I'm trying to route all the traffic to my ShadowSocks tproxy access point by configure iptables, however not just the traffic didn't been route to the proxy, I don't think it did anything at all. I did the following commands to configure iptables and start ShadowSocks Tproxy(ss-redir). Note that I was following Shadowsocks's Github page
# Create new chain
iptables -t nat -N SHADOWSOCKS
iptables -t mangle -N SHADOWSOCKS
Ignore your shadowsocks server's addresses
It's very IMPORTANT, just be careful.
iptables -t nat -A SHADOWSOCKS -d ServerIP -j RETURN
Ignore LANs and any other addresses you'd like to bypass the proxy
See Wikipedia and RFC5735 for full list of reserved networks.
See ashi009/bestroutetb for a highly optimized CHN route list.
iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
Anything else should be redirected to shadowsocks's local port
iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345
Add any UDP rules
ip route add local default dev lo table 100
ip rule add fwmark 1 lookup 100
iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x01/0x01
Apply the rules
iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS
iptables -t mangle -A PREROUTING -j SHADOWSOCKS
Start the shadowsocks-redir
ss-redir -s SeverIP -p SeverPort -m chacha20-ietf-poly1305 -k 6d2b5b66-0d3f-4189-a547-501eb658879a -b 127.0.0.1 -l 12345 --no-delay -v -u T </dev/null &>>/var/log/ss-redir.log &
All the commands didn't return error, so I did a check to see current configuration
$ iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 524 packets, 204K bytes)
pkts bytes target prot opt in out source destination
0 0 SHADOWSOCKS 6 -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain SHADOWSOCKS (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN 0 -- * * 0.0.0.0/0 120.233.31.53
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/8
0 0 RETURN 0 -- * * 0.0.0.0/0 10.0.0.0/8
0 0 RETURN 0 -- * * 0.0.0.0/0 127.0.0.0/8
0 0 RETURN 0 -- * * 0.0.0.0/0 169.254.0.0/16
0 0 RETURN 0 -- * * 0.0.0.0/0 172.16.0.0/12
0 0 RETURN 0 -- * * 0.0.0.0/0 192.168.0.0/16
0 0 RETURN 0 -- * * 0.0.0.0/0 224.0.0.0/4
0 0 RETURN 0 -- * * 0.0.0.0/0 240.0.0.0/4
0 0 REDIRECT 6 -- * * 0.0.0.0/0 0.0.0.0/0 redir ports 12345
After all this configuration, I expected to see the iptables redirecting all my networks to the local shadowsocks server and port 12345, but nothing was rerouted, all the packages is just routed perfectly like before I set the NAT. The NAT config somehow didn't do anything.
