香港(运行ss-server提供ss服务) (运行ss-tunnel提供国外解析)
^ ^
| |
| |
通 过 GRE 隧 道 通 信
| |
| |
企业(运行ss-redir提供透明代理) (dnsmasq提供dns缓存 ------> chinadns提供dns国内国外)
# Generated by iptables-save v1.4.21 on Tue Jul 31 14:07:18 2018
*nat
:PREROUTING ACCEPT [21403:2692946]
:INPUT ACCEPT [19319:1147057]
:OUTPUT ACCEPT [15976:1011961]
:POSTROUTING ACCEPT [16288:1056819]
:SHADOWSOCKS - [0:0]
-A PREROUTING -p tcp -j SHADOWSOCKS
-A POSTROUTING -o em1 -j SNAT --to-source 企业公网
-A SHADOWSOCKS -m set --match-set cidr_cn dst -j RETURN
-A SHADOWSOCKS -p tcp -m tcp --dport 26 -j RETURN
-A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
-A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
-A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
-A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
-A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
-A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
-A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
-A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
-A SHADOWSOCKS -d 香港公网/32 -j RETURN
-A SHADOWSOCKS -d 香港GRE内网/32 -j RETURN
-A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 1081 (1081:ss-redir)端口
COMMIT
# Completed on Tue Jul 31 14:07:18 2018
# Generated by iptables-save v1.4.21 on Tue Jul 31 14:07:18 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [27922:2279621]
:OUTPUT ACCEPT [1360453:639193656]
-A INPUT -i lo -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.255.0/24 -j ACCEPT
-A INPUT -s 172.0.0.0/8 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 香港公网//32 -j ACCEPT
-A INPUT -s 企业出口IP/29 -j ACCEPT
-A INPUT -s 企业出口IP//29 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Tue Jul 31 14:07:18 2018
[root@zhongqing-ss-redir ~]# cat /etc/dnsmasq.conf
no-hosts
port=53
strict-order
resolv-file=/etc/resolv.dnsmasq.conf
cache-size=2500
server=127.0.0.1#5353
min-cache-ttl=300
interface="em1"
listen-address=0.0.0.0
conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
[root@zhongqing-ss-redir ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 127.0.0.1
#nameserver 202.106.0.20
#nameserver 114.114.114.114
[root@zhongqing-ss-redir ~]# cat /etc/resolv.dnsmasq.conf
nameserver 127.0.0.1