diff --git a/docs/en/document/level-2/iptables_gid.md b/docs/en/document/level-2/iptables_gid.md index e0c71454b..dedc971dd 100644 --- a/docs/en/document/level-2/iptables_gid.md +++ b/docs/en/document/level-2/iptables_gid.md @@ -1,101 +1,96 @@ --- -title: GID 透明代理 +title: Transparent proxy via GID --- -# 透明代理通过 gid 规避 Xray 流量 +# Transparent proxy to circumvent Xray traffic via GID -在现有的 iptables 透明代理白话文(**[新 V2Ray 白话文指南-透明代理](https://guide.v2fly.org/app/transparent_proxy.html)** 、 **[新 V2Ray 白话文指南-透明代理(TPROXY)](https://guide.v2fly.org/app/tproxy.html)** 、 **[透明代理(TProxy)配置教程](./tproxy)**)教程中,对 Xray 流量的规避处理是打 mark 实现的。即对 Xray 出站流量打 mark,通过设置 iptables 规则对对应 mark 的流量直连,来规避 Xray 流量,防止回环。 +In the existing transparent proxy configuration(**[New V2Ray vernacular tutorial on transparent proxy](https://guide.v2fly.org/app/transparent_proxy.html)** 、 **[New V2Ray vernacular tutorial on transparent proxy (TProxy)](https://guide.v2fly.org/app/tproxy.html)** 、 **[Transparent proxy(TProxy)configuration tutorial](./tproxy.md)**)tutorials, the circumvention of Xray traffic is achieved by using mark. That is, mark outbound traffics and set up iptables rules which directly connect traffics corresponding to the mark, to circumvent the Xray traffic and prevent loop back. -这么做有以下几个问题: +There are several problems with this method: -1. **[莫名流量进入 PREROUTING 链](https://github.com/v2ray/v2ray-core/issues/2621)** +1. **[Inexplicable traffic into PREROUTING chain](https://github.com/v2ray/v2ray-core/issues/2621)** -2. 安卓系统有自己的 mark 机制,该方案在安卓上不可用 +2. Android has its own mark mechanism and this solution is not available on Android -本教程的方案不需要设置 mark,理论性能更高,同时也不存在上述问题。 +The solution in this tutorial does not require a mark setting and has a higher theoretical performance, as well as not having the problems mentioned above. -## 思路 +## Ideas -tproxy 流量只能被 root 权限用户(uid==0)或其他有 CAP_NET_ADMIN 权限的用户接收。 +TProxy traffic can only be received by users with root privileges (uid==0) or other users with CAP_NET_ADMIN privileges. -iptables 规则可以通过 uid(用户 id)和 gid(用户组 id)分流。 +The iptables rules can separate network traffic by uid (user id) and gid (user group id). +Let Xray run on a user with uid==0 but gid!=0. Set the iptables rule to not proxy traffic for that gid to circumvent Xray traffic. -让 Xray 运行在一个 uid==0 但 gid!=0 的用户上,设置 iptables 规则不代理该 gid 的流量来规避 Xray 流量。 +## Configuration Procedure -## 配置过程 +### 1. Preliminary preparation -### 1. 前期准备 +**Android** -**安卓系统** +1. System has root privilege. -1. 系统已 root +2. Install **[busybox](https://play.google.com/store/apps/details?id=stericson.busybox)** -2. 安装 **[busybox](https://play.google.com/store/apps/details?id=stericson.busybox)** +3. There is a terminal that can execute commands, you can use adb shell, termux etc. -3. 有一个可以执行命令的终端,可以使用 adb shell,termux 等。 +**Other Linux system** -**其它 Linux 系统** +Need sudo, iptables-tproxy module and iptables-extra module。 -需要依赖 sudo,iptables 的 tproxy 模块和 extra 模块。 - -一般系统都有自带,openwrt 运行: +Usually the system comes with these functions. If you are using openwrt, you will need to run the following command: ```bash opkg install sudo iptables-mod-tproxy iptables-mod-extra ``` -另附上一些 openwrt 常用的依赖,缺少可能导致 Xray 无法运行 +Also attached are some common dependencies for openwrt, the lack of which may prevent Xray from running ```bash opkg install libopenssl ca-certificates ``` -### 2. 