As a secondary (bypass) router or transparent proxy gateway, most people use OpenWrt plus a proxy plugin: it is visual and quick to get started with.
My idea, however, was to try more setups, which eventually turned into this post; I hope it helps other enthusiasts avoid some pitfalls.
Prerequisites:
1. One Linux device; this article uses a J4125 box with Debian 11.6
2. Xray installed
3. nftables
1. Prepare a USB boot drive
Use a USB drive of 8 GB or more and download a Linux ISO image, for example from http://mirrors.ustc.edu.cn/; I chose the amd64 DVD image.
Write it to the USB drive with the Rufus imaging tool; GPT + UEFI is the recommended partition scheme.
Plug the USB drive into the soft router, connect power and quickly press F11 several times, select the entry carrying the USB drive's volume label and press Enter to start the installation.
The detailed steps are not covered here; they are easy to look up.
2. Set a static IP address
Edit /etc/network/interfaces:
vim /etc/network/interfaces
# enp1s0 is the interface name; find yours with ip addr
auto enp1s0
iface enp1s0 inet static
# pick an unused LAN IP address
address 10.0.0.2
netmask 255.255.255.0
# the main router's IP address is the gateway
gateway 10.0.0.1
Keep the comments on their own lines: interfaces(5) does not support end-of-line comments, so a comment after a value would be passed along as part of that value. Then run /etc/init.d/networking restart to restart networking; if the change does not take effect, reboot.
If you need a custom DNS server, edit /etc/resolv.conf and add nameserver 223.5.5.5 (Alibaba Cloud public DNS) or nameserver 10.0.0.1 (change to the main router's IP).
3. Install Xray locally
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
If the installer stalls, download the script locally with wget https://github.com/XTLS/Xray-install/raw/main/install-release.sh, then edit install-release.sh, find "DOWNLOAD_LINK" around line 400 and add an accelerating prefix to the GitHub link,
for example https://ghproxy.com/github.com/XTLS/Xray-core/releases/download/$INSTALL_VERSION/Xray-linux-$MACHINE.zip; save and run bash install-release.sh.
After installation, edit /usr/local/etc/xray/config.json; below is an example with a VMess outbound (Xray accepts // comments in this file):
{
  "inbounds": [
    {
      "tag": "dns-in",
      "port": 53, // Xray takes over the system DNS here; delete this inbound or change the port if you do not want that
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "address": "8.8.4.4",
        "port": 53
      }
    },
    {
      "tag": "all-in",
      "port": 12345,
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy"
        }
      }
    },
    {
      "tag": "socks-in",
      "port": 1080,
      "protocol": "socks",
      "settings": {
        "auth": "password",
        "accounts": [
          {
            "user": "用户名",
            "pass": "密码"
          }
        ],
        "udp": true
      }
    }
  ],
  "outbounds": [
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {
        "domainStrategy": "UseIPv4"
      },
      "streamSettings": {
        "sockopt": {
          "mark": 2
        }
      }
    },
    {
      "tag": "proxy",
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "1.2.3.4",
            "port": 80,
            "users": [
              {
                "id": "xxx-xxx-xxx-xxx" // uuid
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "tcpSettings": {
          "header": {
            "type": "http",
            "response": {
              "version": "1.1",
              "status": "200",
              "reason": "OK",
              "headers": {
                "Content-Type": ["application/octet-stream", "application/x-msdownload", "text/html", "application/x-shockwave-flash"],
                "Transfer-Encoding": ["chunked"],
                "Connection": ["keep-alive"],
                "Pragma": "no-cache"
              }
            }
          }
        },
        "sockopt": {
          "mark": 2
        }
      }
    },
    {
      "tag": "block",
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      }
    },
    {
      "tag": "dns-out",
      "protocol": "dns",
      "streamSettings": {
        "sockopt": {
          "mark": 2
        }
      }
    }
  ],
  "dns": {
    "hosts": {
      "dns.google.com": "8.8.8.8"
    },
    "servers": [
      {
        "address": "223.5.5.5", // Alibaba Cloud DNS, resolves domestic (China) domains
        "port": 53,
        "domains": ["geosite:cn"],
        "expectIPs": ["geoip:cn"]
      },
      {
        "address": "101.6.6.6", // Tsinghua University DNS, resolves overseas domains
        "port": 5353,
        "domains": ["geosite:geolocation-!cn"]
      },
      "8.8.4.4",
      "localhost"
    ]
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "inboundTag": ["dns-in"],
        "outboundTag": "dns-out"
      },
      {
        "type": "field",
        "ip": ["8.8.4.4", "8.8.8.8"],
        "outboundTag": "proxy"
      },
      {
        "type": "field",
        "domain": [
          "geosite:geolocation-!cn",
          "geosite:github",
          "geosite:google"
        ],
        "outboundTag": "proxy"
      },
      { // direct connection for mainstream mainland-China site domains
        "type": "field",
        "domain": [
          "geosite:cn"
        ],
        "ip": ["223.5.5.5"],
        "outboundTag": "direct"
      }
    ]
  }
}
This configuration relies on the enhanced geosite and geoip data files (note that -L and -o are separate curl options; -oL would write to a file named L):
curl -L -o /usr/local/share/xray/geoip.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat
curl -L -o /usr/local/share/xray/geosite.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat
Policy routing configuration
ip route add local default dev lo table 100 # add routing table 100; default can also be written as 0.0.0.0/0
ip rule add fwmark 1 table 100 # send packets carrying fwmark 1 to routing table 100
4. nftables
apt update && apt install nftables ## install nftables
systemctl enable nftables ## start at boot
systemctl start nftables ## start nftables now
Edit /etc/nftables.conf and add the following:
#!/usr/sbin/nft -f
flush ruleset
define RESERVED_IP = {
    10.0.0.0/8,
    100.64.0.0/10,
    127.0.0.0/8,
    169.254.0.0/16,
    172.16.0.0/12,
    192.0.0.0/24,
    192.88.99.0/24,
    192.168.0.0/16,
    224.0.0.0/4,
    240.0.0.0/4,
    255.255.255.255/32
}
table ip xray {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        ip daddr $RESERVED_IP return
        meta l4proto {tcp, udp} mark set 1 tproxy to 127.0.0.1:12345 accept
    }
    chain output {
        type route hook output priority mangle; policy accept;
        ip daddr $RESERVED_IP return
        meta mark 2 return
        meta l4proto {tcp, udp} mark set 1 accept
    }
}
Run nft -f /etc/nftables.conf to apply it immediately; nft list ruleset shows what was loaded.
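To see how the two chains and the ip rule fit together, here is a small Python model of the ruleset above (an added illustration, not part of the original post): it copies the RESERVED_IP set and the mark/tproxy decisions, then follows a packet generated on the gateway itself through the output chain, the fwmark 1 rule and back into prerouting, which is exactly the loop that "meta mark 2 return" breaks for Xray's own outbound connections. The function names are my own.

```python
from ipaddress import ip_address, ip_network

# The RESERVED_IP set from /etc/nftables.conf above (copied into the model).
RESERVED_IP = [ip_network(n) for n in (
    "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.88.99.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32")]
TPROXY_MARK, BYPASS_MARK, TPROXY_PORT = 1, 2, 12345   # mark set 1 / meta mark 2 return / tproxy port

def is_reserved(dst):
    return any(ip_address(dst) in net for net in RESERVED_IP)

def prerouting(dst, proto):
    """Chain 'prerouting' (LAN clients, and local packets re-routed through lo):
    returns the TPROXY target, or None when the packet is left alone."""
    if is_reserved(dst) or proto not in ("tcp", "udp"):
        return None                     # 'return' for reserved ranges, policy accept otherwise
    return f"127.0.0.1:{TPROXY_PORT}"   # mark set 1 tproxy to 127.0.0.1:12345 accept

def output_mark(dst, proto, mark=0):
    """Chain 'output' (packets generated on the gateway itself, Xray included):
    returns the mark the packet carries after the chain."""
    if is_reserved(dst) or mark == BYPASS_MARK or proto not in ("tcp", "udp"):
        return mark                     # reserved destination, Xray's own traffic, or not TCP/UDP
    return TPROXY_MARK                  # mark set 1 accept

def local_packet_path(dst, proto, mark=0):
    """Follow a gateway-local packet: output chain, then 'ip rule add fwmark 1 table 100'
    plus the 'local' route on lo deliver mark-1 packets back to prerouting, where the
    tproxy rule catches them. Anything else leaves through the main routing table."""
    if output_mark(dst, proto, mark) != TPROXY_MARK:
        return "direct"
    return prerouting(dst, proto) or "direct"

if __name__ == "__main__":
    print("LAN client -> 1.1.1.1 tcp :", prerouting("1.1.1.1", "tcp"))            # 127.0.0.1:12345
    print("LAN client -> 10.0.0.1 tcp:", prerouting("10.0.0.1", "tcp"))           # None (stays in LAN)
    print("Xray outbound, mark 2     :", local_packet_path("1.2.3.4", "tcp", 2))  # direct
    print("unmarked local process    :", local_packet_path("1.2.3.4", "tcp"))     # 127.0.0.1:12345
```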
Making the nftables configuration persistent
Edit /lib/systemd/system/nftables.service to read as follows:
[Unit]
Description=nftables
Documentation=man:nft(8) http://wiki.nftables.org
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target
DefaultDependencies=no
[Service]
Type=oneshot
RemainAfterExit=yes
StandardInput=null
ProtectSystem=full
ProtectHome=true
ExecStart=/usr/sbin/nft -f /etc/nftables.conf ; /usr/sbin/ip route add local 0.0.0.0/0 dev lo table 100 ; /usr/sbin/ip rule add fwmark 1 table 100
ExecReload=/usr/sbin/nft -f /etc/nftables.conf
ExecStop=/usr/sbin/nft flush ruleset ; /usr/sbin/ip route del local 0.0.0.0/0 dev lo table 100 ; /usr/sbin/ip rule del table 100
[Install]
WantedBy=sysinit.target
That completes the Xray + nftables transparent proxy. Devices that should go through it simply set both their gateway and DNS to the transparent gateway's IP and get domestic/overseas split routing.
References
https://xtls.github.io/document/level-2/tproxy.html