Jump to content

Iptables — проксирование socks5 на eth0 внутри VPN - нужна помощь в настройке


Recommended Posts

Iptables — проксирование socks5 на eth0 внутри VPN - нужна помощь в настройке

Мне нужна помощь, платная или бесплатная - все равно!

Хочу из расбери пи сделать роутер, но обратный, мануалов таких нет

К интернету расбери подключается по вайфай wlan0
Внутри развернут openvpn и тор поверх vpn, дальше трафик через Тор маршрутизируется на разьем LAN eth0

Комп подключенный по LAN к расбери получает интернет через тор, а тор в свою очередь идет через впн.
При обрыве тора или впн, на eth0 интернет обрывается

Мануалов по обратной настройке, когда к расбери по проводу подключен интернет, а через вайфай раздается впн - много.

В качестве проксируещего ПО я выбрал REDSOCKS

Tor работает на локальном порту 127.0.0.1:1080


Iptables я настроил таким образом, чтобы трафик не шел в обход OpenVPN, поэтому Тор работает только когда подключен ВПН.

Далее я проверил, самый простой вариант без redsocks - маршрутизировал трафик с tun0 на eth0 - комп через eth0 подключился, пинг проходит, но это через vpn.

Осталось правильно маршрутизировать трафик приходящий и исходящий на eth0 в redsocks.

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf


ipv6 - отключен

 

Рабочий вариант Iptables - маршрутизация VPN на eth0

 

# Generated by xtables-save
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed
# Generated by xtables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 185.111.111.111/32 -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 185.111.111.111/32 -o wlan0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed

 

Не рабочий вариант, когда eth0 должен маршрутизироваться на redsocks


 

# Generated by xtables-save
*nat
:PREROUTING ACCEPT [2:143]
:INPUT ACCEPT [1:67]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [4:268]
:REDSOCKS - [0:0]
-A PREROUTING -i eth0 -p tcp -j REDSOCKS
-A PREROUTING -i eth0 -p udp -m udp --dport 53 -j REDSOCKS
-A POSTROUTING -o tun0 -j MASQUERADE
-A OUTPUT -p tcp -m tcp --dport 53 -j REDSOCKS
-A REDSOCKS -d 0.0.0.0/8 -j RETURN
-A REDSOCKS -d 10.0.0.0/8 -j RETURN
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -d 169.254.0.0/16 -j RETURN
-A REDSOCKS -d 172.16.0.0/12 -j RETURN
-A REDSOCKS -d 192.168.0.0/16 -j RETURN
-A REDSOCKS -d 224.0.0.0/4 -j RETURN
-A REDSOCKS -d 240.0.0.0/4 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 10080
-A REDSOCKS -p udp -m udp --dport 53 -j REDIRECT --to-ports 1053
COMMIT
# Completed
# Generated by xtables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 185.111.111.111/32 -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 185.111.111.111/32 -o wlan0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed

 

Конфиг REDSOCKS
Редсокс скомплирован без shadowsocks, но для socks5 он и не нужен


 

base {
    // debug: connection progress & client list on SIGUSR1
    log_debug = off;

    // info: start and end of client session
    log_info = on;

    /* possible `log' values are:
     *   stderr
     *   "file:/path/to/file"
     *   syslog:FACILITY  facility is any of "daemon", "local0"..."local7"
     */
    log = stderr;
    // log = "file:/path/to/file";
    // log = "syslog:local7";

    // detach from console
    daemon = off;

    /* Change uid, gid and root directory, these options require root
     * privilegies on startup.
     * Note, your chroot may requre /etc/localtime if you write log to syslog.
     * Log is opened before chroot & uid changing.
     * Debian, Ubuntu and some other distributions use `nogroup` instead of
     * `nobody`, so change it according to your system if you want redsocks
     * to drop root privileges.
     */
    // user = nobody;
    // group = nobody;
    // chroot = "/var/chroot";

