joebloest Posted September 24, 2021
Iptables — проксирование socks5 на eth0 внутри VPN — нужна помощь в настройке
Мне нужна помощь, платная или бесплатная — все равно!
Хочу из расбери пи сделать роутер, но обратный; мануалов таких нет.
К интернету расбери подключается по вайфай (wlan0). Внутри развернут openvpn и тор поверх vpn, дальше трафик через Тор маршрутизируется на разъём LAN eth0.
Комп, подключенный по LAN к расбери, получает интернет через тор, а тор в свою очередь идет через впн. При обрыве тора или впн интернет на eth0 обрывается.
Мануалов по обратной настройке, когда к расбери по проводу подключен интернет, а через вайфай раздается впн, — много.
В качестве проксирующего ПО я выбрал REDSOCKS. Tor работает на локальном порту 127.0.0.1:1080.
Iptables я настроил таким образом, чтобы трафик не шел в обход OpenVPN, поэтому Тор работает только когда подключен ВПН.
Далее я проверил самый простой вариант без redsocks — маршрутизировал трафик с tun0 на eth0: комп через eth0 подключился, пинг проходит, но это через vpn.
Осталось правильно маршрутизировать трафик, приходящий и исходящий на eth0, в redsocks.
# ip_forward is only required by the forwarding (non-redsocks) variant below;
# note that >> appends, so re-running this line duplicates the entry.
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
ipv6 - отключен
Рабочий вариант Iptables - маршрутизация VPN на eth0
# Generated by xtables-save
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Source-NAT everything that leaves through the VPN tunnel, so forwarded
# LAN (eth0) traffic carries the tunnel address.
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed
# Generated by xtables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Every LAN host may reach every local service on the Pi (no port filter).
-A INPUT -i eth0 -j ACCEPT
# Replies from 185.111.111.111:443 -- presumably the OpenVPN server, since the
# OUTPUT rule below only lets that destination out of wlan0; confirm against
# the VPN client config.
-A INPUT -s 185.111.111.111/32 -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Anything else (in particular new connections arriving on wlan0) is rejected.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# NOTE(review): no -o restriction, so this already accepts any forwarded packet
# from eth0 and makes the next rule redundant. Should the default route fall
# back to wlan0 while tun0 is down, forwarded LAN packets would still be
# accepted here (the OUTPUT chain only governs locally generated traffic);
# keeping only "-i eth0 -o tun0" preserves the kill-switch intent.
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
# The only locally generated traffic allowed out of wlan0 is the VPN session
# itself; this is why Tor (and everything else) works only while tun0 is up.
-A OUTPUT -d 185.111.111.111/32 -o wlan0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed
Не рабочий вариант, когда eth0 должен маршрутизироваться на redsocks
# Generated by xtables-save
*nat
:PREROUTING ACCEPT [2:143]
:INPUT ACCEPT [1:67]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [4:268]
:REDSOCKS - [0:0]
# Only TCP and UDP/53 from the LAN enter the REDSOCKS chain. Any other
# protocol from eth0 (other UDP, ICMP) is not redirected: it falls through to
# the filter FORWARD chain, which accepts it, and -- assuming the default route
# is via tun0 as in the working variant -- leaves through the VPN but NOT
# through Tor. For a "Tor only" setup the FORWARD chain below should stop
# accepting forwarded eth0 traffic.
-A PREROUTING -i eth0 -p tcp -j REDSOCKS
-A PREROUTING -i eth0 -p udp -m udp --dport 53 -j REDSOCKS
-A POSTROUTING -o tun0 -j MASQUERADE
# Locally generated TCP DNS (e.g. the tcpdns upstream queries to 8.8.4.4:53
# configured below) is pushed through redsocks as well.
-A OUTPUT -p tcp -m tcp --dport 53 -j REDSOCKS
# Destinations in these ranges are NOT proxied: RETURN ends the chain, the
# packet is forwarded normally and MASQUERADEd out of tun0. Anything reachable
# inside the VPN's 10/8 or 172.16/12 space is therefore contacted directly over
# the VPN, bypassing Tor.
-A REDSOCKS -d 0.0.0.0/8 -j RETURN
-A REDSOCKS -d 10.0.0.0/8 -j RETURN
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -d 169.254.0.0/16 -j RETURN
-A REDSOCKS -d 172.16.0.0/12 -j RETURN
-A REDSOCKS -d 192.168.0.0/16 -j RETURN
-A REDSOCKS -d 224.0.0.0/4 -j RETURN
-A REDSOCKS -d 240.0.0.0/4 -j RETURN
# Ports must match the redsocks "bind" values: 10080 for the socks5 section,
# 1053 for the tcpdns section. A REDIRECTed packet is delivered locally (filter
# INPUT, not FORWARD), so "-A INPUT -i eth0 -j ACCEPT" below is what lets it
# reach redsocks.
-A REDSOCKS -p tcp -j REDIRECT --to-ports 10080
-A REDSOCKS -p udp -m udp --dport 53 -j REDIRECT --to-ports 1053
COMMIT
# Completed
# Generated by xtables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 185.111.111.111/32 -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Same unrestricted forward as in the working variant: everything from eth0
# that the nat chain did not redirect is forwarded (see note on the nat table).
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
# Differs from the working variant: tun0 -> eth0 is now limited to
# established flows.
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
# redsocks -> Tor goes over lo; Tor's own connections go over tun0.
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 185.111.111.111/32 -o wlan0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed
Конфиг REDSOCKS
Редсокс скомплирован без shadowsocks, но для socks5 он и не нужен
base {
    // debug: connection progress & client list on SIGUSR1
    log_debug = off;
    // info: start and end of client session
    log_info = on;
    /* possible `log' values are:
     *   stderr
     *   "file:/path/to/file"
     *   syslog:FACILITY  facility is any of "daemon", "local0"..."local7"
     */
    log = stderr;
    // log = "file:/path/to/file";
    // log = "syslog:local7";
    // detach from console
    daemon = off;
    /* Change uid, gid and root directory, these options require root
     * privilegies on startup.
