{"id":13775616,"url":"https://github.com/witee/note-shadowsocks","last_synced_at":"2025-05-11T08:32:36.182Z","repository":{"id":26500794,"uuid":"29953249","full_name":"Witee/Note-shadowsocks","owner":"Witee","description":"Building a circumvention network on a company gateway with shadowsocks","archived":false,"fork":false,"pushed_at":"2018-12-16T03:28:51.000Z","size":107,"stargazers_count":66,"open_issues_count":0,"forks_count":16,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-11-17T10:40:05.857Z","etag":null,"topics":["dnsmasq","dnsmasq-ipset","ipset","iptables","shadowsocks"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Witee.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-01-28T06:01:35.000Z","updated_at":"2023-09-15T08:57:19.000Z","dependencies_parsed_at":"2022-08-17T17:05:26.169Z","dependency_job_id":null,"html_url":"https://github.com/Witee/Note-shadowsocks","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Witee%2FNote-shadowsocks","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Witee%2FNote-shadowsocks/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Witee%2FNote-shadowsocks/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Witee%2FNote-shadowsocks/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Witee","download_url":"https://codeload.github.com/Witee/Note-shadowsocks/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253540092,"owners_count":21924518,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dnsmasq","dnsmasq-ipset","ipset","iptables","shadowsocks"],"created_at":"2024-08-03T17:01:42.664Z","updated_at":"2025-05-11T08:32:35.908Z","avatar_url":"https://github.com/Witee.png","language":"Shell","funding_links":[],"categories":["\u003ca id=\"af9d2b4988d35a2a634c042a1c66bb8c\"\u003e\u003c/a\u003eTools"],"sub_categories":["\u003ca id=\"6e28befd418dc5b22fb3fd234db322d3\"\u003e\u003c/a\u003eCircumvention"],"readme":"## Notes: using shadowsocks + dnsmasq + ipset + iptables to build a transparent proxy for an office network (smart circumvention)\n\n\n\n\u003e update: \n\u003e According to the relevant provisions of the Cybersecurity Law of the People's Republic of China, “circumventing the firewall” is illegal; this article is for learning and exchange only.\n\n\n\u003e Most write-ups on the Internet cover configuring `shadowsocks` on `openWRT` routers;\nwhat I write here is the configuration for an office network, and I hope it helps.\n\n\n- Software used\n\n  - `shadowsocks` : https://github.com/shadowsocks/shadowsocks-libev\n\n  - `dnsmasq`: http://www.thekelleys.org.uk/dnsmasq/doc.html\n\n\n- Network topology\n\n    ![images](https://github.com/Witee/shadowsocks/blob/master/imgs/tuopu1.png)\n\n\n  - The gateway server has two network interfaces: `eth1` faces the internal network and `eth0` faces the Internet. Packets from the internal network are forwarded to the Internet with `iptables nat`:\n\n    ```\n      -A POSTROUTING ! -s 192.168.2.1/32 -j SNAT --to-source xxx.xxx.xxx.xxx\n    ```\n\n    The following diagram of the `iptables` tables and chains helps in understanding the `iptables` setup:\n\n    ![iptables](https://github.com/Witee/shadowsocks/blob/master/imgs/iptables.png)\n\n\n  - `dnsmasq` is installed on the gateway to provide a local DNS service\n\n\n- Diagram of accessing foreign websites through the proxy server\n\n  ![tuopu2](https://github.com/Witee/shadowsocks/blob/master/imgs/tuopu2.png)\n\n\n\n- Installation on the proxy server:\n\n  - Install the dependencies\n\n    ```\n      yum install build-essential autoconf libtool openssl-devel gcc git -y\n\n    ```\n\n  - Install `shadowsocks`\n\n    ```\n      git clone https://github.com/shadowsocks/shadowsocks-libev.git\n      cd shadowsocks-libev ; ./configure --prefix=/usr/local/shadowsocks\n      make; make install; mkdir /usr/local/shadowsocks/etc/\n    ```\n\n  - `shadowsocks` configuration file; `ss-local`, `ss-server` and `ss-redir` all use the same configuration\n\n    ```\n      