ROS with NaiveProxy: a minimal transparent proxy

Drawbacks:
No failover
You have to add the blocked domains you visit often yourself (if you are not set on naiveproxy, switching to clash solves the DNS problem almost completely)
Advantages:
No "bypass router" concept
Nothing but traffic forwarding
The DNS gateway is the main router
Even if the service dies, domestic browsing is unaffected
Never again will your wife nag you about fiddling with the router every day

First run the local naiveproxy client; it can run on Linux or in Docker.

Below, Linux is used as the example:

Download the Linux build of naiveproxy
Determine the version
export VERSION=$(curl -s "https://api.github.com/repos/klzgrad/naiveproxy/releases/latest" | jq -r .tag_name)
Download
wget https://github.com/klzgrad/naiveproxy/releases/download/${VERSION}/naiveproxy-${VERSION}-linux-x64.tar.xz
Extract and put the binary in /usr/local/bin
tar -xJvf naiveproxy-${VERSION}-linux-x64.tar.xz -C . && mv naiveproxy-${VERSION}-linux-x64/naive /usr/local/bin
Create the service
nano /etc/systemd/system/naive.service

[Unit]
Description=NaiveProxy Server Service
After=network-online.target

[Service]
Type=simple
User=nobody
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
ExecStart=/usr/local/bin/naive /etc/naive/config.json

[Install]
WantedBy=multi-user.target

Create the config file (the directory must exist before nano can save into it)
mkdir -p /etc/naive
nano /etc/naive/config.json

{
  "listen": "redir://0.0.0.0:1080",
  "proxy": "https://user:password@example.com",
  "log": ""
}

Start naive

systemctl daemon-reload
systemctl start naive
systemctl status naive

Enable the transparent proxy

# Note: the first rule redirects every incoming TCP connection, including ones addressed to this box itself (e.g. SSH to it).
iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 1080
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 1080
sysctl -w net/ipv4/ip_forward=1

Make the rules come back on boot together with the network

iptables-save > /etc/iptables

vi /etc/network/if-pre-up.d/iptables

#!/bin/sh
/sbin/iptables-restore < /etc/iptables

chmod +x /etc/network/if-pre-up.d/iptables

Now the RouterOS side:

Fetch the China IP ranges

/tool fetch url=http://www.iwik.org/ipcountry/mikrotik/CN
/import file-name=CN

Commonly used blocked domains

/ip firewall layer7-protocol
add name=gfwlist regexp="abema.tv|acast.com|adobe.com|adrta.com|adsrvr.org|ads\
    wizz.com|agkn.com|akamai.net|akamaiedge.net|akamaihd.net|akamaized.net|ama\
    zon-adsystem.com|amazon.co.jp|amazon.co.uk|amazon.com|amazon.de|amazonaws.\
    com|amazonvideo.com|ameblo.jp|ampproject.org|apple.news|appspot.com|att.co\
    m|aws.amazon.com|azureedge.net|backpackers.com.tw|bahamut.com.tw|bbc.uk.co\
    |bitfinex.com|blogcdn.com|blogger.com|blogspot.com|book.com.tw|books.com.t\
    w|boxun.com|brightcove.com|buzzfeed.com|chinagfw.org|clockwise.ee|cloudfro\
    nt.net|codec-cluster.org|coindesk.com|coinsquare.io|conviva.com|crashlytic\
    s.com|crwdcntrl.net|cryptocompare.com|digicert.com|directv.com|directvnow.\
    com|dlyoutube.com|doubleclick.net|doubleverify.com|dropboxstatic.com|dtvce\
    .com|edgekey.net|edgesuite.net|eurecom.fr|evernote.com|facebook.com|facebo\
    ok.net|fast.com|fastly.net|fbcdn.net|feedly.com|feeds.feedburner.com|ff.im\
    |findyoutube.com|flickr.com|footprint.net|fwmrm.net|gamer.com.tw|gdax.com|\
    ggpht.com|github.com|go.com|google-analytics.com|google.co.jp|google.com.h\
    k|google.com.sg|google.com.tw|google.com.uk|google.com|googleadservices.co\
    m|googleapis.com|googlecode.com|googledomains.com|googledrive.com|googleea\
    rth.com|googlehosted.com|googlelabs.com|googlemail.com|googlepages.com|goo\
    gleplus.com|googlesile.com|googlesource.com|googlesyndication.com|googleta\
    gmanager.com|googletagservices.com|googleusercontent.com|googlevideo.com|g\
    static.com|gvt1.com|hbo.com|hbogo.com|hbonow.com|hinet.net|hulu.com|huluad\
    .com|huluim.com|hulustream.com|img.ly|imrworldwide.com|innovid.com|inq.com\
    |is.gd|kknews.cc|line-apps.com|line.me|listentoyoutube.com|medium.com|move\
    tv.com|naver.jp|nutaq.com|nytimes.com|omtrdc.net|onlineyoutube.com|openair\
    interface.org|openx.net|primevideo.com|pubmatic.com|radiotime.com|scorecar\
    dresearch.com|serving-sys.com|sho.com|showtime.com|skype.com|sling.com|spo\
    txchange.com|sublimetext.com|t.coj.mp|t66y.com|teddysun.com|textnow.com|te\
    xtnow.me|tremorhub.com|trouter.io|ttvnw.net|turnin.com|tver.jp|twimg.com|t\
    witch.tv|twitter.com|uploaded.net|viblast.com|videoamp.com|vimeo.com|whats\
    app.com|whatsapp.net|wikimedia.org|wikipedia.com|withyoutube.com|wordpress\
    .com|wsj.net|yahoo.co.jp|yahoo.com|yimg.jp|youtu.be|youtube.com|ytimg.com|\
    6park.com|91smartyun.pt|telegram.org|instagram.com|perfect-privacy.com|tum\
    blr.com|bandwagonhost.com|reddit.com|rfi.fr|githubusercontent.com|wikipedi\
    a.org|yimg.com|yahoo-leisure.hk|xfastest.com|mobile01.com|mega.nz|eti.br|p\
    ixnet.net|pixcdn.tw|lanzous.com|hk01.com|shopee.tw|landofhope.tv|cloudcone\
    .com|libreswan.org|wireguard.com|bit.ly|github.io|mikrotik.com|udemy.com|o\
    penvpn.net|free-codecs.com|parler.com|limevpn.com|bitvise.com|whatsapp.com\
    |whatsapp.net|netflix.com.edgesuite.net|netflix.com|netflix.net|nflxext.co\
    m|nflximg.com|nflximg.net|nflxso.net|nflxvideo.net|netflixdnstest0.com|net\
    flixdnstest1.com|netflixdnstest2.com|netflixdnstest3.com|netflixdnstest4.c\
    om|netflixdnstest5.com|netflixdnstest6.com|netflixdnstest7.com|netflixdnst\
    est8.com|netflixdnstest9.com|youtubei.googleapis.com|v2ex.com|smtp.gmail.co\
    m|imap.gmail.com|googlecode.com"

Add the route
/ip route
add check-gateway=ping distance=1 gateway=<naiveproxy IP address> routing-mark=Naiveproxy

Mark the traffic

/ip firewall mangle
add action=mark-routing chain=prerouting comment="!CN Routing Mark" dst-address-list=!CN dst-port=!53,853 new-routing-mark=Naiveproxy passthrough=yes protocol=tcp src-address-list=Proxy
add action=mark-routing chain=prerouting comment="!CN Routing Mark" dst-address-list=!CN dst-port=!53,853 new-routing-mark=Naiveproxy passthrough=no protocol=udp src-address-list=Proxy
add action=change-mss chain=forward comment="Change MSS" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=output comment="Change MSS" new-mss=clamp-to-pmtu passthrough=no protocol=tcp tcp-flags=syn

Hijack DNS to the naiveproxy IP address

/ip firewall nat
add action=dst-nat chain=dstnat comment="Hijack DNS to Naive" dst-port=53,853 layer7-protocol=gfwlist protocol=udp src-address-list=Proxy to-addresses=<naiveproxy IP address>
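Why the layer7 rule above can match a DNS query at all, and why it over-matches: the gfwlist regexp leaves its dots unescaped, so `.` also matches the label-length byte that replaces each dot in DNS wire format. This is an added Python example, not part of the original post; it assumes the RouterOS layer7 matcher behaves like an unanchored regex over the raw UDP payload, and uses three entries taken from the page's list.

```python
import re

# Constructed example: three entries from the page's gfwlist regexp, kept short.
GFWLIST_RE = "google.com|youtube.com|go.com"


def encode_qname(name: str) -> bytes:
    """DNS wire format for a hostname: length-prefixed labels, no dots, NUL end."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal A-record query (12-byte header + question), as a stub resolver sends it."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00" * 6
    return header + encode_qname(name) + b"\x00\x01\x00\x01"  # QTYPE=A, QCLASS=IN


def layer7_matches(regexp: str, payload: bytes):
    """Assumed model of the RouterOS layer7 matcher: an unanchored regex over the
    raw payload. DOTALL so '.' also matches a 0x0a length byte (10-char label).
    Returns the matched bytes, or None when the rule would not fire."""
    m = re.search(regexp.encode("ascii"), payload, re.DOTALL)
    return m.group(0) if m else None


if __name__ == "__main__":
    # google.com fires on www.google.com; go.com also fires on lego.com (over-match);
    # baidu.com is left alone, so its query is not hijacked.
    for host in ("www.google.com", "lego.com", "www.baidu.com"):
        print(host, "->", layer7_matches(GFWLIST_RE, build_dns_query(host)))
    # Escaping the dots "properly" would silently break the hijack rule:
    print("escaped:", layer7_matches(r"google\.com", build_dns_query("www.google.com")))
```

The last line is the caveat for anyone tidying the list: `google\.com` never matches a wire-format query, so the dst-nat rule would stop firing without any error.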

Add the LAN IPs you want proxied to an address-list named Proxy

/ip firewall address-list
add address=10.0.0.11 list=Proxy
add address=10.0.0.22 list=Proxy
add address=10.0.0.33 list=Proxy
add address=10.0.0.44 list=Proxy
add address=10.0.0.55 list=Proxy

Done.
Enjoy!

a year later

Can this be done by installing the naiveproxy client in RouterOS's Docker (container) feature?

    10 days later

    mounts is like -v in docker

    envs is like docker's -e; put the redir you want there

      2 months later

      TinyServe, could you put out a container tutorial? I've been at it for two days and still can't get it working 😅 it says the config file can't be found

      a year later

      Hi, my device is an RB5009. I pulled the latest tinyserve/naiveproxy-transparent, version 126.0.6478.40

      On startup it gives the following two errors

      Warning: Extension REDIRECT revision 0 not supported, missing kernel module?

      iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument

      But pulling version 119.0.6045.66 with the same configuration starts fine in redir mode

        xymlhn The ROS kernel doesn't support the latest Alpine nftables; switching to 3.18 fixes it. The image has been updated

        Thanks, pulling the latest image now runs successfully.