shadowsocks是由网友开发的开源代理软件,项目的源代码托管在github.com, 当然你也可以到shadowsocks的主页下载编译好的客户端程序,目前shadowsocks支持windows,linux,Android以及Mac OS.
不同于VP-N,shadowsocks和ssh代-理一样,是局部的代理,因此如果要将局部代-理配置成全局的,需要额外的配置,本文就结合自己的在linux系统上配置全局代-理的过程,总结后发表出来,希望能够帮助到有需要的朋友.
第一步,安装redsocks
redsocks的代码同样托管在github.com,下载源码后编译即可:
123 | git clone https: //github .com /darkk/redsocks cd redsocks make |
需要注意的是,redsocks依赖libevent,如果没有安装的话,make的时候将会报错:
wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.34-beta.1/dnscrypt-proxy-linux_x86_64-2.0.34-beta.1.tar.gz
ubuntu/debain系统通过以下命令安装:
12 | #Ubuntu/Debain sudo apt-get install libevent-dev |
Redhat/Centos通过以下命令安装
12 | #CentOS/RedHat sudo yum install libevent-dev |
第二步:运行shadowsocks
如果你已经运行了shadowsocks,跳过即可,具体的shadowssocks服务器部署教程可以参考官方的文档,本文默认你已经部署好了shadowsocks服务器
第三步: 配置redsocks
将redsocks源码目录下的redsocks.conf.example复制为redsocks.conf,编辑redsocks.conf
base { // debug: connection progress & client list on SIGUSR1 log_debug = on; // info: start and end of client session log_info = on; /* possible `log' values are: * stderr * "file:/path/to/file" * syslog:FACILITY facility is any of "daemon", "local0"..."local7" */ log = stderr; // log = "file:/path/to/file"; // log = "syslog:local7"; // detach from console daemon = off; /* Change uid, gid and root directory, these options require root * privilegies on startup. * Note, your chroot may requre /etc/localtime if you write log to syslog. * Log is opened before chroot & uid changing. */ // user = nobody; // group = nobody; // chroot = "/var/chroot"; /* possible `redirector' values are: * iptables - for Linux * ipf - for FreeBSD * pf - for OpenBSD * generic - some generic redirector that MAY work */ redirector = iptables; } redsocks { /* `local_ip' defaults to 127.0.0.1 for security reasons, * use 0.0.0.0 if you want to listen on every interface. * `local_*' are used as port to redirect to. */ local_ip = 127.0.0.1; local_port = 12345; //记住这个端口,这个是redsocks运行的端口 // listen() queue length. Default value is SOMAXCONN and it should be // good enough for most of us. // listenq = 128; // SOMAXCONN equals 128 on my Linux box. // `max_accept_backoff` is a delay to retry `accept()` after accept // failure (e.g. due to lack of file descriptors). It's measured in // milliseconds and maximal value is 65535. `min_accept_backoff` is // used as initial backoff value and as a damper for `accept() after // close()` logic. // min_accept_backoff = 100; // max_accept_backoff = 60000; // `ip' and `port' are IP and tcp-port of proxy-server // You can also use hostname instead of IP, only one (random) // address of multihomed host will be used. ip = 127.0.0.1; //这个是代-理服务器的端口,如果你本地运行shadows,需要将ip设置为127.0.0.1 port = 1080; //编辑这个端口值,修改为本地shadowsocks运行的端口 // known types: socks4, socks5, http-connect, http-relay type = socks5; // login = "foobar"; // password = "baz"; } redudp { // `local_ip' should not be 0.0.0.0 as it's also used for outgoing // packets that are sent as replies - and it should be fixed // if we want NAT to work properly. local_ip = 127.0.0.1; local_port = 10053; // `ip' and `port' of socks5 proxy server. ip = 10.0.0.1; port = 1080; login = username; password = pazzw0rd; // redsocks knows about two options while redirecting UDP packets at // linux: TPROXY and REDIRECT. TPROXY requires more complex routing // configuration and fresh kernel (>= 2.6.37 according to squid // developers[1]) but has hack-free way to get original destination // address, REDIRECT is easier to configure, but requires `dest_ip` and // `dest_port` to be set, limiting packet redirection to single // destination. // [1] http://wiki.squid-cache.org/Features/Tproxy4 dest_ip = 8.8.8.8; dest_port = 53; udp_timeout = 30; udp_timeout_stream = 180; } dnstc { // fake and really dumb DNS server that returns "truncated answer" to // every query via UDP, RFC-compliant resolver should repeat same query // via TCP in this case. local_ip = 127.0.0.1; local_port = 5300; } // you can add more `redsocks' and `redudp' sections if you need.
需要特别注意的是,如果你使用的是普通的代-理,那么需要修改redsocks里面的ip为你的服务器的地址
第四步:配置Iptables
全局代-理是核心就是iptables规则了,这里首先假定 $SERVIER_IP为你的shadowsocks服务器的IP地址
特别注意,这里是你部署过shadowsocks服务器的地址.不是你本地shadowsocks的地址
将以下的shell命令复制粘贴到到bash中即可完成配置:
注意,请使用你的shadowsocks服务器地址替换shell命令中的$SERVER_IP)
12345678910111213 | #不重定向目的地址为服务器的包 sudo iptables -t nat -A OUTPUT -d $SERVER_IP -j RETURN #请用你的shadowsocks服务器的地址替换$SERVER_IP #不重定向私有地址的流量 sudo iptables -t nat -A OUTPUT -d 10.0.0.0 /8 -j RETURN sudo iptables -t nat -A OUTPUT -d 172.16.0.0 /16 -j RETURN sudo iptables -t nat -A OUTPUT -d 192.168.0.0 /16 -j RETURN #不重定向保留地址的流量,这一步很重要 sudo iptables -t nat -A OUTPUT -d 127.0.0.0 /8 -j RETURN #重定向所有不满足以上条件的流量到redsocks监听的12345端口 sudo iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports 12345 #12345是你的redsocks运行的端口,请根据你的情况替换它 |
接下来,将上面的shell保存为sh脚本,依次运行shadowsocks客户端,redsocks客户端和sh脚本即可.
需要额外说明的是: 如果你关闭了redsocks后,需要将之前配置的iptables规则删除,将下面的shell命令保持为sh脚本,运行即可
1234567 | #/bin/bash sudo iptables -t nat -D OUTPUT 6 sudo iptables -t nat -D OUTPUT 5 sudo iptables -t nat -D OUTPUT 4 sudo iptables -t nat -D OUTPUT 3 sudo iptables -t nat -D OUTPUT 2 sudo iptables -t nat -D OUTPUT 1 |
这一步很重要,如果不删除之前的iptables配置,将直接导致你退出redsocks后再也不能上网
好的,教程就这么多了,如果遇到什么问题,欢迎留言.
来自:http://kuaile.in/archives/1370