Why are netcat packets rerouted by my iptables rules, but curl requests are not?

I am trying to route all traffic through an SSH tunnel / SOCKS5 proxy. I have set up some iptables rules that redirect (almost) all traffic to a socket-based program, which then negotiates and forwards the traffic to the SOCKS5 proxy. I have found that not all traffic is being rerouted correctly, and I suspect my iptables rules are not working. Would anyone mind taking another look for me?

For example, I can run nc 8.8.8.8 80 2>&1 and see in the socket-based program that the redirect is happening. But when I run curl google.com, I get a resolution error: curl: (6) Could not resolve host: google.com. Nothing in the socket-based program's logs shows that any redirect was attempted.

For example, I have a socket-based program listening on 0.0.0.0:9900, and the SOCKS5 proxy is started on port 9901. I am running all of this inside a Docker container, just in case that matters (though I don't think it is a big deal...).

I start the SOCKS5 proxy like this:

#!/usr/bin/env bash

ssh -D 127.0.0.1:9901 -N  [email protected]

Here are the iptables rules I am using:

#!/usr/bin/env bash

# Create a new chain in the NAT table.
iptables -t nat --new-chain CUSTOM

# Create a rule for leaving localhost destined packets alone.
iptables -t nat --append CUSTOM --destination 127.0.0.0/8 --jump RETURN

# Create a rule for leaving the tunnel we will create alone.
# 192.168.0.25 is the static IP of the machine running the SOCKS5 server.
iptables -t nat --append CUSTOM --destination 192.168.0.25 --protocol tcp --destination-port 22 --jump RETURN

# Create a rule for redirecting all other TCP traffic through the SSH tunnel.
iptables -t nat --append CUSTOM --protocol tcp --jump LOG --log-level info --log-prefix='[iptables] '
iptables -t nat --append CUSTOM --protocol tcp --jump REDIRECT --to-ports 9900

# Link the OUTPUT and PREROUTING chains of the NAT table to our custom user-defined chain.
iptables -t nat -I OUTPUT 1 --jump CUSTOM
iptables -t nat -I PREROUTING 1 --jump CUSTOM

The full output of iptables -t nat -L -v is below:

Chain PREROUTING (policy ACCEPT 165 packets, 21537 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  165 21537 CUSTOM     all  --  any    any     anywhere             anywhere            
 5129  389K DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
 6987 1026K delegate_prerouting  all  --  any    any     anywhere             anywhere            

Chain INPUT (policy ACCEPT 114 packets, 8854 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 40 packets, 2369 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   40  2369 CUSTOM     all  --  any    any     anywhere             anywhere            
    0     0 DOCKER     all  --  any    any     anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 39 packets, 2301 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   72  9027 MASQUERADE  all  --  any    !docker0  172.17.0.0/16        anywhere            
 1614 99565 delegate_postrouting  all  --  any    any     anywhere             anywhere            

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 any     anywhere             anywhere            

Chain CUSTOM (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   39  2301 RETURN     all  --  any    any     anywhere             127.0.0.0/8         
    0     0 RETURN     tcp  --  any    any     anywhere             192.168.0.25         tcp dpt:ssh
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             LOG level info prefix "[iptables] "
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             redir ports 9900

Chain MINIUPNPD (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain delegate_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1614 99565 postrouting_rule  all  --  any    any     anywhere             anywhere             /* user chain for postrouting */
    0     0 zone_lan_postrouting  all  --  any    br-lan  anywhere             anywhere            
    0     0 zone_wifi_postrouting  all  --  any    br-wifi  anywhere             anywhere            
   55  5757 zone_wan_postrouting  all  --  any    eth0    anywhere             anywhere            

Chain delegate_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 6987 1026K prerouting_rule  all  --  any    any     anywhere             anywhere             /* user chain for prerouting */
 4545  342K zone_lan_prerouting  all  --  br-lan any     anywhere             anywhere            
    1    32 zone_wifi_prerouting  all  --  br-wifi any     anywhere             anywhere            
 2441  684K zone_wan_prerouting  all  --  eth0   any     anywhere             anywhere            

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_wifi_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wifi_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 postrouting_lan_rule  all  --  any    any     anywhere             anywhere             /* user chain for postrouting */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 4545  342K prerouting_lan_rule  all  --  any    any     anywhere             anywhere             /* user chain for prerouting */

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   55  5757 postrouting_wan_rule  all  --  any    any     anywhere             anywhere             /* user chain for postrouting */
   55  5757 MASQUERADE  all  --  any    any     anywhere             anywhere            

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2441  684K MINIUPNPD  all  --  any    any     anywhere             anywhere            
 2441  684K MINIUPNPD  all  --  any    any     anywhere             anywhere            
 2441  684K prerouting_wan_rule  all  --  any    any     anywhere             anywhere             /* user chain for prerouting */

Chain zone_wifi_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 postrouting_wifi_rule  all  --  any    any     anywhere             anywhere             /* user chain for postrouting */

Chain zone_wifi_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    32 prerouting_wifi_rule  all  --  any    any     anywhere             anywhere             /* user chain for prerouting */

If there is any other information I should include, please let me know. Thanks in advance!

Answer 1

Welcome to StackOverflow!

Based on the error from your curl request, it looks like the DNS request is failing before it even tries to connect to google.com.

On POSIX systems, DNS resolution is controlled by the /etc/resolv.conf file. If that file does not contain any nameserver lines, your system will not be able to resolve hosts. Adding a nameserver line is as simple as adding the following line:

nameserver 8.8.8.8

On newer Linux systems, resolution may be controlled by systemd-resolved, and you will see a line like:

nameserver 127.0.0.53

In that case, editing the /etc/resolv.conf file is only a temporary solution, because systemd periodically overwrites it. You will then need to edit the netplan configuration in /etc/netplan/ or disable systemd-resolved.
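Both things this thread turns on can be checked from saved output instead of by reading the dump by eye: which protocols a chain's REDIRECT rules actually match (the CUSTOM chain in the question matches tcp only, and a stub resolver lookup normally goes out over udp/53, so it traverses CUSTOM without matching anything and is never redirected to port 9900), and what /etc/resolv.conf says (no nameserver line, the systemd-resolved stub 127.0.0.53, or a real server, as the answer describes). The script below is an added example, not code from the question or the answer. It parses a constructed copy of the CUSTOM chain from the question and constructed resolv.conf contents, touches no live iptables rules, and the function names and the "dpt:domain"/"dpt:53" port check are my own; dpts: port ranges are not parsed.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the original post): given a saved
# "iptables -t nat -L -v" dump and a resolv.conf, report which protocols a
# chain's REDIRECT rules cover, whether a UDP/53 lookup would be redirected,
# and how DNS is configured. Nothing here reads or changes live rules.

# Constructed sample: the OUTPUT and CUSTOM chains from the question, saved
# to the file named by $1.
make_sample_dump() {
  cat > "$1" <<'EOF'
Chain OUTPUT (policy ACCEPT 40 packets, 2369 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2369 CUSTOM     all  --  any    any     anywhere             anywhere

Chain CUSTOM (2 references)
 pkts bytes target     prot opt in     out     source               destination
   39  2301 RETURN     all  --  any    any     anywhere             127.0.0.0/8
    0     0 RETURN     tcp  --  any    any     anywhere             192.168.0.25         tcp dpt:ssh
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             LOG level info prefix "[iptables] "
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             redir ports 9900
EOF
}

# redirect_protos DUMP CHAIN -> sorted, space-separated protocols matched by
# REDIRECT rules in CHAIN ("all" means every protocol). Columns of -L -v:
# $1 pkts, $2 bytes, $3 target, $4 prot, ...
redirect_protos() {
  awk -v chain="$2" '
    /^Chain / { in_chain = ($2 == chain); next }
    in_chain && $3 == "REDIRECT" { seen[$4] = 1 }
    END {
      n = 0; for (p in seen) out[n++] = p
      for (i = 0; i < n; i++) for (j = i + 1; j < n; j++)
        if (out[j] < out[i]) { t = out[i]; out[i] = out[j]; out[j] = t }
      for (i = 0; i < n; i++) printf "%s%s", (i ? " " : ""), out[i]
    }' "$1"
}

# dns_redirect_rule DUMP CHAIN -> "yes" if CHAIN has a REDIRECT rule that a
# UDP/53 query would match (udp or all, and either no port match or
# dpt:domain / dpt:53), otherwise "no".
dns_redirect_rule() {
  awk -v chain="$2" '
    /^Chain / { in_chain = ($2 == chain); next }
    in_chain && $3 == "REDIRECT" && ($4 == "udp" || $4 == "all") {
      line = $0 " "
      if (line !~ /dpt:/ || line ~ /dpt:(domain|53) /) found = 1
    }
    END { print (found ? "yes" : "no") }' "$1"
}

# resolv_status FILE -> "none" (no nameserver line), "stub" (the
# systemd-resolved stub 127.0.0.53), or "ok" (some other nameserver).
resolv_status() {
  local ns
  ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
  if [ -z "$ns" ]; then echo none
  elif [ "$ns" = "127.0.0.53" ]; then echo stub
  else echo ok
  fi
}

# Demo on the constructed sample (runs offline; nothing touches iptables).
demo_dir=$(mktemp -d)
make_sample_dump "$demo_dir/nat.txt"
printf 'nameserver 127.0.0.53\noptions edns0\n' > "$demo_dir/resolv.conf"
echo "REDIRECT protocols in CUSTOM: $(redirect_protos "$demo_dir/nat.txt" CUSTOM)"
echo "UDP/53 lookup would be redirected: $(dns_redirect_rule "$demo_dir/nat.txt" CUSTOM)"
echo "resolv.conf status: $(resolv_status "$demo_dir/resolv.conf")"
rm -rf "$demo_dir"
```

To use it against a real box, replace the constructed file with the output of iptables -t nat -L -v saved to a file and point resolv_status at /etc/resolv.conf; a "stub" result means the answer's netplan/systemd-resolved note applies, and "no" from dns_redirect_rule means resolver queries bypass the REDIRECT regardless of what resolv.conf contains.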
