The dnsmasq is enables rebind protection by default, this reject DNS records that contains reserved address (RFC1918).
Remove argument to disable it:
--stop-dns-rebind
OpenWrt
LUCI
Menu: Network->DHCP and DNS
Unchecked Rebind protection.
Category: 网络相关
网络相关
Transparent proxy with nftables
This is an example of configuring transparent proxy(tproxy) with nftables. The tproxy application is hev-socks5-tproxy
Netfilter rules
DON’T FORGOT TO ADD UPSTREAM ADDRESS TO BYPASS IPSET!!
Or use nftables skuid/skgid match to exclude proxy process.
table inet mangle {
set byp4 {
typeof ip daddr
flags interval
elements = { 0.0.0.0/8, 10.0.0.0/8,
127.0.0.0/8, 169.254.0.0/16,
172.16.0.0/12, 192.0.0.0/24,
192.0.2.0/24, 192.88.99.0/24,
192.168.0.0/16, 198.18.0.0/15,
198.51.100.0/24, 203.0.113.0/24,
224.0.0.0/4, 240.0.0.0-255.255.255.255 }
}
set byp6 {
typeof ip6 daddr
flags interval
elements = { ::,
::1,
::ffff:0:0:0/96,
64:ff9b::/96,
100::/64,
2001::/32,
2001:20::/28,
2001:db8::/32,
2002::/16,
fc00::/7,
fe80::/10,
ff00::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff }
}
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
ip daddr @byp4 return
ip6 daddr @byp6 return
tcp dport { 0-65535 } tproxy to :1088 meta mark set 0x00000440 accept
udp dport { 0-65535 } tproxy to :1088 meta mark set 0x00000440 accept
}
# Only for local mode
chain output {
type route hook output priority mangle; policy accept;
ip daddr @byp4 return
ip6 daddr @byp6 return
tcp dport { 0-65535 } meta mark set 0x00000440
udp dport { 0-65535 } meta mark set 0x00000440
}
}
Routing rules
ip rule add fwmark 1088 table 100 ip route add local default dev lo table 100 ip -6 rule add fwmark 1088 table 100 ip -6 route add local default dev lo table 100 |
See also: https://github.com/heiher/hev-socks5-tproxy/blob/master/README.md
The nftables config file that bypass all IPv4 and IPv6 sets of China: https://gist.githubusercontent.com/heiher/fd001c69eda8d1f87bb66c3f44509c11/raw/nftables.conf
Netfilter hooks into Linux networking packet flows
Introduction to Linux interfaces for virtual networking
Reserved IP addresses
IPv4:
0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4
IPv6:
::/128 ::1/128 ::ffff:0:0/96 ::ffff:0:0:0/96 64:ff9b::/96 100::/64 2001::/32 2001:20::/28 2001:db8::/32 2002::/16 fc00::/7 fe80::/10 ff00::/8
Nginx WebDAV Service
0x01 Installation
git clone --depth 1 https://github.com/heiher/nginx cd nginx git clone --depth 1 https://github.com/heiher/nginx-dav-ext-module ./auto/configure --prefix=/opt/nginx \ --with-compat \ --with-file-aio \ --with-http_addition_module \ --with-http_auth_request_module \ --with-http_dav_module \ --with-http_degradation_module \ --with-http_flv_module \ --with-http_geoip_module \ --with-http_gunzip_module \ --with-http_gzip_static_module \ --with-http_mp4_module \ --with-http_realip_module \ --with-http_secure_link_module \ --with-http_slice_module \ --with-http_ssl_module \ --with-http_stub_status_module \ --with-http_sub_module \ --with-http_v2_module \ --with-pcre-jit \ --with-threads \ --add-module=nginx-dav-ext-module make sudo make install |
0x02 Configuration
Main: /opt/nginx/conf/nginx.conf:
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
dav_ext_lock_zone zone=foo:10m;
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
auth_basic Restricted;
auth_basic_user_file htpasswd;
dav_methods PUT DELETE MKCOL COPY MOVE;
dav_ext_methods PROPFIND PROPPATCH OPTIONS LOCK UNLOCK;
dav_ext_lock zone=foo;
dav_access user:rw group:rw all:r;
client_max_body_size 0;
create_full_put_path on;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
} |
Auth: /opt/nginx/conf/htpasswd:
htpasswd -b -c /opt/nginx/conf/htpasswd YOUR_USERNAME YOUR_PASSWORD |
Start, Stop and Reload:
# Start sudo /opt/nginx/sbin/nginx # Stop sudo /opt/nginx/sbin/nginx -s stop # Reload sudo /opt/nginx/sbin/nginx -s reload |
0x03 Clients
Nautils
Windows 10
Fix authentication and file size limits, open regedit and modify:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters\ BasicAuthLevel = 2 FileSizeLimitInBytes = 0xffffffff |
Over!
