[Level2/gid] Add English translate (#48)

2025-01-19 17:21:41 +03:00 · 2021-05-26 20:18:01 +08:00 · 2021-05-26 20:18:01 +08:00 · 4f5302953d
commit 4f5302953d
parent 0264764579
1 changed files with 96 additions and 105 deletions
--- a/docs/en/document/level-2/iptables_gid.md
+++ b/docs/en/document/level-2/iptables_gid.md
@ -1,101 +1,96 @@
 ---
-title: GID 透明代理
+title: Transparent proxy via GID
 ---
-# 透明代理通过 gid 规避 Xray 流量
+# Transparent proxy to circumvent Xray traffic via GID
-在现有的 iptables 透明代理白话文(**[新 V2Ray 白话文指南-透明代理](https://guide.v2fly.org/app/transparent_proxy.html)** 、 **[新 V2Ray 白话文指南-透明代理(TPROXY)](https://guide.v2fly.org/app/tproxy.html)** 、 **[透明代理（TProxy）配置教程](./tproxy)**)教程中，对 Xray 流量的规避处理是打 mark 实现的。即对 Xray 出站流量打 mark，通过设置 iptables 规则对对应 mark 的流量直连，来规避 Xray 流量，防止回环。
+In the existing transparent proxy configuration(**[New V2Ray vernacular tutorial on transparent proxy](https://guide.v2fly.org/app/transparent_proxy.html)** 、 **[New V2Ray vernacular tutorial on transparent proxy (TProxy)](https://guide.v2fly.org/app/tproxy.html)** 、 **[Transparent proxy（TProxy）configuration tutorial](./tproxy.md)**)tutorials, the circumvention of Xray traffic is achieved by using mark. That is, mark outbound traffics and set up iptables rules which directly connect traffics corresponding to the mark, to circumvent the Xray traffic and prevent loop back.
-这么做有以下几个问题：
+There are several problems with this method:
-1. **[莫名流量进入 PREROUTING 链](https://github.com/v2ray/v2ray-core/issues/2621)**
+1. **[Inexplicable traffic into PREROUTING chain](https://github.com/v2ray/v2ray-core/issues/2621)**
-2. 安卓系统有自己的 mark 机制，该方案在安卓上不可用
+2. Android has its own mark mechanism and this solution is not available on Android
-本教程的方案不需要设置 mark，理论性能更高，同时也不存在上述问题。
+The solution in this tutorial does not require a mark setting and has a higher theoretical performance, as well as not having the problems mentioned above.
-## 思路
+## Ideas
-tproxy 流量只能被 root 权限用户(uid==0)或其他有 CAP_NET_ADMIN 权限的用户接收。
+TProxy traffic can only be received by users with root privileges (uid==0) or other users with CAP_NET_ADMIN privileges.
-iptables 规则可以通过 uid(用户 id)和 gid(用户组 id)分流。
+The iptables rules can separate network traffic by uid (user id) and gid (user group id).
 Let Xray run on a user with uid==0 but gid!=0. Set the iptables rule to not proxy traffic for that gid to circumvent Xray traffic.
-让 Xray 运行在一个 uid==0 但 gid!=0 的用户上，设置 iptables 规则不代理该 gid 的流量来规避 Xray 流量。
+## Configuration Procedure
-## 配置过程
+### 1. Preliminary preparation
-### 1. 前期准备
+**Android**
-**安卓系统**
+1. System has root privilege.
-1. 系统已 root
+2. Install **[busybox](https://play.google.com/store/apps/details?id=stericson.busybox)**
-2. 安装 **[busybox](https://play.google.com/store/apps/details?id=stericson.busybox)**
+3. There is a terminal that can execute commands, you can use adb shell, termux etc.
-3. 有一个可以执行命令的终端，可以使用 adb shell，termux 等。
+**Other Linux system**
-**其它 Linux 系统**
+Need sudo, iptables-tproxy module and iptables-extra module。
-需要依赖 sudo，iptables 的 tproxy 模块和 extra 模块。
+Usually the system comes with these functions. If you are using openwrt, you will need to run the following command:
 一般系统都有自带，openwrt 运行：
 ```bash
 opkg install sudo iptables-mod-tproxy iptables-mod-extra
 ```
-另附上一些 openwrt 常用的依赖，缺少可能导致 Xray 无法运行
+Also attached are some common dependencies for openwrt, the lack of which may prevent Xray from running
 ```bash
 opkg install libopenssl ca-certificates
 ```
-### 2. 添加用户(安卓用户请忽略)
+### 2. Add user (Android users please ignore this section)
-安卓系统不支持/etc/passwd 文件来管理用户，请忽略，直接下一步。
+Android does not support managing users by modifying the /etc/passwd file, please ignore it and go straight to the next step.
