Complete setup of Shadowsocks (2)
Security and optimization

This post was auto converted and may contain formatting errors.

This is the continuation of the last post and covers security hardening and performance optimizations.

Security

Use iptables to allow only the ports the server actually needs. The allow rules are added before the default policy is switched to DROP, so an SSH session running these commands is not cut off, but check that port 22 (or whichever port sshd listens on) is in the list first:

# Delete all rules
iptables --flush
iptables --delete-chain
iptables --table mangle --flush
iptables --table mangle --delete-chain

# Allow loopback. ss-manager listens on 127.0.0.1 (see --manager-address below);
# without this rule the DROP policy would also block that local traffic.
iptables --append INPUT --in-interface lo -j ACCEPT

# Allow packets belonging to connections that were already accepted, and replies
# to connections the server itself opened
iptables --append INPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT

# Allow SSH, HTTP, HTTPS
iptables --append INPUT --protocol tcp --dport 22 -j ACCEPT
iptables --append INPUT --protocol tcp --dport 80 -j ACCEPT
iptables --append INPUT --protocol tcp --dport 443 -j ACCEPT

# Allow the Shadowsocks port range for TCP and UDP (UDP relay is enabled with -u below)
iptables --append INPUT -p tcp --match multiport --dports 50000:50100 -j ACCEPT
iptables --append INPUT -p udp --match multiport --dports 50000:50100 -j ACCEPT

# Allow Shadowsocks-manager ports
iptables --append INPUT -p tcp --match multiport --dports 6000:6005 -j ACCEPT

# Default rules: drop everything that was not explicitly allowed
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP

# Save, and restore at boot
iptables-save > /etc/iptables_rules
echo "/sbin/iptables-restore < /etc/iptables_rules" >> /etc/rc.local

Three caveats. These rules cover IPv4 only: a server with a public IPv6 address needs the same policy in ip6tables, or IPv6 disabled, otherwise every port stays reachable over IPv6. /etc/rc.local, where it exists, ends with exit 0, so a line appended with >> is never executed; put the restore line before the exit 0, and make sure the file is executable. Recent Ubuntu releases ship without rc.local at all; there the iptables-persistent package, which loads /etc/iptables/rules.v4 at boot, is the usual way to persist the rules.
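The same policy expressed as an iptables-restore ruleset, as an added example that is not part of the original post. A restore file is applied atomically (no window where the chain is half built) and is the format iptables-persistent loads at boot. The script assumes the post's port numbers; SSH_PORT and the two ranges are variables to adjust, and the per-source SSH rate limit with hashlimit is an addition of this example.

```shell
#!/bin/sh
# Added example, not from the original post: build the firewall policy as an
# iptables-restore ruleset and apply it in one step. Port numbers follow the
# post; SSH_PORT and the ranges are assumptions to adjust for your server.
SSH_PORT=22
SS_PORTS="50000:50100"    # shadowsocks listeners, opened for TCP and UDP
MGR_PORTS="6000:6005"     # shadowsocks-manager ports from the post

# Print a complete *filter table. Beyond the post's rule list it accepts
# loopback (ss-manager on 127.0.0.1 needs it), drops INVALID packets and
# limits new SSH connections per source address with hashlimit.
gen_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto 6/min --hashlimit-burst 10 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport ${SS_PORTS} -j ACCEPT
-A INPUT -p udp --dport ${SS_PORTS} -j ACCEPT
-A INPUT -p tcp --dport ${MGR_PORTS} -j ACCEPT
COMMIT
EOF
}

# Sanity check before applying: INPUT policy must be DROP, loopback and SSH
# must be accepted, and the table must end with COMMIT. Returns 0 on success.
check_ruleset() {
    rules=$1
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i lo -j ACCEPT$' || return 1
    printf '%s\n' "$rules" | grep -q -- "--dport ${SSH_PORT} .*-j ACCEPT" || return 1
    [ "$(printf '%s\n' "$rules" | tail -n 1)" = "COMMIT" ]
}

# Write the rules where iptables-persistent loads them at boot, then apply.
# IPv4 only: a host with a public IPv6 address needs an ip6tables-restore
# ruleset too (allowing icmpv6, which IPv6 depends on), or IPv6 disabled.
apply_rules() {
    rules=$(gen_filter_rules)
    check_ruleset "$rules" || { echo "ruleset failed sanity check" >&2; return 1; }
    printf '%s\n' "$rules" > /etc/iptables/rules.v4
    iptables-restore < /etc/iptables/rules.v4
}
```

Run apply_rules as root from an SSH session; because the whole table is loaded at once, a typo is rejected by iptables-restore before anything changes instead of leaving a partially applied chain.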

Optimizations

Update 12-15-2019

Enable BBR congestion control with the ss-fly script (it is fetched from GitHub and run as root, so read it before executing it):

git clone https://github.com/yuluyan/ss-fly.git
ss-fly/ss-fly.sh -bbr

Check that the kernel offers BBR:

sysctl net.ipv4.tcp_available_congestion_control

The output should list bbr, for example

net.ipv4.tcp_available_congestion_control = bbr cubic reno

(the order may differ). This only shows that bbr is available; the algorithm actually in use is reported by the net.ipv4.tcp_congestion_control sysctl, which should read bbr once the script has done its work.
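Enabling BBR by hand instead of through the script, and distinguishing "available" from "active", as an added example that is not from the post or the ss-fly script. It assumes a Linux kernel of 4.9 or newer with the tcp_bbr module, writes a sysctl.d fragment (the file name 60-bbr.conf is a choice of this example), and reads the live values from /proc/sys/net; both paths are parameters so the check can be run against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the post or the ss-fly script: enable BBR with a
# sysctl.d fragment (the kernel needs the bbr congestion control plus the fq
# qdisc, available since Linux 4.9) and verify that bbr is the *active*
# algorithm rather than merely listed as available.

# Write the two settings. The directory is a parameter so the function can be
# run against a scratch directory; on the host it is /etc/sysctl.d.
write_bbr_sysctl() {
    dir=${1:-/etc/sysctl.d}
    printf 'net.core.default_qdisc = fq\nnet.ipv4.tcp_congestion_control = bbr\n' \
        > "$dir/60-bbr.conf"
}

# 0 if bbr is loaded or built in (it then appears in the available list).
bbr_available() {
    proc=${1:-/proc/sys/net}
    grep -qw bbr "$proc/ipv4/tcp_available_congestion_control" 2>/dev/null
}

# 0 only if bbr is the active algorithm and fq is the default qdisc.
bbr_active() {
    proc=${1:-/proc/sys/net}
    cc=$(cat "$proc/ipv4/tcp_congestion_control" 2>/dev/null || true)
    qd=$(cat "$proc/core/default_qdisc" 2>/dev/null || true)
    [ "$cc" = bbr ] && [ "$qd" = fq ]
}

# Full procedure on a live host (as root): load the module, persist the
# settings, apply every fragment, then check the active values.
enable_bbr() {
    modprobe tcp_bbr 2>/dev/null || true      # no-op if bbr is built in
    bbr_available || { echo "kernel has no bbr (needs Linux >= 4.9)" >&2; return 1; }
    write_bbr_sysctl /etc/sysctl.d
    sysctl --system >/dev/null
    bbr_active || { echo "bbr is not active; check sysctl output" >&2; return 1; }
    echo "bbr active, default qdisc fq"
}
```

On a host where the check fails right after the sysctl run, the usual cause is a kernel without the tcp_bbr module; the available list then does not contain bbr at all.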

Update 12-27-2019

V2ray-plugin

Install shadowsocks (shadowsocks-libev) with v2ray-plugin using the script by @M3chD09. It is downloaded from GitHub and run as root, so read it before executing it:

wget -O ubuntu-ss-install.sh https://github.com/M3chD09/shadowsocks-with-v2ray-plugin-install/raw/master/ubuntu-ss-install.sh
chmod +x ubuntu-ss-install.sh
./ubuntu-ss-install.sh

The configuration file is /etc/shadowsocks-libev/config.json. Replace <DOMAIN.COM> with the server's domain and "password" with a long random secret; the password is the only credential a client needs. The TCP Fast Open option is spelled fast-open, the same as on the client side below.

{
    "server":"0.0.0.0",
    "server_port":443,
    "password":"password",
    "timeout":300,
    "method":"aes-256-gcm",
    "plugin":"v2ray-plugin",
    "plugin_opts":"server;tls;fast-open;cert=/etc/letsencrypt/live/<DOMAIN.COM>/fullchain.pem;key=/etc/letsencrypt/live/<DOMAIN.COM>/privkey.pem;host=<DOMAIN.COM>;loglevel=none"
}

The ss-server process has to be able to read privkey.pem (certbot's live and archive directories are readable by root only), and it must be restarted after each certificate renewal to pick up the new files.

Add support within shadowsocks-manager

See the post here. Start ss-manager and ssmgr with the plugin options added (the same options as in config.json; the ss-manager flag is --plugin-opts):

screen -dmS ssserver ss-manager -m aes-256-gcm -u --manager-address 127.0.0.1:4005 --plugin /usr/local/bin/v2ray-plugin --plugin-opts "server;tls;fast-open;cert=/etc/letsencrypt/live/<DOMAIN.COM>/fullchain.pem;key=/etc/letsencrypt/live/<DOMAIN.COM>/privkey.pem;host=<DOMAIN.COM>;loglevel=none"
screen -dmS ssmgr ssmgr -c ~/.ssmgr/ss.yml -r libev:aes-256-gcm --plugin /usr/local/bin/v2ray-plugin --plugin-opts "server;tls;fast-open;cert=/etc/letsencrypt/live/<DOMAIN.COM>/fullchain.pem;key=/etc/letsencrypt/live/<DOMAIN.COM>/privkey.pem;host=<DOMAIN.COM>;loglevel=none"

On the client, set the plugin to v2ray-plugin and the plugin options to tls;fast-open;host=<DOMAIN.COM>. The client needs neither the cert nor the key option; host is the name the server certificate is verified against.
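The server config.json, the ss-manager command line and the client plugin options above all repeat the same plugin string, and the placeholder password has to be replaced by hand. The following added example (not the post's own code, nor the install script's) generates all three from one domain name so the sides cannot drift, draws the password from the kernel RNG, and checks that the certificate files are readable before anything is started. The domain passed in is an assumption; the certificate paths follow the certbot layout used in the post, with the base directory overridable through LE_BASE for testing.

```shell
#!/bin/sh
# Added example, not the post's or the install script's own code: derive the
# server config.json, the ss-manager command line and the client plugin
# options from one set of variables, with a random password instead of the
# "password" placeholder. The domain is an assumption; certificate paths
# follow the certbot layout in the post.

# Certificate directory for a domain; LE_BASE can be overridden (tests do).
le_live_dir() {
    printf '%s/%s' "${LE_BASE:-/etc/letsencrypt/live}" "$1"
}

# 32 random alphanumeric characters from the kernel RNG.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Server-side SIP003 options; the TFO option is spelled fast-open on both sides.
server_plugin_opts() {
    live=$(le_live_dir "$1")
    printf 'server;tls;fast-open;cert=%s/fullchain.pem;key=%s/privkey.pem;host=%s;loglevel=none' \
        "$live" "$live" "$1"
}

# Client-side options: no cert/key; host is the TLS server name to verify.
client_plugin_opts() {
    printf 'tls;fast-open;host=%s' "$1"
}

# The ss-server process must be able to read both files; certbot's live and
# archive directories are root-only by default, so check before starting.
check_tls_files() {
    live=$(le_live_dir "$1")
    [ -r "$live/fullchain.pem" ] && [ -r "$live/privkey.pem" ]
}

# Print the contents of /etc/shadowsocks-libev/config.json.
gen_server_config() {
    domain=$1 password=$2 port=${3:-443}
    cat <<EOF
{
    "server": "0.0.0.0",
    "server_port": ${port},
    "password": "${password}",
    "timeout": 300,
    "method": "aes-256-gcm",
    "plugin": "v2ray-plugin",
    "plugin_opts": "$(server_plugin_opts "$domain")"
}
EOF
}

# ss-manager invocation for the shadowsocks-manager setup, same options.
ss_manager_cmd() {
    printf 'ss-manager -m aes-256-gcm -u --manager-address 127.0.0.1:4005 --plugin /usr/local/bin/v2ray-plugin --plugin-opts "%s"' \
        "$(server_plugin_opts "$1")"
}

# Usage on the server (as root):
#   check_tls_files example.com || exit 1
#   gen_server_config example.com "$(gen_password)" > /etc/shadowsocks-libev/config.json
#   client_plugin_opts example.com    # paste into the client's plugin options
```

The password is restricted to alphanumerics so it can be dropped into the JSON and into a shell command line without quoting issues; 32 such characters are far beyond what the aes-256-gcm key derivation needs to resist guessing.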

Other

The webgui front-end is in the directory

/usr/local/node/lib/node_modules/shadowsocks-manager/plugins/webgui/public