江苏电信IPTV组播列表
802.11Q VLAN packet processing
| Tagged packet | Untagged packet | |||
|---|---|---|---|---|
| IN | OUT | IN | OUT | |
| Tagged Port | Unmodified | Unmodified | Tag by PVID | Tag by PVID |
| Untagged Port | Drop | Untag | Tag by PVID | Unmodified |
Over!
Systemd.networkd example
Network setup is performed by systemd.networkd. e.g.
/etc/systemd/network/tun0.network
[Match] Name=tun0 [Network] Address=fc00::2/126 [Route] Destination=::/0
Over!
Transparent proxy per application on Linux
This is a transparent proxy per app based on iptables + network classifier cgroup on Linux, and it’s more general than proxychains.
Build and install tproxy
git clone --recursive https://github.com/heiher/hev-socks5-tproxy cd hev-socks5-tproxy make sudo cp bin/hev-socks5-tproxy /usr/local/bin/ sudo cp conf/main.ini /usr/local/etc/hev-socks5-tproxy.conf |
Install systemd serivce
# /etc/systemd/system/hev-socks5-tproxy.service [Unit] Description=HevSocks5TProxy [Service] User=nobody ExecStart=/usr/local/bin/hev-socks5-tproxy /usr/local/etc/hev-socks5-tproxy.conf KillMode=process Restart=always LimitNOFILE=65536 [Install] WantedBy=multi-user.target |
Install tproxy wrapper
#!/bin/bash # /usr/local/bin/tproxy NET_CLS_DIR="/sys/fs/cgroup/net_cls/tproxy" NET_CLS_ID=88 TP_TCP_PORT=1088 TP_DNS_PORT=5300 if [ ! -e ${NET_CLS_DIR} ]; then sudo sh -c "mkdir -p ${NET_CLS_DIR}; \ chmod 0666 ${NET_CLS_DIR}/cgroup.procs; \ echo ${NET_CLS_ID} > ${NET_CLS_DIR}/net_cls.classid; \ iptables -t nat -D OUTPUT -p tcp \ -m cgroup --cgroup ${NET_CLS_ID} \ -j REDIRECT --to-ports ${TP_TCP_PORT}; \ iptables -t nat -D OUTPUT -p udp --dport 53 \ -m cgroup --cgroup ${NET_CLS_ID} \ -j REDIRECT --to-ports ${TP_DNS_PORT}; \ ip6tables -t nat -D OUTPUT -p tcp \ -m cgroup --cgroup ${NET_CLS_ID} \ -j REDIRECT --to-ports ${TP_TCP_PORT}; \ ip6tables -t nat -D OUTPUT -p udp --dport 53 \ -m cgroup --cgroup ${NET_CLS_ID} \ -j REDIRECT --to-ports ${TP_DNS_PORT}; \ iptables -t nat -I OUTPUT -p tcp \ -m cgroup --cgroup ${NET_CLS_ID} \ -j REDIRECT --to-ports ${TP_TCP_PORT}; \ iptables -t nat -I OUTPUT -p udp --dport 53 \ -m cgroup --cgroup ${NET_CLS_ID} \ -j REDIRECT --to-ports ${TP_DNS_PORT}; \ ip6tables -t nat -I OUTPUT -p tcp \ -m cgroup --cgroup ${NET_CLS_ID} \ -j REDIRECT --to-ports ${TP_TCP_PORT}; \ ip6tables -t nat -I OUTPUT -p udp --dport 53 \ -m cgroup --cgroup ${NET_CLS_ID} \ -j REDIRECT --to-ports ${TP_DNS_PORT};" 2>&1 2> /dev/null fi echo $$ > ${NET_CLS_DIR}/cgroup.procs exec "$@" |
How to use?
tproxy COMMAND # For example tproxy wget http://xxx.com/xxx tproxy makepkg |
Over!