V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
Jinnrry
V2EX  ›  DNS

向资深软路由玩家提问,关于 lede 项目 DNS 的设置

  •  
  •   Jinnrry · 188 天前 · 2870 次点击
    这是一个创建于 188 天前的主题,其中的信息可能已经有所发展或是发生改变。

    背景:基于最新 lede 代码编译,开启 SSR-Plus

    我登录路由器,ps 可以看到

    dns2tcp -L 127.0.0.1#5335 -R 8.8.8.8#53
    chinadns-ng -l 5333 -4 china -p 3 -c 114.114.114.114 -t 127.0.0.1#5335 -N -f -r
    dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c
    

    dnsmasq 的上游服务器配置为resolv-file=/tmp/resolv.conf.d/resolv.conf.auto

    该文件内容: (均为 Wan 下发的 DNS 地址)

    # Interface wan
    nameserver xxxxxxxxxxxxxxx
    nameserverxxxxxxxxxxxxxxx
    # Interface wan6
    nameserver xxxxxxxxxxxxxxx
    # Interface wan_6
    nameserver xxxxxxxxxxxxxxx
    nameserver xxxxxxxxxxxxxxx
    

    这里 chinadns-ng 和 dns2tcp 我能理解,chinadns-ng 将国内 dns 查询分流到 114 ,将海外 dns 查询转到 dns2tcp ,然后 dns2tcp 又去 8.8.8.8 查询 DNS 记录。

    但是!这个 dnsmasq 我就不理解了,53 端口是 dnsmasq 占用的,我电脑默认应该是访问路由器 53 端口查 DNS ,也就是访问 dnsmasq 的 DNS 服务,这样一来,chinadns-ng 的服务不就相当于没用上吗? dnsmasq 上游都是 wan 下发的 DNS 服务器,那这样是如何防止 DNS 污染呢?

    但最终结果好像又不是这样的,实际使用好像又没有出现 DNS 污染,那这样的话 dnsmasq 究竟在哪配置把流量导入 chinadns-ng 的呢?我研究了非常久,dnsmasq 明明就是使用的 wan 下发 DNS 呀,没有其他的上游设置了

    34 条回复    2024-05-20 17:03:28 +08:00
    defunct9
        1
    defunct9  
       188 天前
    看看 iptable
    Jinnrry
        2
    Jinnrry  
    OP
       188 天前
    @defunct9 iptable 我不怎么熟,但是 iptables -S 看起来也没有 53 端口相关的转发吧

    -P INPUT ACCEPT
    -P FORWARD DROP
    -P OUTPUT ACCEPT
    -N MINIUPNPD
    -N forwarding_lan_rule
    -N forwarding_rule
    -N forwarding_wan_rule
    -N input_lan_rule
    -N input_rule
    -N input_wan_rule
    -N output_lan_rule
    -N output_rule
    -N output_wan_rule
    -N reject
    -N syn_flood
    -N zone_lan_dest_ACCEPT
    -N zone_lan_forward
    -N zone_lan_input
    -N zone_lan_output
    -N zone_lan_src_ACCEPT
    -N zone_wan_dest_ACCEPT
    -N zone_wan_dest_REJECT
    -N zone_wan_forward
    -N zone_wan_input
    -N zone_wan_output
    -N zone_wan_src_REJECT
    -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
    -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
    -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
    -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
    -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
    -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
    -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
    -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
    -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
    -A FORWARD -m comment --comment "!fw3" -j reject
    -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
    -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
    -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
    -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
    -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
    -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
    -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
    -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
    -A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
    -A syn_flood -m comment --comment "!fw3" -j DROP
    -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
    -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
    -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
    -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
    -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
    -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
    -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
    -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
    -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
    -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
    -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
    -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
    -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
    -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
    -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
    -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
    -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
    -A zone_wan_forward -j MINIUPNPD
    -A zone_wan_forward -j MINIUPNPD
    -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
    -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
    -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
    -A zone_wan_forward -p tcp -m tcp --dport 7744 -m comment --comment "!fw3: vpn" -j zone_lan_dest_ACCEPT
    -A zone_wan_forward -p tcp -m tcp --dport 56471 -m comment --comment "!fw3: QBittorrent" -j zone_lan_dest_ACCEPT
    -A zone_wan_forward -p tcp -m tcp --dport 51413 -m comment --comment "!fw3: Transmission" -j zone_lan_dest_ACCEPT
    -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
    -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
    -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
    -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
    -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
    -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
    -A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT
    -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
    -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
    -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
    -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
    -A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
    -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
    kursk
        3
    kursk  
       188 天前
    简单来说,DNSMASQ 有两个参数 server 和 ipset 发挥的作用

    server 的作用是将指定的域名交给指定的域名服务器解析,并将 ip 存入 ipset 中,iptables 再将目标地址为这个 ipset 的 package 转发到科学上网的端口或线路上