cat /usr/local/shadowsocks/etc/config.json\n      {\n        \"server\":\"your.server.ip.x\",\n        \"server_port\":1194,\n        \"local_port\":1080,\n        \"password\":\"your_passwd\",\n        \"timeout\":600,\n        \"method\":\"aes-256-cfb\"\n      }\n      Explanation:\n      {\n          \"server\":\"[server IP address]\",\n          \"server_port\":[server port],\n          \"local_port\":[local port],\n          \"password\":\"[password]\",\n          \"timeout\":600,\n          \"method\":\"[encryption method]\"\n      }\n    ```\n\n  - Start-up script\n\n    ```\n      [root@localhost ~]# cat /etc/init.d/shadowsocks\n      #!/bin/bash\n\n      start() {\n          echo \"Starting ss-server...\"\n          /usr/bin/nohup /usr/local/shadowsocks/bin/ss-server -c /usr/local/shadowsocks/etc/config.json \u003e\u003e/tmp/shadowsock.log 2\u003e\u00261 \u0026\n      }\n      stop() {\n          echo \"Stopping ss-server...\"\n          killall ss-server\n      }\n\n      case $1 in\n          start)\n              start\n              ;;\n          stop)\n              stop\n              ;;\n          *)\n              echo \"Usage : $0 start|stop\"\n              ;;\n      esac\n\n      [root@localhost ~]# chmod 755 /etc/init.d/shadowsocks\n      [root@localhost ~]# /etc/init.d/shadowsocks start\n\n    ```\n\n\n- Installation on the gateway server:\n\n  - `shadowsocks` is installed the same way as above with the same configuration file; the start-up script is slightly modified:\n\n    ```\n      [root@localhost ~]# cat /etc/init.d/shadowsocks\n      #!/bin/bash\n\n      start() {\n          echo \"Starting ss-redir...\"\n          /usr/bin/nohup /usr/local/shadowsocks/bin/ss-redir -c /usr/local/shadowsocks/etc/config.json \u003e\u003e/tmp/shadowsock.log 2\u003e\u00261 \u0026\n      }\n      stop() {\n          echo \"Stopping ss-redir...\"\n          killall ss-redir\n      }\n\n      case $1 in\n          start)\n              start\n              ;;\n          stop)\n              stop\n              ;;\n          *)\n              echo \"Usage : $0 start|stop\"\n              ;;\n      esac\n\n    ```\n\n  - The gateway server runs `ss-redir`, which is the program used for transparent proxying; if you only want to browse from the local machine, use `ss-local`.\n    At this point the tunnel between the proxy server and the gateway server is established.\n\n\n  - Requests passing through the gateway server are forwarded to the local tunnel, i.e. port `1080`, which achieves the proxying. Done that way, however, every request would go through the proxy, so it has to be turned around: only requests to specified IPs are forwarded to the tunnel.\n\n    ```\n      [root@localhost tmp]# cat ss-black.sh\n      #!/bin/sh\n\n      #create a new chain named SHADOWSOCKS\n      iptables -t nat -N SHADOWSOCKS\n\n      #Redirect what you want\n\n      #Google\n      iptables -t nat -A SHADOWSOCKS -p tcp -d 74.125.0.0/16 -j REDIRECT --to-ports 1080\n      iptables -t nat -A SHADOWSOCKS -p tcp -d 173.194.0.0/16 -j REDIRECT --to-ports 1080\n\n      #Youtube\n      iptables -t nat -A SHADOWSOCKS -p tcp -d 208.117.224.0/19 -j REDIRECT --to-ports 1080\n      iptables -t nat -A SHADOWSOCKS -p tcp -d 209.85.128.0/17 -j REDIRECT --to-ports 1080\n\n      #Twitter\n      iptables -t nat -A SHADOWSOCKS -p tcp -d 199.59.148.0/22 -j REDIRECT --to-ports 1080\n      iptables -t nat -A SHADOWSOCKS -p tcp -d 205.164.0.0/16 -j REDIRECT --to-ports 1080\n\n      #Shadowsocks.org\n      iptables -t nat -A SHADOWSOCKS -p tcp -d 199.27.76.133/32 -j REDIRECT --to-ports 1080\n\n      #1024\n      iptables -t nat -A SHADOWSOCKS -p tcp -d 184.154.128.246/32 -j REDIRECT --to-ports 1080\n\n      #Anything else should be ignored\n      iptables -t nat -A SHADOWSOCKS -p tcp -j RETURN\n\n      # Apply the rules\n      iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS\n\n    ```\n\n  The script above is one found on the Internet; only the addresses in its list go through the proxy.