vernesong
commented
2 years ago 调试日志,我看看防火墙
Closed DKingAlpha closed 2 years ago
vernesong
commented
2 years ago 调试日志,我看看防火墙
DKingAlpha
commented
2 years ago 开启clash,且开启UDP流量转发功能。防火墙设置转发27015到内网机器192.168.1.xx。
内网机器192.168.1.xx监听27015。VPS访问
OpenClash 调试日志
生成时间: 2022-02-18 00:43:02 插件版本: v0.44.25-beta
#===================== 系统信息 =====================#
主机型号: Microsoft Corporation Virtual Machine
固件版本: OpenWrt 21.02.1 r16325-88151b8303
LuCI版本: git-20.074.84698-ead5e81
内核版本: 5.4.154
处理器架构: x86_64
#此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: server
#此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874
#===================== 依赖检查 =====================#
dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
iptables-mod-tproxy: 已安装
kmod-ipt-tproxy: 已安装
iptables-mod-extra: 已安装
kmod-ipt-extra: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
ruby-dbm: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci-19.07): 已安装
#===================== 内核检查 =====================#
运行状态: 运行中
进程pid: 18078
运行权限: 18078: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_resource=eip
运行用户:
已选择的架构: linux-amd64
#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2022.01.27
Tun内核文件: 存在
Tun内核运行权限: 正常
Dev内核版本: v1.9.0-7-gb1a639f
Dev内核文件: 存在
Dev内核运行权限: 正常
#===================== 插件设置 =====================#
当前配置文件: /etc/openclash/config/TigerCloud.yaml
启动配置文件: /etc/openclash/TigerCloud.yaml
运行模式: redir-host
默认代理模式: rule
UDP流量转发(tproxy): 启用
DNS劫持: 启用
自定义DNS: 停用
IPV6代理: 启用
IPV6-DNS解析: 启用
禁用Dnsmasq缓存: 停用
自定义规则: 停用
仅允许内网: 停用
仅代理命中规则流量: 停用
仅允许常用端口流量: 停用
绕过中国大陆IP: 停用
DNS远程解析: 启用
#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用
#启动异常时建议关闭此项后重试
第三方规则: 停用
#===================== 配置文件 =====================#
port: 7890
socks-port: 7891
allow-lan: true
mode: rule
log-level: silent
external-controller: 0.0.0.0:9090
proxy-groups:
略
#===================== 防火墙设置 =====================#
#IPv4 NAT chain
# Generated by iptables-save v1.8.7 on Fri Feb 18 00:43:03 2022
*nat
:PREROUTING ACCEPT [323160:19492786]
:INPUT ACCEPT [1961:204120]
:OUTPUT ACCEPT [5438:344764]
:POSTROUTING ACCEPT [989:61119]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:openclash - [0:0]
:openclash_output - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -d 8.8.4.4/32 -p tcp -m comment --comment "OpenClash Google DNS Hijack" -m tcp --dport 53 -j REDIRECT --to-ports 7892
-A PREROUTING -d 8.8.8.8/32 -p tcp -m comment --comment "OpenClash Google DNS Hijack" -m tcp --dport 53 -j REDIRECT --to-ports 7892
-A PREROUTING -p tcp -m tcp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -p tcp -j openclash
-A OUTPUT -j openclash_output
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
-A openclash_output -p tcp -m tcp --sport 33890 -j RETURN
-A openclash_output -p tcp -m tcp --sport 44333 -j RETURN
-A openclash_output -p tcp -m tcp --sport 32400 -j RETURN
-A openclash_output -p tcp -m tcp --sport 5353 -j RETURN
-A openclash_output -p tcp -m tcp --sport 7777 -j RETURN
-A openclash_output -p tcp -m tcp --sport 9 -j RETURN
-A openclash_output -p tcp -m tcp --sport 3389 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.86/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.86/32 -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.100/32 -p tcp -m tcp --dport 9 -m comment --comment "!fw3: WOL (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.100/32 -p udp -m udp --dport 9 -m comment --comment "!fw3: WOL (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.86/32 -p tcp -m tcp --dport 27015:27030 -m comment --comment "!fw3: ARK (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.86/32 -p udp -m udp --dport 27015:27030 -m comment --comment "!fw3: ARK (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.86/32 -p tcp -m tcp --dport 7777 -m comment --comment "!fw3: ARK2 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.86/32 -p udp -m udp --dport 7777 -m comment --comment "!fw3: ARK2 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.100/32 -p tcp -m tcp --dport 47984:48010 -m comment --comment "!fw3: Moonlight (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.100/32 -p udp -m udp --dport 47984:48010 -m comment --comment "!fw3: Moonlight (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.100/32 -p tcp -m tcp --dport 5353 -m comment --comment "!fw3: Moonlight2 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.100/32 -p udp -m udp --dport 5353 -m comment --comment "!fw3: Moonlight2 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.86/32 -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: PLEX (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.86/32 -p udp -m udp --dport 32400 -m comment --comment "!fw3: PLEX (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.1/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: RemoteHttps (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.1/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: RemoteHttps (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.86/32 -p tcp -m tcp --dport 2302:2306 -m comment --comment "!fw3: ARMA3-Client (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.86/32 -p udp -m udp --dport 2302:2306 -m comment --comment "!fw3: ARMA3-Client (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.86/32 -p tcp -m tcp --dport 2344:2345 -m comment --comment "!fw3: ARMA3-BE (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.86/32 -p udp -m udp --dport 2344:2345 -m comment --comment "!fw3: ARMA3-BE (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.100/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP PC (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.100/32 -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP PC (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.86/32 -p udp -m udp --dport 37015:37020 -m comment --comment "!fw3: APEX (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j DNAT --to-destination 192.168.1.86:3389
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j DNAT --to-destination 192.168.1.86:3389
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p tcp -m tcp --dport 9 -m comment --comment "!fw3: WOL (reflection)" -j DNAT --to-destination 192.168.1.100:9
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p udp -m udp --dport 9 -m comment --comment "!fw3: WOL (reflection)" -j DNAT --to-destination 192.168.1.100:9
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p tcp -m tcp --dport 27015:27030 -m comment --comment "!fw3: ARK (reflection)" -j DNAT --to-destination 192.168.1.86:27015-27030
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p udp -m udp --dport 27015:27030 -m comment --comment "!fw3: ARK (reflection)" -j DNAT --to-destination 192.168.1.86:27015-27030
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p tcp -m tcp --dport 7777 -m comment --comment "!fw3: ARK2 (reflection)" -j DNAT --to-destination 192.168.1.86:7777
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p udp -m udp --dport 7777 -m comment --comment "!fw3: ARK2 (reflection)" -j DNAT --to-destination 192.168.1.86:7777
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p tcp -m tcp --dport 47984:48010 -m comment --comment "!fw3: Moonlight (reflection)" -j DNAT --to-destination 192.168.1.100:47984-48010
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p udp -m udp --dport 47984:48010 -m comment --comment "!fw3: Moonlight (reflection)" -j DNAT --to-destination 192.168.1.100:47984-48010
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p tcp -m tcp --dport 5353 -m comment --comment "!fw3: Moonlight2 (reflection)" -j DNAT --to-destination 192.168.1.100:5353
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p udp -m udp --dport 5353 -m comment --comment "!fw3: Moonlight2 (reflection)" -j DNAT --to-destination 192.168.1.100:5353
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: PLEX (reflection)" -j DNAT --to-destination 192.168.1.86:32400
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p udp -m udp --dport 32400 -m comment --comment "!fw3: PLEX (reflection)" -j DNAT --to-destination 192.168.1.86:32400
