Step 1: Install Debian 12
I will skip this part.
Step 2: Configure the network interface
After installation, open a terminal and edit the network configuration file.
In my example the interface is enp3s0; change it to the name of your own interface.
sudo vim /etc/network/interfaces
In this file you configure your network interface:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto enp3s0
#iface eht1 inet dhcp
iface enp3s0 inet static
    address 192.168.31.2
    netmask 255.255.255.0
    gateway 192.168.31.1

iface enp3s0 inet6 auto
Save and close the file.
Step 3: Enable IP forwarding
Edit the sysctl.conf file:
sudo vim /etc/sysctl.conf
Find the following lines and uncomment them:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Save and close the file, then load the new values and restart networking:
sudo sysctl -p
sudo systemctl restart networking.service
Step 4: Set up firewall rules
Debian ships with the nft firewall, so we only need to edit the nftables.conf file:
sudo vim /etc/nftables.conf
Paste my rules below into nftables.conf:
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname "enp3s0" accept
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        ct state established,related accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }
}
Remember to change enp3s0 to your own interface name. If you want to allow everything by default instead, use:
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        ct state established,related accept
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        ct state established,related accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }
}
Start the nft firewall, and enable it so the rules are loaded again at boot:
sudo systemctl start nftables.service
sudo systemctl enable nftables.service
If nftables.service reports an error, nft is not fully installed; installing it fixes this:
sudo apt update
sudo apt install nftables
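Steps 2 to 4 each tell you to edit a file by hand, and two of the edits interact: if the interface name in nftables.conf does not match the one in /etc/network/interfaces while the input policy is drop, the only accept rule never matches and you lose SSH access to the box. The following preflight check is an added example, not part of this guide or of Debian; it reads the three files as text (the sample contents below are constructed from the guide's own snippets) and reports the mistakes this guide warns about: a forwarding line still commented out, a missing established/related accept, and a NIC-name mismatch.

```python
import re

# Constructed sample files modelled on this guide. The "bad" variants carry the
# mistakes the guide warns about: sysctl line still commented out, and the NIC
# name in nftables.conf not matching the NIC in /etc/network/interfaces.
INTERFACES_OK = """auto lo
iface lo inet loopback
auto enp3s0
iface enp3s0 inet static
    address 192.168.31.2
    netmask 255.255.255.0
    gateway 192.168.31.1
"""
INTERFACES_RENAMED = INTERFACES_OK.replace("enp3s0", "ens18")
SYSCTL_OK = "net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\n"
SYSCTL_COMMENTED = "#net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\n"
NFT_DROP = """table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname "enp3s0" accept
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
}
"""


def effective_sysctl(text):
    """Last uncommented value for each key, which is what sysctl -p applies."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def declared_interfaces(text):
    """Interface names configured in /etc/network/interfaces (loopback excluded)."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("auto", "iface", "allow-hotplug") and parts[1] != "lo":
            names.add(parts[1])
    return names


def chain_body(nft_text, chain):
    """Text between the braces of `chain <name> {...}`, or None if absent."""
    m = re.search(r"chain\s+%s\s*\{" % re.escape(chain), nft_text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(nft_text)):
        if nft_text[i] == "{":
            depth += 1
        elif nft_text[i] == "}":
            depth -= 1
            if depth == 0:
                return nft_text[start:i]
    return None


def preflight(interfaces_text, sysctl_text, nft_text):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    values = effective_sysctl(sysctl_text)
    for key in ("net.ipv4.ip_forward", "net.ipv6.conf.all.forwarding"):
        if values.get(key) != "1":
            findings.append(f"{key} is not set to 1 (still commented out?)")
    ifaces = declared_interfaces(interfaces_text)
    body = chain_body(nft_text, "input")
    if body is None:
        findings.append("no input chain found in nftables.conf")
        return findings
    policy = re.search(r"policy\s+(\w+)", body)
    if policy and policy.group(1) == "drop":
        if "ct state established,related accept" not in body:
            findings.append("input policy is drop but established/related traffic is not accepted")
        accepted = set(re.findall(r'iifname\s+"([^"]+)"\s+accept', body)) - {"lo"}
        for name in accepted:
            if name not in ifaces:
                findings.append(f'input accepts iifname "{name}" but interfaces defines {sorted(ifaces)}: SSH lockout risk')
        if not accepted & ifaces:
            findings.append("input policy is drop and no configured interface is accepted: SSH lockout risk")
    return findings


if __name__ == "__main__":
    for finding in preflight(INTERFACES_RENAMED, SYSCTL_COMMENTED, NFT_DROP):
        print("-", finding)
```

On the real box you would pass the contents of /etc/network/interfaces, /etc/sysctl.conf and /etc/nftables.conf instead of the constructed strings; run it before `systemctl start nftables.service`, while you still have a working session.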
Step 5: Change the default gateway
In the router's admin page, change the default gateway to the side router's IP.
Set the DNS to the side router's IP as well.
Note: the DNS must be set to the side router's IP only and nothing else, otherwise the proxy will run into problems later.
Step 6: Install the proxy
I am using mihomo here.
Download the proxy software:
wget https://github.com/MetaCubeX/mihomo/releases/download/v1.18.4/mihomo-linux-amd64-go120-v1.18.4.gz
Unpack it:
gunzip mihomo-linux-amd64-go120-v1.18.4.gz
Move the file into bin, rename it, and make it executable:
sudo mv mihomo-linux-amd64-go120-v1.18.4 /usr/local/bin/mihomo
sudo chmod +x /usr/local/bin/mihomo
Run it to check that the installation succeeded:
mihomo -v
Once installed, write a systemd unit so that it starts automatically:
sudo vim /lib/systemd/system/mihomo.service
Copy and paste the following:
[Unit]
Description=mihomo Daemon, Another Clash Kernel.
After=systemd-networkd.service

[Service]
Type=simple
LimitNPROC=500
LimitNOFILE=1000000
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
Restart=always
ExecStartPre=/usr/bin/sleep 1s
ExecStart=/usr/local/bin/mihomo -d /etc/mihomo
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
Reload systemd:
sudo systemctl daemon-reload
Enable mihomo to start at boot:
sudo systemctl enable mihomo.service
Write a basic mihomo configuration file (mihomo reads config.yaml from the directory given with -d):
sudo mkdir -p /etc/mihomo
sudo vim /etc/mihomo/config.yaml
mixed-port: 7890
allow-lan: true
bind-address: "*"
lan-disallowed-ips:
  - 172.16.10.0/24
find-process-mode: off
mode: rule
geox-url:
  geoip: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat"
  geosite: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat"
  mmdb: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.metadb"
geo-auto-update: true
geo-update-interval: 24
log-level: debug
ipv6: true
external-controller: :9999
#external-controller-tls: 0.0.0.0:9443
#secret: "123456" # `Authorization:Bearer ${secret}`
external-ui: ui
external-ui-name: xd
#external-ui-url: "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pag
#profile:
#  store-selected: true
#  store-fake-ip: true
tcp-concurrent: true
#global-client-fingerprint: chrome
routing-mark: 6666
tun:
  enable: true
  stack: gvisor
  auto-route: true
  auto-detect-interface: true
  dns-hijack:
    - any:53
    #- any:1053
    - tcp://any:53
    #- tcp://1053
  table-index: 2022
  # - fe80::ced8:43ff:fec7:1173%enp3s0
sniffer:
  enable: true
  ## Force sniffing on traffic identified as redir-host,
  ## i.e. Tun, Redir and TProxy with DNS in redir-host mode
  force-dns-mapping: true
  ## Force sniffing on all traffic for which no domain was obtained
  parse-pure-ip: false
  # Whether to use the sniffed result as the real destination, default true
  # Global setting, lower priority than the per-protocol sniffer.sniff setting
  override-destination: false
  sniff: # TLS and QUIC sniff port 443 by default if ports is not configured
    QUIC:
      ports: [443, 8443]
    TLS:
      ports: [443, 8443]
    # port 80 by default
    HTTP: # ports to sniff
      ports: [80, 8080-8880]
      # overrides sniffer.override-destination
      override-destination: true
  force-domain:
    - +.v2ex.com
  ## Skip these sniff results
  skip-domain:
    - Mijia Cloud
dns:
  enable: true
  prefer-h3: true
  use-hosts: true
  use-system-hosts: true
  listen: 0.0.0.0:53
  ipv6: true
  default-nameserver:
    - 223.5.5.5
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  fake-ip-filter:
    - '*.lan'
    - localhost.ptlogin2.qq.com
  nameserver-policy:
    'www.baidu.com': '114.114.114.114'
    '+.internal.crop.com': '10.0.0.1'
    'geosite:geolocation-!cn': [tls://8.8.8.8, https://1.0.0.1/dns-query]
    'www.baidu.com,+.google.cn': https://doh.pub/dns-query
    'geosite:private,apple': https://dns.alidns.com/dns-query
    #'rule-set:google,cloudflare': 8.8.8.8
  nameserver:
    - https://doh.pub/dns-query
    - https://dns.alidns.com/dns-query
  fallback:
    - tls://8.8.8.8
    - tls://1.1.1.1
  proxy-server-nameserver:
    - https://doh.pub/dns-query
  fallback-filter:
    geoip: true
    geoip-code: CN
    geosite:
      - gfw
    ipcidr:
      - 240.0.0.0/4
    domain:
      - '+.google.com'
      - '+.facebook.com'
      - '+.youtube.com'
proxies:
  # paste your proxy nodes here
proxy-groups:
  # define your groups here; the rules below reference a group named Proxy
rules:
  - IP-CIDR,127.0.0.0/8,DIRECT
  - IP-CIDR,192.168.0.0/16,DIRECT
  - GEOIP,CN,DIRECT
  - MATCH,Proxy
Then run:
sudo systemctl start mihomo
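Two settings in the configuration above deserve a second look before the service goes live on a gateway: `external-controller: :9999` exposes the REST API and web UI on every interface, and with `secret` commented out anyone who can reach port 9999 can change the running configuration; likewise `allow-lan: true` with `bind-address: "*"` and only a `lan-disallowed-ips` list opens the proxy port to every peer not on that list. The following lint is an added example, not part of this guide or of mihomo. It needs no YAML library because it only inspects the top-level keys; the two sample configurations are constructed excerpts, and the `secret` value in the hardened one is a placeholder. `lan-allowed-ips` is a real mihomo key that is assumed here as the allow-list counterpart of `lan-disallowed-ips`.

```python
import re

TOP_KEY = re.compile(r"^([A-Za-z0-9_-]+):\s*(.*?)\s*$")

# Constructed excerpt of the top-level keys used in this guide's config.yaml.
GUIDE_CONFIG = """mixed-port: 7890
allow-lan: true
bind-address: "*"
lan-disallowed-ips:
  - 172.16.10.0/24
mode: rule
log-level: debug
external-controller: :9999
#secret: "123456" # `Authorization:Bearer ${secret}`
external-ui: ui
tun:
  enable: true
"""

# Same keys with the exposure reduced; the secret is a placeholder, not a real value.
HARDENED_CONFIG = """mixed-port: 7890
allow-lan: true
bind-address: "*"
lan-allowed-ips:
  - 192.168.31.0/24
mode: rule
log-level: info
external-controller: 127.0.0.1:9999
secret: "REPLACE-WITH-A-LONG-RANDOM-STRING"
external-ui: ui
"""


def top_level(config_text):
    """Map top-level key -> scalar value ('' for mappings/lists), skipping comments."""
    keys = {}
    for line in config_text.splitlines():
        if not line or line[0] in " \t#":  # nested, blank or commented line
            continue
        m = TOP_KEY.match(line)
        if m:
            value = m.group(2).split(" #", 1)[0].strip().strip("\"'")
            keys[m.group(1)] = value
    return keys


def lint(config_text):
    """Return exposure findings for a mihomo config; empty list means none found."""
    k = top_level(config_text)
    findings = []
    ctrl = k.get("external-controller")
    if ctrl:
        host = ctrl.rsplit(":", 1)[0]
        if host in ("", "0.0.0.0", "*", "::", "[::]"):
            findings.append(f"external-controller {ctrl!r} listens on every interface")
        if not k.get("secret"):
            findings.append("external-controller is enabled without a secret: API is unauthenticated")
    if k.get("allow-lan") == "true" and k.get("bind-address") in ("*", "0.0.0.0", "::"):
        if "lan-allowed-ips" not in k:
            findings.append("allow-lan with bind-address * and no lan-allowed-ips: proxy port open to every peer")
    if k.get("log-level") == "debug":
        findings.append("log-level debug records every connection; use info or warning once things work")
    return findings


if __name__ == "__main__":
    for name, text in (("guide", GUIDE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint(text) or "no findings")
```

Binding the controller to 127.0.0.1 means the web UI is reachable only from the box itself; an SSH port forward (`ssh -L 9999:127.0.0.1:9999 user@192.168.31.2`) gives you the dashboard from a LAN machine without exposing the API to the whole network.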
Since I am using tun mode, there is no need to set up separate firewall rules for mihomo.
Note: setting the tun stack to system may leave you unable to reach the network; changing it to gvisor fixes it.
Since tun mode is enabled, all devices use the proxy by default. If some devices should not use the proxy, add this to the configuration file:
  - SRC-IP-CIDR,192.168.31.31/32,DIRECT,no-resolve
If devices that connect over Wi-Fi should not use the proxy by default, set the DHCP range on the router.
Note: the DHCP range must come right after the side router's IP.
For example, if your side router's gateway IP is 192.168.31.2, then:
set the DHCP range to 192.168.31.3 through 192.168.31.127
and add the following to the mihomo configuration file:
  - SRC-IP-CIDR,192.168.31.0/25,DIRECT,no-resolve
SRC-IP-CIDR rules must be placed at the beginning of the rules section.
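The two constraints just given (the DHCP range has to fit one CIDR block, and SRC-IP-CIDR rules have to come first) are easy to get wrong by hand. The following is an added example, not part of this guide or of mihomo: it computes the smallest CIDR that covers a DHCP range, checks that SRC-IP-CIDR rules precede everything else, and evaluates the rule types used on this page (SRC-IP-CIDR, IP-CIDR, GEOIP, MATCH) with first-match semantics so you can see which source addresses bypass the proxy. The GeoIP lookup is a constructed one-entry table standing in for the real database.

```python
import ipaddress

# The rules from this guide, with the DHCP bypass rule placed first as required.
RULES = [
    "SRC-IP-CIDR,192.168.31.0/25,DIRECT,no-resolve",
    "IP-CIDR,127.0.0.0/8,DIRECT",
    "IP-CIDR,192.168.0.0/16,DIRECT",
    "GEOIP,CN,DIRECT",
    "MATCH,Proxy",
]

# Constructed stand-in for the GeoIP database: only one address is known.
GEOIP_TABLE = {"223.5.5.5": "CN"}


def lookup_geoip(ip):
    return GEOIP_TABLE.get(str(ip))


def covering_cidr(first, last):
    """Smallest single CIDR block containing every address from first to last."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi < lo:
        raise ValueError("range end is before range start")
    net = ipaddress.ip_network(f"{lo}/{lo.max_prefixlen}")
    while hi not in net:          # widen one bit at a time until the end fits
        net = net.supernet()
    return str(net)


def dhcp_bypass_rule(first, last):
    """Rule line to paste into config.yaml so the DHCP range goes DIRECT."""
    return f"SRC-IP-CIDR,{covering_cidr(first, last)},DIRECT,no-resolve"


def parse_rule(rule):
    """Split 'TYPE,ARG,TARGET[,options]' (MATCH has no ARG) into its parts."""
    parts = [p.strip() for p in rule.split(",")]
    if parts[0] == "MATCH":
        return parts[0], None, parts[1], parts[2:]
    return parts[0], parts[1], parts[2], parts[3:]


def check_order(rules):
    """The guide's constraint: every SRC-IP-CIDR rule must precede all other rule types."""
    problems, seen_other = [], False
    for i, rule in enumerate(rules):
        kind = parse_rule(rule)[0]
        if kind == "SRC-IP-CIDR":
            if seen_other:
                problems.append(f"rule {i}: {rule} is not at the top of the rules list")
        else:
            seen_other = True
    return problems


def decide(rules, src_ip, dst_ip, geoip_lookup):
    """First matching rule wins; returns the target (DIRECT, Proxy, ...) or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        kind, arg, target, _ = parse_rule(rule)
        if kind == "SRC-IP-CIDR" and src in ipaddress.ip_network(arg, strict=False):
            return target
        if kind == "IP-CIDR" and dst in ipaddress.ip_network(arg, strict=False):
            return target
        if kind == "GEOIP" and geoip_lookup(dst) == arg:
            return target
        if kind == "MATCH":
            return target
    return None


if __name__ == "__main__":
    print(dhcp_bypass_rule("192.168.31.3", "192.168.31.127"))
    print(check_order(RULES) or "rule order OK")
    for src in ("192.168.31.100", "192.168.31.200"):
        print(src, "->", decide(RULES, src, "8.8.8.8", lookup_geoip))
```

Note what the arithmetic shows: 192.168.31.0/25 covers .0 through .127, so it also includes the main router at .1 and the side router at .2, which is why the DHCP range has to sit directly after the gateway address rather than somewhere else in the subnet. A range such as .3 to .200 cannot be expressed as one block narrower than the whole /24, so choosing the DHCP range on a power-of-two boundary is what makes a single SRC-IP-CIDR rule possible.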
With that, a side-router gateway with a transparent proxy is set up.
Set up automatic login at boot
This makes working over SSH more convenient.
First create the getty@tty1.service.d directory (drop-in directories live under /etc/systemd/system):
sudo mkdir -p /etc/systemd/system/getty@tty1.service.d
Then create the tty override file:
sudo vim /etc/systemd/system/getty@tty1.service.d/override.conf
Fill in the file with (the empty ExecStart= line clears the unit's original command first):
[Service]
ExecStart=
ExecStart=-/sbin/agetty -o '-p -f -- \\u' --noclear --autologin user %I $TERM
Replace user with the username that should be logged in automatically.