list.
  323. iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
  324. iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
  325. iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
  326. iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
  327. iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
  328. iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
  329. iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
  330. iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
  331. # Anything else should be redirected to shadowsocks's local port
  332. iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345
  333. # Add any UDP rules
  334. ip route add local default dev lo table 100
  335. ip rule add fwmark 1 lookup 100
  336. iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x01/0x01
  337. # Apply the rules
  338. iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS
  339. iptables -t mangle -A PREROUTING -j SHADOWSOCKS
  340. # Start the shadowsocks-redir
  341. ss-redir -u -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid
  342. ## Transparent proxy (pure tproxy)
  343. Executing this script on the linux host can proxy all outgoing traffic of this machine (except the traffic sent to the reserved address). Other hosts under the same LAN can also change their default gateway to the ip of this linux host (at the same time change the dns server to 1.1.1.1 or 8.8.8.8, etc.) to proxy their outgoing traffic.
  344. > Of course, the ipv6 proxy is similar, just change `iptables` to `ip6tables`, `ip` to `ip -6`, `127.0.0.1` to `::1`, and other details.
  345. ```shell
  346. #!/bin/bash
  347. start_ssredir() {
  348. # please modify MyIP, MyPort, etc.
  349. (ss-redir -s MyIP -p MyPort -m MyMethod -k MyPasswd -b 127.0.0.1 -l 60080 --no-delay -u -T -v </dev/null &>>/var/log/ss-redir.log &)
  350. }
  351. stop_ssredir() {
  352. kill -9 $(pidof ss-redir) &>/dev/null
  353. }
  354. start_iptables() {
  355. ##################### SSREDIR #####################
  356. iptables -t mangle -N SSREDIR
  357. # connection-mark -> packet-mark
  358. iptables -t mangle -A SSREDIR -j CONNMARK --restore-mark
  359. iptables -t mangle -A SSREDIR -m mark --mark 0x2333 -j RETURN
  360. # please modify MyIP, MyPort, etc.
  361. # ignore traffic sent to ss-server
  362. iptables -t mangle -A SSREDIR -p tcp -d MyIP --dport MyPort -j RETURN
  363. iptables -t mangle -A SSREDIR -p udp -d MyIP --dport MyPort -j RETURN
  364. # ignore traffic sent to reserved addresses
  365. iptables -t mangle -A SSREDIR -d 0.0.0.0/8 -j RETURN
  366. iptables -t mangle -A SSREDIR -d 10.0.0.0/8 -j RETURN
  367. iptables -t mangle -A SSREDIR -d 100.64.0.0/10 -j RETURN
  368. iptables -t mangle -A SSREDIR -d 127.0.0.0/8 -j RETURN
  369. iptables -t mangle -A SSREDIR -d 169.254.0.0/16 -j RETURN
  370. iptables -t mangle -A SSREDIR -d 172.16.0.0/12 -j RETURN
  371. iptables -t mangle -A SSREDIR -d 192.0.0.0/24 -j RETURN
  372. iptables -t mangle -A SSREDIR -d 192.0.2.0/24 -j RETURN
  373. iptables -t mangle -A SSREDIR -d 192.88.99.0/24 -j RETURN
  374. iptables -t mangle -A SSREDIR -d 192.168.0.0/16 -j RETURN
  375. iptables -t mangle -A SSREDIR -d 198.18.0.0/15 -j RETURN
  376. iptables -t mangle -A SSREDIR -d 198.51.100.0/24 -j RETURN
  377. iptables -t mangle -A SSREDIR -d 203.0.113.0/24 -j RETURN
  378. iptables -t mangle -A SSREDIR -d 224.0.0.0/4 -j RETURN
  379. iptables -t mangle -A SSREDIR -d 240.0.0.0/4 -j RETURN
  380. iptables -t mangle -A SSREDIR -d 255.255.255.255/32 -j RETURN
  381. # mark the first packet of the connection
  382. iptables -t mangle -A SSREDIR -p tcp --syn -j MARK --set-mark 0x2333
  383. iptables -t mangle -A SSREDIR -p udp -m conntrack --ctstate NEW -j MARK --set-mark 0x2333
  384. # packet-mark -> connection-mark
  385. iptables -t mangle -A SSREDIR -j CONNMARK --save-mark
  386. ##################### OUTPUT #####################
  387. # proxy the outgoing traffic from this machine
  388. iptables -t mangle -A OUTPUT -p tcp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
  389. iptables -t mangle -A OUTPUT -p udp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
  390. ##################### PREROUTING #####################
