Building a Linux bypass router from scratch: Xray combined with nftables

For a bypass router / transparent proxy (gateway), most people use OpenWrt plus a proxy plugin: it has a GUI and is quick to get going with.
My idea was to explore more ways of doing it, and that eventually turned into this post. I hope it helps other enthusiasts avoid a few pitfalls.

Prerequisites:
1. One Linux device; this post uses a J4125 mini PC with Debian 11.6
2. Xray installed
3. nftables

1. Prepare a bootable USB drive

A USB drive of 8 GB or more. Download a Linux ISO image (for example from http://mirrors.ustc.edu.cn/); I chose the amd64 DVD image.
Write it to the drive with Rufus; GPT + UEFI is the recommended layout.
Plug the drive into the mini router, power it on and press F11 repeatedly, select the entry carrying the USB drive's volume label, press Enter and the installation starts.
The detailed installation steps are not covered here; search for them if needed.

2. Set a static IP address

Edit /etc/network/interfaces:

vim /etc/network/interfaces
# enp1s0 is the NIC name; find yours with the command `ip addr`
auto enp1s0
iface enp1s0 inet static
# pick an unused LAN IP address
address 10.0.0.2
netmask 255.255.255.0
# the main router's IP is the gateway
gateway 10.0.0.1

/etc/init.d/networking restart ## restart networking; if the change does not take effect, just reboot
To use custom DNS servers, edit /etc/resolv.conf and add
nameserver 223.5.5.5 (Alibaba Cloud public DNS) or nameserver 10.0.0.1 (the main router's IP)

3. Install Xray locally

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install

If the installer stalls, download the script locally with wget https://github.com/XTLS/Xray-install/raw/main/install-release.sh, then edit install-release.sh, find "DOWNLOAD_LINK" somewhere after line 400 and put a mirror prefix in front of the GitHub link to speed up the download (the binary then comes through that third-party mirror rather than directly from GitHub),
e.g. https://ghproxy.com/github.com/XTLS/Xray-core/releases/download/$INSTALL_VERSION/Xray-linux-$MACHINE.zip; save and run bash install-release.sh

After installation, edit /usr/local/etc/xray/config.json; below is an example using a VMess outbound:

{
  "inbounds": [
    {
      "tag": "dns-in",
      "port": 53, // Xray takes over the system DNS here; delete this inbound or change the port if you do not want that
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "address": "8.8.4.4",
        "port": 53
      }
    },
    {
      "tag": "all-in",
      "port": 12345,
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy"
        }
      }
    },
    {
      "tag": "socks-in",
      "port": 1080,
      "protocol": "socks",
      "settings": {
        "auth": "password",
        "accounts": [
          {
            "user": "用户名",
            "pass": "密码"
          }
        ],
        "udp": true
      }
    }
  ],
  "outbounds": [
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {
        "domainStrategy": "UseIPv4"
      },
      "streamSettings": {
        "sockopt": {
          "mark": 2
        }
      }
    },
    {
      "tag": "proxy",
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "1.2.3.4",
            "port": 80,
            "users": [
              {
                "id": "xxx-xxx-xxx-xxx" // UUID
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "tcpSettings": {
          "header": {
            "type": "http",
            "response": {
              "version": "1.1",
              "status": "200",
              "reason": "OK",
              "headers": {
                "Content-Type": ["application/octet-stream", "application/x-msdownload", "text/html", "application/x-shockwave-flash"],
                "Transfer-Encoding": ["chunked"],
                "Connection": ["keep-alive"],
                "Pragma": "no-cache"
              }
            }
          }
        },
        "sockopt": {
          "mark": 2
        }
      }
    },
    {
      "tag": "block",
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      }
    },
    {
      "tag": "dns-out",
      "protocol": "dns",
      "streamSettings": {
        "sockopt": {
          "mark": 2
        }
      }
    }
  ],
  "dns": {
    "hosts": {
      "dns.google.com": "8.8.8.8"
    },
    "servers": [
      {
        "address": "223.5.5.5", // Alibaba Cloud DNS, resolves domestic (CN) domains
        "port": 53,
        "domains": ["geosite:cn"],
        "expectIPs": ["geoip:cn"]
      },
      {
        "address": "101.6.6.6", // Tsinghua University DNS, resolves foreign domains
        "port": 5353,
        "domains": ["geosite:geolocation-!cn"]
      },
      "8.8.4.4",
      "localhost"
    ]
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "inboundTag": ["dns-in"],
        "outboundTag": "dns-out"
      },
      {
        "type": "field",
        "ip": ["8.8.4.4", "8.8.8.8"],
        "outboundTag": "proxy"
      },
      {
        "type": "field",
        "domain": [
          "geosite:geolocation-!cn",
          "geosite:github",
          "geosite:google"
        ],
        "outboundTag": "proxy"
      },
      { // direct connection for mainstream mainland China domains
        "type": "field",
        "domain": [
          "geosite:cn"
        ],
        "ip": ["223.5.5.5"],
        "outboundTag": "direct"
      }
    ]
  }
}

This configuration relies on the enhanced geosite and geoip data files:

curl -L -o /usr/local/share/xray/geoip.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat
curl -L -o /usr/local/share/xray/geosite.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat
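The config above only works with the nftables rules later on this page if its tags, the tproxy port and the socket marks line up: every outbound that opens sockets needs sockopt.mark 2, otherwise the output chain re-marks its packets with 1 and feeds them back into the tproxy inbound, a routing loop. The checker below is an added example (mine, not code from the post or from Xray); it assumes the port and mark values used on this page (12345 and 2) and runs against a constructed, cut-down config with three deliberate faults.

```python
import json
import re

# Constructed, cut-down stand-in for /usr/local/etc/xray/config.json, with three deliberate faults.
SAMPLE_CONFIG = """{
  "inbounds": [
    {"tag": "all-in", "port": 12345, "protocol": "dokodemo-door",
     "settings": {"network": "tcp,udp", "followRedirect": true},
     "streamSettings": {"sockopt": {"tproxy": "tproxy"}}}
  ],
  "outbounds": [
    {"tag": "direct", "protocol": "freedom", "streamSettings": {"sockopt": {"mark": 2}}},
    {"tag": "proxy", "protocol": "vmess", "settings": {"vnext": [{"address": "1.2.3.4", "port": 80}]}}, // no mark
    {"tag": "block", "protocol": "blackhole"}
  ],
  "routing": {"rules": [{"type": "field", "inboundTag": ["dns-in"], "outboundTag": "dns-out"}]}
}"""

# A JSON string literal, or a // comment; strings are matched first so a "//" inside one survives.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')

def strip_comments(text):
    """Drop // comments outside JSON strings (Xray accepts them, json.loads does not)."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def _sockopt(section):
    return section.get("streamSettings", {}).get("sockopt", {})

def check_config(text, tproxy_port=12345, bypass_mark=2):
    """Return the problems that would break or loop the tproxy setup; [] means it is consistent."""
    cfg = json.loads(strip_comments(text))
    inbounds = {i["tag"]: i for i in cfg.get("inbounds", [])}
    outbounds = {o["tag"]: o for o in cfg.get("outbounds", [])}
    problems = []
    # nftables sends every proxied packet to tproxy_port: that inbound must be a tproxy dokodemo-door.
    if not any(i.get("port") == tproxy_port and _sockopt(i).get("tproxy") == "tproxy"
               and i.get("settings", {}).get("followRedirect") for i in inbounds.values()):
        problems.append(f"no tproxy inbound on port {tproxy_port} with followRedirect")
    # Any outbound that opens sockets must carry the bypass mark; otherwise the output chain
    # re-marks its packets with 1 and feeds them straight back into tproxy (a routing loop).
    for tag, ob in outbounds.items():
        if ob["protocol"] != "blackhole" and _sockopt(ob).get("mark") != bypass_mark:
            problems.append(f"outbound {tag!r} lacks sockopt.mark {bypass_mark}")
    # Rules naming a tag that does not exist never match and are silently dead.
    for rule in cfg.get("routing", {}).get("rules", []):
        problems += [f"unknown inboundTag {t!r}" for t in rule.get("inboundTag", []) if t not in inbounds]
        if rule.get("outboundTag") not in outbounds:
            problems.append(f"unknown outboundTag {rule.get('outboundTag')!r}")
    return problems
```

Run it on the real file with `check_config(open("/usr/local/etc/xray/config.json").read())`; an empty list is the result you want before loading the nftables rules.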

Policy routing configuration

ip route add local default dev lo table 100 # add routing table 100; "default" can also be written 0.0.0.0/0
ip rule add fwmark 1 table 100 # packets carrying fwmark 1 are looked up in table 100

4. nftables

apt update && apt install nftables ## install nftables
systemctl enable nftables ## start at boot
systemctl start nftables ## start nftables now

Edit /etc/nftables.conf and add the following:

#!/usr/sbin/nft -f

flush ruleset

# Destinations that are never proxied: private, CGNAT, loopback, link-local, multicast and reserved ranges
define RESERVED_IP = {
    10.0.0.0/8,
    100.64.0.0/10,
    127.0.0.0/8,
    169.254.0.0/16,
    172.16.0.0/12,
    192.0.0.0/24,
    192.88.99.0/24,
    192.168.0.0/16,
    224.0.0.0/4,
    240.0.0.0/4,
    255.255.255.255/32
}

table ip xray {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        ip daddr $RESERVED_IP return
        # mark 1 makes the policy rule route the packet via table 100 (local), so tproxy can hand it to Xray's all-in inbound
        meta l4proto {tcp, udp} mark set 1 tproxy to 127.0.0.1:12345 accept
    }
    chain output {
        type route hook output priority mangle; policy accept;
        ip daddr $RESERVED_IP return
        # mark 2 is set by Xray's own outbounds (sockopt.mark); let that traffic leave directly, otherwise it would loop
        meta mark 2 return
        # other locally generated traffic gets mark 1 and is re-routed via table 100 to lo, where prerouting tproxies it
        meta l4proto {tcp, udp} mark set 1 accept
    }
}

Run nft -f /etc/nftables.conf to apply it immediately.
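As an added illustration (not part of the original post and not an nftables tool), the following Python model walks constructed packets through the two chains above and the fwmark 1 policy rule, so you can see why LAN traffic ends up at Xray, why traffic to RESERVED_IP does not, and why mark 2 on Xray's own outbounds is what prevents a loop. It assumes, as the ruleset does, that only the destination address, protocol and mark decide the verdict.

```python
import ipaddress

# RESERVED_IP and the tproxy port exactly as defined in /etc/nftables.conf above
RESERVED_IP = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
    "192.88.99.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32")]
TPROXY_PORT = 12345
TPROXY_MARK, BYPASS_MARK = 1, 2  # 1: "ip rule fwmark 1 table 100"; 2: set by Xray's outbounds (sockopt.mark)


def packet(src, dst, proto, local=False, mark=None):
    """Constructed packet record: IPv4 src/dst, proto 'tcp'/'udp'/'icmp', local=True if generated on the gateway."""
    return {"src": src, "dst": dst, "proto": proto, "local": local, "mark": mark}


def is_reserved(dst):
    return any(ipaddress.ip_address(dst) in net for net in RESERVED_IP)


def prerouting(pkt):
    """chain prerouting: packets arriving on any interface, from LAN clients or re-routed via lo."""
    if is_reserved(pkt["dst"]):
        return "return"  # LAN, loopback, multicast etc. follow normal routing untouched
    if pkt["proto"] in ("tcp", "udp"):
        pkt["mark"] = TPROXY_MARK
        return f"tproxy to 127.0.0.1:{TPROXY_PORT}"
    return "accept"


def output(pkt):
    """chain output (type route): packets generated on the gateway itself."""
    if is_reserved(pkt["dst"]) or pkt.get("mark") == BYPASS_MARK:
        return "return"  # Xray's own outbounds carry mark 2 and leave directly, so there is no loop
    if pkt["proto"] in ("tcp", "udp"):
        pkt["mark"] = TPROXY_MARK
        return "reroute"  # fwmark 1 -> table 100 -> "local" route on lo -> the packet re-enters prerouting
    return "accept"


def trace(pkt):
    """Final verdict for a packet, applying the chains in the order the kernel does."""
    if pkt["local"]:
        verdict = output(pkt)
        if verdict != "reroute":
            return verdict
    return prerouting(pkt)
```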

Making the nftables configuration persistent

Edit /lib/systemd/system/nftables.service to read as follows (a copy with the same name under /etc/systemd/system takes precedence and is not overwritten by package upgrades):

[Unit]
Description=nftables
Documentation=man:nft(8) http://wiki.nftables.org
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target
DefaultDependencies=no

[Service]
Type=oneshot
RemainAfterExit=yes
StandardInput=null
ProtectSystem=full
ProtectHome=true
ExecStart=/usr/sbin/nft -f /etc/nftables.conf ; /usr/sbin/ip route add local 0.0.0.0/0 dev lo table 100 ; /usr/sbin/ip rule add fwmark 1 table 100
ExecReload=/usr/sbin/nft -f /etc/nftables.conf
ExecStop=/usr/sbin/nft flush ruleset ; /usr/sbin/ip route del local 0.0.0.0/0 dev lo table 100 ; /usr/sbin/ip rule del table 100

[Install]
WantedBy=sysinit.target

That completes the Xray + nftables transparent proxy. Devices that need the proxy simply set both their gateway and their DNS to the transparent gateway's IP, and their traffic is split between domestic (direct) and foreign (proxied) routes.

References
https://xtls.github.io/document/level-2/tproxy.html
Last updated 2023-04-14
Comments (2)
  1. Could you explain how to set up dae + sing-box on Debian?

    2 months ago · United States
  2. bensonlai

    101.6.6.6 has been banned; could you put out a VPS version of the Linux bypass router setup?

    7 months ago · Jiangmen, Guangdong