    你研究一下这个参数的说明

    -S, --local, --server=[/[<domain>]/[domain/]][<server>[#<port>]][@<interface>][@<source-ip>[#<port>]]
    Specify upstream servers directly. Setting this flag does not suppress reading of /etc/resolv.conf, use --no-resolv to do that. If one or more optional domains are given, that server is used only for those domains and they are queried only using the specified server. This is intended for private nameservers: if you have a nameserver on your network which deals with names of the form xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving the flag --server=/internal.thekelleys.org.uk/192.168.1.1 will send all queries for internal machines to that nameserver, everything else will go to the servers in /etc/resolv.conf. DNSSEC validation is turned off for such private nameservers, UNLESS a --trust-anchor is specified for the domain in question. An empty domain specification, // has the special meaning of "unqualified names only" ie names without any dots in them. A non-standard port may be specified as part of the IP address using a # character. More than one --server flag is allowed, with repeated domain or ipaddr parts as required.
    More specific domains take precedence over less specific domains, so: --server=/google.com/1.2.3.4 --server=/www.google.com/2.3.4.5 will send queries for google.com and gmail.google.com to 1.2.3.4, but www.google.com will go to 2.3.4.5

    Matching of domains is normally done on complete labels, so /google.com/ matches google.com and www.google.com but NOT supergoogle.com. This can be overridden with a * at the start of a pattern only: /*google.com/ will match google.com and www.google.com AND supergoogle.com. The non-wildcard form has priority, so if /google.com/ and /*google.com/ are both specified then google.com and www.google.com will match /google.com/ and /*google.com/ will only match supergoogle.com.

    For historical reasons, the pattern /.google.com/ is equivalent to /google.com/ if you wish to match any subdomain of google.com but NOT google.com itself, use /*.google.com/

    The special server address '#' means, "use the standard servers", so --server=/google.com/1.2.3.4 --server=/www.google.com/# will send queries for google.com and its subdomains to 1.2.3.4, except www.google.com (and its subdomains) which will be forwarded as usual.

    Also permitted is a -S flag which gives a domain but no IP address; this tells dnsmasq that a domain is local and it may answer queries from /etc/hosts or DHCP but should never forward queries on that domain to any upstream servers. --local is a synonym for --server to make configuration files clearer in this case.

    IPv6 addresses may include an %interface scope-id, eg fe80::202:a412:4512:7bbf%eth0.

    The optional string after the @ character tells dnsmasq how to set the source of the queries to this nameserver. It can either be an ip-address, an interface name or both. The ip-address should belong to the machine on which dnsmasq is running, otherwise this server line will be logged and then ignored. If an interface name is given, then queries to the server will be forced via that interface; if an ip-address is given then the source address of the queries will be set to that address; and if both are given then a combination of ip-address and interface name will be used to steer requests to the server. The query-port flag is ignored for any servers which have a source address specified but the port may be specified directly as part of the source address. Forcing queries to an interface is not implemented on all platforms supported by dnsmasq.

    Upstream servers may be specified with a hostname rather than an IP address. In this case, dnsmasq will try to use the system resolver to get the IP address of a server during startup. If name resolution fails, starting dnsmasq fails, too. If the system's configuration is such that the system resolver sends DNS queries through the dnsmasq instance which is starting up then this will time-out and fail.

    https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html#index
    defunct9
        4
    defunct9  
       188 天前
    dnsmasq.conf 贴出来看看
    kursk
        5
    kursk  
       188 天前
    另外说一下,server 和 ipset 这两个参数一般不在那个/var/etc/dnsmasq.conf.cfg01411c 配置文件中,但是你查看一下配置文件中的 conf-file 参数对应的目录下,应该有使用 server 和 ipset 的配置文件。

    一般使用的是/tmp/dnsmasq.d/
    Jinnrry
        6
    Jinnrry  
    OP
       188 天前
    @defunct9 #4

