Using Redsocks on Linux to make shadowsocks a global proxy


shadowsocks is open-source proxy software developed by community members. Its source code is hosted on github.com, and you can also download prebuilt client programs from the shadowsocks homepage. shadowsocks currently supports Windows, Linux, Android and Mac OS.

Unlike a VPN, shadowsocks, like an ssh proxy, only handles the traffic of applications configured to use it, so turning it into a global (system-wide) proxy requires extra configuration. This article summarizes my own process of setting up a global proxy on a Linux system, in the hope that it helps those who need it.

Step 1: Install redsocks

The redsocks source is also hosted on github.com; download it and build it:


git clone https://github.com/darkk/redsocks
cd redsocks
make

Note that redsocks depends on libevent; if it is not installed, make will fail with an error.


On Ubuntu/Debian, install it with:


# Ubuntu/Debian
sudo apt-get install libevent-dev

On Redhat/CentOS, install it with:


# CentOS/RedHat (the development package is named libevent-devel in the yum repositories)
sudo yum install libevent-devel

Step 2: Run shadowsocks

If you already have shadowsocks running, skip this step. For a full shadowsocks server deployment guide, see the official documentation; this article assumes you already have a shadowsocks server deployed.

Step 3: Configure redsocks

Copy redsocks.conf.example from the redsocks source directory to redsocks.conf, then edit redsocks.conf:

base {
 
    // debug: connection progress & client list on SIGUSR1
    log_debug = on;
 
    // info: start and end of client session
    log_info = on;
 
    /* possible `log' values are:
     *   stderr
     *   "file:/path/to/file"
     *   syslog:FACILITY  facility is any of "daemon", "local0"..."local7"
     */
    log = stderr;
    // log = "file:/path/to/file";
    // log = "syslog:local7";
 
    // detach from console
    daemon = off;
 
    /* Change uid, gid and root directory, these options require root
     * privileges on startup.
     * Note, your chroot may require /etc/localtime if you write log to syslog.
     * Log is opened before chroot & uid changing.
     */
    // user = nobody;
    // group = nobody;
    // chroot = "/var/chroot";
 
    /* possible `redirector' values are:
     *   iptables   - for Linux
     *   ipf        - for FreeBSD
     *   pf         - for OpenBSD
     *   generic    - some generic redirector that MAY work
     */
    redirector = iptables;
}
 
redsocks {
    /* `local_ip' defaults to 127.0.0.1 for security reasons,
     * use 0.0.0.0 if you want to listen on every interface.
     * `local_*' are used as port to redirect to.
     */
    local_ip = 127.0.0.1;
    local_port = 12345;   // remember this port: it is the port redsocks listens on
 
    // listen() queue length. Default value is SOMAXCONN and it should be
    // good enough for most of us.
    // listenq = 128; // SOMAXCONN equals 128 on my Linux box.
 
    // `max_accept_backoff` is a delay to retry `accept()` after accept
    // failure (e.g. due to lack of file descriptors). It's measured in
    // milliseconds and maximal value is 65535. `min_accept_backoff` is
    // used as initial backoff value and as a damper for `accept() after
    // close()` logic.
    // min_accept_backoff = 100;
    // max_accept_backoff = 60000;
 
    // `ip' and `port' are IP and tcp-port of proxy-server
    // You can also use hostname instead of IP, only one (random)
    // address of multihomed host will be used.
    ip = 127.0.0.1; // this is the proxy server's address; if you run the shadowsocks client locally, set ip to 127.0.0.1
    port = 1080; // change this port value to the port your local shadowsocks client listens on
 
 
    // known types: socks4, socks5, http-connect, http-relay
    type = socks5;
 
    // login = "foobar";
    // password = "baz";
}
 
redudp {
    // `local_ip' should not be 0.0.0.0 as it's also used for outgoing
    // packets that are sent as replies - and it should be fixed
    // if we want NAT to work properly.
    local_ip = 127.0.0.1;
    local_port = 10053;
 
    // `ip' and `port' of socks5 proxy server.
    ip = 10.0.0.1;
    port = 1080;
    login = username;
    password = pazzw0rd;
 
    // redsocks knows about two options while redirecting UDP packets at
    // linux: TPROXY and REDIRECT.  TPROXY requires more complex routing
    // configuration and fresh kernel (>= 2.6.37 according to squid
    // developers[1]) but has hack-free way to get original destination
    // address, REDIRECT is easier to configure, but requires `dest_ip` and
    // `dest_port` to be set, limiting packet redirection to single
    // destination.
    // [1] http://wiki.squid-cache.org/Features/Tproxy4
    dest_ip = 8.8.8.8;
    dest_port = 53;
 
    udp_timeout = 30;
    udp_timeout_stream = 180;
}
 
dnstc {
    // fake and really dumb DNS server that returns "truncated answer" to
    // every query via UDP, RFC-compliant resolver should repeat same query
    // via TCP in this case.
    local_ip = 127.0.0.1;
    local_port = 5300;
}
 
// you can add more `redsocks' and `redudp' sections if you need.

 

Note in particular: if you are using an ordinary (remote) proxy rather than a local shadowsocks client, change the ip in the redsocks section to your proxy server's address.

Step 4: Configure iptables

The core of the global proxy is the iptables rules. Here we assume $SERVER_IP is the IP address of your shadowsocks server.

Note: this is the address of the server on which you deployed shadowsocks, not the address of your local shadowsocks client.

Copy and paste the following shell commands into bash to complete the configuration:

(Note: replace $SERVER_IP in the commands with your shadowsocks server address.)


# Do not redirect packets destined for the shadowsocks server itself
sudo iptables -t nat -A OUTPUT -d $SERVER_IP -j RETURN   # replace $SERVER_IP with your shadowsocks server address

# Do not redirect traffic to private addresses
sudo iptables -t nat -A OUTPUT -d 10.0.0.0/8 -j RETURN
sudo iptables -t nat -A OUTPUT -d 172.16.0.0/12 -j RETURN   # /12 covers the whole 172.16.0.0 - 172.31.255.255 private block
sudo iptables -t nat -A OUTPUT -d 192.168.0.0/16 -j RETURN

# Do not redirect traffic to reserved (loopback) addresses; this step is important
sudo iptables -t nat -A OUTPUT -d 127.0.0.0/8 -j RETURN

# Redirect all remaining TCP traffic to port 12345, where redsocks listens
sudo iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports 12345   # 12345 is the port redsocks runs on; change it to match your setup

Next, save the commands above as an sh script, then start the shadowsocks client, then redsocks, and finally run the script.

One extra note: after you stop redsocks, you need to delete the iptables rules configured above. Save the following shell commands as an sh script and run it:


#!/bin/bash
# Delete the six rules added above by their position in the nat OUTPUT chain,
# counting down so that removing one rule does not shift the numbers of the rest
sudo iptables -t nat -D OUTPUT 6
sudo iptables -t nat -D OUTPUT 5
sudo iptables -t nat -D OUTPUT 4
sudo iptables -t nat -D OUTPUT 3
sudo iptables -t nat -D OUTPUT 2
sudo iptables -t nat -D OUTPUT 1

This step is important: if you do not delete the iptables configuration from before, you will no longer be able to get online after exiting redsocks.
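The add and remove steps above can be kept in a single script. The following is an added example and is not from the original post or the redsocks project: it keeps the rule list in one place and appends and deletes the rules by their exact specification (iptables -D with the same arguments as -A), so removal no longer depends on the rules still being numbered 1 to 6 in the nat OUTPUT chain. The SERVER_IP, REDSOCKS_PORT and IPTABLES variables are assumptions for this script, and 203.0.113.10 is a placeholder server address.

```shell
#!/bin/sh
# Added example, not from the original post or the redsocks project: manage the
# redsocks redirect rules as a unit. Rules are removed by specification rather
# than by number, so removal works even if other nat OUTPUT rules exist.

SERVER_IP="${SERVER_IP:-203.0.113.10}"   # placeholder; set to your shadowsocks server address
REDSOCKS_PORT="${REDSOCKS_PORT:-12345}"  # local_port from the redsocks section of redsocks.conf
IPTABLES="${IPTABLES:-sudo iptables}"    # set IPTABLES=echo to print the commands instead of running them

# One rule per line, without the -A/-D verb, in the order they must be appended.
# Exclusions come first; the loopback exclusion keeps redsocks' own connection to
# the local shadowsocks client (127.0.0.1:1080) from being redirected back into redsocks.
redsocks_rules() {
    cat <<EOF
OUTPUT -d $SERVER_IP -j RETURN
OUTPUT -d 10.0.0.0/8 -j RETURN
OUTPUT -d 172.16.0.0/12 -j RETURN
OUTPUT -d 192.168.0.0/16 -j RETURN
OUTPUT -d 127.0.0.0/8 -j RETURN
OUTPUT -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT
EOF
}

# Apply every rule with the given verb: -A to append, -D to delete.
# $rule is deliberately unquoted so the shell splits it into arguments.
apply_rules() {
    verb="$1"
    redsocks_rules | while read -r rule; do
        $IPTABLES -t nat "$verb" $rule
    done
}

redsocks_up()     { apply_rules -A; }
redsocks_down()   { apply_rules -D; }
redsocks_status() { $IPTABLES -t nat -S OUTPUT; }   # print the nat OUTPUT chain as rule specs
rule_count()      { redsocks_rules | wc -l | tr -d ' '; }

case "${1:-}" in
    up)     redsocks_up ;;
    down)   redsocks_down ;;
    status) redsocks_status ;;
    *)      echo "usage: $0 up|down|status" >&2 ;;
esac
```

Run it as `./redsocks-rules.sh up` after starting the shadowsocks client and redsocks, and `./redsocks-rules.sh down` before or after stopping redsocks; `IPTABLES=echo ./redsocks-rules.sh up` prints the commands without applying them. Two caveats carry over from the page's own rules: only TCP is redirected, so UDP traffic (including DNS) still leaves the machine unproxied unless the redudp and dnstc sections of redsocks.conf are also configured, and the 127.0.0.0/8 exclusion is what stops redsocks' own connection to the local shadowsocks client from looping back through the REDIRECT rule.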

That's the whole tutorial; if you run into any problems, feel free to leave a comment.

Source: http://kuaile.in/archives/1370

Copyright notice: original article on this site, published by admin on 2019-12-02, 4965 characters.
Reprint notice: unless otherwise stated, articles on this site are published under the CC 4.0 license; please credit the source when reprinting.