\n  But then the address list has to be maintained by hand, so a smarter method is needed, namely obtaining these IP addresses automatically.\n\n  The method: resolve the domain names through an unpolluted DNS server and write the resolved IPs into the list.\n\n  - Implementation:\n\n    - `yum install ipset`: for how to use `ipset` and how `ipset` relates to `iptables`, please `google` it yourself\n\n    - `ipset -N setmefree iphash`: create a new `IP` pool; the `IP`s in the pool can be listed with `ipset list`, and it is empty for now\n\n    - Add the `iptables` rules\n\n      ```\n        iptables -t nat -A PREROUTING -p tcp -m multiport --dports 443 -m set --match-set setmefree dst -j REDIRECT --to-ports 1080\n        iptables -t nat -A PREROUTING -p tcp -m multiport --dports 80 -m set --match-set setmefree dst -j REDIRECT --to-ports 1080\n        iptables -t nat -A PREROUTING -p tcp -j RETURN\n      ```\n\n      `tcp` requests to ports `80 443` whose destination address is in the pool are redirected to port `1080` (through the proxy); everything else bypasses the proxy.\n      The name `setmefree` must match the name used with `ipset -N`.\n\n    - The pool is empty for now, so no requests go through the proxy. Addresses can be added by hand with `ipset -A setmefree ip/mask`,\n      after which `ipset list` shows them, but this is still not very smart, so `dnsmasq` is used to add `IP` addresses to the pool automatically.\n\n    - The method:\n\n        Download the `dnsmasq` source tarball from the official site and install it; it cannot be installed directly with `yum`, because the `yum` build does not support `ipset`.\n        At the time of writing the `dnsmasq` version is `dnsmasq-2.72.tar.gz`; unless there has been a major update, download the latest version.\n\n        ```\n          tar -zxf dnsmasq-2.72.tar.gz; cd dnsmasq-2.72\n        ```\n\n       The installation method is in `setup.html` in that folder, i.e. simply `make install`,\n       which installs the program to `/usr/local/sbin/dnsmasq`; then `cp dnsmasq.conf.example /etc/dnsmasq.conf`.\n       Running `dnsmasq` directly starts it; the configuration is read from `/etc/dnsmasq.conf`.\n       In the configuration file, enable and specify the file `conf-file=/etc/dnsmasq.d/xxx.conf`,\n       and set the contents of `xxx.conf` to:\n\n        ```\n          #Google and Youtube\n          server=/.google.com/208.67.222.222#443\n          server=/.google.com.hk/208.67.222.222#443\n          server=/.gstatic.com/208.67.222.222#443\n          server=/.ggpht.com/208.67.222.222#443\n          server=/.googleusercontent.com/208.67.222.222#443\n          server=/.appspot.com/208.67.222.222#443\n          server=/.googlecode.com/208.67.222.222#443\n          server=/.googleapis.com/208.67.222.222#443\n          server=/.gmail.com/208.67.222.222#443\n          server=/.google-analytics.com/208.67.222.222#443\n          server=/.youtube.com/208.67.222.222#443\n          server=/.googlevideo.com/208.67.222.222#443\n          server=/.youtube-nocookie.com/208.67.222.222#443\n          server=/.ytimg.com/208.67.222.222#443\n          server=/.blogspot.com/208.67.222.222#443\n          server=/.blogger.com/208.67.222.222#443\n\n          #FaceBook\n          server=/.facebook.com/208.67.222.222#443\n          server=/.thefacebook.com/208.67.222.222#443\n          server=/.facebook.net/208.67.222.222#443\n          server=/.fbcdn.net/208.67.222.222#443\n          server=/.akamaihd.net/208.67.222.222#443\n\n          #Twitter\n          server=/.twitter.com/208.67.222.222#443\n          server=/.t.co/208.67.222.222#443\n          server=/.bitly.com/208.67.222.222#443\n          server=/.twimg.com/208.67.222.222#443\n          server=/.tinypic.com/208.67.222.222#443\n          server=/.yfrog.com/208.67.222.222#443\n\n          #Dropbox\n          server=/.dropbox.com/208.67.222.222#443\n\n          #1024\n          server=/.t66y.com/208.67.222.222#443\n\n          #shadowsocks.org\n          server=/.shadowsocks.org/208.67.222.222#443\n\n          #btdigg\n          server=/.btdigg.org/208.67.222.222#443\n\n          #sf.net\n          server=/.sourceforge.net/208.67.222.222#443\n\n          #feedly\n          server=/.feedly.com/208.67.222.222#443\n\n          # Here Comes The ipset\n\n          #Google and Youtube\n          ipset=/.google.com/setmefree\n          ipset=/.google.com.hk/setmefree\n          ipset=/.gstatic.com/setmefree\n          ipset=/.ggpht.com/setmefree\n          ipset=/.googleusercontent.com/setmefree\n          ipset=/.appspot.com/setmefree\n          ipset=/.googlecode.com/setmefree\n          ipset=/.googleapis.com/setmefree\n          ipset=/.gmail.com/setmefree\n          ipset=/.google-analytics.com/setmefree\n          ipset=/.youtube.com/setmefree\n          ipset=/.googlevideo.com/setmefree\n          ipset=/.youtube-nocookie.com/setmefree\n          ipset=/.ytimg.com/setmefree\n          ipset=/.blogspot.com/setmefree\n          ipset=/.blogger.com/setmefree\n\n          #FaceBook\n          ipset=/.facebook.com/setmefree\n          ipset=/.thefacebook.com/setmefree\n          ipset=/.facebook.net/setmefree\n          ipset=/.fbcdn.net/setmefree\n          ipset=/.akamaihd.net/setmefree\n\n          #Twitter\n          ipset=/.twitter.com/setmefree\n          ipset=/.t.co/setmefree\n          ipset=/.bitly.com/setmefree\n          ipset=/.twimg.com/setmefree\n          ipset=/.tinypic.com/setmefree\n          ipset=/.yfrog.com/setmefree\n\n          #Dropbox\n          ipset=/.dropbox.com/setmefree\n\n          #1024\n          ipset=/.t66y.com/setmefree\n\n          #shadowsocks.org\n          ipset=/.shadowsocks.org/setmefree\n\n          #btdigg\n          ipset=/.btdigg.org/setmefree\n\n          #sf.net\n          ipset=/.sourceforge.net/setmefree\n\n          #feedly\n          ipset=/.feedly.com/setmefree\n\n        ```\n\n      Note that the `server=` and `ipset=` entries correspond one to one: the `IP`s resolved through `dnsmasq` are written into the address pool (`setmefree`).\n\n      Start `dnsmasq`; `ipset list` only shows addresses once something has been accessed, and from then on traffic to ports `80 443` of the addresses in the list goes through the proxy.\n\n\n- Notes\n\n  - The `dns` used in `xxx.conf` must be unpolluted, i.e. not forcibly resolved to wrong addresses. `208.67.222.222` is `OpenDNS`,\n    which supports non-standard ports (443, 5353) but is said to be unstable; when it is unstable, domain names not in the list cannot be resolved.\n    So another `dnsmasq` can be installed on the proxy server with a larger cache (`cache-size=1000000`),\n    resolving foreign `IP`s through the `opendns` entry in `resolv-file=/etc/dnsmasq.resolv.conf`;\n    the gateway server then resolves through the proxy server's `dns`, so that when `opendns` is unstable the `dns` cache on the proxy server can still answer.\n\n  - `dnsmasq` is installed on the proxy server in the same way; only the configuration differs:\n\n    ```\n      cache-size=1000000\n      resolv-file=/etc/dnsmasq.resolv.conf\n      # cat  /etc/dnsmasq.resolv.conf\n      # nameserver 208.67.222.222     # but by default port 53 is used; please google how to query on port 443\n    ```\n\n  - Addresses in `ipset list` are never removed automatically, so it is best to run `ipset flush setmefree` periodically to clear the `IP`s in `setmefree` and make sure they are all valid.\n\n  - A `squid` forward proxy can also be installed on the gateway server.\n\n\n- The configuration is now complete\n\n\nIf this helped you, please click `Star` in the upper right corner\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwitee%2Fnote-shadowsocks","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwitee%2Fnote-shadowsocks","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwitee%2Fnote-shadowsocks/lists"}