From e8684c936f7e5f9471c9cc52866628ef3ee30d75 Mon Sep 17 00:00:00 2001
From: fancy
Date: Wed, 22 Apr 2020 14:40:31 +0800
Subject: [PATCH] fix two situation: active incomming connection and local doh(dns over https) query

1. return incoming connection directly, v2ray tproxy seems not work for this situation, maybe a v2ray bug
2. exclude lo to avoid local bind problem, for example if your dns is 127.0.0.1:53 for doh, then v2ray can't bind to reply back result
---
 cgproxy.conf | 10 ++++++----
 cgroup-tproxy.sh | 26 +++++++++++++++++++-------
 2 files changed, 25 insertions(+), 11 deletions(-)

diff --git a/cgproxy.conf b/cgproxy.conf
index 9964e62..a5b39d8 100644
--- a/cgproxy.conf
+++ b/cgproxy.conf
@@ -11,12 +11,14 @@ enable_udp=true
 enable_ipv4=true
 enable_ipv6=true
-## v2ray outbound mark
+## v2ray outbound mark, depend on your v2ray setting
 ## only useful if v2ray process is also in proxy_cgroup, for example, you want to proxy whole userspace,
-## and v2ray is also running in userspace
+## and v2ray is also running in the same userspace
 ## otherwise ignore this
 v2ray_so_mark=255
 ## do not modify this if you don't known what you are doing
-mark=2333
-table=100
\ No newline at end of file
+table=100
+mark=100
+mark_newin=1
+v2ray_so_mark=255
\ No newline at end of file
diff --git a/cgroup-tproxy.sh b/cgroup-tproxy.sh
index 8b428de..57e5ecc 100644
--- a/cgroup-tproxy.sh
+++ b/cgroup-tproxy.sh
@@ -41,8 +41,9 @@ enable_ipv4=true
 enable_ipv6=true
 ## do not modify this if you don't known what you are doing
-mark=2333
+mark=100
 table=100
+mark_newin=101
 v2ray_so_mark=255
 ## cgroup things
@@ -67,6 +68,8 @@ case $i in
 ip route flush table $table
 ip -6 rule delete fwmark $mark lookup $table
 ip -6 route flush table $table
+ iptables -t nat -A OUTPUT -F
+ ip6tables -t nat -A OUTPUT -F
 exit 0
 ;;
 --config=*)
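Review bot: `mark_newin=1` in cgproxy.conf disagrees with the `mark_newin=101` default the same commit puts into cgroup-tproxy.sh, so which connmark value tags inbound flows depends on whether the config file happens to be sourced, and 1 is a mark value other firewall or VPN tooling often claims for itself; settle on one value, presumably `mark_newin=101`. The hunk also appends a second `v2ray_so_mark=255` under the "do not modify" section while the first, commented one stays a few lines above — whichever is kept, the other should go so a user editing one is not silently overridden by the other. A one-line note on what the two marks are would help here, e.g. `## mark: fwmark that sends cgroup traffic to routing table $table; mark_newin: connmark tagging incoming connections so their replies bypass TPROXY`.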
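Review bot: `iptables -t nat -A OUTPUT -F` (and its ip6tables twin) combines an append (`-A OUTPUT`) with a flush (`-F`) in one invocation, which iptables rejects as conflicting commands, so the stop path either aborts before `exit 0` or prints an error and leaves nothing cleaned up. If a flush is really wanted the form is `iptables -t nat -F OUTPUT`, but flushing the built-in nat OUTPUT chain wholesale also removes rules installed by other software on the host, and nothing in this patch adds a nat rule — the DNAT lines further down stay commented out — so the safest fix is to drop both lines, or to keep any future nat rule in a dedicated chain and delete only that chain here. The `case` arm these lines sit in begins outside the hunk.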
@@ -91,14 +94,16 @@ ip route add local default dev lo table $table
 iptables -t mangle -N TPROXY_PRE
 iptables -t mangle -A TPROXY_PRE -p udp -m mark --mark $mark -j TPROXY --on-ip 127.0.0.1 --on-port $port --tproxy-mark $mark
 iptables -t mangle -A TPROXY_PRE -p tcp -m mark --mark $mark -j TPROXY --on-ip 127.0.0.1 --on-port $port --tproxy-mark $mark
+iptables -t mangle -A TPROXY_PRE -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark_newin
+iptables -t mangle -A TPROXY_PRE -m conntrack --ctstate NEW -j CONNMARK --restore-mark
 iptables -t mangle -A PREROUTING -j TPROXY_PRE
 iptables -t mangle -N TPROXY_OUT
-iptables -t mangle -A TPROXY_OUT -p udp -o lo -j RETURN
+iptables -t mangle -A TPROXY_OUT -m connmark --mark $mark_newin -j RETURN # return incoming connection directly, v2ray tproxy seems not work for this situation, maybe a v2ray bug
+iptables -t mangle -A TPROXY_OUT -m mark --mark $v2ray_so_mark -j RETURN
 iptables -t mangle -A TPROXY_OUT -p udp -m cgroup --path $proxy_cgroup -j MARK --set-mark $mark
-iptables -t mangle -A TPROXY_OUT -p tcp -o lo -j RETURN
 iptables -t mangle -A TPROXY_OUT -p tcp -m cgroup --path $proxy_cgroup -j MARK --set-mark $mark
-iptables -t mangle -A OUTPUT -m mark ! --mark $v2ray_so_mark -j TPROXY_OUT
+iptables -t mangle -A OUTPUT ! -o lo -j TPROXY_OUT # exclude lo to avoid local bind problem, for example if your dns is 127.0.0.1:53, then v2ray can't bind to reply back result
 #ipv6# ip -6 rule add fwmark $mark table $table
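Review bot: The two CONNMARK rules added to TPROXY_PRE fire on every NEW flow PREROUTING sees, on any interface and whether or not the host is the destination, and `--set-mark`/`--restore-mark` without a mask overwrite any connmark or fwmark another component already placed on that flow. The `--restore-mark` line is not needed for the exclusion at all — the OUTPUT-side rule tests `-m connmark`, and as far as this diff shows nothing routes on fwmark $mark_newin — so it can be dropped, and the tag can be narrowed to connections actually terminated here with `-m conntrack --ctstate NEW -m addrtype --dst-type LOCAL -j CONNMARK --set-mark $mark_newin` (a masked `--set-xmark`, with a matching mask on the `-m connmark` match, if other mark users must coexist). The ordering is sound as written: the TPROXY targets above are terminating, so cgroup traffic re-entering via lo with fwmark $mark never reaches the CONNMARK rule. The RETURN on `$mark_newin` deserves a comment saying it relies on conntrack having seen the connection's first packet in PREROUTING, since that is the whole mechanism.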
@@ -106,14 +111,21 @@ ip -6 route add local default dev lo table $table
 ip6tables -t mangle -N TPROXY_PRE
 ip6tables -t mangle -A TPROXY_PRE -p udp -m mark --mark $mark -j TPROXY --on-ip ::1 --on-port $port --tproxy-mark $mark
 ip6tables -t mangle -A TPROXY_PRE -p tcp -m mark --mark $mark -j TPROXY --on-ip ::1 --on-port $port --tproxy-mark $mark
+ip6tables -t mangle -A TPROXY_PRE -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark_newin
+ip6tables -t mangle -A TPROXY_PRE -m conntrack --ctstate NEW -j CONNMARK --restore-mark
 ip6tables -t mangle -A PREROUTING -j TPROXY_PRE
 ip6tables -t mangle -N TPROXY_OUT
-ip6tables -t mangle -A TPROXY_OUT -p udp -o lo -j RETURN
+ip6tables -t mangle -A TPROXY_OUT -m connmark --mark $mark_newin -j RETURN
+ip6tables -t mangle -A TPROXY_OUT -m mark --mark $v2ray_so_mark -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -p udp -m cgroup --path $proxy_cgroup -j MARK --set-mark $mark
-ip6tables -t mangle -A TPROXY_OUT -p tcp -o lo -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -p tcp -m cgroup --path $proxy_cgroup -j MARK --set-mark $mark
-ip6tables -t mangle -A OUTPUT -m mark ! --mark $v2ray_so_mark -j TPROXY_OUT
+ip6tables -t mangle -A OUTPUT ! -o lo -j TPROXY_OUT
+
+
+## use REDIRECT
+# iptables -t nat -A OUTPUT -p tcp -m cgroup --path $proxy_cgroup -j DNAT --to-destination 127.0.0.1:12345
+# ip6tables -t nat -A OUTPUT -p tcp -m cgroup --path $proxy_cgroup -j DNAT --to-destination [::1]:12345
 ## allow to disable, order is important
 $enable_udp || iptables -t mangle -I TPROXY_OUT -p udp -j RETURN
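Review bot: The commented-out fallback under `## use REDIRECT` hardcodes port `12345` where every live rule uses `$port`, and it uses DNAT rather than the REDIRECT its heading names, so anyone who uncomments it later gets a rule that disagrees with the rest of the script; either write it as `-j DNAT --to-destination 127.0.0.1:$port` / `[::1]:$port` (or `-j REDIRECT --to-ports $port`) with a comment saying when it is meant to replace TPROXY, or drop the dead block. The IPv6 CONNMARK pair has the same scope as its IPv4 counterpart — it tags every NEW flow PREROUTING sees, on any interface, and the unmasked `--set-mark`/`--restore-mark` overwrite marks set by anything else — and the `--restore-mark` line is unused here since the exclusion in TPROXY_OUT matches on `-m connmark`, so it can go. The `$enable_udp || ... -I TPROXY_OUT` line that follows inserts at the head of the chain and therefore runs before the new connmark RETURN, which is harmless but worth stating in the "order is important" comment.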