Installation
Grab a VPS dual stack IPv4/IPv6 with Debian 10.
Install docker
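# Install Docker Engine from Docker's own apt repository. Run as root.
# Refresh the package index first, and install curl explicitly: the next step
# needs it and a minimal Debian image may not ship it.
apt-get update && apt-get -y install apt-transport-https ca-certificates curl gnupg lsb-release

# Fetch Docker's signing key over HTTPS into a dedicated keyring. Together with
# "signed-by" below, the key is trusted for this one repository only, not for
# every apt source on the machine. Compare the key's fingerprint with the one
# published in Docker's installation documentation before trusting it.
# The host is Debian, so use the linux/debian repository: $(lsb_release -cs)
# prints a Debian codename, which the linux/ubuntu repository does not carry.
curl -fsSL https://download.docker.com/linux/debian/gpg \
  | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

# Register the repository. The architecture is taken from dpkg instead of
# being hard-coded, so the same line works on non-amd64 hosts.
printf 'deb [arch=%s signed-by=%s] https://download.docker.com/linux/debian %s stable\n' \
  "$(dpkg --print-architecture)" \
  /usr/share/keyrings/docker-archive-keyring.gpg \
  "$(lsb_release -cs)" > /etc/apt/sources.list.d/docker.list

apt-get update && apt-get -y install docker-ce docker-ce-cli containerd.io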
Setup docker
Source: https://hub.docker.com/r/teddysun/shadowsocks-rust
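# Create the directory that is later bind-mounted into the container.
# -p plus the absolute path make this work from any working directory and on
# re-runs; the original relative "mkdir vpn/shadowsocks-rust" fails unless
# ./vpn already exists and the shell happens to be in /root.
mkdir -p /root/vpn/shadowsocks-rust && cd /root/vpn/shadowsocks-rust

# Generate a random secret instead of a guessable placeholder: this password is
# the only thing that authenticates clients to the server, and the port is
# reachable from the whole internet. 32 random bytes encode to a single base64
# line containing no quotes or backslashes, so it is safe inside a JSON string.
# Re-running this block creates a new password; read the current one back from
# config.json when configuring clients.
ss_password=$(head -c 32 /dev/urandom | base64)

# The EOF delimiter is deliberately unquoted so ${ss_password} expands.
cat > config.json <<EOF
{
"server":"0.0.0.0",
"server_port":9000,
"password":"${ss_password}",
"timeout":300,
"method":"aes-256-gcm",
"nameserver":"94.140.14.14",
"mode":"tcp_and_udp"
}
EOF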
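# Save the command below as start.sh and make it executable (chmod +x start.sh).
# Publishes TCP and UDP port 9000 and restarts the container automatically.
# The config directory is mounted read-only (:ro): the server only has to read
# config.json, so a compromised container cannot rewrite it. Drop ":ro" if the
# image turns out to need write access to that directory.
# NOTE(review): ":alpine" is a mutable tag, so a later pull can silently bring
# different code. For a reproducible deployment pin the image by digest, e.g.
# teddysun/shadowsocks-rust@sha256:<digest-you-verified>.
docker run -d \
  -p 9000:9000 \
  -p 9000:9000/udp \
  --name ss-rust \
  --restart=always \
  -v /root/vpn/shadowsocks-rust:/etc/shadowsocks-rust:ro \
  teddysun/shadowsocks-rust:alpine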
Setup iptables firewall
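# iptables-restore rules for the IPv4 firewall.
# For ip6tables-restore use a copy of this file in which the "-p icmp" rule is
# replaced by "-p ipv6-icmp": IPv6 needs ICMPv6 for neighbour discovery and
# loses connectivity under a default-deny INPUT policy without it.
# NOTE(review): loading this file replaces the current contents of the filter
# and nat tables, including rules the Docker daemon added itself. Restart Docker
# afterwards so it can re-create its own rules - confirm on your host.
*filter
# Default-deny for traffic addressed to the host itself. The original policy
# was ACCEPT and the first INPUT rule accepted every packet, so none of the
# later INPUT rules were ever reached and nothing was filtered.
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
# Loopback traffic and replies to connections the host opened itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ICMP (path-MTU discovery, ping). Use "-p ipv6-icmp" in the IPv6 copy.
-A INPUT -p icmp -j ACCEPT
# SSH management access. Change 22 to the port your sshd listens on BEFORE
# loading the rules, otherwise the DROP policy locks you out of the VPS.
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Shadowsocks server port, TCP and UDP.
-A INPUT -p udp -m udp --dport 9000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT
# Forwarding rules for the docker0 bridge, unchanged.
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
# Only port 9000 may be forwarded into containers.
-A DOCKER -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -p udp -m udp --dport 9000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
# NOTE(review): the DROP below is disabled, so DOCKER-ISOLATION-STAGE-2 drops
# nothing and only returns. That looks harmless while docker0 is the only
# bridge network; re-enable it if more Docker networks are added.
#-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
# DOCKER-USER is the place for site-specific restrictions on container
# traffic; it is empty here.
-A DOCKER-USER -j RETURN
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# NOTE(review): these rules masquerade every outgoing TCP and UDP packet; they
# carry no source-address or interface match, so they are not limited to
# container traffic. Consider narrowing them to the container subnet.
-A POSTROUTING -p tcp -m tcp -j MASQUERADE
-A POSTROUTING -p udp -m udp -j MASQUERADE
COMMIT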
Setup IPv6 for docker
# IPv6
# Open (or create) the Docker daemon configuration. The file holds one JSON
# object, so merge the two keys below into any settings that are already there.
nano /etc/docker/daemon.json
# Edit
# NOTE(review): 2001:db8::/32 is the IPv6 documentation prefix (RFC 3849), not
# address space routed to this VPS. Containers can presumably reach the
# internet from it only if the MASQUERADE rules from the firewall section are
# also loaded into ip6tables. Prefer a prefix assigned to you by the provider,
# or a ULA range (fd00::/8) if you keep the NAT - confirm for your setup.
{
"ipv6": true,
"fixed-cidr-v6": "2001:db8:1::/64"
}
# Restart docker
# The IPv6 settings take effect only after the daemon restarts. The restart
# also stops the running containers (unless live-restore is configured);
# ss-rust comes back by itself because it was started with --restart=always.
service docker restart