环境

Debian “testing” Vultr

ChangeLog

# 2017.04
* 升级到debian 9+ (stretch/testing)

# 2017.06
* squid 不再劫持流量,使用sstunel转发。
+ 使用gfwlist生成proxy.pac
+ 使用privoxy将socks5转化成http 

[========]

1. 安装

版本的选择

根据官方文档:Feature Comparison across Different Versions

  • go和node.js:已被抛弃,选择在python和libev中间。
  • python版支持的Multiple Users/Workers/Graceful Restart,更适合商业化运营。
  • libev资源占用低,适合个人使用

通过源安装Shadowsocks-libev

# Refresh the package index, then install shadowsocks-libev from the
# apt sources configured on this host.
apt update 
apt install shadowsocks-libev

2. 安全配置

以非root运行shadowsocks

开源程序,不怕后门,怕漏洞。新建低权限系统用户shadowsocks:

# Create an unprivileged system account for the daemon: no password,
# no login, and no home directory.
# NOTE(review): without --group, Debian's adduser should place a system
# user in nogroup, which matches the GROUP=nogroup setting used in the
# service file below. Confirm with `id shadowsocks`.
adduser --system --disabled-password --disabled-login --no-create-home shadowsocks

修改 /lib/systemd/system/shadowsocks-libev.service(注意:该文件会在软件包升级时被覆盖,运行用户可能被悄悄改回原值;更稳妥的做法是用 systemctl edit shadowsocks-libev 生成 drop-in 覆盖文件):

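# These two keys belong in the [Service] section.
# systemd directive names are case-sensitive: USER= / GROUP= are not
# recognised and are ignored with a warning, so the service would keep
# whatever user the packaged unit sets. The correct keys are User= / Group=.
# Verify after restarting: systemctl show -p User -p Group shadowsocks-libev
User=shadowsocks
Group=nogroup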

依次执行 systemctl daemon-reload 和 service shadowsocks-libev restart 使修改生效。

允许shadowsocks运行在1024以下端口

机房的网络往往有QOS,低位端口的优先级往往比高位端口的优先级高。

# libcap2-bin provides the setcap/getcap tools.
apt install libcap2-bin
# Give the ss-server binary CAP_NET_BIND_SERVICE (permitted + effective) so
# it can bind ports below 1024 without running as root.
# NOTE(review): a file capability applies to every user who can execute
# this binary, and it is lost whenever a package upgrade replaces the file.
# Re-check with `getcap /usr/bin/ss-server` after upgrades.
setcap 'cap_net_bind_service=+ep' /usr/bin/ss-server

禁止shadowsocks访问本地网络

禁止shadowsocks访问vps本地服务,避免shadowsocks成为防火墙的后门。缘起:v2ex的一个帖子

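# Egress policy for the shadowsocks account.
#
# Creates a chain named SHADOWSOCKS and hooks it into OUTPUT. Every rule is
# limited to packets owned by the shadowsocks user, so other local traffic
# passes through the chain untouched.
#
# NOTE(review): these rules are IPv4 only. If the host has IPv6 connectivity,
# the same restrictions need ip6tables equivalents (loopback, link-local and
# unique-local ranges); otherwise the proxy can still reach local services
# over IPv6.
iptables -N SHADOWSOCKS
iptables -A OUTPUT -j SHADOWSOCKS

# Allow replies on connections that are already established (the traffic
# ss-server sends back to its own clients).
iptables -A SHADOWSOCKS -m owner --uid-owner shadowsocks \
  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Refuse new connections to this host and to local/reserved networks.
# The target is REJECT, not RETURN: RETURN only hands the packet back to
# OUTPUT, where it is accepted unless a later OUTPUT rule or the chain policy
# drops it, so a RETURN rule by itself blocks nothing.
# 169.254.0.0/16 is link-local, where cloud metadata services commonly live.
# NOTE(review): if /etc/resolv.conf points at a resolver on 127.0.0.0/8, this
# also blocks the proxy's DNS lookups. Confirm the resolver address first.
for net in \
  127.0.0.0/8 \
  0.0.0.0/8 \
  10.0.0.0/8 \
  169.254.0.0/16 \
  172.16.0.0/12 \
  192.168.0.0/16 \
  224.0.0.0/4 \
  240.0.0.0/4; do
  iptables -A SHADOWSOCKS -m owner --uid-owner shadowsocks -d "$net" -j REJECT
done

# Refuse outbound SMTP so the proxy cannot be used to relay spam.
iptables -A SHADOWSOCKS -m owner --uid-owner shadowsocks -p tcp --dport 25 \
  -j REJECT --reject-with tcp-reset

# Rule order matters from here on: the first matching ACCEPT ends evaluation.
# Any additional destination blocks (this page goes on to append a
# per-country CIDR list to this chain) must be added ABOVE this point.
# Appended after the ACCEPT rules below, they are never reached for the
# traffic those rules match.

# Allow DNS, HTTP and HTTPS.
iptables -A SHADOWSOCKS -m owner --uid-owner shadowsocks -p udp --dport 53 -j ACCEPT
iptables -A SHADOWSOCKS -m owner --uid-owner shadowsocks -p tcp --dport 53 -j ACCEPT
iptables -A SHADOWSOCKS -m owner --uid-owner shadowsocks -p tcp --dport 80 -j ACCEPT
iptables -A SHADOWSOCKS -m owner --uid-owner shadowsocks -p tcp --dport 443 -j ACCEPT

# Final rule: choose exactly ONE of the two options. Running both leaves
# option B unreachable behind the catch-all ACCEPT.
#
# Option A: allow every other destination.
iptables -A SHADOWSOCKS -m owner --uid-owner shadowsocks -j ACCEPT
#
# Option B: refuse everything that was not explicitly allowed above
# (default-deny). To use it, skip option A and run these instead:
# iptables -A SHADOWSOCKS -m owner --uid-owner shadowsocks -p tcp -j REJECT --reject-with tcp-reset
# iptables -A SHADOWSOCKS -m owner --uid-owner shadowsocks -p udp -j REJECT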

阻止shadowsocks访问中国网站(注意:以下规则用 -A 追加在上文的 ACCEPT 规则之后,已被上文放行规则匹配的流量不会再走到这里;要让它们生效,需在添加上文的放行规则之前执行,或改用 -I 插入到放行规则之前)

iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  1.24.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  1.48.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  1.50.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  1.56.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  1.68.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  1.80.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  1.92.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  1.180.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  1.188.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  1.192.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  1.202.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  1.204.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  14.16.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  14.104.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  14.112.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  14.134.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  14.144.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  14.204.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  14.208.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  23.80.54.0/24 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  23.104.141.0/24 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  23.105.14.0/24 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  23.226.208.0/24 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  27.8.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  27.16.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  27.36.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  27.40.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  27.50.128.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  27.54.192.0/18 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  27.106.128.0/18 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  27.115.0.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  27.148.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  27.152.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  27.184.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  27.192.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  27.224.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  36.1.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  36.4.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  36.32.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  36.36.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  36.40.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  36.48.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  36.56.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  36.96.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  36.128.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  36.248.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  39.64.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  39.128.0.0/10 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  42.4.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  42.48.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  42.52.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  42.56.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  42.84.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  42.88.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  42.96.128.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  42.100.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  42.120.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  42.156.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  42.176.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  42.185.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  42.202.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  42.224.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  42.242.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  42.248.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  43.255.0.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  43.255.16.0/22 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  43.255.48.0/22 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  43.255.60.0/22 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  43.255.64.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  43.255.96.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  43.255.144.0/22 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  43.255.168.0/22 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  43.255.176.0/22 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  43.255.184.0/22 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  43.255.192.0/22 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  43.255.200.0/21 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  43.255.208.0/21 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  43.255.224.0/21 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  43.255.232.0/22 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  43.255.244.0/22 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  47.92.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  49.5.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  49.64.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  49.112.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  54.222.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.16.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.20.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.21.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.22.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.34.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.37.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.38.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.40.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.42.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.44.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.48.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.56.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.60.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.68.128.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.82.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.100.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.116.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.128.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.208.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.240.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  58.248.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  59.32.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  59.48.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  59.52.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  59.56.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  59.72.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  59.108.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  59.172.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  60.0.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  60.11.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  60.12.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  60.16.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  60.24.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  60.160.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  60.194.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  60.205.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  60.208.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  60.253.128.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.4.64.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.4.80.0/22 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.4.176.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.48.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.128.0.0/10 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.135.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.136.0.0/18 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.139.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.145.73.208/28 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.147.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.150.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.152.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.154.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.160.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.162.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.164.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.172.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.175.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.177.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.179.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.183.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.184.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.185.219.232/29 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.187.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.188.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.232.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.236.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  61.240.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  101.16.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  101.37.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  101.64.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  101.72.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  101.76.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  101.80.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  101.200.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  101.224.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  101.248.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  101.254.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  103.253.4.0/22 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  106.4.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  106.16.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  106.32.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  106.43.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  106.56.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  106.80.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  106.108.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  106.112.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  106.120.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  110.6.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  110.16.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  110.51.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  110.52.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  110.80.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  110.88.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  110.96.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  110.152.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  110.156.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  110.173.0.0/19 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  110.173.32.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  110.173.64.0/18 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  110.176.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  110.184.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  110.192.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  110.240.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  111.0.0.0/10 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  111.72.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  111.85.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  111.112.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  111.120.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  111.124.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  111.126.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  111.128.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  111.160.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  111.172.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  111.176.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  111.192.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  111.224.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  111.228.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  112.0.0.0/10 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  112.64.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  112.73.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  112.74.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  112.80.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  112.98.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  112.100.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  112.109.128.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  112.111.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  112.112.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  112.116.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  112.122.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  112.192.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  112.224.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.0.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.8.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.12.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.16.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.18.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.54.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.56.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.58.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.59.0.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.62.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.64.0.0/10 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.120.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.128.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.136.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.194.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.200.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.204.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.218.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.220.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.224.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.240.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  113.248.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  114.28.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  114.80.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  114.96.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  114.104.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  114.112.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  114.135.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  114.138.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  114.215.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  114.216.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  114.224.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  115.24.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  115.28.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  115.32.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  115.48.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  115.84.0.0/18 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  115.100.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  115.148.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  115.152.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  115.159.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  115.166.64.0/19 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  115.168.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  115.192.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  115.224.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.1.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.2.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.4.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.8.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.16.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.52.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.56.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.60.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.76.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.90.80.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.95.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.112.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.116.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.128.0.0/10 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.204.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.207.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.208.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.213.64.0/18 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.213.128.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.224.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.248.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  116.254.128.0/18 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  117.8.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  117.21.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  117.22.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  117.24.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  117.32.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  117.40.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  117.44.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  117.60.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  117.64.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  117.79.224.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  117.80.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  117.106.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  117.112.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  117.128.0.0/10 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  118.26.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  118.72.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  118.80.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  118.112.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  118.120.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  118.132.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  118.144.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  118.180.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  118.186.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  118.192.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  118.213.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  118.244.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  118.248.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.0.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.8.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.10.0.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.18.192.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.23.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.28.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.32.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.36.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.44.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.48.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.57.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.60.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.84.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.88.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.96.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.108.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.112.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.120.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.128.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.144.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.162.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.164.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.176.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.233.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  119.248.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  120.0.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  120.24.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  120.32.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  120.40.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  120.68.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  120.76.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  120.80.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  120.92.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  120.192.0.0/10 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  121.0.16.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  121.8.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  121.16.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  121.32.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  121.40.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  121.56.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  121.60.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  121.68.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  121.76.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  121.100.128.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  121.196.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  121.201.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  121.204.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  121.224.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  122.4.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  122.10.128.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  122.51.128.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  122.64.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  122.96.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  122.119.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  122.136.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  122.156.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  122.188.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  122.192.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  122.198.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  122.200.64.0/18 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  122.224.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  122.240.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.4.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.8.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.52.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.56.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.64.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.97.128.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.100.0.0/19 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.112.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.128.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.138.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.144.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.148.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.150.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.152.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.160.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.164.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.178.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.180.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.184.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.196.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.206.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.232.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.244.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  123.249.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.42.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.64.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.66.0.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.67.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.72.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.88.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.92.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.114.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.117.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.126.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.128.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.152.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.160.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.192.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.200.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.224.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.226.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.228.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.234.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.236.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.240.0.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.240.128.0/18 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  124.248.0.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  125.32.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  125.36.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  125.40.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  125.64.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  125.79.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  125.80.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  125.88.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  125.104.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  125.112.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  125.210.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  125.216.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  139.129.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  139.170.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  139.189.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  139.199.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  139.206.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  139.208.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  139.217.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  139.224.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  139.226.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  140.206.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  140.224.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  140.237.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  140.240.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  140.246.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  140.249.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  142.4.117.0/30 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  144.0.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  144.52.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  144.255.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  150.138.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  153.0.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  153.99.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  159.226.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  162.209.168.0/24 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  171.8.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  171.34.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  171.36.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  171.40.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  171.80.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  171.88.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  171.104.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  171.112.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  171.116.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  171.120.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  171.208.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.0.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.16.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.24.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.30.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.42.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.44.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.46.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.48.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.64.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.102.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.106.128.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.146.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.148.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.152.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.160.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.178.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.184.128.0/18 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.185.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.186.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  175.188.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  180.76.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  180.96.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  180.136.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  180.152.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  180.160.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  180.208.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  180.212.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  182.18.0.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  182.32.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  182.50.112.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  182.61.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  182.84.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  182.88.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  182.96.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  182.112.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  182.128.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  182.144.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  182.200.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  182.240.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  183.0.0.0/10 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  183.64.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  183.92.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  183.128.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  183.160.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  183.184.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  183.192.0.0/10 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  192.34.109.224/28 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  198.2.203.64/28 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  198.2.212.160/28 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  198.15.171.64/26 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  202.43.144.0/22 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  202.46.32.0/19 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  202.66.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  202.75.208.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  202.96.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  202.111.160.0/19 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  202.112.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  202.117.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  202.127.112.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  202.165.176.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  202.196.80.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  203.69.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  203.81.16.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  203.86.0.0/18 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  203.86.64.0/19 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  203.93.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  203.169.160.0/19 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  203.171.224.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  203.195.160.0/23 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  210.5.0.0/19 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  210.12.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  210.14.128.0/19 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  210.21.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  210.22.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  210.32.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  210.51.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  210.52.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  210.77.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  210.79.64.0/18 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  210.192.96.0/19 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  211.76.96.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  211.78.208.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  211.80.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  211.86.144.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  211.90.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  211.92.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  211.96.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  211.136.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  211.144.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  211.160.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  211.233.70.0/24 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  218.0.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  218.56.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  218.64.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  218.84.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  218.88.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  218.96.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  218.102.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  218.104.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  218.108.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  218.194.80.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  218.200.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  218.240.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  218.249.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  219.128.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  219.154.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  219.223.192.0/18 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  219.232.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  219.234.80.0/20 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  219.235.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  219.238.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  220.112.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  220.154.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  220.160.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  220.181.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  220.191.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  220.192.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  220.228.70.0/24 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  220.242.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  220.248.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  220.250.0.0/19 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  220.252.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.0.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.122.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.136.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.172.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.176.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.192.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.196.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.198.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.199.0.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.200.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.204.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.206.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.207.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.208.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.212.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.214.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.216.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.224.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.228.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  221.232.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  222.32.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  222.64.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  222.80.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  222.128.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  222.132.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  222.136.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  222.160.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  222.168.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  222.172.222.0/24 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  222.176.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  222.184.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  222.200.0.0/16 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  222.208.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  222.216.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  222.220.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  222.222.0.0/15 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  222.240.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  223.4.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  223.8.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  223.64.0.0/11 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  223.96.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  223.112.0.0/14 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  223.144.0.0/12 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  223.255.0.0/17 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -d  223.240.0.0/13 -j REJECT 
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p udp --dport 53 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp --dport 53 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp --dport 80 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -p tcp --dport 443 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A SHADOWSOCKS -j RETURN

3. 速度优化

使用Squid

注意:

  • 20170602更新,不再使用粗暴方式劫持
  • 20170602更新,更新到debian stretch。
  • 客户端需要使用ss-tunnel
# Install Squid from the distribution repository.
apt install squid
# Work inside Squid's configuration directory.
cd /etc/squid
# Keep the packaged configuration as squid.conf.old instead of deleting it,
# so a fresh squid.conf can be written and the original restored if needed.
mv squid.conf squid.conf.old

编辑配置文件/etc/squid/squid.conf

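# Listen on 127.0.0.1:3128 only; the proxy is not exposed on external interfaces.
http_port 127.0.0.1:3128

# Access control (replaces a blanket "http_access allow all").
# The SHADOWSOCKS iptables chain matches on "--uid-owner shadowsocks" only, so
# connections that Squid itself opens are not filtered by it
# (NOTE(review): confirm which user Squid runs as on this host). With
# "allow all", anyone using the tunnel could reach loopback and private
# addresses through the proxy. The destinations below are the same IPv4 ranges
# the SHADOWSOCKS chain lists, and the port list mirrors its 80/443 rules.
# IPv6 destinations are not covered here; add equivalents if the host has IPv6.
acl blocked_dst dst 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
acl web_ports port 80 443
http_access deny blocked_dst
http_access deny !web_ports
# Only requests arriving from the local machine are served; everything else is refused.
http_access allow localhost
http_access deny all

# 64 MB memory cache and a 2000 MB on-disk cache; adjust as needed.
cache_mem 64 MB
cache_dir ufs /var/spool/squid 2000 16 256
# Discard cache.log, Squid's diagnostic log. No access_log directive is set in
# this file, so request logging stays at Squid's default
# (NOTE(review): check that this matches the intended "no logs" policy).
cache_log /dev/null
# Cache tuning parameters.
maximum_object_size 4096 KB
maximum_object_size_in_memory 64 KB
# NOTE(review): newer Squid releases report hierarchy_stoplist as obsolete;
# confirm against the installed version.
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# Never serve dynamic content (cgi-bin paths or URLs with a query string) from cache.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
# Cache common static file types longer; ignore-reload makes Squid disregard
# a client's reload/no-cache request for these objects.
refresh_pattern \.(jpg|png|gif|mp3|xml|html|htm|css|js) 1440 50% 2880 ignore-reload
refresh_pattern . 0 20% 4320


# Hide the proxy from origin servers: no Via header, no client address in X-Forwarded-For.
via off
forwarded_for off

# Strip these headers from forwarded requests.
# NOTE(review): Server, WWW-Authenticate, X-Cache and X-Cache-Lookup normally
# appear in responses, so those lines likely have no effect on requests.
# Removing Cache-Control and Pragma also drops the client's own caching
# directives before they reach the origin server.
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all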

配置iptables

# Allow the shadowsocks user to reach the local Squid listener on TCP port 3128.
# "-I SHADOWSOCKS 2" inserts the rule at position 2: directly after the chain's
# first rule (ESTABLISHED,RELATED) and ahead of the 127.0.0.0/8 rule that was
# appended after it, so this ACCEPT is evaluated before the loopback rule.
# The match is limited to TCP/3128; other loopback ports are not opened by it.
iptables -t filter -m owner --uid-owner shadowsocks -I SHADOWSOCKS 2 -p tcp -d 127.0.0.0/8 --dport 3128 -j ACCEPT

本地配置:

修改 /lib/systemd/system/shadowsocks-libev.service
将下面第一行替换为第二行:
ExecStart=/usr/bin/ss-server -c $CONFFILE $DAEMON_ARGS

ExecStart=/usr/bin/ss-tunnel -c $CONFFILE $DAEMON_ARGS

使用单边TCP优化工具

使用Google BBR

编辑/etc/sysctl.d/local.conf

# ---- File descriptors ----
# System-wide ceiling on open file handles.
fs.file-max = 51200

# ---- Core socket buffers and queues ----
# Default and maximum receive buffer sizes, in bytes.
net.core.rmem_default = 65536
net.core.rmem_max = 67108864
# Default and maximum send buffer sizes, in bytes.
net.core.wmem_default = 65536
net.core.wmem_max = 67108864
# Packets queued on the input side before the kernel starts dropping them.
net.core.netdev_max_backlog = 4096
# Upper bound on a listening socket's accept backlog.
net.core.somaxconn = 4096

# ---- TCP buffers (min, default, max; bytes) ----
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864

# ---- Connection setup ----
# Answer with SYN cookies when the SYN queue overflows (SYN-flood resistance).
net.ipv4.tcp_syncookies = 1
# Length of the queue of half-open connections.
net.ipv4.tcp_max_syn_backlog = 4096
# TCP Fast Open for both outgoing (1) and incoming (2) connections.
net.ipv4.tcp_fastopen = 3
# Local port range used for outbound connections.
net.ipv4.ip_local_port_range = 10000 65000

# ---- Connection teardown and idle handling ----
# Allow TIME-WAIT sockets to be reused for new outbound connections when safe.
net.ipv4.tcp_tw_reuse = 1
# Keep fast TIME-WAIT recycling off.
# NOTE(review): newer kernels no longer have this key and sysctl reports it as
# unknown there; confirm against the running kernel.
net.ipv4.tcp_tw_recycle = 0
# Cap on the number of TIME-WAIT sockets held at once.
net.ipv4.tcp_max_tw_buckets = 5000
# Seconds an orphaned connection may stay in FIN-WAIT-2.
net.ipv4.tcp_fin_timeout = 30
# Idle seconds before keepalive probes begin.
net.ipv4.tcp_keepalive_time = 1200

# ---- Path MTU ----
# Value 1: start MTU probing only after a black hole is detected.
net.ipv4.tcp_mtu_probing = 1

# ---- Congestion control ----
# BBR congestion control, paired with the fq queueing discipline.
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

编辑完成后执行 `sysctl --system` 使其生效,并用 `sysctl net.ipv4.tcp_available_congestion_control` 和 `lsmod | grep bbr` 命令测试:

# sysctl net.ipv4.tcp_available_congestion_control
net.ipv4.tcp_available_congestion_control = bbr hybla cubic reno
# lsmod | grep bbr
tcp_bbr                20480  45 

4. 加强混淆

注意,这些方法未必真的有效,毕竟gfw也不是开源的。

使用随机端口

注意:

  • 随机端口并不能提高SS对gfw认证的免疫能力。
  • 仅针对路由器内的SS生效,对局域网无效。

监听在23,将4000-4999端口的流量转发到23端口。

# Redirect inbound TCP and UDP traffic addressed to ports 4000-4999 to local port 23.
# The rules carry no source-address match, so they apply to traffic from any host.
# They are runtime rules only: nothing in these two commands saves them across a reboot.
iptables -t nat -A PREROUTING -p tcp -m multiport --dport 4000:4999 -j REDIRECT --to-ports 23
iptables -t nat -A PREROUTING -p udp -m multiport --dport 4000:4999 -j REDIRECT --to-ports 23

在基于openwrt的路由器上

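# Append two DNAT rules to /etc/firewall.user so that the router's own traffic
# to the VPS on port 23 is rewritten to a random port in 4000-4999.
# Replace every 【VPS IP】 placeholder with the server address before running.
# ">>" appends: running these lines again adds duplicate rules, so check
# /etc/firewall.user first if the step is repeated.
echo "iptables -t nat -I OUTPUT 1 -d 【VPS IP】 -p tcp --dport 23 -j DNAT --to-destination 【VPS IP】:4000-4999 --random" >>/etc/firewall.user
# The UDP rule needs a space between --to-destination and the address; without
# it the option and its value fuse into one unrecognised argument.
echo "iptables -t nat -I OUTPUT 1 -d 【VPS IP】 -p udp --dport 23 -j DNAT --to-destination 【VPS IP】:4000-4999 --random" >>/etc/firewall.user
# Reboot the router so the appended rules are loaded.
reboot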

5. 客户端本地

使用privoxy将socks转化为http代理

安装privoxy

# Install Privoxy from the distribution repository (client machine).
apt install privoxy

修改配置文件

# Work inside Privoxy's configuration directory.
cd /etc/privoxy/
# Keep the packaged configuration as config.bak so it can be restored.
mv config config.bak
# Start from an empty config file; its contents are written in the next step.
touch config

编辑/etc/privoxy/config

# Accept proxy requests on loopback only, port 8118.
listen-address 127.0.0.1:8118
# Directories for configuration files and logs.
confdir /etc/privoxy
logdir /var/log/privoxy
# Action and filter files, resolved relative to confdir.
actionsfile default.action
actionsfile user.action
filterfile default.filter
# Log file name, relative to logdir.
logfile logfile
# Send every request ("/" matches all URLs) to the SOCKS5 proxy at
# 127.0.0.1:1080; the trailing "." means no further HTTP parent proxy.
forward-socks5 / 127.0.0.1:1080 .
# Log the startup banner and warnings (4096) and non-fatal errors (8192).
debug   4096
debug   8192
# Start with filtering toggled on.
toggle  1
# Keep the web-based toggle and action-editing features disabled.
enable-remote-toggle 0
enable-edit-actions 0
enable-remote-http-toggle 0
# Maximum size of the content-filtering buffer, in KB.
buffer-limit 4096

重启privoxy

# Restart Privoxy so that it loads the edited /etc/privoxy/config.
/etc/init.d/privoxy restart

使用gfwlist

安装genpac

(venv) $ pip2 install genpac

生成socks5 proxy的pac:

# Generate a compressed proxy.pac whose proxy entry is the local SOCKS5
# listener at 127.0.0.1:1080.
# NOTE(review): presumably genpac fetches the rule list over the network at
# run time; verify where it is fetched from before trusting the output.
genpac  --pac-proxy="SOCKS5 127.0.0.1:1080"  --pac-compress -o proxy.pac

生成http proxy的pac:

# Generate a compressed proxy.pac whose proxy entry is the local HTTP proxy
# at 127.0.0.1:8118 (the Privoxy listen address configured earlier on this page).
# The output name is proxy.pac, the same as for the SOCKS5 variant, so running
# both commands in one directory leaves only the later file.
genpac --pac-proxy="PROXY 127.0.0.1:8118"  --pac-compress -o proxy.pac