diff --git a/cgproxy.conf b/cgproxy.conf
index b12b115..4b01af1 100644
--- a/cgproxy.conf
+++ b/cgproxy.conf
@@ -7,6 +7,7 @@
 ## cgroup must start with slash '/'
 # cgroup_proxy="/"
 cgroup_proxy="/proxy.slice"
+# cgroup_noproxy="/system.slice/v2ray.service"
 cgroup_noproxy="/noproxy.slice"
 ########################################################################
diff --git a/cgroup-tproxy.sh b/cgroup-tproxy.sh
index 514ed63..665549b 100644
--- a/cgroup-tproxy.sh
+++ b/cgroup-tproxy.sh
@@ -84,8 +84,8 @@ case $i in
 ip -6 rule delete fwmark $fwmark lookup $table
 ip -6 route flush table $table
 ## may not exist, just ignore, and tracking their existence is not reliable
-iptables -t nat -D POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE &> /dev/null
-ip6tables -t nat -D POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE &> /dev/null
+iptables -t nat -D POSTROUTING -m owner ! --socket-exists -j MASQUERADE &> /dev/null
+ip6tables -t nat -D POSTROUTING -m owner ! --socket-exists -j MASQUERADE &> /dev/null
 exit 0
 ;;
 --config=*)
@@ -128,6 +128,8 @@ iptables -t mangle -N TPROXY_OUT
 iptables -t mangle -A TPROXY_OUT -o lo -j RETURN
 iptables -t mangle -A TPROXY_OUT -p icmp -j RETURN
 iptables -t mangle -A TPROXY_OUT -m connmark --mark $make_newin -j RETURN
+iptables -t mangle -A TPROXY_OUT -m pkttype --pkt-type broadcast -j RETURN
+iptables -t mangle -A TPROXY_OUT -m pkttype --pkt-type multicast -j RETURN
 iptables -t mangle -A TPROXY_OUT -m mark --mark $mark_noproxy -j RETURN
 iptables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_noproxy -j RETURN
 iptables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_proxy -j MARK --set-mark $fwmark
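Review bot: The stop path on the `-D POSTROUTING` lines only knows the new `-m owner ! --socket-exists` form, so a host that started the previous version of the script (which installed the `addrtype` form) and stops with this one keeps an orphaned MASQUERADE rule in nat POSTROUTING. Since this arm already tolerates rules that do not exist, keep the removed deletions alongside the new ones: `iptables -t nat -D POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE &> /dev/null` and its ip6tables twin. Longer term a dedicated nat chain that is flushed and deleted on stop would avoid tracking rule forms at all, and would also clear the duplicates a repeated start leaves behind (`-D` removes one instance per call). The case arm these lines belong to begins outside the hunk.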
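Review bot: The two `pkttype` RETURNs are inserted after the `connmark` check in this IPv4 chain but before it in the ip6tables hunk at `@@ -155`; both orders give the same result because every rule in this stretch is a RETURN, yet the two chains are meant to mirror each other, so pick one placement for both. Separately, `-m pkttype` tests the link-layer packet type, and whether the kernel has already classified a locally generated packet as broadcast/multicast when the mangle OUTPUT path runs is not something I can confirm from here (TPROXY_OUT is presumably hooked from OUTPUT; that `-A OUTPUT` line is outside the hunk). If the intent is to keep broadcast and multicast destinations out of TPROXY, `-m addrtype --dst-type BROADCAST -j RETURN` and `-m addrtype --dst-type MULTICAST -j RETURN` decide from the destination address and routing rather than from the packet type, and a look at `iptables -t mangle -L TPROXY_OUT -v` after some multicast traffic would show which form actually counts hits. The chain definition continues outside the hunk.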
@@ -155,6 +157,8 @@ ip6tables -t mangle -A PREROUTING -j TPROXY_PRE
 ip6tables -t mangle -N TPROXY_OUT
 ip6tables -t mangle -A TPROXY_OUT -o lo -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -p icmp -j RETURN
+ip6tables -t mangle -A TPROXY_OUT -m pkttype --pkt-type broadcast -j RETURN
+ip6tables -t mangle -A TPROXY_OUT -m pkttype --pkt-type multicast -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -m connmark --mark $make_newin -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -m mark --mark $mark_noproxy -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_noproxy -j RETURN
@@ -193,13 +197,14 @@ ip6tables -t mangle -I TPROXY_PRE -m addrtype ! --src-type LOCAL -m conntrack --
 ## message for user
 cat << DOC
+noproxy cgroup: $cgroup_noproxy
 proxied cgroup: $cgroup_proxy
 DOC
 if $enable_gateway; then
-iptables -t nat -A POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE
-ip6tables -t nat -A POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE
+iptables -t nat -A POSTROUTING -m owner ! --socket-exists -j MASQUERADE
+ip6tables -t nat -A POSTROUTING -m owner ! --socket-exists -j MASQUERADE
 sysctl -w net.ipv4.ip_forward=1
 sysctl -w net.ipv6.conf.all.forwarding=1
 echo "gateway enabled"
diff --git a/readme.md b/readme.md
index 85e8f17..bc9577b 100644
--- a/readme.md
+++ b/readme.md
@@ -129,8 +129,9 @@ sudo systemctl restart cgproxy.service
 ## Gateway proxy
-- set **enable_gateway=true** in `/etc/cgproxy.conf` and restart service
-- other device set this host as gateway, and set public dns if necessary
+- Set **enable_gateway=true** in `/etc/cgproxy.conf` and restart service
+- Run your proxy software in cgroup_noproxy to allow direct to internet as above. This is necessary when you use global transparent proxy the same time.
+- Other device set this host as gateway, and set public dns if necessary
 ## Other useful tools provided in this project
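Review bot: With `-m owner ! --socket-exists` and no `-o` match, the gateway branch masquerades every forwarded packet, and `sysctl -w net.ipv4.ip_forward=1` / `net.ipv6.conf.all.forwarding=1` turn forwarding on for all interfaces, so once enabled the host NATs whatever arrives on any interface, not only the LAN it is meant to serve. Restricting the rule to the upstream interface, e.g. `iptables -t nat -A POSTROUTING -o "$gateway_iface" -m owner ! --socket-exists -j MASQUERADE` (with `gateway_iface` a constructed config name; same for ip6tables), keeps the effect to the intended path. The stop arm earlier in this patch deletes the nat rules but shows no matching sysctl reset, so forwarding appears to persist after stop — that arm begins outside its hunk, so this may be handled elsewhere. The `if $enable_gateway` block closes outside the hunk.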
@@ -166,6 +167,8 @@ sudo systemctl restart cgproxy.service
 sudo setcap "cap_net_admin,cap_net_bind_service=ep" /usr/lib/v2ray/v2ray
 ```
+- Why not outbound mark solution, because in v2ray [when `"localhost"` is used, out-going DNS traffic is not controlled by V2Ray](https://www.v2fly.org/en/configuration/dns.html), so no mark at all, that's pitty.
+
 ## TIPS
 - `systemd-cgls` to see the cgroup hierarchical tree.