 ```bash
 grep -qw xray_tproxy /etc/passwd || echo "xray_tproxy:x:0:23333:::" >> /etc/passwd
 ```
-其中 xray_tproxy 是用户名，0 是 uid，23333 是 gid，用户名和 gid 可以自己定，uid 必须为 0。
+where xray_tproxy is the username, 0 is the uid and 23333 is the gid, the username and gid can be set by yourself, the uid must be 0.
-检查用户是否添加成功，运行
+To check if the user was added successfully, run
 ```bash
 sudo -u xray_tproxy id
 ```
-显示的结果应该是 uid 为 0，gid 为 23333
+The result displayed should be uid 0 and gid 23333.
-### 3. 配置运行 Xray，配置 iptables 规则
+### 3. Configure and run Xray, and configure iptables rules
-在现有的 iptables 透明代理白话文(**[新 V2Ray 白话文指南-透明代理](https://guide.v2fly.org/app/transparent_proxy.html)** 、 **[新 V2Ray 白话文指南-透明代理(TPROXY)](https://guide.v2fly.org/app/tproxy.html)** 、 **[透明代理（TProxy）配置教程](./tproxy)**)教程的基础上修改：
+In the existing transparent proxy configuration(**[New V2Ray vernacular tutorial on transparent proxy](https://guide.v2fly.org/app/transparent_proxy.html)** 、 **[New V2Ray vernacular tutorial on transparent proxy (TProxy)](https://guide.v2fly.org/app/tproxy.html)** 、 **[Transparent proxy（TProxy）configuration tutorial](../tproxy)**)tutorials, modify:
-1. 修改 json 配置文件，删除 mark 相关内容
+1. Modify the json configuration file: remove mark-related content
-2. 修改 iptables 规则，删除 mark 相关内容，并在 OUTPUT 链应用规则处添加选项"-m owner ! --gid-owner 23333"。
+2. Modify the iptables rule to remove the mark-related content and add the option at the OUTPUT chain application rule: `-m owner ! --gid-owner 23333`
-如：
+e.g.:
-```bash
+`iptables -t mangle -A OUTPUT -j XRAY_SELF`
 iptables -t mangle -A OUTPUT -j XRAY_SELF
 ```
-改为
+Change to
-```bash
+`iptables -t mangle -A OUTPUT -m owner ! --gid-owner 23333 -j XRAY_SELF`
 iptables -t mangle -A OUTPUT -m owner ! --gid-owner 23333 -j XRAY_SELF
 ```
-3. 修改运行 Xray 的方式，使其运行在 uid 为 0，gid 为 23333 的用户上，参考[这里](#3-配置最大文件大开数运行xray客户端)。
+1. Modify the way you run Xray so that it runs on a user with uid 0 and gid 23333, refer to [here](#_3-configure-and-run-xray-and-configure-iptables-rules).
-## 下面提供一个实现 tproxy 全局代理的完整配置过程
+## The following provides a complete configuration process for implementing the tproxy global proxy
-### 1. 完成 **[前期准备](#1-前期准备)** 和 **[添加用户](#2-添加用户安卓用户请忽略)**
+### 1. Finish **[Preliminary preparation](#_1-preliminary-preparation)** 和 **[Add user](#_2-add-user-android-users-please-ignore-this-section)**
-### 2. 准备 Xray 配置文件
+### 2. Preparing Xray profiles
-配置 Xray 任意门监听 12345，开启 followRedirect 和 tproxy，不需要设置 sniffing：
+Configure Xray to listen to 12345 at dokodemo-door, turn on followRedirect and tproxy, no sniffing required:
 ```json
 {
@ -116,120 +111,116 @@ iptables -t mangle -A OUTPUT -m owner ! --gid-owner 23333 -j XRAY_SELF
  ],
  "outbounds": [
    {
-      你的服务器配置
+      // Your server configuration
    }
  ]
 }
 ```
-### 3. 配置最大文件大开数&运行 Xray 客户端
+### 3. Configuring the maximum number of open files and run the Xray client
-关于最大文件大开数问题见： **[too many open files 问题](https://guide.v2fly.org/app/tproxy.html#解决-too-many-open-files-问题)**
+About the maximum number of open files, see: **[too many open files issues](https://guide.v2fly.org/app/tproxy.html#解决-too-many-open-files-问题)**
-目前 Xray 服务端使用官方脚本安装的已经自动配置了最大文件大开数，无需再修改。
+The current Xray server installed with the official script has the maximum number of open files automatically configured, so no further changes are required.
