我似乎抓到劫持包了
似乎所有的劫持包都有一个变量"_atn_obj_"
于是用 iptables 关键字匹配：
iptables -A forwarding_rule -i pppoe-wan -p tcp --sport 80 -m string --string "_atn_obj_" --algo bm -j LOG
同时后台开着 tcpdump
直到内核日志中出现一条：
[54945.458949] IN=pppoe-wan OUT=ct MAC= SRC=119.23.80.130 DST=10.2.1.2 LEN=894 TOS=0x00 PREC=0x00 TTL=56 ID=9997 DF PROTO=TCP SPT=80 DPT=45021 WINDOW=256 RES=0x00 ACK PSH URGP=0

然后我过滤抓包结果：
00:35:20.051969 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [S], seq 296045250, win 64240, options [mss 1432,sackOK,TS val 3110253 ecr 0,nop,wscale 8], length 0
00:35:20.060124 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [S.], seq 4085280, ack 296045251, win 14600, options [mss 1444,nop,nop,sackOK,nop,wscale 7], length 0
00:35:20.071531 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1, win 251, length 0
00:35:20.073405 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [P.], seq 1:1530, ack 1, win 251, length 1529: HTTP: GET /static/image/mobile/styletouch.css HTTP/1.1
00:35:20.081913 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [.], ack 1433, win 137, length 0
00:35:20.082025 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [.], ack 1530, win 137, length 0
00:35:20.094693 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 1:245, ack 1530, win 137, length 244: HTTP: HTTP/1.1 304 Not Modified
00:35:20.106128 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 245, win 256, length 0
00:35:20.110373 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], seq 1530:2962, ack 245, win 256, length 1432: HTTP: GET /static/assets/js/amazeui.min.js HTTP/1.1
00:35:20.110765 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [P.], seq 2962:3040, ack 245, win 256, length 78: HTTP
00:35:20.129094 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:1099, ack 2962, win 256, length 854: HTTP: HTTP/1.1 200 OK
00:35:20.129715 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [.], ack 3040, win 159, length 0
00:35:20.143467 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:20.150041 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
00:35:20.154660 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
00:35:20.361116 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
00:35:20.361483 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:20.394913 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
00:35:20.582203 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
00:35:20.799507 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:20.817570 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
00:35:21.021165 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
00:35:21.675574 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:21.715799 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
00:35:21.904377 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
00:35:23.427507 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:23.454270 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
00:35:26.931735 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:27.118104 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [R], seq 296048290, win 0, length 0

可以看到
00:35:20.129094 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:1099, ack 2962, win 256, length 854: HTTP: HTTP/1.1 200 OK
这个就是返回的 200 劫持，而真正的服务器返回的是
00:35:20.143467 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified

根据关键字、TCP FLAGS 和 TTL 匹配包并 DROP 掉
iptables -A forwarding_rule -i pppoe-wan -p tcp --sport 80 -m ttl --ttl-eq 55 --tcp-flags ALL PSH,ACK -m string --string "_atn_obj_" --algo bm -j DROP

存放广告内容的服务器 IP 有 183.59.53.187 183.59.53.188 183.59.53.224 ，po 主的是 183.59.53.197 ，看来可以放心地把整段 IP 屏蔽了

路由器 LAN 口百兆？

我套了一层 IP-in-IP …

WR1200JS

@aceralon SYSU?

打开 SNI

如果是光猫拨号，在设置里打开几个 IPv6 选项，然后观察是否获取到 240e 开头的地址

http://speedtest.xfinity.com/results/JH0FYHXUXGQW2P5
广州电信 500M

倒是可以直连 6plat 中转到 VPS

最基本人工智能之 A*算法

端口转发

如果把虚拟机网卡改成桥接呢？

Java 重写父类方法
https://www.tutorialspoint.com/java/java_overriding.htm

墙内部分地区到某些热门 VPS/CDN 的带 SNI 的 SSL Client Hello 在经过某墙时被丢弃，这个跟证书无关
已知受影响的有：香港阿里云、DigitalOcean、CloudFront 以及部分 Akamai

曾把网件 GS116E 塞进弱电箱里的路过

github Amazon 服务器禁 ping 而已

@hlz0812 有公网 IP 就去用 6in4 吧