Category: 网络相关
网络相关
OpenWrt: Set policy routing
function put_route() {
ip route del default dev pppoe-wanct proto static table 100
ip route add default dev pppoe-wanct proto static table 100
ip rule del pref 32760
ip rule add pref 32760 from ${1} lookup 100
}
put_route ${ip}SSH: Use legacy SCP protocol
Issue
/usr/libexec/sftp-server: not found
-O Use the legacy SCP protocol for file transfers instead of the SFTP protocol. Forcing the use of the SCP protocol may be necessary for servers that do not implement SFTP, for backwards-compatibility for particular filename wildcard patterns and for expanding paths with a ‘~’ prefix for older SFTP servers.
Block QUIC
nftables
udp dport { 80, 443 } reject with icmpx port-unreachableiptables
-p udp --match multiport --dports 80,443 -j REJECTSystemd network DHCP and Static at same time
/etc/systemd/network/eth0.network
[Match] Name=eth0 [Network] DHCP=yes [Address] Address=104.21.64.95/32 [Address] Address=2606:4700:3037::ac43::1/64
Linux socket bind IPv6 only
Socket options
IPv6 support some protocol-specific socket options that can be set with setsockopt and read with getsockopt. The socket option level for IPv6 is IPPROTO_IPV6. A boolean integer flag is zero with it is false, otherwise true.
IPV6_V6ONLY
If this flag is set to true (nonzero), then the socket is restricted to sending and receiving IPv6 packets only. In this case, an IPv4 and an IPv6 application can bind to a single port at the same time.
If this flag is set to false (zero), then the socket can be used to send and receive packets to and from an IPv6 address or an IPv4-mapped IPv6 address.
The argument is a pointer to a boolean value in an integer.
The default value for this flag is defined by the contents of the file /proc/sys/net/ipv6/bindv6only. The default value for that file is 0 (false).
Example
int one = 1; setsockopt (fd, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof (one));
IP addr-label persistent by systemd
This is an example shows how to make IP address label persistent by systemd-networkd.
/etc/systemd/network/eth0.network :
[Match] Name=eth0 [Network] Address=192.168.0.1/24 Gateway=192.168.0.254 DNS=192.168.0.254 [IPv6AddressLabel] Label=100 Prefix=2409::/16 [IPv6AddressLabel] Label=100 Prefix=2606::/16
It’s successful if you can see labels that you configured :
$ ip addrlprefix ::1/128 label 0 prefix ::/96 label 3 prefix ::ffff:0.0.0.0/96 label 4 prefix 2001::/32 label 6 prefix 2001:10::/28 label 7 prefix 2606::/16 dev br0 label 100 prefix 2409::/16 dev br0 label 100 prefix 3ffe::/16 label 12 prefix 2002::/16 label 2 prefix fec0::/10 label 11 prefix fc00::/7 label 5 prefix ::/0 label 1
dnsmasq can’t resolve domains that points to reserved addresses
The dnsmasq is enables rebind protection by default, this reject DNS records that contains reserved address (RFC1918).
Remove argument to disable it:
--stop-dns-rebind
OpenWrt
LUCI
Menu: Network->DHCP and DNS
Unchecked Rebind protection.
Transparent proxy with nftables
This is an example of configuring transparent proxy(tproxy) with nftables. The tproxy application is hev-socks5-tproxy
Netfilter rules
DON’T FORGOT TO ADD UPSTREAM ADDRESS TO BYPASS IPSET!!
Or use nftables skuid/skgid match to exclude proxy process.
table inet mangle {
set byp4 {
typeof ip daddr
flags interval
elements = { 0.0.0.0/8, 10.0.0.0/8,
127.0.0.0/8, 169.254.0.0/16,
172.16.0.0/12, 192.0.0.0/24,
192.0.2.0/24, 192.88.99.0/24,
192.168.0.0/16, 198.18.0.0/15,
198.51.100.0/24, 203.0.113.0/24,
224.0.0.0/4, 240.0.0.0-255.255.255.255 }
}
set byp6 {
typeof ip6 daddr
flags interval
elements = { ::,
::1,
::ffff:0:0:0/96,
64:ff9b::/96,
100::/64,
2001::/32,
2001:20::/28,
2001:db8::/32,
2002::/16,
fc00::/7,
fe80::/10,
ff00::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff }
}
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
ip daddr @byp4 return
ip6 daddr @byp6 return
tcp dport { 0-65535 } tproxy to :1088 meta mark set 0x00000440 accept
udp dport { 0-65535 } tproxy to :1088 meta mark set 0x00000440 accept
}
# Only for local mode
chain output {
type route hook output priority mangle; policy accept;
ip daddr @byp4 return
ip6 daddr @byp6 return
tcp dport { 0-65535 } meta mark set 0x00000440
udp dport { 0-65535 } meta mark set 0x00000440
}
}
Routing rules
ip rule add fwmark 1088 table 100
ip route add local default dev lo table 100
ip -6 rule add fwmark 1088 table 100
ip -6 route add local default dev lo table 100
See also: https://github.com/heiher/hev-socks5-tproxy/blob/master/README.md
The nftables config file that bypass all IPv4 and IPv6 sets of China: https://gist.githubusercontent.com/heiher/fd001c69eda8d1f87bb66c3f44509c11/raw/nftables.conf