-**安卓系统**
+**Android**
 ```bash
 ulimit -SHn 1000000
-setuidgid 0:23333 "运行Xray的命令"&
+setuidgid 0:23333 "Command to run Xray"&
 ```
-**其它 Linux 系统**
+**Other Linux system**
 ```bash
 ulimit -SHn 1000000
-sudo -u xray_tproxy "运行Xray的命令"&
+sudo -u xray_tproxy "Command to run Xray"&
 ```
-_第一条命令：_
+e.g.:
 改变最大打开文件数，只对当前终端有效，每次启动 Xray 前都要运行，该命令是设置客户端的最大文件大开数
 _第二条命令：_
 以 uid 为 0，gid 不为 0 的用户来运行 Xray 客户端，后面加&代表放在后台运行
 **检查最大文件大开数是否设置成功**
 ```bash
-cat /proc/Xray的pid/limits
+ulimit -SHn 1000000
 sudo -u xray_tproxy xray -c /etc/xray/config.json &
 ```
-找到 max open files 一项，应该是你设置的数值。pid 的获取方法为运行`ps`或`ps -aux`或`ps -a`
+_The first command:_
-服务端和客户端都要检查
+Change the maximum number of open files, valid only for the current terminal and to be run every time before starting Xray, this command is to set the maximum number of open files for the client.
-### 4. 设置 iptables 规则
+_The second command:_
-**代理 ipv4**
+Run the Xray client as a user with uid 0 and gid not 0, followed by & for running in the background.
 **Check if the maximum number of open files is set successfully**
 ```bash
 cat /proc/"Xray's pid"/limits
 ```
 Find max open files, which should be the value you set. Xray's pid can be obtained by running `ps` or `ps -aux` or `ps -a`
 Both the server and client side should be checked.
 ### 4. Setting up iptables rules
 **Proxy ipv4**
 ```bash
 ip rule add fwmark 1 table 100
 ip route add local 0.0.0.0/0 dev lo table 100
-# 代理局域网设备
+# Proxy LAN devices
 iptables -t mangle -N XRAY
-#  "网关所在ipv4网段" 通过运行命令"ip address | grep -w inet | awk '{print $2}'"获得，一般有多个
+# "ipv4 segment where the gateway is located" is obtained by running the command "ip address | grep -w inet | awk '{print $2}'", usually there are multiple
-iptables -t mangle -A XRAY -d 网关所在ipv4网段1 -j RETURN
+iptables -t mangle -A XRAY -d "first ipv4 segment where the gateway is located" -j RETURN
-iptables -t mangle -A XRAY -d 网关所在ipv4网段2 -j RETURN
+iptables -t mangle -A XRAY -d "second ipv4 segment where the gateway is located" -j RETURN
 ...
-# 组播地址/E类地址/广播地址直连
+# If the gateway is used as the primary router, add this line, see: [Other considerations for transparent proxy of iptables](https://xtls.github.io/en/documents/level-2/transparent_proxy/transparent_proxy/#proxy-ipv6)
-iptables -t mangle -A XRAY -d 224.0.0.0/3 -j RETURN
+# The "gateway LAN_IPv4 address segment", obtained by running the command "ip address | grep -w "inet" | awk '{print $2}'", is one of the results
 iptables -t mangle -A XRAY ! -s "gateway LAN_IPv4 address segment" -j RETURN
-
+# Mark 1 for TCP and forward to port 12345
-#如果网关作为主路由，则加上这一句，见：https://xtls.github.io/documents/level-2/transparent_proxy/transparent_proxy.md#iptables透明代理的其它注意事项
+# mark can only be set to 1 for the traffic to be accepted by the Xray dokodemo-door
 #网关LAN_IPv4地址段，运行命令"ip address | grep -w "inet" | awk '{print $2}'"获得，是其中的一个
 iptables -t mangle -A XRAY ! -s 网关LAN_IPv4地址段 -j RETURN
 # 给 TCP 打标记 1，转发至 12345 端口
 # mark只有设置为1，流量才能被Xray任意门接受
 iptables -t mangle -A XRAY -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1
 iptables -t mangle -A XRAY -p udp -j TPROXY --on-port 12345 --tproxy-mark 1
-# 应用规则
+# Apply rules
 iptables -t mangle -A PREROUTING -j XRAY
-# 代理网关本机
+# Proxy gateway itself
 iptables -t mangle -N XRAY_MASK
-iptables -t mangle -A XRAY_MASK -m owner --gid-owner 23333 -j RETURN
+iptables -t mangle -A XRAY_MASK -d "the first ipv4 segment where the gateway is located" -j RETURN
-iptables -t mangle -A XRAY_MASK -d 网关所在ipv4网段1 -j RETURN
+iptables -t mangle -A XRAY_MASK -d "the second ipv4 segment where the gateway is located" -j RETURN
-iptables -t mangle -A XRAY_MASK -d 网关所在ipv4网段2 -j RETURN
+
 ...
