local-redir could not receive udp response from server #1026

Open
ruantu opened this issue Dec 2, 2022 · 7 comments
ruantu commented Dec 2, 2022

environment

archlinux
linux 6.0.10-arch2-1
shadowsocks-rust 1.15.0-alpha.9
openwrt 22.03

iptables script

ip rule add fwmark 0x1 table 100
ip route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -N SSREDIR

iptables -t mangle -A SSREDIR -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A SSREDIR -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A SSREDIR -d 100.64.0.0/10 -j RETURN
iptables -t mangle -A SSREDIR -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A SSREDIR -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A SSREDIR -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A SSREDIR -d 192.0.0.0/24 -j RETURN
iptables -t mangle -A SSREDIR -d 192.0.2.0/24 -j RETURN
iptables -t mangle -A SSREDIR -d 192.88.99.0/24 -j RETURN
iptables -t mangle -A SSREDIR -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A SSREDIR -d 198.18.0.0/15 -j RETURN
iptables -t mangle -A SSREDIR -d 198.51.100.0/24 -j RETURN
iptables -t mangle -A SSREDIR -d 203.0.113.0/24 -j RETURN
iptables -t mangle -A SSREDIR -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A SSREDIR -d 240.0.0.0/4 -j RETURN
iptables -t mangle -A SSREDIR -d 255.255.255.255/32 -j RETURN

iptables -t mangle -A SSREDIR -d xxx.xxx.xxx.xxx/28 -j RETURN

iptables -t mangle -A SSREDIR -p tcp -j TPROXY --on-port 60080 --tproxy-mark 0x01/0x01
iptables -t mangle -A SSREDIR -p udp -j TPROXY --on-port 60080 --tproxy-mark 0x01/0x01

iptables -t mangle -A PREROUTING -p tcp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL,BROADCAST -j SSREDIR
iptables -t mangle -A PREROUTING -p udp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL,BROADCAST -j SSREDIR

client log

Dec 03 00:32:01 ssservice[341]: TRACE [341:140530457507520] [shadowsocks_service::local::redir::udprelay] received UDP packet from 192.168.1.102:55596, destination 1.1.1.1:53, length 32 bytes
Dec 03 00:32:01 ssservice[341]: DEBUG [341:140530457507520] [shadowsocks_service::local::net::udp::association] created udp association for 192.168.1.102:55596
Dec 03 00:32:01 ssservice[341]: TRACE [341:140530457507520] [shadowsocks_service::local::net::udp::association] udp relay 192.168.1.102:55596 -> 1.1.1.1:53 (proxied) with 32 bytes
Dec 03 00:32:01 ssservice[341]: TRACE [341:140530457507520] [mio::poll] registering event source with poller: token=Token(100663315), interests=READABLE | WRITABLE
Dec 03 00:32:01 ssservice[341]: TRACE [341:140530457507520] [shadowsocks::relay::udprelay::proxy_socket] connected udp remote 103.51.142.180:4000 with ConnectOpts { fwmark: None, bind_local_addr: None, bind_interface: None, tcp: TcpSocketOpts { send_buffer_size: None, recv_buffer_size: None, nodelay: false, fastopen: false, keepalive: Some(15s) } }
Dec 03 00:32:01 ssservice[341]: TRACE [341:140530457507520] [shadowsocks::relay::udprelay::proxy_socket] UDP server client send to 1.1.1.1:53, control: UdpSocketControlData { client_session_id: 18052496432250909976, server_session_id: 0, packet_id: 1, user: None }, payload length 32 bytes, packet length 82 bytes
Dec 03 00:32:36 ssservice[341]: TRACE [341:140530583385792] [mio::poll] registering event source with poller: token=Token(33554459), interests=READABLE | WRITABLE
Dec 03 00:32:36 ssservice[341]: TRACE [341:140530583385792] [shadowsocks_service::local::redir::tcprelay] got connection 192.168.1.102:11838
Dec 03 00:32:36 ssservice[341]: TRACE [341:140530583385792] [mio::poll] registering event source with poller: token=Token(67108869), interests=READABLE | WRITABLE
Dec 03 00:32:36 ssservice[341]: TRACE [341:140530583385792] [mio::poll] deregistering event source from poller
Dec 03 00:32:36 ssservice[341]: TRACE [341:140530583385792] [mio::poll] deregistering event source from poller

server log

Dec 03 00:32:01 ssservice[588]: TRACE [588:139730526680768] [shadowsocks::relay::udprelay::proxy_socket] UDP server client receive from xxx.xxx.xxx.xxx:49793, addr 1.1.1.1:53, control: Some(UdpSocketControlData { client_session_id: 18052496432250909976, server_session_id: 0, packet_id: 1, user: None }), packet length 82 bytes, payload length 32 bytes
Dec 03 00:32:01 ssservice[588]: DEBUG [588:139730526685952] [shadowsocks_service::server::udprelay] created udp association for xxx.xxx.xxx.xxx:49793 with session 18052496432250909976
Dec 03 00:32:01 ssservice[588]: TRACE [588:139730316420800] [shadowsocks_service::server::udprelay] udp relay xxx.xxx.xxx.xxx:49793 -> 1.1.1.1:53 with 32 bytes, control: Some(UdpSocketControlData { client_session_id: 18052496432250909976, server_session_id: 0, packet_id: 1, user: None })
Dec 03 00:32:01 ssservice[588]: TRACE [588:139730316420800] [mio::poll] registering event source with poller: token=Token(201326623), interests=READABLE | WRITABLE
Dec 03 00:32:01 ssservice[588]: TRACE [588:139730318522048] [shadowsocks_service::server::udprelay] udp relay xxx.xxx.xxx.xxx:49793 <- [::ffff:1.1.1.1]:53 received 60 bytes
Dec 03 00:32:01 ssservice[588]: TRACE [588:139730318522048] [shadowsocks::relay::udprelay::proxy_socket] UDP server client send to, addr 1.1.1.1:53, control: UdpSocketControlData { client_session_id: 18052496432250909976, server_session_id: 13967809433173445492, packet_id: 1, user: None }, payload length 60 bytes, packet length 118 bytes
Dec 03 00:32:01 ssservice[588]: TRACE [588:139730318522048] [shadowsocks_service::server::udprelay] udp relay xxx.xxx.xxx.xxx:49793 <- 1.1.1.1:53 with 60 bytes, control UdpSocketControlData { client_session_id: 18052496432250909976, server_session_id: 13967809433173445492, packet_id: 1, user: None }
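Reading the two logs side by side, the reply leaves ssserver (server_session_id set, 118-byte packet) but nothing for that session ever shows up on sslocal. The following is an added example, not code from the issue or from shadowsocks-rust: it correlates the proxy_socket TRACE lines of both logs by client_session_id and reports the first hop at which the trail ends. It assumes sslocal would log an incoming reply with the same "UDP server client receive from" wording the server log uses; that is an assumption, since the thread's client log contains no such line.

```python
import re
from collections import defaultdict

# Matches the proxy_socket TRACE lines from the issue: direction word plus the UdpSocketControlData ids.
CTRL_RE = re.compile(
    r"UDP server client (?P<dir>send to|receive from).*?client_session_id: (?P<csid>\d+), "
    r"server_session_id: (?P<ssid>\d+), packet_id: (?P<pid>\d+)"
)

# Constructed excerpts of the sslocal (pid 341) and ssserver (pid 588) logs quoted in the issue.
CLIENT_LOG = """\
Dec 03 00:32:01 ssservice[341]: TRACE [shadowsocks::relay::udprelay::proxy_socket] UDP server client send to 1.1.1.1:53, control: UdpSocketControlData { client_session_id: 18052496432250909976, server_session_id: 0, packet_id: 1, user: None }, payload length 32 bytes, packet length 82 bytes
"""
SERVER_LOG = """\
Dec 03 00:32:01 ssservice[588]: TRACE [shadowsocks::relay::udprelay::proxy_socket] UDP server client receive from xxx.xxx.xxx.xxx:49793, addr 1.1.1.1:53, control: Some(UdpSocketControlData { client_session_id: 18052496432250909976, server_session_id: 0, packet_id: 1, user: None }), packet length 82 bytes, payload length 32 bytes
Dec 03 00:32:01 ssservice[588]: TRACE [shadowsocks::relay::udprelay::proxy_socket] UDP server client send to, addr 1.1.1.1:53, control: UdpSocketControlData { client_session_id: 18052496432250909976, server_session_id: 13967809433173445492, packet_id: 1, user: None }, payload length 60 bytes, packet length 118 bytes
"""

# Hops in the order a request/reply pair should traverse them; the first missing hop is
# where the trail ends. "client_recv" assumes sslocal logs an incoming reply with the same
# "receive from" wording the server uses (assumption: the thread's client log has no such line).
HOPS = ("client_send", "server_recv", "server_send", "client_recv")
VERDICT = {
    "client_send": "sslocal never sent the request (TPROXY rule did not capture it)",
    "server_recv": "ssserver never saw the request (path sslocal -> ssserver, or key/method mismatch)",
    "server_send": "ssserver got no answer from the target",
    "client_recv": "reply left ssserver but sslocal never received it (return path to the tproxy socket)",
}

def collect_hops(client_log, server_log):
    """Map client_session_id -> set of hops observed across both logs."""
    seen = defaultdict(set)
    for side, text in (("client", client_log), ("server", server_log)):
        for line in text.splitlines():
            m = CTRL_RE.search(line)
            if m:
                seen[m["csid"]].add(side + ("_send" if m["dir"] == "send to" else "_recv"))
    return dict(seen)

def diagnose(hops):
    """Return the verdict for one session's hop set, or 'complete' if all four hops were logged."""
    for hop in HOPS:
        if hop not in hops:
            return VERDICT[hop]
    return "complete"

if __name__ == "__main__":
    for sid, hops in collect_hops(CLIENT_LOG, SERVER_LOG).items():
        print(sid, sorted(hops), "->", diagnose(hops))
```

Run against the issue's logs it reports the session as stuck at the last hop, which is exactly the "sslocal couldn't receive the send-back packet" situation discussed below.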
ruantu commented Dec 2, 2022

client config

{
  "no_delay": false,
  "fast_open": false,
  "ipv6_first": false,
  "ipv6_only": false,
  "nofile": 10240,
  "servers": [
    {
      "server": "xxx.xxx.xxx.xxx",
      "server_port": 4000,
      "password": "-------",
      "method": "2022-blake3-aes-256-gcm",
      "timeout": 300,
      "mode": "tcp_and_udp"
    }
  ],
  "locals": [
    {
      "protocol": "redir",
      "tcp_redir": "tproxy",
      "udp_redir": "tproxy",
      "local_address": "0.0.0.0",
      "local_port": 60080,
      "mode": "tcp_and_udp"
    }
  ],
  "log": {
    "level": 5,
    "format": {
      "without_time": false
    }
  }
}

server config

{
  "no_delay": false,
  "fast_open": false,
  "ipv6_first": false,
  "ipv6_only": false,
  "nofile": 10240,
  "servers": [
    {
      "server": "0.0.0.0",
      "server_port": 4000,
      "password": "-------",
      "method": "2022-blake3-aes-256-gcm",
      "timeout": 300,
      "mode": "tcp_and_udp"
    }
  ],
  "log": {
    "level": 5,
    "format": {
      "without_time": false
    }
  }
}

zonyitoo commented Dec 4, 2022

Well, it seems that the sslocal couldn't receive the send-back packet from ssserver. You may try to change these two lines:

iptables -t mangle -A PREROUTING -p tcp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL,BROADCAST -j SSREDIR
iptables -t mangle -A PREROUTING -p udp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL,BROADCAST -j SSREDIR

to

iptables -t mangle -A PREROUTING -p tcp -j SSREDIR
iptables -t mangle -A PREROUTING -p udp -j SSREDIR

I encountered that months ago, but couldn't remember how I solved it in detail. The config in the example works perfectly. You could try to take some commands from this script and see which one actually solves the problem.

ruantu commented Dec 9, 2022

iptables -t mangle -A PREROUTING -p tcp -j SSREDIR
iptables -t mangle -A PREROUTING -p udp -j SSREDIR

Because the router is only responsible for forwarding the data that flows through it.

zonyitoo commented Dec 10, 2022

I have no idea, my friend. Everything looks correct.

BTW, data that responds from the remote server should also go into the PREROUTING chain, right? So it should also be passed to sslocal's port.

actck commented Feb 11, 2023

I have no idea, my friend. Everything looks correct.

BTW, data that responds from the remote server should also go into the PREROUTING chain, right? So it should also be passed to sslocal's port.

You mentioned that example config, but I have a small question:
This line: "iptables -t mangle -A shadowsocks-tproxy-mark -m owner --uid-owner shadowsocks -j RETURN"

Shadowsocks-rust needs root to run with udp-tproxy, so how does [--uid-owner shadowsocks] work?

@zonyitoo
Collaborator

IP_TRANSPARENT only requires CAP_NET_ADMIN, so any users that have this capability could work.
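To check whether a non-root service account such as the shadowsocks user from the example script actually holds what the tproxy listener needs, here is an added probe (not part of the issue or of shadowsocks-rust): it tries to enable IP_TRANSPARENT on a throwaway UDP socket and classifies the outcome. The status names are this example's own.

```python
import errno
import socket

def probe_ip_transparent():
    """Try to enable IP_TRANSPARENT on a throwaway UDP socket, the option a tproxy
    listener needs, and classify the result (status names are this example's own):
      granted      - option set, so the process holds the required capability
      denied       - EPERM: this process lacks CAP_NET_ADMIN
      unsupported  - no IP_TRANSPARENT on this platform or kernel
      unavailable  - socket creation itself failed (restricted sandbox)
      error:<name> - any other errno, reported by name"""
    opt = getattr(socket, "IP_TRANSPARENT", None)  # Linux-only constant
    if opt is None:
        return "unsupported"
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except OSError:
        return "unavailable"
    try:
        sock.setsockopt(socket.IPPROTO_IP, opt, 1)
        return "granted"
    except OSError as e:
        if e.errno == errno.EPERM:
            return "denied"
        if e.errno in (errno.ENOPROTOOPT, errno.EINVAL):
            return "unsupported"
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        sock.close()

if __name__ == "__main__":
    print("IP_TRANSPARENT:", probe_ip_transparent())
```

A "denied" result under the service user means the capability was not given to the process; file capabilities on the binary (setcap) or the systemd unit's AmbientCapabilities= are the usual ways to grant it without running as root.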

@liubog2008

I have a similar problem and only UDP is not working. Both TCP and local-dns work as expected. = =
