Fix code style & description

pull/48/head
hmol233 2021-05-26 20:05:44 +08:00
parent b632259605
commit bf007a8a09
No known key found for this signature in database
GPG Key ID: D617A9DAB0C992D5
1 changed files with 45 additions and 13 deletions


@ -1,11 +1,10 @@
--- ---
date: "2020-12-23T00:00:00.000Z" title: Transparent proxy via GID
description: Project X Documentation.
title: Transparent proxy to circumvent Xray traffic via gid
weight: 3
--- ---
In the existing transparent proxy configuration(**[New V2Ray vernacular tutorial on transparent proxy](https://guide.v2fly.org/app/transparent_proxy.html)** 、 **[New V2Ray vernacular tutorial on transparent proxy (TProxy)](https://guide.v2fly.org/app/tproxy.html)** 、 **[Transparent proxyTProxyconfiguration tutorial](../tproxy)**)tutorials, the circumvention of Xray traffic is achieved by using mark. That is, mark the Xray outbound traffic and circumvent the Xray traffic by setting up iptables rules for direct connection of the traffic corresponding to the mark to prevent loopback. # Transparent proxy to circumvent Xray traffic via GID
In the existing transparent proxy configuration(**[New V2Ray vernacular tutorial on transparent proxy](https://guide.v2fly.org/app/transparent_proxy.html)** 、 **[New V2Ray vernacular tutorial on transparent proxy (TProxy)](https://guide.v2fly.org/app/tproxy.html)** 、 **[Transparent proxyTProxyconfiguration tutorial](./tproxy.md)**)tutorials, the circumvention of Xray traffic is achieved by using mark. That is, mark outbound traffics and set up iptables rules which directly connect traffics corresponding to the mark, to circumvent the Xray traffic and prevent loop back.
There are several problems with this method: There are several problems with this method:
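Review bot: the relative link for the TProxy tutorial changes to `./tproxy.md` on the intro line of this hunk, but the same link in the later hunk under "### 3. Configure and run Xray, and configure iptables rules" still reads `../tproxy`; pick one form so both references resolve the same way. In the front matter, the old side carried two `title:` keys and the new side keeps one but shows no `date:` line at all (11 lines become 10); if the site generator uses `date` for ordering or display, keep it alongside the single title.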
@ -14,14 +13,18 @@ There are several problems with this method:
2. Android has its own mark mechanism and this solution is not available on Android 2. Android has its own mark mechanism and this solution is not available on Android
The solution in this tutorial does not require a mark setting and has a higher theoretical performance, as well as not having the problems mentioned above. The solution in this tutorial does not require a mark setting and has a higher theoretical performance, as well as not having the problems mentioned above.
## Ideas ## Ideas
TProxy traffic can only be received by users with root privileges (uid==0) or other users with CAP_NET_ADMIN privileges. TProxy traffic can only be received by users with root privileges (uid==0) or other users with CAP_NET_ADMIN privileges.
The iptables rules can separate network traffic by uid (user id) and gid (user group id). The iptables rules can separate network traffic by uid (user id) and gid (user group id).
Let Xray run on a user with uid==0 but gid!=0. Set the iptables rule to not proxy traffic for that gid to circumvent Xray traffic. Let Xray run on a user with uid==0 but gid!=0. Set the iptables rule to not proxy traffic for that gid to circumvent Xray traffic.
## Configuration Procedure ## Configuration Procedure
### 1. Preliminary preparation ### 1. Preliminary preparation
**Android** **Android**
1. System has root privilege. 1. System has root privilege.
@ -35,30 +38,41 @@ Let Xray run on a user with uid==0 but gid!=0. Set the iptables rule to not prox
Need sudo, iptables-tproxy module and iptables-extra module。 Need sudo, iptables-tproxy module and iptables-extra module。
Usually the system comes with these functions. If you are using openwrt, you will need to run the following command: Usually the system comes with these functions. If you are using openwrt, you will need to run the following command:
```bash ```bash
opkg install sudo iptables-mod-tproxy iptables-mod-extra opkg install sudo iptables-mod-tproxy iptables-mod-extra
``` ```
Also attached are some common dependencies for openwrt, the lack of which may prevent Xray from running Also attached are some common dependencies for openwrt, the lack of which may prevent Xray from running
```bash ```bash
opkg install libopenssl ca-certificates opkg install libopenssl ca-certificates
``` ```
### 2. Add user (Android users please ignore this section) ### 2. Add user (Android users please ignore this section)
Android does not support managing users by modifying the /etc/passwd file, please ignore it and go straight to the next step. Android does not support managing users by modifying the /etc/passwd file, please ignore it and go straight to the next step.
```bash ```bash
grep -qw xray_tproxy /etc/passwd || echo "xray_tproxy:x:0:23333:::" >> /etc/passwd grep -qw xray_tproxy /etc/passwd || echo "xray_tproxy:x:0:23333:::" >> /etc/passwd
``` ```
where xray_tproxy is the username, 0 is the uid and 23333 is the gid, the username and gid can be set by yourself, the uid must be 0. where xray_tproxy is the username, 0 is the uid and 23333 is the gid, the username and gid can be set by yourself, the uid must be 0.
To check if the user was added successfully, run To check if the user was added successfully, run
```bash ```bash
sudo -u xray_tproxy id sudo -u xray_tproxy id
``` ```
The result displayed should be uid 0 and gid 23333. The result displayed should be uid 0 and gid 23333.
### 3. Configure and run Xray, and configure iptables rules ### 3. Configure and run Xray, and configure iptables rules
In the existing transparent proxy configuration(**[New V2Ray vernacular tutorial on transparent proxy](https://guide.v2fly.org/app/transparent_proxy.html)** 、 **[New V2Ray vernacular tutorial on transparent proxy (TProxy)](https://guide.v2fly.org/app/tproxy.html)** 、 **[Transparent proxyTProxyconfiguration tutorial](../tproxy)**)tutorials, modify: In the existing transparent proxy configuration(**[New V2Ray vernacular tutorial on transparent proxy](https://guide.v2fly.org/app/transparent_proxy.html)** 、 **[New V2Ray vernacular tutorial on transparent proxy (TProxy)](https://guide.v2fly.org/app/tproxy.html)** 、 **[Transparent proxyTProxyconfiguration tutorial](../tproxy)**)tutorials, modify:
1. Modify the json configuration file: remove mark-related content 1. Modify the json configuration file: remove mark-related content
2. Modify the iptables rule to remove the mark-related content and add the option at the OUTPUT chain application rule: "-m owner ! --gid-owner 23333" 2. Modify the iptables rule to remove the mark-related content and add the option at the OUTPUT chain application rule: `-m owner ! --gid-owner 23333`
e.g.: e.g.:
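Review bot: the passwd line `xray_tproxy:x:0:23333:::` creates a second uid-0 account and deserves one sentence on its fields: `x` in the password field points to /etc/shadow, where no entry is created, so no password login is possible, and the empty gecos/home/shell fields are intentional because the account is only ever entered through `sudo -u xray_tproxy` as the doc does. Saying so keeps readers from "fixing" it by assigning a password or a login shell. Two smaller points in the same hunk: `-m owner ! --gid-owner 23333` matches the primary gid of the process that created the socket, which is exactly what the passwd gid field sets, so the `sudo -u xray_tproxy id` check (expect gid 23333) is the right verification; and gid 23333 needs no matching /etc/group entry for the match to work, which is worth stating since the doc never creates one.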
@ -68,11 +82,16 @@ Change to
`iptables -t mangle -A OUTPUT -m owner ! --gid-owner 23333 -j XRAY_SELF` `iptables -t mangle -A OUTPUT -m owner ! --gid-owner 23333 -j XRAY_SELF`
1. Modify the way you run Xray so that it runs on a user with uid 0 and gid 23333, refer to [here](#3-the_maximum_number_of_file_wide_openings). 1. Modify the way you run Xray so that it runs on a user with uid 0 and gid 23333, refer to [here](#_3-configure-and-run-xray-and-configure-iptables-rules).
## The following provides a complete configuration process for implementing the tproxy global proxy ## The following provides a complete configuration process for implementing the tproxy global proxy
### 1. Finish **[Preliminary preparation](#1-Preliminary_preparation)** 和 **[Add user](#2-Add_user)**
### 1. Finish **[Preliminary preparation](#_1-preliminary-preparation)** 和 **[Add user](#_2-add-user-android-users-please-ignore-this-section)**
### 2. Preparing Xray profiles ### 2. Preparing Xray profiles
Configure Xray to listen to 12345 at dokodemo-door, turn on followRedirect and tproxy, no sniffing required: Configure Xray to listen to 12345 at dokodemo-door, turn on followRedirect and tproxy, no sniffing required:
```json ```json
{ {
"inbounds": [ "inbounds": [
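Review bot: the anchor on the `refer to [here]` line now points to `#_3-configure-and-run-xray-and-configure-iptables-rules`, which is the heading of the section this very list item sits under, so the link loops back to itself; the old anchor text (`the_maximum_number_of_file_wide_openings`) shows it was meant to reach the later "3. Configuring the maximum number of open files and run the Xray client" step, where running as uid 0 / gid 23333 is actually described. Two style points in the same hunk: the item is numbered `1.` although it follows items 1 and 2 and should be `3.`, and the "### 1. Finish ..." heading still has the Chinese conjunction `和` between the two links, which should be `and`.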
@ -92,49 +111,61 @@ Configure Xray to listen to 12345 at dokodemo-door, turn on followRedirect and t
], ],
"outbounds": [ "outbounds": [
{ {
# Your server configuration // Your server configuration
} }
] ]
} }
``` ```
### 3. Configuring the maximum number of open files and run the Xray client ### 3. Configuring the maximum number of open files and run the Xray client
About the maximum number of open files, see: **[too many open files issues](https://guide.v2fly.org/app/tproxy.html#解决-too-many-open-files-问题)** About the maximum number of open files, see: **[too many open files issues](https://guide.v2fly.org/app/tproxy.html#解决-too-many-open-files-问题)**
The current Xray server installed with the official script has the maximum number of open files automatically configured, so no further changes are required. The current Xray server installed with the official script has the maximum number of open files automatically configured, so no further changes are required.
**Android** **Android**
```bash ```bash
ulimit -SHn 1000000 ulimit -SHn 1000000
setuidgid 0:23333 "Command to run Xray"& setuidgid 0:23333 "Command to run Xray"&
``` ```
**Other Linux system** **Other Linux system**
```bash ```bash
ulimit -SHn 1000000 ulimit -SHn 1000000
sudo -u xray_tproxy "Command to run Xray"& sudo -u xray_tproxy "Command to run Xray"&
``` ```
e.g.: e.g.:
```bash ```bash
ulimit -SHn 1000000 ulimit -SHn 1000000
sudo -u xray_tproxy xray -c /etc/xray/config.json & sudo -u xray_tproxy xray -c /etc/xray/config.json &
``` ```
*The first command:*
_The first command:_
Change the maximum number of open files, valid only for the current terminal and to be run every time before starting Xray, this command is to set the maximum number of open files for the client. Change the maximum number of open files, valid only for the current terminal and to be run every time before starting Xray, this command is to set the maximum number of open files for the client.
*The second command:* _The second command:_
Run the Xray client as a user with uid 0 and gid not 0, followed by & for running in the background. Run the Xray client as a user with uid 0 and gid not 0, followed by & for running in the background.
**Check that the maximum number of open files is set successfully** **Check if the maximum number of open files is set successfully**
```bash ```bash
cat /proc/"Xray's pid"/limits cat /proc/"Xray's pid"/limits
``` ```
Find max open files, which should be the value you set. Xray's pid can be obtained by running `ps` or `ps -aux` or `ps -a` Find max open files, which should be the value you set. Xray's pid can be obtained by running `ps` or `ps -aux` or `ps -a`
Both the server and client side should be checked. Both the server and client side should be checked.
### 4. Setting up iptables rules ### 4. Setting up iptables rules
**Proxy ipv4** **Proxy ipv4**
```bash ```bash
ip rule add fwmark 1 table 100 ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100 ip route add local 0.0.0.0/0 dev lo table 100
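Review bot: the placeholder `// Your server configuration` sits inside a ```json block, and a comment is not valid JSON, so the sample fails in a strict validator or in any tooling that lints code blocks; either state next to the block that Xray's config loader tolerates `//` comments (which is the reason it works when pasted) or use a valid placeholder such as an empty object with the note above the fence. In the pid-lookup sentence, `ps -aux` mixes BSD and POSIX option styles and prints a syntax warning on procps, and `ps -a` lists only processes with a controlling terminal; `pidof xray` or `pgrep -x xray` gives the pid directly. The `cat /proc/"Xray's pid"/limits` check is the right one and worth emphasising rather than trimming: `ulimit -SHn` applies to the calling shell, and `sudo` may apply its own limits (pam_limits) to the child, so the effective value must be read from the running process, not assumed from the shell.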
@ -166,6 +197,7 @@ iptables -t mangle -A OUTPUT -m owner ! --gid-owner 23333 ! -p icmp -j XRAY_MASK
``` ```
**Proxy ipv6 (optional)** **Proxy ipv6 (optional)**
```bash ```bash
ip -6 rule add fwmark 1 table 106 ip -6 rule add fwmark 1 table 106
ip -6 route add local ::/0 dev lo table 106 ip -6 route add local ::/0 dev lo table 106
@ -185,7 +217,7 @@ ip6tables -t mangle -A XRAY6 -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1
ip6tables -t mangle -A PREROUTING -j XRAY6 ip6tables -t mangle -A PREROUTING -j XRAY6
# Proxy gateway itself # Proxy gateway itself
ip6tables -t mangle -N XRAY6_MASK ip6tables -t mangle -N XRAY6_MASK
ip6tables -t mangle -A XRAY6_MASK -d "the first ipv6 segment where the gateway is located" -j RETURN ip6tables -t mangle -A XRAY6_MASK -d "the first ipv6 segment where the gateway is located" -j RETURN
ip6tables -t mangle -A XRAY6_MASK -d "the second ipv6 segment where the gateway is located" -j RETURN ip6tables -t mangle -A XRAY6_MASK -d "the second ipv6 segment where the gateway is located" -j RETURN
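Review bot: the quoted placeholders `"the first ipv6 segment where the gateway is located"` and `"the second ipv6 segment where the gateway is located"` on the `-d ... -j RETURN` rules look like literal arguments, so a reader who pastes the block unchanged gets an ip6tables parse error; writing them as `<gateway-ipv6-prefix-1>/64` style placeholders, and saying that the count depends on how many addresses the gateway has (the words "first" and "second" imply exactly two), would make the substitution obvious. Keep the placeholder style the same in the IPv4 block's matching gateway rules so the two sections read alike.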