
redir_tun mode seems to also redirect requests sent to public DNS servers to $FORWARD_DNS_REDIRECT #1

Closed
xuhuanxxx opened this issue Apr 5, 2021 · 2 comments

Comments

@xuhuanxxx

In my testing I found that some apps ignore the system DNS and query 8.8.8.8 or 114.114.114.114 directly, and those requests are then redirected as well (8.8.8.8$FORWARD_DNS_REDIRECT). A small change seems to fix this:

ip daddr \$LOCAL_SUBNET tcp dport 53 dnat $FORWARD_DNS_REDIRECT
ip daddr \$LOCAL_SUBNET udp dport 53 dnat $FORWARD_DNS_REDIRECT

One more question: if TCP is forwarded with tproxy while UDP is still handled by tun, how should that be written? The version below did not take effect when I tested it.

table clash {
    chain forward {
        type filter hook prerouting priority 0; policy accept;           
        ip protocol != { tcp, udp } accept
        iif utun accept
        ip daddr \$LOCAL_SUBNET accept
        ip protocol udp mark set $NETFILTER_MARK accept
        ip protocol tcp tproxy to 127.0.0.1$FORWARD_PROXY_REDIREC
    }

    chain forward-dns-redirect {
        type nat hook prerouting priority 0; policy accept;        
        ip protocol != { tcp, udp } accept       
        ip daddr \$LOCAL_SUBNET tcp dport 53 dnat $FORWARD_DNS_REDIRECT
        ip daddr \$LOCAL_SUBNET udp dport 53 dnat $FORWARD_DNS_REDIRECT
    }
}
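To make the effect of the proposed narrowing concrete, here is a small model of the two DNAT variants discussed above (the original "redirect every port-53 packet" rule versus the posted `ip daddr $LOCAL_SUBNET ... dport 53 dnat` rule) run over a few constructed packets. This is an added example, not code from the issue or the project; the values of `LOCAL_SUBNET` and `FORWARD_DNS_REDIRECT` are assumptions, and `Packet`, `original_rule`, `proposed_rule` and `compare` are helpers written for this illustration.

```python
"""Added example: model which DNS packets each prerouting DNAT variant
redirects. Rule semantics follow the issue text; values are constructed."""
import ipaddress
from dataclasses import dataclass

# Assumed values for the script variables the issue refers to.
LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # assumption
FORWARD_DNS_REDIRECT = "127.0.0.1:1053"                # assumption: the "dnat to" target


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"; anything else is accepted untouched
    daddr: str   # destination address as seen at prerouting
    dport: int   # destination port


def original_rule(pkt: Packet):
    """Before the change: every TCP/UDP packet to port 53 is DNATed,
    regardless of which resolver the client chose."""
    if pkt.proto not in ("tcp", "udp"):
        return None
    if pkt.dport == 53:
        return FORWARD_DNS_REDIRECT
    return None


def proposed_rule(pkt: Packet):
    """After the change: only DNS aimed at the local subnet (the router's
    own resolver) is DNATed. Queries that bypass it and go straight to a
    public resolver are left alone here, so the tun/proxy path sees them."""
    if pkt.proto not in ("tcp", "udp"):
        return None
    if pkt.dport == 53 and ipaddress.ip_address(pkt.daddr) in LOCAL_SUBNET:
        return FORWARD_DNS_REDIRECT
    return None


def compare(packets):
    """Return (packet, target-before, target-after) for each sample packet."""
    return [(p, original_rule(p), proposed_rule(p)) for p in packets]


# Constructed sample traffic from a LAN client.
SAMPLE = [
    Packet("udp", "192.168.1.1", 53),       # client honours the system DNS (router)
    Packet("udp", "8.8.8.8", 53),           # app hard-codes a public resolver
    Packet("tcp", "114.114.114.114", 53),   # same, over TCP
    Packet("tcp", "8.8.8.8", 443),          # not DNS; never touched by either rule
    Packet("icmp", "8.8.8.8", 0),           # non-TCP/UDP; accepted early
]

if __name__ == "__main__":
    for pkt, before, after in compare(SAMPLE):
        print(f"{pkt.proto:4} {pkt.daddr:>16}:{pkt.dport:<3} "
              f"before={before} after={after}")
```

The narrowing is only safe when the traffic it stops redirecting is still captured somewhere: with the tun route in place, queries to 8.8.8.8 are handled by the proxy path instead of the local resolver, which is what the issue wants. Without that route the same change would simply let hard-coded resolvers bypass local DNS filtering, so the `iif utun accept` and tun routing should be verified before deploying the restricted rule.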
@yangliu (Owner) commented Jul 20, 2021

I haven't got tproxy working either. I'm not very familiar with nftables and wrote this by trial and error. Thanks for the proposed change, and sorry for seeing it so late.

@yangliu (Owner) commented Jul 20, 2021

One more thing: I'm not sure the nftables in Alpine Linux can use tproxy. I tried it once but forgot which step I got stuck on and gave up... The performance of the tun + redir mode felt acceptable, so I didn't look into it any further.

yangliu added a commit that referenced this issue Jul 20, 2021
@yangliu yangliu closed this as completed Jul 20, 2021