添加用户(安卓用户请忽略) +### 2. Add user (Android users please ignore this section) -安卓系统不支持/etc/passwd 文件来管理用户,请忽略,直接下一步。 +Android does not support managing users by modifying the /etc/passwd file, please ignore it and go straight to the next step. ```bash grep -qw xray_tproxy /etc/passwd || echo "xray_tproxy:x:0:23333:::" >> /etc/passwd ``` -其中 xray_tproxy 是用户名,0 是 uid,23333 是 gid,用户名和 gid 可以自己定,uid 必须为 0。 -检查用户是否添加成功,运行 +where xray_tproxy is the username, 0 is the uid and 23333 is the gid, the username and gid can be set by yourself, the uid must be 0. +To check if the user was added successfully, run ```bash sudo -u xray_tproxy id ``` -显示的结果应该是 uid 为 0,gid 为 23333 +The result displayed should be uid 0 and gid 23333. -### 3. 配置运行 Xray,配置 iptables 规则 +### 3. Configure and run Xray, and configure iptables rules -在现有的 iptables 透明代理白话文(**[新 V2Ray 白话文指南-透明代理](https://guide.v2fly.org/app/transparent_proxy.html)** 、 **[新 V2Ray 白话文指南-透明代理(TPROXY)](https://guide.v2fly.org/app/tproxy.html)** 、 **[透明代理(TProxy)配置教程](./tproxy)**)教程的基础上修改: +In the existing transparent proxy configuration(**[New V2Ray vernacular tutorial on transparent proxy](https://guide.v2fly.org/app/transparent_proxy.html)** 、 **[New V2Ray vernacular tutorial on transparent proxy (TProxy)](https://guide.v2fly.org/app/tproxy.html)** 、 **[Transparent proxy(TProxy)configuration tutorial](../tproxy)**)tutorials, modify: -1. 修改 json 配置文件,删除 mark 相关内容 +1. Modify the json configuration file: remove mark-related content -2. 修改 iptables 规则,删除 mark 相关内容,并在 OUTPUT 链应用规则处添加选项"-m owner ! --gid-owner 23333"。 +2. Modify the iptables rule to remove the mark-related content and add the option at the OUTPUT chain application rule: `-m owner ! --gid-owner 23333` -如: +e.g.: -```bash -iptables -t mangle -A OUTPUT -j XRAY_SELF -``` +`iptables -t mangle -A OUTPUT -j XRAY_SELF` -改为 +Change to -```bash -iptables -t mangle -A OUTPUT -m owner ! --gid-owner 23333 -j XRAY_SELF -``` +`iptables -t mangle -A OUTPUT -m owner ! --gid-owner 23333 -j XRAY_SELF` -3. 修改运行 Xray 的方式,使其运行在 uid 为 0,gid 为 23333 的用户上,参考[这里](#3-配置最大文件大开数运行xray客户端)。 +1. Modify the way you run Xray so that it runs on a user with uid 0 and gid 23333, refer to [here](#_3-configure-and-run-xray-and-configure-iptables-rules). -## 下面提供一个实现 tproxy 全局代理的完整配置过程 +## The following provides a complete configuration process for implementing the tproxy global proxy -### 1. 完成 **[前期准备](#1-前期准备)** 和 **[添加用户](#2-添加用户安卓用户请忽略)** +### 1. Finish **[Preliminary preparation](#_1-preliminary-preparation)** 和 **[Add user](#_2-add-user-android-users-please-ignore-this-section)** -### 2. 准备 Xray 配置文件 +### 2. Preparing Xray profiles -配置 Xray 任意门监听 12345,开启 followRedirect 和 tproxy,不需要设置 sniffing: +Configure Xray to listen to 12345 at dokodemo-door, turn on followRedirect and tproxy, no sniffing required: ```json { @@ -116,120 +111,116 @@ iptables -t mangle -A OUTPUT -m owner ! --gid-owner 23333 -j XRAY_SELF ], "outbounds": [ { - 你的服务器配置 + // Your server configuration } ] } ``` -### 3. 