Closed madman43 closed 2 years ago
When I nslookup baidu it returns Baidu's real address rather than the hijacked one, and I don't know why. The DNS handed out by DHCP is already OpenClash's hijack address.
This should be fine, right?
Chain PREROUTING (policy ACCEPT)
num  target               prot opt source       destination
1    ACCEPT               tcp  --  0.0.0.0/0    8.8.4.4      tcp dpt:53
2    ACCEPT               tcp  --  0.0.0.0/0    8.8.8.8      tcp dpt:53
3    CLOUD_MUSIC          tcp  --  0.0.0.0/0    0.0.0.0/0    match-set music dst
4    REDIRECT             udp  --  0.0.0.0/0    0.0.0.0/0    udp dpt:53 redir ports 53
5    REDIRECT             tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:53 redir ports 53
6    prerouting_rule      all  --  0.0.0.0/0    0.0.0.0/0    /* !fw3: Custom prerouting rule chain */
7    zone_lan_prerouting  all  --  0.0.0.0/0    0.0.0.0/0    /* !fw3 */
8    zone_vpn_prerouting  all  --  0.0.0.0/0    0.0.0.0/0    /* !fw3 */
9    openclash            tcp  --  0.0.0.0/0    0.0.0.0/0
Turn off IPv6 and any DNS acceleration plugins and the like, then post the debug log.
There is no DNS acceleration plugin. The N1 runs as a side router (旁路由) and does not do DHCP. After turning off DHCP/DNS IPv6 resolution it still can't access anything...
OpenClash 调试日志
生成时间: 2021-01-18 15:19:53 插件版本: v0.41.14-beta 隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息
#===================== 系统信息 =====================#
主机型号: Phicomm N1
固件版本: OpenWrt SNAPSHOT r2976-37836e0c3
LuCI版本: git-20.343.54716-6fc079f-1
内核版本: 5.4.83-flippy-50+o
处理器架构: aarch64_generic
#此项在使用Tun模式时应为ACCEPT
防火墙转发: ACCEPT
#此项有值时建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: relay
#此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874
#===================== 依赖检查 =====================#
dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
jsonfilter: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
iptables-mod-tproxy: 已安装
kmod-ipt-tproxy: 已安装
iptables-mod-extra: 已安装
kmod-ipt-extra: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
ruby-dbm: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci-19.07): 已安装
#===================== 内核检查 =====================#
运行状态: 运行中
进程pid: 13688
运行权限: 13688: = cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_resource+eip
运行用户: nobody
已选择的架构: linux-armv8
#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2021.01.01.g0ab75c5
Tun内核文件: 存在
Tun内核运行权限: 正常
Game内核版本: v0.17.0-232-ge389e33
Game内核文件: 存在
Game内核运行权限: 正常
Dev内核版本: v1.3.5-4-g6fedd7e
Dev内核文件: 存在
Dev内核运行权限: 正常
#===================== 插件设置 =====================#
当前配置文件: /etc/openclash/config/free.yaml
启动配置文件: /etc/openclash/free.yaml
运行模式: fake-ip-mix
默认代理模式: rule
UDP流量转发(tproxy): 停用
DNS劫持: 启用
自定义DNS: 停用
IPV6-DNS解析: 启用
禁用Dnsmasq缓存: 启用
自定义规则: 停用
仅允许内网: 停用
仅代理命中规则流量: 启用
仅允许常用端口流量: 停用
绕过中国大陆IP: 停用
#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用
#启动异常时建议关闭此项后重试
第三方规则: 停用
#===================== 防火墙设置 =====================#
#NAT chain
# Generated by iptables-save v1.8.4 on Mon Jan 18 15:19:57 2021
*nat
:PREROUTING ACCEPT [697:186631]
:INPUT ACCEPT [480:94550]
:OUTPUT ACCEPT [844:102835]
:POSTROUTING ACCEPT [335:65995]
:CLOUD_MUSIC - [0:0]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:openclash - [0:0]
:openclash_output - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -d 8.8.4.4/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A PREROUTING -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A PREROUTING -p tcp -m set --match-set music dst -j CLOUD_MUSIC
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A PREROUTING -p tcp -j openclash
-A OUTPUT -j openclash_output
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A CLOUD_MUSIC -d 0.0.0.0/8 -j RETURN
-A CLOUD_MUSIC -d 10.0.0.0/8 -j RETURN
-A CLOUD_MUSIC -d 127.0.0.0/8 -j RETURN
-A CLOUD_MUSIC -d 169.254.0.0/16 -j RETURN
-A CLOUD_MUSIC -d 172.16.0.0/12 -j RETURN
-A CLOUD_MUSIC -d 192.168.0.0/16 -j RETURN
-A CLOUD_MUSIC -d 224.0.0.0/4 -j RETURN
-A CLOUD_MUSIC -d 240.0.0.0/4 -j RETURN
-A CLOUD_MUSIC -p tcp -m set ! --match-set music_http src -m tcp --dport 80 -j DNAT --to-destination 198.18.0.11:30000
-A CLOUD_MUSIC -p tcp -m set ! --match-set music_https src -m tcp --dport 443 -j DNAT --to-destination 198.18.0.11:30001
-A MINIUPNPD -p udp -m udp --dport 48279 -j DNAT --to-destination 192.168.2.20:47999
-A MINIUPNPD -p udp -m udp --dport 48290 -j DNAT --to-destination 192.168.2.20:48010
-A MINIUPNPD -p udp -m udp --dport 48278 -j DNAT --to-destination 192.168.2.20:47998
-A MINIUPNPD -p udp -m udp --dport 48280 -j DNAT --to-destination 192.168.2.20:48000
-A MINIUPNPD -p udp -m udp --dport 48282 -j DNAT --to-destination 192.168.2.20:48002
-A MINIUPNPD -p udp -m udp --dport 35927 -j DNAT --to-destination 192.168.2.124:35927
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 47999 -j MASQUERADE --to-ports 48279
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 48010 -j MASQUERADE --to-ports 48290
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 47998 -j MASQUERADE --to-ports 48278
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 48000 -j MASQUERADE --to-ports 48280
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 48002 -j MASQUERADE --to-ports 48282
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 47999 -j MASQUERADE --to-ports 48279
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 48010 -j MASQUERADE --to-ports 48290
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 47998 -j MASQUERADE --to-ports 48278
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 48000 -j MASQUERADE --to-ports 48280
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 48002 -j MASQUERADE --to-ports 48282
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 47999 -j MASQUERADE --to-ports 48279
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 48010 -j MASQUERADE --to-ports 48290
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 47998 -j MASQUERADE --to-ports 48278
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 48000 -j MASQUERADE --to-ports 48280
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 48002 -j MASQUERADE --to-ports 48282
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
-A openclash_output -p tcp -m tcp --sport 1194 -j RETURN
-A openclash_output -p tcp -m tcp --sport 1688 -j RETURN
-A openclash_output -p tcp -m tcp --sport 1688 -j RETURN
-A openclash_output -p tcp -m tcp --sport 3389 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -d 198.18.0.0/16 -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
-A openclash_output -m owner ! --uid-owner 65534 -m set ! --match-set common_ports dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
-A zone_lan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_lan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -j MINIUPNPD
-A zone_lan_prerouting -j MINIUPNPD
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP" -j DNAT --to-destination 192.168.2.20:3389
-A zone_lan_prerouting -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP" -j DNAT --to-destination 192.168.2.20:3389
-A zone_lan_prerouting -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: KMS" -j DNAT --to-destination 192.168.2.2:1688
-A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
-A zone_vpn_postrouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
-A zone_vpn_prerouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -m comment --comment "!fw3" -j FULLCONENAT
COMMIT
# Completed on Mon Jan 18 15:19:57 2021
#Mangle chain
# Generated by iptables-save v1.8.4 on Mon Jan 18 15:19:57 2021
*mangle
:PREROUTING ACCEPT [10485:3760786]
:INPUT ACCEPT [10181:3661404]
:FORWARD ACCEPT [287:15804]
:OUTPUT ACCEPT [10484:7665795]
:POSTROUTING ACCEPT [11447:7742980]
:RRDIPT_FORWARD - [0:0]
:RRDIPT_INPUT - [0:0]
:RRDIPT_OUTPUT - [0:0]
:openclash - [0:0]
:openclash_dns_hijack - [0:0]
:openclash_output - [0:0]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
-A PREROUTING -p udp -j openclash
-A PREROUTING -p tcp -m tcp --dport 53 -j openclash_dns_hijack
-A INPUT -j RRDIPT_INPUT
-A FORWARD -j RRDIPT_FORWARD
-A OUTPUT -j openclash_output
-A OUTPUT -j RRDIPT_OUTPUT
-A RRDIPT_FORWARD -s 192.168.2.20/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.2.20/32 -j RETURN
-A RRDIPT_FORWARD -s 172.30.32.2/32 -j RETURN
-A RRDIPT_FORWARD -d 172.30.32.2/32 -j RETURN
-A RRDIPT_FORWARD -s 172.30.32.3/32 -j RETURN
-A RRDIPT_FORWARD -d 172.30.32.3/32 -j RETURN
-A RRDIPT_FORWARD -s 172.30.33.0/32 -j RETURN
-A RRDIPT_FORWARD -d 172.30.33.0/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.2.101/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.2.101/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.2.1/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.2.1/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.2.120/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.2.120/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.2.113/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.2.113/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.2.122/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.2.122/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.2.125/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.2.125/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.2.119/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.2.119/32 -j RETURN
-A RRDIPT_FORWARD -s 172.31.0.2/32 -j RETURN
-A RRDIPT_FORWARD -d 172.31.0.2/32 -j RETURN
-A RRDIPT_INPUT -i eth0 -j RETURN
-A RRDIPT_OUTPUT -o eth0 -j RETURN
-A openclash -p udp -m udp --dport 1194 -j RETURN
-A openclash -p udp -m udp --dport 4500 -j RETURN
-A openclash -p udp -m udp --dport 500 -j RETURN
-A openclash -p udp -m udp --dport 500 -j RETURN
-A openclash -p udp -m udp --dport 546 -j RETURN
-A openclash -p udp -m udp --dport 68 -j RETURN
-A openclash -p udp -m udp --dport 1688 -j RETURN
-A openclash -p udp -m udp --dport 3389 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -j MARK --set-xmark 0x162/0xffffffff
-A openclash_dns_hijack -d 8.8.8.8/32 -j MARK --set-xmark 0x162/0xffffffff
-A openclash_dns_hijack -d 8.8.4.4/32 -j MARK --set-xmark 0x162/0xffffffff
-A openclash_output -p udp -m udp --sport 1194 -j RETURN
-A openclash_output -p udp -m udp --sport 4500 -j RETURN
-A openclash_output -p udp -m udp --sport 500 -j RETURN
-A openclash_output -p udp -m udp --sport 500 -j RETURN
-A openclash_output -p udp -m udp --sport 546 -j RETURN
-A openclash_output -p udp -m udp --sport 68 -j RETURN
-A openclash_output -p udp -m udp --sport 1688 -j RETURN
-A openclash_output -p udp -m udp --sport 3389 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -d 198.18.0.0/16 -p udp -m owner ! --uid-owner 65534 -j MARK --set-xmark 0x162/0xffffffff
-A qos_Default -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf
-A qos_Default -m mark --mark 0x0/0xf -j qos_Default_ct
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m length --length 0:500 -j MARK --set-xmark 0x22/0xff
-A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
-A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
COMMIT
# Completed on Mon Jan 18 15:19:57 2021
#===================== IPSET状态 =====================#
Name: cn
Name: ct
Name: cnc
Name: cmcc
Name: crtc
Name: cernet
Name: gwbn
Name: othernet
Name: music
Name: music_http
Name: music_https
Name: mwan3_connected_v4
Name: mwan3_connected_v6
Name: mwan3_source_v6
Name: mwan3_dynamic_v4
Name: mwan3_dynamic_v6
Name: mwan3_custom_v4
Name: mwan3_custom_v6
Name: localnetwork
Name: common_ports
Name: china
Name: mwan3_connected
#===================== 路由表状态 =====================#
#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
172.30.32.0 0.0.0.0 255.255.254.0 U 0 0 0 hassio
172.31.0.0 0.0.0.0 255.255.255.0 U 0 0 0 docker0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
198.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 utun
#ip route list
default via 192.168.2.1 dev eth0 proto static
172.30.32.0/23 dev hassio proto kernel scope link src 172.30.32.1
172.31.0.0/24 dev docker0 proto kernel scope link src 172.31.0.1
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.2
198.18.0.0/16 dev utun proto kernel scope link src 198.18.0.1
#ip rule show
0: from all lookup local
32765: from all fwmark 0x162 lookup 354
32766: from all lookup main
32767: from all lookup default
#===================== Tun设备状态 =====================#
utun: tun pi filter
#===================== 端口占用状态 =====================#
tcp 0 0 198.18.0.1:7777 0.0.0.0:* LISTEN 13688/clash
tcp 0 0 :::7892 :::* LISTEN 13688/clash
tcp 0 0 :::7893 :::* LISTEN 13688/clash
tcp 0 0 :::9090 :::* LISTEN 13688/clash
tcp 0 0 :::7890 :::* LISTEN 13688/clash
tcp 0 0 :::7891 :::* LISTEN 13688/clash
udp 0 0 198.18.0.1:7777 0.0.0.0:* 13688/clash
udp 0 0 :::50126 :::* 13688/clash
udp 0 0 :::53287 :::* 13688/clash
udp 0 0 :::56388 :::* 13688/clash
udp 0 0 :::7874 :::* 13688/clash
udp 0 0 :::7891 :::* 13688/clash
udp 0 0 :::7892 :::* 13688/clash
udp 0 0 :::7893 :::* 13688/clash
#===================== 测试本机DNS查询 =====================#
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: www.baidu.com
Address 1: 198.18.0.7
*** Can't find www.baidu.com: No answer
#===================== 测试本机网络连接 =====================#
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Mon, 18 Jan 2021 07:19:58 GMT
Etag: "575e1f72-115"
Last-Modified: Mon, 13 Jun 2016 02:50:26 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
#===================== 测试本机网络下载 =====================#
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 80
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Cache-Control: max-age=300
Content-Type: text/plain; charset=utf-8
ETag: "00cdb0532e41777645c9ad3e0a65a1b1ac87d6afaf72cf6e33d925dbbd05be97"
via: 1.1 varnish (Varnish/6.0), 1.1 varnish
X-GitHub-Request-Id: 6AF8:43AA:1975E3:1CD103:60052F21
Accept-Ranges: bytes
Date: Mon, 18 Jan 2021 07:19:58 GMT
X-Served-By: cache-hkg17929-HKG
X-Cache: HIT, HIT
X-Cache-Hits: 1, 1
X-Timer: S1610954398.414181,VS0,VE1
Vary: Authorization,Accept-Encoding
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: 40cdfd0f6d22ebff8f5a7ade09cbfeaee21b3470
Expires: Mon, 18 Jan 2021 07:24:58 GMT
Source-Age: 161
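As an added example (not code from the OpenClash project or from anyone in this thread): a small Python script that takes the nat PREROUTING rules from the debug log above in iptables-save form and evaluates, first match wins, which rule a DNS query or TCP flow from a LAN client would hit. It makes visible what the log already shows: UDP port 53 to any server, and TCP port 53 to most servers, is REDIRECTed to the router's own port 53 (dnsmasq, which forwards to 127.0.0.1#7874), while TCP port 53 to 8.8.8.8/8.8.4.4 is ACCEPTed in nat (those two are handled by the mangle openclash_dns_hijack mark instead). The ipset members are constructed, since the log lists only set names; the fake-ip range 198.18.0.0/16 is taken from the utun route, and is_fake_ip() shows how to tell from a resolved address whether a query was hijacked (the router's own nslookup got 198.18.0.7, a fake-ip).

```python
import ipaddress
import shlex

# Constructed sample: a subset of the nat table from the debug log
# (PREROUTING and the openclash chain; the fw3 zone chains are left empty).
NAT_RULES = """\
-A PREROUTING -d 8.8.4.4/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A PREROUTING -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A PREROUTING -p tcp -m set --match-set music dst -j CLOUD_MUSIC
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A PREROUTING -p tcp -j openclash
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
"""

# Constructed ipset contents (the log only lists the set names, not members).
IPSETS = {
    "localnetwork": [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "music": [],
}

# Clash fake-ip range, taken from the utun route in the log.
FAKE_IP_RANGE = ipaddress.ip_network("198.18.0.0/16")

# Targets that end evaluation of the whole table for this packet.
TERMINAL = {"ACCEPT", "DROP", "REDIRECT", "DNAT", "SNAT", "MASQUERADE"}


def parse_rule(line):
    """Extract the matches and target of one `-A CHAIN ...` iptables-save line."""
    toks = shlex.split(line)
    rule = {"chain": toks[1], "dst": None, "proto": None, "dport": None,
            "iface": None, "ipset": None, "target": None, "to_ports": None}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "--match-set":
            rule["ipset"] = (toks[i + 1], toks[i + 2])  # set name, direction (src/dst)
            i += 3
        elif t in ("-d", "-p", "--dport", "-i", "-j", "--to-ports", "-m", "--comment"):
            arg = toks[i + 1]
            if t == "-d":
                rule["dst"] = ipaddress.ip_network(arg)
            elif t == "-p":
                rule["proto"] = arg
            elif t == "--dport":
                rule["dport"] = int(arg)
            elif t == "-i":
                rule["iface"] = arg
            elif t == "-j":
                rule["target"] = arg
            elif t == "--to-ports":
                rule["to_ports"] = int(arg)
            # "-m <module>" and "--comment <text>" carry no match we evaluate
            i += 2
        else:
            i += 1
    return rule


def load_chains(dump):
    """Group the -A lines of an iptables-save dump by chain, preserving order."""
    chains = {}
    for line in dump.splitlines():
        if line.startswith("-A "):
            r = parse_rule(line)
            chains.setdefault(r["chain"], []).append(r)
    return chains


def matches(rule, pkt):
    if rule["dst"] is not None and pkt["dst"] not in rule["dst"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["iface"] is not None and rule["iface"] != pkt["iface"]:
        return False
    if rule["ipset"] is not None:
        name, direction = rule["ipset"]
        addr = pkt["dst"] if direction == "dst" else pkt["src"]
        if not any(addr in net for net in IPSETS.get(name, [])):
            return False
    return True


def walk(chains, chain, pkt):
    """First-match evaluation of `chain`; (target, to_ports), or None on RETURN / fall-through."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        tgt = rule["target"]
        if tgt in TERMINAL:
            return tgt, rule["to_ports"]
        if tgt == "RETURN":
            return None
        verdict = walk(chains, tgt, pkt)  # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None


def nat_verdict(chains, pkt):
    """Verdict of nat PREROUTING for the packet; falls back to the chain policy ACCEPT."""
    return walk(chains, "PREROUTING", pkt) or ("ACCEPT", None)


def packet(proto, dst, dport, iface="eth0", src="192.168.2.20"):
    return {"proto": proto, "dst": ipaddress.ip_address(dst), "dport": dport,
            "iface": iface, "src": ipaddress.ip_address(src)}


def is_fake_ip(answer):
    """True when a DNS answer lies in Clash's fake-ip range, i.e. the query was hijacked."""
    return ipaddress.ip_address(answer) in FAKE_IP_RANGE


if __name__ == "__main__":
    chains = load_chains(NAT_RULES)
    for p in (packet("udp", "114.114.114.114", 53), packet("tcp", "8.8.8.8", 53),
              packet("tcp", "1.1.1.1", 53), packet("tcp", "198.18.0.7", 443),
              packet("tcp", "192.168.2.2", 443)):
        print(p["proto"], p["dst"], p["dport"], "->", nat_verdict(chains, p))
    print("198.18.0.7 is fake-ip:", is_fake_ip("198.18.0.7"))
```

Run against a client's own nslookup result, is_fake_ip() separates the two situations the thread is chasing: an answer in 198.18.0.0/16 means the query went through the router's hijack path, while a real Baidu address means the client's query never reached that path at all.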
mwan3 and qos have been turned off.
Those two aren't turned on at all.
If they aren't turned on, where did those firewall rules come from? The logic of these plugins is really strange.
I uninstalled mwan3 and it still doesn't work; qos was never enabled, and I've uninstalled load balancing too.
Post the debug log.
OpenClash 调试日志
生成时间: 2021-01-22 20:59:49 插件版本: v0.41.14-beta 隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息
#===================== 系统信息 =====================#
主机型号: Phicomm N1
固件版本: OpenWrt SNAPSHOT r2976-37836e0c3
LuCI版本: git-20.343.54716-6fc079f-1
内核版本: 5.4.83-flippy-50+o
处理器架构: aarch64_generic
#此项在使用Tun模式时应为ACCEPT
防火墙转发: ACCEPT
#此项有值时建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: relay
#此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874
#===================== 依赖检查 =====================#
dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
jsonfilter: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
iptables-mod-tproxy: 已安装
kmod-ipt-tproxy: 已安装
iptables-mod-extra: 已安装
kmod-ipt-extra: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
ruby-dbm: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci-19.07): 已安装
#===================== 内核检查 =====================#
运行状态: 运行中
进程pid: 10535
运行权限: 10535: = cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_resource+eip
运行用户: nobody
已选择的架构: linux-armv8
#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2021.01.01.g0ab75c5
Tun内核文件: 存在
Tun内核运行权限: 正常
Game内核版本: v0.17.0-232-ge389e33
Game内核文件: 存在
Game内核运行权限: 正常
Dev内核版本: v1.3.5-4-g6fedd7e
Dev内核文件: 存在
Dev内核运行权限: 正常
#===================== 插件设置 =====================#
当前配置文件: /etc/openclash/config/free.yaml
启动配置文件: /etc/openclash/free.yaml
运行模式: fake-ip-mix
默认代理模式: rule
UDP流量转发(tproxy): 停用
DNS劫持: 启用
自定义DNS: 停用
IPV6-DNS解析: 启用
禁用Dnsmasq缓存: 启用
自定义规则: 停用
仅允许内网: 停用
仅代理命中规则流量: 启用
仅允许常用端口流量: 停用
绕过中国大陆IP: 停用
#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用
#启动异常时建议关闭此项后重试
第三方规则: 停用
nameserver:
- 114.114.114.114
- 119.29.29.29
fallback:
- https://cloudflare-dns.com/dns-query
- https://dns.google/dns-query
- https://1.1.1.1/dns-query
- tls://8.8.8.8:853
fallback-filter:
geoip: false
ipcidr:
- 0.0.0.0/8
- 10.0.0.0/8
- 100.64.0.0/10
- 127.0.0.0/8
- 169.254.0.0/16
- 172.16.0.0/12
- 192.0.0.0/24
- 192.0.2.0/24
- 192.88.99.0/24
- 192.168.0.0/16
- 198.18.0.0/15
- 198.51.100.0/24
- 203.0.113.0/24
- 224.0.0.0/4
- 240.0.0.0/4
- 255.255.255.255/32
domain:
- "+.google.com"
- "+.facebook.com"
- "+.youtube.com"
- "+.githubusercontent.com"
ipv6: true
tun:
enable: true
stack: system
dns-hijack:
- tcp://8.8.8.8:53
- tcp://8.8.4.4:53
#===================== 防火墙设置 =====================#
#NAT chain
# Generated by iptables-save v1.8.4 on Fri Jan 22 20:59:53 2021
*nat
:PREROUTING ACCEPT [5980:2013623]
:INPUT ACCEPT [5509:902049]
:OUTPUT ACCEPT [9303:1141889]
:POSTROUTING ACCEPT [4035:788815]
:CLOUD_MUSIC - [0:0]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:openclash - [0:0]
:openclash_output - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
-A PREROUTING -d 8.8.4.4/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A PREROUTING -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A PREROUTING -p tcp -m set --match-set music dst -j CLOUD_MUSIC
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -j openclash
-A OUTPUT -j openclash_output
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A CLOUD_MUSIC -d 0.0.0.0/8 -j RETURN
-A CLOUD_MUSIC -d 10.0.0.0/8 -j RETURN
-A CLOUD_MUSIC -d 127.0.0.0/8 -j RETURN
-A CLOUD_MUSIC -d 169.254.0.0/16 -j RETURN
-A CLOUD_MUSIC -d 172.16.0.0/12 -j RETURN
-A CLOUD_MUSIC -d 192.168.0.0/16 -j RETURN
-A CLOUD_MUSIC -d 224.0.0.0/4 -j RETURN
-A CLOUD_MUSIC -d 240.0.0.0/4 -j RETURN
-A CLOUD_MUSIC -p tcp -m set ! --match-set music_http src -m tcp --dport 80 -j DNAT --to-destination 198.18.1.253:30000
-A CLOUD_MUSIC -p tcp -m set ! --match-set music_https src -m tcp --dport 443 -j DNAT --to-destination 198.18.1.253:30001
-A MINIUPNPD -p udp -m udp --dport 48279 -j DNAT --to-destination 192.168.2.20:47999
-A MINIUPNPD -p udp -m udp --dport 48290 -j DNAT --to-destination 192.168.2.20:48010
-A MINIUPNPD -p udp -m udp --dport 48278 -j DNAT --to-destination 192.168.2.20:47998
-A MINIUPNPD -p udp -m udp --dport 48280 -j DNAT --to-destination 192.168.2.20:48000
-A MINIUPNPD -p udp -m udp --dport 48282 -j DNAT --to-destination 192.168.2.20:48002
-A MINIUPNPD -p udp -m udp --dport 48354 -j DNAT --to-destination 192.168.2.21:48354
-A MINIUPNPD -p udp -m udp --dport 50110 -j DNAT --to-destination 192.168.2.21:50110
-A MINIUPNPD -p udp -m udp --dport 50158 -j DNAT --to-destination 192.168.2.21:50158
-A MINIUPNPD -p udp -m udp --dport 50499 -j DNAT --to-destination 192.168.2.21:50499
-A MINIUPNPD -p udp -m udp --dport 50517 -j DNAT --to-destination 192.168.2.21:50517
-A MINIUPNPD -p udp -m udp --dport 53001 -j DNAT --to-destination 192.168.2.21:53001
-A MINIUPNPD -p udp -m udp --dport 53312 -j DNAT --to-destination 192.168.2.21:53312
-A MINIUPNPD -p udp -m udp --dport 53432 -j DNAT --to-destination 192.168.2.21:53432
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 47999 -j MASQUERADE --to-ports 48279
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 48010 -j MASQUERADE --to-ports 48290
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 47998 -j MASQUERADE --to-ports 48278
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 48000 -j MASQUERADE --to-ports 48280
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 48002 -j MASQUERADE --to-ports 48282
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
-A openclash_output -p tcp -m tcp --sport 1688 -j RETURN
-A openclash_output -p tcp -m tcp --sport 3389 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -d 198.18.0.0/16 -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
-A openclash_output -m owner ! --uid-owner 65534 -m set ! --match-set common_ports dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
-A zone_lan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_lan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -j MINIUPNPD
-A zone_lan_prerouting -j MINIUPNPD
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP" -j DNAT --to-destination 192.168.2.20:3389
-A zone_lan_prerouting -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP" -j DNAT --to-destination 192.168.2.20:3389
-A zone_lan_prerouting -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: KMS" -j DNAT --to-destination 192.168.2.2:1688
COMMIT
# Completed on Fri Jan 22 20:59:53 2021
#Mangle chain
# Generated by iptables-save v1.8.4 on Fri Jan 22 20:59:53 2021
*mangle
:PREROUTING ACCEPT [4170496:3807145090]
:INPUT ACCEPT [2859255:3310656327]
:FORWARD ACCEPT [1312373:491885404]
:OUTPUT ACCEPT [2261087:3006253555]
:POSTROUTING ACCEPT [3589450:3501183370]
:RRDIPT_FORWARD - [0:0]
:RRDIPT_INPUT - [0:0]
:RRDIPT_OUTPUT - [0:0]
:openclash - [0:0]
:openclash_dns_hijack - [0:0]
:openclash_output - [0:0]
-A PREROUTING -p udp -j openclash
-A PREROUTING -p tcp -m tcp --dport 53 -j openclash_dns_hijack
-A INPUT -j RRDIPT_INPUT
-A FORWARD -j RRDIPT_FORWARD
-A OUTPUT -j openclash_output
-A OUTPUT -j RRDIPT_OUTPUT
-A RRDIPT_FORWARD -s 192.168.2.20/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.2.20/32 -j RETURN
-A RRDIPT_FORWARD -s 172.30.32.2/32 -j RETURN
-A RRDIPT_FORWARD -d 172.30.32.2/32 -j RETURN
-A RRDIPT_FORWARD -s 172.30.32.3/32 -j RETURN
-A RRDIPT_FORWARD -d 172.30.32.3/32 -j RETURN
-A RRDIPT_FORWARD -s 172.30.33.0/32 -j RETURN
-A RRDIPT_FORWARD -d 172.30.33.0/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.2.1/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.2.1/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.2.101/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.2.101/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.2.120/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.2.120/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.2.122/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.2.122/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.2.119/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.2.119/32 -j RETURN
-A RRDIPT_FORWARD -s 172.31.0.2/32 -j RETURN
-A RRDIPT_FORWARD -d 172.31.0.2/32 -j RETURN
-A RRDIPT_INPUT -i eth0 -j RETURN
-A RRDIPT_OUTPUT -o eth0 -j RETURN
-A openclash -p udp -m udp --dport 1688 -j RETURN
-A openclash -p udp -m udp --dport 3389 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -j MARK --set-xmark 0x162/0xffffffff
-A openclash_dns_hijack -d 8.8.8.8/32 -j MARK --set-xmark 0x162/0xffffffff
-A openclash_dns_hijack -d 8.8.4.4/32 -j MARK --set-xmark 0x162/0xffffffff
-A openclash_output -p udp -m udp --sport 1688 -j RETURN
-A openclash_output -p udp -m udp --sport 3389 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -d 198.18.0.0/16 -p udp -m owner ! --uid-owner 65534 -j MARK --set-xmark 0x162/0xffffffff
COMMIT
# Completed on Fri Jan 22 20:59:53 2021
#===================== IPSET状态 =====================#
Name: music
Name: localnetwork
Name: common_ports
Name: music_http
Name: music_https
Name: china
#===================== 路由表状态 =====================#
#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
172.30.32.0 0.0.0.0 255.255.254.0 U 0 0 0 hassio
172.31.0.0 0.0.0.0 255.255.255.0 U 0 0 0 docker0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
198.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 utun
#ip route list
default via 192.168.2.1 dev eth0 proto static
172.30.32.0/23 dev hassio proto kernel scope link src 172.30.32.1
172.31.0.0/24 dev docker0 proto kernel scope link src 172.31.0.1
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.2
198.18.0.0/16 dev utun proto kernel scope link src 198.18.0.1
#ip rule show
0: from all lookup local
32765: from all fwmark 0x162 lookup 354
32766: from all lookup main
32767: from all lookup default
#===================== Tun设备状态 =====================#
utun: tun pi filter
#===================== 端口占用状态 =====================#
tcp 0 0 198.18.0.1:7777 0.0.0.0:* LISTEN 10535/clash
tcp 0 0 :::7890 :::* LISTEN 10535/clash
tcp 0 0 :::7891 :::* LISTEN 10535/clash
tcp 0 0 :::7892 :::* LISTEN 10535/clash
tcp 0 0 :::7893 :::* LISTEN 10535/clash
tcp 0 0 :::9090 :::* LISTEN 10535/clash
udp 0 0 198.18.0.1:7777 0.0.0.0:* 10535/clash
udp 0 0 :::41681 :::* 10535/clash
udp 0 0 :::7891 :::* 10535/clash
udp 0 0 :::7892 :::* 10535/clash
udp 0 0 :::7893 :::* 10535/clash
udp 0 0 :::55039 :::* 10535/clash
udp 0 0 :::35804 :::* 10535/clash
udp 0 0 :::55271 :::* 10535/clash
udp 0 0 :::53275 :::* 10535/clash
udp 0 0 :::48185 :::* 10535/clash
udp 0 0 :::37972 :::* 10535/clash
udp 0 0 :::49373 :::* 10535/clash
udp 0 0 :::41183 :::* 10535/clash
udp 0 0 :::50412 :::* 10535/clash
udp 0 0 :::36170 :::* 10535/clash
udp 0 0 :::54915 :::* 10535/clash
udp 0 0 :::7874 :::* 10535/clash
#===================== 测试本机DNS查询 =====================#
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: www.baidu.com
Address 1: 198.18.1.30
*** Can't find www.baidu.com: No answer
#===================== resolv.conf.d =====================#
# Interface lan6
nameserver fe80::3646:ecff:fe99:8e26%eth0
#===================== 测试本机网络连接 =====================#
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Fri, 22 Jan 2021 12:59:54 GMT
Etag: "575e1f71-115"
Last-Modified: Mon, 13 Jun 2016 02:50:25 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
#===================== 测试本机网络下载 =====================#
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 80
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
ETag: "00cdb0532e41777645c9ad3e0a65a1b1ac87d6afaf72cf6e33d925dbbd05be97"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
via: 1.1 varnish (Varnish/6.0), 1.1 varnish
X-GitHub-Request-Id: 34A2:148F:D78AC:ECFF9:600A694B
Accept-Ranges: bytes
Date: Fri, 22 Jan 2021 12:59:54 GMT
X-Served-By: cache-hnd18720-HND
X-Cache: MISS, HIT
X-Cache-Hits: 0, 1
X-Timer: S1611320395.746178,VS0,VE1
Vary: Authorization,Accept-Encoding, Accept-Encoding
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: 318504be77741ad34233dd7bfc054ae12bcfbb06
Expires: Fri, 22 Jan 2021 13:04:54 GMT
Source-Age: 90
Which plugin has the mainland China whitelist enabled?
None of them are enabled; the only thing that can get past the wall is Clash. I switched to a different router firmware and used ACL4SSR Online Full; after that YouTube works, but Google reports a timeout, some sites report certificate errors and when I look at the certificate it is all VMware, and Steam reports an SSL problem.
OpenClash 调试日志
生成时间: 2021-01-23 14:33:31 插件版本: v0.41.14-beta 隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息
#===================== 系统信息 =====================#
主机型号: Phicomm N1
固件版本: OpenWrt SNAPSHOT r3032-95dfd326a
LuCI版本: git-20.343.54716-6fc079f-1
内核版本: 5.4.86-flippy-51+o
处理器架构: aarch64_cortex-a53
#此项在使用Tun模式时应为ACCEPT
防火墙转发: ACCEPT
#此项有值时建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: relay
#此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874
#===================== 依赖检查 =====================#
dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
jsonfilter: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
iptables-mod-tproxy: 已安装
kmod-ipt-tproxy: 已安装
iptables-mod-extra: 已安装
kmod-ipt-extra: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
ruby-dbm: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci-19.07): 已安装
#===================== 内核检查 =====================#
运行状态: 运行中
进程pid: 19882
运行权限: 19882: = cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_resource+eip
运行用户: nobody
已选择的架构: linux-armv8
#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2021.01.01.g0ab75c5
Tun内核文件: 存在
Tun内核运行权限: 正常
Game内核版本: v0.17.0-232-ge389e33
Game内核文件: 存在
Game内核运行权限: 正常
Dev内核版本: v1.3.5-4-g6fedd7e
Dev内核文件: 存在
Dev内核运行权限: 正常
#===================== 插件设置 =====================#
当前配置文件: /etc/openclash/config/free.yaml
启动配置文件: /etc/openclash/free.yaml
运行模式: fake-ip-mix
默认代理模式: rule
UDP流量转发(tproxy): 停用
DNS劫持: 启用
自定义DNS: 停用
IPV6-DNS解析: 启用
禁用Dnsmasq缓存: 启用
自定义规则: 停用
仅允许内网: 停用
仅代理命中规则流量: 启用
仅允许常用端口流量: 停用
绕过中国大陆IP: 停用
#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用
#启动异常时建议关闭此项后重试
第三方规则: 停用
#===================== 防火墙设置 =====================#
#NAT chain
# Generated by iptables-save v1.8.4 on Sat Jan 23 14:33:41 2021
*nat
:PREROUTING ACCEPT [54:46174]
:INPUT ACCEPT [125:28831]
:OUTPUT ACCEPT [562:49150]
:POSTROUTING ACCEPT [378:56783]
:CLOUD_MUSIC - [0:0]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:openclash - [0:0]
:openclash_output - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -d 8.8.4.4/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A PREROUTING -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A PREROUTING -p tcp -m set --match-set music dst -j CLOUD_MUSIC
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -p tcp -j openclash
-A OUTPUT -j openclash_output
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A CLOUD_MUSIC -d 0.0.0.0/8 -j RETURN
-A CLOUD_MUSIC -d 10.0.0.0/8 -j RETURN
-A CLOUD_MUSIC -d 127.0.0.0/8 -j RETURN
-A CLOUD_MUSIC -d 169.254.0.0/16 -j RETURN
-A CLOUD_MUSIC -d 172.16.0.0/12 -j RETURN
-A CLOUD_MUSIC -d 192.168.0.0/16 -j RETURN
-A CLOUD_MUSIC -d 224.0.0.0/4 -j RETURN
-A CLOUD_MUSIC -d 240.0.0.0/4 -j RETURN
-A CLOUD_MUSIC -p tcp -m set ! --match-set music_http src -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:30000
-A CLOUD_MUSIC -p tcp -m set ! --match-set music_https src -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:30001
-A MINIUPNPD -p udp -m udp --dport 60037 -j DNAT --to-destination 192.168.2.21:60037
-A MINIUPNPD -p udp -m udp --dport 32940 -j DNAT --to-destination 192.168.2.21:32940
-A MINIUPNPD -p udp -m udp --dport 33247 -j DNAT --to-destination 192.168.2.21:33247
-A MINIUPNPD -p udp -m udp --dport 48279 -j DNAT --to-destination 192.168.2.20:47999
-A MINIUPNPD -p udp -m udp --dport 48290 -j DNAT --to-destination 192.168.2.20:48010
-A MINIUPNPD -p udp -m udp --dport 48278 -j DNAT --to-destination 192.168.2.20:47998
-A MINIUPNPD -p udp -m udp --dport 48280 -j DNAT --to-destination 192.168.2.20:48000
-A MINIUPNPD -p udp -m udp --dport 48282 -j DNAT --to-destination 192.168.2.20:48002
-A MINIUPNPD -p udp -m udp --dport 37411 -j DNAT --to-destination 192.168.2.21:37411
-A MINIUPNPD -p udp -m udp --dport 37665 -j DNAT --to-destination 192.168.2.21:37665
-A MINIUPNPD -p udp -m udp --dport 37769 -j DNAT --to-destination 192.168.2.21:37769
-A MINIUPNPD -p udp -m udp --dport 38242 -j DNAT --to-destination 192.168.2.21:38242
-A MINIUPNPD -p udp -m udp --dport 38611 -j DNAT --to-destination 192.168.2.21:38611
-A MINIUPNPD -p udp -m udp --dport 38743 -j DNAT --to-destination 192.168.2.21:38743
-A MINIUPNPD -p udp -m udp --dport 38790 -j DNAT --to-destination 192.168.2.21:38790
-A MINIUPNPD -p udp -m udp --dport 39024 -j DNAT --to-destination 192.168.2.21:39024
-A MINIUPNPD -p udp -m udp --dport 39173 -j DNAT --to-destination 192.168.2.21:39173
-A MINIUPNPD -p udp -m udp --dport 39610 -j DNAT --to-destination 192.168.2.21:39610
-A MINIUPNPD -p udp -m udp --dport 40136 -j DNAT --to-destination 192.168.2.21:40136
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 47999 -j MASQUERADE --to-ports 48279
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 48010 -j MASQUERADE --to-ports 48290
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 47998 -j MASQUERADE --to-ports 48278
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 48000 -j MASQUERADE --to-ports 48280
-A MINIUPNPD-POSTROUTING -s 192.168.2.20/32 -p udp -m udp --sport 48002 -j MASQUERADE --to-ports 48282
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
-A openclash_output -p tcp -m tcp --sport 1688 -j RETURN
-A openclash_output -p tcp -m tcp --sport 1688 -j RETURN
-A openclash_output -p tcp -m tcp --sport 3389 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -d 198.18.0.0/16 -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
-A openclash_output -m owner ! --uid-owner 65534 -m set ! --match-set common_ports dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
-A zone_lan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_lan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -j MINIUPNPD
-A zone_lan_prerouting -j MINIUPNPD
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP" -j DNAT --to-destination 192.168.2.20:3389
-A zone_lan_prerouting -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP" -j DNAT --to-destination 192.168.2.20:3389
-A zone_lan_prerouting -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: KMS" -j DNAT --to-destination 192.168.2.2:1688
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sat Jan 23 14:33:41 2021
#Mangle chain
# Generated by iptables-save v1.8.4 on Sat Jan 23 14:33:41 2021
*mangle
:PREROUTING ACCEPT [3343402:1721545960]
:INPUT ACCEPT [1938003:1500620921]
:FORWARD ACCEPT [1405379:220915729]
:OUTPUT ACCEPT [1917725:1034482332]
:POSTROUTING ACCEPT [3323215:1255446515]
:RRDIPT_FORWARD - [0:0]
:RRDIPT_INPUT - [0:0]
:RRDIPT_OUTPUT - [0:0]
:openclash - [0:0]
:openclash_dns_hijack - [0:0]
:openclash_output - [0:0]
-A PREROUTING -p udp -j openclash
-A PREROUTING -p tcp -m tcp --dport 53 -j openclash_dns_hijack
-A INPUT -j RRDIPT_INPUT
-A FORWARD -j RRDIPT_FORWARD
-A OUTPUT -j openclash_output
-A OUTPUT -j RRDIPT_OUTPUT
-A RRDIPT_FORWARD -s 192.168.2.1/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.2.1/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.2.120/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.2.120/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.2.122/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.2.122/32 -j RETURN
-A RRDIPT_INPUT -i eth0 -j RETURN
-A RRDIPT_OUTPUT -o eth0 -j RETURN
-A openclash -p udp -m udp --dport 500 -j RETURN
-A openclash -p udp -m udp --dport 546 -j RETURN
-A openclash -p udp -m udp --dport 68 -j RETURN
-A openclash -p udp -m udp --dport 1688 -j RETURN
-A openclash -p udp -m udp --dport 3389 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -j MARK --set-xmark 0x162/0xffffffff
-A openclash_dns_hijack -d 8.8.8.8/32 -j MARK --set-xmark 0x162/0xffffffff
-A openclash_dns_hijack -d 8.8.4.4/32 -j MARK --set-xmark 0x162/0xffffffff
-A openclash_output -p udp -m udp --sport 500 -j RETURN
-A openclash_output -p udp -m udp --sport 546 -j RETURN
-A openclash_output -p udp -m udp --sport 68 -j RETURN
-A openclash_output -p udp -m udp --sport 1688 -j RETURN
-A openclash_output -p udp -m udp --sport 3389 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -d 198.18.0.0/16 -p udp -m owner ! --uid-owner 65534 -j MARK --set-xmark 0x162/0xffffffff
COMMIT
# Completed on Sat Jan 23 14:33:41 2021
#===================== IPSET状态 =====================#
Name: music
Name: music_http
Name: music_https
Name: mwan3_connected_v4
Name: mwan3_connected_v6
Name: mwan3_source_v6
Name: mwan3_dynamic_v4
Name: mwan3_dynamic_v6
Name: mwan3_custom_v4
Name: mwan3_custom_v6
Name: localnetwork
Name: common_ports
Name: china
Name: mwan3_connected
#===================== 路由表状态 =====================#
#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
172.30.32.0 0.0.0.0 255.255.254.0 U 0 0 0 hassio
172.31.0.0 0.0.0.0 255.255.255.0 U 0 0 0 docker0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
198.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 utun
#ip route list
default via 192.168.2.1 dev eth0 proto static
172.30.32.0/23 dev hassio proto kernel scope link src 172.30.32.1
172.31.0.0/24 dev docker0 proto kernel scope link src 172.31.0.1
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.2
198.18.0.0/16 dev utun proto kernel scope link src 198.18.0.1
#ip rule show
0: from all lookup local
32765: from all fwmark 0x162 lookup 354
32766: from all lookup main
32767: from all lookup default
#===================== Tun设备状态 =====================#
utun: tun pi filter
#===================== 端口占用状态 =====================#
tcp 0 0 198.18.0.1:7777 0.0.0.0:* LISTEN 19882/clash
tcp 0 0 :::7891 :::* LISTEN 19882/clash
tcp 0 0 :::7892 :::* LISTEN 19882/clash
tcp 0 0 :::7893 :::* LISTEN 19882/clash
tcp 0 0 :::9090 :::* LISTEN 19882/clash
tcp 0 0 :::7890 :::* LISTEN 19882/clash
udp 0 0 198.18.0.1:7777 0.0.0.0:* 19882/clash
udp 0 0 :::42490 :::* 19882/clash
udp 0 0 :::7874 :::* 19882/clash
udp 0 0 :::7891 :::* 19882/clash
udp 0 0 :::7892 :::* 19882/clash
udp 0 0 :::7893 :::* 19882/clash
udp 0 0 :::43750 :::* 19882/clash
udp 0 0 :::56222 :::* 19882/clash
udp 0 0 :::36812 :::* 19882/clash
udp 0 0 :::38995 :::* 19882/clash
udp 0 0 :::41075 :::* 19882/clash
udp 0 0 :::46291 :::* 19882/clash
udp 0 0 :::55517 :::* 19882/clash
udp 0 0 :::56579 :::* 19882/clash
udp 0 0 :::49438 :::* 19882/clash
udp 0 0 :::41317 :::* 19882/clash
#===================== 测试本机DNS查询 =====================#
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: www.baidu.com
Address 1: 198.18.0.188
*** Can't find www.baidu.com: No answer
#===================== resolv.conf.d =====================#
# Interface lan6
nameserver fe80::3646:ecff:fe99:8e26%eth0
#===================== 测试本机网络连接 =====================#
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Sat, 23 Jan 2021 06:33:42 GMT
Etag: "575e1f72-115"
Last-Modified: Mon, 13 Jun 2016 02:50:26 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
#===================== 测试本机网络下载 =====================#
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 80
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "00cdb0532e41777645c9ad3e0a65a1b1ac87d6afaf72cf6e33d925dbbd05be97"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 37DA:7976:0005:0020:600B6703
Accept-Ranges: bytes
Date: Sat, 23 Jan 2021 06:33:42 GMT
Via: 1.1 varnish
X-Served-By: cache-hkg17933-HKG
X-Cache: HIT
X-Cache-Hits: 4
X-Timer: S1611383623.840281,VS0,VE0
Vary: Authorization,Accept-Encoding
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: 82fb349ef53dbc2b80b4d2c5f1ac68df86af2b28
Expires: Sat, 23 Jan 2021 06:38:42 GMT
Source-Age: 85
#===================== 最近运行日志 =====================#
time="2021-01-23T12:09:05+08:00" level=info msg="Start initial compatible provider Proxies"
time="2021-01-23T12:09:05+08:00" level=info msg="Start initial compatible provider Domestic"
time="2021-01-23T12:09:05+08:00" level=info msg="Start initial compatible provider GlobalTV"
time="2021-01-23T12:09:05+08:00" level=info msg="Start initial compatible provider Others"
time="2021-01-23T12:09:05+08:00" level=info msg="Start initial compatible provider Special"
time="2021-01-23T12:09:05+08:00" level=info msg="DNS server listening at: 0.0.0.0:7874"
{"message":"Selector update error: proxy not exist"}
2021-01-23 12:09:11 History:【free.yaml】 Restore Successful
2021-01-23 12:08:48 Warning: OpenClash Start Successful, Please Note That Network May Abnormal With IPV6's DHCP Server
2021-01-23 12:09:12 History:【free.yaml】 Update Successful
2021-01-23 12:15:30 Config 【free】 Update Successful
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
There is a *.lan entry in the fake-ip blacklist; I commented it out and it still doesn't work. What's going on here?