@Jinnrry 转发规则主要体现在这两个 chain 上

Chain PREROUTING (policy ACCEPT 7861 packets, 601K bytes)
pkts bytes target prot opt in out source destination
3187 191K SS_SPEC_WAN_AC tcp -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* _SS_SPEC_RULE_ */
693K 54M prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom prerouting rule chain */
692K 53M zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
838 245K zone_wan_prerouting all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_prerouting all -- eth1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain SS_SPEC_WAN_AC (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set whitelist dst
0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set blacklist dst
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bplan src
0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set fplan src
75 4500 RETURN tcp -- * * 0.0.0.0/0 45.78.45.70 tcp dpt:!53
61 3680 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ss_spec_wan_ac dst
572 34320 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set china dst
0 0 SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set gmlan src ! match-set china dst
3242 195K SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SS_SPEC_WAN_FW (4 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 127.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 169.254.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 172.16.0.0/12
0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 RETURN all -- * * 0.0.0.0/0 240.0.0.0/4
3188 191K REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,53,587,465,995,993,143,80,443,853,9418 redir ports 1234

从 Chain PREROUTING -> Chain SS_SPEC_WAN_AC -> Chain SS_SPEC_WAN_FW

规则采用目标地址匹配，就是这行 rule
SS_SPEC_WAN_FW all -- * * 0.0.0.0/0 0.0.0.0/0 match-set blacklist dst

blacklist 应该是所有需要科学上网的域名返回的 ip 地址，所有流量包的目标地址只要存在于 blacklist ipset 中，就会进入 Chain SS_SPEC_WAN_AC

你可以用 ipset list blacklist 命令看一下哪些 ip 是目标 ip

而 Chain SS_SPEC_WAN_FW 的最后一行 rule
REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,53,587,465,995,993,143,80,443,853,9418 redir ports 1234

再排除了局域网 ip(172.16.0.0/12,192.168.0.0/16.....)后，剩下的都应该是需要科学上网的域名，且如果目标端口是 22,53,587,465,995,993,143,80,443,853,9418,就重定向到 1234 端口(如你所言，是 v2ray 的端口)

所以采用的是目标地址匹配的方法

不过我有点不明白，如果你的路由器使用 FW4 ，iptables 命令应该不能执行吧？如果 iptables 命令能执行成功，那就应该是 FW3 啊

@Jinnrry 如果策略是“非国内 ip 代理”，那么肯定有针对目标地址的转发规则，你现在找到这个是针对目标端口的转发，不是这个

你把 iptables -t nat -L -v -n 的结果全部贴出来看看

说错了

iptables -L 这个命令默认查询的是 filter 表，但一般在 nat 表，所以命令应该这么写

iptables -t nat -L -v -n

@Jinnrry 那就不用 ipv6

gost,v2ray ，现在能用的工具很多。gost 是肯定可以在 ARM 上用的，就是要路由器的内存大点

@Jinnrry iptables 的配置与具体的采用的科学上网的工具有关

比如你使用 gost 作为科学上网工具，在本地开了 18443 作为端口转发，那么整体配置思路如下

在 dnsmasq 中的配置
server=/docker.io/127.0.0.1#10053
nftset=/docker.io/4#inet#wgcross#crs_dst

以上配置的作用是将 docker.io 的域名交给 127.0.0.1#10053 这个域名解析服务器解析，返回的 ip 存到 nft table 名为 wgcross 的 ipset crs_dst 中

说明一下：因为我使用的 openwrt23.05 已经是 firewell 4 了，而 firewell 4 使用 nftables 代替了 iptables ，所以与你使用的 firewell 3 的配置参数不同，但是思路是一样的

然后我的 nftables 的配置中就有如下一项

nft add rule inet wgcross PREROUTING ip daddr @crs_dst meta l4proto {tcp,udp} redirect to :18443

这个命令在 nft table 名为 wgcross 中增加了一条规则，将目标地址在 ipset crs_dst 中的 tcp 和 udp 包都专发到本地的 18443 端口上

所以通过 server ，nftset(firewell 3 是 ipset)解决 DNS 域名污染并存储了对应域名的目标 ip ，再通过 iptables 实现了目标 ip 转发到指定端口

我记得 iptables -L 默认是 NAT 表，一般转发规则在 PREROUTING 表中，你可能对 iptables 的几个表的使用不理解，你看看我写的这篇文章 https://mp.weixin.qq.com/s?__biz=Mzg3OTYwMTE1NA==&mid=2247483967&idx=1&sn=ed36e7007329ad78cf55c91fbed7b0b8&chksm=cf00b152f877384447032ecb2f5500f902941980683977e2d301f6e581599509f20121161889&token=111951293&lang=zh_CN#rd
可能对你有所启发

@Jinnrry server 参数要配合 ipset 一起使用才能实现科学上网

server=/docker.io/127.0.0.1#5333

这个配置就是将 docker.io 这个域名由 127.0.0.1 5353 端口的域名服务进行解析

另外说一下，server 和 ipset 这两个参数一般不在那个/var/etc/dnsmasq.conf.cfg01411c 配置文件中，但是你查看一下配置文件中的 conf-file 参数对应的目录下，应该有使用 server 和 ipset 的配置文件。

