graftcp icon indicating copy to clipboard operation
graftcp copied to clipboard

Published 20 hours ago verified publisher icon hmgle

Linux上另外一种实现更简单的重定向方法

Open heiher opened this issue 5 years ago • 4 comments

基于iptables + network classifier cgroup的,用于实现per app的TCP、DNS重定向,支持子进程自动继承,实现更简单。

具体实现:https://hev.cc/2813.html

heiher avatar Mar 26 '19 11:03 heiher

安装试了下,用 tproxy 尝试请求 Google 失败了,连接 Baidu 是成功的。

tproxy curl --verbose https://www.google.com
* Rebuilt URL to: https://www.google.com/
* Hostname was NOT found in DNS cache
*   Trying 172.217.20.100...
* connect to 172.217.20.100 port 443 failed: Connection timed out
* Failed to connect to www.google.com port 443: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to www.google.com port 443: Connection timed out

看了下是流量没有重定向,没有生效。

hmgle avatar Mar 26 '19 14:03 hmgle

使用 iptables 的话也可以参考依云的使用 cgroups net_cls 来让 docker 走代理

hmgle avatar Mar 26 '19 15:03 hmgle

安装试了下,用 tproxy 尝试请求 Google 失败了,连接 Baidu 是成功的。

tproxy curl --verbose https://www.google.com
* Rebuilt URL to: https://www.google.com/
* Hostname was NOT found in DNS cache
*   Trying 172.217.20.100...
* connect to 172.217.20.100 port 443 failed: Connection timed out
* Failed to connect to www.google.com port 443: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to www.google.com port 443: Connection timed out

看了下是流量没有重定向,没有生效。

确认两个点:

  1. 进程是否成功加入 tproxy cgroup。(可以把当前的bash进程加进去,它fork子进程来执行的外部命令都会被重定向)
  2. iptables tproxy rules是否成功导入,且cgroup match和redirect对不对。(配合ss-redir吗?ss-redir没用过,它对DNS是如何处理的?)

heiher avatar Mar 27 '19 01:03 heiher

看了下是我本机的 iptables 版本太低,还不支持 cgroup

hmgle avatar Mar 29 '19 14:03 hmgle