My CentOS 6 machine's IP address is 192.168.56.10 (eth0). I have installed strongSwan and a TPROXY-style transparent proxy (v2ray) with iptables:
iptables:
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:SECGW_IN - [0:0]
-A PREROUTING -j SECGW_IN
-A SECGW_IN -d 127.0.0.1/32 -j RETURN
-A SECGW_IN -d 224.0.0.0/4 -j RETURN
-A SECGW_IN -d 255.255.255.255/32 -j RETURN
-A SECGW_IN -d 192.168.0.0/16 -j RETURN
-A SECGW_IN -d 172.16.0.0/12 -j RETURN
-A SECGW_IN -d 10.0.0.0/8 -j RETURN
-A SECGW_IN -j LOG
-A SECGW_IN -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
-A SECGW_IN -p tcp -j TPROXY --on-port 44380 --tproxy-mark 1
-A SECGW_IN -p udp -j TPROXY --on-port 44380 --tproxy-mark 1
-A SECGW_IN -j DROP
COMMIT
routing table:
[root@proxy logs]# ip rule
0: from all lookup local
200: from all fwmark 0x1 lookup 200
201: from all iif lo lookup 201
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
[root@proxy logs]# ip route show table 200
local default dev lo scope host
[root@proxy logs]#
v2ray as the TPROXY server; config file:
[root@proxy logs]# cat /etc/v2ray/config.json
{
  "log": {
    "loglevel": "debug",
    "access": "/tmp/access.log",
    "error": "/tmp/error.log"
  },
  "inbounds": [
    {
      "tag": "transparent",
      "port": 44380,
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy"
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    },
    {
      "protocol": "blackhole",
      "settings": {},
      "tag": "blocked"
    }
  ],
  "routing": {
    "rules": [
      {
        "type": "field",
        "ip": ["geoip:private"],
        "outboundTag": "blocked"
      }
    ]
  }
}
ipsec.conf
config setup
    cachecrls=yes
    uniqueids=never
    charondebug = "all"

conn %default
    ikelifetime=86400s
    keylife=86400s
    keyingtries=%forever
    keyexchange=ikev1
    authby=secret
    left=192.168.56.10
    leftid=192.168.56.10
    rightid=192.168.66.10
    right=192.168.66.10
    auto=start
    type=tunnel
    leftauth=secret
    rightauth=secret
    ike=aes256-md5-modp1024
    esp=aes256-md5

conn lan2public
    leftsubnet=0.0.0.0/0
    rightsubnet=192.168.66.0/24
    type=tunnel
The IPsec tunnel was installed successfully:
[root@proxy logs]# strongswan status
Security Associations (1 up, 0 connecting):
lan2public[1]: ESTABLISHED 64 minutes ago, 192.168.56.10[192.168.56.10]...192.168.66.10[192.168.66.10]
lan2public{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 33c16d9f_i 5c3b6118_o
lan2public{1}: 0.0.0.0/0 === 192.168.66.0/24
When I use another machine (IP: 192.168.56.25, gateway: 192.168.56.10) and run curl 8.8.8.8, the packet is received by v2ray on 192.168.56.10 (there is some information in v2ray's log); this is correct. I can see the iptables log in /var/log/messages:
May 26 09:06:45 proxy kernel: IN=eth0 OUT= MAC=08:00:27:0b:e3:62:08:00:27:10:ce:7b:08:00 SRC=192.168.56.25 DST=8.8.8.8 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=18010 DF PROTO=TCP SPT=59163 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
When I use another machine (IP: 192.168.66.25, gateway: 192.168.66.10), that machine uses IPsec to reach 192.168.56.10. On 192.168.56.10, after IPsec decryption the packet is written to the ipsec0 interface and then goes to PREROUTING; I can see it in the iptables log:
May 26 10:51:52 proxy kernel: IN=ipsec0 OUT= MAC= SRC=192.168.66.25 DST=8.8.8.8 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24898 DF PROTO=TCP SPT=51379 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
The difference is that there is no MAC address. I cannot see any log from v2ray. Maybe v2ray's socket does not return the SYN/ACK?
Who can explain this? I'd appreciate some help. What am I doing wrong? Thanks a lot.
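Added example (not part of the original post): a small parser for the netfilter LOG lines quoted above, so the eth0 and ipsec0 entries can be compared field by field (ingress interface, MAC presence, TCP flags). It assumes only the standard KEY=VALUE / bare-flag layout of the kernel LOG target; the sample input is the two lines from the post.

```python
"""Parse netfilter (iptables LOG target) lines and compare them per interface."""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# The two LOG lines from the post, used here as sample input.
SAMPLE_LINES = [
    "May 26 09:06:45 proxy kernel: IN=eth0 OUT= MAC=08:00:27:0b:e3:62:08:00:27:10:ce:7b:08:00 "
    "SRC=192.168.56.25 DST=8.8.8.8 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=18010 DF "
    "PROTO=TCP SPT=59163 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "May 26 10:51:52 proxy kernel: IN=ipsec0 OUT= MAC= SRC=192.168.66.25 DST=8.8.8.8 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24898 DF "
    "PROTO=TCP SPT=51379 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0",
]


def parse_netfilter_log(line):
    """Return (fields, flags) for one LOG line.

    fields: dict of KEY=VALUE tokens; empty values are kept (e.g. MAC="" on ipsec0,
            because a tunnel interface has no link-layer header).
    flags : set of bare tokens such as DF (IP don't-fragment) or SYN/ACK/RST.
    """
    payload = line.split("kernel:", 1)[-1]  # drop the syslog prefix if present
    fields, flags = {}, set()
    for token in payload.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        else:
            flags.add(token)
    return fields, flags


def summarize(lines):
    """Group parsed lines by ingress interface with the details worth comparing."""
    by_iface = {}
    for line in lines:
        fields, flags = parse_netfilter_log(line)
        by_iface.setdefault(fields.get("IN", ""), []).append({
            "src": fields.get("SRC"), "dst": fields.get("DST"),
            "proto": fields.get("PROTO"), "dpt": fields.get("DPT"),
            "has_mac": bool(fields.get("MAC")),
            "tcp_flags": sorted(flags & TCP_FLAGS),
        })
    return by_iface


if __name__ == "__main__":
    for iface, packets in summarize(SAMPLE_LINES).items():
        for pkt in packets:
            print(iface, pkt)
```

Run against the two quoted lines it shows that the eth0 entry is an ACK/RST while the ipsec0 entry is the initial SYN, so the two log lines are not the same stage of a connection.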