    # auto-generated config file from /etc/config/dhcp
    conf-file=/etc/dnsmasq.conf
    dhcp-authoritative
    domain-needed
    localise-queries
    read-ethers
    enable-ubus=dnsmasq
    expand-hosts
    bind-dynamic
    local-service
    cache-size=8192
    edns-packet-max=1232
    domain=lan
    local=/lan/
    server=/docker.io/127.0.0.1#5333
    addn-hosts=/tmp/hosts
    dhcp-leasefile=/tmp/dhcp.leases
    resolv-file=/tmp/resolv.conf.d/resolv.conf.auto
    stop-dns-rebind
    rebind-localhost-ok
    dhcp-broadcast=tag:needs-broadcast
    conf-dir=/tmp/dnsmasq.d
    user=dnsmasq
    group=dnsmasq


    dhcp-ignore-names=tag:dhcp_bogus_hostname
    conf-file=/usr/share/dnsmasq/dhcpbogushostname.conf

    srv-host=_vlmcs._tcp,OpenWrt,1688,0,100

    bogus-priv
    conf-file=/usr/share/dnsmasq/rfc6761.conf
    dhcp-range=set:lan,192.168.0.100,192.168.0.249,255.255.0.0,120h
    no-dhcp-interface=pppoe-wan
    Jinnrry
        7
    Jinnrry  
    OP
       188 天前
    @Jinnrry #6 /etc/dnsmasq.conf 这个文件里面只有一行 log-facility=/dev/null ,其他都是注释
    Puteulanus
        8
    Puteulanus  
       188 天前
    /var/etc/dnsmasq.conf.cfg01411c 这个文件里应该有这一行吧
    conf-dir=/tmp/dnsmasq.d

    然后 /tmp/dnsmasq.d 里有
    root@iStoreOS:~# cat /tmp/dnsmasq.d/dnsmasq-ssrplus.conf
    conf-dir=/tmp/dnsmasq.d/dnsmasq-ssrplus.d

    通过这种方式给 dnsmasq 追加了设置
    kursk
        9
    kursk  
       188 天前
    server=/docker.io/127.0.0.1#5333

    这个配置就是将 docker.io 这个域名由 127.0.0.1 5353 端口的域名服务进行解析
    Jinnrry
        10
    Jinnrry  
    OP
       188 天前
    @kursk #5 我靠,大佬厉害,按照你说的,我找到配置了。

    在/var/etc/dnsmasq.conf.cfg01411c 这个文件中额外加了一个配置文件路径`conf-dir=/tmp/dnsmasq.d`

    /tmp/dnsmasq.d 这个文件夹里面有完整的分流规则
    Jinnrry
        11
    Jinnrry  
    OP
       188 天前
    @kursk #9 这一条是我自己手动加的
    Jinnrry
        12
    Jinnrry  
    OP
       188 天前
    @Puteulanus 是的,感谢大佬
    Puteulanus
        13
    Puteulanus  
       188 天前
    我没跑 SSR-Plus ,给你看看 Passwall 的,基本也是这么个流程,最后追到 /tmp/dnsmasq.d/dnsmasq-passwall.conf 里:
    conf-dir=/tmp/dnsmasq.d/passwall
    server=127.0.0.1#15354
    all-servers
    no-poll
    no-resolv
    这就把 server 给设置到 ChinaDNS-NG 头上了
    defunct9
        14
    defunct9  
       188 天前
    server=/docker.io/127.0.0.1#5333

    就是这句
    kursk
        15
    kursk  
       188 天前
    @Jinnrry server 参数要配合 ipset 一起使用才能实现科学上网
    Jinnrry
        16
    Jinnrry  
    OP
       188 天前
    @kursk #15 我加 server=/docker.io/127.0.0.1#5333 是为了让 docker.io 走 chinadns 去解析,因为我看 chinadns 是禁止 ipv6 的。dnsmasq 会返回 ipv6 地址,我梯子服务器没有 ipv6 ,linux 默认优先使用 ipv6 ,就导致 docker pull 不能走代理。

