diff --git a/README.md b/README.md index 34e105d5..d83d076e 100644 --- a/README.md +++ b/README.md @@ -351,8 +351,7 @@ More information about the image can be found [here](docker/alpine/README.md). For a detailed and complete list of all supported arguments, you may refer to the man pages of the applications, respectively. -``` -    ss-[local|redir|server|tunnel|manager] + ss-[local|redir|server|tunnel|manager] -s host name or ip address of your remote server @@ -423,51 +422,44 @@ you may refer to the man pages of the applications, respectively. [-v] verbose mode -notes: - - ss-redir provides a transparent proxy function and only works on the - Linux platform with iptables. - -``` - -## Advanced usage +## Transparent proxy -The latest shadowsocks-libev has provided a *redir* mode. You can configure your Linux-based box or router to proxy all TCP traffic transparently. +The latest shadowsocks-libev has provided a *redir* mode. You can configure your Linux-based box or router to proxy all TCP traffic transparently, which is handy if you use a OpenWRT-powered router. # Create new chain - root@Wrt:~# iptables -t nat -N SHADOWSOCKS - root@Wrt:~# iptables -t mangle -N SHADOWSOCKS + iptables -t nat -N SHADOWSOCKS + iptables -t mangle -N SHADOWSOCKS # Ignore your shadowsocks server's addresses # It's very IMPORTANT, just be careful. - root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN + iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN # Ignore LANs and any other addresses you'd like to bypass the proxy # See Wikipedia and RFC5735 for full list of reserved networks. # See ashi009/bestroutetb for a highly optimized CHN route list. - root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN - root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN - root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN - root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN - root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN - root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN - root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN - root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN + iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN + iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN + iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN + iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN + iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN + iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN + iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN + iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN # Anything else should be redirected to shadowsocks's local port - root@Wrt:~# iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345 + iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345 # Add any UDP rules - root@Wrt:~# ip route add local default dev lo table 100 - root@Wrt:~# ip rule add fwmark 1 lookup 100 - root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x01/0x01 + ip route add local default dev lo table 100 + ip rule add fwmark 1 lookup 100 + iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x01/0x01 # Apply the rules - root@Wrt:~# iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS - root@Wrt:~# iptables -t mangle -A PREROUTING -j SHADOWSOCKS + iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS + iptables -t mangle -A PREROUTING -j SHADOWSOCKS # Start the shadowsocks-redir - root@Wrt:~# ss-redir -u -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid + ss-redir -u -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid ## Shadowsocks over KCP diff --git a/doc/shadowsocks-libev.asciidoc b/doc/shadowsocks-libev.asciidoc index 5a62f669..71b6bccd 100644 --- a/doc/shadowsocks-libev.asciidoc +++ b/doc/shadowsocks-libev.asciidoc @@ -198,39 +198,39 @@ EXAMPLE .... # Create new chain -root@Wrt:~# iptables -t nat -N SHADOWSOCKS -root@Wrt:~# iptables -t mangle -N SHADOWSOCKS +iptables -t nat -N SHADOWSOCKS +iptables -t mangle -N SHADOWSOCKS # Ignore your shadowsocks server's addresses # It's very IMPORTANT, just be careful. -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN +iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN # Ignore LANs and any other addresses you'd like to bypass the proxy # See Wikipedia and RFC5735 for full list of reserved networks. # See ashi009/bestroutetb for a highly optimized CHN route list. -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN +iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN +iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN +iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN +iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN +iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN +iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN +iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN +iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN # Anything else should be redirected to shadowsocks's local port -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345 +iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345 # Add any UDP rules -root@Wrt:~# ip rule add fwmark 0x01/0x01 table 100 -root@Wrt:~# ip route add local 0.0.0.0/0 dev lo table 100 -root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x01/0x01 +ip rule add fwmark 0x01/0x01 table 100 +ip route add local 0.0.0.0/0 dev lo table 100 +iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x01/0x01 # Apply the rules -root@Wrt:~# iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS -root@Wrt:~# iptables -t mangle -A PREROUTING -j SHADOWSOCKS +iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS +iptables -t mangle -A PREROUTING -j SHADOWSOCKS # Start the shadowsocks-redir -root@Wrt:~# ss-redir -u -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid +ss-redir -u -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid .... PROTOCOL diff --git a/doc/ss-redir.asciidoc b/doc/ss-redir.asciidoc index f9195b31..9355de1c 100644 --- a/doc/ss-redir.asciidoc +++ b/doc/ss-redir.asciidoc @@ -130,39 +130,39 @@ ss-redir requires netfilter's NAT function. Here is an example: .... # Create new chain -root@Wrt:~# iptables -t nat -N SHADOWSOCKS -root@Wrt:~# iptables -t mangle -N SHADOWSOCKS +iptables -t nat -N SHADOWSOCKS +iptables -t mangle -N SHADOWSOCKS # Ignore your shadowsocks server's addresses # It's very IMPORTANT, just be careful. -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN +iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN # Ignore LANs and any other addresses you'd like to bypass the proxy # See Wikipedia and RFC5735 for full list of reserved networks. # See ashi009/bestroutetb for a highly optimized CHN route list. -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN +iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN +iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN +iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN +iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN +iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN +iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN +iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN +iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN # Anything else should be redirected to shadowsocks's local port -root@Wrt:~# iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345 +iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345 # Add any UDP rules -root@Wrt:~# ip route add local default dev lo table 100 -root@Wrt:~# ip rule add fwmark 1 lookup 100 -root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x01/0x01 +ip route add local default dev lo table 100 +ip rule add fwmark 1 lookup 100 +iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x01/0x01 # Apply the rules -root@Wrt:~# iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS -root@Wrt:~# iptables -t mangle -A PREROUTING -j SHADOWSOCKS +iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS +iptables -t mangle -A PREROUTING -j SHADOWSOCKS # Start the shadowsocks-redir -root@Wrt:~# ss-redir -u -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid +ss-redir -u -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid .... SEE ALSO