[Feature Request] 限制入站源 IP

[BrandonStudio]

我希望开启一个 只允许本机访问 的 socks 入站。

通常，这是通过只监听 127.0.0.1 来实现的。
但是，我希望在本机运行的 docker 容器和其它 VM 也可以访问该 socks 服务，因此，该服务必须监听本机的局域网 IP 地址之一（例如 192.168.1.2）。
这引发一个安全性问题，即，所有局域网设备都可以访问该服务。

是否可以增加一个配置选项，限制入站的源 IP 只能是本机（192.168.1.2）而不能是局域网中的其它设备（如 192.168.1.3）？

[mmmray]

If you run ip addr, you should find a network device docker0 and an IP address. On my machine this IP is 172.19.0.1. This IP is reachable to docker containers but not the host's LAN.

On MacOS and Windows those may be under the name host.docker.internal

[BrandonStudio]

You can do that in normal docker, but not in rootless docker.

Rootless docker uses slirp4netns to virtualize network. When using ip addr externally, only physical (eth, wifi, eno, etc.) and lo (loopback) adapters are shown.

[BrandonStudio]

I would like to set a system-wide xray service that can be accessed by rootless docker engines of all users.

[TrajanBenn]

奇怪的场景，限制IP访问应该设置防火墙(IPtables、UFW或者Windows自带的防火墙)，Xray的设置应该监听0.0.0.0

[BrandonStudio]

idiot me...

[TrajanBenn]

Docker的话还是用虚拟机装个OpenWRT运行透明代理吧，防火墙设置在OpenWRT上

[flowerinsnowdh]

1. 防火墙，可以直接从网络层隔绝
2. 配置分流路由，例如下

{
    "rules": [
        {
            "type": "field",
            "inboundTag": [
                "in-socks"
            ],
            "source": [
                // 允许的 IP 列表
                "127.0.0.1",
                "::1",
                "192.168.1.2"
            ],
            "outboundTag": "out-source-split" // 使其回到路由执行其他判断
        },
        {
            // 来自其他来源的 socks 代理请求
            "type": "field",
            "inboundTag": [
                "in-socks"
            ],
            "outboundTag": "out-block" // 拒绝访问
        },
        {
            // ...... 其他路由
            "type": "field",
            "inboundTag": [
                "in-source-split"
            ],
            "ip": [
                "geoip:private"
            ],
            "outboundTag": "out-direct"
        }
        // ...... 其他路由
    ]
}

{
    "outbounds": [
        {
            "protocol": "freedom",
            "tag": "out-direct"
        },
        {
            "protocol": "blackhole",
            "tag": "out-block"
        },
        {
            "protocol": "loopback",
            "tag": "out-source-split",
            "inboundTag": "in-source-split"
        }
    ]
}

入站监听 IP 应该是 0.0.0.0 或 :: 而非 127.0.0.1

[BrandonStudio]

BTW, You may want to use jsonc or json5 instead of json to avoid syntax errors

[flowerinsnowdh]

Thank you, edited.

I used to think that GitHub didn't support jsonc for code blocks.