Openwrt下配置iptables将shadowsocks连接随机DNAT到特定端口:
1
2
3
4
| iptables -t nat -A OUTPUT -p tcp --dport 5688 -m state --state NEW -m statistic --mode nth --every 4 --packet 0 -j DNAT --to-destination serverip:5688iptables -t nat -A OUTPUT -p tcp --dport 5688 -m state --state NEW -m statistic --mode nth --every 4 --packet 1 -j DNAT --to-destination serverip:5689iptables -t nat -A OUTPUT -p tcp --dport 5688 -m state --state NEW -m statistic --mode nth --every 4 --packet 2 -j DNAT --to-destination serverip:5690iptables -t nat -A OUTPUT -p tcp --dport 5688 -m state --state NEW -m statistic --mode nth --every 4 --packet 3 -j DNAT --to-destination serverip:5691 |
服务器端将客户端连接的端口DNAT到shadowsocks监听的端口:
1
2
3
| iptables -t nat -A PREROUTING -p tcp --dport 5689:5691 -j DNAT --to-destination serverip:5688#如果是分散的端口:iptables -t nat -A PREROUTING -p tcp -m multiport --dports 3000,10000 -j DNAT --to-destination serverip:5688 |
-----------
可以直接用端口范围的. 这样更方便.
iptables -t nat -A OUTPUT -p tcp --dport 5688 -m state --state NEW -m statistic --mode nth --every 4 --packet 0 -j DNAT --to-destination 1.2.3.4:10000-12000
iptables -t nat -A OUTPUT -p tcp --dport 5688 -m state --state NEW -m statistic --mode nth --every 4 --packet 0 -j DNAT --to-destination 1.2.3.4:10000-12000
-----------
较新的内核可以这样写
iptables -t nat -A OUTPUT -p tcp -m tcp --dport $DPORT -m state --state NEW -j DNAT --random --to-destination :$PORTSTART-$PORTEND
iptables -t nat -A OUTPUT -p tcp -m tcp --dport $DPORT -m state --state NEW -j DNAT --random --to-destination :$PORTSTART-$PORTEND