ss-redir(1) shadowsocks client as transparent proxy, libev port


    [-AuUv]          [-h|--help]
    [-s server_host] [-p server_port]    [-l local_port]
    [-k password]    [-m encrypt_method] [-f pid_file]
    [-t timeout]     [-c config_file]    [-b local_address]
    [-a user_name]   [-n nofile]


Shadowsocks-libev is a lightweight and secure socks5 proxy. It is a port of the original shadowsocks created by clowwindy. Shadowsocks-libev is written in pure C and takes advantage of libev to achieve both high performance and low resource consumption.

Shadowsocks-libev consists of five components. ss-redir(1) works as a transparent proxy on local machines to proxy TCP traffic and requires netfilter's NAT module. For more information, check out shadowsocks-libev(8) and the following EXAMPLE section.


-s server_host
Set the server's hostname or IP.
-p server_port
Set the server's port number.
-l local_port
Set the local port number.
-k password
Set the password. The server and the client should use the same password.
-m encrypt_method
Set the cipher.

Shadowsocks-libev accepts 18 different ciphers: table, rc4, rc4-md5, aes-128-cfb, aes-192-cfb, aes-256-cfb, bf-cfb, camellia-128-cfb, camellia-192-cfb, camellia-256-cfb, cast5-cfb, des-cfb, idea-cfb, rc2-cfb, seed-cfb, salsa20, chacha20 and chacha20-ietf. The default cipher is table.

If built with PolarSSL or custom OpenSSL libraries, some of these ciphers may not work.

-a user_name
Run as a specific user.
-f pid_file
Start shadowsocks as a daemon with specific pid file.
-t timeout
Set the socket timeout in seconds. The default value is 60.
-c config_file
Use a configuration file.
-n number
Specify max number of open files.

Only available on Linux.

-b local_address
Specify local address to bind.
Enable UDP relay.

TPROXY is required in redir mode. You may need root permission.

Enable UDP relay and disable TCP relay.
Enable onetime authentication.
Enable verbose mode.
-h, --help
Print help message.


ss-redir requires netfilter's NAT function. Here is an example:

    # Create new chain
    [email protected]:~# iptables -t nat -N SHADOWSOCKS
    # Ignore your shadowsocks server's addresses
    # It's very IMPORTANT, just be careful.
    [email protected]:~# iptables -t nat -A SHADOWSOCKS -d -j RETURN
    # Ignore LANs and any other addresses you'd like to bypass the proxy
    # See Wikipedia and RFC5735 for full list of reserved networks.
    # See ashi009/bestroutetb for a highly optimized CHN route list.
    [email protected]:~# iptables -t nat -A SHADOWSOCKS -d -j RETURN
    [email protected]:~# iptables -t nat -A SHADOWSOCKS -d -j RETURN
    [email protected]:~# iptables -t nat -A SHADOWSOCKS -d -j RETURN
    [email protected]:~# iptables -t nat -A SHADOWSOCKS -d -j RETURN
    [email protected]:~# iptables -t nat -A SHADOWSOCKS -d -j RETURN
    [email protected]:~# iptables -t nat -A SHADOWSOCKS -d -j RETURN
    [email protected]:~# iptables -t nat -A SHADOWSOCKS -d -j RETURN
    [email protected]:~# iptables -t nat -A SHADOWSOCKS -d -j RETURN
    # Anything else should be redirected to shadowsocks's local port
    [email protected]:~# iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345
    # Add any UDP rules
    [email protected]:~# ip rule add fwmark 0x01/0x01 table 100
    [email protected]:~# ip route add local dev lo table 100
    [email protected]:~# iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x01/0x01
    # Apply the rules
    [email protected]:~# iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS
    [email protected]:~# iptables -t mangle -A PREROUTING -j SHADOWSOCKS
    # Start the shadowsocks-redir
    [email protected]:~# ss-redir -u -c /etc/config/shadowsocks.json -f /var/run/


shadowsocks was created by clowwindy <[email protected]> and shadowsocks-libev was maintained by Max Lv <[email protected]> and Linus Yang <[email protected]>.

This manual page was written by Max Lv <[email protected]>.

The manual pages were rearranged by hosiet <[email protected]>.