How to redirect gfwlist related tcp and dns request to your proxy server?|再见理想

Prepare

After you finish setup merlin, please go to router manage page.

enable custom domain with dnsmasq
1. merlin already contain dnsmasq service
2. you can check dnsmasq port netstat -naut|grep 53
3. follow tutorial
setup entware environment
1. entware is a package manage tool for router
2. install entware on /jffs/
3. merlin contain a setup script to install entware, but that script not accept /jffs/ as the target partition at default
4. find out the script find / -name entware-setup.sh
5. copy cp FILE /jffs/
6. modify it to accept /jffs/ as the target partition sed -i "s/|ext4'/|ext4|jffs'/g" /jffs/entware-setup.sh
7. run it /jffs/entware-setup.sh
8. because merlin not expect entware install to jffs partition, so we need fix some scripts
9. add /jffs/scripts/init-start file, insert ln -nsf /jffs/entware /tmp/opt to the beginning
10. please check reason why we choose init-start on this wiki
install proxy soft and utils
1. proxy tcp request opkg install shadowsocks-libev-ss-redir
2. proxy dns request opkg install shadowsocks-libev-ss-tunnel
3. dependence of gfwlist2dnsmasq.sh opkg install coreutils-mktemp coreutils-base64
4. convert tool curl https://raw.githubusercontent.com/cokebar/gfwlist2dnsmasq/master/gfwlist2dn smasq.sh -o /jffs/scripts/gfwlist2dnsmasq.sh

Config

Now let’s config system to intercept tcp and dns request.

dynamic generate dnsmasq rule

you can add custom domain to custom_gfwlist.txt

touch /jffs/config/custom_gfwlist.txt
ipset -N gfwlist iphash
cat >/jffs/scripts/gendnsmasq.sh <<EOF
/jffs/scripts/gfwlist2dnsmasq.sh -s gfwlist -o /jffs/configs/dnsmasq.conf.add  --extra-domain-file /jffs/configs/custom_gfwlist.txt
service restart_dnsmasq
EOF
chmod uga+x /jffs/scripts/gendnsmasq.sh

any time if you want to update rule just run /jffs/scripts/gendnsmasq.sh

config proxy server

you can config the common server info in /jffs/config/ss.json

cat > /jffs/config/ss.json <<EOF
{
"server":"ip",
"server_port":port,
"password":"password",
"method":"aes-256-cfb"
}   
EOF

you can create a script to manage proxy server, let’s call it /opt/etc/init.d/sst

cat > /opt/etc/init.d/sst <<EOF
ENABLED=yes
PROCS=ss-tunnel
ARGS="-c /jffs/configs/ss.json -l 5353 -L 8.8.8.8:53 -U"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ -z "$(which $PROCS)" ] && exit 0
. /opt/etc/init.d/rc.func  
EOF
chmod uga+x /opt/etc/init.d/sst

now start proxy server/opt/etc/init.d/sst start

Test dns request=>dnsmasq=>ipset can success
1. no ip in ipsetipset list gfwlist
2. on your laptop dig @router.ip google.com
3. now ipset contain one google ipipset list gfwlist
intercept all dns request to dnsmasq
1. iptables -t nat -N intercept_dns
2. iptables -t nat -A intercept_dns -p udp --dport 53 -j REDIRECT --to-ports 53
3. iptables -t nat -A PREROUTING -p udp -j intercept_dns
Test dns request=>iptable=>dnsmasq can success
1. on your laptop dig google.com, should return result as dig @router.ip google.com
now we already redirect gfwlist related dns request to our proxy server, next tcp request will be easy.

create ssr script and start it /opt/etc/init.d/ssr start

cat >  /opt/etc/init.d/ssr <<EOF
ENABLED=yes
PROCS=ss-redir
ARGS="-c /jffs/configs/ss.json -b 0.0.0.0 -l 1080"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ -z "$(which $PROCS)" ] && exit 0
. /opt/etc/init.d/rc.func
EOF
chmod uga+x /opt/etc/init.d/ssr

intercept tcp request to proxy
1. iptables -t nat -N intercept_gfwlist
2. iptables -t nat -A intercept_gfwlist -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 1080
3. iptables -t nat -A PREROUTING -p tcp -j intercept_gfwlist
auto start up proxy server, add action to wlan-start

the best practice is write cru command cru a sst "*/1 * * * * /jffs/scripts/sst_start" and cru a sst "*/1 * * * * /jffs/scripts/ssr_start" to wlan-start, so that system will keep watch your ss-tunnel and ss-redir process per minute.
auto config iptable rules, add action to nat-start, don’t forget ipset -N gfwlist iphash
Done!