Under a transparent proxy inbound, if sing-box listens on some [::]:port, access to that port on other IPs also fails #2967

Closed
4 of 5 tasks
alexandr2666 opened this issue May 9, 2025 · 1 comment
Labels
from end user An end user is asking a developer to fix their problem for free invalid This doesn't seem right

alexandr2666 commented May 9, 2025

Operating system

Linux

System version

Debian 12

Installation type

sing-box (original command-line program)

If you use a graphical client, provide that program's version.

No response

Version

sing-box version 1.12.0-beta.11

Description

If a direct inbound listens on [::]:53, then DNS queries sent through the transparent proxy to a non-local address such as 223.5.5.5:53 also fail to connect.

Steps to reproduce

Minimal configuration:

{
  "log": {
    "level": "debug",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "type": "h3",
        "tag": "Local",
        "server": "223.5.5.5"
      }
    ],
    "final": "Local",
    "reverse_mapping": true,
    "strategy": "ipv4_only"
  },
  "inbounds": [
    {
      "type": "direct",
      "tag": "dns-in",
      "listen": "::",
      "listen_port": 53
    },
    {
      "type": "redirect",
      "tag": "redirect-in",
      "listen": "::",
      "listen_port": 7895
    },
    {
      "type": "tproxy",
      "tag": "tproxy-in",
      "listen": "::",
      "listen_port": 7895,
      "network": "udp"
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    }
  ],
  "route": {
    "rules": [
      {
        "action": "sniff"
      },
      {
        "inbound": "dns-in",
        "action": "hijack-dns"
      }
    ],
    "final": "direct",
    "auto_detect_interface": true,
    "default_mark": "0x1000",
    "default_domain_resolver": {
      "server": "Local",
      "rewrite_ttl": 60,
      "client_subnet": "1.1.1.1"
    }
  },
  "experimental": {
    "cache_file": {
      "enabled": true,
      "store_rdrc": true
    },
    "clash_api": {
      "external_controller": "[::]:9090",
      "external_ui": "ui",
      "external_ui_download_detour": "urltest",
      "default_mode": "Rule",
      "access_control_allow_origin": "*"
    }
  }
}

nftables configuration:

flush ruleset

table ip filter {
    set proxy_iface {
        type ifname;
        elements = { "lo", "bridge0" }
    }

    set local_ipv4 {
        type ipv4_addr
        flags constant,interval
        elements = {
          0.0.0.0/8,
          10.0.0.0/8,
          100.64.0.0/10,
          127.0.0.0/8,
          169.254.0.0/16,
          172.16.0.0/12,
          192.0.0.0/24,
          192.0.2.0/24,
          192.88.99.0/24,
          192.168.0.0/16,
          198.18.0.0/15,
          198.51.100.0/24,
          203.0.113.0/24,
          224.0.0.0/4,
          240.0.0.0/4
        }
    }

    # UDP uses TPROXY
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto != udp iifname != @proxy_iface return
        meta mark 0x00001000 accept
        ip daddr @local_ipv4 accept
        meta l4proto udp meta mark set 0x00000001 tproxy to :7895 accept
    }

    chain output {
        type route hook output priority filter; policy accept;
        meta l4proto != udp return
        meta mark 0x00001000 accept
        oifname @proxy_iface accept
        ip daddr @local_ipv4 accept
        meta l4proto udp meta mark set 0x00000001 accept
    }
}

table ip nat {
    set proxy_iface {
        type ifname;
        elements = { "lo", "bridge0" }
    }

    set local_ipv4 {
        type ipv4_addr
        flags constant,interval
        elements = {
          0.0.0.0/8,
          10.0.0.0/8,
          100.64.0.0/10,
          127.0.0.0/8,
          169.254.0.0/16,
          172.16.0.0/12,
          192.0.0.0/24,
          192.0.2.0/24,
          192.88.99.0/24,
          192.168.0.0/16,
          198.18.0.0/15,
          198.51.100.0/24,
          203.0.113.0/24,
          224.0.0.0/4,
          240.0.0.0/4
        }
    }
    
    # TCP uses REDIRECT
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        meta l4proto != tcp iifname != @proxy_iface return
        meta mark 0x00001000 accept
        ip daddr @local_ipv4 accept
        meta l4proto tcp redirect to :7895
    }
    
    chain output {
        type nat hook output priority -100; policy accept;
        meta l4proto != tcp return
        meta mark 0x00001000 accept
        ip daddr @local_ipv4 accept
        oifname @proxy_iface accept
        meta l4proto tcp redirect to :7895
    }
}

table ip6 filter {
    set proxy_iface {
        type ifname;
        elements = { "lo", "bridge0" }
    }

    set local_ipv6 {
        type ipv6_addr
        flags constant,interval
        elements = {
          ::/128,
          ::1/128,
          ::ffff:0:0/96,
          ::ffff:0:0:0/96,
          64:ff9b::/96,
          100::/64,
          2001::/32,
          2001:20::/28,
          2001:db8::/32,
          2002::/16,
          3fff::/20,
          5f00::/16,
          fc00::/7,
          fe80::/10,
          ff00::/8
        }
    }

    # UDP uses TPROXY
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto != udp iifname != @proxy_iface return
        meta mark 0x00001000 accept
        ip6 daddr @local_ipv6 accept
        meta l4proto udp meta mark set 0x00000001 tproxy to :7895 accept
    }

    chain output {
        type route hook output priority filter; policy accept;
        meta l4proto != udp return
        meta mark 0x00001000 accept
        oifname @proxy_iface accept
        ip6 daddr @local_ipv6 accept
        meta l4proto udp meta mark set 0x00000001 accept
    }
}

table ip6 nat {
    set proxy_iface {
        type ifname;
        elements = { "lo", "bridge0" }
    }

    set local_ipv6 {
        type ipv6_addr
        flags constant,interval
        elements = {
          ::/128,
          ::1/128,
          ::ffff:0:0/96,
          ::ffff:0:0:0/96,
          64:ff9b::/96,
          100::/64,
          2001::/32,
          2001:20::/28,
          2001:db8::/32,
          2002::/16,
          3fff::/20,
          5f00::/16,
          fc00::/7,
          fe80::/10,
          ff00::/8
        }
    }
    
    # TCP uses REDIRECT
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        meta l4proto != tcp iifname != @proxy_iface return
        meta mark 0x00001000 accept
        ip6 daddr @local_ipv6 accept
        meta l4proto tcp redirect to :7895
    }
    
    chain output {
        type nat hook output priority -100; policy accept;
        meta l4proto != tcp return
        meta mark 0x00001000 accept
        ip6 daddr @local_ipv6 accept
        oifname @proxy_iface accept
        meta l4proto tcp redirect to :7895
    }
}

Logs

May 09 router sing-box[2802]: +0800 2025-05-09 INFO [626323480 0ms] inbound/tproxy[tproxy-in]: inbound packet connection to 223.5.5.5:53
May 09 router sing-box[2802]: +0800 2025-05-09 DEBUG [626323480 0ms] router: match[0] => sniff
May 09 router sing-box[2802]: +0800 2025-05-09 DEBUG [626323480 0ms] router: sniffed packet protocol: dns
May 09 router sing-box[2802]: +0800 2025-05-09 INFO [626323480 0ms] outbound/direct[direct]: outbound packet connection
May 09 router sing-box[2802]: +0800 2025-05-09 DEBUG [626323480 19ms] connection: packet download finished
May 09 router sing-box[2802]: +0800 2025-05-09 INFO [4067530356 0ms] inbound/direct[dns-in]: inbound packet connection from 192.168.1.28:57199
--
May 09 router sing-box[2802]: +0800 2025-05-09 INFO [2339393813 0ms] inbound/tproxy[tproxy-in]: inbound packet connection to 223.5.5.5:53
May 09 router sing-box[2802]: +0800 2025-05-09 DEBUG [2339393813 0ms] router: match[0] => sniff
May 09 router sing-box[2802]: +0800 2025-05-09 DEBUG [2339393813 0ms] router: sniffed packet protocol: dns
May 09 router sing-box[2802]: +0800 2025-05-09 INFO [2339393813 0ms] outbound/direct[direct]: outbound packet connection
May 09 router sing-box[2802]: +0800 2025-05-09 DEBUG [2339393813 18ms] connection: packet download finished
May 09 router sing-box[2802]: +0800 2025-05-09 ERROR [593658326 5.0s] connection: open connection to 142.250.217.106:443 using outbound/direct[direct]: dial tcp 142.250.217.106:443: i/o timeout
--
May 09 router sing-box[2802]: +0800 2025-05-09 INFO [772394767 0ms] inbound/tproxy[tproxy-in]: inbound packet connection to 223.5.5.5:53
May 09 router sing-box[2802]: +0800 2025-05-09 DEBUG [772394767 0ms] router: match[0] => sniff
May 09 router sing-box[2802]: +0800 2025-05-09 DEBUG [772394767 0ms] router: sniffed packet protocol: dns
May 09 router sing-box[2802]: +0800 2025-05-09 INFO [772394767 0ms] outbound/direct[direct]: outbound packet connection
May 09 router sing-box[2802]: +0800 2025-05-09 DEBUG [772394767 14ms] connection: packet download finished
May 09 router sing-box[2802]: +0800 2025-05-09 INFO [1514742975 0ms] inbound/tproxy[tproxy-in]: inbound packet connection from 192.168.1.28:53116
--
May 09 router sing-box[2802]: +0800 2025-05-09 INFO [119213376 0ms] inbound/tproxy[tproxy-in]: inbound packet connection to 223.5.5.5:53
May 09 router sing-box[2802]: +0800 2025-05-09 DEBUG [119213376 0ms] router: match[0] => sniff
May 09 router sing-box[2802]: +0800 2025-05-09 DEBUG [119213376 0ms] router: sniffed packet protocol: dns
May 09 router sing-box[2802]: +0800 2025-05-09 INFO [119213376 0ms] outbound/direct[direct]: outbound packet connection
May 09 router sing-box[2802]: +0800 2025-05-09 DEBUG [119213376 18ms] connection: packet download finished
May 09 router sing-box[2802]: +0800 2025-05-09 INFO [451625065 0ms] inbound/redirect[redirect-in]: inbound connection from 192.168.1.28:64516

Integrity requirements

  • I confirm that I have read the documentation and understand the meaning of every configuration item I wrote, rather than piling up seemingly useful options or default values.
  • I confirm that I have provided the server and client configuration files and the steps needed to reproduce the problem locally, rather than a redacted, complex client configuration file.
  • I confirm that I have provided the minimal configuration that reproduces the reported error, rather than one that depends on remote servers, TUN, graphical clients or other closed-source software.
  • I confirm that I have provided the complete configuration files and logs, rather than only the parts I considered useful out of confidence in my own intelligence.
alexandr2666 changed the title from "Under a transparent proxy inbound, if sing-box listens on some [::]:port, other IPs can no longer access that port" to "Under a transparent proxy inbound, if sing-box listens on some [::]:port, access to that port on other IPs also fails" May 9, 2025
nekohasekai added the labels "invalid" (This doesn't seem right) and "from end user" (An end user is asking a developer to fix their problem for free) May 12, 2025
nekohasekai (Member) commented

Questions about self-configured firewall rules are not accepted; use auto_redirect instead.

nekohasekai closed this as not planned May 12, 2025
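For readers landing here with the same setup, the following is an added reference configuration showing the direction the maintainer points to: a tun inbound with auto_route and auto_redirect in place of the hand-written redirect/tproxy inbounds and nftables ruleset. It is not taken from the issue or from the sing-box project; the option names follow the sing-box 1.12 tun inbound and route documentation, while the tun addresses, the inbound tag and the reuse of the reporter's 223.5.5.5 h3 resolver are assumptions for illustration. The direct inbound on [::]:53 from the report is deliberately left out: client DNS queries to 223.5.5.5:53 now arrive through the tun device and are caught by the hijack-dns rule, so nothing needs to be bound on port 53.

```json
{
  "log": {
    "level": "info",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "type": "h3",
        "tag": "Local",
        "server": "223.5.5.5"
      }
    ],
    "final": "Local",
    "strategy": "ipv4_only"
  },
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "address": [
        "172.18.0.1/30",
        "fdfe:dcba:9876::1/126"
      ],
      "auto_route": true,
      "auto_redirect": true,
      "strict_route": true
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    }
  ],
  "route": {
    "rules": [
      {
        "action": "sniff"
      },
      {
        "protocol": "dns",
        "action": "hijack-dns"
      }
    ],
    "final": "direct",
    "auto_detect_interface": true,
    "default_domain_resolver": {
      "server": "Local"
    }
  }
}
```

Before starting sing-box with this file, remove the manual nftables tables from the report (for example with `nft flush ruleset`, if nothing else on the host depends on them): auto_redirect installs and manages its own nftables rules, and the hand-written prerouting/output chains would otherwise steer traffic to a port 7895 that no inbound listens on any more. Check with `ss -ulnp` and `ss -tlnp` afterwards that the only wildcard listeners left on the router are the ones you intend, since the report's symptom is tied to a wildcard [::] bind sharing a port with transparently proxied traffic.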