配置最大文件大开数&运行 Xray 客户端 +### 3. Configuring the maximum number of open files and run the Xray client + +About the maximum number of open files, see: **[too many open files issues](https://guide.v2fly.org/app/tproxy.html#解决-too-many-open-files-问题)** + +The current Xray server installed with the official script has the maximum number of open files automatically configured, so no further changes are required. -关于最大文件大开数问题见: **[too many open files 问题](https://guide.v2fly.org/app/tproxy.html#解决-too-many-open-files-问题)** +**Android** -目前 Xray 服务端使用官方脚本安装的已经自动配置了最大文件大开数,无需再修改。 +```bash +ulimit -SHn 1000000 +setuidgid 0:23333 "Command to run Xray"& +``` -**安卓系统** +**Other Linux system** ```bash ulimit -SHn 1000000 -setuidgid 0:23333 "运行Xray的命令"& +sudo -u xray_tproxy "Command to run Xray"& ``` -**其它 Linux 系统** +e.g.: ```bash ulimit -SHn 1000000 -sudo -u xray_tproxy "运行Xray的命令"& +sudo -u xray_tproxy xray -c /etc/xray/config.json & ``` -_第一条命令:_ +_The first command:_ -改变最大打开文件数,只对当前终端有效,每次启动 Xray 前都要运行,该命令是设置客户端的最大文件大开数 +Change the maximum number of open files, valid only for the current terminal and to be run every time before starting Xray, this command is to set the maximum number of open files for the client. -_第二条命令:_ +_The second command:_ -以 uid 为 0,gid 不为 0 的用户来运行 Xray 客户端,后面加&代表放在后台运行 +Run the Xray client as a user with uid 0 and gid not 0, followed by & for running in the background. -**检查最大文件大开数是否设置成功** +**Check if the maximum number of open files is set successfully** ```bash -cat /proc/Xray的pid/limits +cat /proc/"Xray's pid"/limits ``` -找到 max open files 一项,应该是你设置的数值。pid 的获取方法为运行`ps`或`ps -aux`或`ps -a` +Find max open files, which should be the value you set. Xray's pid can be obtained by running `ps` or `ps -aux` or `ps -a` -服务端和客户端都要检查 +Both the server and client side should be checked. -### 4. 设置 iptables 规则 +### 4. Setting up iptables rules -**代理 ipv4** +**Proxy ipv4** ```bash ip rule add fwmark 1 table 100 ip route add local 0.0.0.0/0 dev lo table 100 -# 代理局域网设备 +# Proxy LAN devices iptables -t mangle -N XRAY -# "网关所在ipv4网段" 通过运行命令"ip address | grep -w inet | awk '{print $2}'"获得,一般有多个 -iptables -t mangle -A XRAY -d 网关所在ipv4网段1 -j RETURN -iptables -t mangle -A XRAY -d 网关所在ipv4网段2 -j RETURN -... - -# 组播地址/E类地址/广播地址直连 -iptables -t mangle -A XRAY -d 224.0.0.0/3 -j RETURN +# "ipv4 segment where the gateway is located" is obtained by running the command "ip address | grep -w inet | awk '{print $2}'", usually there are multiple +iptables -t mangle -A XRAY -d "first ipv4 segment where the gateway is located" -j RETURN +iptables -t mangle -A XRAY -d "second ipv4 segment where the gateway is located" -j RETURN +# If the gateway is used as the primary router, add this line, see: [Other considerations for transparent proxy of iptables](https://xtls.github.io/en/documents/level-2/transparent_proxy/transparent_proxy/#proxy-ipv6) +# The "gateway LAN_IPv4 address segment", obtained by running the command "ip address | grep -w "inet" | awk '{print $2}'", is one of the results +iptables -t mangle -A XRAY ! -s "gateway LAN_IPv4 address segment" -j RETURN -#如果网关作为主路由,则加上这一句,见:https://xtls.github.io/documents/level-2/transparent_proxy/transparent_proxy.md#iptables透明代理的其它注意事项 -#网关LAN_IPv4地址段,运行命令"ip address | grep -w "inet" | awk '{print $2}'"获得,是其中的一个 -iptables -t mangle -A XRAY ! -s 网关LAN_IPv4地址段 -j RETURN - -# 给 TCP 打标记 1,转发至 12345 端口 -# mark只有设置为1,流量才能被Xray任意门接受 +# Mark 1 for TCP and forward to port 12345 +# mark can only be set to 1 for the traffic to be accepted by the Xray dokodemo-door iptables -t