     * Note, your chroot may requre /etc/localtime if you write log to syslog.
     * Log is opened before chroot & uid changing.
     * Debian, Ubuntu and some other distributions use `nogroup` instead of
     * `nobody`, so change it according to your system if you want redsocks
     * to drop root privileges.
     */
    // NOTE(review): with all three left commented out, redsocks keeps running
    // as root while accepting connections from the LAN; dropping privileges
    // as described above limits what a bug in it could do.
    // user = nobody;
    // group = nobody;
    // chroot = "/var/chroot";
    /* possible `redirector' values are:
     *   iptables   - for Linux
     *   ipf        - for FreeBSD
     *   pf         - for OpenBSD
     *   generic    - some generic redirector that MAY work
     */
    redirector = iptables;
    /* Override per-socket values for TCP_KEEPIDLE, TCP_KEEPCNT,
     * and TCP_KEEPINTVL. see man 7 tcp for details.
     * `redsocks' relies on SO_KEEPALIVE option heavily.
     */
    //tcp_keepalive_time = 0;
    //tcp_keepalive_probes = 0;
    //tcp_keepalive_intvl = 0;
    /* Enable or disable Linux 3.9+ specific socket option SO_REUSEPORT.
     * Some older versions of Linux like CentOS 6.5 (Kernel 2.6.32) also
     # support this option.
     * Default to off.
     */
    reuseport = off;
}
redsocks {
    /* `bind' defaults to 127.0.0.1:0 for security reasons,
     * use 0.0.0.0 if you want to listen on every interface.
     * `bind' are used as ip:port to redirect to.
     */
    // Target of the iptables "REDIRECT --to-ports 10080". Binding 0.0.0.0
    // also opens this port on wlan0; only the filter INPUT chain (default
    // REJECT, new connections accepted from lo and eth0 only) keeps it
    // LAN-side.
    bind = "0.0.0.0:10080";
    // listen() queue length. Default value is SOMAXCONN and it should be
    // good enough for most of us.
    // listenq = 128; // SOMAXCONN equals 128 on my Linux box.
    // `max_accept_backoff` is a delay to retry `accept()` after accept
    // failure (e.g. due to lack of file descriptors). It's measured in
    // milliseconds and maximal value is 65535. `min_accept_backoff` is
    // used as initial backoff value and as a damper for `accept() after
    // close()` logic.
    // min_accept_backoff = 100;
    // max_accept_backoff = 60000;
    // `relay` is IP address and port of proxy-server. Domain name is not
    // supported yet.
    // Can be:
    //   [IPv6Address]:port
    //   [IPv6Address]
    //   IPv6Address
    //   IPv4Address:port
    //   IPv4Address
    // If no port is given, 0 is used. Usually, a valid port is required.
    // Tor's SOCKS port (127.0.0.1:1080 per the description above).
    relay = "127.0.0.1:1080";
    // known types: socks4, socks5, http-connect, http-relay
    // New types: direct, shadowsocks, https-connect
    // For type direct:
    //   if `relay` is not specified, connections will be forwarded to
    //   original destinations.
    //   if `relay` is filled with valid IP address, connections will be
    //   forwarded to IP address defined in `relay`. It is useful when you
    //   just want to forward connections to a specific IP address without
    //   transparent proxy. E.g. forward IPv4:port to IPv6:port.
    // Name lookups for LAN clients are answered by tcpdns1/tcpdns2 below
    // (reached through this relay via the nat OUTPUT rule), not by Tor's own
    // resolver.
    type = socks5;
    // Specify interface for outgoing connections.
    // This is useful when you have multiple connections to
    // internet or when you have VPN connections.
    // Not needed here: redsocks' only outgoing connections go to the relay on
    // loopback.
    // interface = tun0;
    // Change this parameter to 1 if you want auto proxy feature.
    // When autoproxy is set to non-zero, the connection to target
    // will be made directly first. If direct connection to target
    // fails for timeout/connection refuse, redsocks will try to
    // connect to target via the proxy.
    // Keep at 0: per the comment above, a non-zero value tries a direct
    // connection first, which would send LAN traffic around Tor.
    autoproxy = 0;
    // timeout is meaningful when 'autoproxy' is non-zero.
    // It specified timeout value when trying to connect to destination
    // directly. Default is 10 seconds. When it is set to 0, default
    // timeout value will be used.
    timeout = 10;
    // login = "foobar";// field 'login' is reused as encryption
    //                  // method of shadowsocks
    // password = "baz";
}
tcpdns {
    // Transform UDP DNS requests into TCP DNS requests.
    // You can also redirect connections to external TCP DNS server to
    // REDSOCKS transparent proxy via iptables.
    // Target of the iptables "REDIRECT --to-ports 1053" for UDP/53 from eth0.
    bind = "0.0.0.0:1053"; // Local server to act as DNS server
    tcpdns1 = "8.8.4.4:53"; // DNS server that supports TCP DNS requests
    // NOTE(review): unlike tcpdns1 this has no port and a stray space before
    // the ';'. The relay comment above says a missing port means 0 -- confirm
    // that tcpdns defaults to 53 here, or write "8.8.8.8:53".
    tcpdns2 = "8.8.8.8" ; // DNS server that supports TCP DNS requests
    timeout = 4; // Timeout value for TCP DNS requests
}
Как правильно настроить iptables для второго нерабочего варианта или дело в чем то другом?
Кто может помочь в решинии задачи?