# Updated on October 9, 2023
- Added IPV6 settings
UDP Throttling#
The three major carriers clearly block or throttle UDP traffic, or at least apply QoS limits to it. At first I thought Southern Unicom was more tolerant, but it turns out they are all the same. What I ran into was outright blocking: after roughly three minutes of continuous downloading or sustained high traffic the connection is cut, and it recovers a few minutes later. These restrictions usually target an individual port, which is exactly what makes port hopping useful: if the client keeps moving to fresh ports within a range, a block or throttle applied to the port it was just using stops mattering. This article covers how to set up Hysteria 2 port hopping to counter carrier blocking and throttling.
Setting up Hysteria 2#
For the setup of Hysteria2 nodes, you can refer to the previous issue of "Hysteria2 & VLESS-gRPC-uTLS-REALITY Comparison Test".
Implementing Port Hopping with Iptables#
According to the Hysteria documentation, the Hysteria server cannot listen on multiple ports at the same time, so the port-range address format the client accepts (for example host:20000-50000) cannot be used as the server's listening address. The recommended approach is to DNAT the whole range to the server's single listening port with iptables. [Source]
The following example demonstrates port hopping on my Hysteria 2 server: Hysteria listens on UDP port 5353, and the client hops across UDP ports 20000-50000, each of which the server forwards to 5353.
Install iptables-persistent#
apt install iptables-persistent
Answer Yes to both prompts (they ask whether to save the current IPv4 and IPv6 rules).
IPV4 Settings#
Clear default rules and add custom rules#
iptables -F
iptables -X
Allow local access#
iptables -A INPUT -i lo -j ACCEPT
Open SSH port (default 22)#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Open HTTP / HTTPS ports#
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Open UDP port (replace 5353 with your Hysteria listening port)#
iptables -A INPUT -p udp --dport 5353 -j ACCEPT
Open UDP port hopping range (port range 20000-50000)#
iptables -A INPUT -p udp --dport 20000:50000 -j ACCEPT
This rule is harmless but not actually required: the DNAT rule added below lives in the nat table's PREROUTING chain, which runs before the filter table's INPUT chain, so a hopped packet already carries destination port 5353 when INPUT evaluates it, and the rule above accepts it.
Allow replies and related packets for connections already accepted#
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
(-m conntrack --ctstate RELATED,ESTABLISHED is the modern spelling of the same match. This rule is usually placed first in the chain so that packets of established flows are accepted without walking every per-port rule.)
Block all other incoming traffic#
iptables -P INPUT DROP
Set the DROP policy only after the SSH ACCEPT rule above is in place. With a DROP policy and no rule for port 22, the next packet of your own SSH session is dropped and you are locked out of the server.
Allow all outgoing traffic#
iptables -P OUTPUT ACCEPT
View open ports#
iptables -nL --line-numbers
(-n prints addresses and ports numerically instead of doing reverse DNS lookups; the line numbers are what -D uses later.)
Add NAT rule [Recommended reference]#
Redirect UDP packets with destination ports between 20000 and 50000 to port 5353 on the local server. DNAT is evaluated for the first packet of each flow only; conntrack then applies the same translation to the remaining packets in both directions, so replies leave from the port the client originally sent to.
iptables -t nat -A PREROUTING -p udp --dport 20000:50000 -j DNAT --to-destination :5353
View NAT rules#
iptables -t nat -nL --line-numbers
IPV6 Settings#
Clear default rules and add custom rules#
ip6tables -F
ip6tables -X
Allow local access#
ip6tables -A INPUT -i lo -j ACCEPT
Open SSH port (default 22)#
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
Open HTTP / HTTPS ports#
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
Open UDP port (replace 5353 with your Hysteria listening port)#
ip6tables -A INPUT -p udp --dport 5353 -j ACCEPT
Open UDP port hopping range (port range 20000-50000)#
ip6tables -A INPUT -p udp --dport 20000:50000 -j ACCEPT
As with IPv4, this rule is redundant but harmless: DNAT in PREROUTING rewrites the destination port to 5353 before INPUT sees the packet.
Allow incoming data after accepting local requests#
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Block all other incoming traffic#
ip6tables -P INPUT DROP
Again, only after the SSH rule above is in place; if your SSH session arrives over IPv6, this is where you would otherwise lock yourself out.
Allow all outgoing traffic#
ip6tables -P OUTPUT ACCEPT
View open ports#
ip6tables -nL --line-numbers
Add NAT rule [Recommended reference]#
Redirect UDP packets with destination ports between 20000 and 50000 to port 5353 on the local server
ip6tables -t nat -A PREROUTING -p udp --dport 20000:50000 -j DNAT --to-destination :5353
View NAT rules#
ip6tables -t nat -nL --line-numbers
Save iptables rules#
netfilter-persistent save
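The manual rule lists above are easy to apply in the wrong order. The following script is an added example (not from the original post or the Hysteria project): it builds the complete rule set for one address family as text, so it can be reviewed before anything is executed, and it bakes in the two ordering checks that matter (the INPUT policy is opened before the chains are flushed and only set to DROP after the SSH rule exists). It deliberately omits the INPUT rule for the hop range, since DNAT in PREROUTING has already rewritten the destination port by the time INPUT runs. It assumes SSH on tcp/22 and keeps 80/443 open as the post does; `hop_apply` needs root.

```shell
#!/bin/sh
# Added example, not from the original post or the Hysteria project: build the
# port-hopping rule set for one address family as text, review it, then apply.
# Assumptions: SSH on tcp/22, HTTP/HTTPS kept open as in the post, DNAT in
# nat/PREROUTING as in the post.

# is_port N -> 0 if N is an integer in 1..65535
is_port() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_ports LISTEN LOW HIGH -> 0 if all three are ports and LOW < HIGH
validate_ports() {
  for p in "$@"; do
    is_port "$p" || { echo "invalid port: $p" >&2; return 1; }
  done
  [ "$2" -lt "$3" ] || { echo "hop range must be low < high, got $2-$3" >&2; return 1; }
}

# hop_rules FAMILY LISTEN LOW HIGH -> prints the iptables/ip6tables commands
# for FAMILY (4 or 6). Nothing is executed here; comment lines start with '#'.
hop_rules() {
  fam=$1; lport=$2; lo=$3; hi=$4
  case $fam in
    4) ipt=iptables ;;
    6) ipt=ip6tables ;;
    *) echo "family must be 4 or 6" >&2; return 1 ;;
  esac
  validate_ports "$lport" "$lo" "$hi" || return 1
  cat <<EOF
# Open the policy before flushing: if the chain is emptied while its policy is
# still DROP, the packets of your own SSH session are dropped in the gap.
$ipt -P INPUT ACCEPT
$ipt -F
$ipt -X
$ipt -t nat -F
# Established flows first, so they never walk the per-port rules below.
$ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 443 -j ACCEPT
$ipt -A INPUT -p udp --dport $lport -j ACCEPT
# No INPUT rule for $lo:$hi is needed: DNAT runs in nat/PREROUTING, before
# filter/INPUT, so hopped packets reach INPUT with destination port $lport.
$ipt -t nat -A PREROUTING -p udp --dport $lo:$hi -j DNAT --to-destination :$lport
# Default-deny only now, after the SSH accept rule is in place.
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
EOF
}

# hop_apply FAMILY LISTEN LOW HIGH -> runs the generated commands (needs root);
# refuses to run anything if the parameters do not validate.
hop_apply() {
  rules=$(hop_rules "$@") || return 1
  printf '%s\n' "$rules" | grep -v '^#' | sh -e
}

# Usage with the post's ports (review first, then apply both families and save):
#   hop_rules 4 5353 20000 50000
#   hop_apply 4 5353 20000 50000 && hop_apply 6 5353 20000 50000 && netfilter-persistent save
```

Because `hop_rules` only prints, you can diff its output against `iptables -S` and `iptables -t nat -S` on a running host to spot drift before re-applying, which is safer than re-typing the list from the post each time.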
If you make a mistake, you can use the following commands to delete iptables rules (use ip6tables in the same way for the IPv6 tables).
Delete iptables rules#
Delete a specific NAT rule by the line number shown by iptables -t nat -nL --line-numbers:
iptables -t nat -D PREROUTING <line number>
Delete all NAT rules:
iptables -t nat -F
# Delete all rules in the filter table
sudo ip6tables -F
# Delete all rules in the INPUT chain
sudo ip6tables -F INPUT
# Delete the first rule in the INPUT chain
sudo ip6tables -D INPUT 1
iptables has no notion of disabling a rule: to switch one off, delete it with -D, or insert a more specific rule above it. Do not run ip6tables -I INPUT 1 -j DROP for that purpose; an unconditional DROP at position 1 matches every packet and cuts off all inbound traffic, including your SSH session. Also remember that flushing INPUT while its policy is DROP removes the very rules that were letting you in; run iptables -P INPUT ACCEPT first if you want to start over.
Server Configuration File#
Domain Name Version#
cat << 'EOF' > /etc/hysteria/config.yaml
listen: :5353 # Listening port
# Use a CA-issued certificate obtained via ACME
acme:
  domains:
    - www.igeekbb.com # Your domain name; it must already resolve to the server IP
  email: [email protected]
# Use a self-signed certificate instead
# tls:
#   cert: /etc/hysteria/server.crt
#   key: /etc/hysteria/server.key
auth:
  type: password
  password: 123456 # Replace with a long random password; 123456 is only a placeholder
masquerade:
  type: proxy
  proxy:
    url: https://bing.com # Masquerade URL
    rewriteHost: true
EOF
Self-Signed Certificate Version#
Generate self-signed certificate#
openssl req -x509 -nodes -newkey ec:<(openssl ecparam -name prime256v1) \
  -keyout /etc/hysteria/server.key -out /etc/hysteria/server.crt \
  -subj "/CN=bing.com" -days 36500 \
  && sudo chown hysteria /etc/hysteria/server.key /etc/hysteria/server.crt
The <( ) process substitution requires bash. The CN is set to the masquerade site so the certificate is consistent with what a probing client would see. Because no CA signs this certificate, the client cannot validate it the normal way: it must either pin the certificate's SHA-256 fingerprint (tls.pinSHA256 in the client config) or disable verification with tls.insecure: true. Pinning is the safer choice, since an insecure client will happily complete the handshake with anyone who intercepts the connection.
cat << 'EOF' > /etc/hysteria/config.yaml
listen: :5353 # Listening port
# Use a CA-issued certificate obtained via ACME
# acme:
#   domains:
#     - www.igeekbb.com # Your domain name; it must already resolve to the server IP
#   email: [email protected]
# Use a self-signed certificate
tls:
  cert: /etc/hysteria/server.crt
  key: /etc/hysteria/server.key
auth:
  type: password
  password: 123456 # Replace with a long random password; 123456 is only a placeholder
masquerade:
  type: proxy
  proxy:
    url: https://bing.com # Masquerade URL
    rewriteHost: true
EOF
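To use the self-signed certificate without turning off verification on the client, the client needs the certificate's SHA-256 fingerprint. The following is an added example (not from the original post or the Hysteria project): it generates the same kind of P-256 self-signed certificate as the command above, prints the fingerprint in the colon-separated form that `openssl x509 -fingerprint -sha256` emits and Hysteria's `pinSHA256` accepts, and produces the matching client-side `tls` block. The key and certificate paths are parameters, so it can be run in a scratch directory; `openssl` is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post or the Hysteria project: generate
# a self-signed P-256 certificate, derive the SHA-256 fingerprint a Hysteria 2
# client can pin with tls.pinSHA256, and emit the client tls block.
# Assumptions: openssl on PATH; KEY/CERT paths are supplied by the caller.

# gen_selfsigned KEY CERT [CN] -> writes an unencrypted P-256 private key and a
# self-signed certificate for CN (default bing.com, matching the masquerade).
gen_selfsigned() {
  key=$1; cert=$2; cn=${3:-bing.com}
  openssl ecparam -name prime256v1 -genkey -noout -out "$key" || return 1
  openssl req -x509 -new -key "$key" -out "$cert" -subj "/CN=$cn" -days 36500 || return 1
  chmod 600 "$key"   # the private key must not be readable by other users
}

# cert_pin CERT -> prints the colon-separated SHA-256 fingerprint of CERT
# (uppercase hex; Hysteria compares pins case-insensitively).
cert_pin() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# pin_matches CERT PIN -> 0 if PIN is CERT's fingerprint, ignoring case
pin_matches() {
  want=$(cert_pin "$1" | tr 'a-f' 'A-F')
  got=$(printf '%s' "$2" | tr 'a-f' 'A-F')
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# client_tls_yaml PIN [SNI] -> the client-side tls block for a self-signed
# server certificate: verification stays on, trust is pinned to one cert.
client_tls_yaml() {
  printf 'tls:\n  sni: %s\n  insecure: false\n  pinSHA256: %s\n' "${2:-bing.com}" "$1"
}

# Usage on the server, with the paths from the post:
#   gen_selfsigned /etc/hysteria/server.key /etc/hysteria/server.crt
#   cert_pin /etc/hysteria/server.crt        # paste this value into the client's pinSHA256
#   client_tls_yaml "$(cert_pin /etc/hysteria/server.crt)"
```

Regenerating the certificate (for example by re-running the openssl command above) produces a new key and therefore a new fingerprint; every client's pin must be updated at the same time, or their handshakes will fail, which is the correct failure mode for a pin.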
Here is an example of how to fill in the PassWall client.
The following are the steps to uninstall iptables.
Uninstall Iptables#
1. Reset policies and flush the rules#
Do this first, and in this order: if the ACCEPT rules are removed while the INPUT policy is still DROP, you lock yourself out. Flushing also has to happen before the package is removed, since removing it takes the iptables binary with it.
sudo iptables -P INPUT ACCEPT
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
Repeat the same four commands with ip6tables for IPv6.
2. Stop and disable the rule-restore service#
On Debian/Ubuntu with iptables-persistent the unit is netfilter-persistent; there is no iptables.service:
sudo systemctl disable --now netfilter-persistent
On CentOS with iptables-services the unit is named iptables:
sudo systemctl disable --now iptables
3. Uninstall the iptables package#
For Debian systems#
sudo apt-get remove iptables iptables-persistent
For CentOS systems#
sudo yum remove iptables
4. Delete the saved rule files#
sudo rm -r /etc/iptables/
References: https://github.com/TinrLin/sing-box_-tutorial/tree/main/Hysteria2