liantian-cn · October 26, 2022 18:51
diff --git a/file b/file
 # 新建一个无密码，无法登陆，没home的系统用户，就叫shadowsocks
 adduser --system --disabled-password --disabled-login --no-create-home shadowsocks

 # 修改 /etc/default/shadowsocks-libev
 USER=shadowsocks
 GROUP=nogroup

 # 使用setcap，允许非root用户无法监听低位端口
 apt-get install libcap2-bin
 setcap 'cap_net_bind_service=+ep' /usr/bin/ss-server


 iptables -N SHADOWSOCKS


 # 转发80流量到squid
 iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 127.0.0.0/8 -p tcp --dport 3128 -j ACCEPT
 # Disable localhost
 iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 127.0.0.0/8 -j REJECT
 # Disable Private Network
 iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 0.0.0.0/8 -j REJECT
 iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 10.0.0.0/8 -j REJECT
 iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 169.254.0.0/16 -j REJECT
 iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 172.16.0.0/12 -j REJECT
 iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 192.168.0.0/16 -j REJECT
 iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 224.0.0.0/4 -j REJECT
 iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 240.0.0.0/4 -j REJECT

 # 开放对DNS、HTTP、HTTPS的访问，DNS有TCP和UDP两种哦！
 iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p udp --dport 53 -j ACCEPT
 iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp --dport 53 -j ACCEPT
 iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp --dport 80 -j ACCEPT
 iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp --dport 443 -j ACCEPT

 # 下面这条，将允许SS对客户端请求的回访。
 iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -m state --state ESTABLISHED,RELATED -j ACCEPT

 # 下面两条，将不允许其他目标端口的访问
 iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp -j REJECT --reject-with tcp-reset
 iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p udp -j REJECT

 # 最后，把SHADOWSOCKS这个Chain，打到OUTPUT上去
 iptables -A OUTPUT -j SHADOWSOCKS
	# 新建一个无密码，无法登陆，没home的系统用户，就叫shadowsocks
	adduser --system --disabled-password --disabled-login --no-create-home shadowsocks

	# 修改 /etc/default/shadowsocks-libev
	USER=shadowsocks
	GROUP=nogroup

	# 使用setcap，允许非root用户无法监听低位端口
	apt-get install libcap2-bin
	setcap 'cap_net_bind_service=+ep' /usr/bin/ss-server


	iptables -N SHADOWSOCKS


	# 转发80流量到squid
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 127.0.0.0/8 -p tcp --dport 3128 -j ACCEPT
	# Disable localhost
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 127.0.0.0/8 -j REJECT
	# Disable Private Network
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 0.0.0.0/8 -j REJECT
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 10.0.0.0/8 -j REJECT
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 169.254.0.0/16 -j REJECT
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 172.16.0.0/12 -j REJECT
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 192.168.0.0/16 -j REJECT
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 224.0.0.0/4 -j REJECT
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d 240.0.0.0/4 -j REJECT

	# 开放对DNS、HTTP、HTTPS的访问，DNS有TCP和UDP两种哦！
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p udp --dport 53 -j ACCEPT
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp --dport 53 -j ACCEPT
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp --dport 80 -j ACCEPT
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp --dport 443 -j ACCEPT

	# 下面这条，将允许SS对客户端请求的回访。
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -m state --state ESTABLISHED,RELATED -j ACCEPT

	# 下面两条，将不允许其他目标端口的访问
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp -j REJECT --reject-with tcp-reset
	iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p udp -j REJECT

	# 最后，把SHADOWSOCKS这个Chain，打到OUTPUT上去
	iptables -A OUTPUT -j SHADOWSOCKS