What is the syntax for doing forwarding with pf together with ipset?

2015-08-11 14:29:22 +08:00
tony1016
I want to follow the OpenWrt example and replicate a chinadns + dnsmasq + ipset + pf transparent-proxy setup for getting over the wall.
chinadns, dnsmasq and ipset all seem doable, but I couldn't find any material on how pf works together with ipset to do forwarding. Has anyone done this?
460 views
Node: macOS
8 replies
regeditms
2015-08-11 15:34:21 +08:00
I'd like to know too. Bumping this; someone who knows, please answer.
tony1016
2015-08-11 15:45:12 +08:00
From what I've found so far, pf supports tables. Don't tell me I'd have to build something that periodically syncs the ipset into a table?
cattyhouse
2015-08-12 09:17:15 +08:00
Isn't ipset a netfilter thing? Linux-only.
PF is the firewall software on OS X.

How would they work together? Can ipset even run on OS X?
tony1016
2015-08-12 09:39:28 +08:00
@cattyhouse OK, looks like I hadn't read enough; ipset can't solve it either.
dnsmasq can't tag domains either, so is this approach dead?
cattyhouse
2015-08-12 09:59:42 +08:00
@tony1016 If you want to do things on the Mac, read the pf docs more; maybe it has something like ipsec built in.
cattyhouse
2015-08-12 10:00:20 +08:00
Correction to the above: ipsec -> ipset
tony1016
2016-01-13 16:57:33 +08:00
I've been thinking lately that maybe pf + redsocks + chinaroute could make a working setup.
tony1016
2016-01-13 23:19:33 +08:00
Spent an evening on it. No success, but here is what I learned.

1. First, the redsocks redirector: obviously it isn't iptables; it seems it can be generic
```
// redsocks.conf: "generic" redirector, since there is no iptables on OS X
base {
    log_debug = on;
    log_info = on;
    daemon = off;
    redirector = generic;
}

// Listener that pf redirects to; upstream is a local SOCKS5 proxy
redsocks {
    local_ip = 0.0.0.0;
    local_port = 1080;
    ip = 127.0.0.1;
    port = 8964;
    type = socks5;
}
```

2. pf's rdr can only redirect incoming traffic, so you first need route-to to turn the request to the outside network into a request to the internal network, and then redirect that to redsocks. I tested with twitter.com as the target
```
# Translation rule: packets arriving on lo0 for the target range go to redsocks
rdr pass log on lo0 inet proto tcp from any to 104.244.0.0/16 -> 127.0.0.1 port 1080
# Filter rule: hairpin outbound TCP for the target range back in through lo0
pass out on en0 route-to lo0 inet proto tcp from en0 to 104.244.0.0/16
```

3. It didn't work. Here are the error logs:

From redsocks:
```
1452697912.242337 main.c:152 main(...) redsocks started
1452697929.371679 redsocks.c:707 redsocks_accept_client(...) [192.168.2.155:52892->127.0.0.1:1080]: accepted
1452697929.372909 redsocks.c:327 redsocks_start_relay(...) [192.168.2.155:52892->127.0.0.1:1080]: data relaying started
1452697929.730668 redsocks.c:392 redsocks_shutdown(...) [192.168.2.155:52892->127.0.0.1:1080]: shutdown(relay, SHUT_RD): Socket is not connected
1452697929.732500 redsocks.c:400 redsocks_shutdown(...) [192.168.2.155:52892->127.0.0.1:1080]: both client and server disconnected
1452697929.732530 redsocks.c:337 redsocks_drop_client(...) [192.168.2.155:52892->127.0.0.1:1080]: dropping client
^C1452698186.130927 main.c:156 main(...) redsocks goes down
```

From pf:
```
No ALTQ support in kernel
ALTQ related functions disabled
ALL tcp 192.168.2.155:52056 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52056 FIN_WAIT_2:ESTABLISHED
ALL tcp 192.168.2.155:52370 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52370 FIN_WAIT_2:ESTABLISHED
ALL tcp 192.168.2.155:52428 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52428 FIN_WAIT_2:ESTABLISHED
ALL tcp 192.168.2.155:52506 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52506 FIN_WAIT_2:ESTABLISHED
ALL tcp 192.168.2.155:52561 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52561 FIN_WAIT_2:ESTABLISHED
ALL tcp 192.168.2.155:52615 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52615 FIN_WAIT_2:ESTABLISHED
ALL tcp 192.168.2.155:52892 -> 104.244.42.1:443 FIN_WAIT_2:FIN_WAIT_2
ALL tcp 127.0.0.1:1080 <- 104.244.42.1:443 <- 192.168.2.155:52892 FIN_WAIT_2:FIN_WAIT_2
```

You can see that pf's redirection seems to be correct: 127.0.0.1:1080 <- 104.244.42.1:443 <- 192.168.2.155:52892
I suspect the problem lies in redsocks on the Mac platform.

Hope comrades who know Mac and FreeBSD can keep digging.
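Picking up the pf-table idea raised earlier in the thread and the rdr/route-to rules in the last post, here is an added example that is not from the thread, from redsocks, or from pf's own documentation: a POSIX shell script that generates a pf ruleset using a table (pf's counterpart of an ipset list), hairpins matching TCP flows through lo0, and redirects them into the redsocks listener. The table name `<proxy>`, the CIDR file path, `en0`, port 1080 and the output path are assumptions; the `pfctl` calls need root on a macOS or BSD host and are not exercised by the generator itself. The sample CIDR list is constructed.

```shell
#!/bin/sh
# Added example (not code from the thread, redsocks or pf): use a pf
# table where the OpenWrt setup uses ipset. Table name <proxy>, the
# CIDR file, en0, port 1080 and /etc/pf.proxy.conf are assumptions.

# Reject the CIDR list unless every non-comment, non-blank line is an
# IPv4 address or IPv4/prefix; a stray hostname would make pfctl refuse
# to load the table file.
validate_cidrs() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | grep -Evq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' && return 1
    return 0
}

# Print a pf.conf fragment. $1 = CIDR file, $2 = outbound interface,
# $3 = redsocks local_port (must match "local_port" in redsocks.conf).
gen_pf_conf() {
    cidr_file=$1; ext_if=${2:-en0}; rs_port=${3:-1080}
    cat <<EOF
# Destinations to proxy, loaded from a file; "persist" keeps the table
# alive even when no rule references it, so it can be edited at runtime.
table <proxy> persist file "$cidr_file"

# Translation (rdr) rules must come before filter rules in pf.conf.
# rdr only sees inbound packets, hence the hairpin through lo0 below.
rdr pass log on lo0 inet proto tcp from any to <proxy> -> 127.0.0.1 port $rs_port

# Send outbound TCP for proxied destinations back in via lo0 so the rdr
# above can catch it; traffic to other destinations leaves $ext_if as usual.
pass out on $ext_if route-to lo0 inet proto tcp from any to <proxy> keep state
EOF
}

# Runtime edits, the pfctl equivalents of "ipset add" and "ipset list";
# they need root and a loaded ruleset, so they only wrap the command.
proxy_add()  { pfctl -t proxy -T add "$1"; }
proxy_show() { pfctl -t proxy -T show; }

# Validate the list, write the ruleset, parse it without loading (-n),
# then enable pf and load it. Returns non-zero on the first failure.
load_proxy_rules() {
    validate_cidrs "$1" || { echo "bad CIDR entry in $1" >&2; return 1; }
    gen_pf_conf "$1" "$2" "$3" > /etc/pf.proxy.conf || return 1
    pfctl -nf /etc/pf.proxy.conf && pfctl -ef /etc/pf.proxy.conf
}
```

Keep the table file to one CIDR per line (comments allowed); `gen_pf_conf` itself is pure text processing, so it can be run on any host to inspect the ruleset before copying it to the Mac, and `validate_cidrs` catches the common mistake of dropping a domain name into a list that pf expects to contain only addresses.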

https://tanronggui.xyz/t/212375