    /* possible `redirector' values are:
     *   iptables   - for Linux
     *   ipf        - for FreeBSD
     *   pf         - for OpenBSD
     *   generic    - some generic redirector that MAY work
     */
    redirector = iptables;

    /* Override per-socket values for TCP_KEEPIDLE, TCP_KEEPCNT,
     * and TCP_KEEPINTVL. see man 7 tcp for details.
     * `redsocks' relies on SO_KEEPALIVE option heavily. */
    //tcp_keepalive_time = 0;
    //tcp_keepalive_probes = 0;
    //tcp_keepalive_intvl = 0;

    /* Enable or disable Linux 3.9+ specific socket option SO_REUSEPORT.
     * Some older versions of Linux like CentOS 6.5 (Kernel 2.6.32) also
     # support this option.
     * Default to off.
     */
    reuseport = off;
}

redsocks {
    /* `bind' defaults to 127.0.0.1:0 for security reasons,
     * use 0.0.0.0 if you want to listen on every interface.
     * `bind' are used as ip:port to redirect to.
     */
    bind = "0.0.0.0:10080";

    // listen() queue length. Default value is SOMAXCONN and it should be
    // good enough for most of us.
    // listenq = 128; // SOMAXCONN equals 128 on my Linux box.

    // `max_accept_backoff` is a delay to retry `accept()` after accept
    // failure (e.g. due to lack of file descriptors). It's measured in
    // milliseconds and maximal value is 65535. `min_accept_backoff` is
    // used as initial backoff value and as a damper for `accept() after
    // close()` logic.
    // min_accept_backoff = 100;
    // max_accept_backoff = 60000;

    // `relay` is IP address and port of proxy-server. Domain name is not
    // supported yet.
    // Can be:
    //     [IPv6Address]:port
    //     [IPv6Address]
    //     IPv6Address
    //     IPv4Address:port
    //     IPv4Address
    // If no port is given, 0 is used. Usually, a valid port is required.
    relay = "127.0.0.1:1080";

    // known types: socks4, socks5, http-connect, http-relay
    // New types: direct, shadowsocks, https-connect
    // For type direct:
    //     if `relay` is not specified, connections will be forwarded to
    // original destinations.
    //     if `relay` is filled with valid IP address, connections will be
    // forwarded to IP address defined in `relay`. It is useful when you
    // just want to forward connections to a specific IP address without
    // transparent proxy. E.g. forward IPv4:port to IPv6:port.
    type = socks5;

    // Specify interface for outgoing connections.
    // This is useful when you have multiple connections to
    // internet or when you have VPN connections.
    // interface = tun0;

    // Change this parameter to 1 if you want auto proxy feature.
    // When autoproxy is set to non-zero, the connection to target
    // will be made directly first. If direct connection to target
    // fails for timeout/connection refuse, redsocks will try to
    // connect to target via the proxy.
    autoproxy = 0;
    // timeout is meaningful when 'autoproxy' is non-zero.
    // It specified timeout value when trying to connect to destination
    // directly. Default is 10 seconds. When it is set to 0, default
    // timeout value will be used.
    timeout = 10;

    // login = "foobar";// field 'login' is reused as encryption
                       // method of shadowsocks
    // password = "baz";
}


tcpdns {
    // Transform UDP DNS requests into TCP DNS requests.
    // You can also redirect connections to external TCP DNS server to
    // REDSOCKS transparent proxy via iptables.
    bind = "0.0.0.0:1053"; // Local server to act as DNS server
    tcpdns1 = "8.8.4.4:53";    // DNS server that supports TCP DNS requests
    tcpdns2 = "8.8.8.8" ;      // DNS server that supports TCP DNS requests
    timeout = 4;               // Timeout value for TCP DNS requests
}

 


Как правильно настроить iptables для второго нерабочего варианта или дело в чем то другом?
Кто может помочь в решинии задачи?

 

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
 Share

×
×
  • Create New...