vernesong / OpenClash

A Clash Client For OpenWrt
MIT License

Occasional log message about resetting OpenClash firewall rules #2400

Closed 771695775 closed 2 years ago

771695775 commented 2 years ago

I don't know whether this has any effect; I don't think it used to do this before. Not sure what's causing it? (screenshot: QQ截图20220520221009)

OpenClash debug log

Generated at: 2022-05-20 22:12:19 Plugin version: Privacy notice: before uploading this log, check for and mask sensitive information such as public IPs, node details and passwords



#===================== System Information =====================#

Host model: Phicomm N1
Firmware version: OpenWrt SNAPSHOT r4507-6a5775c5c
LuCI version: git-22.121.65028-2a5da72-1
Kernel version: 5.17.6-flippy-72+
CPU architecture: aarch64_cortex-a53

#If this has a value and you do not use IPv6, it is recommended to disable IPv6 DHCP under Network - Interfaces - lan
IPV6-DHCP: 

#This should contain only the DNS listen address from the config file
Dnsmasq forwarding setting: 127.0.0.1#1314

#===================== Dependency Check =====================#

dnsmasq-full: installed
coreutils: installed
coreutils-nohup: installed
bash: installed
curl: installed
ca-certificates: installed
ipset: installed
ip-full: installed
iptables-mod-tproxy: installed
kmod-ipt-tproxy: installed
iptables-mod-extra: installed
kmod-ipt-extra: installed
libcap: installed
libcap-bin: installed
ruby: installed
ruby-yaml: installed
ruby-psych: installed
ruby-pstore: installed
ruby-dbm: not installed
kmod-tun (TUN mode): installed
luci-compat (LuCI 19.07): installed
kmod-inet-diag (PROCESS-NAME): installed

#===================== Core Check =====================#

Status: running
Process PID: 13449
Capabilities: 13449: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_sys_resource=eip
Running as user: nobody
Selected architecture: linux-armv8

#If the core version cannot be displayed below, check that your core version is correct and that the file is executable
Tun core version: 2022.04.17
Tun core file: present
Tun core execute permission: OK

Dev core version: v1.10.6
Dev core file: present
Dev core execute permission: OK
Meta core version: alpha-g7136d14
Meta core file: present
Meta core execute permission: OK

#===================== Plugin Settings =====================#

Current config file: /etc/openclash/config/Fly Airport.yaml
Startup config file: /etc/openclash/Fly Airport.yaml
Running mode: redir-host
Default proxy mode: rule
UDP traffic forwarding (tproxy): disabled
DNS hijack: disabled
Custom DNS: enabled
IPv6 proxy: disabled
IPv6 DNS resolution: disabled
Disable dnsmasq cache: enabled
Custom rules: enabled
Only allow internal network: enabled
Only proxy traffic that matches rules: enabled
Only allow common-port traffic: enabled
Bypass mainland China IPs: enabled
Remote DNS resolution: enabled
Proxy the router's own traffic: disabled

#If startup fails, try disabling this option
Mixed nodes: disabled
Keep config: disabled

#If startup fails, try disabling this option
Third-party rules: disabled

#===================== Custom Rules 1 =====================#
script:
##  shortcuts:
##    Notice: the core timezone is UTC, so the time.now() values below must be converted from local time
##    Beijing time (CST) 20:00-24:00 is 12:00-16:00 UTC = time.now().hour >= 12 and time.now().hour < 16
##    quic: network == 'udp' and dst_port == 443 and (geoip(resolve_ip(host)) != 'CN' or geoip(dst_ip) != 'CN')
##    time-limit (and binds tighter than or, so the time test needs parentheses to apply only to this client):
##    time-limit: in_cidr(src_ip,'192.168.1.2/32') and (time.now().hour < 20 or time.now().hour > 21)
##    time-limit: src_ip == '192.168.1.2' and (time.now().hour < 20 or time.now().hour > 21)

##  code: |
##    def main(ctx, metadata):
##        directkeywordlist = ["baidu"]
##        for directkeyword in directkeywordlist:
##          if directkeyword in metadata["host"]:
##            ctx.log('[Script] matched keyword %s use direct' % directkeyword)
##            return "DIRECT"

rules:
##- SCRIPT,quic,REJECT #shortcuts rule
##- SCRIPT,time-limit,REJECT #shortcuts rule

#Direct connection by IP
- IP-CIDR,13.107.59.0/24,DIRECT
- IP-CIDR,13.107.60.0/22,DIRECT
- IP-CIDR,13.107.64.0/18,DIRECT
- IP-CIDR,13.107.128.0/19,DIRECT
- IP-CIDR,13.107.160.0/23,DIRECT
- IP-CIDR,52.105.217.0/24,DIRECT

##- PROCESS-NAME,curl,DIRECT #match the router's own process (curl goes direct)
##- DOMAIN-SUFFIX,google.com,Proxy #match domain suffix (hand to the Proxy group)
##- DOMAIN-KEYWORD,google,Proxy #match domain keyword (hand to the Proxy group)
##- DOMAIN,google.com,Proxy #match exact domain (hand to the Proxy group)
##- DOMAIN-SUFFIX,ad.com,REJECT #match domain suffix (reject)
##- IP-CIDR,127.0.0.0/8,DIRECT #match destination IP (direct)
##- SRC-IP-CIDR,192.168.1.201/32,DIRECT #match source IP (direct)
##- DST-PORT,80,DIRECT #match destination port (direct)
##- SRC-PORT,7777,DIRECT #match source port (direct)

##Rules higher in the list take effect first. To add a rule, remove the leading # in front of it. For example:
##IP range 192.168.1.2-192.168.1.200 goes direct
##- SRC-IP-CIDR,192.168.1.2/31,DIRECT
##- SRC-IP-CIDR,192.168.1.4/30,DIRECT
##- SRC-IP-CIDR,192.168.1.8/29,DIRECT
##- SRC-IP-CIDR,192.168.1.16/28,DIRECT
##- SRC-IP-CIDR,192.168.1.32/27,DIRECT
##- SRC-IP-CIDR,192.168.1.64/26,DIRECT
##- SRC-IP-CIDR,192.168.1.128/26,DIRECT
##- SRC-IP-CIDR,192.168.1.192/29,DIRECT
##- SRC-IP-CIDR,192.168.1.200/32,DIRECT

##IP range 192.168.1.202-192.168.1.255 goes direct
##- SRC-IP-CIDR,192.168.1.202/31,DIRECT
##- SRC-IP-CIDR,192.168.1.204/30,DIRECT
##- SRC-IP-CIDR,192.168.1.208/28,DIRECT
##- SRC-IP-CIDR,192.168.1.224/27,DIRECT

##With these rules, only the clients at 192.168.1.1 and 192.168.1.201 go through the proxy (policy); all other clients do not
##In Fake-IP mode the router's own traffic (192.168.1.1) can also go through the proxy (policy), so it has to be excluded explicitly

##To make only the router itself go direct:
##- SRC-IP-CIDR,192.168.1.1/32,DIRECT
##- SRC-IP-CIDR,198.18.0.1/32,DIRECT

##DDNS
##- DOMAIN-SUFFIX,checkip.dyndns.org,DIRECT
##- DOMAIN-SUFFIX,checkipv6.dyndns.org,DIRECT
##- DOMAIN-SUFFIX,checkip.synology.com,DIRECT
##- DOMAIN-SUFFIX,ifconfig.co,DIRECT
##- DOMAIN-SUFFIX,api.myip.com,DIRECT
##- DOMAIN-SUFFIX,ip-api.com,DIRECT
##- DOMAIN-SUFFIX,ipapi.co,DIRECT
##- DOMAIN-SUFFIX,ip6.seeip.org,DIRECT
##- DOMAIN-SUFFIX,members.3322.org,DIRECT

##Online IP range to CIDR converter: http://ip2cidr.com
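The two SRC-IP-CIDR lists above split an address range into the fewest CIDR blocks, and the template points to an online converter for that step. The script below is an added example, not OpenClash's code: it does the conversion locally with Python's ipaddress module and emits the rule lines, so internal address ranges do not have to be pasted into a third-party site. The ranges and the DIRECT policy come from the template; the function names are this example's own.

```python
"""Convert an IPv4 range into the minimal CIDR list and emit Clash SRC-IP-CIDR rules.

Added example (not part of OpenClash or of the issue above). The ranges
192.168.1.2-192.168.1.200 and 192.168.1.202-192.168.1.255 are the ones in the
template; the function names here are this example's own.
"""
import ipaddress
from typing import List


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Return the fewest CIDR blocks that cover exactly first..last (inclusive)."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    if start.version != end.version:
        raise ValueError("mixed IPv4/IPv6 endpoints")
    if start > end:
        raise ValueError("range start is after range end")
    # summarize_address_range yields the minimal exact cover in ascending address order
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def cidrs_to_rules(cidrs: List[str], policy: str = "DIRECT",
                   rule_type: str = "SRC-IP-CIDR") -> List[str]:
    """Format CIDR blocks as Clash rule lines; Clash matches rules top to bottom."""
    return [f"- {rule_type},{cidr},{policy}" for cidr in cidrs]


def range_to_rules(first: str, last: str, policy: str = "DIRECT") -> List[str]:
    """Convenience wrapper: range in, ready-to-paste rule lines out."""
    return cidrs_to_rules(range_to_cidrs(first, last), policy)


def covers_exactly(cidrs: List[str], first: str, last: str) -> bool:
    """Sanity check: the blocks are disjoint, ascending, and their union is exactly the range."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    addresses = sum(n.num_addresses for n in nets)
    expected = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
    in_order = all(a.broadcast_address < b.network_address for a, b in zip(nets, nets[1:]))
    return (addresses == expected and in_order
            and nets[0].network_address == ipaddress.ip_address(first)
            and nets[-1].broadcast_address == ipaddress.ip_address(last))


if __name__ == "__main__":
    for lo, hi in (("192.168.1.2", "192.168.1.200"), ("192.168.1.202", "192.168.1.255")):
        print(f"##IP range {lo}-{hi} goes direct")
        for line in range_to_rules(lo, hi):
            print(line)
```

Run it and paste the printed lines into the custom rules block; the output for the two template ranges is the same nine-plus-four block list the template shows.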
#===================== Custom Rules 2 =====================#
script:
##  shortcuts:
##    common_port: dst_port not in [21, 22, 23, 53, 80, 123, 143, 194, 443, 465, 587, 853, 993, 995, 998, 2052, 2053, 2082, 2083, 2086, 2095, 2096, 5222, 5228, 5229, 5230, 8080, 8443, 8880, 8888, 8889]

##  code: |
##    def main(ctx, metadata):
##        directkeywordlist = ["baidu"]
##        for directkeyword in directkeywordlist:
##          if directkeyword in metadata["host"]:
##            ctx.log('[Script] matched keyword %s use direct' % directkeyword)
##            return "DIRECT"

rules:
##- SCRIPT,common_port,DIRECT #shortcuts rule

##- DOMAIN-SUFFIX,google.com,Proxy #match domain suffix (hand to the Proxy group)
##- DOMAIN-KEYWORD,google,Proxy #match domain keyword (hand to the Proxy group)
##- DOMAIN,google.com,Proxy #match exact domain (hand to the Proxy group)
##- DOMAIN-SUFFIX,ad.com,REJECT #match domain suffix (reject)
##- IP-CIDR,127.0.0.0/8,DIRECT #match destination IP (direct)
##- SRC-IP-CIDR,192.168.1.201/32,DIRECT #match source IP (direct)
##- DST-PORT,80,DIRECT #match destination port (direct)
##- SRC-PORT,7777,DIRECT #match source port (direct)

#===================== Config File =====================#

port: 7890
socks-port: 7891
allow-lan: true
mode: rule
log-level: silent
external-controller: 0.0.0.0:9090
proxy-groups:
- name: "\U0001F680 节点选择"
  type: select
  proxies:
  - "♻️ 自动选择"
  - DIRECT
  - 俄罗斯 莫斯科
  - 印度 孟买01 [v1|云|1x]
  - 台湾 Hinet2 [v1|Relay|Unblock|1.2x]
  - 土耳其 伊斯坦布尔 [v1|Relay|0.8x]
  - 新加坡 01 [v1|云|1x]
  - 日本 Azure [v1]
  - 日本 东京01 [v1|云|1x]
  - 美国 CUVIP5 [v1|0.7x]
  - 美国 INAP
  - 美国 Ryana捐赠的西雅图1
  - 美国 洛杉矶1 x0.9
  - 美国 洛杉矶2 x0.9
  - 美国 西雅图CUVIP3
  - 韩国 春川01 [v1|Relay]
  - 韩国 首尔01 [v1|云|1x]
  - 香港 HGC [v1|Relay|Unlock|1.2x]
- name: "♻️ 自动选择"
  type: url-test
  url: http://www.gstatic.com/generate_204
  interval: 300
  tolerance: 50
  proxies:
  - 俄罗斯 莫斯科
  - 印度 孟买01 [v1|云|1x]
  - 台湾 Hinet2 [v1|Relay|Unblock|1.2x]
  - 土耳其 伊斯坦布尔 [v1|Relay|0.8x]
  - 新加坡 01 [v1|云|1x]
  - 日本 Azure [v1]
  - 日本 东京01 [v1|云|1x]
  - 美国 CUVIP5 [v1|0.7x]
  - 美国 INAP
  - 美国 Ryana捐赠的西雅图1
  - 美国 洛杉矶1 x0.9
  - 美国 洛杉矶2 x0.9
  - 美国 西雅图CUVIP3
  - 韩国 春川01 [v1|Relay]
  - 韩国 首尔01 [v1|云|1x]
  - 香港 HGC [v1|Relay|Unlock|1.2x]
- name: "\U0001F30D 国外媒体"
  type: select
  proxies:
  - "\U0001F680 节点选择"
  - "♻️ 自动选择"
  - "\U0001F3AF 全球直连"
  - 俄罗斯 莫斯科
  - 印度 孟买01 [v1|云|1x]
  - 台湾 Hinet2 [v1|Relay|Unblock|1.2x]
  - 土耳其 伊斯坦布尔 [v1|Relay|0.8x]
  - 新加坡 01 [v1|云|1x]
  - 日本 Azure [v1]
  - 日本 东京01 [v1|云|1x]
  - 美国 CUVIP5 [v1|0.7x]
  - 美国 INAP
  - 美国 Ryana捐赠的西雅图1
  - 美国 洛杉矶1 x0.9
  - 美国 洛杉矶2 x0.9
  - 美国 西雅图CUVIP3
  - 韩国 春川01 [v1|Relay]
  - 韩国 首尔01 [v1|云|1x]
  - 香港 HGC [v1|Relay|Unlock|1.2x]
- name: "\U0001F4E2 谷歌FCM"
  type: select
  proxies:
  - "\U0001F680 节点选择"
  - "\U0001F3AF 全球直连"
  - "♻️ 自动选择"
  - 俄罗斯 莫斯科
  - 印度 孟买01 [v1|云|1x]
  - 台湾 Hinet2 [v1|Relay|Unblock|1.2x]
  - 土耳其 伊斯坦布尔 [v1|Relay|0.8x]
  - 新加坡 01 [v1|云|1x]
  - 日本 Azure [v1]
  - 日本 东京01 [v1|云|1x]
  - 美国 CUVIP5 [v1|0.7x]
  - 美国 INAP
  - 美国 Ryana捐赠的西雅图1
  - 美国 洛杉矶1 x0.9
  - 美国 洛杉矶2 x0.9
  - 美国 西雅图CUVIP3
  - 韩国 春川01 [v1|Relay]
  - 韩国 首尔01 [v1|云|1x]
  - 香港 HGC [v1|Relay|Unlock|1.2x]
- name: "\U0001F4F2 电报信息"
  type: select
  proxies:
  - "\U0001F680 节点选择"
  - "\U0001F3AF 全球直连"
  - 俄罗斯 莫斯科
  - 印度 孟买01 [v1|云|1x]
  - 台湾 Hinet2 [v1|Relay|Unblock|1.2x]
  - 土耳其 伊斯坦布尔 [v1|Relay|0.8x]
  - 新加坡 01 [v1|云|1x]
  - 日本 Azure [v1]
  - 日本 东京01 [v1|云|1x]
  - 美国 CUVIP5 [v1|0.7x]
  - 美国 INAP
  - 美国 Ryana捐赠的西雅图1
  - 美国 洛杉矶1 x0.9
  - 美国 洛杉矶2 x0.9
  - 美国 西雅图CUVIP3
  - 韩国 春川01 [v1|Relay]
  - 韩国 首尔01 [v1|云|1x]
  - 香港 HGC [v1|Relay|Unlock|1.2x]
- name: Ⓜ️ 微软服务
  type: select
  proxies:
  - "\U0001F3AF 全球直连"
  - "\U0001F680 节点选择"
  - 俄罗斯 莫斯科
  - 印度 孟买01 [v1|云|1x]
  - 台湾 Hinet2 [v1|Relay|Unblock|1.2x]
  - 土耳其 伊斯坦布尔 [v1|Relay|0.8x]
  - 新加坡 01 [v1|云|1x]
  - 日本 Azure [v1]
  - 日本 东京01 [v1|云|1x]
  - 美国 CUVIP5 [v1|0.7x]
  - 美国 INAP
  - 美国 Ryana捐赠的西雅图1
  - 美国 洛杉矶1 x0.9
  - 美国 洛杉矶2 x0.9
  - 美国 西雅图CUVIP3
  - 韩国 春川01 [v1|Relay]
  - 韩国 首尔01 [v1|云|1x]
  - 香港 HGC [v1|Relay|Unlock|1.2x]
- name: "\U0001F34E 苹果服务"
  type: select
  proxies:
  - "\U0001F680 节点选择"
  - "\U0001F3AF 全球直连"
  - 俄罗斯 莫斯科
  - 印度 孟买01 [v1|云|1x]
  - 台湾 Hinet2 [v1|Relay|Unblock|1.2x]
  - 土耳其 伊斯坦布尔 [v1|Relay|0.8x]
  - 新加坡 01 [v1|云|1x]
  - 日本 Azure [v1]
  - 日本 东京01 [v1|云|1x]
  - 美国 CUVIP5 [v1|0.7x]
  - 美国 INAP
  - 美国 Ryana捐赠的西雅图1
  - 美国 洛杉矶1 x0.9
  - 美国 洛杉矶2 x0.9
  - 美国 西雅图CUVIP3
  - 韩国 春川01 [v1|Relay]
  - 韩国 首尔01 [v1|云|1x]
  - 香港 HGC [v1|Relay|Unlock|1.2x]
- name: "\U0001F3AF 全球直连"
  type: select
  proxies:
  - DIRECT
  - "\U0001F680 节点选择"
  - "♻️ 自动选择"
- name: "\U0001F6D1 全球拦截"
  type: select
  proxies:
  - REJECT
  - DIRECT
- name: "\U0001F343 应用净化"
  type: select
  proxies:
  - REJECT
  - DIRECT
- name: "\U0001F18E AdBlock"
  type: select
  proxies:
  - REJECT
  - DIRECT
- name: "\U0001F41F 漏网之鱼"
  type: select
  proxies:
  - "\U0001F680 节点选择"
  - "\U0001F3AF 全球直连"
  - "♻️ 自动选择"
  - 俄罗斯 莫斯科
  - 印度 孟买01 [v1|云|1x]
  - 台湾 Hinet2 [v1|Relay|Unblock|1.2x]
  - 土耳其 伊斯坦布尔 [v1|Relay|0.8x]
  - 新加坡 01 [v1|云|1x]
  - 日本 Azure [v1]
  - 日本 东京01 [v1|云|1x]
  - 美国 CUVIP5 [v1|0.7x]
  - 美国 INAP
  - 美国 Ryana捐赠的西雅图1
  - 美国 洛杉矶1 x0.9
  - 美国 洛杉矶2 x0.9
  - 美国 西雅图CUVIP3
  - 韩国 春川01 [v1|Relay]
  - 韩国 首尔01 [v1|云|1x]
  - 香港 HGC [v1|Relay|Unlock|1.2x]
rules:
- DST-PORT,7895,REJECT
- DST-PORT,7892,REJECT
- IP-CIDR,198.18.0.1/16,REJECT,no-resolve
- SRC-IP-CIDR,192.168.31.2/32,DIRECT
- SRC-IP-CIDR,198.18.0.1/32,DIRECT
- DOMAIN-SUFFIX,awesome-hd.me,DIRECT
- DOMAIN-SUFFIX,broadcasthe.net,DIRECT
- DOMAIN-SUFFIX,chdbits.co,DIRECT
- DOMAIN-SUFFIX,classix-unlimited.co.uk,DIRECT
- DOMAIN-SUFFIX,empornium.me,DIRECT
- DOMAIN-SUFFIX,gazellegames.net,DIRECT
- DOMAIN-SUFFIX,hdchina.org,DIRECT
- DOMAIN-SUFFIX,hdsky.me,DIRECT
- DOMAIN-SUFFIX,icetorrent.org,DIRECT
- DOMAIN-SUFFIX,jpopsuki.eu,DIRECT
- DOMAIN-SUFFIX,keepfrds.com,DIRECT
- DOMAIN-SUFFIX,madsrevolution.net,DIRECT
- DOMAIN-SUFFIX,m-team.cc,DIRECT
- DOMAIN-SUFFIX,nanyangpt.com,DIRECT
- DOMAIN-SUFFIX,ncore.cc,DIRECT
- DOMAIN-SUFFIX,open.cd,DIRECT
- DOMAIN-SUFFIX,ourbits.club,DIRECT
- DOMAIN-SUFFIX,passthepopcorn.me,DIRECT
- DOMAIN-SUFFIX,privatehd.to,DIRECT
- DOMAIN-SUFFIX,redacted.ch,DIRECT
- DOMAIN-SUFFIX,springsunday.net,DIRECT
- DOMAIN-SUFFIX,tjupt.org,DIRECT
- DOMAIN-SUFFIX,totheglory.im,DIRECT
- DOMAIN-KEYWORD,announce,DIRECT
- DOMAIN-KEYWORD,torrent,DIRECT
- DOMAIN-KEYWORD,tracker,DIRECT
- PROCESS-NAME,aria2c,DIRECT
- PROCESS-NAME,BitComet,DIRECT
- PROCESS-NAME,fdm,DIRECT
- PROCESS-NAME,NetTransport,DIRECT
- PROCESS-NAME,qbittorrent,DIRECT
- PROCESS-NAME,Thunder,DIRECT
- PROCESS-NAME,transmission-daemon,DIRECT
- PROCESS-NAME,transmission-qt,DIRECT
- PROCESS-NAME,uTorrent,DIRECT
- PROCESS-NAME,WebTorrent,DIRECT
- PROCESS-NAME,aria2c,DIRECT
- PROCESS-NAME,fdm,DIRECT
- PROCESS-NAME,Folx,DIRECT
- PROCESS-NAME,NetTransport,DIRECT
- PROCESS-NAME,qbittorrent,DIRECT
- PROCESS-NAME,Thunder,DIRECT
- PROCESS-NAME,Transmission,DIRECT
- PROCESS-NAME,transmission,DIRECT
- PROCESS-NAME,uTorrent,DIRECT
- PROCESS-NAME,WebTorrent,DIRECT
- PROCESS-NAME,WebTorrent Helper,DIRECT
- PROCESS-NAME,v2ray,DIRECT
- PROCESS-NAME,ss-local,DIRECT
- PROCESS-NAME,ssr-local,DIRECT
- PROCESS-NAME,ss-redir,DIRECT
- PROCESS-NAME,ssr-redir,DIRECT
- PROCESS-NAME,ss-server,DIRECT
- PROCESS-NAME,trojan-go,DIRECT
- PROCESS-NAME,xray,DIRECT
- PROCESS-NAME,hysteria,DIRECT
- PROCESS-NAME,UUBooster,DIRECT
- PROCESS-NAME,uugamebooster,DIRECT
- DOMAIN-SUFFIX,smtp,DIRECT
- IP-CIDR,13.107.59.0/24,DIRECT
- IP-CIDR,13.107.60.0/22,DIRECT
- IP-CIDR,13.107.64.0/18,DIRECT
- IP-CIDR,13.107.128.0/19,DIRECT
- IP-CIDR,13.107.160.0/23,DIRECT
- IP-CIDR,52.105.217.0/24,DIRECT
- - "
- MATCH,DIRECT
redir-port: 7892
tproxy-port: 7895
mixed-port: 7893
bind-address: "*"
external-ui: "/usr/share/openclash/dashboard"
ipv6: false
geodata-mode: false
geodata-loader: memconservative
tcp-concurrent: true
dns:
  enable: true
  ipv6: false
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  listen: 0.0.0.0:7874
  nameserver:
  - 114.114.114.114
  - 192.168.31.1
  - 119.29.29.29
  - 119.28.28.28
  - 223.5.5.5
  fallback:
  - https://1.1.1.1/dns-query
  - tls://8.8.8.8:853
  use-hosts: true
  fake-ip-filter:
  - "+.*"
  default-nameserver:
  - 114.114.114.114
  - 192.168.31.1
  - 119.29.29.29
  - 119.28.28.28
  - 223.5.5.5
sniffer:
  enable: true
  sniffing:
  - tls
  - http
profile:
  store-selected: true
  store-fake-ip: true
hosts:

#===================== Firewall Settings =====================#

#IPv4 NAT chain

# Generated by iptables-save v1.8.7 on Fri May 20 22:12:28 2022
*nat
:PREROUTING ACCEPT [2738:232294]
:INPUT ACCEPT [3639:228096]
:OUTPUT ACCEPT [12802:785301]
:POSTROUTING ACCEPT [145:8905]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:openclash - [0:0]
:openclash_output - [0:0]
:postrouting_docker_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_docker_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_docker_postrouting - [0:0]
:zone_docker_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -d 8.8.4.4/32 -p tcp -m comment --comment "OpenClash Google DNS Hijack" -m tcp --dport 53 -j REDIRECT --to-ports 7892
-A PREROUTING -d 8.8.8.8/32 -p tcp -m comment --comment "OpenClash Google DNS Hijack" -m tcp --dport 53 -j REDIRECT --to-ports 7892
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i docker0 -m comment --comment "!fw3" -j zone_docker_prerouting
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 1314
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 1314
-A PREROUTING -p tcp -j openclash
-A OUTPUT -j openclash_output
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o docker0 -m comment --comment "!fw3" -j zone_docker_postrouting
-A POSTROUTING -s 172.31.0.0/24 ! -o docker0 -j MASQUERADE
-A openclash -p tcp -m tcp --sport 1688 -j RETURN
-A openclash -p tcp -m tcp --sport 10240 -j RETURN
-A openclash -p tcp -m tcp --sport 1723 -j RETURN
-A openclash -p tcp -m tcp --sport 1194 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -m set ! --match-set common_ports dst -j RETURN
-A openclash -m set --match-set china_ip_route dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
-A openclash_output -p tcp -m tcp --sport 1688 -j RETURN
-A openclash_output -p tcp -m tcp --sport 10240 -j RETURN
-A openclash_output -p tcp -m tcp --sport 1723 -j RETURN
-A openclash_output -p tcp -m tcp --sport 1194 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -m owner ! --uid-owner 65534 -m set ! --match-set common_ports dst -j RETURN
-A openclash_output -m owner ! --uid-owner 65534 -m set --match-set china_ip_route dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
-A zone_docker_postrouting -m comment --comment "!fw3: Custom docker postrouting rule chain" -j postrouting_docker_rule
-A zone_docker_prerouting -m comment --comment "!fw3: Custom docker prerouting rule chain" -j prerouting_docker_rule
-A zone_lan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -j MINIUPNPD
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri May 20 22:12:28 2022
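The "reset firewall rules" message in the issue title concerns the nat-table hooks shown above: the transparent proxy only works while PREROUTING jumps to the `openclash` chain, OUTPUT jumps to `openclash_output`, the bypass RETURNs (local network, Chinese IPs, non-common ports) sit above the final REDIRECT to the redir port, and the OUTPUT redirect excludes the core's own uid so its outbound connections are not looped back into it. The script below is an added example, not OpenClash's own watchdog (whose code this page does not show): it parses `iptables-save` output and lists which of those expectations are not met. The sample dump is a constructed excerpt trimmed from the one above; port 7892 and uid 65534 are the values that dump uses; the function names are this example's own. Running it against `iptables-save -t nat` on the router when the message appears tells you whether the rules were in fact missing or already restored.

```python
"""Check that OpenClash's transparent-proxy hooks are present in the nat table.

Added example, not OpenClash's own watchdog code. It parses iptables-save output
and reports which expected rules are missing. SAMPLE_NAT is a constructed excerpt
of the dump on this page; chain names, redir port 7892 and uid 65534 (the owner
match used for the core's user) are taken from that dump.
"""
import re
import subprocess
from typing import Dict, List

SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:openclash - [0:0]
:openclash_output - [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 1314
-A PREROUTING -p tcp -j openclash
-A OUTPUT -j openclash_output
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -m set ! --match-set common_ports dst -j RETURN
-A openclash -m set --match-set china_ip_route dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
COMMIT
"""


def parse_nat(dump: str) -> Dict[str, List[str]]:
    """Return {chain: [rule text, ...]} for the *nat table of an iptables-save dump."""
    chains: Dict[str, List[str]] = {}
    in_nat = False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_nat = line == "*nat"
        elif not in_nat:
            continue
        elif line.startswith(":"):            # chain declaration, possibly empty
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):          # rule appended to a chain
            chain, _, rule = line[3:].partition(" ")
            chains.setdefault(chain, []).append(rule)
    return chains


def check_openclash_hooks(chains: Dict[str, List[str]], redir_port: int = 7892,
                          core_uid: int = 65534) -> List[str]:
    """Return a list of problems; an empty list means the redirect rules are intact."""
    problems: List[str] = []
    for chain in ("openclash", "openclash_output"):
        if chain not in chains:
            problems.append(f"chain {chain} does not exist")
    if "-p tcp -j openclash" not in chains.get("PREROUTING", []):
        problems.append("PREROUTING does not jump to openclash")
    if "-j openclash_output" not in chains.get("OUTPUT", []):
        problems.append("OUTPUT does not jump to openclash_output")

    redirect = re.compile(rf"-j REDIRECT --to-ports {redir_port}$")
    for chain, needs_owner in (("openclash", False), ("openclash_output", True)):
        rules = chains.get(chain, [])
        hits = [i for i, r in enumerate(rules) if redirect.search(r)]
        if not hits:
            problems.append(f"{chain}: no REDIRECT to port {redir_port}")
            continue
        last = hits[-1]
        # Bypass RETURNs only work if they precede the REDIRECT; localnetwork is
        # always present, the other ipsets depend on the plugin settings.
        if not any("--match-set localnetwork dst -j RETURN" in r for r in rules[:last]):
            problems.append(f"{chain}: no RETURN for ipset localnetwork before the REDIRECT")
        # Without the owner exclusion the core's own outbound traffic would be
        # redirected back into the core.
        if needs_owner and f"! --uid-owner {core_uid}" not in rules[last]:
            problems.append(f"{chain}: REDIRECT does not exclude uid {core_uid}")
    return problems


def live_nat_problems() -> List[str]:
    """Run the check against the running kernel (needs root on the OpenWrt box)."""
    dump = subprocess.run(["iptables-save", "-t", "nat"], check=True,
                          capture_output=True, text=True).stdout
    return check_openclash_hooks(parse_nat(dump))


if __name__ == "__main__":
    issues = check_openclash_hooks(parse_nat(SAMPLE_NAT))
    print("intact" if not issues else "\n".join(issues))
```

On the sample the result is "intact"; if another firewall reload has flushed the nat table you would instead see the missing jump or chain listed, which is the state the plugin's reset message is reacting to.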

#IPv4 Mangle chain

# Generated by iptables-save v1.8.7 on Fri May 20 22:12:28 2022
*mangle
:PREROUTING ACCEPT [3024610:5358995869]
:INPUT ACCEPT [2494518:4563942673]
:FORWARD ACCEPT [530092:795053196]
:OUTPUT ACCEPT [1176851:4469160655]
:POSTROUTING ACCEPT [1706718:5264190541]
:RRDIPT_FORWARD - [0:0]
:RRDIPT_INPUT - [0:0]
:RRDIPT_OUTPUT - [0:0]
-A INPUT -j RRDIPT_INPUT
-A FORWARD -j RRDIPT_FORWARD
-A OUTPUT -j RRDIPT_OUTPUT
-A RRDIPT_FORWARD -s 172.31.0.4/32 -j RETURN
-A RRDIPT_FORWARD -d 172.31.0.4/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.31.105/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.31.105/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.31.214/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.31.214/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.31.1/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.31.1/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.31.128/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.31.128/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.31.234/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.31.234/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.31.237/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.31.237/32 -j RETURN
-A RRDIPT_FORWARD -s 172.31.0.2/32 -j RETURN
-A RRDIPT_FORWARD -d 172.31.0.2/32 -j RETURN
-A RRDIPT_FORWARD -s 172.31.0.3/32 -j RETURN
-A RRDIPT_FORWARD -d 172.31.0.3/32 -j RETURN
-A RRDIPT_INPUT -i eth0 -j RETURN
-A RRDIPT_OUTPUT -o eth0 -j RETURN
COMMIT
# Completed on Fri May 20 22:12:28 2022

#IPv4 Filter chain

# Generated by iptables-save v1.8.7 on Fri May 20 22:12:28 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [145:8700]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_docker_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_docker_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_docker_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_docker_dest_ACCEPT - [0:0]
:zone_docker_forward - [0:0]
:zone_docker_input - [0:0]
:zone_docker_output - [0:0]
:zone_docker_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i docker0 -m comment --comment "!fw3" -j zone_docker_input
-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -m comment --comment "!fw3: drop-wan-ssh" -j zone_wan_dest_DROP
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i docker0 -m comment --comment "!fw3" -j zone_docker_forward
-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o docker0 -m comment --comment "!fw3" -j zone_docker_output
-A forwarding_rule -i pppoe+ -j RETURN
-A forwarding_rule -o pppoe+ -j RETURN
-A forwarding_rule -i ppp+ -m conntrack --ctstate NEW -j ACCEPT
-A forwarding_rule -o ppp+ -m conntrack --ctstate NEW -j ACCEPT
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_docker_dest_ACCEPT -o docker0 -m comment --comment "!fw3" -j ACCEPT
-A zone_docker_forward -m comment --comment "!fw3: Custom docker forwarding rule chain" -j forwarding_docker_rule
-A zone_docker_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_docker_forward -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
-A zone_docker_input -m comment --comment "!fw3: Custom docker input rule chain" -j input_docker_rule
-A zone_docker_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_docker_input -m comment --comment "!fw3" -j zone_docker_src_ACCEPT
-A zone_docker_output -m comment --comment "!fw3: Custom docker output rule chain" -j output_docker_rule
-A zone_docker_output -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
-A zone_docker_src_ACCEPT -i docker0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -j MINIUPNPD
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 8118 -m comment --comment "!fw3: adblock" -j DROP
-A zone_wan_input -p udp -m udp --dport 500 -m comment --comment "!fw3: ike" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment "!fw3: ipsec" -j ACCEPT
-A zone_wan_input -p ah -m comment --comment "!fw3: ah" -j ACCEPT
-A zone_wan_input -p esp -m comment --comment "!fw3: esp" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp" -j ACCEPT
-A zone_wan_input -p gre -m comment --comment "!fw3: gre" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 10240 -m comment --comment "!fw3: ssrs" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Fri May 20 22:12:28 2022

#IPv6 NAT chain

# Generated by ip6tables-save v1.8.7 on Fri May 20 22:12:28 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [23:1904]
:POSTROUTING ACCEPT [23:1904]
COMMIT
# Completed on Fri May 20 22:12:28 2022

#IPv6 Mangle chain

# Generated by ip6tables-save v1.8.7 on Fri May 20 22:12:28 2022
*mangle
:PREROUTING ACCEPT [122:12363]
:INPUT ACCEPT [122:12363]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [111:11747]
:POSTROUTING ACCEPT [111:11747]
COMMIT
# Completed on Fri May 20 22:12:28 2022

#IPv6 Filter chain

# Generated by ip6tables-save v1.8.7 on Fri May 20 22:12:28 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_docker_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_docker_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_docker_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_docker_dest_ACCEPT - [0:0]
:zone_docker_forward - [0:0]
:zone_docker_input - [0:0]
:zone_docker_output - [0:0]
:zone_docker_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i docker0 -m comment --comment "!fw3" -j zone_docker_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -m comment --comment "!fw3: drop-wan-ssh" -j zone_wan_dest_DROP
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i docker0 -m comment --comment "!fw3" -j zone_docker_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o docker0 -m comment --comment "!fw3" -j zone_docker_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_docker_dest_ACCEPT -o docker0 -m comment --comment "!fw3" -j ACCEPT
-A zone_docker_forward -m comment --comment "!fw3: Custom docker forwarding rule chain" -j forwarding_docker_rule
-A zone_docker_forward -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
-A zone_docker_input -m comment --comment "!fw3: Custom docker input rule chain" -j input_docker_rule
-A zone_docker_input -m comment --comment "!fw3" -j zone_docker_src_ACCEPT
-A zone_docker_output -m comment --comment "!fw3: Custom docker output rule chain" -j output_docker_rule
-A zone_docker_output -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
-A zone_docker_src_ACCEPT -i docker0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -j MINIUPNPD
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 8118 -m comment --comment "!fw3: adblock" -j DROP
-A zone_wan_input -p udp -m udp --dport 500 -m comment --comment "!fw3: ike" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment "!fw3: ipsec" -j ACCEPT
-A zone_wan_input -p ah -m comment --comment "!fw3: ah" -j ACCEPT
-A zone_wan_input -p esp -m comment --comment "!fw3: esp" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp" -j ACCEPT
-A zone_wan_input -p gre -m comment --comment "!fw3: gre" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 10240 -m comment --comment "!fw3: ssrs" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Fri May 20 22:12:28 2022

#===================== IPSET Status =====================#

Name: cn
Name: ct
Name: cnc
Name: cmcc
Name: crtc
Name: cernet
Name: gwbn
Name: othernet
Name: music
Name: mwan3_connected_v4
Name: mwan3_connected_v6
Name: mwan3_source_v6
Name: mwan3_dynamic_v4
Name: mwan3_dynamic_v6
Name: mwan3_custom_v4
Name: mwan3_custom_v6
Name: china_ip_route
Name: localnetwork
Name: common_ports
Name: mwan3_connected

#===================== Routing Table Status =====================#

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.31.1    0.0.0.0         UG    0      0        0 eth0
172.31.0.0      0.0.0.0         255.255.255.0   U     0      0        0 docker0
192.168.31.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
#ip route list
default via 192.168.31.1 dev eth0 proto static 
172.31.0.0/24 dev docker0 proto kernel scope link src 172.31.0.1 
192.168.31.0/24 dev eth0 proto kernel scope link src 192.168.31.2 
#ip rule show
0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default

#===================== Port Usage =====================#

tcp        0      0 :::7890                 :::*                    LISTEN      13449/clash
tcp        0      0 :::7891                 :::*                    LISTEN      13449/clash
tcp        0      0 :::7892                 :::*                    LISTEN      13449/clash
tcp        0      0 :::7893                 :::*                    LISTEN      13449/clash
tcp        0      0 :::7895                 :::*                    LISTEN      13449/clash
tcp        0      0 :::9090                 :::*                    LISTEN      13449/clash
udp        0      0 :::7874                 :::*                                13449/clash
udp        0      0 :::7891                 :::*                                13449/clash
udp        0      0 :::7892                 :::*                                13449/clash
udp        0      0 :::7893                 :::*                                13449/clash
udp        0      0 :::7895                 :::*                                13449/clash

#===================== Local DNS Query Test =====================#

Server:     127.0.0.1
Address:    127.0.0.1:53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com
Name:   www.a.shifen.com
Address: 
Name:   www.a.shifen.com
Address: 

#===================== resolv.conf.d =====================#

# Interface lan
nameserver 192.168.31.1
nameserver 114.114.114.114

#===================== Local Network Connection Test =====================#

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Fri, 20 May 2022 14:12:28 GMT
Etag: "575e1f59-115"
Last-Modified: Mon, 13 Jun 2016 02:50:01 GMT
Pragma: no-cache
Server: bfe/1.0.8.18

#===================== Local Network Download Test =====================#

#===================== Recent Run Log =====================#

2022-05-20 21:21:58 Reload OpenClash Firewall Rules...
2022-05-20 21:22:06 Reload OpenClash Firewall Rules...
2022-05-20 21:24:30 Reload OpenClash Firewall Rules...
2022-05-20 21:24:31 Watchdog: Reset Firewall For Enabling Redirect...

#===================== Active Connection Info =====================#

1. SourceIP:【192.168.31.128】 - Host:【github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【github】 - Lastchain:【日本 东京01 [v1|云|1x]】

vernesong commented 2 years ago

Something else is restarting the firewall.

michaelchen644 commented 1 year ago

Spent three days adding plugins back one at a time and recompiling; it turned out mine started acting up after I selected luci-app-snmp...

dodo258 commented 1 year ago

Turning off all of IPv6 solved the problem; it is caused by IPv6.

xianren78 commented 1 year ago

> Spent three days adding plugins back one at a time and recompiling; it turned out mine started acting up after I selected luci-app-snmp...

Thanks for the hint. Of my three routers, the two that run snmpd show this problem and the one without it does not. I will disable it for now and report back.

update: It does look like it is snmpd; there have been no new related log entries since stopping snmpd.

    /etc/init.d/snmpd stop
    /etc/init.d/snmpd disable

solves the problem. @vernesong Since stopping snmpd, no new firewall-restart log entries have been produced.

2024/03/09 update: Changing the second line of /etc/config/snmpd to `option agentaddress UDP:161` (removing UDP6:161) and then restarting snmpd also seems to solve the problem. Testing welcome.
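The snmpd change from the comment above, as an added shell example that is not code from this issue or from the OpenClash project: it audits an OpenWrt /etc/config/snmpd for a UDP6 agent listener, rewrites the agentaddress to IPv4-only (keeping a .bak copy), and counts firewall-reload lines in an OpenClash log so the effect of the change can be measured. It assumes the stock UCI layout `option agentaddress UDP:161,UDP6:161`; the sample config is constructed for illustration, and the sample log lines are copied from the debug output above.

```shell
#!/bin/sh
# Added example, not code from this issue or from the OpenClash project.
# Audits /etc/config/snmpd for a UDP6 agent listener, rewrites the
# agentaddress to IPv4-only, and counts firewall-reload lines in an
# OpenClash log. Assumes the stock UCI layout
# "option agentaddress UDP:161,UDP6:161"; sample config and log below are
# constructed for illustration.

# Write a constructed snmpd config to a temp file and print its path.
make_sample_snmpd_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
config agent
	option agentaddress UDP:161,UDP6:161

config agentx
	option agentxsocket /var/run/agentx.sock
EOF
    printf '%s\n' "$f"
}

# Write a constructed OpenClash log (lines taken from this issue) to a temp file.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
2022-05-20 21:21:58 Reload OpenClash Firewall Rules...
2022-05-20 21:22:06 Reload OpenClash Firewall Rules...
2022-05-20 21:24:30 Reload OpenClash Firewall Rules...
2022-05-20 21:24:31 Watchdog: Reset Firewall For Enabling Redirect...
EOF
    printf '%s\n' "$f"
}

# True (exit 0) when any agentaddress option still lists a UDP6 listener.
has_udp6_agentaddress() {
    grep -Eq '^[[:space:]]*option[[:space:]]+agentaddress[[:space:]]+.*UDP6:' "$1"
}

# Print the agentaddress value with surrounding quotes removed.
current_agentaddress() {
    awk '$1 == "option" && $2 == "agentaddress" { v = $3; gsub(/["\047]/, "", v); print v }' "$1"
}

# Rewrite the file in place (keeping <file>.bak) so only IPv4 listeners remain.
# Every line other than the agentaddress option is passed through unchanged.
fix_agentaddress() {
    cp "$1" "$1.bak"
    awk '
    $1 == "option" && $2 == "agentaddress" {
        v = $3; gsub(/["\047]/, "", v)
        n = split(v, parts, ",")
        out = ""
        for (i = 1; i <= n; i++)
            if (parts[i] !~ /^UDP6:/)
                out = (out == "" ? parts[i] : out "," parts[i])
        # If only UDP6 listeners were configured, fall back to the IPv4
        # value given in the comment (assumption: port 161).
        if (out == "") out = "UDP:161"
        print "\toption agentaddress " out
        next
    }
    { print }
    ' "$1.bak" >"$1"
}

# Number of firewall-reload events in an OpenClash log (prints 0 when none).
count_fw_reloads() {
    grep -c 'Reload OpenClash Firewall Rules' "$1" || true
}

# Stand-alone run: audit, fix, and report on the constructed samples.
cfg=$(make_sample_snmpd_config)
log=$(make_sample_log)
if has_udp6_agentaddress "$cfg"; then
    echo "UDP6 listener found: $(current_agentaddress "$cfg")"
    fix_agentaddress "$cfg"
    echo "rewritten to:        $(current_agentaddress "$cfg")"
fi
echo "firewall reloads in log: $(count_fw_reloads "$log")"
rm -f "$cfg" "$cfg.bak" "$log"
```

On a real router, point `fix_agentaddress` at /etc/config/snmpd, run `/etc/init.d/snmpd restart`, and then watch the OpenClash log for new "Reload OpenClash Firewall Rules" entries; the .bak copy lets you revert if anything else depended on the IPv6 listener.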