当前位置: 首页 > Linux相关 > 正文

Linux利用Redsocks实现shadowsocks全局代-理

     shadowsocks是由网友开发的开源代理软件,项目的源代码托管在github.com, 当然你也可以到shadowsocks的主页下载编译好的客户端程序,目前shadowsocks支持windows,linux,Android以及Mac OS.

    不同于VP-N,shadowsocks和ssh代-理一样,是局部的代理,因此如果要将局部代-理配置成全局的,需要额外的配置,本文就结合自己的在linux系统上配置全局代-理的过程,总结后发表出来,希望能够帮助到有需要的朋友.

   第一步,安装redsocks

redsocks的代码同样托管在github.com,下载源码后编译即可:

git clone https://github.com/darkk/redsocks
cd redsocks
make

需要注意的是,redsocks依赖libevent,如果没有安装的话,make的时候将会报错:

ubuntu/debain系统通过以下命令安装:

#Ubuntu/Debain
sudo apt-get install libevent-dev

Redhat/Centos通过以下命令安装

#CentOS/RedHat
sudo yum install libevent-dev

第二步:运行shadowsocks

    如果你已经运行了shadowsocks,跳过即可,具体的shadowssocks服务器部署教程可以参考官方的文档,本文默认你已经部署好了shadowsocks服务器

第三步: 配置redsocks

        将redsocks源码目录下的redsocks.conf.example复制为redsocks.conf,编辑redsocks.conf

base {

	// debug: connection progress & client list on SIGUSR1
	log_debug = on;

	// info: start and end of client session
	log_info = on;

	/* possible `log' values are:
	 *   stderr
	 *   "file:/path/to/file"
	 *   syslog:FACILITY  facility is any of "daemon", "local0"..."local7"
	 */
	log = stderr;
	// log = "file:/path/to/file";
	// log = "syslog:local7";

	// detach from console
	daemon = off;

	/* Change uid, gid and root directory, these options require root
	 * privilegies on startup.
	 * Note, your chroot may requre /etc/localtime if you write log to syslog.
	 * Log is opened before chroot & uid changing.
	 */
	// user = nobody;
	// group = nobody;
	// chroot = "/var/chroot";

	/* possible `redirector' values are:
	 *   iptables   - for Linux
	 *   ipf        - for FreeBSD
	 *   pf         - for OpenBSD
	 *   generic    - some generic redirector that MAY work
	 */
	redirector = iptables;
}

redsocks {
	/* `local_ip' defaults to 127.0.0.1 for security reasons,
	 * use 0.0.0.0 if you want to listen on every interface.
	 * `local_*' are used as port to redirect to.
	 */
	local_ip = 127.0.0.1;
	local_port = 12345;   //记住这个端口,这个是redsocks运行的端口

	// listen() queue length. Default value is SOMAXCONN and it should be
	// good enough for most of us.
	// listenq = 128; // SOMAXCONN equals 128 on my Linux box.

	// `max_accept_backoff` is a delay to retry `accept()` after accept
	// failure (e.g. due to lack of file descriptors). It's measured in
	// milliseconds and maximal value is 65535. `min_accept_backoff` is
	// used as initial backoff value and as a damper for `accept() after
	// close()` logic.
	// min_accept_backoff = 100;
	// max_accept_backoff = 60000;

	// `ip' and `port' are IP and tcp-port of proxy-server
	// You can also use hostname instead of IP, only one (random)
	// address of multihomed host will be used.
	ip = 127.0.0.1; //这个是代-理服务器的端口,如果你本地运行shadows,需要将ip设置为127.0.0.1
	port = 1080; //编辑这个端口值,修改为本地shadowsocks运行的端口


	// known types: socks4, socks5, http-connect, http-relay
	type = socks5;

	// login = "foobar";
	// password = "baz";
}

redudp {
	// `local_ip' should not be 0.0.0.0 as it's also used for outgoing
	// packets that are sent as replies - and it should be fixed
	// if we want NAT to work properly.
	local_ip = 127.0.0.1;
	local_port = 10053;