  391. # proxy traffic passing through this machine (other->other)
  392. iptables -t mangle -A PREROUTING -p tcp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
  393. iptables -t mangle -A PREROUTING -p udp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
  394. # hand over the marked package to TPROXY for processing
  395. iptables -t mangle -A PREROUTING -p tcp -m mark --mark 0x2333 -j TPROXY --on-ip 127.0.0.1 --on-port 60080
  396. iptables -t mangle -A PREROUTING -p udp -m mark --mark 0x2333 -j TPROXY --on-ip 127.0.0.1 --on-port 60080
  397. }
  398. stop_iptables() {
  399. ##################### PREROUTING #####################
  400. iptables -t mangle -D PREROUTING -p tcp -m mark --mark 0x2333 -j TPROXY --on-ip 127.0.0.1 --on-port 60080 &>/dev/null
  401. iptables -t mangle -D PREROUTING -p udp -m mark --mark 0x2333 -j TPROXY --on-ip 127.0.0.1 --on-port 60080 &>/dev/null
  402. iptables -t mangle -D PREROUTING -p tcp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSREDIR &>/dev/null
  403. iptables -t mangle -D PREROUTING -p udp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSREDIR &>/dev/null
  404. ##################### OUTPUT #####################
  405. iptables -t mangle -D OUTPUT -p tcp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j SSREDIR &>/dev/null
  406. iptables -t mangle -D OUTPUT -p udp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j SSREDIR &>/dev/null
  407. ##################### SSREDIR #####################
  408. iptables -t mangle -F SSREDIR &>/dev/null
  409. iptables -t mangle -X SSREDIR &>/dev/null
  410. }
  411. start_iproute2() {
  412. ip route add local default dev lo table 100
  413. ip rule add fwmark 0x2333 table 100
  414. }
  415. stop_iproute2() {
  416. ip rule del table 100 &>/dev/null
  417. ip route flush table 100 &>/dev/null
  418. }
  419. start_resolvconf() {
  420. # or nameserver 8.8.8.8, etc.
  421. echo "nameserver 1.1.1.1" >/etc/resolv.conf
  422. }
  423. stop_resolvconf() {
  424. echo "nameserver 114.114.114.114" >/etc/resolv.conf
  425. }
  426. start() {
  427. echo "start ..."
  428. start_ssredir
  429. start_iptables
  430. start_iproute2
  431. start_resolvconf
  432. echo "start end"
  433. }
  434. stop() {
  435. echo "stop ..."
  436. stop_resolvconf
  437. stop_iproute2
  438. stop_iptables
  439. stop_ssredir
  440. echo "stop end"
  441. }
  442. restart() {
  443. stop
  444. sleep 1
  445. start
  446. }
  447. main() {
  448. if [ $# -eq 0 ]; then
  449. echo "usage: $0 start|stop|restart ..."
  450. return 1
  451. fi
  452. for funcname in "$@"; do
  453. if [ "$(type -t $funcname)" != 'function' ]; then
  454. echo "'$funcname' not a shell function"
  455. return 1
  456. fi
  457. done
  458. for funcname in "$@"; do
  459. $funcname
  460. done
  461. return 0
  462. }
  463. main "$@"
  464. ```
  465. ## Security Tips
  466. For any public server, to avoid users accessing localhost of your server, please add `--acl acl/server_block_local.acl` to the command line.
  467. Although shadowsocks-libev can handle thousands of concurrent connections nicely, we still recommend
  468. setting up your server's firewall rules to limit connections from each user:
  469. # Up to 32 connections are enough for normal usage
  470. iptables -A INPUT -p tcp --syn --dport ${SHADOWSOCKS_PORT} -m connlimit --connlimit-above 32 -j REJECT --reject-with tcp-reset
  471. ## License
  472. ```
  473. Copyright: 2013-2015, Clow Windy <clowwindy42@gmail.com>
  474. 2013-2018, Max Lv <max.c.lv@gmail.com>
  475. 2014, Linus Yang <linusyang@gmail.com>
  476. This program is free software: you can redistribute it and/or modify
  477. it under the terms of the GNU General Public License as published by
  478. the Free Software Foundation, either version 3 of the License, or
  479. (at your option) any later version.
  480. This program is distributed in the hope that it will be useful,
  481. but WITHOUT ANY WARRANTY; without even the implied warranty of
  482. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  483. GNU General Public License for more details.
  484. You should have received a copy of the GNU General Public License
  485. along with this program. If not, see <http://www.gnu.org/licenses/>.
  486. ```