This post describes how to use iptables on a Linux server to set up a transparent TCP proxy to a Shadowsocks server, and how to pair it with pdnsd so that DNS resolution is forwarded to Google DNS, avoiding DNS poisoning.
Install shadowsocks-libev
```sh
git clone https://github.com/shadowsocks/shadowsocks-libev.git
cd shadowsocks-libev
./configure --prefix=/usr
make
sudo make install
```
Configure the proxy server:
```sh
sudo mkdir -p /etc/shadowsocks
```
Edit /etc/shadowsocks/config.json:
```json
{
    "server": "xxx.xxx.xxx.xxx",
    "server_port": xxxx,
    "local_port": 1080,
    "method": "aes-256-cfb",
    "password": "xxxxx",
    "timeout": 300,
    "mode": "tcp_and_udp"
}
```
Create the systemd unit (note that `sudo cat > file` does not work here, because the redirection is performed by the unprivileged shell; `sudo tee` writes the file as root):

```sh
sudo tee /etc/systemd/system/shadowsocks.service >/dev/null <<'EOF'
[Unit]
Description=Shadowsocks Server
After=network.target

[Service]
Type=simple
User=nobody
ExecStart=/usr/bin/ss-redir -c /etc/shadowsocks/config.json

[Install]
WantedBy=multi-user.target
EOF
```
Start ss-redir:
```sh
sudo systemctl start shadowsocks.service
sudo systemctl enable shadowsocks.service
```
If you modify /etc/systemd/system/shadowsocks.service afterwards, reload systemd so the change is picked up:

```sh
sudo systemctl daemon-reload
```
pdnsd configuration
Back up the existing configuration and write a new one that forwards all queries to Google DNS over TCP only (again written with `sudo tee` so the file is created as root):

```sh
sudo cp /etc/pdnsd.conf /etc/pdnsd.conf.old
sudo tee /etc/pdnsd.conf >/dev/null <<'EOF'
global {
    perm_cache=2048;
    cache_dir="/var/cache/pdnsd";
    run_as="pdnsd";
    server_ip = 127.0.0.1;  // Use eth0 here if you want to allow other
                            // machines on your network to query pdnsd.
    server_port=53;
    status_ctl = on;
    paranoid=on;
    query_method=tcp_only;  // pdnsd must be compiled with tcp
                            // query support for this to work.
    min_ttl=15m;            // Retain cached entries at least 15 minutes.
    max_ttl=1w;             // One week.
    timeout=10;             // Global timeout option (10 seconds).
    // Don't enable if you don't recurse yourself, can lead to problems
    // delegation_only="com","net";
}

server {
    label=GoogleDNS;
    ip=8.8.8.8, 8.8.4.4;
    timeout=4;
    interval=10m;
    uptest=ping;
    ping_timeout=50;
    purge_cache=off;
}

source {
    owner=localhost;
    // serve_aliases=on;
    file="/etc/hosts";
}

rr {
    name=localhost;
    reverse=on;
    a=127.0.0.1;
    owner=localhost;
    soa=localhost,root.localhost,42,86400,900,86400,86400;
}
EOF
```
Make sure the init script actually starts the daemon:

```sh
sudo tee /etc/default/pdnsd >/dev/null <<'EOF'
# do we start pdnsd ?
START_DAEMON=yes

# auto-mode, overrides /etc/pdnsd.conf if set [see /usr/share/pdnsd/]
AUTO_MODE=

# optional CLI options to pass to pdnsd(8)
START_OPTIONS=
EOF
```
Start pdnsd:

```sh
sudo /etc/init.d/pdnsd start
sudo systemctl enable pdnsd
```
Remember to point /etc/resolv.conf at pdnsd so the system uses it as its DNS proxy:

```sh
sudo tee /etc/resolv.conf >/dev/null <<'EOF'
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
EOF
```
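A quick check that the resolver really is pointed at pdnsd, added here as an example; it is not part of the original post. The function names resolv_nameservers, resolv_only_local and resolv_is_managed, the --live flag and the sample resolv.conf contents are assumptions of this script. It catches two ways this step silently fails: a second, non-local nameserver that the glibc resolver can fall back to on timeout (queries then bypass pdnsd), and a resolvconf-managed symlink that will be overwritten on the next network event, exactly as the header in the file above warns.

```shell
#!/bin/sh
# Verifies that /etc/resolv.conf sends every query to the local pdnsd.
# Added example, not code from the original post; function names and the
# --live flag are assumptions made here.

# resolv_nameservers FILE: print the nameserver addresses, skipping comments
# and any other directives (search, options, ...).
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# resolv_only_local FILE: succeed only if FILE lists at least one nameserver
# and every one of them is 127.0.0.1. glibc tries nameservers in order and
# falls back to the next one on timeout, so a second, non-local entry would
# let queries leak around pdnsd.
resolv_only_local() {
    n=$(resolv_nameservers "$1" | wc -l | tr -d ' ')
    bad=$(resolv_nameservers "$1" | grep -vc '^127\.0\.0\.1$' || true)
    [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]
}

# resolv_is_managed FILE: succeed if FILE is a symlink, which is how
# resolvconf and systemd-resolved manage it; a hand-written copy in that
# position is overwritten on the next network event.
resolv_is_managed() {
    [ -L "$1" ]
}

# --live: run the checks against the real file and, if dig is installed,
# confirm that a TCP lookup through pdnsd on 127.0.0.1 succeeds.
if [ "${1:-}" = "--live" ]; then
    f=/etc/resolv.conf
    if resolv_only_local "$f"; then
        echo "ok: every nameserver in $f is 127.0.0.1"
    else
        echo "warn: $f has no nameserver or a nameserver other than 127.0.0.1"
    fi
    if resolv_is_managed "$f"; then
        echo "warn: $f is a symlink; resolvconf may overwrite your change"
    fi
    if command -v dig >/dev/null 2>&1; then
        dig +tcp +short @127.0.0.1 example.com
    fi
fi
```

Run it as `sh check-resolv.sh --live` after writing the file; the `dig +tcp` lookup at the end goes to pdnsd directly, so a timeout there means pdnsd itself is not answering rather than a resolv.conf problem.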
iptables
These rules can be added to rc.local; remember to change xxx.xxx.xxx.xxx to your Shadowsocks server's IP address, otherwise ss-redir's own connection to the server would be redirected back into the chain.
```sh
iptables -t nat -N SHADOWSOCKS
iptables -t nat -A SHADOWSOCKS -d xxx.xxx.xxx.xxx -j RETURN
iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 1080
iptables -t nat -I PREROUTING -p tcp -j SHADOWSOCKS
```
Remember to make rc.local executable (chmod +x), or it will not run at boot.
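The rule set above, wrapped in a small generator script so the chain can be rebuilt safely from rc.local. This is an added example, not code from the original post; the names gen_ss_nat_rules, is_ipv4 and BYPASS_NETS, the --print/--apply flags and the sample address 203.0.113.10 (a documentation-range address constructed here) are assumptions. It goes slightly beyond the post in three ways: it refuses to run while the xxx.xxx.xxx.xxx placeholder is still in place, it flushes an existing SHADOWSOCKS chain instead of failing on a second run, and it can optionally hook the nat OUTPUT chain as well. The post hooks PREROUTING only, which sees traffic forwarded from other hosts; connections originating on this server itself, including pdnsd's TCP queries to 8.8.8.8, traverse nat OUTPUT and are not redirected without that extra hook.

```shell
#!/bin/sh
# Generates (and optionally applies) the SHADOWSOCKS nat chain from the post.
# Added example, not part of the original post. gen_ss_nat_rules, is_ipv4,
# BYPASS_NETS and the --print/--apply flags are names chosen here.

# Destinations that must never be sent to the proxy: local, private,
# link-local, multicast and reserved ranges. The proxy server's own address
# is added first by gen_ss_nat_rules, which is what prevents a redirect loop.
BYPASS_NETS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

# is_ipv4 ADDR: return 0 for a dotted-quad IPv4 literal, 1 otherwise.
# Catches the post's xxx.xxx.xxx.xxx placeholder being left in place.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# gen_ss_nat_rules SERVER_IP REDIR_PORT [HOOK_OUTPUT]: print the iptables
# commands. HOOK_OUTPUT=yes also hooks the nat OUTPUT chain so that
# connections made by this host itself are redirected; the post only hooks
# PREROUTING, which covers traffic forwarded from LAN clients.
gen_ss_nat_rules() {
    server="$1"; port="$2"; hook_output="${3:-no}"
    if ! is_ipv4 "$server"; then
        echo "gen_ss_nat_rules: '$server' is not an IPv4 address" >&2
        return 1
    fi
    # Create the chain, or flush it if a previous run already created it, so
    # the script can be re-run from rc.local without duplicating rules.
    echo "iptables -t nat -N SHADOWSOCKS 2>/dev/null || iptables -t nat -F SHADOWSOCKS"
    # Traffic to the proxy server itself goes out directly (ss-redir's upstream).
    echo "iptables -t nat -A SHADOWSOCKS -d $server -j RETURN"
    for net in $BYPASS_NETS; do
        echo "iptables -t nat -A SHADOWSOCKS -d $net -j RETURN"
    done
    # Everything else that is TCP lands on ss-redir's local port.
    echo "iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports $port"
    # Add the jump only if it is not already present (-C checks, -I inserts).
    echo "iptables -t nat -C PREROUTING -p tcp -j SHADOWSOCKS 2>/dev/null || iptables -t nat -I PREROUTING -p tcp -j SHADOWSOCKS"
    if [ "$hook_output" = yes ]; then
        echo "iptables -t nat -C OUTPUT -p tcp -j SHADOWSOCKS 2>/dev/null || iptables -t nat -I OUTPUT -p tcp -j SHADOWSOCKS"
    fi
}

# Usage: sh ss-nat.sh --print SERVER_IP [PORT] [yes]   (show the rules)
#        sh ss-nat.sh --apply SERVER_IP [PORT] [yes]   (run as root)
case "${1:-}" in
    --print) shift; gen_ss_nat_rules "$1" "${2:-1080}" "${3:-no}" ;;
    --apply) shift; gen_ss_nat_rules "$1" "${2:-1080}" "${3:-no}" | sh ;;
esac
```

Print the rules with `sh ss-nat.sh --print 203.0.113.10 1080` and apply them as root with `--apply`; pass `yes` as the third argument to hook OUTPUT too. In that mode ss-redir's own connection to the server address matches the first RETURN rule, so it is never redirected back to port 1080.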