一般使用的是/tmp/dnsmasq.d/

简单来说，DNSMASQ 有两个参数 server 和 ipset 发挥的作用

server 的作用是将指定的域名交给指定的域名服务器解析，并将 ip 存入 ipset 中，iptables 再将目标地址为这个 ipset 的 package 转发到科学上网的端口或线路上

你研究一下这个参数的说明

-S, --local, --server=[/[<domain>]/[domain/]][<server>[#<port>]][@<interface>][@<source-ip>[#<port>]]
Specify upstream servers directly. Setting this flag does not suppress reading of /etc/resolv.conf, use --no-resolv to do that. If one or more optional domains are given, that server is used only for those domains and they are queried only using the specified server. This is intended for private nameservers: if you have a nameserver on your network which deals with names of the form xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving the flag --server=/internal.thekelleys.org.uk/192.168.1.1 will send all queries for internal machines to that nameserver, everything else will go to the servers in /etc/resolv.conf. DNSSEC validation is turned off for such private nameservers, UNLESS a --trust-anchor is specified for the domain in question. An empty domain specification, // has the special meaning of "unqualified names only" ie names without any dots in them. A non-standard port may be specified as part of the IP address using a # character. More than one --server flag is allowed, with repeated domain or ipaddr parts as required.
More specific domains take precedence over less specific domains, so: --server=/google.com/1.2.3.4 --server=/www.google.com/2.3.4.5 will send queries for google.com and gmail.google.com to 1.2.3.4, but www.google.com will go to 2.3.4.5

Matching of domains is normally done on complete labels, so /google.com/ matches google.com and www.google.com but NOT supergoogle.com. This can be overridden with a * at the start of a pattern only: /*google.com/ will match google.com and www.google.com AND supergoogle.com. The non-wildcard form has priority, so if /google.com/ and /*google.com/ are both specified then google.com and www.google.com will match /google.com/ and /*google.com/ will only match supergoogle.com.

For historical reasons, the pattern /.google.com/ is equivalent to /google.com/ if you wish to match any subdomain of google.com but NOT google.com itself, use /*.google.com/

The special server address '#' means, "use the standard servers", so --server=/google.com/1.2.3.4 --server=/www.google.com/# will send queries for google.com and its subdomains to 1.2.3.4, except www.google.com (and its subdomains) which will be forwarded as usual.

Also permitted is a -S flag which gives a domain but no IP address; this tells dnsmasq that a domain is local and it may answer queries from /etc/hosts or DHCP but should never forward queries on that domain to any upstream servers. --local is a synonym for --server to make configuration files clearer in this case.

IPv6 addresses may include an %interface scope-id, eg fe80::202:a412:4512:7bbf%eth0.

The optional string after the @ character tells dnsmasq how to set the source of the queries to this nameserver. It can either be an ip-address, an interface name or both. The ip-address should belong to the machine on which dnsmasq is running, otherwise this server line will be logged and then ignored. If an interface name is given, then queries to the server will be forced via that interface; if an ip-address is given then the source address of the queries will be set to that address; and if both are given then a combination of ip-address and interface name will be used to steer requests to the server. The query-port flag is ignored for any servers which have a source address specified but the port may be specified directly as part of the source address. Forcing queries to an interface is not implemented on all platforms supported by dnsmasq.

Upstream servers may be specified with a hostname rather than an IP address. In this case, dnsmasq will try to use the system resolver to get the IP address of a server during startup. If name resolution fails, starting dnsmasq fails, too. If the system's configuration is such that the system resolver sends DNS queries through the dnsmasq instance which is starting up then this will time-out and fail.

https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html#index

第 4 篇 也是最后一篇 https://mp.weixin.qq.com/s/yneYcKjZvAldRCpcaYmFGA

第 3 篇 https://mp.weixin.qq.com/s/1foakbjt6ZjUltBgLL0LvQ

第 2 篇来了 https://mp.weixin.qq.com/s/YM7WBWI7jdyw7wvDzdZPgw

@buffzty 现在哪个云厂商能开出 11 元/月的云主机？如果您可以真希望能提供链接，不要仅仅是煞有其事地泛泛而谈，也让我们也一起薅羊毛

@buffzty
1 、你举出这只是理论费用，带宽都没有算进去吧，我自己局域网的带宽可以达到 1000M ，使用云服务能达到么？相应的费用要多少？
2 、我就是要通过搭建过程来理解每个组件的作用，一键脚本简单，但失去了学习的过程。
3 、你没有算云盘费用，相比自己买的 TF 卡可以永久持有，性价比肯定更高。
4 、以后的各种二手 pi 也可以废旧利用上

其实最大的问题是，除了用于学习 K8S 的命令和各种操作，有没有实际的应用功能，比如家庭的什么功能，其实我是有想法的，但是还是要先尝试了再来给各位分享

@wsseo 我没有使用离线安装，我把网关变成了透明代理

@shen13176101 非常感谢，我研究一下 ngrok