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p tcp -m tcp --dport 44333 -m comment --comment "!fw3: RemoteHttps (reflection)" -j DNAT --to-destination 192.168.1.1:443
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p udp -m udp --dport 44333 -m comment --comment "!fw3: RemoteHttps (reflection)" -j DNAT --to-destination 192.168.1.1:443
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p tcp -m tcp --dport 2302:2306 -m comment --comment "!fw3: ARMA3-Client (reflection)" -j DNAT --to-destination 192.168.1.86:2302-2306
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p udp -m udp --dport 2302:2306 -m comment --comment "!fw3: ARMA3-Client (reflection)" -j DNAT --to-destination 192.168.1.86:2302-2306
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p tcp -m tcp --dport 2344:2345 -m comment --comment "!fw3: ARMA3-BE (reflection)" -j DNAT --to-destination 192.168.1.86:2344-2345
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p udp -m udp --dport 2344:2345 -m comment --comment "!fw3: ARMA3-BE (reflection)" -j DNAT --to-destination 192.168.1.86:2344-2345
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p tcp -m tcp --dport 33890 -m comment --comment "!fw3: RDP PC (reflection)" -j DNAT --to-destination 192.168.1.100:3389
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p udp -m udp --dport 33890 -m comment --comment "!fw3: RDP PC (reflection)" -j DNAT --to-destination 192.168.1.100:3389
-A zone_lan_prerouting -s 192.168.1.0/24 -d <WAN_PUBLIC_IP>/32 -p udp -m udp --dport 37015:37020 -m comment --comment "!fw3: APEX (reflection)" -j DNAT --to-destination 192.168.1.86:37015-37020
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP" -j DNAT --to-destination 192.168.1.86:3389
-A zone_wan_prerouting -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP" -j DNAT --to-destination 192.168.1.86:3389
-A zone_wan_prerouting -p tcp -m tcp --dport 9 -m comment --comment "!fw3: WOL" -j DNAT --to-destination 192.168.1.100:9
-A zone_wan_prerouting -p udp -m udp --dport 9 -m comment --comment "!fw3: WOL" -j DNAT --to-destination 192.168.1.100:9
-A zone_wan_prerouting -p tcp -m tcp --dport 27015:27030 -m comment --comment "!fw3: ARK" -j DNAT --to-destination 192.168.1.86:27015-27030
-A zone_wan_prerouting -p udp -m udp --dport 27015:27030 -m comment --comment "!fw3: ARK" -j DNAT --to-destination 192.168.1.86:27015-27030
-A zone_wan_prerouting -p tcp -m tcp --dport 7777 -m comment --comment "!fw3: ARK2" -j DNAT --to-destination 192.168.1.86:7777
-A zone_wan_prerouting -p udp -m udp --dport 7777 -m comment --comment "!fw3: ARK2" -j DNAT --to-destination 192.168.1.86:7777
-A zone_wan_prerouting -p tcp -m tcp --dport 47984:48010 -m comment --comment "!fw3: Moonlight" -j DNAT --to-destination 192.168.1.100:47984-48010
-A zone_wan_prerouting -p udp -m udp --dport 47984:48010 -m comment --comment "!fw3: Moonlight" -j DNAT --to-destination 192.168.1.100:47984-48010
-A zone_wan_prerouting -p tcp -m tcp --dport 5353 -m comment --comment "!fw3: Moonlight2" -j DNAT --to-destination 192.168.1.100:5353
-A zone_wan_prerouting -p udp -m udp --dport 5353 -m comment --comment "!fw3: Moonlight2" -j DNAT --to-destination 192.168.1.100:5353
-A zone_wan_prerouting -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: PLEX" -j DNAT --to-destination 192.168.1.86:32400
-A zone_wan_prerouting -p udp -m udp --dport 32400 -m comment --comment "!fw3: PLEX" -j DNAT --to-destination 192.168.1.86:32400
-A zone_wan_prerouting -p tcp -m tcp --dport 44333 -m comment --comment "!fw3: RemoteHttps" -j DNAT --to-destination 192.168.1.1:443
-A zone_wan_prerouting -p udp -m udp --dport 44333 -m comment --comment "!fw3: RemoteHttps" -j DNAT --to-destination 192.168.1.1:443
-A zone_wan_prerouting -p tcp -m tcp --dport 2302:2306 -m comment --comment "!fw3: ARMA3-Client" -j DNAT --to-destination 192.168.1.86:2302-2306
-A zone_wan_prerouting -p udp -m udp --dport 2302:2306 -m comment --comment "!fw3: ARMA3-Client" -j DNAT --to-destination 192.168.1.86:2302-2306
