Using the "West Chamber Project" (west-chamber) on Gentoo

The project's description is here:
http://code.google.com/p/scholarzhang/wiki/README

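As soon as this project was released it caused a sensation online, with discussion of it everywhere.
I was curious about it too and wanted to see early on what it actually is.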

Below is a brief record of my installation process and some of the problems I ran into:
1. Download
http://scholarzhang.googlecode.com/files/west-chamber-0.0.1.tar.gz

2. Install
The installation instructions at http://code.google.com/p/scholarzhang/wiki/INSTALL list the following requirements:

iptables >= 1.4.3
kernel >= 2.6.17 (>= 2.6.18.5 if 2.6.18.x)
- CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK
- CONFIG_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_MARK enabled =y or as module (=m)

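(1) During the actual installation I ran into errors about the iptables version being wrong and match-set not existing, so I had to upgrade iptables to a newer version.
My current version: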

gentoo-pjq xtables # iptables --version
iptables v1.4.7

(2) The ipset version was also wrong:

gentoo-pjq examples # ipset -R 

So I upgraded ipset as well:

autounmask net-firewall/ipset-4.2
emerge ipset

(3) Enable the relevant kernel options:
Find the following 4 kernel options, enable them, and compile them into the kernel:

NF_CONNTRACK
NF_CONNTRACK_MARK
NETFILTER_XT_MATCH_STATE
IP_NF_FILTER

The detailed discussion is here:
http://code.google.com/p/scholarzhang/issues/detail?id=10

If these options are not enabled, you may hit an error like the following:

gentoo-pjq examples # iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -m gfw -j DROP -m comment --comment "drop gfw dns hijacks"
iptables: No chain/target/match by that name.

Screenshots of the relevant kernel options are here:
http://www.flickr.com/photos/pengjianqing/4426415799/
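
An added example (not part of the original post or of the west-chamber project): a small shell pre-flight check for the prerequisites above. It compares the iptables version numerically against 1.4.3 and lists which of the four kernel options are absent from a kernel .config. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the prerequisites listed above.
# Function names and sample data are constructed for illustration.

REQUIRED_OPTS="NF_CONNTRACK NF_CONNTRACK_MARK NETFILTER_XT_MATCH_STATE IP_NF_FILTER"

# parse_iptables_version: extract "1.4.7" from "iptables v1.4.7".
parse_iptables_version() {
    printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: succeeds when dotted version A >= B, comparing each
# field as a number (so 1.4.10 is newer than 1.4.3).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# missing_kernel_opts: read kernel .config text on stdin and print the
# required options that are set neither to =y nor to =m.
missing_kernel_opts() {
    cfg=$(cat)
    out=""
    for opt in $REQUIRED_OPTS; do
        printf '%s\n' "$cfg" | grep -Eq "^CONFIG_${opt}=(y|m)$" || out="$out $opt"
    done
    printf '%s\n' "${out# }"
}

# Constructed sample input (not taken from a real machine).
SAMPLE_CONFIG='CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CONNTRACK_MARK is not set
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_IP_NF_FILTER=y'

v=$(parse_iptables_version "iptables v1.4.7")
if version_ge "$v" 1.4.3; then echo "iptables $v: ok"; else echo "iptables $v: too old"; fi
echo "missing kernel options: $(printf '%s\n' "$SAMPLE_CONFIG" | missing_kernel_opts)"
```

On a real system, feed missing_kernel_opts the running kernel's configuration (for example the .config in the kernel source tree) instead of the sample text.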


(4) If all of the above went through without problems, you can build and install from source:

$ ./autogen.sh
$ CFLAGS="" ./configure --prefix=/usr
$ make
# make install

(5) Manually copy several .so files:

cp extensions/libxt_ZHANG.so /lib/xtables/libipt_ZHANG.so
cp extensions/libxt_CUI.so /lib/xtables/libipt_CUI.so
cp extensions/libxt_gfw.so /lib/xtables/libipt_gfw.so

Otherwise you will get an error like the following:

gentoo-pjq examples # iptables -A INPUT -p tcp --sport 80 --tcp-flags FIN,SYN,RST,ACK SYN,ACK -m state --state ESTABLISHED -m set --match-set NOCLIP src -j ZHANG
iptables v1.4.7: Couldn't load target `ZHANG':/lib/xtables/libipt_ZHANG.so: cannot open shared object file: No such file or directory

3. Usage
Follow its usage instructions:
http://code.google.com/p/scholarzhang/wiki/USAGE

# cd examples
# ipset -R < YOUTUBE
# ipset -R < GOOGLE
# ipset -R < NOCLIP
# iptables -A INPUT -p tcp --sport 80 --tcp-flags FIN,SYN,RST,ACK SYN,ACK -m state --state ESTABLISHED -m set --match-set NOCLIP src -j ZHANG
# iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -m gfw -j LOG --log-level info --log-prefix "gfw: "
# iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -m gfw -j DROP
# echo nameserver 8.8.8.8 > /etc/resolv.conf

If you don't want to type these commands every time, put them all in a script:

pjq@gentoo-pjq ~/Downloads/west-chamber-0.0.1/examples $ cat startwest.sh
#!/bin/bash

echo "ipset -R < YOUTUBE"
ipset -R < YOUTUBE

echo "ipset -R < GOOGLE"
ipset -R < GOOGLE

echo "ipset -R < CHINA"
ipset -R < CHINA

echo "ipset -R < NOCLIP"
ipset -R < NOCLIP

echo "iptables -A INPUT -p tcp --sport 80 --tcp-flags FIN,SYN,RST,ACK SYN,ACK -m state --state ESTABLISHED -m set --match-set NOCLIP src -j ZHANG"
iptables -A INPUT -p tcp --sport 80 --tcp-flags FIN,SYN,RST,ACK SYN,ACK -m state --state ESTABLISHED -m set --match-set NOCLIP src -j ZHANG

echo 'iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -m gfw -j LOG --log-level info --log-prefix "gfw: "'
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -m gfw -j LOG --log-level info --log-prefix "gfw: "

echo "iptables -I INPUT -p tcp --sport 80 -m state --state ESTABLISHED -m gfw -j DROP"
iptables -I INPUT -p tcp --sport 80 -m state --state ESTABLISHED -m gfw -j DROP

echo "iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -m gfw -j DROP"
iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -m gfw -j DROP

echo 'echo "nameserver 8.8.8.8" >/etc/resolv.conf'
echo "nameserver 8.8.8.8" >/etc/resolv.conf
pjq@gentoo-pjq ~/Downloads/west-chamber-0.0.1/examples $

4. If no problems came up while setting the rules with iptables,
the setup should have succeeded. You can check,
and should see a result similar to the following:

gentoo-pjq xtables # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED gfw
DROP       tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED gfw
DROP       tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED gfw
ZHANG      tcp  --  anywhere             anywhere            tcp spt:http flags:FIN,SYN,RST,ACK/SYN,ACK state ESTABLISHED match-set NOCLIP src
DROP       udp  --  anywhere             anywhere            udp spt:domain state ESTABLISHED gfw
ZHANG      tcp  --  anywhere             anywhere            tcp spt:http flags:FIN,SYN,RST,ACK/SYN,ACK state ESTABLISHED match-set NOCLIP src
LOG        tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED gfw LOG level info prefix `gfw: '
DROP       udp  --  anywhere             anywhere            udp spt:domain state ESTABLISHED gfw
ZHANG      tcp  --  anywhere             anywhere            tcp spt:http flags:FIN,SYN,RST,ACK/SYN,ACK state ESTABLISHED match-set NOCLIP src
LOG        tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED gfw LOG level info prefix `gfw: '
DROP       udp  --  anywhere             anywhere            udp spt:domain state ESTABLISHED gfw
ZHANG      tcp  --  anywhere             anywhere            tcp spt:http flags:FIN,SYN,RST,ACK/SYN,ACK state ESTABLISHED match-set NOCLIP src
LOG        tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED gfw LOG level info prefix `gfw: '
DROP       udp  --  anywhere             anywhere            udp spt:domain state ESTABLISHED gfw

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
gentoo-pjq xtables #

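5. If everything went smoothly, you can test web pages.
Frustratingly, I still cannot open youtube.com, but I can open facebook.com. It seems youtube.com opened only once and never again after that, whereas facebook has always opened.
My feeling is that the "West Chamber Project" is not very stable yet, and many features still need work.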

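Still, many thanks to the authors for their efforts, which have let us see some hope. I hope the "West Chamber Project" keeps improving and grows stronger, so that we can freely climb over the GFW.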

There is now an even simpler way to install it on Gentoo: someone has written an ebuild and put it in the gentoo-china overlay. Thanks to viogus.
See:
http://code.google.com/p/scholarzhang/issues/detail?id=10
http://www.linuxsir.org/bbs/thread364811.html

Installation:
Add the gentoo-china overlay and you can install it:

layman -a gentoo-china
layman -S
FEATURES="-sandbox" emerge west-chamber -av