Environment

RouterOS gateway: 192.168.100.1
CentOS server: 192.168.100.100

How it works

Replicate the Shadowsocks (SS) proxy service found in Merlin firmware.
RouterOS:

The firewall marks packets bound for ports 80 and 443 on the internet, and a policy route sends them to the CentOS server.

CentOS server:

shadowsocks-libev: provides the DNS forwarding tunnel (ss-tunnel) and the transparent proxy (ss-redir)
dnsmasq: provides DNS resolution and adds the resolved addresses of listed domains to an ipset

RouterOS configuration

# Do not mark the proxy server's own traffic, which would otherwise be routed back to it
/ip firewall mangle add chain=prerouting protocol=tcp src-address=192.168.100.100 dst-port=80,443 action=accept

# Mark all other TCP traffic to ports 80/443 for policy routing
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=to_proxy passthrough=yes protocol=tcp dst-port=80,443

/ip firewall mangle add chain=prerouting action=accept routing-mark=to_proxy

# Marked traffic uses the CentOS server as its gateway
/ip route add dst-address=0.0.0.0/0 gateway=192.168.100.100 check-gateway=ping routing-mark=to_proxy

CentOS configuration

Install shadowsocks-libev and dnsmasq

wget https://copr.fedorainfracloud.org/coprs/librehat/shadowsocks/repo/epel-7/librehat-shadowsocks-epel-7.repo -O /etc/yum.repos.d/librehat-shadowsocks-epel-7.repo

yum install shadowsocks-libev dnsmasq -y

mkdir /data/bin/gfwlist2dnsmasq -pv

cd /data/bin/gfwlist2dnsmasq

git clone https://github.com/cokebar/gfwlist2dnsmasq.git ./

Generate the dnsmasq configuration

./gfwlist2dnsmasq.sh -d 127.0.0.1 -p 8853 -o /etc/dnsmasq.d/dnsmasq_gfwlist.conf -s gfwlist
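The file that gfwlist2dnsmasq.sh writes contains two lines per domain: a `server=/domain/127.0.0.1#8853` line that makes dnsmasq forward queries for the domain and all of its subdomains to the ss-tunnel port, and an `ipset=/domain/gfwlist` line that adds every address in the answers to the ipset. The following Python function is an added example, not code from gfwlist2dnsmasq or from this page; it produces the same two kinds of lines from a plain domain list and drops subdomains that a listed parent already covers (dnsmasq's `/domain/` match includes subdomains). The domain list in the test and the default values are constructed for illustration.

```python
import re


def gfwlist_to_dnsmasq(domains, dns_ip="127.0.0.1", dns_port=8853, ipset_name="gfwlist"):
    """Build dnsmasq lines in the style gfwlist2dnsmasq writes.

    For each kept domain two lines are emitted:
      server=/<domain>/<dns_ip>#<dns_port>  forward the domain (and subdomains) to the tunnel
      ipset=/<domain>/<ipset_name>          add the resolved addresses to the ipset
    A subdomain whose parent is already listed is dropped, because dnsmasq's
    /<domain>/ match already covers it.  Comment lines and blanks are skipped.
    """
    cleaned = set()
    for raw in domains:
        d = raw.strip().lower().lstrip(".")
        # keep only plausible hostnames; anything else is ignored rather than written out
        if not d or d.startswith("#") or not re.fullmatch(r"[a-z0-9.-]+", d):
            continue
        cleaned.add(d)

    # Examine shorter names first so a parent is kept before its subdomains are seen.
    kept = []
    for d in sorted(cleaned, key=lambda s: (s.count("."), s)):
        if any(d == p or d.endswith("." + p) for p in kept):
            continue
        kept.append(d)

    lines = []
    for d in sorted(kept):
        lines.append(f"server=/{d}/{dns_ip}#{dns_port}")
        lines.append(f"ipset=/{d}/{ipset_name}")
    return lines


if __name__ == "__main__":
    # constructed sample list, not the real gfwlist
    sample = ["google.com", "www.google.com", ".Youtube.com", "# a comment", "", "mail.google.com"]
    print("\n".join(gfwlist_to_dnsmasq(sample)))
```

The output can be written to a file under /etc/dnsmasq.d in place of the generated dnsmasq_gfwlist.conf; the port and set name must match the ss-tunnel port and the created ipset, as on this page.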

Add the ipset

ipset create gfwlist hash:ip

cat << "EOF" >> /etc/rc.local
ipset create gfwlist hash:ip
EOF

The set is not persistent, so it is recreated from rc.local at boot; it must exist before the firewall rules that reference it are loaded. On CentOS 7, /etc/rc.d/rc.local is not executable by default, so run chmod +x /etc/rc.d/rc.local for it to be executed at boot.

dnsmasq configuration

cat << "EOF" > /etc/dnsmasq.conf
port=53
resolv-file=/etc/dnsmasq.resolv.conf
conf-dir=/etc/dnsmasq.d
EOF
cat << "EOF" > /etc/dnsmasq.resolv.conf
nameserver 114.114.114.114
EOF

systemctl enable dnsmasq

systemctl start dnsmasq

* Point the LAN's DNS server setting at 192.168.100.100

Shadowsocks configuration

Forwarding DNS queries to Google DNS

cat << "EOF" > /etc/systemd/system/ss-tunnel-8853.service
[Unit]
Description=ss-tunnel-8853
After=syslog.target network.target

[Service]
ExecStart=/usr/bin/ss-tunnel -s <ss-server> -k <ss-password> -p <ss-port> -m aes-256-cfb -u -l 8853 -b 0.0.0.0 -L 8.8.8.8:53

[Install]
WantedBy=multi-user.target
EOF

systemctl start ss-tunnel-8853

systemctl enable ss-tunnel-8853

SS transparent proxy service

cat << "EOF" > /etc/systemd/system/ss-redir-8888.service
[Unit]
Description=ss-redir-8888
After=syslog.target network.target

[Service]
ExecStart=/usr/bin/ss-redir -s <ss-server> -k <ss-password> -p <ss-port> -m aes-256-cfb -l 8888 -b 0.0.0.0

[Install]
WantedBy=multi-user.target
EOF

systemctl start ss-redir-8888

systemctl enable ss-redir-8888

* aes-256-cfb is a legacy stream cipher; shadowsocks-libev recommends an AEAD cipher such as aes-256-gcm or chacha20-ietf-poly1305. Whichever cipher is chosen, the server and both ss-tunnel and ss-redir must use the same one.

Firewall setup

cat << "EOF" > /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
    <rule ipv="ipv4" table="nat" chain="PREROUTING" priority="0">-p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 8888</rule>
    <rule ipv="ipv4" table="nat" chain="OUTPUT" priority="0">-p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 8888</rule>
</direct>
EOF

Run firewall-cmd --reload (or restart firewalld) for the direct rules to take effect; the gfwlist set must already exist or the rules are rejected.

Alternatively, with plain iptables:

iptables -t nat -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 8888
iptables -t nat -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 8888
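The chain only works when values configured in four separate places agree: the port in the dnsmasq server= lines must be ss-tunnel's -l port, the set name in the ipset= lines must be the set created with ipset create and the one named in --match-set, and the REDIRECT --to-port must be ss-redir's -l port. The following script is an added example, not part of this page or of shadowsocks-libev's tooling; it parses in-memory copies of those files, constructed here from the settings above with placeholders in place of the SS server details, and reports every mismatch. On a live host, read the real files (/etc/dnsmasq.d/dnsmasq_gfwlist.conf, the two unit files, /etc/firewalld/direct.xml) instead of the constants.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring the page's settings; SS_SERVER/SS_KEY/SS_PORT are placeholders.
DNSMASQ_GFWLIST_CONF = """\
server=/google.com/127.0.0.1#8853
ipset=/google.com/gfwlist
server=/youtube.com/127.0.0.1#8853
ipset=/youtube.com/gfwlist
"""
SS_TUNNEL_EXECSTART = ("/usr/bin/ss-tunnel -s SS_SERVER -k SS_KEY -p SS_PORT "
                       "-m aes-256-cfb -u -l 8853 -b 0.0.0.0 -L 8.8.8.8:53")
SS_REDIR_EXECSTART = ("/usr/bin/ss-redir -s SS_SERVER -k SS_KEY -p SS_PORT "
                      "-m aes-256-cfb -l 8888 -b 0.0.0.0")
FIREWALLD_DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
    <rule ipv="ipv4" table="nat" chain="PREROUTING" priority="0">-p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 8888</rule>
    <rule ipv="ipv4" table="nat" chain="OUTPUT" priority="0">-p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 8888</rule>
</direct>
"""
IPSET_NAME = "gfwlist"  # the set created with `ipset create gfwlist hash:ip`


def parse_dnsmasq(conf):
    """Return (set of upstreams, set of ipset names) referenced by server=/ipset= lines."""
    upstreams = set(re.findall(r"^server=/[^/]+/(\S+)$", conf, re.M))
    ipsets = set(re.findall(r"^ipset=/[^/]+/(\S+)$", conf, re.M))
    return upstreams, ipsets


def local_port(execstart):
    """Port passed to -l (local listen port) in an ss-tunnel/ss-redir ExecStart, or None."""
    m = re.search(r"(?:^|\s)-l\s+(\d+)", execstart)
    return int(m.group(1)) if m else None


def parse_direct_rules(xml_text):
    """Yield (chain, match-set name, redirect port) for each firewalld direct rule."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for rule in root.findall("rule"):
        args = rule.text or ""
        set_m = re.search(r"--match-set\s+(\S+)\s+dst", args)
        port_m = re.search(r"--to-port\s+(\d+)", args)
        yield (rule.get("chain"),
               set_m.group(1) if set_m else None,
               int(port_m.group(1)) if port_m else None)


def check_chain(dnsmasq_conf, tunnel_exec, redir_exec, direct_xml, ipset_name):
    """Return a list of human-readable mismatches; an empty list means everything lines up."""
    problems = []

    # 1. dnsmasq must forward listed domains to the port ss-tunnel listens on
    upstreams, ipsets = parse_dnsmasq(dnsmasq_conf)
    expected_upstream = f"127.0.0.1#{local_port(tunnel_exec)}"
    for u in sorted(upstreams - {expected_upstream}):
        problems.append(f"dnsmasq forwards to {u} but ss-tunnel listens on {expected_upstream}")

    # 2. dnsmasq must fill the set that was actually created
    for s in sorted(ipsets - {ipset_name}):
        problems.append(f"dnsmasq fills ipset {s!r} but the created set is {ipset_name!r}")

    # 3. both nat chains must redirect matches on that set to ss-redir's port
    redir_port = local_port(redir_exec)
    rules = list(parse_direct_rules(direct_xml))
    for chain in sorted({"PREROUTING", "OUTPUT"} - {c for c, _, _ in rules}):
        problems.append(f"no REDIRECT rule in nat/{chain}")
    for chain, set_name, port in rules:
        if set_name != ipset_name:
            problems.append(f"{chain} rule matches set {set_name!r}, expected {ipset_name!r}")
        if port != redir_port:
            problems.append(f"{chain} rule redirects to port {port} but ss-redir listens on {redir_port}")
    return problems


if __name__ == "__main__":
    found = check_chain(DNSMASQ_GFWLIST_CONF, SS_TUNNEL_EXECSTART, SS_REDIR_EXECSTART,
                        FIREWALLD_DIRECT_XML, IPSET_NAME)
    print("\n".join(found) if found else "configuration is consistent")
```

Two things the files alone do not show: the OUTPUT rule also applies to ss-redir's own outbound connections, so the SS server's address must never end up in the gfwlist set (exempt it with a RETURN rule ahead of the REDIRECT if it can), otherwise the redirect loops back into ss-redir; and because the RouterOS policy route sends all port 80/443 traffic to the CentOS host, traffic for addresses outside the set has to be forwarded onward normally, which requires net.ipv4.ip_forward=1 on that host.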