Я использую Redsocks уже несколько месяцев на машине Ubuntu «18.04.3 LTS (Bionic Beaver)». На этой машине есть iptables, а не nftables. Итак, у меня есть несколько правил перенаправления 80 443 9048, 1935 и так далее.
sudo iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
sudo iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 1935 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 21 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 11371 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 9418 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 6380 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 1935 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 11371 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 9418 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 9418 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 6380 -j REDSOCKS
Я экспортировал эти правила на другую машину, работающую под управлением «Debian GNU / Linux 10 (buster)», на которой есть nftables. Я преобразовал существующие правила благодаря
iptables-save > save.txt
iptables-restore-translate -f save.txt > ruleset.nft
nft -f ruleset.nft
Кажется, ничего не работает, так как команда git или что-то еще просто падает по таймауту.
Вот конфигурация, которую я получаю после импорта правил:
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
}
chain FORWARD {
type filter hook forward priority 0; policy accept;
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority -100; policy accept;
meta l4proto tcp tcp dport 443 counter packets 0 bytes 0 jump REDSOCKS
meta l4proto tcp tcp dport 1935 counter packets 0 bytes 0 jump REDSOCKS
meta l4proto tcp tcp dport 80 counter packets 0 bytes 0 jump REDSOCKS
meta l4proto tcp tcp dport 21 counter packets 0 bytes 0 jump REDSOCKS
meta l4proto tcp tcp dport 9418 counter packets 0 bytes 0 jump REDSOCKS
tcp dport https counter packets 0 bytes 0 jump REDSOCKS
tcp dport 1935 counter packets 0 bytes 0 jump REDSOCKS
tcp dport http counter packets 0 bytes 0 jump REDSOCKS
tcp dport ftp counter packets 0 bytes 0 jump REDSOCKS
tcp dport git counter packets 0 bytes 0 jump REDSOCKS
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority 100; policy accept;
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
meta l4proto tcp tcp dport 443 counter packets 0 bytes 0 jump REDSOCKS
meta l4proto tcp tcp dport 1935 counter packets 0 bytes 0 jump REDSOCKS
meta l4proto tcp tcp dport 80 counter packets 0 bytes 0 jump REDSOCKS
meta l4proto tcp tcp dport 21 counter packets 0 bytes 0 jump REDSOCKS
meta l4proto tcp tcp dport 9418 counter packets 0 bytes 0 jump REDSOCKS
tcp dport https counter packets 0 bytes 0 jump REDSOCKS
tcp dport 1935 counter packets 0 bytes 0 jump REDSOCKS
tcp dport http counter packets 0 bytes 0 jump REDSOCKS
tcp dport ftp counter packets 0 bytes 0 jump REDSOCKS
tcp dport git counter packets 0 bytes 0 jump REDSOCKS
}
chain REDSOCKS {
ip daddr 0.0.0.0/8 counter packets 0 bytes 0 return
ip daddr 10.0.0.0/8 counter packets 0 bytes 0 return
ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
ip daddr 169.254.0.0/16 counter packets 0 bytes 0 return
ip daddr 172.16.0.0/12 counter packets 0 bytes 0 return
ip daddr 192.168.1.0/24 counter packets 0 bytes 0 return
ip daddr 192.168.31.0/24 counter packets 0 bytes 0 return
ip daddr 224.0.0.0/4 counter packets 0 bytes 0 return
ip daddr 240.0.0.0/4 counter packets 0 bytes 0 return
meta l4proto tcp counter packets 0 bytes 0 redirect to :12345
counter packets 0 bytes 0 return
ip daddr 10.0.0.0/8 counter packets 0 bytes 0 return
ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
ip daddr 169.254.0.0/16 counter packets 0 bytes 0 return
ip daddr 172.16.0.0/12 counter packets 0 bytes 0 return
ip daddr 192.168.1.0/24 counter packets 0 bytes 0 return
ip daddr 192.168.31.0/24 counter packets 0 bytes 0 return
ip daddr 224.0.0.0/4 counter packets 0 bytes 0 return
ip daddr 240.0.0.0/4 counter packets 0 bytes 0 return
ip protocol tcp counter packets 0 bytes 0 redirect to :12345
}
}
table ip mangle {
chain PREROUTING {
type filter hook prerouting priority -150; policy accept;
}
chain INPUT {
type filter hook input priority -150; policy accept;
}
chain FORWARD {
type filter hook forward priority -150; policy accept;
}
chain OUTPUT {
type route hook output priority -150; policy accept;
}
chain POSTROUTING {
type filter hook postrouting priority -150; policy accept;
}
}
Что мне не хватает?
Спасибо.