mangle -A XRAY -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1 iptables -t mangle -A XRAY -p udp -j TPROXY --on-port 12345 --tproxy-mark 1 -# 应用规则 +# Apply rules iptables -t mangle -A PREROUTING -j XRAY -# 代理网关本机 +# Proxy gateway itself iptables -t mangle -N XRAY_MASK -iptables -t mangle -A XRAY_MASK -m owner --gid-owner 23333 -j RETURN -iptables -t mangle -A XRAY_MASK -d 网关所在ipv4网段1 -j RETURN -iptables -t mangle -A XRAY_MASK -d 网关所在ipv4网段2 -j RETURN -... -iptables -t mangle -A XRAY_MASK -d 224.0.0.0/3 -j RETURN +iptables -t mangle -A XRAY_MASK -d "the first ipv4 segment where the gateway is located" -j RETURN +iptables -t mangle -A XRAY_MASK -d "the second ipv4 segment where the gateway is located" -j RETURN + iptables -t mangle -A XRAY_MASK -j MARK --set-mark 1 -iptables -t mangle -A OUTPUT -p tcp -j XRAY_MASK -iptables -t mangle -A OUTPUT -p udp -j XRAY_MASK +iptables -t mangle -A OUTPUT -m owner ! --gid-owner 23333 ! -p icmp -j XRAY_MASK ``` -**代理 ipv6(可选)** +**Proxy ipv6 (optional)** ```bash ip -6 rule add fwmark 1 table 106 ip -6 route add local ::/0 dev lo table 106 -# 代理局域网设备 +# Proxy LAN devices ip6tables -t mangle -N XRAY6 -# "网关所在ip6网段" 通过运行命令"ip address | grep -w inet6 | awk '{print $2}'"获得。 -ip6tables -t mangle -A XRAY6 -d 网关所在ipv6网段1 -j RETURN -ip6tables -t mangle -A XRAY6 -d 网关所在ipv6网段2 -j RETURN -... +# The "ipv6 segment where the gateway is located" is obtained by running the command "ip address | grep -w inet6 | awk '{print $2}'". +ip6tables -t mangle -A XRAY6 -d "the first ipv6 segment where the gateway is located" -j RETURN +ip6tables -t mangle -A XRAY6 -d "the second ipv6 segment where the gateway is located" -j RETURN -# 如果网关作为主路由,则加上这一句,见:https://xtls.github.io/documents/level-2/transparent_proxy/transparent_proxy.md#iptables透明代理的其它注意事项 -# 网关LAN_IPv6地址段,运行命令"ip address | grep -w "inet6" | awk '{print $2}'"获得,是其中的一个 -ip6tables -t mangle -A XRAY6 ! -s 网关LAN_IPv6地址段 -j RETURN +# If the gateway is used as the primary router, add this line, see: [Other considerations for transparent proxy of iptables](https://xtls.github.io/en/documents/level-2/transparent_proxy/transparent_proxy/#proxy-ipv6) +# The "gateway LAN_IPv6 address segment", obtained by running the command "ip address | grep -w "inet6" | awk '{print $2}'", is one of the results +ip6tables -t mangle -A XRAY6 ! -s "gateway LAN_IPv6 address segment" -j RETURN ip6tables -t mangle -A XRAY6 -p udp -j TPROXY --on-port 12345 --tproxy-mark 1 ip6tables -t mangle -A XRAY6 -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1 ip6tables -t mangle -A PREROUTING -j XRAY6 -# 代理网关本机 +# Proxy gateway itself ip6tables -t mangle -N XRAY6_MASK -ip6tables -t mangle -A XRAY6_MASK -m owner --gid-owner 23333 -j RETURN -ip6tables -t mangle -A XRAY6_MASK -d 网关所在ipv6网段1 -j RETURN -ip6tables -t mangle -A XRAY6_MASK -d 网关所在ipv6网段2 -j RETURN -... +ip6tables -t mangle -A XRAY6_MASK -d "the first ipv6 segment where the gateway is located" -j RETURN +ip6tables -t mangle -A XRAY6_MASK -d "the second ipv6 segment where the gateway is located" -j RETURN + ip6tables -t mangle -A XRAY6_MASK -j MARK --set-mark 1 -ip6tables -t mangle -A OUTPUT -p tcp -j XRAY6_MASK -ip6tables -t mangle -A OUTPUT -p udp -j XRAY6_MASK +ip6tables -t mangle -A OUTPUT -m owner ! --gid-owner 23333 ! -p icmp -j XRAY6_MASK ```