	// `ip' and `port' of socks5 proxy server.
	ip = 10.0.0.1;
	port = 1080;
	login = username;
	password = pazzw0rd;

	// redsocks knows about two options while redirecting UDP packets at
	// linux: TPROXY and REDIRECT.  TPROXY requires more complex routing
	// configuration and fresh kernel (>= 2.6.37 according to squid
	// developers[1]) but has hack-free way to get original destination
	// address, REDIRECT is easier to configure, but requires `dest_ip` and
	// `dest_port` to be set, limiting packet redirection to single
	// destination.
	// [1] http://wiki.squid-cache.org/Features/Tproxy4
	dest_ip = 8.8.8.8;
	dest_port = 53;

	udp_timeout = 30;
	udp_timeout_stream = 180;
}

dnstc {
	// fake and really dumb DNS server that returns "truncated answer" to
	// every query via UDP, RFC-compliant resolver should repeat same query
	// via TCP in this case.
	local_ip = 127.0.0.1;
	local_port = 5300;
}

// you can add more `redsocks' and `redudp' sections if you need.

需要特别注意的是,如果你使用的是普通的代-理,那么需要修改redsocks里面的ip为你的服务器的地址

第四步:配置Iptables

           全局代-理是核心就是iptables规则了,这里首先假定 $SERVIER_IP为你的shadowsocks服务器的IP地址

特别注意,这里是你部署过shadowsocks服务器的地址.不是你本地shadowsocks的地址

将以下的shell命令复制粘贴到到bash中即可完成配置:

注意,请使用你的shadowsocks服务器地址替换shell命令中的$SERVER_IP)

#不重定向目的地址为服务器的包
sudo iptables -t nat -A OUTPUT -d $SERVER_IP -j RETURN  #请用你的shadowsocks服务器的地址替换$SERVER_IP

#不重定向私有地址的流量
sudo iptables -t nat -A OUTPUT -d 10.0.0.0/8 -j RETURN
sudo iptables -t nat -A OUTPUT -d 172.16.0.0/16 -j RETURN
sudo iptables -t nat -A OUTPUT -d 192.168.0.0/16 -j RETURN

#不重定向保留地址的流量,这一步很重要
sudo iptables -t nat -A OUTPUT -d 127.0.0.0/8 -j RETURN

#重定向所有不满足以上条件的流量到redsocks监听的12345端口
sudo iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports 12345 #12345是你的redsocks运行的端口,请根据你的情况替换它

接下来,将上面的shell保存为sh脚本,依次运行shadowsocks客户端,redsocks客户端和sh脚本即可.

需要额外说明的是:  如果你关闭了redsocks后,需要将之前配置的iptables规则删除,将下面的shell命令保持为sh脚本,运行即可

#/bin/bash
sudo iptables -t nat -D OUTPUT 6
sudo iptables -t nat -D OUTPUT 5
sudo iptables -t nat -D OUTPUT 4
sudo iptables -t nat -D OUTPUT 3
sudo iptables -t nat -D OUTPUT 2
sudo iptables -t nat -D OUTPUT 1

这一步很重要,如果不删除之前的iptables配置,将直接导致你退出redsocks后再也不能上网

好的,教程就这么多了,如果遇到什么问题,欢迎留言.



本文固定链接: http://kuaile.in/archives/1370 | 蒲公英的博客

该日志由 蒲公英 于2014年10月31日发表在 Linux相关 分类下, 你可以发表评论,并在保留原文地址及作者的情况下引用到你的网站或博客。
原创文章转载请注明: Linux利用Redsocks实现shadowsocks全局代-理 | 蒲公英的博客
关键字:

Linux利用Redsocks实现shadowsocks全局代-理:目前有1 条留言

  1. 沙发
    x:

    单网卡,把这个做成网关可行么?iptables不知道怎么设置。
    意思是局域网上的这台linux电脑192.168.1.2,能改造成网关么?那就可以让其他机器也可以全局了。

    2015-05-04 下午 3:00 [回复]

发表评论


You must enable javascript to see captcha here!

快捷键:Ctrl+Enter