forked from shadowsocks/shadowsocks-libev
-
Notifications
You must be signed in to change notification settings - Fork 12
/
Copy pathshadowsocks-libev.8
183 lines (158 loc) · 5.97 KB
/
shadowsocks-libev.8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
.ig
. manual page for shadowsocks-libev
.
. Copyright (c) 2012-2015, by: Max Lv
. All rights reserved.
.
. Permission is granted to copy, distribute and/or modify this document
. under the terms of the GNU Free Documentation License, Version 1.1 or
. any later version published by the Free Software Foundation;
. with no Front-Cover Texts, no Back-Cover Texts, and with the following
. Invariant Sections (and any sub-sections therein):
. all .ig sections, including this one
. STUPID TRICKS Sampler
. AUTHOR
.
. A copy of the Free Documentation License is included in the section
. entitled "GNU Free Documentation License".
.
..
\# - these two are for chuckles, makes great grammar
.ds Lo \fBss-local\fR
.ds Re \fBss-redir\fR
.ds Se \fBss-server\fR
.ds Tu \fBss-tunnel\fR
.ds Ma \fBss-manager\fR
.ds Me \fBShadowsocks\fR
.TH SHADOWSOCKS-LIBEV 8 "January 7, 2015"
.SH NAME
shadowsocks-libev \- a lightweight and secure socks5 proxy
.SH SYNOPSIS
\*(Lo|\*(Re|\*(Se|\*(Tu|\*(Ma
\-s server_host \-p server_port
\-l local_port \-k password
\-m encrypt_method \-f pid_file
\-t timeout \-c config_file
.SH DESCRIPTION
\*(Me is a lightweight and secure socks5 proxy. It is a port of the original
shadowsocks created by clowwindy. \*(Me is written in pure C and takes advantage
of \fBlibev\fP to achieve both high performance and low resource consumption.
.PP
\*(Me consists of four components. One is \*(Se that runs on a remote server
to provide secured tunnel service. \*(Lo and \*(Re are clients on your local
machines to proxy TCP traffic. \*(Tu is a tool for local port forwarding.
.PP
While \*(Lo works as a standard socks5 proxy, \*(Re works as a transparent proxy
and requires netfilter's NAT module. For more information, check out the example
section.
.PP
\*(Ma is a controller for multi-user management and traffic statistics, using UNIX
domain socket to talk with \*(Se. Also, it provides a UNIX domain socket or IP based
API for other software. About the details of this API, please refer to the protocol
section.
.SH OPTIONS
.TP
.B \-s \fIserver_host\fP
Set the server's hostname or IP.
.TP
.B \-p \fIserver_port\fP
Set the server's port number.
.TP
.B \-l \fIlocal_port\fP
Set the local port number.
.TP
.B \-k \fIpassword\fP
Set the password. The server and the client should use the same password.
.TP
.B \-m \fIencrypt_method\fP
Set the cipher. Shadowsocks accepts 16 different ciphers: table, rc4, rc4-md5,
aes-128-cfb, aes-192-cfb, aes-256-cfb, bf-cfb, camellia-128-cfb,
camellia-192-cfb, camellia-256-cfb, cast5-cfb, des-cfb, idea-cfb, rc2-cfb,
seed-cfb, salsa20 and chacha20. The default cipher is \fItable\fP. If
built with PolarSSL or custom OpenSSL libraries, some of these ciphers may
not work.
.TP
.B \-f \fIpid_file\fP
Start shadowsocks as a daemon with specific pid file.
.TP
.B \-t \fItimeout\fP
Set the socket timeout in seconds. The default value is 10.
.TP
.B \-c \fIconfig_file\fP
Use a configuration file.
.TP
.B \-a \fIuser_name\fP
Run as a specific user.
.TP
.B \-d \fIaddr\fP
Setup the name servers for libudns. The default server is fetched from
/etc/resolv.conf.
.TP
.B \-u
Enable UDP relay.
.TP
.B \-v
Enable verbose mode.
.TP
.B \--fast-open
Enable TCP fast open.
.TP
.B \--acl \fIacl_config\fP
Enable ACL (Access Control List).
.TP
.B \--manager-address \fIpath_to_unix_domain\fP
Enable manager mode.
.TP
.B \--executable \fIpath_to_server_executable\fP
Specify the executable path of ss-server for manager mode.
.SH EXAMPLE
\*(Re requires netfilter's NAT function. Here is an example:
# Create new chain
root@Wrt:~# iptables -t nat -N SHADOWSOCKS
# Ignore your shadowsocks server's addresses
# It's very IMPORTANT, just be careful.
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN
# Ignore LANs and any other addresses you'd like to bypass the proxy
# See Wikipedia and RFC5735 for full list of reserved networks.
# See ashi009/bestroutetb for a highly optimized CHN route list.
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
# Anything else should be redirected to shadowsocks's local port
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345
# Add any UDP rules
root@Wrt:~# ip rule add fwmark 0x01/0x01 table 100
root@Wrt:~# ip route add local 0.0.0.0/0 dev lo table 100
root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x01/0x01
# Apply the rules
root@Wrt:~# iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS
root@Wrt:~# iptables -t mangle -A PREROUTING -j SHADOWSOCKS
# Start the shadowsocks-redir
root@Wrt:~# ss-redir -u -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid
.SH PROTOCOL
\*(Ma provides several APIs through UDP protocol:
Send UDP commands in the following format to the manager-address provided to \*(Ma.
command: [JSON data]
To add a port:
add: {"server_port": 8001, "password":"7cd308cc059"}
To remove a port:
remove: {"server_port": 8001}
To receive a pong:
ping
Then \*(Ma will send back the traffic statistics:
stat: {"8001":11370}
.SH SEE ALSO
.BR iptables (8),
/etc/shadowsocks-libev/config.json
.br
.SH AUTHOR
shadowsocks was created by clowwindy <[email protected]> and
shadowsocks-libev was maintained by Max Lv <[email protected]> and Linus Yang
.PP
This manual page was written by Max Lv <[email protected]>.