 iptables -t mangle -A XRAY_MASK -d 224.0.0.0/3 -j RETURN
 iptables -t mangle -A XRAY_MASK -j MARK --set-mark 1
-iptables -t mangle -A OUTPUT -p tcp -j XRAY_MASK
+iptables -t mangle -A OUTPUT -m owner ! --gid-owner 23333 ! -p icmp -j XRAY_MASK
 iptables -t mangle -A OUTPUT -p udp -j XRAY_MASK
 ```
-**代理 ipv6(可选)**
+**Proxy ipv6 (optional)**
 ```bash
 ip -6 rule add fwmark 1 table 106
 ip -6 route add local ::/0 dev lo table 106
-# 代理局域网设备
+# Proxy LAN devices
 ip6tables -t mangle -N XRAY6
-# "网关所在ip6网段" 通过运行命令"ip address | grep -w inet6 | awk '{print $2}'"获得。
+# The "ipv6 segment where the gateway is located" is obtained by running the command "ip address | grep -w inet6 | awk '{print $2}'".
-ip6tables -t mangle -A XRAY6 -d 网关所在ipv6网段1 -j RETURN
+ip6tables -t mangle -A XRAY6 -d "the first ipv6 segment where the gateway is located" -j RETURN
-ip6tables -t mangle -A XRAY6 -d 网关所在ipv6网段2 -j RETURN
+ip6tables -t mangle -A XRAY6 -d "the second ipv6 segment where the gateway is located" -j RETURN
 ...
-# 如果网关作为主路由，则加上这一句，见：https://xtls.github.io/documents/level-2/transparent_proxy/transparent_proxy.md#iptables透明代理的其它注意事项
+# If the gateway is used as the primary router, add this line, see: [Other considerations for transparent proxy of iptables](https://xtls.github.io/en/documents/level-2/transparent_proxy/transparent_proxy/#proxy-ipv6)
-# 网关LAN_IPv6地址段，运行命令"ip address | grep -w "inet6" | awk '{print $2}'"获得，是其中的一个
+# The "gateway LAN_IPv6 address segment", obtained by running the command "ip address | grep -w "inet6" | awk '{print $2}'", is one of the results
-ip6tables -t mangle -A XRAY6 ! -s 网关LAN_IPv6地址段 -j RETURN
+ip6tables -t mangle -A XRAY6 ! -s "gateway LAN_IPv6 address segment" -j RETURN
 ip6tables -t mangle -A XRAY6 -p udp -j TPROXY --on-port 12345 --tproxy-mark 1
 ip6tables -t mangle -A XRAY6 -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1
 ip6tables -t mangle -A PREROUTING -j XRAY6
-# 代理网关本机
+# Proxy gateway itself
 ip6tables -t mangle -N XRAY6_MASK
-ip6tables -t mangle -A XRAY6_MASK -m owner --gid-owner 23333 -j RETURN
+ip6tables -t mangle -A XRAY6_MASK -d "the first ipv6 segment where the gateway is located" -j RETURN
-ip6tables -t mangle -A XRAY6_MASK -d 网关所在ipv6网段1 -j RETURN
+ip6tables -t mangle -A XRAY6_MASK -d "the second ipv6 segment where the gateway is located" -j RETURN
-ip6tables -t mangle -A XRAY6_MASK -d 网关所在ipv6网段2 -j RETURN
+
 ...
 ip6tables -t mangle -A XRAY6_MASK -j MARK --set-mark 1
-ip6tables -t mangle -A OUTPUT -p tcp -j XRAY6_MASK
+ip6tables -t mangle -A OUTPUT -m owner ! --gid-owner 23333 ! -p icmp -j XRAY6_MASK
 ip6tables -t mangle -A OUTPUT -p udp -j XRAY6_MASK
 ```