shadow-tls: handling UDP traffic

[TOC]

Solution adapted from the Surge community.

Updated 2025-06-23

Configuration for an IPv6-only machine. shadow-tls itself only terminates TCP, so the UDP packets that arrive on the shadow-tls port (21042 here) are DNATed to the port ss-rust listens on (19569 here):

```nft
# Configuration on an IPv6-only machine
table ip6 nat {
        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                # replace <public-ipv6> with the host's public IPv6 address;
                # 21042 is the shadow-tls port, 19569 the ss-rust port
                iifname "eth0" ip6 daddr <public-ipv6> udp dport 21042 dnat to :19569
        }

        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "eth0" udp dport 19569 masquerade
        }
}
```

nftables solution

The same forward, built up with `nft add` commands in the `inet` family (covers both IPv4 and IPv6):

```sh
nft add table inet my_nat_table

nft add chain inet my_nat_table prerouting { type nat hook prerouting priority filter \; policy accept \; }

nft add chain inet my_nat_table postrouting { type nat hook postrouting priority srcnat \; policy accept \; }

# replace <shadowtls-port> with the shadow-tls port and <ss-rust-port> with the ss-rust port
nft add rule inet my_nat_table prerouting iifname "eth0" udp dport <shadowtls-port> dnat to :<ss-rust-port>

nft add rule inet my_nat_table postrouting oifname "eth0" udp dport <ss-rust-port> masquerade
```

Some useful nftables commands

1. Persist the current ruleset to a file:

```sh
nft list ruleset > /etc/nftables.conf
```

2. Load the rules from that file:

```sh
nft -f /etc/nftables.conf
```
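After loading the rules it is worth confirming that the only UDP DNAT in place is the shadow-tls to ss-rust forward. The following check is an added example, not part of the original post; it parses the JSON form of the ruleset (`nft -j list ruleset`, assumed to follow the libnftables JSON schema for `match` and `dnat` expressions) and is run here against a constructed sample that mirrors the rules above:

```python
import json

# Constructed sample in the shape of `nft -j list ruleset` (libnftables JSON):
# the inet table from this post with the UDP forward 21042 -> 19569 on eth0.
SAMPLE_RULESET = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.0", "release_name": "constructed", "json_schema_version": 1}},
    {"table": {"family": "inet", "name": "my_nat_table", "handle": 1}},
    {"chain": {"family": "inet", "table": "my_nat_table", "name": "prerouting", "handle": 1,
               "type": "nat", "hook": "prerouting", "prio": -100, "policy": "accept"}},
    {"rule": {"family": "inet", "table": "my_nat_table", "chain": "prerouting", "handle": 3,
              "expr": [
                  {"match": {"op": "==", "left": {"meta": {"key": "iifname"}}, "right": "eth0"}},
                  {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}},
                             "right": 21042}},
                  {"dnat": {"port": 19569}}]}},
]})


def udp_dnat_rules(ruleset_json):
    """Return (iifname, udp dport, dnat port) for each UDP DNAT rule in a nat prerouting chain."""
    objs = json.loads(ruleset_json)["nftables"]
    # Only rules living in a chain of type nat hooked at prerouting can DNAT inbound packets.
    nat_chains = {(c["chain"]["family"], c["chain"]["table"], c["chain"]["name"])
                  for c in objs if "chain" in c
                  and c["chain"].get("type") == "nat" and c["chain"].get("hook") == "prerouting"}
    found = []
    for obj in objs:
        rule = obj.get("rule")
        if not rule or (rule["family"], rule["table"], rule["chain"]) not in nat_chains:
            continue
        iface = dport = target = None
        for expr in rule["expr"]:
            match = expr.get("match")
            if match and match["left"].get("meta", {}).get("key") == "iifname":
                iface = match["right"]
            elif match and match["left"].get("payload") == {"protocol": "udp", "field": "dport"}:
                dport = match["right"]
            elif "dnat" in expr:
                target = expr["dnat"].get("port")
        if dport is not None and target is not None:
            found.append((iface, dport, target))
    return found


def forward_ok(ruleset_json, shadowtls_port, ss_port, iface="eth0"):
    """True only when the one expected forward exists and no other UDP port is DNATed."""
    return udp_dnat_rules(ruleset_json) == [(iface, shadowtls_port, ss_port)]
```

On the real host, pass the output of `nft -j list ruleset` (for example via `subprocess.check_output`) to `forward_ok` with your shadow-tls and ss-rust ports.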

ss-rust solution

Instead of forwarding, let ss-rust take over the UDP traffic on the shadow-tls port itself: bind it to the same port in `udp_only` mode. Fill in `server_port` with the shadow-tls port, and replace the `password` and `method` placeholders with your own (the method is one of the `2022-blake3-...` ciphers); `"user": "nobody"` makes ss-rust drop privileges after it has bound the port.

```json
{
    "server": "::",
    "server_port": xxxxx,
    "password": "xxxxxxxx",
    "method": "2022-blake3xxxxxxxx",
    "fast_open": true,
    "mode": "udp_only",
    "user": "nobody",
    "timeout": 300
}
```