    我在 openwrt 好像找不到加 ipset 的地方?只有一个 DNS 转发可以设置 server ,硬编码改配置文件的话感觉不太优雅
    Jinnrry
        17
    Jinnrry  
    OP
       188 天前
    @defunct9 #14 感谢 ssh 哥
    Jinnrry
        18
    Jinnrry  
    OP
       188 天前
    @kursk #3 再请教一下,“iptables 再将目标地址为这个 ipset 的 package 转发到科学上网的端口或线路上” 这个配置是在哪呢? 我用 iptables -L 看,好像没找到相关的配置呢
    Jinnrry
        19
    Jinnrry  
    OP
       188 天前
    @Puteulanus #13
    @kursk #3

    我又研究了一下 SSR-PLUS 的强制代理,我发现设置某个域名强制走代理,其实只是加了一个`server=/docker.io/127.0.0.1#5335` 这样的设置,并没有设置 ipset ,这样强制 dns 使用海外 dns 解析,那如果向 docker 这个域名,返回 ipv6 的解析结果,我服务器不支持 ipv6 的话其实没啥用吧
    kursk
        20
    kursk  
       188 天前
    @Jinnrry iptables 的配置与具体的采用的科学上网的工具有关

    比如你使用 gost 作为科学上网工具,在本地开了 18443 作为端口转发,那么整体配置思路如下

    在 dnsmasq 中的配置
    server=/docker.io/127.0.0.1#10053
    nftset=/docker.io/4#inet#wgcross#crs_dst

    以上配置的作用是将 docker.io 的域名交给 127.0.0.1#10053 这个域名解析服务器解析,返回的 ip 存到 nft table 名为 wgcross 的 ipset crs_dst 中

    说明一下:因为我使用的 openwrt23.05 已经是 firewell 4 了,而 firewell 4 使用 nftables 代替了 iptables ,所以与你使用的 firewell 3 的配置参数不同,但是思路是一样的

    然后我的 nftables 的配置中就有如下一项

    nft add rule inet wgcross PREROUTING ip daddr @crs_dst meta l4proto {tcp,udp} redirect to :18443

    这个命令在 nft table 名为 wgcross 中增加了一条规则,将目标地址在 ipset crs_dst 中的 tcp 和 udp 包都专发到本地的 18443 端口上

    所以通过 server ,nftset(firewell 3 是 ipset)解决 DNS 域名污染并存储了对应域名的目标 ip ,再通过 iptables 实现了目标 ip 转发到指定端口

    我记得 iptables -L 默认是 NAT 表,一般转发规则在 PREROUTING 表中,你可能对 iptables 的几个表的使用不理解,你看看我写的这篇文章 https://mp.weixin.qq.com/s?__biz=Mzg3OTYwMTE1NA==&mid=2247483967&idx=1&sn=ed36e7007329ad78cf55c91fbed7b0b8&chksm=cf00b152f877384447032ecb2f5500f902941980683977e2d301f6e581599509f20121161889&token=111951293&lang=zh_CN#rd
    可能对你有所启发
    Puteulanus
        21
    Puteulanus  
       188 天前
    @Jinnrry SSR-PLUS 我不清楚,像 Passwall ( xray ?)默认情况下解析的 IP 是没用的,可能只是用作“走代理还是直连”的判定,实际被判定成走代理的话请求好像是会被发到代理服务器再去解析的,我在本地 hosts 里把谷歌域名指向 1.1.1.1 或者随手乱输的 IP ,它都能照常上
    kursk
        22
    kursk  
       188 天前
    @Jinnrry 那就不用 ipv6

    gost,v2ray ,现在能用的工具很多。gost 是肯定可以在 ARM 上用的,就是要路由器的内存大点
    kursk
        23
    kursk  
       188 天前
    说错了

    iptables -L 这个命令默认查询的是 filter 表,但一般在 nat 表,所以命令应该这么写

    iptables -t nat -L -v -n
    Jinnrry
        24
    Jinnrry  
    OP
       188 天前 via Android
    @kursk 感谢回复,我也是 firewell4 ,nftables 和 iptables 我确实都不怎么熟悉,我照着你的思路研究一下先
    Jinnrry
        25
    Jinnrry  
    OP
       188 天前 via Android
    @kursk 好的,感谢
    yyzh
        26
    yyzh  
       188 天前 via Android
    @kursk LEDE 也是用的 FW4 的,都没差 https://github.com/coolsnowwolf/lede/commits/master/
    Jinnrry
        27
    Jinnrry  
    OP
       188 天前
    Chain SS_SPEC_WAN_FW (4 references)
    pkts bytes target prot opt in out source destination
    49 2940 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,53,587,465,995,993,143,80,443,853,9418 redir ports 1234

