vernesong / OpenClash

A Clash Client For OpenWrt
MIT License

Questions about tun mode and port forwarding #146

Closed love4taylor closed 3 years ago

love4taylor commented 4 years ago

With return-to-China rules and any tun mode, the ports set up for forwarding on the router cannot be reached from the outside. I forgot to capture the iptables tables.

vernesong commented 4 years ago

Do you mean the destination address is the WAN IP?

love4taylor commented 4 years ago

I mean accessing the mapped internal ports from the outside; the router's own ports, i.e. uhttpd remote management, work fine.

ip route:

default via 192.168.0.1 dev eth1 proto static src 192.168.0.2 
10.147.18.0/24 dev ztrfycdmqb proto kernel scope link src 10.147.18.62 
172.104.81.54 via 192.168.0.1 dev eth1 proto static 
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.2 
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1 
198.18.0.0/16 dev utun proto kernel scope link src 198.18.0.1 

iptables-save:

# Generated by iptables-save v1.8.3 on Thu Feb 13 01:14:21 2020
*nat
:PREROUTING ACCEPT [517:62904]
:INPUT ACCEPT [173:11284]
:OUTPUT ACCEPT [724:66622]
:POSTROUTING ACCEPT [1474:96185]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING ! -i lo -p tcp -m tcp --dport 53 -m comment --comment "DNS hijacking" -j REDIRECT --to-ports 53
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -m comment --comment "DNS hijacking" -j REDIRECT --to-ports 53
-A PREROUTING -d 公网IP/32 -p tcp -m tcp --dport 41144 -m comment --comment "TeamSpeak TSDNS" -j DNAT --to-destination 192.168.2.113
-A PREROUTING -d 公网IP/32 -p tcp -m tcp --dport 30033 -m comment --comment "TeamSpeak File Transfer" -j DNAT --to-destination 192.168.2.113
-A PREROUTING -d 公网IP/32 -p tcp -m tcp --dport 10022 -m comment --comment "TeamSpeak ServerQuery SSH" -j DNAT --to-destination 192.168.2.113
-A PREROUTING -d 公网IP/32 -p tcp -m tcp --dport 10011 -m comment --comment "TeamSpeak ServerQuery raw" -j DNAT --to-destination 192.168.2.113
-A PREROUTING -d 公网IP/32 -p udp -m udp --dport 9987 -m comment --comment "TeamSpeak Default" -j DNAT --to-destination 192.168.2.113
-A PREROUTING -d 公网IP/32 -p udp -m udp --dport 443 -m comment --comment HTTPS -j DNAT --to-destination 192.168.2.113
-A PREROUTING -d 公网IP/32 -p tcp -m tcp --dport 443 -m comment --comment HTTPS -j DNAT --to-destination 192.168.2.113
-A PREROUTING -d 公网IP/32 -p tcp -m tcp --dport 80 -m comment --comment HTTP -j DNAT --to-destination 192.168.2.113
-A PREROUTING -d 公网IP/32 -p tcp -m tcp --dport 22 -m comment --comment SSH -j DNAT --to-destination 192.168.2.113
-A PREROUTING -d 公网IP/32 -p udp -m udp --dport 3389 -m comment --comment RDP -j DNAT --to-destination 192.168.2.112
-A PREROUTING -d 公网IP/32 -p tcp -m tcp --dport 3389 -m comment --comment RDP -j DNAT --to-destination 192.168.2.112
-A PREROUTING -d 公网IP/32 -p tcp -m tcp --dport 1688 -m comment --comment KMS -j DNAT --to-destination 192.168.2.1:22
-A PREROUTING -d 公网IP/32 -p tcp -m tcp --dport 2222 -m comment --comment "Router SSH" -j DNAT --to-destination 192.168.2.1:22
-A PREROUTING -d 公网IP/32 -p tcp -m tcp --dport 9090 -m comment --comment "Clash Web" -j DNAT --to-destination 192.168.2.1
-A PREROUTING -d 公网IP/32 -p tcp -m tcp --dport 4443 -m comment --comment "Router HTTPS" -j DNAT --to-destination 192.168.2.1
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A MINIUPNPD -p tcp -m tcp --dport 36477 -j DNAT --to-destination 192.168.2.113:36477
-A MINIUPNPD -p udp -m udp --dport 38174 -j DNAT --to-destination 192.168.2.113:38174
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.112/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.112/32 -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.112/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP in School (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.112/32 -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP in School (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.113/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.113/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH in School (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.113/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.113/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.113/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.113/32 -p udp -m udp --dport 52520 -m comment --comment "!fw3: WireGuard (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.113/32 -p tcp -m tcp --dport 58850 -m comment --comment "!fw3: AnyConnect (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.113/32 -p udp -m udp --dport 58850 -m comment --comment "!fw3: AnyConnect (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.166/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: AndroidBuilder-SSH (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.113/32 -p udp -m udp --dport 9987 -m comment --comment "!fw3: TeamSpeak Default (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.113/32 -p tcp -m tcp --dport 10011 -m comment --comment "!fw3: TeamSpeak ServerQuery raw (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.113/32 -p tcp -m tcp --dport 10022 -m comment --comment "!fw3: TeamSpeak ServerQuery SSH (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.113/32 -p tcp -m tcp --dport 30033 -m comment --comment "!fw3: TeamSpeak File Transfer (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.113/32 -p tcp -m tcp --dport 41144 -m comment --comment "!fw3: TeamSpeak TSDNS (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.112/32 -p tcp -m tcp --dport 25565 -m comment --comment "!fw3: Minecraft (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.112/32 -p udp -m udp --dport 25565 -m comment --comment "!fw3: Minecraft (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.205/32 -p udp -m udp --dport 987 -m comment --comment "!fw3: PS4 (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.205/32 -p tcp -m tcp --dport 9295 -m comment --comment "!fw3: PS4 (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.205/32 -p udp -m udp --dport 9296 -m comment --comment "!fw3: PS4 (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.113/32 -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: KMS (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.113/32 -p tcp -m tcp --dport 52330 -m comment --comment "!fw3: HentaiAtHome (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.2.113/32 -p udp -m udp --dport 52330 -m comment --comment "!fw3: HentaiAtHome (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j DNAT --to-destination 192.168.2.112:3389
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j DNAT --to-destination 192.168.2.112:3389
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 587 -m comment --comment "!fw3: RDP in School (reflection)" -j DNAT --to-destination 192.168.2.112:3389
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p udp -m udp --dport 587 -m comment --comment "!fw3: RDP in School (reflection)" -j DNAT --to-destination 192.168.2.112:3389
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH (reflection)" -j DNAT --to-destination 192.168.2.113:22
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 465 -m comment --comment "!fw3: SSH in School (reflection)" -j DNAT --to-destination 192.168.2.113:22
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP (reflection)" -j DNAT --to-destination 192.168.2.113:80
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.2.113:443
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.2.113:443
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p udp -m udp --dport 52520 -m comment --comment "!fw3: WireGuard (reflection)" -j DNAT --to-destination 192.168.2.113:52520
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 58850 -m comment --comment "!fw3: AnyConnect (reflection)" -j DNAT --to-destination 192.168.2.113:58850
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p udp -m udp --dport 58850 -m comment --comment "!fw3: AnyConnect (reflection)" -j DNAT --to-destination 192.168.2.113:58850
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 2233 -m comment --comment "!fw3: AndroidBuilder-SSH (reflection)" -j DNAT --to-destination 192.168.2.166:22
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p udp -m udp --dport 9987 -m comment --comment "!fw3: TeamSpeak Default (reflection)" -j DNAT --to-destination 192.168.2.113:9987
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 10011 -m comment --comment "!fw3: TeamSpeak ServerQuery raw (reflection)" -j DNAT --to-destination 192.168.2.113:10011
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 10022 -m comment --comment "!fw3: TeamSpeak ServerQuery SSH (reflection)" -j DNAT --to-destination 192.168.2.113:10022
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 30033 -m comment --comment "!fw3: TeamSpeak File Transfer (reflection)" -j DNAT --to-destination 192.168.2.113:30033
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 41144 -m comment --comment "!fw3: TeamSpeak TSDNS (reflection)" -j DNAT --to-destination 192.168.2.113:41144
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 25565 -m comment --comment "!fw3: Minecraft (reflection)" -j DNAT --to-destination 192.168.2.112:25565
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p udp -m udp --dport 25565 -m comment --comment "!fw3: Minecraft (reflection)" -j DNAT --to-destination 192.168.2.112:25565
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p udp -m udp --dport 987 -m comment --comment "!fw3: PS4 (reflection)" -j DNAT --to-destination 192.168.2.205:987
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 9295 -m comment --comment "!fw3: PS4 (reflection)" -j DNAT --to-destination 192.168.2.205:9295
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p udp -m udp --dport 9296 -m comment --comment "!fw3: PS4 (reflection)" -j DNAT --to-destination 192.168.2.205:9296
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: KMS (reflection)" -j DNAT --to-destination 192.168.2.113:1688
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 52330 -m comment --comment "!fw3: HentaiAtHome (reflection)" -j DNAT --to-destination 192.168.2.113:52330
-A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.0.2/32 -p udp -m udp --dport 52330 -m comment --comment "!fw3: HentaiAtHome (reflection)" -j DNAT --to-destination 192.168.2.113:52330
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP" -j DNAT --to-destination 192.168.2.112:3389
-A zone_wan_prerouting -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP" -j DNAT --to-destination 192.168.2.112:3389
-A zone_wan_prerouting -p tcp -m tcp --dport 587 -m comment --comment "!fw3: RDP in School" -j DNAT --to-destination 192.168.2.112:3389
-A zone_wan_prerouting -p udp -m udp --dport 587 -m comment --comment "!fw3: RDP in School" -j DNAT --to-destination 192.168.2.112:3389
-A zone_wan_prerouting -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH" -j DNAT --to-destination 192.168.2.113:22
-A zone_wan_prerouting -p tcp -m tcp --dport 465 -m comment --comment "!fw3: SSH in School" -j DNAT --to-destination 192.168.2.113:22
-A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP" -j DNAT --to-destination 192.168.2.113:80
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS" -j DNAT --to-destination 192.168.2.113:443
-A zone_wan_prerouting -p udp -m udp --dport 443 -m comment --comment "!fw3: HTTPS" -j DNAT --to-destination 192.168.2.113:443
-A zone_wan_prerouting -p udp -m udp --dport 52520 -m comment --comment "!fw3: WireGuard" -j DNAT --to-destination 192.168.2.113:52520
-A zone_wan_prerouting -p tcp -m tcp --dport 58850 -m comment --comment "!fw3: AnyConnect" -j DNAT --to-destination 192.168.2.113:58850
-A zone_wan_prerouting -p udp -m udp --dport 58850 -m comment --comment "!fw3: AnyConnect" -j DNAT --to-destination 192.168.2.113:58850
-A zone_wan_prerouting -p tcp -m tcp --dport 2233 -m comment --comment "!fw3: AndroidBuilder-SSH" -j DNAT --to-destination 192.168.2.166:22
-A zone_wan_prerouting -p udp -m udp --dport 9987 -m comment --comment "!fw3: TeamSpeak Default" -j DNAT --to-destination 192.168.2.113:9987
-A zone_wan_prerouting -p tcp -m tcp --dport 10011 -m comment --comment "!fw3: TeamSpeak ServerQuery raw" -j DNAT --to-destination 192.168.2.113:10011
-A zone_wan_prerouting -p tcp -m tcp --dport 10022 -m comment --comment "!fw3: TeamSpeak ServerQuery SSH" -j DNAT --to-destination 192.168.2.113:10022
-A zone_wan_prerouting -p tcp -m tcp --dport 30033 -m comment --comment "!fw3: TeamSpeak File Transfer" -j DNAT --to-destination 192.168.2.113:30033
-A zone_wan_prerouting -p tcp -m tcp --dport 41144 -m comment --comment "!fw3: TeamSpeak TSDNS" -j DNAT --to-destination 192.168.2.113:41144
-A zone_wan_prerouting -p tcp -m tcp --dport 25565 -m comment --comment "!fw3: Minecraft" -j DNAT --to-destination 192.168.2.112:25565
-A zone_wan_prerouting -p udp -m udp --dport 25565 -m comment --comment "!fw3: Minecraft" -j DNAT --to-destination 192.168.2.112:25565
-A zone_wan_prerouting -p udp -m udp --dport 987 -m comment --comment "!fw3: PS4" -j DNAT --to-destination 192.168.2.205:987
-A zone_wan_prerouting -p tcp -m tcp --dport 9295 -m comment --comment "!fw3: PS4" -j DNAT --to-destination 192.168.2.205:9295
-A zone_wan_prerouting -p udp -m udp --dport 9296 -m comment --comment "!fw3: PS4" -j DNAT --to-destination 192.168.2.205:9296
-A zone_wan_prerouting -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: KMS" -j DNAT --to-destination 192.168.2.113:1688
-A zone_wan_prerouting -p tcp -m tcp --dport 52330 -m comment --comment "!fw3: HentaiAtHome" -j DNAT --to-destination 192.168.2.113:52330
-A zone_wan_prerouting -p udp -m udp --dport 52330 -m comment --comment "!fw3: HentaiAtHome" -j DNAT --to-destination 192.168.2.113:52330
-A zone_wan_prerouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Thu Feb 13 01:14:21 2020
# Generated by iptables-save v1.8.3 on Thu Feb 13 01:14:21 2020
*mangle
:PREROUTING ACCEPT [13528:29486494]
:INPUT ACCEPT [8998:29186721]
:FORWARD ACCEPT [4370:261748]
:OUTPUT ACCEPT [6557:2168704]
:POSTROUTING ACCEPT [10899:2429332]
:openclash - [0:0]
-A PREROUTING -m set ! --match-set localnetwork dst -j MARK --set-xmark 0x162/0xffffffff
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j openclash
-A openclash -p tcp -m set --match-set router dst -j MARK --set-xmark 0x162/0xffffffff
-A openclash -m set --match-set localnetwork dst -j RETURN
COMMIT
# Completed on Thu Feb 13 01:14:21 2020
# Generated by iptables-save v1.8.3 on Thu Feb 13 01:14:21 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [281:20312]
:OUTPUT ACCEPT [234:38610]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A MINIUPNPD -d 192.168.2.113/32 -p tcp -m tcp --dport 36477 -j ACCEPT
-A MINIUPNPD -d 192.168.2.113/32 -p udp -m udp --dport 38174 -j ACCEPT
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 52510 -m comment --comment "!fw3: WireGuard-Router" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: Router SSH" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 4443 -m comment --comment "!fw3: Router HTTPS" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Feb 13 01:14:21 2020
vernesong commented 4 years ago

Check whether ipset list localnetwork contains the public IP.

love4taylor commented 4 years ago

root@WRT1900AC:~# ipset list localnetwork
Name: localnetwork
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 760
References: 2
Number of entries: 8
Members:
224.0.0.0/4
10.0.0.0/8
127.0.0.0/8
240.0.0.0/4
192.168.0.0/16
192.168.0.2
169.254.0.0/16
172.16.0.0/12

The network layout is: client (in China) -- China-Japan international cable -- optical modem -- ISP router (DMZ enabled; cannot be replaced because 802.1X authentication is required) -- WRT1900AC (port mapping) -- server (internal IP). 192.168.0.2 is the WAN IP of the WRT1900AC.
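To make concrete what the `ipset list localnetwork` check above is probing, here is an added Python example (mine, not code from OpenClash or from this thread). It parses the posted ipset members and emulates the mangle PREROUTING rule from the posted dump, `-m set ! --match-set localnetwork dst -j MARK --set-xmark 0x162`, against both directions of a port-forwarded connection. The WAN IP 192.168.0.2 and the server 192.168.2.113 are the addresses given in the thread; the client address 203.0.113.10 is a constructed documentation address. With the posted set, the inbound packet to the WAN IP is not marked, but the server's reply to the public client is, because its destination is outside every member of the set.

```python
import ipaddress

# Constructed sample: the `ipset list localnetwork` output posted in the thread.
IPSET_LIST = """\
Name: localnetwork
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 760
References: 2
Number of entries: 8
Members:
224.0.0.0/4
10.0.0.0/8
127.0.0.0/8
240.0.0.0/4
192.168.0.0/16
192.168.0.2
169.254.0.0/16
172.16.0.0/12
"""

# fwmark set by the posted rule: -m set ! --match-set localnetwork dst -j MARK --set-xmark 0x162
MARK = 0x162


def parse_ipset_members(text):
    """Return the member networks of an `ipset list` dump (hash:net family).

    A bare address such as 192.168.0.2 is a /32 host entry.
    """
    members = []
    in_members = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Members:":
            in_members = True
            continue
        if in_members and line:
            members.append(ipaddress.ip_network(line, strict=False))
    return members


def in_set(addr, members):
    """True if `addr` falls inside any member of the set (what `--match-set ... dst` tests)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in members)


def mark_for_packet(src, dst, members):
    """Emulate the mangle PREROUTING rule: a packet whose *destination* is not in
    localnetwork receives fwmark 0x162 (and is then policy-routed into the tun).
    The source address plays no part in that rule."""
    return 0 if in_set(dst, members) else MARK


def trace_port_forward(client_ip, wan_ip, server_ip, members):
    """Mark seen by each direction of a DNAT'ed connection in mangle PREROUTING.

    inbound: client -> wan_ip (the DNAT to the server happens later, in nat PREROUTING)
    reply:   server -> client (this packet enters PREROUTING again on the LAN side)
    """
    return {
        "inbound": mark_for_packet(client_ip, wan_ip, members),
        "reply": mark_for_packet(server_ip, client_ip, members),
    }


if __name__ == "__main__":
    members = parse_ipset_members(IPSET_LIST)
    # 203.0.113.10 is a constructed documentation address standing in for the public client.
    result = trace_port_forward("203.0.113.10", "192.168.0.2", "192.168.2.113", members)
    for direction, mark in result.items():
        print(f"{direction:8s} fwmark=0x{mark:x}")
```

The script only models the one MARK rule from the posted mangle table; it is a way to reason about which leg of a forwarded connection ends up in the tun, not a replacement for `conntrack` or `tcpdump` on the router.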

vernesong commented 4 years ago

That is odd; this traffic is not actually being marked. Is there anything in the clash log?

love4taylor commented 4 years ago

~Solved (probably).~ ~On a guess I removed the line - SRC-IP-CIDR,192.168.2.113/32,DIRECT from the config and it worked, which is really annoying.~ Actually no: it worked for a few seconds and then the problem came back. With debug on, the log only shows a pile of connect: connection refused and i/o timeout.

vernesong commented 4 years ago

First confirm whether traffic to 192.168.2.113 reaches clash at all; normally it would not pass through clash. If it does reach clash, use - IP-CIDR,192.168.2.113/32,DIRECT instead of - SRC-IP-CIDR,192.168.2.113/32,DIRECT

love4taylor commented 4 years ago

I cannot see the IP of my client in China in the clash log, so it probably is not going through clash? Also, SRC-IP-CIDR is just a rule I set earlier so the server would not go through the return-to-China proxy; even with IP-CIDR it does not connect. (I updated the description above.)

vernesong commented 4 years ago

I have not found where the problem is. If there is a log, the traffic is said to be sent from 192.168.0.2 with destination 192.168.2.113; you can trace the route to look for the problem.

vernesong commented 4 years ago

If SRC-IP-CIDR does not work, the only option is to bypass that machine. After starting, try the following rule and make sure it is the first one: iptables -t mangle -I PREROUTING -s 192.168.2.113 -j RETURN

love4taylor commented 4 years ago

That is the only option for now.

vernesong commented 4 years ago

ISP router (port forwarding) -> WRT1900AC (port mapping) -> server (internal IP)

rikki commented 4 years ago

Check whether ipset list localnetwork contains the public IP.

I have the same issue here. The localnetwork list has one line that is the current public IP. How should this be handled?

vernesong commented 4 years ago

In the mangle table, RETURN the traffic whose destination is a WAN forwarded port.
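As an added example (mine, not code from this thread or from OpenClash), the following Python script turns the two suggestions above into rules generated from the posted nat table rather than typed by hand. It reads the DNAT rules in the zone_wan_prerouting chain and emits, for each forward, one mangle PREROUTING RETURN rule for packets arriving on the WAN interface for the forwarded port (the final suggestion) and one for the replies the backend sends from the forwarded port (the `-s 192.168.2.113 -j RETURN` suggestion, narrowed to the backend port so only that service is exempted). The sample dump is four lines copied from the thread; `eth1` is the WAN interface from the posted ip route output; the chain name is a parameter because the thread's custom PREROUTING redirects use the same DNAT target.

```python
import re
from collections import OrderedDict

# Constructed sample: DNAT lines of the shape posted in the thread's iptables-save
# output (nat table, zone_wan_prerouting chain), plus one non-DNAT line to skip.
NAT_DUMP = """\
*nat
-A zone_wan_prerouting -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP" -j DNAT --to-destination 192.168.2.112:3389
-A zone_wan_prerouting -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP" -j DNAT --to-destination 192.168.2.112:3389
-A zone_wan_prerouting -p tcp -m tcp --dport 587 -m comment --comment "!fw3: RDP in School" -j DNAT --to-destination 192.168.2.112:3389
-A zone_wan_prerouting -p tcp -m tcp --dport 2233 -m comment --comment "!fw3: AndroidBuilder-SSH" -j DNAT --to-destination 192.168.2.166:22
-A zone_wan_prerouting -m comment --comment "!fw3" -j FULLCONENAT
COMMIT
"""


def parse_forwards(dump, chain="zone_wan_prerouting"):
    """Return (proto, wan_dport, server_ip, server_port) for every DNAT rule in `chain`.

    A --to-destination without an explicit port keeps the original destination port.
    """
    dnat_re = re.compile(
        rf"^-A {re.escape(chain)} .*?-p (?P<proto>tcp|udp) .*?--dport (?P<dport>\d+) "
        r".*?-j DNAT --to-destination (?P<ip>[\d.]+)(?::(?P<port>\d+))?"
    )
    forwards = []
    for line in dump.splitlines():
        m = dnat_re.match(line)
        if m:
            port = m.group("port") or m.group("dport")
            forwards.append((m.group("proto"), int(m.group("dport")), m.group("ip"), int(port)))
    return forwards


def return_rules(forwards, wan_if="eth1"):
    """Build mangle PREROUTING RETURN rules that keep forwarded connections out of the
    fwmark. `-I` inserts each rule at the top, in front of the MARK rule.

    - inbound rule: packets arriving on the WAN interface for a forwarded port
    - reply rule:   packets the backend sends from the port it was forwarded to

    Several forwards can share one backend port (587 and 3389 both reach
    192.168.2.112:3389 above), so duplicate rules are collapsed.
    """
    rules = OrderedDict()
    for proto, dport, ip, port in forwards:
        inbound = f"iptables -t mangle -I PREROUTING -i {wan_if} -p {proto} --dport {dport} -j RETURN"
        reply = f"iptables -t mangle -I PREROUTING -s {ip} -p {proto} --sport {port} -j RETURN"
        rules[inbound] = None
        rules[reply] = None
    return list(rules)


if __name__ == "__main__":
    for rule in return_rules(parse_forwards(NAT_DUMP)):
        print(rule)
```

Run it against a real `iptables-save` dump (`iptables-save | python3 gen_return.py` with `NAT_DUMP` replaced by `sys.stdin.read()`) and review the printed commands before applying them; as the thread notes, they have to be added after OpenClash has started so that they sit in front of its MARK rule.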