Setup ipset on OpenWrt

通过下面的操作, 可以让ipset工作, 实现数据包分流.

  • ipset can work with dnsmasq-full to block disturbing ADs. (GOOD)
  • ipset can work with privoxy to inject annoying ADs. (BAD)
$ opkg update
$ opkg install ip ipset
$ echo '/etc/iproute2/rt_tables' >> /etc/sysupgrade.conf
$ echo '/etc/ipset.conf' >> /etc/sysupgrade.conf

$ vi # do some editing

$ chmod +x /etc/init.d/ipset
$ /etc/init.d/ipset gen # VERY SLOW
$ /etc/init.d/ipset start # VERY SLOW
$ /etc/init.d/ipset list
# /etc/init.d/ipset enable # DO NOT DO IT

$ reload_config

/etc/init.d/ipset

#!/bin/sh /etc/rc.common

START=99  
STOP=01

EXTRA_COMMANDS="gen list save"  
EXTRA_HELP="\  
        gen     Generate /etc/ipset.conf
        list    List all setnames
        save    Save to /etc/ipset.conf
"

start() {  
    echo -n "Starting ... "
    ipset -f /etc/ipset.conf restore
    iptables -t mangle -A PREROUTING -m set --match-set cn dst -j MARK --set-mark 9
    echo "[OK]"
}

stop() {  
    echo -n "Stopping ... "
    iptables -t mangle -D PREROUTING -m set --match-set cn dst -j MARK --set-mark 9
    ipset destroy
    echo "[OK]"
}

gen() {  
    stop
    echo -n "Generating ... "
    mkdir -p /tmp/ipset && cd /tmp/ipset
    wget -qO- http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest > delegated-apnic-latest
    awk -F\| 'NF==7 && length($2)==2 && $3=="ipv4" {printf("%s/%d\n", $4, 32-log($5)/log(2)) > tolower($2)}' delegated-apnic-latest
    for i in ??; do ipset -! create $i hash:net; cat $i | while read j; do ipset -! add $i $j; done; done
    ipset -f /etc/ipset.conf save
    ipset destroy
    cd -
    rm -rf /tmp/ipset
    echo "[OK]"
}

list() {  
    ipset -n list | awk 'BEGIN{print "# begin"}; {printf "%d\t%s\n", NR, $0}; END{print "# end"}'
}

save() {  
    echo -n "Saving ... "
    ipset -f /etc/ipset.conf save
    echo "[OK]"
}

/etc/ipset.conf (generated)

# ...

create cn hash:net family inet hashsize 2048 maxelem 65536  
add cn 103.229.216.0/22  
add cn 114.119.200.0/22  
add cn 43.236.132.0/22  
add cn 59.43.0.0/16  
add cn 103.236.8.0/22  
add cn 202.38.64.0/19  
add cn 202.81.184.0/22  
add cn 202.96.80.0/20  
add cn 42.1.48.0/21

# ...

/etc/iproute2/rt_tables

#
# reserved values
#
255    local  
254    main  
253    default  
0    unspec  
#
# local
#
#1    inr.ruhep
9    cn  

/etc/config/network (Network → Static Routes)

# ...

config interface 'wwan'  
    option proto 'dhcp'

config rule  
    option mark '0x09'
    option in 'lan'
    option lookup 'cn'

config route  
    option interface 'wwan'
    option target '5.6.7.8'
    option gateway '10.123.64.1'

config route  
    option interface 'wwan'
    option target '114.114.114.114'
    option gateway '10.123.64.1'

config route 'cn'  
    option interface 'wwan'
    option target '0.0.0.0'
    option netmask '0.0.0.0'
    option gateway '10.123.64.1'
    option table 'cn'
  • 5.6.7.8 is a foreign socks5 proxy, I need to access it directly!
  • Local traffic cannot be split yet, I add chinese DNS server (114.114.114.114) to white-list explicitly.
  • Please reference the correct interface name (wwan) for direct access.

/etc/firewall.user (Network → Firewall → Custom Rules )

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

iptables -t mangle -D PREROUTING -m set --match-set cn dst -j MARK --set-mark 9  
iptables -t mangle -A PREROUTING -m set --match-set cn dst -j MARK --set-mark 9  

/etc/rc.local (System → Startup → Local Startup)

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

ipset -f /etc/ipset.conf restore

exit 0  

/etc/config/dhcp (Network → DHCP and DNS)

  • 默认使用境外DNS解析
    • 8.8.8.8
    • 8.8.4.4
    • 208.67.222.222
    • 208.67.220.220
  • 使用境内DNS解决CDN问题 (白名单)
    • 114.114.114.114
    • 223.5.5.5
    • 223.6.6.6
config dnsmasq  
    option domainneeded '1'
    option boguspriv '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option localservice '1'
    option noresolv '1'
    list server '208.67.222.222'
    list server '208.67.220.220'
    list server '/alicdn.com/114.114.114.114'
    list server '/bdstatic.com/114.114.114.114'
    list server '/360buyimg.com/114.114.114.114'

# ...

Read More