    通过 iptables -t nat -L -v -n 可以找到这样一条转发规则,我 ssr-plus 里面目前设置的仅常用端口代理,这时通过 iptables 把这些常用端口的流量转发到了 1234 端口,1234 端口是 xray 的端口,这样就把流量都给 xray 代理了


    @kursk #23 大佬,再请教下,我目前设置的是非国内 ip 代理,那这个 ip 分流又是在哪做的呢,我检查了 xray 的配置文件,发现 xray 配置文件里面没有路由字段,说明 xray 仅仅是把 input 流量转发到 output 里面去,并没有利用 xray 的分流能力。

    除此之外,naive 客户端应该是没有分流能力的,因此 ssr-plus 肯定不是利用各个代理程序做的分流,所以这个 ip 分流策略又是在哪呢

    这个 iptable 规则看起来,也没有什么分流设置呢,而且我看了 1234 端口,确实是 xray 处理了,这中间应该也没其他分流程序了
    kursk
        28
    kursk  
       188 天前
    @Jinnrry 如果策略是“非国内 ip 代理”,那么肯定有针对目标地址的转发规则,你现在找到这个是针对目标端口的转发,不是这个

    你把 iptables -t nat -L -v -n 的结果全部贴出来看看
    kursk
        29
    kursk  
       188 天前
    不过我有点不明白,如果你的路由器使用 FW4 ,iptables 命令应该不能执行吧?如果 iptables 命令能执行成功,那就应该是 FW3 啊
    xiaoranj
        30
    xiaoranj  
       188 天前
    直接用 nextdns.io
    Jinnrry
        31
    Jinnrry  
    OP
       188 天前
    @kursk #28

    Chain PREROUTING (policy ACCEPT 7861 packets, 601K bytes)
    pkts bytes target prot opt in out source destination
    3187 191K SS_SPEC_WAN_AC tcp -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* _SS_SPEC_RULE_ */
    693K 54M prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom prerouting rule chain */
    692K 53M zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
    838 245K zone_wan_prerouting all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
    0 0 zone_wan_prerouting all -- eth1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

    Chain INPUT (policy ACCEPT 6615 packets, 455K bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 2812 packets, 202K bytes)
    pkts bytes target prot opt in out source destination
    763 45780 SS_SPEC_WAN_AC tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* _SS_SPEC_RULE_ */

    Chain POSTROUTING (policy ACCEPT 3366 packets, 233K bytes)
    pkts bytes target prot opt in out source destination
    737K 56M postrouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom postrouting rule chain */
    35025 3178K zone_lan_postrouting all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
    517K 39M zone_wan_postrouting all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
    0 0 zone_wan_postrouting all -- * eth1 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

    Chain MINIUPNPD (2 references)
    pkts bytes target prot opt in out source destination

    Chain MINIUPNPD-POSTROUTING (2 references)
    pkts bytes target prot opt in out source destination

    Chain SS_SPEC_WAN_AC (2 references)
    pkts bytes target prot opt in out source destination
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set whitelist dst
    0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set blacklist dst
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bplan src
    0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set fplan src
    75 4500 RETURN tcp -- * * 0.0.0.0/0 45.78.45.70 tcp dpt:!53
    61 3680 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ss_spec_wan_ac dst
    572 34320 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set china dst
    0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set gmlan src ! match-set china dst
    3242 195K SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain SS_SPEC_WAN_FW (4 references)
    pkts bytes target prot opt in out source destination
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/8
    0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8
    0 0 RETURN all -- * * 0.0.0.0/0 127.0.0.0/8
    0 0 RETURN all -- * * 0.0.0.0/0 169.254.0.0/16
    0 0 RETURN all -- * * 0.0.0.0/0 172.16.0.0/12
    0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16
    0 0 RETURN all -- * * 0.0.0.0/0 224.0.0.0/4
    0 0 RETURN all -- * * 0.0.0.0/0 240.0.0.0/4
    3188 191K REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,53,587,465,995,993,143,80,443,853,9418 redir ports 1234

    Chain postrouting_lan_rule (1 references)
    pkts bytes target prot opt in out source destination

    Chain postrouting_rule (1 references)
    pkts bytes target prot opt in out source destination

    Chain postrouting_wan_rule (1 references)
    pkts bytes target prot opt in out source destination

