
Gfwlist mode in the Wiki

Open cokebar opened this issue 8 years ago • 10 comments

The wiki creates a new ipset named gfwlist and then adds a rule that sends traffic matching the gfwlist ipset to SS_SPEC_WAN_FW. But this has the problem that "every time shadowsocks is restarted, SS_SPEC_WAN_AC is destroyed and recreated", because running ss-rules flushes the rules first. Why create a gfwlist ipset at all, though? Why not use ss_spec_dst_fw directly and have dnsmasq add the resolved addresses straight into the ss_spec_dst_fw ipset? Then this problem would not exist.

cokebar avatar Sep 01 '17 09:09 cokebar

That way the gfwlist ipset is not destroyed, so dnsmasq does not need to be restarted to re-add the IPs.

aa65535 avatar Sep 02 '17 12:09 aa65535

Someone reported to me that, following the method in your wiki and adding that iptables line to /etc/firewall.user, the router cannot get through the GFW after booting. At boot time, when /etc/firewall.user runs, ss-rules may not have run yet and the SS_SPEC_XXX_XX chains may not exist, so the statement may fail. Even if ss-rules runs before /etc/firewall.user, /etc/config/firewall also has a shadowsocks.include further down, and that will cause the previously added iptables -t nat -I SS_SPEC_WAN_AC 1 -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW to be deleted. So, @aa65535, what do you suggest for making this run properly at boot?

cokebar avatar Sep 03 '17 04:09 cokebar

@cokebar For running it automatically at boot, what I currently do is add $ipt -I SS_SPEC_WAN_AC 1 -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW inside the ipt_nat() function in ss-rules, which takes care of having to run this command after the router reboots.

knlvz avatar Sep 19 '17 15:09 knlvz

I modified ss-rules to add gfwlist; @aa65535 please take a look and see whether this is OK. Add the following code before ipset_init():

gfwlist_init() {
    ipt="iptables -t nat"
    # create the gfwlist set only if it does not exist yet
    setname=$(ipset -n list | grep -w "gfwlist")
    if [ ! "$setname" ]; then
        ipset create gfwlist hash:ip
    fi
    # send traffic for addresses in the set to the shadowsocks chain
    $ipt -I SS_SPEC_WAN_AC 1 -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW
    return 0
}

and change the last line to this:

flush_rules && ipset_init && ipt_nat && ipt_mangle && gfwlist_init && export_ipt_rules

sotux avatar Jan 16 '18 12:01 sotux

@sotux

I tried your script, it works.

One little problem: it can ONLY redirect TCP traffic. To redirect UDP as well, you could add this line: iptables -t mangle -I SS_SPEC_WAN_AC 1 -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW

phoniwell avatar Jan 18 '18 10:01 phoniwell

@sotux In gfwlist mode, UDP relay is of little use.

cokebar avatar Jan 18 '18 11:01 cokebar

After the WAN link drops and redials, "iptables -t nat -I SS_SPEC_WAN_AC 1 -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW" stops taking effect and has to be run again. How can I set things up so that this command runs automatically after the WAN redials?

openlcc avatar Jan 21 '18 12:01 openlcc

@legendchi I don't know whether the following works, I haven't tested it. Write a script containing the commands you need to run after the WAN reconnects, then add this to the end of /etc/config/firewall:

config include 'yourscriptname'
	option type 'script'
	option path '/path/to/yourscript'
	option reload '1'

cokebar avatar Jan 22 '18 07:01 cokebar
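The pieces discussed above (sotux's gfwlist_init(), phoniwell's extra mangle line for UDP, and cokebar's firewall include with reload '1') fit together into one idempotent include script. The following is an added example written for this thread; it is not the project's ss-rules and not a script any participant posted. It assumes a hypothetical path /etc/shadowsocks-gfwlist.sh for itself and keeps the thread's set name gfwlist (overridable through SET_NAME); the IPT, IPT_MANGLE, IPSET and GFWLIST_UDP variables and the gfwlist_* function names are this example's own. Unlike gfwlist_init() above it checks with iptables -C before inserting, so a firewall reload never stacks duplicate rules, and it reports a missing SS_SPEC_WAN_AC chain (ss-rules not run yet) instead of failing silently.

```shell
#!/bin/sh
# Added example for this thread; it is not the project's ss-rules nor any
# script posted above. Save it at a path of your choosing (the firewall
# include assumes /etc/shadowsocks-gfwlist.sh, a hypothetical path) and
# register it in /etc/config/firewall as a 'script' include with reload '1',
# so it runs on every firewall reload: boot, WAN redial, ss-rules restart.
# Every step is idempotent, so repeated runs never duplicate the rule.

IPT="${IPT:-iptables -t nat}"                   # TCP chain SS_SPEC_WAN_AC lives in nat
IPT_MANGLE="${IPT_MANGLE:-iptables -t mangle}"  # the UDP chain lives in mangle
IPSET="${IPSET:-ipset}"
SET_NAME="${SET_NAME:-gfwlist}"                 # set name used throughout the thread
GFWLIST_UDP="${GFWLIST_UDP:-0}"                 # 1 = also hook the mangle chain for UDP

# Create the ipset only if it is missing. It is never flushed here, so the
# addresses dnsmasq has already resolved survive a shadowsocks restart.
gfwlist_ensure_set() {
    $IPSET -n list "$SET_NAME" >/dev/null 2>&1 \
        || $IPSET create "$SET_NAME" hash:ip
}

# Insert the match rule at position 1 of SS_SPEC_WAN_AC in the table given
# by $1 (e.g. "iptables -t nat"), unless an identical rule is already there
# (iptables -C reports that). Returns 2 when the chain does not exist yet,
# i.e. ss-rules has not run; the include is simply run again on the next
# firewall reload. A failed insert returns iptables' own non-zero status.
gfwlist_ensure_rule() {
    _ipt="$1"
    $_ipt -n -L SS_SPEC_WAN_AC >/dev/null 2>&1 || return 2
    $_ipt -C SS_SPEC_WAN_AC -m set --match-set "$SET_NAME" dst -j SS_SPEC_WAN_FW 2>/dev/null \
        || $_ipt -I SS_SPEC_WAN_AC 1 -m set --match-set "$SET_NAME" dst -j SS_SPEC_WAN_FW
}

# Full pass: set first, then the nat rule for TCP, optionally the mangle
# rule for UDP (the line suggested in the thread for UDP redirection).
gfwlist_apply() {
    gfwlist_ensure_set || return 1
    gfwlist_ensure_rule "$IPT" || return $?
    if [ "$GFWLIST_UDP" = 1 ]; then
        gfwlist_ensure_rule "$IPT_MANGLE" || return $?
    fi
    return 0
}

# Act only where luci-app-shadowsocks is installed (it ships /usr/bin/ss-rules,
# which creates the SS_SPEC_* chains); elsewhere only define the functions.
if [ -x /usr/bin/ss-rules ]; then
    gfwlist_apply
fi
```

To wire it in, append the include stanza from the previous comment to /etc/config/firewall with option path '/etc/shadowsocks-gfwlist.sh' and option reload '1', then run /etc/init.d/firewall reload. Because the firewall include runs after ss-rules has rebuilt its chains, the rule lands on the fresh SS_SPEC_WAN_AC, and the chain check avoids the boot-order error described earlier in the thread for /etc/firewall.user.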

@legendchi Why do you have this problem? luci-app-shadowsocks will add the firewall reload rule during installation. Thus the firewall rules will be re-applied after the WAN reconnects.

The following is excerpted from etc/uci-defaults/luci-shadowsocks, which is extracted from the luci-app-shadowsocks package:

uci -q batch <<-EOF >/dev/null
	delete ucitrack.@shadowsocks[-1]
	add ucitrack shadowsocks
	set ucitrack.@shadowsocks[-1].init=shadowsocks
	commit ucitrack
	delete firewall.shadowsocks
	set firewall.shadowsocks=include
	set firewall.shadowsocks.type=script
	set firewall.shadowsocks.path=/var/etc/shadowsocks.include
	set firewall.shadowsocks.reload=1
	commit firewall
EOF

But if you want to use the gfwlist scheme, you had better choose the ipset name carefully, because /usr/bin/ss-rules (part of the luci-app-shadowsocks package) will only maintain ipset names starting with ss_spec_, like ss_spec_gfwlist.

phoniwell avatar Jan 22 '18 12:01 phoniwell

@cokebar Thank you very much. Following your method, the iptables command ran successfully after the WAN redialed following a link change.

openlcc avatar Jan 22 '18 16:01 openlcc