2643de4 Jul 4, 2016
1 contributor

Users who have contributed to this file

96 lines (72 sloc) 2.01 KB



ss-nat - helper script to setup NAT rules for transparent proxy


ss-nat [-ouUfh] [-s <server_ip>] [-S <server_ip>] [-l <local_port>] [-L <local_port>] [-i <ip_list_file>] [-a <lan_ips>] [-b <wan_ips>] [-w <wan_ips>] [-e <extra_options>]


Shadowsocks-libev is a lightweight and secure socks5 proxy. It is a port of the original shadowsocks created by clowwindy. Shadowsocks-libev is written in pure C and takes advantage of libev to achieve both high performance and low resource consumption.

ss-nat(1) sets up NAT rules for ss-redir(1) to provide traffic redirection. It requires netfilter’s NAT module and iptables(8). For more information, check out shadowsocks-libev(8) and the following EXAMPLE section.


-s <server_ip>

IP address of shadowsocks remote server

-l <local_port>

Port number of shadowsocks local server

-S <server_ip>

IP address of shadowsocks remote UDP server

-L <local_port>

Port number of shadowsocks local UDP server

-i <ip_list_file>

a file whose content is bypassed ip list

-a <lan_ips>

LAN IP of access control, need a prefix to define access control mode

-b <wan_ips>

WAN IP of will be bypassed

-w <wan_ips>

WAN IP of will be forwarded

-e <extra_options>

Extra options for iptables


Apply the rules to the OUTPUT chain


Enable udprelay mode, TPROXY is required


Enable udprelay mode, using different IP and ports for TCP and UDP


Flush the rules


Show this help message and exit


ss-nat requires iptables(8). Here is an example:

# Enable NAT rules for shadowsocks,
# with both TCP and UDP redirection enabled,
# and applied for both PREROUTING and OUTPUT chains
root@Wrt:~# ss-nat -s -l 1080 -u -o

# Disable and flush all NAT rules for shadowsocks
root@Wrt:~# ss-nat -f


ss-local(1), ss-server(1), ss-tunnel(1), ss-manager(1), shadowsocks-libev(8), iptables(8), /etc/shadowsocks-libev/config.json