Summary:
- Use a cgroup (a systemd slice) together with iptables to set up a TCP transparent proxy.
- Use stubby and dnsmasq to provide secure, reliable and fast DNS response.
The Proxy Slice
Run the proxy server in a dedicated systemd slice, so that the proxy's own outgoing packets can be excluded from redirection and do not loop back into the proxy.
A classic clash service file can look like the following. Choose ${SLICE_NAME} as you like (such as clash.slice).
iptables and Transparent Proxy
Edit iptables.rules properly. Remember to replace the ${ENV_VARIABLES}.
Enable and start our iptables.service. Now TCP connections made from the shell are transparently proxied.
Try telnet google.com 443; it will still fail, because we have to fix the DNS issue first.
DNS
Of course we can just use a normal DNS server (not a poisoned one). Better, we can also use DoT or DoH.
Stubby
Use stubby, for example. Edit the stubby config file.
Ensure that these servers are reachable without the proxy.
Then edit the stubby service file to put it into the proxy slice, so that its DNS traffic is not redirected through the proxy.
dnsmasq
stubby does not provide a DNS cache, so we have to set up a local DNS cache for a better experience. We use dnsmasq here.
Edit the config file.
Resolver Configuration
Configure your local resolver to query 127.0.0.1:53.
Done. Now you can try curl -L google.com.
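As an added example (not the post's own iptables.rules or unit files), the following POSIX shell script generates the nat rules and the systemd drop-in that the slice and iptables steps above describe. The redirect port 7892 is a placeholder, and it assumes cgroup v2 with an iptables build that has the cgroup match (--path).

```shell
#!/bin/sh
# Added example, not the post's own iptables.rules or unit files.
# Assumptions: the proxy accepts redirected TCP on REDIR_PORT (7892 is a
# placeholder), cgroup v2 is in use and iptables has the cgroup match (--path).
SLICE_NAME="${SLICE_NAME:-clash.slice}"   # slice name used in the post
REDIR_PORT="${REDIR_PORT:-7892}"          # assumed redirect port of the proxy

# Emit nat-table rules in iptables-restore format.
gen_rules() {
    cat <<EOF
*nat
:PROXY - [0:0]
# Packets from sockets inside the proxy slice (the proxy itself, stubby)
# are returned first, so redirected traffic never loops back to the proxy.
-A PROXY -m cgroup --path ${SLICE_NAME} -j RETURN
# Loopback, link-local, multicast and private ranges stay direct.
-A PROXY -d 127.0.0.0/8 -j RETURN
-A PROXY -d 10.0.0.0/8 -j RETURN
-A PROXY -d 169.254.0.0/16 -j RETURN
-A PROXY -d 172.16.0.0/12 -j RETURN
-A PROXY -d 192.168.0.0/16 -j RETURN
-A PROXY -d 224.0.0.0/4 -j RETURN
-A PROXY -d 240.0.0.0/4 -j RETURN
# Every other locally generated TCP connection is redirected to the proxy.
-A PROXY -p tcp -j REDIRECT --to-ports ${REDIR_PORT}
-A OUTPUT -p tcp -j PROXY
COMMIT
EOF
}

# Emit a systemd drop-in that moves a service (clash, stubby) into the slice.
gen_slice_dropin() {
    printf '[Service]\nSlice=%s\n' "${SLICE_NAME}"
}

# Write both files; the rules file is what iptables.service loads with
# "iptables-restore". Prints the rules path. Paths are arguments so the
# function can be tried on a scratch directory before touching /etc.
write_config() {
    rules="${1:?rules path}"
    dropin="${2:?drop-in path}"
    gen_rules > "$rules"
    gen_slice_dropin > "$dropin"
    echo "$rules"
}
```

Check the order of the generated chain: the cgroup RETURN must precede the REDIRECT, otherwise the proxy's (and stubby's) own connections would be redirected into the proxy again.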
Refs
- https://blog.outv.im/2020/cgroups-systemd-iptables-redir/
- https://wiki.archlinux.org/index.php/Stubby
Last Modified On Aug 22, 2025