Trojan Forwarding

Posted by BlueFat on Wednesday, October 21, 2020

iptables forwarding

From current usage statistics, what gets blocked for trojan is mostly the port (e.g. 443); the IP itself is rarely a problem. Here we use iptables to implement the simplest form of dynamic ports.

Redirect traffic arriving on ports 40000~50000 to the (blocked) port 443. (Note: the firewall does not need to open ports 40000~50000, because the redirect happens in PREROUTING, before the filter INPUT chain sees the packet; INPUT only ever sees destination port 443.)

iptables command

iptables -t nat -A PREROUTING -p tcp --dport 40000:50000 -j REDIRECT --to-ports 443

Ubuntu ufw configuration

cat /etc/ufw/before.rules

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

-A PREROUTING -p tcp --dport 40000:50000 -j REDIRECT --to-ports 443
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
... (remainder omitted)

Because the traffic is forwarded by NAT, nothing listens on those ports on the host itself, so they do not show up in netstat. Once the rule is in place, clients can talk to trojan on any port from 40000 to 50000.

Generate a random number, substitute it for the original port 443, then base64-encode the result into the format client subscriptions accept; finally, place this subscription under the web directory.

Subscription scripts

The v2ray and Clash client configuration formats differ, so each gets its own generator.

V2ray

mkdir -p /data/shell/ /www/sub

cat > /data/shell/v2ray_sub.sh << \EOF
#!/bin/bash

# The generated v2ray subscription file goes under the web root
filePath='/www/sub/v2ray_sub'

# Pick a random port in the 40000~50000 range (RANDOM % 10000 + 40000 gives 40000..49999)
randPort=$((RANDOM % 10000 + 40000 ))

# Node information follows; every 443 on these lines is replaced by the random port
echo -e \
"
trojan://xxxxxxx@domain.com:443#AWS-SG01
trojan://xxxxxxx@domain.com:443#AWS-SG02
" \
| sed "s/443/$randPort/g" | base64 > $filePath
EOF

chmod +x /data/shell/v2ray_sub.sh

Clash

cat > /data/shell/trojan_sub.sh << \EOF
#!/bin/bash
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH

# Clash template containing RANDOM_PORT1, RANDOM_PORT2, ... placeholders
config_file=/data/shell/clash_config.yaml
# generated subscription, served from the web root
gen_file=/www/sub/trojan_sub
# number of placeholder lines in the template
count=$(grep -c RANDOM_PORT "$config_file")

cp "$config_file" "$gen_file"

for i in $(seq "$count"); do
  rand_port=$((RANDOM % 10000 + 40000 ))
  # match the exact placeholder only: RANDOM_PORT1 must not also hit RANDOM_PORT10
  sed -i -E "s/RANDOM_PORT$i([^0-9]|$)/$rand_port\1/" "$gen_file"
done

echo "Generated path: $gen_file"
EOF

chmod +x /data/shell/trojan_sub.sh
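The two generators above substitute ports with plain text replaces: the v2ray script's `sed "s/443/$randPort/g"` also rewrites a 443 that happens to sit inside a password or node name, and a bare `s/RANDOM_PORT$i/` matches RANDOM_PORT10 when i is 1. The following helpers, an added example and not the post's own scripts, change only the port field of a trojan:// URI and only the exact placeholder; they assume GNU sed (-E) and coreutils base64, and the node URIs are constructed samples with placeholder credentials.

```shell
#!/bin/bash
# Added example, not part of the original post: port substitution helpers for
# the two subscription generators above. They touch only the ":PORT" field of a
# trojan:// URI and only the exact RANDOM_PORT<n> placeholder. All node URIs
# are constructed samples with placeholder credentials.

# Random port in 40000..49999, the same range the post's generators use.
rand_port() {
  echo $((RANDOM % 10000 + 40000))
}

# Rewrite only the ":PORT" field of trojan://user@host:PORT#name lines on stdin.
rewrite_trojan_port() {
  local new_port="$1"
  sed -E "s|^(trojan://[^@]+@[^:]+):[0-9]+(#.*)?\$|\1:${new_port}\2|"
}

# Replace the exact placeholder RANDOM_PORT<idx> (not a longer one sharing the
# prefix, e.g. RANDOM_PORT10 when idx=1) with the given port, on stdin.
fill_placeholder() {
  local idx="$1" port="$2"
  sed -E "s/RANDOM_PORT${idx}([^0-9]|\$)/${port}\1/g"
}

# Build the v2ray-style subscription body (base64 of one URI per line) from
# URIs on stdin, all moved to the given port.
build_subscription() {
  rewrite_trojan_port "$1" | base64
}

# Constructed sample nodes; the "443" inside the password shows what the
# post's global replace would have corrupted.
sample_nodes='trojan://pw443@domain.com:443#AWS-SG01
trojan://pw443@domain.com:443#AWS-SG02'

port=$(rand_port)
echo "Rotating sample nodes to port $port:"
printf '%s\n' "$sample_nodes" | rewrite_trojan_port "$port"
echo "Subscription body (base64, what the client fetches):"
printf '%s\n' "$sample_nodes" | build_subscription "$port"
```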
# /data/shell/clash_config.yaml
mixed-port: 7890
allow-lan: true
mode: Rule
log-level: info

proxies:
# trojan
  - {name: kr, type: trojan, server: kr.example.com, port: RANDOM_PORT1, password: EXAMPLE_PASS, udp: true}
  - {name: us, type: trojan, server: us.example.com, port: RANDOM_PORT2, password: EXAMPLE_PASS, udp: true}
  - {name: cf-trojan, type: trojan, server: cf.example.com, port: 443, password: EXAMPLE_PASS, udp: true, sni: "", network: ws, ws-opts: {path: /ff0d4286, headers: {Host: "us.example.com"}}}
  - {name: cf-v2ray, type: vmess, server: cloudflare.co, port: 443, uuid: ff0d4286-7056-4e74-913a-c5ee14cc2014, alterId: 0, cipher: auto, tls: true, skip-cert-verify: true, network: ws, ws-opts: {path: /ff0d4286, headers: {Host: "us.example.com"}}}

proxy-groups:
  - name: Proxy
    type: select
    proxies:
      - us
      - kr
  - { name: "PortProxy", type: select, proxies: ["DIRECT","us","kr"]}

rules:
  - RULE-SET,AdBlock,REJECT
  - RULE-SET,Proxy,Proxy
  - RULE-SET,Apple,Proxy
  - RULE-SET,Adobe,Proxy
  - RULE-SET,Amazon,Proxy
  - RULE-SET,Dler,Proxy
  - RULE-SET,Facebook,Proxy
  - RULE-SET,GitHub,Proxy
  - RULE-SET,Google,Proxy
  - RULE-SET,Microsoft,Proxy
  - RULE-SET,Netflix,Proxy
  - RULE-SET,Speedtest,Proxy
  - RULE-SET,Steam,Proxy
  - RULE-SET,Spotify,Proxy
  - RULE-SET,Telegram,Proxy
  - RULE-SET,Twitter,Proxy
  - RULE-SET,Tencent,DIRECT
  - RULE-SET,TencentVideo,DIRECT
  - RULE-SET,YouTube,Proxy
  - RULE-SET,PayPal,Proxy
  - RULE-SET,Discord,Proxy
  - DOMAIN-SUFFIX,live.cn,Proxy
  - DOMAIN-SUFFIX,sub.dler.io,Proxy
  - DOMAIN-SUFFIX,api.suo.yt,Proxy
  - DOMAIN-SUFFIX,dlercloud.com,Proxy
  - DOMAIN-KEYWORD,dlercloud,Proxy
  - DOMAIN-SUFFIX,wps.com,DIRECT
  - DOMAIN-SUFFIX,hktv03.com,DIRECT
  - DOMAIN-SUFFIX,tvyb03.com,DIRECT
  # Warp is not defined under proxy-groups above; define such a group (or point these two rules at Proxy), otherwise Clash rejects the config
  - DOMAIN-SUFFIX,ai.com,Warp
  - DOMAIN-SUFFIX,openai.com,Warp
  - DOMAIN-SUFFIX,local,DIRECT
  - IP-CIDR,192.168.0.0/16,DIRECT
  - IP-CIDR,10.0.0.0/8,DIRECT
  - IP-CIDR,172.16.0.0/12,DIRECT
  - IP-CIDR,127.0.0.0/8,DIRECT
  - IP-CIDR,100.64.0.0/10,DIRECT
  - IP-CIDR,172.13.1.32/32,DIRECT
  - DST-PORT,24790,PortProxy
  - GEOIP,CN,DIRECT
  - MATCH,Proxy

rule-providers:
  AdBlock: {type: http, behavior: classical, path: ./Filter/AdBlock, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/AdBlock.yaml, interval: 3600}
  Apple: {type: http, behavior: classical, path: ./Filter/Apple, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Apple.yaml, interval: 3600}
  Adobe: {type: http, behavior: classical, path: ./Filter/Adobe, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Adobe.yaml, interval: 3600}
  Amazon: {type: http, behavior: classical, path: ./Filter/Amazon, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Amazon.yaml, interval: 3600}
  China: {type: http, behavior: classical, path: ./Filter/China, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/China.yaml, interval: 3600}
  Dler: {type: http, behavior: classical, path: ./Filter/Dler, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Dler.yaml, interval: 3600}
  Facebook: {type: http, behavior: classical, path: ./Filter/Facebook, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Facebook.yaml, interval: 3600}
  GitHub: {type: http, behavior: classical, path: ./Filter/GitHub, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/GitHub.yaml, interval: 3600}
  Google: {type: http, behavior: classical, path: ./Filter/Google, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Google.yaml, interval: 3600}
  Microsoft: {type: http, behavior: classical, path: ./Filter/Microsoft, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Microsoft.yaml, interval: 3600}
  Netflix: {type: http, behavior: classical, path: ./Filter/Netflix, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Netflix.yaml, interval: 3600}
  Spotify: {type: http, behavior: classical, path: ./Filter/Spotify, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Spotify.yaml, interval: 3600}
  Speedtest: {type: http, behavior: classical, path: ./Filter/Speedtest, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Speedtest.yaml, interval: 3600}
  Steam: {type: http, behavior: classical, path: ./Filter/Steam, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Steam.yaml, interval: 3600}
  Telegram: {type: http, behavior: classical, path: ./Filter/Telegram, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Telegram.yaml, interval: 3600}
  Twitter: {type: http, behavior: classical, path: ./Filter/Twitter, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Twitter.yaml, interval: 3600}
  Tencent: {type: http, behavior: classical, path: ./Filter/Tencent, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Tencent.yaml, interval: 3600}
  TencentVideo: {type: http, behavior: classical, path: ./Filter/TencentVideo, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/TencentVideo.yaml, interval: 3600}
  YouTube: {type: http, behavior: classical, path: ./Filter/YouTube, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/YouTube.yaml, interval: 3600}
  PayPal: {type: http, behavior: classical, path: ./Filter/PayPal, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/PayPal.yaml, interval: 3600}
  Discord: {type: http, behavior: classical, path: ./Filter/Discord, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Discord.yaml, interval: 3600}
  Proxy: {type: http, behavior: classical, path: ./Filter/Proxy, url: https://raw.fastgit.org/Semporia/Clash/master/Rule/Proxy.yaml, interval: 3600}

Rotating the port on a schedule

root@us:~$ crontab -e
# m h  dom mon dow   command
*/30 * * * * /data/shell/v2ray_sub.sh
*/30 * * * * /data/shell/trojan_sub.sh

Docker Web

docker run -d --name nginx -v /www/sub:/usr/share/nginx/html/ -p 90:80 nginx

Add the subscription in the client

v2ray: http://domain:90/v2ray_sub
clash: http://domain:90/trojan_sub

OK, done. Every 30 minutes the refreshed subscription points at a different port.

Source

A simple approach to trojan port 443 being blocked