fix two situation: active incomming connection and local doh(dns over https) query

1. return incoming connections directly; v2ray tproxy does not seem to work for this situation, maybe a v2ray bug
2. exclude lo to avoid the local bind problem; for example, if your DNS is 127.0.0.1:53 for DoH, then v2ray can't bind to send the reply back
fancy
2020-04-22 14:40:31 +08:00
parent 8957aa5f04
commit e8684c936f
2 changed files with 25 additions and 11 deletions


@@ -11,12 +11,14 @@ enable_udp=true
enable_ipv4=true
enable_ipv6=true
## v2ray outbound mark
## v2ray outbound mark, depend on your v2ray setting
## only useful if v2ray process is also in proxy_cgroup, for example, you want to proxy whole userspace,
## and v2ray is also running in userspace
## and v2ray is also running in the same userspace
## otherwise ignore this
v2ray_so_mark=255
## do not modify this if you don't known what you are doing
mark=2333
table=100
table=100
mark=100
mark_newin=1
v2ray_so_mark=255
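Review bot: The `mark_newin=1` line added at the end of this hunk carries no comment, although `v2ray_so_mark` just above it gets four lines of explanation, and the script's own default in the second file of this commit is `mark_newin=101`, so the example config and the script disagree on the value; whichever is intended, the two should match. From the script, this value is stamped onto the conntrack entry of connections first seen in PREROUTING (`CONNMARK --set-mark $mark_newin`) and later matched in TPROXY_OUT to return them, so it should presumably stay distinct from `mark` and `v2ray_so_mark`. Suggest adding above it `## connmark for connections that arrive from outside (PREROUTING, ctstate NEW); TPROXY_OUT returns them untouched, keep it different from mark`. The warning comment in the same hunk also reads `don't known` for `don't know`.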


@@ -41,8 +41,9 @@ enable_ipv4=true
enable_ipv6=true
## do not modify this if you don't known what you are doing
mark=2333
mark=100
table=100
mark_newin=101
v2ray_so_mark=255
## cgroup things
@@ -67,6 +68,8 @@ case $i in
ip route flush table $table
ip -6 rule delete fwmark $mark lookup $table
ip -6 route flush table $table
iptables -t nat -A OUTPUT -F
ip6tables -t nat -A OUTPUT -F
exit 0
;;
--config=*)
@@ -91,14 +94,16 @@ ip route add local default dev lo table $table
iptables -t mangle -N TPROXY_PRE
iptables -t mangle -A TPROXY_PRE -p udp -m mark --mark $mark -j TPROXY --on-ip 127.0.0.1 --on-port $port --tproxy-mark $mark
iptables -t mangle -A TPROXY_PRE -p tcp -m mark --mark $mark -j TPROXY --on-ip 127.0.0.1 --on-port $port --tproxy-mark $mark
iptables -t mangle -A TPROXY_PRE -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark_newin
iptables -t mangle -A TPROXY_PRE -m conntrack --ctstate NEW -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -j TPROXY_PRE
iptables -t mangle -N TPROXY_OUT
iptables -t mangle -A TPROXY_OUT -p udp -o lo -j RETURN
iptables -t mangle -A TPROXY_OUT -m connmark --mark $mark_newin -j RETURN # return incoming connection directly, v2ray tproxy seems not work for this situation, maybe a v2ray bug
iptables -t mangle -A TPROXY_OUT -m mark --mark $v2ray_so_mark -j RETURN
iptables -t mangle -A TPROXY_OUT -p udp -m cgroup --path $proxy_cgroup -j MARK --set-mark $mark
iptables -t mangle -A TPROXY_OUT -p tcp -o lo -j RETURN
iptables -t mangle -A TPROXY_OUT -p tcp -m cgroup --path $proxy_cgroup -j MARK --set-mark $mark
iptables -t mangle -A OUTPUT -m mark ! --mark $v2ray_so_mark -j TPROXY_OUT
iptables -t mangle -A OUTPUT ! -o lo -j TPROXY_OUT # exclude lo to avoid local bind problem, for example if your dns is 127.0.0.1:53, then v2ray can't bind to reply back result
#ipv6#
ip -6 rule add fwmark $mark table $table
@@ -106,14 +111,21 @@ ip -6 route add local default dev lo table $table
ip6tables -t mangle -N TPROXY_PRE
ip6tables -t mangle -A TPROXY_PRE -p udp -m mark --mark $mark -j TPROXY --on-ip ::1 --on-port $port --tproxy-mark $mark
ip6tables -t mangle -A TPROXY_PRE -p tcp -m mark --mark $mark -j TPROXY --on-ip ::1 --on-port $port --tproxy-mark $mark
ip6tables -t mangle -A TPROXY_PRE -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark_newin
ip6tables -t mangle -A TPROXY_PRE -m conntrack --ctstate NEW -j CONNMARK --restore-mark
ip6tables -t mangle -A PREROUTING -j TPROXY_PRE
ip6tables -t mangle -N TPROXY_OUT
ip6tables -t mangle -A TPROXY_OUT -p udp -o lo -j RETURN
ip6tables -t mangle -A TPROXY_OUT -m connmark --mark $mark_newin -j RETURN
ip6tables -t mangle -A TPROXY_OUT -m mark --mark $v2ray_so_mark -j RETURN
ip6tables -t mangle -A TPROXY_OUT -p udp -m cgroup --path $proxy_cgroup -j MARK --set-mark $mark
ip6tables -t mangle -A TPROXY_OUT -p tcp -o lo -j RETURN
ip6tables -t mangle -A TPROXY_OUT -p tcp -m cgroup --path $proxy_cgroup -j MARK --set-mark $mark
ip6tables -t mangle -A OUTPUT -m mark ! --mark $v2ray_so_mark -j TPROXY_OUT
ip6tables -t mangle -A OUTPUT ! -o lo -j TPROXY_OUT
## use REDIRECT
# iptables -t nat -A OUTPUT -p tcp -m cgroup --path $proxy_cgroup -j DNAT --to-destination 127.0.0.1:12345
# ip6tables -t nat -A OUTPUT -p tcp -m cgroup --path $proxy_cgroup -j DNAT --to-destination [::1]:12345
## allow to disable, order is important
$enable_udp || iptables -t mangle -I TPROXY_OUT -p udp -j RETURN