I’ve just set up ss-redir on my Linksys E3000.
- Install Entware on my router; it is running Shibby's Tomato firmware;
- Install shadowsocks-libev;
- Refer to here to set up the iptables rules; I don’t redirect UDP traffic;
- If your DNS is being poisoned, you should fix that first;
Let’s f**k GFW.
Some notes:
I prefer to use ipset, so we don’t need many iptables rules. Below is the relevant part of my iptables setup script:
```sh
#!/bin/sh
# clear any existing ss rules (drop every saved rule mentioning the chain or the set)
iptables-save -c | grep -v "SHADOWSOCKS" | \
    grep -v "gfwlist" | \
    iptables-restore -c 2>/dev/null
IPTA='iptables -t nat -A SHADOWSOCKS'
# create the ss chain in the NAT table
iptables -t nat -N SHADOWSOCKS
# ignore destinations that are not in the gfwlist ipset
$IPTA -m set ! --set gfwlist dst -j RETURN
# redirect everything else to ss-redir's local port
$IPTA -p tcp -j REDIRECT --to-ports 1081
# hook forwarded (LAN client) TCP traffic into the ss chain
iptables -t nat -I PREROUTING -p tcp -j SHADOWSOCKS
# hook the router's own outgoing TCP traffic into the ss chain
iptables -t nat -I OUTPUT -p tcp -j SHADOWSOCKS
```
Of course, using ipset implies that your router has the ipset kernel modules; I add the init script below on my router:
```sh
# load the REDIRECT target and the ipset modules, then create the set
for module in ipt_REDIRECT ip_set ipt_set ip_set_nethash ip_set_iphash
do
    modprobe $module
done
ipset -N gfwlist iphash
```
My dnsmasq supports gfwlist, so the entries of the ipset “gfwlist” do not need to be entered manually, but my dnsmasq config file gets a bit big. Below is part of my script to generate the DNS and ipset related things:
```sh
#!/bin/sh
BASE=/opt/shadowsocks
DNSMASQ=$BASE/dnsmasq.d
GFWLIST=$DNSMASQ/gfwlist.conf
TMPFILE=/tmp/gfwlist.tmp
TMPLIST=/tmp/gfwlist.conf
URL=<some url to get gfwlist.conf>
# below change to your secure DNS
DNS=127.0.0.1#5353

set -e
[ -d $DNSMASQ ] || mkdir -p $DNSMASQ
curl -s $URL > $TMPFILE
# rewrite the upstream of every server= line to our secure DNS
sed -i "s|^\(server.*\)/[^/]*$|\1/$DNS|" $TMPFILE
# keep only the server= and ipset= lines
echo . > $TMPLIST
grep "^server" $TMPFILE >> $TMPLIST
grep "^ipset" $TMPFILE >> $TMPLIST
sed "1d" -i $TMPLIST
# update conf file
mv $TMPLIST $GFWLIST
echo Update done.
# flush ipset
echo flush ipset.
ipset -F gfwlist
# restart dnsmasq
echo restart dnsmasq.
service dnsmasq restart
```
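The generator above flushes the ipset and restarts dnsmasq as soon as the new file is in place, so a bad download (an empty file, or one whose `server=` lines still point at the original upstream) silently leaves domains unredirected or resolved through the poisoned path. The check below is an added example, not part of the original post or of any shadowsocks/dnsmasq tooling; it assumes only the two dnsmasq line formats the script produces (`server=/domain/upstream` and `ipset=/domain/setname`) and the constructed sample data at the bottom.

```sh
#!/bin/sh
# Added example, not part of the original post: sanity-check a generated
# gfwlist.conf before flushing the ipset and restarting dnsmasq.
# Assumes the dnsmasq line formats used by the generator script:
#   server=/example.com/127.0.0.1#5353   (resolve via the secure upstream)
#   ipset=/example.com/gfwlist           (put resolved addresses in the set)

# check_gfwlist_conf FILE DNS SETNAME
# Prints each problem found; returns 0 when FILE is consistent, 1 otherwise.
check_gfwlist_conf() {
    conf=$1; dns=$2; setname=$3; rc=0

    # An empty file usually means the download failed (curl -s hides HTTP
    # errors); restarting dnsmasq now would stop all redirection.
    if ! grep -q -E '^(server|ipset)=' "$conf"; then
        echo "no server=/ipset= lines in $conf"; return 1
    fi

    # Every server= line must send the domain to the secure upstream.
    bad=$(grep '^server=' "$conf" | grep -v "/$dns\$" || true)
    [ -z "$bad" ] || { echo "server lines not using $dns:"; echo "$bad"; rc=1; }

    # Every ipset= line must feed the set that the iptables rules match on.
    bad=$(grep '^ipset=' "$conf" | grep -v "/$setname\$" || true)
    [ -z "$bad" ] || { echo "ipset lines not using $setname:"; echo "$bad"; rc=1; }

    # A domain needs both lines: server= alone resolves cleanly but is not
    # redirected; ipset= alone is redirected but resolved via the poisoned path.
    srv=$(sed -n 's|^server=/\([^/]*\)/.*|\1|p' "$conf" | sort -u | tr '\n' ' ')
    ips=$(sed -n 's|^ipset=/\([^/]*\)/.*|\1|p' "$conf" | sort -u | tr '\n' ' ')
    for d in $srv; do
        case " $ips " in *" $d "*) ;; *) echo "server= without ipset=: $d"; rc=1 ;; esac
    done
    for d in $ips; do
        case " $srv " in *" $d "*) ;; *) echo "ipset= without server=: $d"; rc=1 ;; esac
    done
    return $rc
}

# Constructed sample for a stand-alone run (not real gfwlist data):
# example.com is correct, example.org keeps a foreign upstream and has no
# ipset= line, example.net is in the set but never gets a server= line.
SAMPLE=/tmp/gfwlist.check.conf
cat > "$SAMPLE" <<'EOF'
server=/example.com/127.0.0.1#5353
ipset=/example.com/gfwlist
server=/example.org/8.8.8.8
ipset=/example.net/gfwlist
EOF
check_gfwlist_conf "$SAMPLE" 127.0.0.1#5353 gfwlist || echo "config has problems, not restarting dnsmasq"
```

In the generator script this would sit between the `mv $TMPLIST $GFWLIST` step and the `ipset -F gfwlist` flush, run against `$TMPLIST` before the move, so that a broken download never replaces the working config.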