vernesong / OpenClash

A Clash Client For OpenWrt
MIT License
16.63k stars 3.07k forks

[Bug] Version 0.45.54 fails to start #2668

Closed ghost closed 2 years ago

ghost commented 2 years ago

Verify Steps

OpenClash Version

v0.45.54-beta

Bug on Environment

Lean

Bug on Platform

Linux-amd64(x86-64)

To Reproduce

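The same configuration starts normally on version 0.45.53; after upgrading to 0.45.54, the startup process stops halfway through, with no error message.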

Describe the Bug

The run log stops at this step:

2022-08-31 23:04:13 第六步:删除 OpenClash 残留文件...
2022-08-31 23:04:11 第五步: 重启 Dnsmasq 程序...

OpenClash Log

OpenClash 调试日志

生成时间: 2022-08-31 23:01:27
插件版本: v0.45.54-beta
隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息


#===================== 系统信息 =====================#

主机型号: BROUNION R86S/R86S - Intel(R) Celeron(R) N5105 @ 2.00GHz : 4 Core 4 Thread
固件版本: OpenWrt SNAPSHOT r4936-ddb8181fe
LuCI版本: git-22.236.14286-082687d-1
内核版本: 5.15.63
处理器架构: x86_64

#此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: 

#此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 

#===================== 依赖检查 =====================#

dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci-19.07): 未安装
kmod-inet-diag(PROCESS-NAME): 已安装
unzip: 已安装
iptables-mod-tproxy: 已安装
kmod-ipt-tproxy: 已安装
iptables-mod-extra: 已安装
kmod-ipt-extra: 已安装
kmod-ipt-nat: 已安装

#===================== 内核检查 =====================#

运行状态: 未运行
已选择的架构: linux-amd64

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2022.08.26-1-g8720ef5
Tun内核文件: 存在
Tun内核运行权限: 正常

Dev内核版本: v1.11.8-1-g425b6e0
Dev内核文件: 存在
Dev内核运行权限: 正常

Meta内核版本: alpha-g4b39362
Meta内核文件: 存在
Meta内核运行权限: 正常

#===================== 插件设置 =====================#

当前配置文件: /etc/openclash/config/clash.yaml
启动配置文件: /etc/openclash/clash.yaml
运行模式: fake-ip-mix
默认代理模式: rule
UDP流量转发(tproxy): 停用
DNS劫持: 启用
自定义DNS: 停用
IPV6代理: 停用
IPV6-DNS解析: 停用
禁用Dnsmasq缓存: 启用
自定义规则: 停用
仅允许内网: 停用
仅代理命中规则流量: 停用
仅允许常用端口流量: 停用
绕过中国大陆IP: 停用
DNS远程解析: 启用
路由本机代理: 启用

#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用

#启动异常时建议关闭此项后重试
第三方规则: 停用

#===================== 配置文件 =====================#

dns:
  enable: true
  ipv6: false
  enhanced-mode: fake-ip
  default-nameserver:
  - 114.114.114.114
  - 8.8.8.8
  nameserver:
  - https://doh.pub/dns-query
  - https://dns.alidns.com/dns-query
  fake-ip-filter:
  - "*.lan"
  - "*.localdomain"
  - "*.example"
  - "*.invalid"
  - "*.localhost"
  - "*.test"
  - "*.local"
  - "*.home.arpa"
  - time.*.com
  - time.*.gov
  - time.*.edu.cn
  - time.*.apple.com
  - time1.*.com
  - time2.*.com
  - time3.*.com
  - time4.*.com
  - time5.*.com
  - time6.*.com
  - time7.*.com
  - ntp.*.com
  - ntp1.*.com
  - ntp2.*.com
  - ntp3.*.com
  - ntp4.*.com
  - ntp5.*.com
  - ntp6.*.com
  - ntp7.*.com
  - "*.time.edu.cn"
  - "*.ntp.org.cn"
  - "+.pool.ntp.org"
  - time1.cloud.tencent.com
  - music.163.com
  - "*.music.163.com"
  - "*.126.net"
  - musicapi.taihe.com
  - music.taihe.com
  - songsearch.kugou.com
  - trackercdn.kugou.com
  - "*.kuwo.cn"
  - api-jooxtt.sanook.com
  - api.joox.com
  - joox.com
  - y.qq.com
  - "*.y.qq.com"
  - streamoc.music.tc.qq.com
  - mobileoc.music.tc.qq.com
  - isure.stream.qqmusic.qq.com
  - dl.stream.qqmusic.qq.com
  - aqqmusic.tc.qq.com
  - amobile.music.tc.qq.com
  - "*.xiami.com"
  - "*.music.migu.cn"
  - music.migu.cn
  - "+.msftconnecttest.com"
  - "+.msftncsi.com"
  - msftconnecttest.com
  - msftncsi.com
  - localhost.ptlogin2.qq.com
  - localhost.sec.qq.com
  - "+.srv.nintendo.net"
  - "+.stun.playstation.net"
  - xbox.*.microsoft.com
  - xnotify.xboxlive.com
  - "+.battlenet.com.cn"
  - "+.wotgame.cn"
  - "+.wggames.cn"
  - "+.wowsgame.cn"
  - "+.wargaming.net"
  - proxy.golang.org
  - stun.*.*
  - stun.*.*.*
  - "+.stun.*.*"
  - "+.stun.*.*.*"
  - "+.stun.*.*.*.*"
  - heartbeat.belkin.com
  - "*.linksys.com"
  - "*.linksyssmartwifi.com"
  - "*.router.asus.com"
  - mesu.apple.com
  - swscan.apple.com
  - swquery.apple.com
  - swdownload.apple.com
  - swcdn.apple.com
  - swdist.apple.com
  - lens.l.google.com
  - stun.l.google.com
  - "+.nflxvideo.net"
  - "*.square-enix.com"
  - "*.finalfantasyxiv.com"
  - "*.ffxiv.com"
  - "*.mcdn.bilivideo.cn"
  - "+.media.dssott.com"
  - "+.dns.google"
  fake-ip-range: 198.18.0.1/16
  listen: 0.0.0.0:7874
proxy-groups:
- name: FAST
  type: url-test
  disable-udp: false
  proxies:
  - HK1
  - TW1
  - US1
  url: http://cp.cloudflare.com/generate_204
  interval: '1800'
  tolerance: '0'
  lazy: false
rule-providers:
  Proxy:
    type: http
    behavior: domain
    url: https://xxxxx/clash/Proxy.yaml
    path: "./rule_provider/Proxy.yaml"
    interval: 86400
  AdBlock:
    type: http
    behavior: domain
    url: https://xxxxxx/AdBlock.yaml
    path: "./rule_provider/AdBlock.yaml"
    interval: 86400
rules:
- DST-PORT,7895,REJECT
- DST-PORT,7892,REJECT
- IP-CIDR,198.18.0.1/16,REJECT,no-resolve
- RULE-SET,AdBlock,REJECT
- DOMAIN-SUFFIX,local,DIRECT
- RULE-SET,Proxy,FAST
- GEOIP,LAN, DIRECT
- GEOIP,CN,DIRECT
- MATCH,FAST
redir-port: 7892
tproxy-port: 7895
port: 7890
socks-port: 7891
mixed-port: 7893
mode: rule
log-level: silent
allow-lan: true
external-controller: 0.0.0.0:9090
bind-address: "*"
external-ui: "/usr/share/openclash/ui"
ipv6: false
interface-name: eth0
experimental:
  sniff-tls-sni: true
tun:
  enable: true
  stack: system
  auto-route: false
  auto-detect-interface: false
  dns-hijack:
  - tcp://any:53
profile:
  store-selected: true
  store-fake-ip: true

#===================== 防火墙设置 =====================#

#IPv4 NAT chain

# Generated by iptables-save v1.8.7 on Wed Aug 31 23:01:29 2022
*nat
:PREROUTING ACCEPT [769:73982]
:INPUT ACCEPT [318:28812]
:OUTPUT ACCEPT [354:28791]
:POSTROUTING ACCEPT [41:4926]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -s 10.242.0.0/16 -j MASQUERADE
-A POSTROUTING -o ztzlgmpcam -j MASQUERADE
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A MINIUPNPD -p tcp -m tcp --dport 39312 -j DNAT --to-destination 192.168.99.194:9010
-A MINIUPNPD -p tcp -m tcp --dport 30047 -j DNAT --to-destination 192.168.99.194:9020
-A MINIUPNPD -p udp -m udp --dport 31282 -j DNAT --to-destination 192.168.99.194:9030
-A MINIUPNPD -p udp -m udp --dport 39710 -j DNAT --to-destination 192.168.99.194:9031
-A MINIUPNPD -p udp -m udp --dport 35313 -j DNAT --to-destination 192.168.99.194:9032
-A MINIUPNPD -p udp -m udp --dport 34597 -j DNAT --to-destination 192.168.99.194:9033
-A MINIUPNPD-POSTROUTING -s 192.168.99.194/32 -p tcp -m tcp --sport 9010 -j MASQUERADE --to-ports 39312
-A MINIUPNPD-POSTROUTING -s 192.168.99.194/32 -p tcp -m tcp --sport 9020 -j MASQUERADE --to-ports 30047
-A MINIUPNPD-POSTROUTING -s 192.168.99.194/32 -p udp -m udp --sport 9030 -j MASQUERADE --to-ports 31282
-A MINIUPNPD-POSTROUTING -s 192.168.99.194/32 -p udp -m udp --sport 9031 -j MASQUERADE --to-ports 39710
-A MINIUPNPD-POSTROUTING -s 192.168.99.194/32 -p udp -m udp --sport 9032 -j MASQUERADE --to-ports 35313
-A MINIUPNPD-POSTROUTING -s 192.168.99.194/32 -p udp -m udp --sport 9033 -j MASQUERADE --to-ports 34597
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -m comment --comment "!fw3" -j FULLCONENAT
COMMIT
# Completed on Wed Aug 31 23:01:29 2022

#IPv4 Mangle chain

# Generated by iptables-save v1.8.7 on Wed Aug 31 23:01:29 2022
*mangle
:PREROUTING ACCEPT [5770:1061499]
:INPUT ACCEPT [2878:809465]
:FORWARD ACCEPT [2762:220465]
:OUTPUT ACCEPT [3689:1458890]
:POSTROUTING ACCEPT [6322:1672743]
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Aug 31 23:01:29 2022

#IPv4 Filter chain

# Generated by iptables-save v1.8.7 on Wed Aug 31 23:01:29 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -o ztzlgmpcam -j ACCEPT
-A FORWARD -i ztzlgmpcam -j ACCEPT
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
-A MINIUPNPD -d 192.168.99.194/32 -p tcp -m tcp --dport 9010 -j ACCEPT
-A MINIUPNPD -d 192.168.99.194/32 -p tcp -m tcp --dport 9020 -j ACCEPT
-A MINIUPNPD -d 192.168.99.194/32 -p udp -m udp --dport 9030 -j ACCEPT
-A MINIUPNPD -d 192.168.99.194/32 -p udp -m udp --dport 9031 -j ACCEPT
-A MINIUPNPD -d 192.168.99.194/32 -p udp -m udp --dport 9032 -j ACCEPT
-A MINIUPNPD -d 192.168.99.194/32 -p udp -m udp --dport 9033 -j ACCEPT
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Aug 31 23:01:29 2022

#IPv6 NAT chain

# Generated by ip6tables-save v1.8.7 on Wed Aug 31 23:01:29 2022
*nat
:PREROUTING ACCEPT [124:37841]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [40:3451]
:POSTROUTING ACCEPT [40:3451]
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
COMMIT
# Completed on Wed Aug 31 23:01:29 2022

#IPv6 Mangle chain

# Generated by ip6tables-save v1.8.7 on Wed Aug 31 23:01:29 2022
*mangle
:PREROUTING ACCEPT [330:59140]
:INPUT ACCEPT [179:19063]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [186:20199]
:POSTROUTING ACCEPT [186:20199]
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Aug 31 23:01:29 2022

#IPv6 Filter chain

# Generated by ip6tables-save v1.8.7 on Wed Aug 31 23:01:29 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [16:1408]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Aug 31 23:01:29 2022

#===================== IPSET状态 =====================#

#===================== 路由表状态 =====================#

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.242.0.0      0.0.0.0         255.255.0.0     U     0      0        0 ztzlgmpcam
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.44.0    10.242.100.99   255.255.255.0   UG    5000   0        0 ztzlgmpcam
192.168.55.0    10.242.100.235  255.255.255.0   UG    5000   0        0 ztzlgmpcam
192.168.66.0    10.242.100.37   255.255.255.0   UG    5000   0        0 ztzlgmpcam
192.168.77.0    10.242.100.75   255.255.255.0   UG    5000   0        0 ztzlgmpcam
192.168.88.0    10.242.100.92   255.255.255.0   UG    5000   0        0 ztzlgmpcam
192.168.99.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan
#ip route list
default via 192.168.1.1 dev eth0 proto static src 192.168.1.2 
10.242.0.0/16 dev ztzlgmpcam proto kernel scope link src 10.242.100.212 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2 
192.168.44.0/24 via 10.242.100.99 dev ztzlgmpcam proto static metric 5000 
192.168.55.0/24 via 10.242.100.235 dev ztzlgmpcam proto static metric 5000 
192.168.66.0/24 via 10.242.100.37 dev ztzlgmpcam proto static metric 5000 
192.168.77.0/24 via 10.242.100.75 dev ztzlgmpcam proto static metric 5000 
192.168.88.0/24 via 10.242.100.92 dev ztzlgmpcam proto static metric 5000 
192.168.99.0/24 dev br-lan proto kernel scope link src 192.168.99.1 
#ip rule show
0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default

#===================== Tun设备状态 =====================#

ztzlgmpcam: tap

#===================== 端口占用状态 =====================#

#===================== 测试本机DNS查询 =====================#

Server:     127.0.0.1
Address:    127.0.0.1:53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com
Name:   www.a.shifen.com
Address: 36.152.44.96
Name:   www.a.shifen.com
Address: 36.152.44.95

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com

#===================== resolv.conf.d =====================#

# Interface wan
nameserver 192.168.1.1

#===================== 测试本机网络连接 =====================#

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Wed, 31 Aug 2022 15:01:29 GMT
Etag: "575e1f7c-115"
Last-Modified: Mon, 13 Jun 2016 02:50:36 GMT
Pragma: no-cache
Server: bfe/1.0.8.18

#===================== 测试本机网络下载 =====================#

#===================== 最近运行日志 =====================#

2022-08-31 23:00:21 OpenClash Stoping...
2022-08-31 23:00:21 Step 1: Backup The Current Groups State...
2022-08-31 23:00:21 Step 2: Delete OpenClash Firewall Rules...
2022-08-31 23:00:22 Step 3: Close The OpenClash Daemons...
2022-08-31 23:00:22 Step 4: Close The Clash Core Process...
2022-08-31 23:00:22 Step 5: Restart Dnsmasq...
2022-08-31 23:00:24 Step 6: Delete OpenClash Residue File...
2022-08-31 23:00:24 OpenClash Start Running...
2022-08-31 23:00:24 Step 1: Get The Configuration...
2022-08-31 23:00:24 Step 2: Check The Components...
2022-08-31 23:00:24 Tip: Detected that the Chnroute Cidr List Format is wrong, Ready to Reformat...
2022-08-31 23:00:24 Start Downloading The Chnroute Cidr List...
2022-08-31 23:00:25 Chnroute Cidr List Download Success, Check Updated...
2022-08-31 23:00:25 Updated Chnroute Cidr List No Change, Do Nothing...
2022-08-31 23:00:28 Start Downloading The Chnroute6 Cidr List...
2022-08-31 23:00:28 Chnroute6 Cidr List Download Success, Check Updated...
2022-08-31 23:00:28 Updated Chnroute6 Cidr List No Change, Do Nothing...
2022-08-31 23:00:32 OpenClash Stoping...
2022-08-31 23:00:32 Step 1: Backup The Current Groups State...
2022-08-31 23:00:32 Step 2: Delete OpenClash Firewall Rules...
2022-08-31 23:00:33 Step 3: Close The OpenClash Daemons...
2022-08-31 23:00:33 Step 4: Close The Clash Core Process...
2022-08-31 23:00:33 Step 5: Restart Dnsmasq...
2022-08-31 23:00:36 Step 6: Delete OpenClash Residue File...

#===================== 活动连接信息 =====================#

OpenClash Config

No response

Expected Behavior

Startup completes normally.

Screenshots

No response

shmilyx commented 2 years ago

Same error; I just restored the snapshot.

ghost commented 2 years ago

It is probably a problem with today's commits; I compiled it as recently as last night and everything was normal.

vernlau commented 2 years ago

Version 54 is being adapted to Firewall4; switch the Base system to Firewall4.

vernlau commented 2 years ago

image image

ghost commented 2 years ago

Version 54 is being adapted to Firewall4; switch the Base system to Firewall4.

Does adapting to FW4 mean abandoning iptables entirely?

vernlau commented 2 years ago

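Version 54 is being adapted to Firewall4; switch the Base system to Firewall4.

Does adapting to FW4 mean abandoning iptables entirely?

I'm not sure about that. If you compile it yourself, you need to look at what the author has updated; after switching to fw4 it does start, and I have been using it normally for a day.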

vernesong commented 2 years ago

https://github.com/vernesong/OpenClash/commit/c504e53e88de64a69628c0d59db8cac122d896b3

ghost commented 2 years ago

c504e53

I just tried compiling this commit, and it is still the same problem. What I can confirm is that 0.45.53 is good.

zgc commented 2 years ago

c504e53

I just tried compiling this commit, and it is still the same problem. What I can confirm is that 0.45.53 is good.

Yes.

openips commented 2 years ago

Same problem. I'm using dev commit f8cf5afd4369ee53009847fb49d843853a7a12b4. I took a look and it may be an nft problem.

OpenClash 调试日志

生成时间: 2022-09-01 07:02:50
插件版本: v0.45.54-beta
隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息


#===================== 系统信息 =====================#

主机型号: QEMU Standard PC (i440FX + PIIX, 1996)
固件版本: OpenWrt SNAPSHOT r20439-a96382c1bb
LuCI版本: git-20.191.33648-4ddcb36
内核版本: 5.10.138
处理器架构: x86_64

#此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: 

#此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#6054

#===================== 依赖检查 =====================#

dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci-19.07): 已安装
kmod-inet-diag(PROCESS-NAME): 已安装
unzip: 已安装
iptables-mod-tproxy: 已安装
kmod-ipt-tproxy: 已安装
iptables-mod-extra: 已安装
kmod-ipt-extra: 已安装
kmod-ipt-nat: 已安装

#===================== 内核检查 =====================#

运行状态: 未运行
已选择的架构: linux-amd64

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2022.07.07-15-g4104b53
Tun内核文件: 存在
Tun内核运行权限: 正常

Dev内核版本: v1.11.4-13-g6e058f8
Dev内核文件: 存在
Dev内核运行权限: 正常

Meta内核版本: alpha-g42e489e
Meta内核文件: 存在
Meta内核运行权限: 正常

#===================== 插件设置 =====================#

当前配置文件: /etc/openclash/config/config.yaml
启动配置文件: /etc/openclash/config.yaml
运行模式: redir-host
默认代理模式: rule
UDP流量转发(tproxy): 停用
DNS劫持: 启用
自定义DNS: 启用
IPV6代理: 停用
IPV6-DNS解析: 停用
禁用Dnsmasq缓存: 启用
自定义规则: 启用
仅允许内网: 停用
仅代理命中规则流量: 停用
仅允许常用端口流量: 停用
绕过中国大陆IP: 启用
DNS远程解析: 启用
路由本机代理: 启用

#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用

#启动异常时建议关闭此项后重试
第三方规则: 启用

#===================== 自定义规则 一 =====================#
script:
##  shortcuts:
##    Notice: The core timezone is UTC
##    CST 20:00-24:00 = time.now().hour > 12 and time.now().hour < 16
##    The core timezone is UTC, so the time.now() values below must be converted from the local timezone
##    Beijing time (CST) 20:00-24:00 = time.now().hour > 12 and time.now().hour < 16
##    quic: network == 'udp' and dst_port == 443 and (geoip(resolve_ip(host)) != 'CN' or geoip(dst_ip) != 'CN')
##    time-limit: in_cidr(src_ip,'192.168.1.2/32') and time.now().hour < 20 or time.now().hour > 21
##    time-limit: src_ip == '192.168.1.2' and time.now().hour < 20 or time.now().hour > 21

##  code: |
##    def main(ctx, metadata):
##        directkeywordlist = ["baidu"]
##        for directkeyword in directkeywordlist:
##          if directkeyword in metadata["host"]:
##            ctx.log('[Script] matched keyword %s use direct' % directkeyword)
##            return "DIRECT"

rules:
##- SCRIPT,quic,REJECT #shortcuts rule
##- SCRIPT,time-limit,REJECT #shortcuts rule
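##- PROCESS-NAME,curl,DIRECT #match the router's own process (curl goes direct)
##- DOMAIN-SUFFIX,google.com,Proxy #match domain suffix (handed to the Proxy proxy server group)
##- DOMAIN-KEYWORD,google,Proxy #match domain keyword (handed to the Proxy proxy server group)
##- DOMAIN,google.com,Proxy #match domain (handed to the Proxy proxy server group)
##- DOMAIN-SUFFIX,ad.com,REJECT #match domain suffix (reject)
##- IP-CIDR,127.0.0.0/8,DIRECT #match destination IP (direct)
##- SRC-IP-CIDR,192.168.1.201/32,DIRECT #match source IP (direct)
##- DST-PORT,80,DIRECT #match destination port (direct)
##- SRC-PORT,7777,DIRECT #match source port (direct)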

##Rules listed earlier take precedence; for example, add (remove the # in front of the rule):
##IP range: 192.168.1.2-192.168.1.200 direct
##- SRC-IP-CIDR,192.168.1.2/31,DIRECT
##- SRC-IP-CIDR,192.168.1.4/30,DIRECT
##- SRC-IP-CIDR,192.168.1.8/29,DIRECT
##- SRC-IP-CIDR,192.168.1.16/28,DIRECT
##- SRC-IP-CIDR,192.168.1.32/27,DIRECT
##- SRC-IP-CIDR,192.168.1.64/26,DIRECT
##- SRC-IP-CIDR,192.168.1.128/26,DIRECT
##- SRC-IP-CIDR,192.168.1.192/29,DIRECT
##- SRC-IP-CIDR,192.168.1.200/32,DIRECT

##IP range: 192.168.1.202-192.168.1.255 direct
##- SRC-IP-CIDR,192.168.1.202/31,DIRECT
##- SRC-IP-CIDR,192.168.1.204/30,DIRECT
##- SRC-IP-CIDR,192.168.1.208/28,DIRECT
##- SRC-IP-CIDR,192.168.1.224/27,DIRECT

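##With these rules, traffic from the clients at 192.168.1.1 and 192.168.1.201 goes through the proxy (policy); the other clients do not use the proxy
##Because in Fake-IP mode the router's own traffic (IP address 192.168.1.1) can go through the proxy (policy), it needs to be excluded

##Set only the router itself to direct: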
##- SRC-IP-CIDR,192.168.1.1/32,DIRECT
##- SRC-IP-CIDR,198.18.0.1/32,DIRECT

##DDNS
##- DOMAIN-SUFFIX,checkip.dyndns.org,DIRECT
##- DOMAIN-SUFFIX,checkipv6.dyndns.org,DIRECT
##- DOMAIN-SUFFIX,checkip.synology.com,DIRECT
##- DOMAIN-SUFFIX,ifconfig.co,DIRECT
##- DOMAIN-SUFFIX,api.myip.com,DIRECT
##- DOMAIN-SUFFIX,ip-api.com,DIRECT
##- DOMAIN-SUFFIX,ipapi.co,DIRECT
##- DOMAIN-SUFFIX,ip6.seeip.org,DIRECT
##- DOMAIN-SUFFIX,members.3322.org,DIRECT

##Online IP range to CIDR converter: http://ip2cidr.com
#===================== Custom Rules 2 =====================#
script:
##  shortcuts:
##    common_port: dst_port not in [21, 22, 23, 53, 80, 123, 143, 194, 443, 465, 587, 853, 993, 995, 998, 2052, 2053, 2082, 2083, 2086, 2095, 2096, 5222, 5228, 5229, 5230, 8080, 8443, 8880, 8888, 8889]

##  code: |
##    def main(ctx, metadata):
##        directkeywordlist = ["baidu"]
##        for directkeyword in directkeywordlist:
##          if directkeyword in metadata["host"]:
##            ctx.log('[Script] matched keyword %s use direct' % directkeyword)
##            return "DIRECT"

rules:
##- SCRIPT,common_port,DIRECT #shortcuts rule

##- DOMAIN-SUFFIX,google.com,Proxy #match domain suffix (handled by the Proxy proxy group)
##- DOMAIN-KEYWORD,google,Proxy #match domain keyword (handled by the Proxy proxy group)
##- DOMAIN,google.com,Proxy #match domain (handled by the Proxy proxy group)
##- DOMAIN-SUFFIX,ad.com,REJECT #match domain suffix (reject)
##- IP-CIDR,127.0.0.0/8,DIRECT #match destination IP (direct)
##- SRC-IP-CIDR,192.168.1.201/32,DIRECT #match source IP (direct)
##- DST-PORT,80,DIRECT #match destination port (direct)
##- SRC-PORT,7777,DIRECT #match source port (direct)

#===================== Config File =====================#

proxy-groups:
- name: Auto - UrlTest
  type: url-test
  proxies:
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
  url: https://cp.cloudflare.com/generate_204
  interval: '600'
  tolerance: '250'
- name: Proxy
  type: select
  proxies:
  - Auto - UrlTest
  - DIRECT
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: Domestic
  type: select
  proxies:
  - DIRECT
  - Proxy
- name: Others
  type: select
  proxies:
  - Proxy
  - DIRECT
  - Domestic
- name: Microsoft
  type: select
  proxies:
  - DIRECT
  - Proxy
- name: Apple
  type: select
  proxies:
  - DIRECT
  - Proxy
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: Google FCM
  type: select
  proxies:
  - DIRECT
  - Proxy
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: Scholar
  type: select
  proxies:
  - DIRECT
  - Proxy
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: Bilibili
  type: select
  proxies:
  - Asian TV
  - DIRECT
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: Douyin
  type: select
  proxies:
  - DIRECT
  - Asian TV
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: Bahamut
  type: select
  proxies:
  - Global TV
  - DIRECT
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: HBO Max
  type: select
  proxies:
  - Global TV
  - DIRECT
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: HBO Go
  type: select
  proxies:
  - Global TV
  - DIRECT
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: Pornhub
  type: select
  proxies:
  - Global TV
  - DIRECT
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: Netflix
  type: select
  proxies:
  - Global TV
  - DIRECT
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: Disney
  type: select
  proxies:
  - Global TV
  - DIRECT
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: Youtube
  type: select
  disable-udp: true
  proxies:
  - Global TV
  - DIRECT
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: Discovery Plus
  type: select
  proxies:
  - Global TV
  - DIRECT
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: DAZN
  type: select
  proxies:
  - Global TV
  - DIRECT
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: Spotify
  type: select
  proxies:
  - Global TV
  - DIRECT
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: Steam
  type: select
  proxies:
  - DIRECT
  - Proxy
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: AdBlock
  type: select
  proxies:
  - REJECT
  - DIRECT
  - Proxy
- name: Asian TV
  type: select
  proxies:
  - DIRECT
  - Proxy
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: Global TV
  type: select
  proxies:
  - Proxy
  - DIRECT
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: Speedtest
  type: select
  proxies:
  - Proxy
  - DIRECT
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: Telegram
  type: select
  proxies:
  - Proxy
  - DIRECT
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: Crypto
  type: select
  proxies:
  - Proxy
  - DIRECT
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
- name: PayPal
  type: select
  proxies:
  - DIRECT
  - Proxy
  - sg
  - sg_http
  - us
  - us_http
  - ru
  - ru_http
redir-port: 7892
tproxy-port: 7895
port: 7890
socks-port: 7891
mixed-port: 7893
mode: rule
log-level: silent
allow-lan: true
external-controller: 0.0.0.0:9090
bind-address: "*"
external-ui: "/usr/share/openclash/ui"
ipv6: false
dns:
  enable: true
  ipv6: false
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  listen: 0.0.0.0:7874
  nameserver:
  - 127.0.0.1:6054
  fake-ip-filter:
  - "+.*"
experimental:
  sniff-tls-sni: true
profile:
  store-selected: true
  store-fake-ip: true
authentication:
- Clash:e3LgYc9x
rule-providers:
  Reject:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Reject.yaml
    path: "./rule_provider/Reject"
    interval: 86400
  Special:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Special.yaml
    path: "./rule_provider/Special"
    interval: 86400
  Netflix:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Netflix.yaml
    path: "./rule_provider/Netflix"
    interval: 86400
  Spotify:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Spotify.yaml
    path: "./rule_provider/Spotify"
    interval: 86400
  YouTube:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/YouTube.yaml
    path: "./rule_provider/YouTube"
    interval: 86400
  Bilibili:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Bilibili.yaml
    path: "./rule_provider/Bilibili"
    interval: 86400
  IQ:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/IQ.yaml
    path: "./rule_provider/IQI"
    interval: 86400
  IQIYI:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/IQIYI.yaml
    path: "./rule_provider/IQYI"
    interval: 86400
  Letv:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Letv.yaml
    path: "./rule_provider/Letv"
    interval: 86400
  Netease Music:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Netease%20Music.yaml
    path: "./rule_provider/Netease_Music"
    interval: 86400
  Tencent Video:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Tencent%20Video.yaml
    path: "./rule_provider/Tencent_Video"
    interval: 86400
  Youku:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Youku.yaml
    path: "./rule_provider/Youku"
    interval: 86400
  WeTV:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/WeTV.yaml
    path: "./rule_provider/WeTV"
    interval: 86400
  ABC:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/ABC.yaml
    path: "./rule_provider/ABC"
    interval: 86400
  Abema TV:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Abema%20TV.yaml
    path: "./rule_provider/Abema_TV"
    interval: 86400
  Amazon:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Amazon.yaml
    path: "./rule_provider/Amazon"
    interval: 86400
  Apple News:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Apple%20News.yaml
    path: "./rule_provider/Apple_News"
    interval: 86400
  Apple TV:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Apple%20TV.yaml
    path: "./rule_provider/Apple_TV"
    interval: 86400
  Bahamut:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Bahamut.yaml
    path: "./rule_provider/Bahamut"
    interval: 86400
  BBC iPlayer:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/BBC%20iPlayer.yaml
    path: "./rule_provider/BBC_iPlayer"
    interval: 86400
  DAZN:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/DAZN.yaml
    path: "./rule_provider/DAZN"
    interval: 86400
  Discovery Plus:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Discovery%20Plus.yaml
    path: "./rule_provider/Discovery_Plus"
    interval: 86400
  Disney Plus:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Disney%20Plus.yaml
    path: "./rule_provider/Disney_Plus"
    interval: 86400
  encoreTVB:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/encoreTVB.yaml
    path: "./rule_provider/encoreTVB"
    interval: 86400
  F1 TV:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/F1%20TV.yaml
    path: "./rule_provider/F1_TV"
    interval: 86400
  Fox Now:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Fox%20Now.yaml
    path: "./rule_provider/Fox_Now"
    interval: 86400
  Fox+:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Fox%2B.yaml
    path: "./rule_provider/Fox+"
    interval: 86400
  HBO Go:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/HBO%20Go.yaml
    path: "./rule_provider/HBO_Go"
    interval: 86400
  HBO Max:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/HBO%20Max.yaml
    path: "./rule_provider/HBO_Max"
    interval: 86400
  Hulu Japan:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Hulu%20Japan.yaml
    path: "./rule_provider/Hulu_Japan"
    interval: 86400
  Hulu:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Hulu.yaml
    path: "./rule_provider/Hulu"
    interval: 86400
  Japonx:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Japonx.yaml
    path: "./rule_provider/Japonx"
    interval: 86400
  JOOX:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/JOOX.yaml
    path: "./rule_provider/JOOX"
    interval: 86400
  KKBOX:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/KKBOX.yaml
    path: "./rule_provider/KKBOX"
    interval: 86400
  KKTV:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/KKTV.yaml
    path: "./rule_provider/KKTV"
    interval: 86400
  Line TV:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Line%20TV.yaml
    path: "./rule_provider/Line_TV"
    interval: 86400
  myTV SUPER:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/myTV%20SUPER.yaml
    path: "./rule_provider/myTV_SUPER"
    interval: 86400
  Pandora:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Pandora.yaml
    path: "./rule_provider/Pandora"
    interval: 86400
  PBS:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/PBS.yaml
    path: "./rule_provider/PBS"
    interval: 86400
  Pornhub:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Pornhub.yaml
    path: "./rule_provider/Pornhub"
    interval: 86400
  Soundcloud:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Soundcloud.yaml
    path: "./rule_provider/Soundcloud"
    interval: 86400
  ViuTV:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/ViuTV.yaml
    path: "./rule_provider/ViuTV"
    interval: 86400
  Telegram:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Telegram.yaml
    path: "./rule_provider/Telegram"
    interval: 86400
  Crypto:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Crypto.yaml
    path: "./rule_provider/Crypto"
    interval: 86400
  Douyin:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Douyin.yaml
    path: "./rule_provider/Douyin"
    interval: 86400
  Steam:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Steam.yaml
    path: "./rule_provider/Steam"
    interval: 86400
  Speedtest:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Speedtest.yaml
    path: "./rule_provider/Speedtest"
    interval: 86400
  PayPal:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/PayPal.yaml
    path: "./rule_provider/PayPal"
    interval: 86400
  Microsoft:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Microsoft.yaml
    path: "./rule_provider/Microsoft"
    interval: 86400
  PROXY:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Proxy.yaml
    path: "./rule_provider/Proxy"
    interval: 86400
  Domestic:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Domestic.yaml
    path: "./rule_provider/Domestic"
    interval: 86400
  Apple:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Apple.yaml
    path: "./rule_provider/Apple"
    interval: 86400
  Google FCM:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Google%20FCM.yaml
    path: "./rule_provider/Google FCM"
    interval: 86400
  Scholar:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Scholar.yaml
    path: "./rule_provider/Scholar"
    interval: 86400
  Domestic IPs:
    type: http
    behavior: ipcidr
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Domestic%20IPs.yaml
    path: "./rule_provider/Domestic_IPs"
    interval: 86400
  LAN:
    type: http
    behavior: classical
    url: https://fastly.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/LAN.yaml
    path: "./rule_provider/LAN"
    interval: 86400
  国内域名白名单:
    type: http
    behavior: classical
    path: "/etc/openclash/rule_provider/China.yaml"
    url: https://raw.githubusercontent.com/DivineEngine/Profiles/master/Clash/RuleSet/China.yaml
    interval: 86400
script:
  code: |
    def main(ctx, metadata):
        ruleset_action = {"Reject": "AdBlock",
            "Special": "DIRECT",
            "Netflix": "Netflix",
            "Spotify": "Spotify",
            "YouTube": "Youtube",
            "Disney Plus": "Disney",
            "Bilibili": "Bilibili",
            "IQ": "Asian TV",
            "IQIYI": "Asian TV",
            "Letv": "Asian TV",
            "Netease Music": "Asian TV",
            "Tencent Video": "Asian TV",
            "Youku": "Asian TV",
            "WeTV": "Asian TV",
            "ABC": "Global TV",
            "Abema TV": "Global TV",
            "Amazon": "Global TV",
            "Apple News": "Global TV",
            "Apple TV": "Global TV",
            "Bahamut": "Bahamut",
            "BBC iPlayer": "Global TV",
            "DAZN": "DAZN",
            "Discovery Plus": "Discovery Plus",
            "encoreTVB": "Global TV",
            "F1 TV": "Global TV",
            "Fox Now": "Global TV",
            "Fox+": "Global TV",
            "HBO Go": "HBO Go",
            "HBO Max": "HBO Max",
            "Hulu Japan": "Global TV",
            "Hulu": "Global TV",
            "Japonx": "Global TV",
            "JOOX": "Global TV",
            "KKBOX": "Global TV",
            "KKTV": "Global TV",
            "Line TV": "Global TV",
            "myTV SUPER": "Global TV",
            "Pandora": "Global TV",
            "PBS": "Global TV",
            "Pornhub": "Pornhub",
            "Soundcloud": "Global TV",
            "ViuTV": "Global TV",
            "Telegram": "Telegram",
            "Crypto": "Crypto",
            "Douyin": "Douyin",
            "Steam": "Steam",
            "Speedtest": "Speedtest",
            "PayPal": "PayPal",
            "Microsoft": "Microsoft",
            "Apple": "Apple",
            "Google FCM": "Google FCM",
            "Scholar": "Scholar",
            "PROXY": "Proxy",
            "Domestic": "Domestic",
            "Domestic IPs": "Domestic",
            "LAN": "DIRECT"
          }

        port = int(metadata["dst_port"])

        if metadata["network"] == "UDP":
            if port == 443:
                ctx.log('[Script] matched QUIC traffic use reject')
                return "REJECT"

        port_list = [21, 22, 23, 53, 80, 123, 143, 194, 443, 465, 587, 853, 993, 995, 998, 2052, 2053, 2082, 2083, 2086, 2095, 2096, 5222, 5228, 5229, 5230, 8080, 8443, 8880, 8888, 8889]
        if port not in port_list:
            ctx.log('[Script] not common port use direct')
            return "DIRECT"

        if metadata["dst_ip"] == "":
            metadata["dst_ip"] = ctx.resolve_ip(metadata["host"])

        for ruleset in ruleset_action:
            if ctx.rule_providers[ruleset].match(metadata):
                return ruleset_action[ruleset]

        if metadata["dst_ip"] == "":
            return "DIRECT"

        code = ctx.geoip(metadata["dst_ip"])
        if code == "CN":
            ctx.log('[Script] Geoip CN')
            return "Domestic"

        ctx.log('[Script] FINAL')
        return "Others"
rules:
- DST-PORT,7895,REJECT
- DST-PORT,7892,REJECT
- IP-CIDR,198.18.0.1/16,REJECT,no-resolve
- DOMAIN-SUFFIX,openbsd.cyou,DIRECT
- DOMAIN-SUFFIX,api.cloudflare.com,DIRECT
- DOMAIN-SUFFIX,aweray.com,DIRECT
- DOMAIN-SUFFIX,icloud.com,DIRECT
- RULE-SET,国内域名白名单,DIRECT
- RULE-SET,Reject,AdBlock
- RULE-SET,Special,DIRECT
- RULE-SET,Netflix,Netflix
- RULE-SET,Spotify,Spotify
- RULE-SET,YouTube,Youtube
- RULE-SET,Disney Plus,Disney
- RULE-SET,Bilibili,Bilibili
- RULE-SET,IQ,Asian TV
- RULE-SET,IQIYI,Asian TV
- RULE-SET,Letv,Asian TV
- RULE-SET,Netease Music,Asian TV
- RULE-SET,Tencent Video,Asian TV
- RULE-SET,Youku,Asian TV
- RULE-SET,WeTV,Asian TV
- RULE-SET,ABC,Global TV
- RULE-SET,Abema TV,Global TV
- RULE-SET,Amazon,Global TV
- RULE-SET,Apple News,Global TV
- RULE-SET,Apple TV,Global TV
- RULE-SET,Bahamut,Bahamut
- RULE-SET,BBC iPlayer,Global TV
- RULE-SET,DAZN,DAZN
- RULE-SET,Discovery Plus,Discovery Plus
- RULE-SET,encoreTVB,Global TV
- RULE-SET,F1 TV,Global TV
- RULE-SET,Fox Now,Global TV
- RULE-SET,Fox+,Global TV
- RULE-SET,HBO Go,HBO Go
- RULE-SET,HBO Max,HBO Max
- RULE-SET,Hulu Japan,Global TV
- RULE-SET,Hulu,Global TV
- RULE-SET,Japonx,Global TV
- RULE-SET,JOOX,Global TV
- RULE-SET,KKBOX,Global TV
- RULE-SET,KKTV,Global TV
- RULE-SET,Line TV,Global TV
- RULE-SET,myTV SUPER,Global TV
- RULE-SET,Pandora,Global TV
- RULE-SET,PBS,Global TV
- RULE-SET,Pornhub,Pornhub
- RULE-SET,Soundcloud,Global TV
- RULE-SET,ViuTV,Global TV
- RULE-SET,Telegram,Telegram
- RULE-SET,Crypto,Crypto
- RULE-SET,Douyin,Douyin
- RULE-SET,Steam,Steam
- RULE-SET,Speedtest,Speedtest
- RULE-SET,PayPal,PayPal
- RULE-SET,Microsoft,Microsoft
- RULE-SET,Apple,Apple
- RULE-SET,Google FCM,Google FCM
- RULE-SET,Scholar,Scholar
- RULE-SET,PROXY,Proxy
- RULE-SET,Domestic,Domestic
- RULE-SET,Domestic IPs,Domestic
- RULE-SET,LAN,DIRECT
- GEOIP,CN,Domestic
- MATCH,Others

#===================== Firewall Settings =====================#

#IPv4 NAT chain

# Generated by iptables-save v1.8.8 on Thu Sep  1 07:02:51 2022
*nat
:PREROUTING ACCEPT [11011:2750617]
:INPUT ACCEPT [1263:89535]
:OUTPUT ACCEPT [10190:633323]
:POSTROUTING ACCEPT [1354:93928]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -p udp -m udp --dport 123 -j REDIRECT --to-ports 123
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth3 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i pppoe-cmcc_wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i pppoe-ct_wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth3 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o pppoe-cmcc_wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o pppoe-ct_wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.1/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Router-WEB (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 192.168.1.1/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Router-WEB (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.3/32 -p tcp -m tcp --dport 90 -m comment --comment "!fw3: AP-3_WEB (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 192.168.1.3/32 -p tcp -m tcp --dport 90 -m comment --comment "!fw3: AP-3_WEB (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.100/32 -p tcp -m tcp --dport 5555 -m comment --comment "!fw3: PC-Remote (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 192.168.1.100/32 -p tcp -m tcp --dport 5555 -m comment --comment "!fw3: PC-Remote (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.20/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 192.168.1.20/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.10/32 -p tcp -m tcp --dport 3306 -m comment --comment "!fw3: mysql (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 192.168.1.10/32 -p tcp -m tcp --dport 3306 -m comment --comment "!fw3: mysql (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.25/32 -p tcp -m tcp --dport 3690 -m comment --comment "!fw3: svn (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 192.168.1.25/32 -p tcp -m tcp --dport 3690 -m comment --comment "!fw3: svn (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.252/32 -p tcp -m tcp --dport 8006 -m comment --comment "!fw3: 252web (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 192.168.1.252/32 -p tcp -m tcp --dport 8006 -m comment --comment "!fw3: 252web (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.6/32 -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: PT (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 192.168.1.6/32 -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: PT (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.5/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: NAS_WEB (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 192.168.1.5/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: NAS_WEB (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.45/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: TEST_WEB (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 192.168.1.45/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: TEST_WEB (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.26/32 -p udp -m udp --dport 2736 -m comment --comment "!fw3: wireguad (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 192.168.1.26/32 -p udp -m udp --dport 2736 -m comment --comment "!fw3: wireguad (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.36/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: IMG_SSH (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 192.168.1.36/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: IMG_SSH (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.1/32 -p udp -m udp --dport 1111 -m comment --comment "!fw3: WIREGUARD (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 192.168.1.1/32 -p udp -m udp --dport 1111 -m comment --comment "!fw3: WIREGUARD (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -m comment --comment "!fw3: fullclon" -j MASQUERADE
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 88 -m comment --comment "!fw3: Router-WEB (reflection)" -j DNAT --to-destination 192.168.1.1:80
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 88 -m comment --comment "!fw3: Router-WEB (reflection)" -j DNAT --to-destination 192.168.1.1:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 88 -m comment --comment "!fw3: Router-WEB (reflection)" -j DNAT --to-destination 192.168.1.1:80
-A zone_lan_prerouting -s 10.0.0.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 88 -m comment --comment "!fw3: Router-WEB (reflection)" -j DNAT --to-destination 192.168.1.1:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 88 -m comment --comment "!fw3: Router-WEB (reflection)" -j DNAT --to-destination 192.168.1.1:80
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 88 -m comment --comment "!fw3: Router-WEB (reflection)" -j DNAT --to-destination 192.168.1.1:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 88 -m comment --comment "!fw3: Router-WEB (reflection)" -j DNAT --to-destination 192.168.1.1:80
-A zone_lan_prerouting -s 10.0.0.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 88 -m comment --comment "!fw3: Router-WEB (reflection)" -j DNAT --to-destination 192.168.1.1:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 88 -m comment --comment "!fw3: Router-WEB (reflection)" -j DNAT --to-destination 192.168.1.1:80
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 88 -m comment --comment "!fw3: Router-WEB (reflection)" -j DNAT --to-destination 192.168.1.1:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 90 -m comment --comment "!fw3: AP-3_WEB (reflection)" -j DNAT --to-destination 192.168.1.3:90
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 90 -m comment --comment "!fw3: AP-3_WEB (reflection)" -j DNAT --to-destination 192.168.1.3:90
-A zone_lan_prerouting -s 192.168.1.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 90 -m comment --comment "!fw3: AP-3_WEB (reflection)" -j DNAT --to-destination 192.168.1.3:90
-A zone_lan_prerouting -s 10.0.0.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 90 -m comment --comment "!fw3: AP-3_WEB (reflection)" -j DNAT --to-destination 192.168.1.3:90
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 90 -m comment --comment "!fw3: AP-3_WEB (reflection)" -j DNAT --to-destination 192.168.1.3:90
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 90 -m comment --comment "!fw3: AP-3_WEB (reflection)" -j DNAT --to-destination 192.168.1.3:90
-A zone_lan_prerouting -s 192.168.1.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 90 -m comment --comment "!fw3: AP-3_WEB (reflection)" -j DNAT --to-destination 192.168.1.3:90
-A zone_lan_prerouting -s 10.0.0.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 90 -m comment --comment "!fw3: AP-3_WEB (reflection)" -j DNAT --to-destination 192.168.1.3:90
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 90 -m comment --comment "!fw3: AP-3_WEB (reflection)" -j DNAT --to-destination 192.168.1.3:90
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 90 -m comment --comment "!fw3: AP-3_WEB (reflection)" -j DNAT --to-destination 192.168.1.3:90
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 5555 -m comment --comment "!fw3: PC-Remote (reflection)" -j DNAT --to-destination 192.168.1.100:5555
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 5555 -m comment --comment "!fw3: PC-Remote (reflection)" -j DNAT --to-destination 192.168.1.100:5555
-A zone_lan_prerouting -s 192.168.1.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 5555 -m comment --comment "!fw3: PC-Remote (reflection)" -j DNAT --to-destination 192.168.1.100:5555
-A zone_lan_prerouting -s 10.0.0.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 5555 -m comment --comment "!fw3: PC-Remote (reflection)" -j DNAT --to-destination 192.168.1.100:5555
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 5555 -m comment --comment "!fw3: PC-Remote (reflection)" -j DNAT --to-destination 192.168.1.100:5555
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 5555 -m comment --comment "!fw3: PC-Remote (reflection)" -j DNAT --to-destination 192.168.1.100:5555
-A zone_lan_prerouting -s 192.168.1.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 5555 -m comment --comment "!fw3: PC-Remote (reflection)" -j DNAT --to-destination 192.168.1.100:5555
-A zone_lan_prerouting -s 10.0.0.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 5555 -m comment --comment "!fw3: PC-Remote (reflection)" -j DNAT --to-destination 192.168.1.100:5555
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 5555 -m comment --comment "!fw3: PC-Remote (reflection)" -j DNAT --to-destination 192.168.1.100:5555
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 5555 -m comment --comment "!fw3: PC-Remote (reflection)" -j DNAT --to-destination 192.168.1.100:5555
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j DNAT --to-destination 192.168.1.20:1194
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j DNAT --to-destination 192.168.1.20:1194
-A zone_lan_prerouting -s 192.168.1.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j DNAT --to-destination 192.168.1.20:1194
-A zone_lan_prerouting -s 10.0.0.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j DNAT --to-destination 192.168.1.20:1194
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j DNAT --to-destination 192.168.1.20:1194
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j DNAT --to-destination 192.168.1.20:1194
-A zone_lan_prerouting -s 192.168.1.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j DNAT --to-destination 192.168.1.20:1194
-A zone_lan_prerouting -s 10.0.0.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j DNAT --to-destination 192.168.1.20:1194
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j DNAT --to-destination 192.168.1.20:1194
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j DNAT --to-destination 192.168.1.20:1194
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 3306 -m comment --comment "!fw3: mysql (reflection)" -j DNAT --to-destination 192.168.1.10:3306
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 3306 -m comment --comment "!fw3: mysql (reflection)" -j DNAT --to-destination 192.168.1.10:3306
-A zone_lan_prerouting -s 192.168.1.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 3306 -m comment --comment "!fw3: mysql (reflection)" -j DNAT --to-destination 192.168.1.10:3306
-A zone_lan_prerouting -s 10.0.0.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 3306 -m comment --comment "!fw3: mysql (reflection)" -j DNAT --to-destination 192.168.1.10:3306
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 3306 -m comment --comment "!fw3: mysql (reflection)" -j DNAT --to-destination 192.168.1.10:3306
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 3306 -m comment --comment "!fw3: mysql (reflection)" -j DNAT --to-destination 192.168.1.10:3306
-A zone_lan_prerouting -s 192.168.1.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 3306 -m comment --comment "!fw3: mysql (reflection)" -j DNAT --to-destination 192.168.1.10:3306
-A zone_lan_prerouting -s 10.0.0.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 3306 -m comment --comment "!fw3: mysql (reflection)" -j DNAT --to-destination 192.168.1.10:3306
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 3306 -m comment --comment "!fw3: mysql (reflection)" -j DNAT --to-destination 192.168.1.10:3306
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 3306 -m comment --comment "!fw3: mysql (reflection)" -j DNAT --to-destination 192.168.1.10:3306
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 3690 -m comment --comment "!fw3: svn (reflection)" -j DNAT --to-destination 192.168.1.25:3690
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 3690 -m comment --comment "!fw3: svn (reflection)" -j DNAT --to-destination 192.168.1.25:3690
-A zone_lan_prerouting -s 192.168.1.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 3690 -m comment --comment "!fw3: svn (reflection)" -j DNAT --to-destination 192.168.1.25:3690
-A zone_lan_prerouting -s 10.0.0.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 3690 -m comment --comment "!fw3: svn (reflection)" -j DNAT --to-destination 192.168.1.25:3690
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 3690 -m comment --comment "!fw3: svn (reflection)" -j DNAT --to-destination 192.168.1.25:3690
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 3690 -m comment --comment "!fw3: svn (reflection)" -j DNAT --to-destination 192.168.1.25:3690
-A zone_lan_prerouting -s 192.168.1.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 3690 -m comment --comment "!fw3: svn (reflection)" -j DNAT --to-destination 192.168.1.25:3690
-A zone_lan_prerouting -s 10.0.0.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 3690 -m comment --comment "!fw3: svn (reflection)" -j DNAT --to-destination 192.168.1.25:3690
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 3690 -m comment --comment "!fw3: svn (reflection)" -j DNAT --to-destination 192.168.1.25:3690
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 3690 -m comment --comment "!fw3: svn (reflection)" -j DNAT --to-destination 192.168.1.25:3690
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 62 -m comment --comment "!fw3: 252web (reflection)" -j DNAT --to-destination 192.168.1.252:8006
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 62 -m comment --comment "!fw3: 252web (reflection)" -j DNAT --to-destination 192.168.1.252:8006
-A zone_lan_prerouting -s 192.168.1.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 62 -m comment --comment "!fw3: 252web (reflection)" -j DNAT --to-destination 192.168.1.252:8006
-A zone_lan_prerouting -s 10.0.0.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 62 -m comment --comment "!fw3: 252web (reflection)" -j DNAT --to-destination 192.168.1.252:8006
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 62 -m comment --comment "!fw3: 252web (reflection)" -j DNAT --to-destination 192.168.1.252:8006
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 62 -m comment --comment "!fw3: 252web (reflection)" -j DNAT --to-destination 192.168.1.252:8006
-A zone_lan_prerouting -s 192.168.1.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 62 -m comment --comment "!fw3: 252web (reflection)" -j DNAT --to-destination 192.168.1.252:8006
-A zone_lan_prerouting -s 10.0.0.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 62 -m comment --comment "!fw3: 252web (reflection)" -j DNAT --to-destination 192.168.1.252:8006
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 62 -m comment --comment "!fw3: 252web (reflection)" -j DNAT --to-destination 192.168.1.252:8006
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 62 -m comment --comment "!fw3: 252web (reflection)" -j DNAT --to-destination 192.168.1.252:8006
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: PT (reflection)" -j DNAT --to-destination 192.168.1.6:9091
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: PT (reflection)" -j DNAT --to-destination 192.168.1.6:9091
-A zone_lan_prerouting -s 192.168.1.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: PT (reflection)" -j DNAT --to-destination 192.168.1.6:9091
-A zone_lan_prerouting -s 10.0.0.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: PT (reflection)" -j DNAT --to-destination 192.168.1.6:9091
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: PT (reflection)" -j DNAT --to-destination 192.168.1.6:9091
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: PT (reflection)" -j DNAT --to-destination 192.168.1.6:9091
-A zone_lan_prerouting -s 192.168.1.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: PT (reflection)" -j DNAT --to-destination 192.168.1.6:9091
-A zone_lan_prerouting -s 10.0.0.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: PT (reflection)" -j DNAT --to-destination 192.168.1.6:9091
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: PT (reflection)" -j DNAT --to-destination 192.168.1.6:9091
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: PT (reflection)" -j DNAT --to-destination 192.168.1.6:9091
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 40 -m comment --comment "!fw3: NAS_WEB (reflection)" -j DNAT --to-destination 192.168.1.5:80
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 40 -m comment --comment "!fw3: NAS_WEB (reflection)" -j DNAT --to-destination 192.168.1.5:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 40 -m comment --comment "!fw3: NAS_WEB (reflection)" -j DNAT --to-destination 192.168.1.5:80
-A zone_lan_prerouting -s 10.0.0.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 40 -m comment --comment "!fw3: NAS_WEB (reflection)" -j DNAT --to-destination 192.168.1.5:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 40 -m comment --comment "!fw3: NAS_WEB (reflection)" -j DNAT --to-destination 192.168.1.5:80
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 40 -m comment --comment "!fw3: NAS_WEB (reflection)" -j DNAT --to-destination 192.168.1.5:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 40 -m comment --comment "!fw3: NAS_WEB (reflection)" -j DNAT --to-destination 192.168.1.5:80
-A zone_lan_prerouting -s 10.0.0.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 40 -m comment --comment "!fw3: NAS_WEB (reflection)" -j DNAT --to-destination 192.168.1.5:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 40 -m comment --comment "!fw3: NAS_WEB (reflection)" -j DNAT --to-destination 192.168.1.5:80
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 40 -m comment --comment "!fw3: NAS_WEB (reflection)" -j DNAT --to-destination 192.168.1.5:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 9090 -m comment --comment "!fw3: TEST_WEB (reflection)" -j DNAT --to-destination 192.168.1.45:80
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 9090 -m comment --comment "!fw3: TEST_WEB (reflection)" -j DNAT --to-destination 192.168.1.45:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 9090 -m comment --comment "!fw3: TEST_WEB (reflection)" -j DNAT --to-destination 192.168.1.45:80
-A zone_lan_prerouting -s 10.0.0.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 9090 -m comment --comment "!fw3: TEST_WEB (reflection)" -j DNAT --to-destination 192.168.1.45:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 9090 -m comment --comment "!fw3: TEST_WEB (reflection)" -j DNAT --to-destination 192.168.1.45:80
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 9090 -m comment --comment "!fw3: TEST_WEB (reflection)" -j DNAT --to-destination 192.168.1.45:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 9090 -m comment --comment "!fw3: TEST_WEB (reflection)" -j DNAT --to-destination 192.168.1.45:80
-A zone_lan_prerouting -s 10.0.0.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 9090 -m comment --comment "!fw3: TEST_WEB (reflection)" -j DNAT --to-destination 192.168.1.45:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 9090 -m comment --comment "!fw3: TEST_WEB (reflection)" -j DNAT --to-destination 192.168.1.45:80
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 9090 -m comment --comment "!fw3: TEST_WEB (reflection)" -j DNAT --to-destination 192.168.1.45:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.100.2/32 -p udp -m udp --dport 2736 -m comment --comment "!fw3: wireguad (reflection)" -j DNAT --to-destination 192.168.1.26:2736
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.100.2/32 -p udp -m udp --dport 2736 -m comment --comment "!fw3: wireguad (reflection)" -j DNAT --to-destination 192.168.1.26:2736
-A zone_lan_prerouting -s 192.168.1.0/24 -d 182.116.72.135/32 -p udp -m udp --dport 2736 -m comment --comment "!fw3: wireguad (reflection)" -j DNAT --to-destination 192.168.1.26:2736
-A zone_lan_prerouting -s 10.0.0.0/24 -d 182.116.72.135/32 -p udp -m udp --dport 2736 -m comment --comment "!fw3: wireguad (reflection)" -j DNAT --to-destination 192.168.1.26:2736
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.150.2/32 -p udp -m udp --dport 2736 -m comment --comment "!fw3: wireguad (reflection)" -j DNAT --to-destination 192.168.1.26:2736
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.150.2/32 -p udp -m udp --dport 2736 -m comment --comment "!fw3: wireguad (reflection)" -j DNAT --to-destination 192.168.1.26:2736
-A zone_lan_prerouting -s 192.168.1.0/24 -d 10.16.161.146/32 -p udp -m udp --dport 2736 -m comment --comment "!fw3: wireguad (reflection)" -j DNAT --to-destination 192.168.1.26:2736
-A zone_lan_prerouting -s 10.0.0.0/24 -d 10.16.161.146/32 -p udp -m udp --dport 2736 -m comment --comment "!fw3: wireguad (reflection)" -j DNAT --to-destination 192.168.1.26:2736
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.200.2/32 -p udp -m udp --dport 2736 -m comment --comment "!fw3: wireguad (reflection)" -j DNAT --to-destination 192.168.1.26:2736
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.200.2/32 -p udp -m udp --dport 2736 -m comment --comment "!fw3: wireguad (reflection)" -j DNAT --to-destination 192.168.1.26:2736
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 103 -m comment --comment "!fw3: IMG_SSH (reflection)" -j DNAT --to-destination 192.168.1.36:22
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.100.2/32 -p tcp -m tcp --dport 103 -m comment --comment "!fw3: IMG_SSH (reflection)" -j DNAT --to-destination 192.168.1.36:22
-A zone_lan_prerouting -s 192.168.1.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 103 -m comment --comment "!fw3: IMG_SSH (reflection)" -j DNAT --to-destination 192.168.1.36:22
-A zone_lan_prerouting -s 10.0.0.0/24 -d 182.116.72.135/32 -p tcp -m tcp --dport 103 -m comment --comment "!fw3: IMG_SSH (reflection)" -j DNAT --to-destination 192.168.1.36:22
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 103 -m comment --comment "!fw3: IMG_SSH (reflection)" -j DNAT --to-destination 192.168.1.36:22
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.150.2/32 -p tcp -m tcp --dport 103 -m comment --comment "!fw3: IMG_SSH (reflection)" -j DNAT --to-destination 192.168.1.36:22
-A zone_lan_prerouting -s 192.168.1.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 103 -m comment --comment "!fw3: IMG_SSH (reflection)" -j DNAT --to-destination 192.168.1.36:22
-A zone_lan_prerouting -s 10.0.0.0/24 -d 10.16.161.146/32 -p tcp -m tcp --dport 103 -m comment --comment "!fw3: IMG_SSH (reflection)" -j DNAT --to-destination 192.168.1.36:22
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 103 -m comment --comment "!fw3: IMG_SSH (reflection)" -j DNAT --to-destination 192.168.1.36:22
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.200.2/32 -p tcp -m tcp --dport 103 -m comment --comment "!fw3: IMG_SSH (reflection)" -j DNAT --to-destination 192.168.1.36:22
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.100.2/32 -p udp -m udp --dport 1111 -m comment --comment "!fw3: WIREGUARD (reflection)" -j DNAT --to-destination 192.168.1.1:1111
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.100.2/32 -p udp -m udp --dport 1111 -m comment --comment "!fw3: WIREGUARD (reflection)" -j DNAT --to-destination 192.168.1.1:1111
-A zone_lan_prerouting -s 192.168.1.0/24 -d 182.116.72.135/32 -p udp -m udp --dport 1111 -m comment --comment "!fw3: WIREGUARD (reflection)" -j DNAT --to-destination 192.168.1.1:1111
-A zone_lan_prerouting -s 10.0.0.0/24 -d 182.116.72.135/32 -p udp -m udp --dport 1111 -m comment --comment "!fw3: WIREGUARD (reflection)" -j DNAT --to-destination 192.168.1.1:1111
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.150.2/32 -p udp -m udp --dport 1111 -m comment --comment "!fw3: WIREGUARD (reflection)" -j DNAT --to-destination 192.168.1.1:1111
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.150.2/32 -p udp -m udp --dport 1111 -m comment --comment "!fw3: WIREGUARD (reflection)" -j DNAT --to-destination 192.168.1.1:1111
-A zone_lan_prerouting -s 192.168.1.0/24 -d 10.16.161.146/32 -p udp -m udp --dport 1111 -m comment --comment "!fw3: WIREGUARD (reflection)" -j DNAT --to-destination 192.168.1.1:1111
-A zone_lan_prerouting -s 10.0.0.0/24 -d 10.16.161.146/32 -p udp -m udp --dport 1111 -m comment --comment "!fw3: WIREGUARD (reflection)" -j DNAT --to-destination 192.168.1.1:1111
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.200.2/32 -p udp -m udp --dport 1111 -m comment --comment "!fw3: WIREGUARD (reflection)" -j DNAT --to-destination 192.168.1.1:1111
-A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.200.2/32 -p udp -m udp --dport 1111 -m comment --comment "!fw3: WIREGUARD (reflection)" -j DNAT --to-destination 192.168.1.1:1111
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 88 -m comment --comment "!fw3: Router-WEB" -j DNAT --to-destination 192.168.1.1:80
-A zone_wan_prerouting -p tcp -m tcp --dport 90 -m comment --comment "!fw3: AP-3_WEB" -j DNAT --to-destination 192.168.1.3:90
-A zone_wan_prerouting -p tcp -m tcp --dport 5555 -m comment --comment "!fw3: PC-Remote" -j DNAT --to-destination 192.168.1.100:5555
-A zone_wan_prerouting -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn" -j DNAT --to-destination 192.168.1.20:1194
-A zone_wan_prerouting -p tcp -m tcp --dport 3306 -m comment --comment "!fw3: mysql" -j DNAT --to-destination 192.168.1.10:3306
-A zone_wan_prerouting -p tcp -m tcp --dport 3690 -m comment --comment "!fw3: svn" -j DNAT --to-destination 192.168.1.25:3690
-A zone_wan_prerouting -p tcp -m tcp --dport 62 -m comment --comment "!fw3: 252web" -j DNAT --to-destination 192.168.1.252:8006
-A zone_wan_prerouting -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: PT" -j DNAT --to-destination 192.168.1.6:9091
-A zone_wan_prerouting -p tcp -m tcp --dport 40 -m comment --comment "!fw3: NAS_WEB" -j DNAT --to-destination 192.168.1.5:80
-A zone_wan_prerouting -p tcp -m tcp --dport 9090 -m comment --comment "!fw3: TEST_WEB" -j DNAT --to-destination 192.168.1.45:80
-A zone_wan_prerouting -p udp -m udp --dport 2736 -m comment --comment "!fw3: wireguad" -j DNAT --to-destination 192.168.1.26:2736
-A zone_wan_prerouting -p tcp -m tcp --dport 103 -m comment --comment "!fw3: IMG_SSH" -j DNAT --to-destination 192.168.1.36:22
-A zone_wan_prerouting -p udp -m udp --dport 1111 -m comment --comment "!fw3: WIREGUARD" -j DNAT --to-destination 192.168.1.1:1111
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Thu Sep  1 07:02:51 2022

#IPv4 Mangle chain

# Generated by iptables-save v1.8.8 on Thu Sep  1 07:02:51 2022
*mangle
:PREROUTING ACCEPT [264330:227614185]
:INPUT ACCEPT [48067:15496759]
:FORWARD ACCEPT [208675:209560822]
:OUTPUT ACCEPT [66012:21503954]
:POSTROUTING ACCEPT [273818:231027108]
:mwan3_connected_ipv4 - [0:0]
:mwan3_custom_ipv4 - [0:0]
:mwan3_dynamic_ipv4 - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_cmcc_wan - [0:0]
:mwan3_iface_in_ct_wan - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_policy_balanced - [0:0]
:mwan3_policy_ct_only - [0:0]
:mwan3_policy_cu_only - [0:0]
:mwan3_rule_web - [0:0]
:mwan3_rules - [0:0]
-A PREROUTING -j mwan3_hook
-A FORWARD -o eth3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o pppoe-cmcc_wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i pppoe-cmcc_wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o pppoe-ct_wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i pppoe-ct_wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j mwan3_hook
-A mwan3_connected_ipv4 -m set --match-set mwan3_connected_ipv4 dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_custom_ipv4 -m set --match-set mwan3_custom_ipv4 dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_dynamic_ipv4 -m set --match-set mwan3_dynamic_ipv4 dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_custom_ipv4
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected_ipv4
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_dynamic_ipv4
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_custom_ipv4
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected_ipv4
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_dynamic_ipv4
-A mwan3_iface_in_cmcc_wan -i pppoe-cmcc_wan -m set --match-set mwan3_custom_ipv4 src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_iface_in_cmcc_wan -i pppoe-cmcc_wan -m set --match-set mwan3_connected_ipv4 src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_iface_in_cmcc_wan -i pppoe-cmcc_wan -m set --match-set mwan3_dynamic_ipv4 src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_iface_in_cmcc_wan -i pppoe-cmcc_wan -m mark --mark 0x0/0x3f00 -m comment --comment cmcc_wan -j MARK --set-xmark 0x200/0x3f00
-A mwan3_iface_in_ct_wan -i pppoe-ct_wan -m set --match-set mwan3_custom_ipv4 src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_iface_in_ct_wan -i pppoe-ct_wan -m set --match-set mwan3_connected_ipv4 src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_iface_in_ct_wan -i pppoe-ct_wan -m set --match-set mwan3_dynamic_ipv4 src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_iface_in_ct_wan -i pppoe-ct_wan -m mark --mark 0x0/0x3f00 -m comment --comment ct_wan -j MARK --set-xmark 0x100/0x3f00
-A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_cmcc_wan
-A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_ct_wan
-A mwan3_policy_balanced -m mark --mark 0x0/0x3f00 -m comment --comment "cmcc_wan 3 3" -j MARK --set-xmark 0x200/0x3f00
-A mwan3_policy_ct_only -m mark --mark 0x0/0x3f00 -m comment --comment "ct_wan 5 5" -j MARK --set-xmark 0x100/0x3f00
-A mwan3_policy_cu_only -m mark --mark 0x0/0x3f00 -m comment --comment "cmcc_wan 3 3" -j MARK --set-xmark 0x200/0x3f00
-A mwan3_rule_web -m mark --mark 0x0/0x3f00 -j mwan3_policy_balanced
-A mwan3_rule_web -m mark ! --mark 0xfc00/0xfc00 -j SET --del-set mwan3_rule_ipv4_web src,src
-A mwan3_rule_web -m mark ! --mark 0xfc00/0xfc00 -j SET --add-set mwan3_rule_ipv4_web src,src
-A mwan3_rules -d 60.208.23.0/24 -m mark --mark 0x0/0x3f00 -j mwan3_policy_cu_only
-A mwan3_rules -s 192.168.1.80/32 -m mark --mark 0x0/0x3f00 -j mwan3_policy_ct_only
-A mwan3_rules -s 192.168.1.42/32 -m mark --mark 0x0/0x3f00 -j mwan3_policy_ct_only
-A mwan3_rules -s 192.168.1.43/32 -m mark --mark 0x0/0x3f00 -j mwan3_policy_cu_only
-A mwan3_rules -m set --match-set unicom dst -m mark --mark 0x0/0x3f00 -j mwan3_policy_cu_only
-A mwan3_rules -m set --match-set chinanet dst -m mark --mark 0x0/0x3f00 -j mwan3_policy_ct_only
-A mwan3_rules -p tcp -m multiport --dports 80,443 -m mark --mark 0x0/0x3f00 -j mwan3_rule_web
-A mwan3_rules -m mark --mark 0x0/0x3f00 -j mwan3_policy_balanced
-A mwan3_rules -m mark --mark 0x0/0x3f00 -j mwan3_policy_balanced
-A mwan3_rules -m mark --mark 0x0/0x3f00 -j mwan3_policy_cu_only
COMMIT
# Completed on Thu Sep  1 07:02:51 2022

#IPv4 Filter chain

# Generated by iptables-save v1.8.8 on Thu Sep  1 07:02:51 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i wg0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth3 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i pppoe-cmcc_wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i pppoe-ct_wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth3 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i pppoe-cmcc_wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i pppoe-ct_wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth3 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o pppoe-cmcc_wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o pppoe-ct_wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth3 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-cmcc_wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-cmcc_wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-ct_wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-ct_wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth3 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o pppoe-cmcc_wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth2 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o pppoe-ct_wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -j MINIUPNPD
-A zone_wan_input -j MINIUPNPD
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth3 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i pppoe-cmcc_wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth2 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i pppoe-ct_wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Sep  1 07:02:51 2022

#IPv6 NAT chain

# Generated by ip6tables-save v1.8.8 on Thu Sep  1 07:02:51 2022
*nat
:PREROUTING ACCEPT [185:59292]
:INPUT ACCEPT [1:211]
:OUTPUT ACCEPT [2:230]
:POSTROUTING ACCEPT [2:230]
COMMIT
# Completed on Thu Sep  1 07:02:51 2022

#IPv6 Mangle chain

# Generated by ip6tables-save v1.8.8 on Thu Sep  1 07:02:51 2022
*mangle
:PREROUTING ACCEPT [214:61483]
:INPUT ACCEPT [3:344]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:308]
:POSTROUTING ACCEPT [4:308]
:mwan3_connected_ipv6 - [0:0]
:mwan3_custom_ipv6 - [0:0]
:mwan3_dynamic_ipv6 - [0:0]
:mwan3_hook - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_policy_balanced - [0:0]
:mwan3_policy_ct_only - [0:0]
:mwan3_policy_cu_only - [0:0]
:mwan3_rules - [0:0]
-A PREROUTING -j mwan3_hook
-A FORWARD -o eth3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o pppoe-cmcc_wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i pppoe-cmcc_wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o pppoe-ct_wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i pppoe-ct_wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j mwan3_hook
-A mwan3_connected_ipv6 -m set --match-set mwan3_connected_ipv6 dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_custom_ipv6 -m set --match-set mwan3_custom_ipv6 dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_dynamic_ipv6 -m set --match-set mwan3_dynamic_ipv6 dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j RETURN
-A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j RETURN
-A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
-A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
-A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j RETURN
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_custom_ipv6
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected_ipv6
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_dynamic_ipv6
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_custom_ipv6
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected_ipv6
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_dynamic_ipv6
-A mwan3_policy_balanced -m mark --mark 0x0/0x3f00 -m comment --comment unreachable -j MARK --set-xmark 0x3e00/0x3f00
-A mwan3_policy_ct_only -m mark --mark 0x0/0x3f00 -m comment --comment unreachable -j MARK --set-xmark 0x3e00/0x3f00
-A mwan3_policy_cu_only -m mark --mark 0x0/0x3f00 -m comment --comment unreachable -j MARK --set-xmark 0x3e00/0x3f00
COMMIT
# Completed on Thu Sep  1 07:02:51 2022

#IPv6 Filter chain

# Generated by ip6tables-save v1.8.8 on Thu Sep  1 07:02:51 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i wg0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth3 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i pppoe-cmcc_wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i pppoe-ct_wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth3 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i pppoe-cmcc_wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i pppoe-ct_wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth3 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o pppoe-cmcc_wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o pppoe-ct_wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth3 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-cmcc_wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-cmcc_wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-ct_wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-ct_wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth3 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o pppoe-cmcc_wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth2 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o pppoe-ct_wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -j MINIUPNPD
-A zone_wan_input -j MINIUPNPD
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth3 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i pppoe-cmcc_wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth2 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i pppoe-ct_wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Sep  1 07:02:51 2022

#===================== IPSET状态 =====================#

Name: chinanet
Name: cmcc
Name: unicom
Name: mwan3_dynamic_ipv6
Name: mwan3_connected_ipv4
Name: mwan3_connected_ipv6
Name: mwan3_custom_ipv4
Name: mwan3_custom_ipv6
Name: mwan3_rule_ipv4_web
Name: mwan3_rule_ipv6_web
Name: mwan3_dynamic_ipv4

#===================== 路由表状态 =====================#

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         182.16.72.1    0.0.0.0         UG    5      0        0 pppoe-cmcc_wan
0.0.0.0         10.16.0.1       0.0.0.0         UG    20     0        0 pppoe-ct_wan
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 wg0
10.0.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 wg0
10.0.0.3        0.0.0.0         255.255.255.255 UH    0      0        0 wg0
10.0.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 wg0
10.16.0.1       0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-ct_wan
182.16.72.1    0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-cmcc_wan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth3
192.168.150.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
#ip route list
default via 182.116.72.1 dev pppoe-cmcc_wan proto static metric 5 
default via 10.16.0.1 dev pppoe-ct_wan proto static metric 20 
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1 
10.0.0.2 dev wg0 proto static scope link 
10.0.0.3 dev wg0 proto static scope link 
10.0.0.5 dev wg0 proto static scope link 
10.16.0.1 dev pppoe-ct_wan proto kernel scope link src 10.16.161.146 
182.16.72.1 dev pppoe-cmcc_wan proto kernel scope link src 182.16.72.135 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.100.0/24 dev eth3 proto kernel scope link src 192.168.100.2 
192.168.150.0/24 dev eth2 proto kernel scope link src 192.168.150.2 
192.168.200.0/24 dev eth1 proto kernel scope link src 192.168.200.2 
#ip rule show
0:  from all lookup local
1001:   from all iif pppoe-ct_wan lookup 1
1002:   from all iif pppoe-cmcc_wan lookup 2
2001:   from all fwmark 0x100/0x3f00 lookup 1
2002:   from all fwmark 0x200/0x3f00 lookup 2
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
3001:   from all fwmark 0x100/0x3f00 unreachable
3002:   from all fwmark 0x200/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default

#===================== 端口占用状态 =====================#

#===================== 测试本机DNS查询 =====================#

Server:     127.0.0.1
Address:    127.0.0.1:53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com
Name:   www.a.shifen.com
Address: 220.181.38.150

Non-authoritative answer:

#===================== resolv.conf.d =====================#

# Interface cmcc_wan_6
# Interface cmcc_wan
# Interface ct_wan

#===================== 测试本机网络连接 =====================#

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Wed, 31 Aug 2022 23:02:52 GMT
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache
Server: bfe/1.0.8.18

#===================== 测试本机网络下载 =====================#

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 80
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "7b18c764d6c4574c6040f0dc7b80bc6a8df5289c8cdd0b3dd1df70ea589c5314"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 7A3E:37DB:88230:A5A80:630E6406
Accept-Ranges: bytes
Date: Wed, 31 Aug 2022 23:02:57 GMT
Via: 1.1 varnish
X-Served-By: cache-tyo11951-TYO
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1661986977.332147,VS0,VE0
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: d559546660ed729c1757950528a0fe6e9e1ec987
Expires: Wed, 31 Aug 2022 23:07:57 GMT
Source-Age: 232

#===================== 最近运行日志 =====================#

2022-09-01 06:59:06 Config File【config.yaml】Read Successful!
2022-09-01 06:59:09 Config File【config.yaml】Write Successful!
2022-09-01 06:59:12 OpenClash Stoping...
2022-09-01 06:59:12 Step 1: Backup The Current Groups State...
2022-09-01 06:59:12 Step 2: Delete OpenClash Firewall Rules...
2022-09-01 06:59:13 Step 3: Close The OpenClash Daemons...
2022-09-01 06:59:13 Step 4: Close The Clash Core Process...
2022-09-01 06:59:13 Step 5: Restart Dnsmasq...
2022-09-01 06:59:15 Step 6: Delete OpenClash Residue File...
2022-09-01 06:59:15 OpenClash Start Running...
2022-09-01 06:59:15 Step 1: Get The Configuration...
2022-09-01 06:59:15 Step 2: Check The Components...
2022-09-01 06:59:15 Tip: Detected that the Chnroute Cidr List Format is wrong, Ready to Reformat...
2022-09-01 06:59:15 Start Downloading The Chnroute Cidr List...
2022-09-01 06:59:16 Chnroute Cidr List Download Success, Check Updated...
2022-09-01 06:59:16 Updated Chnroute Cidr List No Change, Do Nothing...
2022-09-01 06:59:19 Start Downloading The Chnroute6 Cidr List...
2022-09-01 06:59:19 Chnroute6 Cidr List Download Success, Check Updated...
2022-09-01 06:59:19 Updated Chnroute6 Cidr List No Change, Do Nothing...
2022-09-01 06:59:23 OpenClash Stoping...
2022-09-01 06:59:23 Step 1: Backup The Current Groups State...
2022-09-01 06:59:23 Step 2: Delete OpenClash Firewall Rules...
2022-09-01 06:59:24 Step 3: Close The OpenClash Daemons...
2022-09-01 06:59:24 Step 4: Close The Clash Core Process...
2022-09-01 06:59:24 Step 5: Restart Dnsmasq...
2022-09-01 06:59:26 Step 6: Delete OpenClash Residue File...
2022-09-01 07:01:34 OpenClash Stoping...
2022-09-01 07:01:34 Step 1: Backup The Current Groups State...
2022-09-01 07:01:34 Step 2: Delete OpenClash Firewall Rules...
2022-09-01 07:01:35 Step 3: Close The OpenClash Daemons...
2022-09-01 07:01:35 Step 4: Close The Clash Core Process...
2022-09-01 07:01:35 Step 5: Restart Dnsmasq...
2022-09-01 07:01:37 Step 6: Delete OpenClash Residue File...
2022-09-01 07:01:37 OpenClash Start Running...
2022-09-01 07:01:37 Step 1: Get The Configuration...
2022-09-01 07:01:37 Step 2: Check The Components...
2022-09-01 07:01:37 Tip: Detected that the Chnroute Cidr List Format is wrong, Ready to Reformat...
2022-09-01 07:01:37 Start Downloading The Chnroute Cidr List...
2022-09-01 07:01:38 Chnroute Cidr List Download Success, Check Updated...
2022-09-01 07:01:38 Updated Chnroute Cidr List No Change, Do Nothing...
2022-09-01 07:01:41 Start Downloading The Chnroute6 Cidr List...
2022-09-01 07:01:41 Chnroute6 Cidr List Download Success, Check Updated...
2022-09-01 07:01:41 Updated Chnroute6 Cidr List No Change, Do Nothing...
2022-09-01 07:01:45 OpenClash Stoping...
2022-09-01 07:01:45 Step 1: Backup The Current Groups State...
2022-09-01 07:01:45 Step 2: Delete OpenClash Firewall Rules...
2022-09-01 07:01:46 Step 3: Close The OpenClash Daemons...
2022-09-01 07:01:46 Step 4: Close The Clash Core Process...
2022-09-01 07:01:46 Step 5: Restart Dnsmasq...
2022-09-01 07:01:49 Step 6: Delete OpenClash Residue File...

#===================== 活动连接信息 =====================#
zzz6839 commented 2 years ago

The bug still exists in the latest .55 version; it still gets stuck at deleting the OpenClash residual files.

shmilyx commented 2 years ago

Same here, same bug.

ghost commented 2 years ago

c504e53

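I tried the commits one by one and confirmed that this commit is what causes the startup failure. Commenting out the two lines it added to /etc/init.d/openclash lets it start normally. I haven't had time yet to look at what exactly is wrong with those two lines.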

vernesong commented 2 years ago

It's fixed. Update the mainland China whitelist again.

zzz6839 commented 2 years ago

> It's fixed. Update the mainland China whitelist again.

2022-09-01 14:39:04 第六步:删除 OpenClash 残留文件...
2022-09-01 14:39:01 第五步: 重启 Dnsmasq 程序...
2022-09-01 14:39:01 第四步: 关闭 Clash 主程序...
2022-09-01 14:39:01 第三步: 关闭 OpenClash 守护程序...
2022-09-01 14:39:01 第二步: 删除 OpenClash 防火墙规则...
2022-09-01 14:39:01 第一步: 备份当前策略组状态...
2022-09-01 14:39:01 OpenClash 开始关闭...
2022-09-01 14:38:56 大陆 IPv6 白名单没有更新,停止继续操作...
2022-09-01 14:38:56 大陆 IPv6 白名单下载成功,检查版本是否更新...
2022-09-01 14:38:56 开始下载大陆 IPv6 白名单...
2022-09-01 14:38:53 大陆 IP 白名单没有更新,停止继续操作...
2022-09-01 14:38:52 大陆 IP 白名单下载成功,检查版本是否更新...
2022-09-01 14:38:51 开始下载大陆 IP 白名单...
2022-09-01 14:38:51 提示: 检测到大陆白名单列表格式错误,准备重新格式化...
2022-09-01 14:38:51 第二步: 组件运行前检查...
2022-09-01 14:38:51 第一步: 获取配置...
2022-09-01 14:38:51 OpenClash 开始启动...
2022-09-01 14:38:51 第六步:删除 OpenClash 残留文件...
2022-09-01 14:38:48 第五步: 重启 Dnsmasq 程序...
2022-09-01 14:38:48 第四步: 关闭 Clash 主程序...
2022-09-01 14:38:48 第三步: 关闭 OpenClash 守护程序...
2022-09-01 14:38:47 第二步: 删除 OpenClash 防火墙规则...
2022-09-01 14:38:47 第一步: 备份当前策略组状态...
2022-09-01 14:38:47 OpenClash 开始关闭...
2022-09-01 14:38:26 第六步:删除 OpenClash 残留文件...
2022-09-01 14:38:23 第五步: 重启 Dnsmasq 程序...
2022-09-01 14:38:23 第四步: 关闭 Clash 主程序...
2022-09-01 14:38:23 第三步: 关闭 OpenClash 守护程序...
2022-09-01 14:38:22 第二步: 删除 OpenClash 防火墙规则...
2022-09-01 14:38:22 第一步: 备份当前策略组状态...
2022-09-01 14:38:22 OpenClash 开始关闭...

It's not fixed. I've tried several times and it's still the same, on .55.

ghost commented 2 years ago

Yes, it has already been fixed in the latest version.

> It's not fixed. I've tried several times and it's still the same, on .55.

You need to build the latest commit yourself; .55 doesn't include this fix yet.