-A zone_wan_prerouting -p tcp -m tcp --dport 2344:2345 -m comment --comment "!fw3: ARMA3-BE" -j DNAT --to-destination 192.168.1.86:2344-2345
-A zone_wan_prerouting -p udp -m udp --dport 2344:2345 -m comment --comment "!fw3: ARMA3-BE" -j DNAT --to-destination 192.168.1.86:2344-2345
-A zone_wan_prerouting -p tcp -m tcp --dport 33890 -m comment --comment "!fw3: RDP PC" -j DNAT --to-destination 192.168.1.100:3389
-A zone_wan_prerouting -p udp -m udp --dport 33890 -m comment --comment "!fw3: RDP PC" -j DNAT --to-destination 192.168.1.100:3389
-A zone_wan_prerouting -p udp -m udp --dport 37015:37020 -m comment --comment "!fw3: APEX" -j DNAT --to-destination 192.168.1.86:37015-37020
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Fri Feb 18 00:43:03 2022
#IPv4 Mangle chain
# Generated by iptables-save v1.8.7 on Fri Feb 18 00:43:03 2022
*mangle
:PREROUTING ACCEPT [374785:30525795]
:INPUT ACCEPT [371337:29109233]
:FORWARD ACCEPT [5576:1591574]
:OUTPUT ACCEPT [49687:15792693]
:POSTROUTING ACCEPT [55148:17379390]
:openclash - [0:0]
-A PREROUTING -p udp -j openclash
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A openclash -p udp -m udp --sport 500 -j RETURN
-A openclash -p udp -m udp --sport 68 -j RETURN
-A openclash -p udp -m udp --dport 33890 -j RETURN
-A openclash -p udp -m udp --dport 44333 -j RETURN
-A openclash -p udp -m udp --dport 32400 -j RETURN
-A openclash -p udp -m udp --dport 5353 -j RETURN
-A openclash -p udp -m udp --dport 7777 -j RETURN
-A openclash -p udp -m udp --dport 9 -j RETURN
-A openclash -p udp -m udp --dport 3389 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p udp -m udp --dport 53 -j RETURN
-A openclash -p udp -j TPROXY --on-port 7892 --on-ip 0.0.0.0 --tproxy-mark 0x162/0xffffffff
COMMIT
# Completed on Fri Feb 18 00:43:03 2022
#IPv6 NAT chain
#IPv6 Mangle chain
# Generated by ip6tables-save v1.8.7 on Fri Feb 18 00:43:03 2022
*mangle
:PREROUTING ACCEPT [2504:358293]
:INPUT ACCEPT [3250:410534]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5846:1859811]
:POSTROUTING ACCEPT [5828:1858731]
:openclash - [0:0]
:openclash_output - [0:0]
-A PREROUTING -j openclash
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j openclash_output
-A openclash -p udp -m udp --sport 500 -j RETURN
-A openclash -s fc00::/6 -p udp -m udp --sport 546 -j RETURN
-A openclash -p udp -m udp --dport 33890 -j RETURN
-A openclash -p tcp -m tcp --dport 33890 -j RETURN
-A openclash -p udp -m udp --dport 44333 -j RETURN
-A openclash -p tcp -m tcp --dport 44333 -j RETURN
-A openclash -p udp -m udp --dport 32400 -j RETURN
-A openclash -p tcp -m tcp --dport 32400 -j RETURN
-A openclash -p udp -m udp --dport 5353 -j RETURN
-A openclash -p tcp -m tcp --dport 5353 -j RETURN
-A openclash -p udp -m udp --dport 7777 -j RETURN
-A openclash -p tcp -m tcp --dport 7777 -j RETURN
-A openclash -p udp -m udp --dport 9 -j RETURN
-A openclash -p tcp -m tcp --dport 9 -j RETURN
-A openclash -p udp -m udp --dport 3389 -j RETURN
-A openclash -p tcp -m tcp --dport 3389 -j RETURN
-A openclash -m set --match-set localnetwork6 dst -j RETURN
-A openclash -p tcp -m comment --comment "OpenClash TCP Mark" -j TPROXY --on-port 7895 --on-ip :: --tproxy-mark 0x162/0xffffffff
-A openclash -p udp -m comment --comment OpenClash -j TPROXY --on-port 7895 --on-ip :: --tproxy-mark 0x162/0xffffffff
-A openclash_output -p udp -m udp --sport 500 -j RETURN
-A openclash_output -p udp -m udp --sport 546 -j RETURN
-A openclash_output -p udp -m udp --sport 33890 -j RETURN
-A openclash_output -p tcp -m tcp --sport 33890 -j RETURN
-A openclash_output -p udp -m udp --sport 44333 -j RETURN
-A openclash_output -p tcp -m tcp --sport 44333 -j RETURN
-A openclash_output -p udp -m udp --sport 32400 -j RETURN
-A openclash_output -p tcp -m tcp --sport 32400 -j RETURN
-A openclash_output -p udp -m udp --sport 5353 -j RETURN
-A openclash_output -p tcp -m tcp --sport 5353 -j RETURN
-A openclash_output -p udp -m udp --sport 7777 -j RETURN
-A openclash_output -p tcp -m tcp --sport 7777 -j RETURN
