Commit aa49462

Andy Yezonyitoo
authored and committed
Document redir iptables setup
1 parent c4d8d18 commit aa49462

1 file changed

Lines changed: 34 additions & 0 deletions

README.md

@@ -435,6 +435,40 @@ Redirects connections with `iptables` configurations to the port that `sslocal`
435435
- (optional) `--tcp-redir` sets TCP mode to `REDIRECT` (Linux)
436436
- (optional) `--udp-redir` sets UDP mode to `TPROXY` (Linux)
437437

438+
#### Linux iptables example
439+
440+
`iptables` transparent redirection must point to a `redir` listener. Do not redirect traffic to a `socks` or `http`
441+
listener, because `REDIRECT`/`TPROXY` sends the original TCP/UDP flow without a SOCKS handshake or HTTP `CONNECT`
442+
request. Use `--protocol socks` or `--protocol http` only for applications that can speak those proxy protocols
443+
directly.
444+
445+
For a minimal TCP-only setup on the local machine:
446+
447+
```bash
448+
# Start sslocal in redir mode. The fwmark lets iptables skip sslocal's own
449+
# outbound connection to the Shadowsocks server and avoid a proxy loop.
450+
sudo sslocal -b "127.0.0.1:60080" --protocol redir \
451+
-s "server.example.com:8388" -m "aes-256-gcm" -k "hello-kitty" \
452+
--tcp-redir "redirect" --outbound-fwmark 255
453+
454+
# Redirect locally generated TCP connections to sslocal.
455+
sudo iptables -t nat -N shadowsocks-redir
456+
for addr in 0/8 10/8 100.64/10 127/8 169.254/16 172.16/12 192.168/16 224/4 240/4; do
457+
sudo iptables -t nat -A shadowsocks-redir -d "$addr" -j RETURN
458+
done
459+
sudo iptables -t nat -A shadowsocks-redir -m mark --mark 0xff/0xff -j RETURN
460+
sudo iptables -t nat -A shadowsocks-redir -p tcp -j REDIRECT --to-ports 60080
461+
sudo iptables -t nat -A OUTPUT -p tcp -j shadowsocks-redir
462+
```
463+
464+
For TCP+UDP, LAN gateway, IPv6, or ipset-based routing, adapt the examples in
465+
[`configs/iptables_mixed.sh`](configs/iptables_mixed.sh) or [`configs/iptables_tproxy.sh`](configs/iptables_tproxy.sh)
466+
and run `sslocal` with `--tcp-redir "tproxy" --udp-redir "tproxy"`.
467+
468+
If the Shadowsocks server itself must be reached through an HTTP or SOCKS proxy, combine redir mode with the
469+
`outbound_proxy` configuration option. This routes `sslocal`'s outbound TCP connection through that proxy; UDP traffic
470+
is not proxied by `outbound_proxy`.
471+
438472
### Tun interface client
439473

440474
**NOTE**: It currently only supports
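Review bot: the fwmark exclusion (the `--outbound-fwmark 255` flag on line 452 and the `-m mark --mark 0xff/0xff -j RETURN` rule on line 459) is the only guard against a redirect loop in this rule set, and it silently stops working if `sslocal` is ever started without the privilege needed to set the socket mark; the example only works because it runs under `sudo`. Add a belt-and-braces bypass for the server itself ahead of the `REDIRECT` rule, for example `sudo iptables -t nat -A shadowsocks-redir -d <server IP> -j RETURN`, and state in the prose that `--outbound-fwmark` needs root or equivalent capability, because a loop here sends `sslocal`'s own outbound connection back to `127.0.0.1:60080` until the connection table fills. Two smaller points: `sudo iptables -t nat -N shadowsocks-redir` on line 455 fails on a second run because the chain already exists, so a `-F`/`-X` cleanup or an existence check would make the snippet re-runnable; and the `-p tcp -j REDIRECT --to-ports 60080` rule on line 460 catches every TCP destination outside the listed private and special-use ranges, including plaintext DNS over TCP, which is worth saying explicitly since readers of a "minimal" example may not expect it.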