    Chain prerouting_lan_rule (1 references)
    pkts bytes target prot opt in out source destination

    Chain prerouting_rule (1 references)
    pkts bytes target prot opt in out source destination

    Chain prerouting_wan_rule (1 references)
    pkts bytes target prot opt in out source destination

    Chain zone_lan_postrouting (1 references)
    pkts bytes target prot opt in out source destination
    35025 3178K postrouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan postrouting rule chain */

    Chain zone_lan_prerouting (1 references)
    pkts bytes target prot opt in out source destination
    692K 53M prerouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan prerouting rule chain */

    Chain zone_wan_postrouting (2 references)
    pkts bytes target prot opt in out source destination
    517K 39M MINIUPNPD-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
    517K 39M MINIUPNPD-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
    517K 39M postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan postrouting rule chain */
    517K 39M MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ mode: fullcone

    Chain zone_wan_prerouting (2 references)
    pkts bytes target prot opt in out source destination
    838 245K MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
    838 245K MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
    838 245K prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan prerouting rule chain */
    Jinnrry
        32
    Jinnrry  
    OP
       188 天前
    @kursk #29 好像确实是 fw3 ,我之前看网上说最新版本是 fw4 了,可能是我编译的时候哪里配置没勾选把,还是 fw3
    kursk
        33
    kursk  
       185 天前
    @Jinnrry 转发规则主要体现在这两个 chain 上

    Chain PREROUTING (policy ACCEPT 7861 packets, 601K bytes)
    pkts bytes target prot opt in out source destination
    3187 191K SS_SPEC_WAN_AC tcp -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* _SS_SPEC_RULE_ */
    693K 54M prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom prerouting rule chain */
    692K 53M zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
    838 245K zone_wan_prerouting all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
    0 0 zone_wan_prerouting all -- eth1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

    Chain SS_SPEC_WAN_AC (2 references)
    pkts bytes target prot opt in out source destination
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set whitelist dst
    0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set blacklist dst
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bplan src
    0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set fplan src
    75 4500 RETURN tcp -- * * 0.0.0.0/0 45.78.45.70 tcp dpt:!53
    61 3680 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ss_spec_wan_ac dst
    572 34320 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set china dst
    0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set gmlan src ! match-set china dst
    3242 195K SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain SS_SPEC_WAN_FW (4 references)
    pkts bytes target prot opt in out source destination
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/8
    0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8
    0 0 RETURN all -- * * 0.0.0.0/0 127.0.0.0/8
    0 0 RETURN all -- * * 0.0.0.0/0 169.254.0.0/16
    0 0 RETURN all -- * * 0.0.0.0/0 172.16.0.0/12
    0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16
    0 0 RETURN all -- * * 0.0.0.0/0 224.0.0.0/4
    0 0 RETURN all -- * * 0.0.0.0/0 240.0.0.0/4
    3188 191K REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,53,587,465,995,993,143,80,443,853,9418 redir ports 1234

    从 Chain PREROUTING -> Chain SS_SPEC_WAN_AC -> Chain SS_SPEC_WAN_FW

    规则采用目标地址匹配,就是这行 rule
    SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set blacklist dst

    blacklist 应该是所有需要科学上网的域名返回的 ip 地址,所有流量包的目标地址只要存在于 blacklist ipset 中,就会进入 Chain SS_SPEC_WAN_AC

    你可以用 ipset list blacklist 命令看一下哪些 ip 是目标 ip

    而 Chain SS_SPEC_WAN_FW 的最后一行 rule
    REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,53,587,465,995,993,143,80,443,853,9418 redir ports 1234

    再排除了局域网 ip(172.16.0.0/12,192.168.0.0/16.....)后,剩下的都应该是需要科学上网的域名,且如果目标端口是 22,53,587,465,995,993,143,80,443,853,9418,就重定向到 1234 端口(如你所言,是 v2ray 的端口)

    所以采用的是目标地址匹配的方法
    Jinnrry
        34
    Jinnrry  
    OP
       185 天前 via Android
    @kursk 哦哦,我这下明白了,dnsmasq 解析域名的时候通过 ipset 给 ip 打了 blacklist tag ,然后再通过 iptabls 这里的规则做了转发

    感谢大佬,整个流程瞬间清晰明了
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   3106 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 21ms · UTC 12:46 · PVG 20:46 · LAX 04:46 · JFK 07:46
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.