-A openclash_output -p udp -m udp --sport 9 -j RETURN
-A openclash_output -p tcp -m tcp --sport 9 -j RETURN
-A openclash_output -p udp -m udp --sport 3389 -j RETURN
-A openclash_output -p tcp -m tcp --sport 3389 -j RETURN
-A openclash_output -m set --match-set localnetwork6 dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j MARK --set-xmark 0x162/0xffffffff
-A openclash_output -p udp -m owner ! --uid-owner 65534 -j MARK --set-xmark 0x162/0xffffffff
COMMIT
# Completed on Fri Feb 18 00:43:03 2022
#===================== IPSET状态 =====================#
Name: china_ip_route
Name: localnetwork
Name: china_ip6_route
Name: localnetwork6
#===================== 路由表状态 =====================#
#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 <GATEWAY_IP> 0.0.0.0 UG 0 0 0 pppoe-wan
<GATEWAY_IP> 0.0.0.0 255.255.255.255 UH 0 0 0 pppoe-wan
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
#ip route list
default via <GATEWAY_IP> dev pppoe-wan proto static
<GATEWAY_IP> dev pppoe-wan proto kernel scope link src <WAN_PUBLIC_IP>
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
#ip rule show
0: from all lookup local
32765: from all fwmark 0x162 lookup 354
32766: from all lookup main
32767: from all lookup default
#===================== 端口占用状态 =====================#
tcp 0 0 198.18.0.1:7777 0.0.0.0:* LISTEN 18078/clash
tcp 0 0 :::7891 :::* LISTEN 18078/clash
tcp 0 0 :::7892 :::* LISTEN 18078/clash
tcp 0 0 :::7893 :::* LISTEN 18078/clash
tcp 0 0 :::7895 :::* LISTEN 18078/clash
tcp 0 0 :::9090 :::* LISTEN 18078/clash
tcp 0 0 :::7890 :::* LISTEN 18078/clash
udp 0 0 198.18.0.1:7777 0.0.0.0:* 18078/clash
udp 0 0 :::33827 :::* 18078/clash
udp 0 0 :::60479 :::* 18078/clash
udp 0 0 :::40384 :::* 18078/clash
udp 0 0 :::7874 :::* 18078/clash
udp 0 0 :::7891 :::* 18078/clash
udp 0 0 :::7892 :::* 18078/clash
udp 0 0 :::7893 :::* 18078/clash
udp 0 0 :::7895 :::* 18078/clash
udp 0 0 :::41711 :::* 18078/clash
#===================== 测试本机DNS查询 =====================#
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: www.baidu.com
www.baidu.com canonical name = www.a.shifen.com
Name: www.a.shifen.com
Address 1: 14.215.177.39
Address 2: 14.215.177.38
www.baidu.com canonical name = www.a.shifen.com
#===================== resolv.conf.d =====================#
# Interface wan
nameserver 202.96.134.133
nameserver 202.96.128.166
# Interface wan_6
nameserver 240e:1f:1::1
#===================== 测试本机网络连接 =====================#
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Thu, 17 Feb 2022 16:43:04 GMT
Etag: "575e1f72-115"
Last-Modified: Mon, 13 Jun 2016 02:50:26 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
#===================== 测试本机网络下载 =====================#
HTTP/2 200
cache-control: max-age=300
content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
content-type: text/plain; charset=utf-8
etag: "3328243d8f1fb3169128dad81c6d1fd2a760927ffe06628758cff1449a1028fd"
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block
x-github-request-id: 3CC2:3495:18E893:294935:62097C72
accept-ranges: bytes
date: Thu, 17 Feb 2022 16:43:05 GMT
via: 1.1 varnish
x-served-by: cache-hkg17932-HKG
x-cache: HIT
x-cache-hits: 1
x-timer: S1645116185.111277,VS0,VE1
vary: Authorization,Accept-Encoding,Origin
access-control-allow-origin: *
x-fastly-request-id: 5666ae05c159293177d57add2e753391afc05ece
expires: Thu, 17 Feb 2022 16:48:05 GMT
source-age: 183
content-length: 80
#===================== 最近运行日志 =====================#
time="2022-02-17T16:42:44Z" level=info msg="[UDP] <WAN_PUBLIC_IP>:27015 --> <VPS_IP>:55008 match GeoIP(CN) using 🎯 全球直连[DIRECT]"
#===================== 活动连接信息 =====================#
12. SourceIP:【<WAN_PUBLIC_IP>】 - Host:【Empty】 - DestinationIP:【<VPS_IP>】 - Network:【udp】 - RulePayload:【CN】 - Lastchain:【DIRECT】
复现步骤:
nc -vulp 33333nc -vu S_ADDRESS 33333关闭clash: C->S 成功, S->C 成功 开启clash,且开启UDP流量转发功能:C->S成功,S->C失败 开启clash,且关闭UDP流量转发功能:C->S成功,S->C成功
yacd面板可以看到开启UDP流量转发功能后,udp回包经过了clash,规则DIRECT。
openwrt本机作为S直接监听udp端口,表现一切正常。排除了网络环境因素。