
Forwarded domains don't work #420

Open
yukipastelcat opened this issue Aug 14, 2024 · 1 comment

Comments

@yukipastelcat

yukipastelcat commented Aug 14, 2024

I have the following server configuration:
(three screenshots)
which works in V2BOX on iOS (the following JSON is taken from the app):

{
    "tag": "proxy",
    "protocol": "vmess",
    "streamSettings": {
        "tcpSettings": {
            "header": {
                "type": "http",
                "request": {
                    "path": [
                        "/"
                    ],
                    "headers": {
                        "Pragma": [
                            "no-cache"
                        ],
                        "Host": [
                            "/"
                        ],
                        "Accept-Encoding": [
                            "gzip, deflate"
                        ],
                        "User-Agent": [
                            "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36",
                            "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/53.0.2785.109 Mobile/14A456 Safari/601.1.46"
                        ],
                        "Connection": [
                            "keep-alive"
                        ]
                    },
                    "version": "1.1",
                    "method": "GET"
                }
            }
        },
        "network": "tcp"
    },
    "mux": {
        "concurrency": 50,
        "xudpConcurrency": 128,
        "xudpProxyUDP443": "allow",
        "enabled": false
    },
    "settings": {
        "vnext": [
            {
                "users": [
                    {
                        "level": 8,
                        "security": "aes-128-gcm",
                        "alterId": 0,
                        "email": "",
                        "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
                    }
                ],
                "port": 8081,
                "address": "xxx.xxx.xxx.xxx"
            }
        ]
    }
}

I am trying to proxy only specified domains (whatismyip.com in my case) via FakeDNS, so no servers are selected in General settings:
(two screenshots)
Outbound Routing → Default Ports Policy is set to Forwarded:
(screenshot)

However, if I try to open whatismyip.com (or any forwarded domain), it doesn't work at all. If I enable a global server and try to proxy everything, nothing works.

Unfortunately there seems to be nothing useful in the logs:

Thu Aug 15 00:52:33 2024 daemon.info xray[14056]: 2024/08/14 16:52:33 [Debug] app/dns: domain www.whatismyip.com matches following rules: [whatismyip.com(DNS idx:0)]
Thu Aug 15 00:52:33 2024 daemon.info xray[14056]: 2024/08/14 16:52:33 [Debug] app/dns: domain www.whatismyip.com will use DNS in order: [FakeDNS UDP:1.1.1.1:53]
Thu Aug 15 00:52:33 2024 daemon.info xray[14056]: 2024/08/14 16:52:33 [Info] app/dns: FakeDNS got answer: www.whatismyip.com -> [198.18.50.41]
Thu Aug 15 00:52:36 2024 daemon.info xray[14056]: 2024/08/14 16:52:36 [Debug] [841503327] proxy/dokodemo: processing connection from: 127.0.0.1:55088
Thu Aug 15 00:52:36 2024 daemon.info xray[14056]: 2024/08/14 16:52:36 [Info] [841503327] proxy/dokodemo: received request for 127.0.0.1:55088
Thu Aug 15 00:52:36 2024 daemon.info xray[14056]: 2024/08/14 16:52:36 [Info] [841503327] app/dispatcher: taking detour [dns_server_outbound] for [udp:1.1.1.1:53]
Thu Aug 15 00:52:36 2024 daemon.info xray[14056]: 2024/08/14 16:52:36 [Info] [841503327] proxy/dns: handling DNS traffic to udp:1.1.1.1:53
Thu Aug 15 00:52:36 2024 daemon.info xray[14056]: 2024/08/14 16:52:36 127.0.0.1:55088 accepted udp:1.1.1.1:53 [dns_server_inbound:5301 -> dns_server_outbound]
Thu Aug 15 00:52:44 2024 daemon.info xray[14056]: 2024/08/14 16:52:44 127.0.0.1:54593 accepted udp:1.1.1.1:53 [dns_server_inbound:5300 -> dns_server_outbound]
Thu Aug 15 00:52:44 2024 daemon.info xray[14056]: 2024/08/14 16:52:44 127.0.0.1:54395 accepted udp:1.1.1.1:53 [dns_server_inbound:5300 -> dns_server_outbound]
Thu Aug 15 00:52:44 2024 daemon.info xray[14056]: 2024/08/14 16:52:44 [Debug] [2440868486] proxy/dokodemo: processing connection from: 127.0.0.1:54395
Thu Aug 15 00:52:44 2024 daemon.info xray[14056]: 2024/08/14 16:52:44 [Info] [2440868486] proxy/dokodemo: received request for 127.0.0.1:54395
Thu Aug 15 00:52:44 2024 daemon.info xray[14056]: 2024/08/14 16:52:44 [Debug] [496843350] proxy/dokodemo: processing connection from: 127.0.0.1:54593
Thu Aug 15 00:52:44 2024 daemon.info xray[14056]: 2024/08/14 16:52:44 [Info] [496843350] proxy/dokodemo: received request for 127.0.0.1:54593
Thu Aug 15 00:52:44 2024 daemon.info xray[14056]: 2024/08/14 16:52:44 [Info] [496843350] app/dispatcher: taking detour [dns_server_outbound] for [udp:1.1.1.1:53]
Thu Aug 15 00:52:44 2024 daemon.info xray[14056]: 2024/08/14 16:52:44 [Info] [2440868486] app/dispatcher: taking detour [dns_server_outbound] for [udp:1.1.1.1:53]
Thu Aug 15 00:52:44 2024 daemon.info xray[14056]: 2024/08/14 16:52:44 [Info] [496843350] proxy/dns: handling DNS traffic to udp:1.1.1.1:53
Thu Aug 15 00:52:44 2024 daemon.info xray[14056]: 2024/08/14 16:52:44 [Info] [2440868486] proxy/dns: handling DNS traffic to udp:1.1.1.1:53
Thu Aug 15 00:52:44 2024 daemon.info xray[14056]: 2024/08/14 16:52:44 [Debug] app/dns: domain m.hotmail.com will use DNS in order: [UDP:1.1.1.1:53]

From the logs it seems that the request to whatismyip.com hits FakeDNS, and that's it.

Am I missing something in my configuration? I'm running a fresh installation from https://github.com/yukipastelcat/luci-app-xray.

System info:
(screenshot)
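The reading of the log above (a FakeDNS answer for www.whatismyip.com, then no flow to the fake IP) can be checked mechanically. The script below is an added diagnostic, not part of the issue or of luci-app-xray: it pairs every "FakeDNS got answer" line with the "accepted" lines that target the returned fake IP and reports domains that were resolved but never reached an Xray inbound. The fake pools 198.18.0.0/15 and fc00::/18 are taken from the nft ruleset posted later in the thread; the "working" sample line naming inbound tproxy_tcp_inbound_f4 and outbound "proxy" is constructed for contrast.

```python
"""Correlate Xray FakeDNS answers with the proxied flows that should follow them.

In a working FakeDNS transparent-proxy setup, a line like
    [Info] app/dns: FakeDNS got answer: <domain> -> [<fake ip>]
is followed by at least one
    <client> accepted tcp|udp:<fake ip>:<port> [<inbound> -> <outbound>]
line on a tproxy inbound. A fake IP that is resolved but never appears in an
accepted flow means the client's packets never reached Xray at all, which
points at the firewall redirect rather than at Xray's own routing.
"""
import ipaddress
import re
from collections import defaultdict

# Fake-IP pools that the tp_spec_wan_fw / tp_spec_lan_mf chains in the
# nft ruleset redirect to the tproxy inbounds (values from the issue).
FAKEDNS_POOLS = [ipaddress.ip_network("198.18.0.0/15"), ipaddress.ip_network("fc00::/18")]

FAKE_ANSWER_RE = re.compile(r"FakeDNS got answer: (?P<domain>\S+) -> \[(?P<ips>[^\]]*)\]")
ACCEPTED_RE = re.compile(
    r"(?P<src>\S+) accepted (?P<proto>tcp|udp):(?P<dst>\[[^\]]+\]|[^\s:]+):(?P<port>\d+) "
    r"\[(?P<inbound>.+?) -> (?P<outbound>[^\]]+)\]"
)

# Log lines quoted from the issue (the failing case).
ISSUE_LOG = [
    "Thu Aug 15 00:52:33 2024 daemon.info xray[14056]: 2024/08/14 16:52:33 [Debug] app/dns: "
    "domain www.whatismyip.com will use DNS in order: [FakeDNS UDP:1.1.1.1:53]",
    "Thu Aug 15 00:52:33 2024 daemon.info xray[14056]: 2024/08/14 16:52:33 [Info] app/dns: "
    "FakeDNS got answer: www.whatismyip.com -> [198.18.50.41]",
    "Thu Aug 15 00:52:36 2024 daemon.info xray[14056]: 2024/08/14 16:52:36 127.0.0.1:55088 "
    "accepted udp:1.1.1.1:53 [dns_server_inbound:5301 -> dns_server_outbound]",
]

# Constructed sample of what a working setup would log: the same FakeDNS answer,
# then the client's TCP flow to the fake IP accepted on a fakedns-sniffing inbound.
WORKING_LOG = ISSUE_LOG + [
    "Thu Aug 15 00:52:37 2024 daemon.info xray[14056]: 2024/08/14 16:52:37 192.168.1.20:51234 "
    "accepted tcp:198.18.50.41:443 [tproxy_tcp_inbound_f4 -> proxy]",
]


def in_fake_pool(ip_text):
    """True if ip_text lies inside one of the FakeDNS pools the firewall redirects."""
    try:
        ip = ipaddress.ip_address(ip_text.strip("[]"))
    except ValueError:
        return False
    return any(ip in pool for pool in FAKEDNS_POOLS)


def correlate(lines):
    """Map each FakeDNS-resolved domain to the accepted flows that targeted its fake IP.

    Flows are only counted after the answer that handed out the fake IP, which is
    the order a real client produces (resolve first, then connect).
    """
    fake_ips = {}               # fake ip -> domain it was handed out for
    flows = defaultdict(list)   # fake ip -> [(proto, port, inbound, outbound)]
    for line in lines:
        m = FAKE_ANSWER_RE.search(line)
        if m:
            for ip in m.group("ips").split():
                fake_ips[ip] = m.group("domain")
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            dst = m.group("dst").strip("[]")
            if dst in fake_ips:
                flows[dst].append(
                    (m.group("proto"), int(m.group("port")), m.group("inbound"), m.group("outbound"))
                )
    report = {}
    for ip, domain in fake_ips.items():
        entry = report.setdefault(domain, {"fake_ips": [], "in_pool": True, "flows": []})
        entry["fake_ips"].append(ip)
        entry["in_pool"] = entry["in_pool"] and in_fake_pool(ip)
        entry["flows"].extend(flows[ip])
    return report


def unproxied_domains(lines):
    """Domains that received a fake IP but for which Xray never accepted a connection."""
    return sorted(d for d, info in correlate(lines).items() if not info["flows"])


if __name__ == "__main__":
    for label, log in (("issue log", ISSUE_LOG), ("constructed working log", WORKING_LOG)):
        missing = unproxied_domains(log)
        print(f"{label}: resolved by FakeDNS but never reached an inbound: {missing or 'none'}")
```

A fake IP that is in the pool but never appears in an accepted flow narrows the fault to the path before Xray (the nft tproxy match or the route for the fake pool), not to Xray's outbound routing.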

@yukipastelcat
Author

yukipastelcat commented Aug 14, 2024

Some additional info:

nft list ruleset:

table ip filter {
        chain DOCKER-USER {
                iifname "eth0" oifname "docker0" counter packets 0 bytes 0 xt target "REJECT"
                counter packets 14583 bytes 13019067 return
        }

        chain DOCKER {
        }

        chain DOCKER-ISOLATION-STAGE-1 {
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
                counter packets 14632 bytes 13025923 return
        }

        chain DOCKER-ISOLATION-STAGE-2 {
                oifname "docker0" counter packets 0 bytes 0 drop
                counter packets 0 bytes 0 return
        }

        chain FORWARD {
                type filter hook forward priority filter; policy accept;
                counter packets 14583 bytes 13019067 jump DOCKER-USER
                counter packets 14587 bytes 13019295 jump DOCKER-ISOLATION-STAGE-1
                oifname "docker0" xt match "conntrack" counter packets 0 bytes 0 accept
                oifname "docker0" counter packets 0 bytes 0 jump DOCKER
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
                iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
        }
}
table inet nft-qos-monitor {
        chain upload {
                type filter hook postrouting priority filter; policy accept;
        }

        chain download {
                type filter hook prerouting priority filter; policy accept;
        }
}
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
        chain DOCKER {
                iifname "docker0" counter packets 0 bytes 0 return
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 xt target "MASQUERADE"
        }

        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                xt match "addrtype" counter packets 424 bytes 54872 jump DOCKER
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
                ip daddr != 127.0.0.0/8 xt match "addrtype" counter packets 0 bytes 0 jump DOCKER
        }
}
table inet fw4 {
        ct helper amanda {
                type "amanda" protocol udp
                l3proto inet
        }

        ct helper ftp {
                type "ftp" protocol tcp
                l3proto inet
        }

        ct helper RAS {
                type "RAS" protocol udp
                l3proto inet
        }

        ct helper Q.931 {
                type "Q.931" protocol tcp
                l3proto inet
        }

        ct helper irc {
                type "irc" protocol tcp
                l3proto ip
        }

        ct helper pptp {
                type "pptp" protocol tcp
                l3proto ip
        }

        ct helper sip {
                type "sip" protocol udp
                l3proto inet
        }

        ct helper snmp {
                type "snmp" protocol udp
                l3proto ip
        }

        ct helper tftp {
                type "tftp" protocol udp
                l3proto inet
        }

        set tp_spec_dv4_sp {
                type ipv4_addr
                size 32
                flags interval
                elements = { 0.0.0.0/8, 10.0.0.0/8,
                             100.64.0.0/10, 127.0.0.0/8,
                             169.254.0.0/16, 172.16.0.0/12,
                             192.0.0.0/24, 192.52.193.0/24,
                             192.168.0.0/16, 224.0.0.0/3 }
        }

        set tp_spec_dv6_sp {
                type ipv6_addr
                size 32
                flags interval
                elements = { ::,
                             ::1,
                             ::ffff:0.0.0.0/96,
                             ::ffff:0:0:0/96,
                             64:ff9b::/96,
                             100::/64,
                             2001::/32,
                             2001:20::/28,
                             2001:db8::/32,
                             2002::/16,
                             fc00::/7,
                             fe80::/10,
                             ff00::/8 }
        }

        set tp_spec_dv4_bp {
                type ipv4_addr
                size 3
                flags interval
                elements = { 223.5.5.5 }
        }

        set tp_spec_dv4_fw {
                type ipv4_addr
                size 3
                flags interval
                elements = { 8.8.8.8 }
        }

        set tp_spec_dv4_dg {
                type ipv4_addr
                size 16
                flags interval
                elements = { 10.9.84.33, 10.9.84.254 }
        }

        set tp_spec_dv6_dg {
                type ipv6_addr
                size 16
                flags interval
        }

        chain xray_transparent_proxy {
                type filter hook prerouting priority filter + 10; policy accept;
                meta mark 0x000000fb counter packets 11848 bytes 10354853 goto tp_spec_wan_fw
                ip protocol tcp counter packets 888 bytes 124622 accept
                ip protocol udp counter packets 1218 bytes 117729 accept
                ip6 nexthdr tcp counter packets 1 bytes 84 accept
                ip6 nexthdr udp counter packets 72 bytes 22288 accept
                counter packets 441 bytes 96148 accept
        }

        chain tp_spec_wan_fw {
                ip protocol tcp ip daddr 198.18.0.0/15 counter packets 12 bytes 752 tproxy ip to :1086 accept
                ip protocol udp ip daddr 198.18.0.0/15 counter packets 6 bytes 7368 tproxy ip to :1088 accept
                ip6 nexthdr tcp ip6 daddr fc00::/18 counter packets 0 bytes 0 tproxy ip6 to :1087 accept
                ip6 nexthdr udp ip6 daddr fc00::/18 counter packets 0 bytes 0 tproxy ip6 to :1089 accept
                ip protocol tcp counter packets 5157 bytes 3052338 meta mark set 0x000000ff accept
                ip protocol udp counter packets 6645 bytes 7292085 meta mark set 0x000000ff accept
                ip6 nexthdr tcp counter packets 0 bytes 0 meta mark set 0x000000ff accept
                ip6 nexthdr udp counter packets 0 bytes 0 meta mark set 0x000000ff accept
                counter packets 28 bytes 2310 accept
        }

        chain xray_prerouting {
                type filter hook prerouting priority mangle + 10; policy accept;
                counter packets 14468 bytes 10715724 meta mark set ct mark
                meta mark 0x000000fb counter packets 11511 bytes 10289959 accept comment "Xray remarked from output"
                counter packets 2957 bytes 425765 jump tp_spec_lan_mf comment "Xray FakeDNS / manual transparent proxy"
                ip protocol tcp iifname "br-lan" counter packets 868 bytes 109052 goto tp_spec_lan_ac
                ip protocol udp iifname "br-lan" counter packets 405 bytes 78448 goto tp_spec_lan_ac
                ip6 nexthdr tcp iifname "br-lan" counter packets 1 bytes 84 goto tp_spec_lan_ac
                ip6 nexthdr udp iifname "br-lan" counter packets 72 bytes 22288 goto tp_spec_lan_ac
                ip protocol tcp counter packets 180 bytes 35981 accept
                ip protocol udp counter packets 986 bytes 81180 accept
                ip6 nexthdr tcp counter packets 0 bytes 0 accept
                ip6 nexthdr udp counter packets 0 bytes 0 accept
                counter packets 441 bytes 96148 accept
        }

        chain xray_output {
                type route hook output priority mangle + 10; policy accept;
                ip protocol tcp counter packets 838 bytes 474854 goto tp_spec_wan_ac
                ip protocol udp counter packets 963 bytes 74297 goto tp_spec_wan_ac
                ip6 nexthdr tcp counter packets 1 bytes 60 goto tp_spec_wan_ac
                ip6 nexthdr udp counter packets 8 bytes 1080 goto tp_spec_wan_ac
                counter packets 379 bytes 55278 accept
        }

        chain tp_spec_wan_ac {
                ip protocol tcp meta mark 0x000000fc counter packets 0 bytes 0 accept comment "Xray direct outbound TCP4"
                ip protocol udp meta mark 0x000000fc counter packets 39 bytes 2492 accept comment "Xray direct outbound UDP4"
                ip6 nexthdr tcp meta mark 0x000000fc counter packets 0 bytes 0 accept comment "Xray direct outbound TCP6"
                ip6 nexthdr udp meta mark 0x000000fc counter packets 0 bytes 0 accept comment "Xray direct outbound UDP6"
                meta mark 0x000000fd counter packets 0 bytes 0 accept comment "Xray transparent proxy outbound"
                meta mark 0x000000fe counter packets 4 bytes 256 accept comment "Xray non-IP DNS query outbound"
                meta mark 0x000000ff counter packets 0 bytes 0 accept comment "Xray specified mark 255 outbound"
                counter packets 1767 bytes 547543 jump tp_spec_lan_mf
                counter packets 1767 bytes 547543 goto tp_spec_lan_ac
        }

        chain tp_spec_lan_mf {
                ip protocol tcp ip daddr 198.18.0.0/15 counter packets 2 bytes 128 goto tp_spec_lan_fw comment "Xray FakeDNS IPv4 Pool TCP"
                ip protocol udp ip daddr 198.18.0.0/15 counter packets 2 bytes 2456 goto tp_spec_lan_fw comment "Xray FakeDNS IPv4 Pool UDP"
                ip6 nexthdr tcp ip6 daddr fc00::/18 counter packets 0 bytes 0 goto tp_spec_lan_fw comment "Xray FakeDNS IPv6 Pool TCP"
                ip6 nexthdr udp ip6 daddr fc00::/18 counter packets 0 bytes 0 goto tp_spec_lan_fw comment "Xray FakeDNS IPv6 Pool UDP"
                counter packets 4720 bytes 970724 return
        }

        chain tp_spec_lan_ac {
                ip daddr @tp_spec_dv4_fw counter packets 0 bytes 0 goto tp_spec_lan_fw
                ip daddr @tp_spec_dv4_dg counter packets 0 bytes 0 accept
                ip6 daddr @tp_spec_dv6_dg counter packets 0 bytes 0 accept
                ip daddr @tp_spec_dv4_bp counter packets 0 bytes 0 accept
                ip daddr @tp_spec_dv4_sp counter packets 2495 bytes 662154 accept
                ip6 daddr @tp_spec_dv6_sp counter packets 82 bytes 23512 accept
                counter packets 536 bytes 71749 goto tp_spec_lan_re
        }

        chain tp_spec_lan_re {
                meta l4proto tcp counter packets 310 bytes 26411 goto tp_spec_lan_dd
                meta l4proto udp counter packets 226 bytes 45338 goto tp_spec_lan_dd
                counter packets 0 bytes 0 accept
        }

        chain tp_spec_lan_dd {
                counter packets 536 bytes 71749 goto tp_spec_lan_fw
        }

        chain tp_spec_lan_fw {
                counter packets 540 bytes 74333 meta mark set 0x000000fb goto tp_spec_lan_ct
        }

        chain tp_spec_lan_ct {
                counter packets 540 bytes 74333 ct mark set meta mark accept
        }

        chain input {
                type filter hook input priority filter; policy accept;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "eth0" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
                iifname "docker0" jump input_docker comment "!fw4: Handle docker IPv4/IPv6 input traffic"
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                iifname "docker0" jump forward_docker comment "!fw4: Handle docker IPv4/IPv6 forward traffic"
                jump upnp_forward comment "Hook into miniupnpd forwarding chain"
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "eth0" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
                oifname "docker0" jump output_docker comment "!fw4: Handle docker IPv4/IPv6 output traffic"
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
                iifname "docker0" jump helper_docker comment "!fw4: Handle docker IPv4/IPv6 helper assignment"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_lan
        }

        chain helper_lan {
                udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
                tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
                udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
                tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
                meta nfproto ipv4 tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
                meta nfproto ipv4 tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
                udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
                meta nfproto ipv4 udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
                udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
        }

        chain accept_from_lan {
                iifname "br-lan" counter packets 443 bytes 74793 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname "br-lan" counter packets 22 bytes 3038 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 2 bytes 64 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 3 bytes 160 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                jump reject_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                jump reject_to_wan
        }

        chain accept_to_wan {
                meta nfproto ipv4 oifname "eth0" ct state invalid counter packets 90 bytes 6503 drop comment "!fw4: Prevent NAT leakage"
                oifname "eth0" counter packets 404 bytes 63213 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain reject_from_wan {
                iifname "eth0" counter packets 295 bytes 47327 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain reject_to_wan {
                oifname "eth0" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain input_docker {
                jump accept_from_docker
        }

        chain output_docker {
                jump accept_to_docker
        }

        chain forward_docker {
                jump accept_to_docker
        }

        chain helper_docker {
                udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
                tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
                udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
                tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
                meta nfproto ipv4 tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
                meta nfproto ipv4 tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
                udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
                meta nfproto ipv4 udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
                udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
        }

        chain accept_from_docker {
                iifname "docker0" counter packets 0 bytes 0 accept comment "!fw4: accept docker IPv4/IPv6 traffic"
        }

        chain accept_to_docker {
                oifname "docker0" counter packets 0 bytes 0 accept comment "!fw4: accept docker IPv4/IPv6 traffic"
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
                jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "eth0" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
                jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname "eth0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname "eth0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
        }

        chain upnp_forward {
        }

        chain upnp_prerouting {
        }

        chain upnp_postrouting {
        }
}

fw4 check:

Section @zone[0] (lan) fullcone in defaults not enabled, ignore zone fullcone settings
Section @zone[1] (wan) fullcone in defaults not enabled, ignore zone fullcone settings
Section docker (docker) fullcone in defaults not enabled, ignore zone fullcone settings
Section @rule[9] (Reject-IPv6) is disabled, ignoring section
Automatically including '/usr/share/nftables.d/table-pre/xray_core.nft'
Automatically including '/usr/share/nftables.d/table-post/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/dstnat/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/forward/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/srcnat/20-miniupnpd.nft'

xray config in /var/etc/xray/config.json:

{
    "inbounds": [
        {
            "listen": "0.0.0.0",
            "port": 1080,
            "protocol": "socks",
            "tag": "socks_inbound",
            "settings": {
                "auth": "noauth",
                "accounts": null,
                "udp": true
            }
        },
        {
            "listen": "0.0.0.0",
            "port": 1081,
            "protocol": "http",
            "tag": "http_inbound",
            "settings": {
                "accounts": null,
                "allowTransparent": false
            }
        },
        {
            "port": 1082,
            "protocol": "dokodemo-door",
            "tag": "tproxy_tcp_inbound_v4",
            "sniffing": null,
            "settings": {
                "network": "tcp",
                "followRedirect": true,
                "timeout": 300
            },
            "streamSettings": {
                "sockopt": {
                    "tproxy": "tproxy"
                }
            },
            "listen": "0.0.0.0"
        },
        {
            "port": 1083,
            "protocol": "dokodemo-door",
            "tag": "tproxy_tcp_inbound_v6",
            "sniffing": null,
            "settings": {
                "network": "tcp",
                "followRedirect": true,
                "timeout": 300
            },
            "streamSettings": {
                "sockopt": {
                    "tproxy": "tproxy"
                }
            },
            "listen": "0.0.0.0"
        },
        {
            "port": 1084,
            "protocol": "dokodemo-door",
            "tag": "tproxy_udp_inbound_v4",
            "sniffing": null,
            "settings": {
                "network": "udp",
                "followRedirect": true,
                "timeout": 300
            },
            "streamSettings": {
                "sockopt": {
                    "tproxy": "tproxy"
                }
            },
            "listen": "0.0.0.0"
        },
        {
            "port": 1085,
            "protocol": "dokodemo-door",
            "tag": "tproxy_udp_inbound_v6",
            "sniffing": null,
            "settings": {
                "network": "udp",
                "followRedirect": true,
                "timeout": 300
            },
            "streamSettings": {
                "sockopt": {
                    "tproxy": "tproxy"
                }
            },
            "listen": "0.0.0.0"
        },
        {
            "port": 5300,
            "protocol": "dokodemo-door",
            "tag": "dns_server_inbound:5300",
            "settings": {
                "address": "1.1.1.1",
                "port": 53,
                "network": "tcp,udp"
            }
        },
        {
            "port": 5301,
            "protocol": "dokodemo-door",
            "tag": "dns_server_inbound:5301",
            "settings": {
                "address": "1.1.1.1",
                "port": 53,
                "network": "tcp,udp"
            }
        },
        {
            "port": 5302,
            "protocol": "dokodemo-door",
            "tag": "dns_server_inbound:5302",
            "settings": {
                "address": "1.1.1.1",
                "port": 53,
                "network": "tcp,udp"
            }
        },
        {
            "port": 5303,
            "protocol": "dokodemo-door",
            "tag": "dns_server_inbound:5303",
            "settings": {
                "address": "1.1.1.1",
                "port": 53,
                "network": "tcp,udp"
            }
        },
        {
            "port": 1086,
            "protocol": "dokodemo-door",
            "tag": "tproxy_tcp_inbound_f4",
            "sniffing": {
                "enabled": true,
                "routeOnly": false,
                "destOverride": [
                    "fakedns"
                ],
                "metadataOnly": true
            },
            "settings": {
                "network": "tcp",
                "followRedirect": true,
                "timeout": 300
            },
            "streamSettings": {
                "sockopt": {
                    "tproxy": "tproxy"
                }
            },
            "listen": "0.0.0.0"
        },
        {
            "port": 1087,
            "protocol": "dokodemo-door",
            "tag": "tproxy_tcp_inbound_f6",
            "sniffing": {
                "enabled": true,
                "routeOnly": false,
                "destOverride": [
                    "fakedns"
                ],
                "metadataOnly": true
            },
            "settings": {
                "network": "tcp",
                "followRedirect": true,
                "timeout": 300
            },
            "streamSettings": {
                "sockopt": {
                    "tproxy": "tproxy"
                }
            },
            "listen": "0.0.0.0"
        },
        {
            "port": 1088,
            "protocol": "dokodemo-door",
            "tag": "tproxy_udp_inbound_f4",
            "sniffing": {
                "enabled": true,
                "routeOnly": false,
                "destOverride": [
                    "fakedns"
                ],
                "metadataOnly": true
            },
            "settings": {
                "network": "udp",
                "followRedirect": true,
                "timeout": 300
            },
            "streamSettings": {
                "sockopt": {
                    "tproxy": "tproxy"
                }
            },
            "listen": "0.0.0.0"
        },
        {
            "port": 1089,
            "protocol": "dokodemo-door",
            "tag": "tproxy_udp_inbound_f6",
            "sniffing": {
                "enabled": true,
                "routeOnly": false,
                "destOverride": [
                    "fakedns"
                ],
                "metadataOnly": true
            },
            "settings": {
                "network": "udp",
                "followRedirect": true,
                "timeout": 300
            },
            "streamSettings": {
                "sockopt": {
                    "tproxy": "tproxy"
                }
            },
            "listen": "0.0.0.0"
        }
    ],
    "outbounds": [
        {
            "tag": "blackhole_outbound",
            "protocol": "blackhole"
        },
        {
            "protocol": "freedom",
            "tag": "direct",
            "settings": {
                "domainStrategy": "UseIPv4",
                "redirect": ""
            },
            "streamSettings": {
                "sockopt": {
                    "mark": 252
                }
            }
        },
        {
            "protocol": "dns",
            "settings": {
                "nonIPQuery": "skip"
            },
            "streamSettings": {
                "sockopt": {
                    "mark": 254
                }
            },
            "tag": "dns_server_outbound"
        },
        {
            "protocol": "vmess",
            "tag": "fake_dns_tcp:cfg038f81@balancer_outbound:cfg024a8f",
            "settings": {
                "vnext": [
                    {
                        "address": "xxx.xxx.xxx.xxx",
                        "port": 8081,
                        "users": [
                            {
                                "email": null,
                                "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
                                "alterId": 0,
                                "security": "aes-128-gcm"
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "sockopt": {
                    "mark": 253,
                    "domainStrategy": "UseIP",
                    "dialerProxy": null
                },
                "security": "none",
                "tlsSettings": null,
                "realitySettings": null,
                "quicSettings": null,
                "tcpSettings": {
                    "header": {
                        "type": "http",
                        "request": {
                            "version": "1.1",
                            "method": "GET",
                            "path": [
                                "/"
                            ],
                            "headers": {
                                "Host": [
                                    "google.com"
                                ],
                                "User-Agent": [
                                    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
                                    "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/53.0.2785.109 Mobile/14A456 Safari/601.1.46"
                                ],
                                "Accept-Encoding": [
                                    "gzip, deflate"
                                ],
                                "Connection": [
                                    "keep-alive"
                                ],
                                "Pragma": "no-cache"
                            }
                        },
                        "response": {
                            "version": "1.1",
                            "status": "200",
                            "reason": "OK",
                            "headers": {
                                "Content_Type": [
                                    "application/octet-stream",
                                    "video/mpeg"
                                ],
                                "Transfer_Encoding": [
                                    "chunked"
                                ],
                                "Connection": [
                                    "keep-alive"
                                ],
                                "Pragma": "no-cache"
                            }
                        }
                    }
                },
                "kcpSettings": null,
                "wsSettings": null,
                "grpcSettings": null,
                "httpSettings": null
            }
        },
        {
            "protocol": "vmess",
            "tag": "fake_dns_udp:cfg038f81@balancer_outbound:cfg024a8f",
            "settings": {
                "vnext": [
                    {
                        "address": "xxx.xxx.xxx.xxx",
                        "port": 8081,
                        "users": [
                            {
                                "email": null,
                                "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
                                "alterId": 0,
                                "security": "aes-128-gcm"
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "sockopt": {
                    "mark": 253,
                    "domainStrategy": "UseIP",
                    "dialerProxy": null
                },
                "security": "none",
                "tlsSettings": null,
                "realitySettings": null,
                "quicSettings": null,
                "tcpSettings": {
                    "header": {
                        "type": "http",
                        "request": {
                            "version": "1.1",
                            "method": "GET",
                            "path": [
                                "/"
                            ],
                            "headers": {
                                "Host": [
                                    "google.com"
                                ],
                                "User-Agent": [
                                    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
                                    "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/53.0.2785.109 Mobile/14A456 Safari/601.1.46"
                                ],
                                "Accept-Encoding": [
                                    "gzip, deflate"
                                ],
                                "Connection": [
                                    "keep-alive"
                                ],
                                "Pragma": "no-cache"
                            }
                        },
                        "response": {
                            "version": "1.1",
                            "status": "200",
                            "reason": "OK",
                            "headers": {
                                "Content_Type": [
                                    "application/octet-stream",
                                    "video/mpeg"
                                ],
                                "Transfer_Encoding": [
                                    "chunked"
                                ],
                                "Connection": [
                                    "keep-alive"
                                ],
                                "Pragma": "no-cache"
                            }
                        }
                    }
                },
                "kcpSettings": null,
                "wsSettings": null,
                "grpcSettings": null,
                "httpSettings": null
            }
        }
    ],
    "dns": {
        "hosts": {
            "geosite:category-ads": [
                "127.127.127.127",
                "100::6c62:636f:656b:2164"
            ]
        },
        "servers": [
            {
                "address": "fakedns",
                "domains": [
                    "whatismyip.com"
                ],
                "skipFallback": true
            },
            {
                "address": "1.1.1.1",
                "port": 53
            },
            {
                "address": "223.5.5.5",
                "port": 53,
                "domains": [],
                "skipFallback": true
            }
        ],
        "tag": "dns_conf_inbound",
        "queryStrategy": "UseIP"
    },
    "fakedns": [
        {
            "ipPool": "198.18.0.0/15",
            "poolSize": 65535
        },
        {
            "ipPool": "fc00::/18",
            "poolSize": 65535
        }
    ],
    "api": null,
    "metrics": null,
    "policy": {
        "levels": {
            "0": {
                "handshake": 4,
                "connIdle": 300,
                "uplinkOnly": 2,
                "downlinkOnly": 5,
                "bufferSize": 4,
                "statsUserUplink": false,
                "statsUserDownlink": false
            }
        },
        "system": {
            "statsInboundUplink": false,
            "statsInboundDownlink": false,
            "statsOutboundUplink": false,
            "statsOutboundDownlink": false
        }
    },
    "log": {
        "access": "",
        "loglevel": "warning",
        "dnsLog": true
    },
    "stats": null,
    "observatory": null,
    "reverse": {
        "bridges": []
    },
    "routing": {
        "domainStrategy": "AsIs",
        "rules": [
            {
                "type": "field",
                "inboundTag": [
                    "tproxy_tcp_inbound_f4",
                    "tproxy_tcp_inbound_f6"
                ],
                "domain": [
                    "whatismyip.com"
                ],
                "balancerTag": "fake_dns_balancer:cfg038f81@tcp_balancer"
            },
            {
                "type": "field",
                "inboundTag": [
                    "tproxy_udp_inbound_f4",
                    "tproxy_udp_inbound_f6"
                ],
                "domain": [
                    "whatismyip.com"
                ],
                "balancerTag": "fake_dns_balancer:cfg038f81@udp_balancer"
            },
            {
                "type": "field",
                "inboundTag": [
                    "dns_server_inbound:5300",
                    "dns_server_inbound:5301",
                    "dns_server_inbound:5302",
                    "dns_server_inbound:5303"
                ],
                "outboundTag": "dns_server_outbound"
            },
            {
                "type": "field",
                "inboundTag": [
                    "tproxy_tcp_inbound_v6",
                    "tproxy_udp_inbound_v6",
                    "tproxy_tcp_inbound_v4",
                    "socks_inbound",
                    "https_inbound",
                    "http_inbound",
                    "tproxy_udp_inbound_v4",
                    "dns_conf_inbound"
                ],
                "outboundTag": "direct",
                "ip": [
                    "geoip:private"
                ]
            },
            {
                "type": "field",
                "inboundTag": [
                    "tproxy_tcp_inbound_v6"
                ],
                "balancerTag": "tcp_outbound_v6"
            },
            {
                "type": "field",
                "inboundTag": [
                    "tproxy_udp_inbound_v6"
                ],
                "balancerTag": "udp_outbound_v6"
            },
            {
                "type": "field",
                "inboundTag": [
                    "tproxy_tcp_inbound_v4",
                    "socks_inbound",
                    "https_inbound",
                    "http_inbound"
                ],
                "balancerTag": "tcp_outbound_v4"
            },
            {
                "type": "field",
                "inboundTag": [
                    "tproxy_udp_inbound_v4",
                    "dns_conf_inbound"
                ],
                "balancerTag": "udp_outbound_v4"
            }
        ],
        "balancers": [
            {
                "tag": "tcp_outbound_v4",
                "selector": [
                    "direct"
                ],
                "strategy": {
                    "type": "random"
                }
            },
            {
                "tag": "udp_outbound_v4",
                "selector": [
                    "direct"
                ],
                "strategy": {
                    "type": "random"
                }
            },
            {
                "tag": "tcp_outbound_v6",
                "selector": [
                    "direct"
                ],
                "strategy": {
                    "type": "random"
                }
            },
            {
                "tag": "udp_outbound_v6",
                "selector": [
                    "direct"
                ],
                "strategy": {
                    "type": "random"
                }
            },
            {
                "tag": "fake_dns_balancer:cfg038f81@tcp_balancer",
                "selector": [
                    "fake_dns_tcp:cfg038f81@balancer_outbound:cfg024a8f"
                ],
                "strategy": {
                    "type": "random"
                }
            },
            {
                "tag": "fake_dns_balancer:cfg038f81@udp_balancer",
                "selector": [
                    "fake_dns_udp:cfg038f81@balancer_outbound:cfg024a8f"
                ],
                "strategy": {
                    "type": "random"
                }
            }
        ]
    }
}
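The posted configuration is several hundred lines of generated routing, and in a config of that shape one tag that resolves to nothing (a balancer selector matching no outbound, a rule naming an inbound that does not exist, a fakedns domain with no rule) silently changes where a flow ends up, with no error at startup. The checker below is an added example for this issue, not code from the report or from the v2rayA or Xray projects. It cross-references `routing.rules`, `routing.balancers`, the inbound/outbound tags and the fakedns server domains of a config with this layout and lists what does not resolve. `SAMPLE_CONFIG` is constructed for the example and only mirrors the structure of the posted config at a fraction of its size; it is not that config. The example assumes the documented Xray semantics that a balancer `selector` is a prefix match on outbound tags, that `dns.tag` can be matched by a rule's `inboundTag`, and that an inbound without `listen` binds `0.0.0.0`.

```python
"""Cross-reference checker for an Xray/v2ray-style routing config.

Added example for this issue; not code from the report or from the
v2rayA/Xray projects. It does not validate the whole schema, only the
references that decide where a flow ends up.
"""
import json
import sys
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (category, human-readable message)

# Constructed sample mirroring the posted layout (tproxy inbound, dokodemo-door
# DNS forwarder, balancers, fakedns). Two references are deliberately broken
# and one fakedns domain has no routing rule, so the checker has something to find.
SAMPLE_CONFIG: Dict = json.loads(r"""
{
  "inbounds": [
    {"tag": "tproxy_tcp_inbound_f4", "port": 1086, "protocol": "dokodemo-door", "listen": "0.0.0.0",
     "sniffing": {"enabled": true, "destOverride": ["fakedns"], "metadataOnly": true}},
    {"tag": "dns_server_inbound:5300", "port": 5300, "protocol": "dokodemo-door",
     "settings": {"address": "1.1.1.1", "port": 53, "network": "tcp,udp"}}
  ],
  "outbounds": [
    {"tag": "blackhole_outbound", "protocol": "blackhole"},
    {"tag": "direct", "protocol": "freedom"},
    {"tag": "dns_server_outbound", "protocol": "dns"},
    {"tag": "fake_dns_tcp:cfg038f81@balancer_outbound:cfg024a8f", "protocol": "vmess"}
  ],
  "dns": {"tag": "dns_conf_inbound", "servers": [
    {"address": "fakedns", "domains": ["whatismyip.com", "example.net"], "skipFallback": true},
    {"address": "1.1.1.1", "port": 53}]},
  "routing": {
    "rules": [
      {"type": "field", "inboundTag": ["tproxy_tcp_inbound_f4"], "domain": ["whatismyip.com"],
       "balancerTag": "fake_dns_balancer:cfg038f81@tcp_balancer"},
      {"type": "field", "inboundTag": ["dns_server_inbound:5300", "dns_server_inbound:5301"],
       "outboundTag": "dns_server_outbound"},
      {"type": "field", "inboundTag": ["tproxy_tcp_inbound_f4", "dns_conf_inbound"],
       "balancerTag": "tcp_outbound_v4"}
    ],
    "balancers": [
      {"tag": "tcp_outbound_v4", "selector": ["direct"], "strategy": {"type": "random"}},
      {"tag": "fake_dns_balancer:cfg038f81@tcp_balancer",
       "selector": ["fake_dns_tcp:cfg038f81@balancer_outbound:cfg024a8f"]},
      {"tag": "udp_outbound_v4", "selector": ["proxy_missing"]}
    ]
  }
}
""")


def _inbound_tags(cfg: Dict) -> set:
    tags = {ib.get("tag", "") for ib in cfg.get("inbounds", [])}
    # Xray lets a rule match queries from the built-in DNS module via dns.tag.
    dns_tag = cfg.get("dns", {}).get("tag")
    if dns_tag:
        tags.add(dns_tag)
    return tags


def check_config(cfg: Dict) -> List[Finding]:
    findings: List[Finding] = []
    in_tags = _inbound_tags(cfg)
    out_tags = [ob.get("tag", "") for ob in cfg.get("outbounds", [])]
    routing = cfg.get("routing", {})
    balancers = {b["tag"]: b for b in routing.get("balancers", [])}

    # 1. A balancer selector is a prefix match on outbound tags (assumption from
    #    the Xray docs); a selector matching nothing leaves the balancer empty.
    for name, bal in balancers.items():
        for sel in bal.get("selector", []):
            if not any(tag.startswith(sel) for tag in out_tags):
                findings.append(("empty-balancer",
                                 f"balancer {name!r}: selector {sel!r} matches no outbound tag"))

    # 2. A rule naming a tag that does not exist can never fire or never route.
    ruled_domains = set()
    for idx, rule in enumerate(routing.get("rules", [])):
        ruled_domains.update(rule.get("domain", []))
        for tag in rule.get("inboundTag", []):
            if tag not in in_tags:
                findings.append(("dangling-inbound", f"rule #{idx}: inboundTag {tag!r} does not exist"))
        out = rule.get("outboundTag")
        if out is not None and out not in out_tags:
            findings.append(("dangling-outbound", f"rule #{idx}: outboundTag {out!r} does not exist"))
        bal = rule.get("balancerTag")
        if bal is not None and bal not in balancers:
            findings.append(("dangling-balancer", f"rule #{idx}: balancerTag {bal!r} does not exist"))

    # 3. A fakedns domain gets a fake IP, the sniffer restores the name, and if
    #    no rule names it the flow falls through to whatever catch-all matches
    #    the inbound. Exact-string comparison only; "domain:"/"geosite:" patterns
    #    are not expanded here.
    for srv in cfg.get("dns", {}).get("servers", []):
        if isinstance(srv, dict) and srv.get("address") == "fakedns":
            for dom in srv.get("domains", []):
                if dom not in ruled_domains:
                    findings.append(("unrouted-fakedns-domain",
                                     f"fakedns domain {dom!r} has no routing rule naming it"))

    # 4. An inbound without "listen" binds 0.0.0.0 (assumption from the docs);
    #    on a router that exposes DNS forwarders and tproxy ports on every interface.
    for ib in cfg.get("inbounds", []):
        listen = ib.get("listen", "0.0.0.0")
        if listen in ("0.0.0.0", "::"):
            findings.append(("wildcard-listen",
                             f"inbound {ib.get('tag', '?')!r}: listens on {listen} (all interfaces)"))
    return findings


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            cfg = json.load(fh)
    else:
        cfg = SAMPLE_CONFIG
    findings = check_config(cfg)
    for cat, msg in findings:
        print(f"[{cat}] {msg}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the five findings planted in the sample, or pass the path of an exported config (for example the one v2rayA writes out) to check the real thing; the exit status is non-zero whenever anything is reported, so it can sit in a pre-deploy script. The `wildcard-listen` category is informational: tproxy inbounds often need to accept redirected traffic on a non-loopback address, but the DNS forwarders on 5300-5303 rarely do.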
