Alfred's spAcE



Filed under: Linux, misc — Tags: , , , , — Alfred Yang @ 20:20

I’ve just setup ss-redir on my Linksys E3000.

  1. Install entware on my router, it is using shibby tomato rom;
  2. Install shadowsocks-libev;
  3. Refer to here to setup iptables rules; I don’t redirect UDP traffic;
  4. If your DNS will be poisoned, you should manage to fix it first;

Let’s f**k GFW.

Some notes:

I prefer to use ipset, so we don’t need many iptable rules, below is my part of iptables setup script:


# clear ss rules
iptables-save -c | grep -v "SHADOWSOCKS" | \
 grep -v "gfwlist" | \
 iptables-restore -c 2>/dev/null

IPTA='iptables -t nat -A SHADOWSOCKS'

# create ss chain in table - NAT
iptables -t nat -N SHADOWSOCKS

# ignore not in gfwlist
$IPTA -m set ! --set gfwlist dst -j RETURN

# redirect ss-redir
$IPTA -p tcp -j REDIRECT --to-ports 1081

# redirect NAT output to ss chain
iptables -t nat -I PREROUTING -p tcp -j SHADOWSOCKS

# redirect local output traffic to ss chain
iptables -t nat -I OUTPUT -p tcp -j SHADOWSOCKS

Of coz, using ipset imply that your router has ipset kernel module; I add below init script to my router:

for module in ipt_REDIRECT ip_set ipt_set ip_set_nethash ip_set_iphash 
 modprobe $module
ipset -N gfwlist iphash

My dnsmasq can support gfwlist, so ipset “gfwlist”‘s entries do not need to manual enter, but my dnsmasq config file will be a bit big. Below is part of my script to generate DNS and ipset related things:

URL=<some url to get gfwlist.conf>
# below change to your secure DNS

set -e

[ -d $DNSMASQ ] || mkdir -p $DNSMASQ

curl -s $URL > $TMPFILE

# change to our dns
sed -i "s|^\(server.*\)/[^/]*$|\1/$DNS|" $TMPFILE

echo . > $TMPLIST
grep "^server" $TMPFILE >> $TMPLIST
grep "^ipset" $TMPFILE >> $TMPLIST
sed "1d" -i $TMPLIST

# update conf file
echo Update done.

# flush ipset
echo flush ipset.
ipset -F gfwlist

# restart dnsmasq
echo restart dnsmasq.
service dnsmasq restart


Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: