jklolixxs
commented
1 year ago ### OpenClash Log OpenClash 调试日志
生成时间: 2023-08-19 00:16:24 插件版本: v0.45.140-beta 隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息
#===================== 系统信息 =====================#
主机型号: Default string Default string/Default string
固件版本: OpenWrt SNAPSHOT r0-415422b
LuCI版本: git-23.206.20747-22b3344-1
内核版本: 6.1.42
处理器架构: x86_64
#此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: server
DNS劫持: Dnsmasq 转发
#DNS劫持为Dnsmasq时,此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874
#===================== 依赖检查 =====================#
dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 未安装
ruby-psych: 未安装
ruby-pstore: 未安装
kmod-tun(TUN模式): 未安装
luci-compat(Luci >= 19.07): 未安装
kmod-inet-diag(PROCESS-NAME): 未安装
unzip: 已安装
iptables-mod-tproxy: 已安装
kmod-ipt-tproxy: 已安装
iptables-mod-extra: 已安装
kmod-ipt-extra: 已安装
kmod-ipt-nat: 已安装
#===================== 内核检查 =====================#
运行状态: 运行中
运行内核:Meta
进程pid: 12031
运行权限: 12031: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_sys_resource=eip
运行用户: nobody
已选择的架构: linux-amd64
#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2023.07.22-17-g6135a37
Tun内核文件: 存在
Tun内核运行权限: 正常
Dev内核版本: v1.17.0-16-gac3fd60
Dev内核文件: 存在
Dev内核运行权限: 正常
Meta内核版本: alpha-ged09df4
Meta内核文件: 存在
Meta内核运行权限: 正常
#===================== 插件设置 =====================#
当前配置文件: /etc/openclash/config/OpenClash.yaml
启动配置文件: /etc/openclash/OpenClash.yaml
运行模式: fake-ip-mix
默认代理模式: rule
UDP流量转发(tproxy): 停用
自定义DNS: 启用
IPV6代理: 启用
IPV6-DNS解析: 启用
禁用Dnsmasq缓存: 启用
自定义规则: 停用
仅允许内网: 启用
仅代理命中规则流量: 停用
仅允许常用端口流量: 停用
绕过中国大陆IP: 停用
路由本机代理: 启用
#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用
#启动异常时建议关闭此项后重试
第三方规则: 停用
#===================== 配置文件 =====================#
过长,GitHub不允许
#===================== 自定义覆写设置 =====================#
#!/bin/sh
. /usr/share/openclash/ruby.sh
. /usr/share/openclash/log.sh
. /lib/functions.sh
# This script is called by /etc/init.d/openclash
# Add your custom overwrite scripts here, they will be take effict after the OpenClash own srcipts
LOG_OUT "Tip: Start Running Custom Overwrite Scripts..."
LOGTIME=$(echo $(date "+%Y-%m-%d %H:%M:%S"))
LOG_FILE="/tmp/openclash.log"
CONFIG_FILE="$1" #config path
#Simple Demo:
#General Demo
#1--config path
#2--key name
#3--value
#ruby_edit "$CONFIG_FILE" "['redir-port']" "7892"
#ruby_edit "$CONFIG_FILE" "['secret']" "123456"
#ruby_edit "$CONFIG_FILE" "['dns']['enable']" "true"
#Hash Demo
#1--config path
#2--key name
#3--hash type value
#ruby_edit "$CONFIG_FILE" "['experimental']" "{'sniff-tls-sni'=>true}"
#ruby_edit "$CONFIG_FILE" "['sniffer']" "{'sniffing'=>['tls','http']}"
#Array Demo:
#1--config path
#2--key name
#3--position(start from 0, end with -1)
#4--value
#ruby_arr_insert "$CONFIG_FILE" "['dns']['nameserver']" "0" "114.114.114.114"
#Array Add From Yaml File Demo:
#1--config path
#2--key name
#3--position(start from 0, end with -1)
#4--value file path
#5--value key name in #4 file
#ruby_arr_add_file "$CONFIG_FILE" "['dns']['fallback-filter']['ipcidr']" "0" "/etc/openclash/custom/openclash_custom_fallback_filter.yaml" "['fallback-filter']['ipcidr']"
#Ruby Script Demo:
#ruby -ryaml -rYAML -I "/usr/share/openclash" -E UTF-8 -e "
# begin
# Value = YAML.load_file('$CONFIG_FILE');
# rescue Exception => e
# puts '${LOGTIME} Error: Load File Failed,【' + e.message + '】';
# end;
#General
# begin
# Thread.new{
# Value['redir-port']=7892;
# Value['tproxy-port']=7895;
# Value['port']=7890;
# Value['socks-port']=7891;
# Value['mixed-port']=7893;
# }.join;
# rescue Exception => e
# puts '${LOGTIME} Error: Set General Failed,【' + e.message + '】';
# ensure
# File.open('$CONFIG_FILE','w') {|f| YAML.dump(Value, f)};
# end" 2>/dev/null >> $LOG_FILE
exit 0
#===================== 自定义防火墙设置 =====================#
#!/bin/sh
. /usr/share/openclash/log.sh
. /lib/functions.sh
# This script is called by /etc/init.d/openclash
# Add your custom firewall rules here, they will be added after the end of the OpenClash iptables rules
LOG_OUT "Tip: Start Add Custom Firewall Rules..."
exit 0
#===================== IPTABLES 防火墙设置 =====================#
#IPv4 NAT chain
# Generated by iptables-save v1.8.7 on Sat Aug 19 00:16:26 2023
*nat
:PREROUTING ACCEPT [6:785]
:INPUT ACCEPT [49:3110]
:OUTPUT ACCEPT [107:8557]
:POSTROUTING ACCEPT [76:6690]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:openclash - [0:0]
:openclash_output - [0:0]
:postrouting_ipsecserver_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_ipsecserver_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_ipsecserver_postrouting - [0:0]
:zone_ipsecserver_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -p tcp -m comment --comment "OpenClash TCP DNS Hijack" -m tcp --dport 53 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A PREROUTING -i ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_prerouting
-A PREROUTING -p tcp -j openclash
-A OUTPUT -j openclash_output
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A POSTROUTING -o ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_postrouting
-A openclash -p tcp -m tcp --sport 1194 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7894
-A openclash_output -p tcp -m tcp --sport 1194 -j RETURN
-A openclash_output -d 198.18.0.0/16 -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7894
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7894
-A zone_ipsecserver_postrouting -m comment --comment "!fw3: Custom ipsecserver postrouting rule chain" -j postrouting_ipsecserver_rule
-A zone_ipsecserver_prerouting -m comment --comment "!fw3: Custom ipsecserver prerouting rule chain" -j prerouting_ipsecserver_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
-A zone_vpn_postrouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
-A zone_vpn_prerouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -m comment --comment "!fw3" -j FULLCONENAT
COMMIT
# Completed on Sat Aug 19 00:16:26 2023
#IPv4 Mangle chain
# Generated by iptables-save v1.8.7 on Sat Aug 19 00:16:26 2023
*mangle
:PREROUTING ACCEPT [10301:11302615]
:INPUT ACCEPT [10044:11272444]
:FORWARD ACCEPT [257:30171]
:OUTPUT ACCEPT [7011:11006196]
:POSTROUTING ACCEPT [7268:11036367]
:RRDIPT_FORWARD - [0:0]
:RRDIPT_INPUT - [0:0]
:RRDIPT_OUTPUT - [0:0]
:openclash - [0:0]
:openclash_dns_hijack - [0:0]
:openclash_output - [0:0]
:openclash_upnp - [0:0]
-A PREROUTING -p udp -j openclash
-A PREROUTING -p tcp -m tcp --dport 53 -j openclash_dns_hijack
-A INPUT -j RRDIPT_INPUT
-A FORWARD -j RRDIPT_FORWARD
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j RRDIPT_OUTPUT
-A OUTPUT -j openclash_output
-A RRDIPT_FORWARD -s 192.168.10.223/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.10.223/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.10.173/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.10.173/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.10.100/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.10.100/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.10.208/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.10.208/32 -j RETURN
-A RRDIPT_INPUT -i br-lan -j RETURN
-A RRDIPT_INPUT -i pppoe-wan -j RETURN
-A RRDIPT_OUTPUT -o br-lan -j RETURN
-A RRDIPT_OUTPUT -o pppoe-wan -j RETURN
-A openclash -p udp -m udp --sport 1194 -j RETURN
-A openclash -p udp -m udp --sport 500 -j RETURN
-A openclash -p udp -m udp --sport 68 -j RETURN
-A openclash -i utun -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p udp -j openclash_upnp
-A openclash -j MARK --set-xmark 0x162/0xffffffff
-A openclash_dns_hijack -p tcp -m comment --comment "OpenClash TCP DNS Hijack" -m tcp --dport 53 -j MARK --set-xmark 0x162/0xffffffff
-A openclash_output -p udp -m udp --sport 1194 -j RETURN
-A openclash_output -p udp -m udp --sport 500 -j RETURN
-A openclash_output -p udp -m udp --sport 68 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -d 198.18.0.0/16 -p udp -m owner ! --uid-owner 65534 -j MARK --set-xmark 0x162/0xffffffff
COMMIT
# Completed on Sat Aug 19 00:16:26 2023
#IPv4 Filter chain
# Generated by iptables-save v1.8.7 on Sat Aug 19 00:16:26 2023
*filter
:INPUT ACCEPT [5:1670]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [6:1710]
:MINIUPNPD - [0:0]
:SOCAT - [0:0]
:forwarding_ipsecserver_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_ipsecserver_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:openclash_wan_input - [0:0]
:output_ipsecserver_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_ipsecserver_dest_ACCEPT - [0:0]
:zone_ipsecserver_forward - [0:0]
:zone_ipsecserver_input - [0:0]
:zone_ipsecserver_output - [0:0]
:zone_ipsecserver_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i eth0 -m set ! --match-set localnetwork src -j openclash_wan_input
-A INPUT -i pppoe-wan -m set ! --match-set localnetwork src -j openclash_wan_input
-A INPUT -j SOCAT
-A INPUT -j SOCAT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
-A INPUT -i ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_input
-A FORWARD -o utun -p udp -m udp --dport 443 -m comment --comment "OpenClash QUIC REJECT" -m set ! --match-set china_ip_route dst -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o utun -m comment --comment "OpenClash TUN Forward" -j ACCEPT
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -i ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
-A OUTPUT -o ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_output
-A openclash_wan_input -p udp -m multiport --dports 7894,7893,7747,7892,7891,7890,7874 -j REJECT --reject-with icmp-port-unreachable
-A openclash_wan_input -p tcp -m multiport --dports 7894,7893,7747,7892,7891,7890,7874 -j REJECT --reject-with icmp-port-unreachable
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_ipsecserver_dest_ACCEPT -o ipsec0 -m comment --comment "!fw3" -j ACCEPT
-A zone_ipsecserver_forward -m comment --comment "!fw3: Custom ipsecserver forwarding rule chain" -j forwarding_ipsecserver_rule
-A zone_ipsecserver_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_ipsecserver_forward -m comment --comment "!fw3" -j zone_ipsecserver_dest_ACCEPT
-A zone_ipsecserver_input -m comment --comment "!fw3: Custom ipsecserver input rule chain" -j input_ipsecserver_rule
-A zone_ipsecserver_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_ipsecserver_input -m comment --comment "!fw3" -j zone_ipsecserver_src_ACCEPT
-A zone_ipsecserver_output -m comment --comment "!fw3: Custom ipsecserver output rule chain" -j output_ipsecserver_rule
-A zone_ipsecserver_output -m comment --comment "!fw3" -j zone_ipsecserver_dest_ACCEPT
-A zone_ipsecserver_src_ACCEPT -i ipsec0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Aug 19 00:16:26 2023
#IPv6 NAT chain
# Generated by ip6tables-save v1.8.7 on Sat Aug 19 00:16:26 2023
*nat
:PREROUTING ACCEPT [25:1680]
:INPUT ACCEPT [39:2821]
:OUTPUT ACCEPT [114:14112]
:POSTROUTING ACCEPT [123:14652]
-A PREROUTING -d 2001:4860:4860::8844/128 -p tcp -m comment --comment "OpenClash Google DNS Hijack" -m tcp --dport 53 -j ACCEPT
-A PREROUTING -d 2001:4860:4860::8888/128 -p tcp -m comment --comment "OpenClash Google DNS Hijack" -m tcp --dport 53 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
COMMIT
# Completed on Sat Aug 19 00:16:26 2023
#IPv6 Mangle chain
# Generated by ip6tables-save v1.8.7 on Sat Aug 19 00:16:26 2023
*mangle
:PREROUTING ACCEPT [270:21657]
:INPUT ACCEPT [257:20485]
:FORWARD ACCEPT [9:720]
:OUTPUT ACCEPT [211:14843]
:POSTROUTING ACCEPT [211:14843]
:RRDIPT_FORWARD - [0:0]
:RRDIPT_INPUT - [0:0]
:RRDIPT_OUTPUT - [0:0]
:openclash - [0:0]
:openclash_output - [0:0]
-A PREROUTING -j openclash
-A INPUT -j RRDIPT_INPUT
-A FORWARD -j RRDIPT_FORWARD
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j RRDIPT_OUTPUT
-A OUTPUT -j openclash_output
-A RRDIPT_FORWARD -s fe80::6340:3e04:bb2d:9458/128 -j RETURN
-A RRDIPT_FORWARD -d fe80::6340:3e04:bb2d:9458/128 -j RETURN
-A RRDIPT_FORWARD -s fda0:55b0:eeb8:0:609b:a42d:5272:93d7/128 -j RETURN
-A RRDIPT_FORWARD -d fda0:55b0:eeb8:0:609b:a42d:5272:93d7/128 -j RETURN
-A RRDIPT_FORWARD -s fe80::9687:e0ff:fe05:7e10/128 -j RETURN
-A RRDIPT_FORWARD -d fe80::9687:e0ff:fe05:7e10/128 -j RETURN
-A RRDIPT_FORWARD -s fe80::1290:27ff:fee7:2c0d/128 -j RETURN
-A RRDIPT_FORWARD -d fe80::1290:27ff:fee7:2c0d/128 -j RETURN
-A RRDIPT_FORWARD -s fe80::129f:4fff:fe6e:a53/128 -j RETURN
-A RRDIPT_FORWARD -d fe80::129f:4fff:fe6e:a53/128 -j RETURN
-A RRDIPT_FORWARD -s fda0:55b0:eeb8:0:7871:fd4c:e8cb:1792/128 -j RETURN
-A RRDIPT_FORWARD -d fda0:55b0:eeb8:0:7871:fd4c:e8cb:1792/128 -j RETURN
-A RRDIPT_FORWARD -s 240e:省略:省略:省略:省略:省略:省略:省略/128 -j RETURN
-A RRDIPT_FORWARD -d 240e:省略:省略:省略:省略:省略:省略:省略/128 -j RETURN
-A RRDIPT_FORWARD -s fda0:55b0:eeb8:0:cd6:2325:9a5f:e645/128 -j RETURN
-A RRDIPT_FORWARD -d fda0:55b0:eeb8:0:cd6:2325:9a5f:e645/128 -j RETURN
-A RRDIPT_FORWARD -s fe80::14ad:efff:feb0:b367/128 -j RETURN
-A RRDIPT_FORWARD -d fe80::14ad:efff:feb0:b367/128 -j RETURN
-A RRDIPT_FORWARD -s 240e:省略:省略:省略:省略:省略:省略:省略/128 -j RETURN
-A RRDIPT_FORWARD -d 240e:省略:省略:省略:省略:省略:省略:省略/128 -j RETURN
-A RRDIPT_INPUT -i br-lan -j RETURN
-A RRDIPT_INPUT -i pppoe-wan -j RETURN
-A RRDIPT_OUTPUT -o br-lan -j RETURN
-A RRDIPT_OUTPUT -o pppoe-wan -j RETURN
-A openclash -p udp -m udp --sport 1194 -j RETURN
-A openclash -p tcp -m tcp --sport 1194 -j RETURN
-A openclash -p udp -m udp --sport 500 -j RETURN
-A openclash -s fc00::/6 -p udp -m udp --sport 546 -j RETURN
-A openclash -i lo -j RETURN
-A openclash -m set --match-set localnetwork6 dst -j RETURN
-A openclash -p udp -m udp --dport 53 -j RETURN
-A openclash -p tcp -j MARK --set-xmark 0x162/0xffffffff
-A openclash -p udp -m comment --comment "OpenClash UDP TUN" -j MARK --set-xmark 0x162/0xffffffff
-A openclash_output -p udp -m udp --sport 1194 -j RETURN
-A openclash_output -p tcp -m tcp --sport 1194 -j RETURN
-A openclash_output -p udp -m udp --sport 500 -j RETURN
-A openclash_output -p udp -m udp --sport 546 -j RETURN
-A openclash_output -m set --match-set localnetwork6 dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j MARK --set-xmark 0x162/0xffffffff
COMMIT
# Completed on Sat Aug 19 00:16:26 2023
#IPv6 Filter chain
# Generated by ip6tables-save v1.8.7 on Sat Aug 19 00:16:26 2023
*filter
:INPUT ACCEPT [89:5340]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:60]
:MINIUPNPD - [0:0]
:SOCAT - [0:0]
:forwarding_ipsecserver_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_ipsecserver_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:openclash_wan_input - [0:0]
:output_ipsecserver_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_ipsecserver_dest_ACCEPT - [0:0]
:zone_ipsecserver_forward - [0:0]
:zone_ipsecserver_input - [0:0]
:zone_ipsecserver_output - [0:0]
:zone_ipsecserver_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i eth0 -m set ! --match-set localnetwork6 src -j openclash_wan_input
-A INPUT -i pppoe-wan -m set ! --match-set localnetwork6 src -j openclash_wan_input
-A INPUT -p udp -m udp --dport 443 -m comment --comment "OpenClash QUIC REJECT" -m set ! --match-set china_ip6_route dst -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -j SOCAT
-A INPUT -j SOCAT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
-A INPUT -i ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -i ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
-A OUTPUT -o ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_output
-A openclash_wan_input -p udp -m multiport --dports 7894,7893,7747,7892,7891,7890,7874 -j REJECT --reject-with icmp6-port-unreachable
-A openclash_wan_input -p tcp -m multiport --dports 7894,7893,7747,7892,7891,7890,7874 -j REJECT --reject-with icmp6-port-unreachable
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_ipsecserver_dest_ACCEPT -o ipsec0 -m comment --comment "!fw3" -j ACCEPT
-A zone_ipsecserver_forward -m comment --comment "!fw3: Custom ipsecserver forwarding rule chain" -j forwarding_ipsecserver_rule
-A zone_ipsecserver_forward -m comment --comment "!fw3" -j zone_ipsecserver_dest_ACCEPT
-A zone_ipsecserver_input -m comment --comment "!fw3: Custom ipsecserver input rule chain" -j input_ipsecserver_rule
-A zone_ipsecserver_input -m comment --comment "!fw3" -j zone_ipsecserver_src_ACCEPT
-A zone_ipsecserver_output -m comment --comment "!fw3: Custom ipsecserver output rule chain" -j output_ipsecserver_rule
-A zone_ipsecserver_output -m comment --comment "!fw3" -j zone_ipsecserver_dest_ACCEPT
-A zone_ipsecserver_src_ACCEPT -i ipsec0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Aug 19 00:16:26 2023
#===================== IPSET状态 =====================#
Name: mwan3_dynamic_ipv6
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 65536 bucketsize 12 initval 0x6284c052
Size in memory: 1240
References: 0
Number of entries: 0
Name: mwan3_connected_ipv4
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0x9291a448
Size in memory: 648
References: 0
Number of entries: 4
Name: mwan3_connected_ipv6
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 65536 bucketsize 12 initval 0xd0a78707
Size in memory: 1816
References: 0
Number of entries: 8
Name: mwan3_custom_ipv4
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0x8130163d
Size in memory: 456
References: 0
Number of entries: 0
Name: mwan3_custom_ipv6
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 65536 bucketsize 12 initval 0xcd287438
Size in memory: 1240
References: 0
Number of entries: 0
Name: mwan3_rule_ipv4_https
Type: hash:ip,mark
Revision: 3
Header: family inet markmask 0x00003f00 hashsize 1024 maxelem 65536 timeout 600 bucketsize 12 initval 0x3af5b9ef
Size in memory: 456
References: 0
Number of entries: 0
Name: mwan3_rule_ipv6_https
Type: hash:ip,mark
Revision: 3
Header: family inet6 markmask 0x00003f00 hashsize 1024 maxelem 65536 timeout 600 bucketsize 12 initval 0x7fabb576
Size in memory: 600
References: 0
Number of entries: 0
Name: china
Type: hash:net
Revision: 7
Header: family inet hashsize 262144 maxelem 1000000 bucketsize 12 initval 0x4cd156da
Size in memory: 16524576
References: 0
Number of entries: 559354
Name: localnetwork
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0x8a6f4ef8
Size in memory: 936
References: 6
Number of entries: 10
Name: china_ip_route
Type: hash:net
Revision: 7
Header: family inet hashsize 4096 maxelem 1000000 bucketsize 12 initval 0x87bd6615
Size in memory: 256224
References: 1
Number of entries: 8616
Name: china_ip_route_pass
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 1000000 bucketsize 12 initval 0x63ef4ca0
Size in memory: 456
References: 0
Number of entries: 0
Name: china_ip6_route
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 1000000 bucketsize 12 initval 0x8e593f2e
Size in memory: 89296
References: 1
Number of entries: 1942
Name: china_ip6_route_pass
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 1000000 bucketsize 12 initval 0x0cfe5be3
Size in memory: 1240
References: 0
Number of entries: 0
Name: localnetwork6
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 65536 bucketsize 12 initval 0x6794c3f8
Size in memory: 2536
References: 4
Number of entries: 18
Name: mwan3_dynamic_ipv4
Type: list:set
Revision: 3
Header: size 8
Size in memory: 80
References: 0
Number of entries: 0
#===================== 路由表状态 =====================#
#IPv4
#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.6.0.1 0.0.0.0 UG 0 0 0 pppoe-wan
10.6.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 pppoe-wan
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
198.18.0.0 0.0.0.0 255.255.255.252 U 0 0 0 utun
#ip route list
default via 10.6.0.1 dev pppoe-wan proto static
10.6.0.1 dev pppoe-wan proto kernel scope link src *WAN IP*.51
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.1
198.18.0.0/30 dev utun proto kernel scope link src 198.18.0.1
#ip rule show
0: from all lookup local
32765: from all fwmark 0x162 lookup 354
32766: from all lookup main
32767: from all lookup default
#IPv6
#route -A inet6
Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
::/0 :: U 1024 5 0 utun
::/0 :: !n -1 2 0 lo
::/0 fe80::ce1a:faff:fee8:2460 UG 512 5 0 pppoe-wan
::/0 fe80::ce1a:faff:fee8:2460 UG 512 6 0 pppoe-wan
240e:省略:省略:省略::/64 :: !n 2147483647 2 0 lo
240e:省略:省略:省略::/64 :: U 1024 6 0 br-lan
240e:省略:省略:省略::/62 fe80::129f:4fff:fe6e:a53 UG 1024 1 0 br-lan
240e:省略:省略:省略::/56 :: !n 2147483647 1 0 lo
fda0:55b0:eeb8::/64 :: U 1024 6 0 br-lan
fda0:55b0:eeb8:4::/62 fe80::129f:4fff:fe6e:a53 UG 1024 1 0 br-lan
fda0:55b0:eeb8::/48 :: !n 2147483647 3 0 lo
fdfe:dcba:9876::/126 :: U 256 3 0 utun
fe80::1290:2709:5fe7:2c0d/128 :: U 256 1 0 pppoe-wan
fe80::ce1a:faff:fee8:2460/128 :: U 256 1 0 pppoe-wan
fe80::/64 :: U 256 5 0 br-lan
fe80::/64 :: U 256 1 0 eth0
fe80::/64 :: U 256 1 0 utun
::/0 :: !n -1 2 0 lo
::1/128 :: Un 0 7 0 lo
240e:318:2a04:a::/128 :: Un 0 3 0 pppoe-wan
*WAN IP*:2c0d/128 :: Un 0 8 0 pppoe-wan
240e:319:2b0d:e600::/128 :: Un 0 3 0 br-lan
240e:319:2b0d:e600::1/128 :: Un 0 7 0 br-lan
fda0:55b0:eeb8::/128 :: Un 0 3 0 br-lan
fda0:55b0:eeb8::1/128 :: Un 0 9 0 br-lan
fdfe:dcba:9876::/128 :: Un 0 3 0 utun
fdfe:dcba:9876::1/128 :: Un 0 7 0 utun
fe80::/128 :: Un 0 3 0 br-lan
fe80::/128 :: Un 0 3 0 eth0
fe80::/128 :: Un 0 3 0 utun
fe80::1290:2709:5fe7:2c0d/128 :: Un 0 3 0 pppoe-wan
fe80::1290:27ff:fee7:2c0d/128 :: Un 0 2 0 eth0
fe80::1290:27ff:fee7:2c0e/128 :: Un 0 11 0 br-lan
fe80::793a:3afb:3523:f9d8/128 :: Un 0 2 0 utun
ff00::/8 :: U 256 5 0 br-lan
ff00::/8 :: U 256 5 0 eth0
ff00::/8 :: U 256 5 0 pppoe-wan
ff00::/8 :: U 256 5 0 utun
::/0 :: !n -1 2 0 lo
#ip -6 route list
default from 240e:省略:省略:省略::/64 via fe80::ce1a:faff:fee8:2460 dev pppoe-wan proto static metric 512 pref medium
default from 240e:省略:省略:省略::/56 via fe80::ce1a:faff:fee8:2460 dev pppoe-wan proto static metric 512 pref medium
unreachable 240e:省略:省略:省略::/64 dev lo proto static metric 2147483647 pref medium
240e:省略:省略:省略::/64 dev br-lan proto static metric 1024 pref medium
240e:省略:省略:省略::/62 via fe80::129f:4fff:fe6e:a53 dev br-lan proto static metric 1024 pref medium
unreachable 240e:省略:省略:省略::/56 dev lo proto static metric 2147483647 pref medium
fda0:55b0:eeb8::/64 dev br-lan proto static metric 1024 pref medium
fda0:55b0:eeb8:4::/62 via fe80::129f:4fff:fe6e:a53 dev br-lan proto static metric 1024 pref medium
unreachable fda0:55b0:eeb8::/48 dev lo proto static metric 2147483647 pref medium
fdfe:dcba:9876::/126 dev utun proto kernel metric 256 pref medium
fe80::1290:2709:5fe7:2c0d dev pppoe-wan proto kernel metric 256 pref medium
fe80::ce1a:faff:fee8:2460 dev pppoe-wan proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev utun proto kernel metric 256 pref medium
#ip -6 rule show
0: from all lookup local
32765: from all fwmark 0x162 lookup 354
32766: from all lookup main
4200000000: from 240e:省略:省略:省略::1/60 iif br-lan unreachable
4200000001: from all iif lo failed_policy
4200000024: from all iif br-lan failed_policy
4200000027: from all iif pppoe-wan failed_policy
4200000027: from all iif pppoe-wan failed_policy
#===================== Tun设备状态 =====================#
utun: tun
#===================== 端口占用状态 =====================#
tcp 0 0 198.18.0.1:44729 0.0.0.0:* LISTEN 12031/clash
tcp 0 0 fdfe:dcba:9876::1:34431 :::* LISTEN 12031/clash
tcp 0 0 :::7890 :::* LISTEN 12031/clash
tcp 0 0 :::7891 :::* LISTEN 12031/clash
tcp 0 0 :::7894 :::* LISTEN 12031/clash
tcp 0 0 :::7892 :::* LISTEN 12031/clash
tcp 0 0 :::7893 :::* LISTEN 12031/clash
tcp 0 0 :::7747 :::* LISTEN 12031/clash
udp 0 0 :::7874 :::* 12031/clash
udp 0 0 :::7890 :::* 12031/clash
udp 0 0 :::7891 :::* 12031/clash
udp 0 0 :::7893 :::* 12031/clash
udp 0 0 :::7894 :::* 12031/clash
udp 0 0 :::41938 :::* 12031/clash
udp 0 0 :::58881 :::* 12031/clash
#===================== 测试本机DNS查询(www.baidu.com) =====================#
Server: 127.0.0.1
Address: 127.0.0.1:53
Name: www.baidu.com
Address: 198.18.0.12
#===================== 测试内核DNS查询(www.instagram.com) =====================#
Status: 0
TC: false
RD: true
RA: true
AD: false
CD: false
Question:
Name: www.instagram.com.
Qtype: 1
Qclass: 1
Answer:
TTL: 622
data: geo-p42.instagram.com.
name: www.instagram.com.
type: 5
TTL: 505
data: z-p42-instagram.c10r.instagram.com.
name: geo-p42.instagram.com.
type: 5
TTL: 60
data: 31.13.70.174
name: z-p42-instagram.c10r.instagram.com.
type: 1
Dnsmasq 当前默认 resolv 文件:/tmp/resolv.conf.d/resolv.conf.auto
#===================== /tmp/resolv.conf.d/resolv.conf.auto =====================#
# Interface wan
nameserver IPSIPV4DNS
nameserver IPSIPV4DNS
# Interface wan_6
nameserver IPSIPV6DNS
nameserver IPSIPV6DNS
#===================== 测试本机网络连接(www.baidu.com) =====================#
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Fri, 18 Aug 2023 16:16:27 GMT
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
#===================== 测试本机网络下载(raw.githubusercontent.com) =====================#
HTTP/2 200
cache-control: max-age=300
content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
content-type: text/plain; charset=utf-8
etag: "164887e509f49d611b745c94926c1e59df6802fc9db3bd2060f2c471fe51246c"
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block
x-github-request-id: 5764:04B1:B58CF6:D4C3D1:64DEC6C2
accept-ranges: bytes
date: Fri, 18 Aug 2023 16:16:27 GMT
via: 1.1 varnish
x-served-by: cache-sjc10021-SJC
x-cache: HIT
x-cache-hits: 1
x-timer: S1692375388.885271,VS0,VE7
vary: Authorization,Accept-Encoding,Origin
access-control-allow-origin: *
cross-origin-resource-policy: cross-origin
x-fastly-request-id: 3c47f4b107f17aa89334897a1e05ee21ab0f6dc9
expires: Fri, 18 Aug 2023 16:21:27 GMT
source-age: 25
content-length: 83
#===================== 最近运行日志(自动切换为Debug模式) =====================#
time="2023-08-19T00:16:07.170041451+08:00" level=info msg="Start initial compatible provider 🚀 Proxy"
time="2023-08-19T00:16:07.170070304+08:00" level=info msg="Start initial compatible provider 🎵 Spotify"
time="2023-08-19T00:16:07.170097229+08:00" level=info msg="Start initial compatible provider 🛑 Reject"
time="2023-08-19T00:16:07.170124897+08:00" level=info msg="Start initial compatible provider 🐟 Final"
time="2023-08-19T00:16:07.170156744+08:00" level=info msg="Start initial provider CTC-01"
time="2023-08-19T00:16:07.170835388+08:00" level=info msg="Start initial compatible provider 🪜 VLESS-Padding-CDN"
time="2023-08-19T00:16:07.170872863+08:00" level=info msg="Start initial compatible provider 💰 USDT"
time="2023-08-19T00:16:07.170902009+08:00" level=info msg="Start initial compatible provider 🖥 YouTube"
time="2023-08-19T00:16:07.170926689+08:00" level=info msg="Start initial compatible provider 🪜 Trojan-Padding-CDN"
time="2023-08-19T00:16:07.170950834+08:00" level=info msg="Start initial compatible provider ❇️ Nvidia"
time="2023-08-19T00:16:07.170975765+08:00" level=info msg="Start initial compatible provider 📢 Google"
time="2023-08-19T00:16:07.171002768+08:00" level=info msg="Start initial compatible provider default"
time="2023-08-19T00:16:07.171026835+08:00" level=info msg="Start initial provider FlowerCloud"
time="2023-08-19T00:16:07.173076731+08:00" level=info msg="Start initial compatible provider 🪜 VMESS-Padding-CDN"
time="2023-08-19T00:16:07.17312731+08:00" level=info msg="Start initial compatible provider ✍️ My"
time="2023-08-19T00:16:07.173081108+08:00" level=info msg="Start initial compatible provider 💃 TikTok"
time="2023-08-19T00:16:07.173158273+08:00" level=info msg="Start initial provider CTC-02"
time="2023-08-19T00:16:07.17319929+08:00" level=info msg="Start initial compatible provider 🎯 Direct"
time="2023-08-19T00:16:07.173230065+08:00" level=info msg="Start initial compatible provider 🖥 Twitch"
time="2023-08-19T00:16:07.17325697+08:00" level=info msg="Start initial compatible provider 🎮 Game"
time="2023-08-19T00:16:07.17328487+08:00" level=info msg="Start initial compatible provider 🪜 VLESS-Padding"
time="2023-08-19T00:16:07.173310016+08:00" level=info msg="Start initial compatible provider 🪜 Trojan-Padding"
time="2023-08-19T00:16:07.173335059+08:00" level=info msg="Start initial compatible provider 🍎 Apple"
time="2023-08-19T00:16:07.173360142+08:00" level=info msg="Start initial compatible provider 🎤 Discord"
time="2023-08-19T00:16:07.173389009+08:00" level=info msg="Start initial compatible provider 📚 Scholar"
time="2023-08-19T00:16:07.173414035+08:00" level=info msg="Start initial compatible provider 🪜 ShadowTLS-Padding"
time="2023-08-19T00:16:07.173090923+08:00" level=info msg="Start initial compatible provider 💳 PayPal"
time="2023-08-19T00:16:07.173111556+08:00" level=info msg="Start initial provider Nanoport"
time="2023-08-19T00:16:07.174300296+08:00" level=warning msg="To use xtls-rprx-vision, ensure your server is upgrade to Xray-core v1.8.0+"
time="2023-08-19T00:16:07.174381169+08:00" level=warning msg="To use xtls-rprx-vision, ensure your server is upgrade to Xray-core v1.8.0+"
time="2023-08-19T00:16:07.174444133+08:00" level=warning msg="To use xtls-rprx-vision, ensure your server is upgrade to Xray-core v1.8.0+"
time="2023-08-19T00:16:07.17451003+08:00" level=warning msg="To use xtls-rprx-vision, ensure your server is upgrade to Xray-core v1.8.0+"
time="2023-08-19T00:16:07.174574647+08:00" level=warning msg="To use xtls-rprx-vision, ensure your server is upgrade to Xray-core v1.8.0+"
time="2023-08-19T00:16:07.174638156+08:00" level=warning msg="To use xtls-rprx-vision, ensure your server is upgrade to Xray-core v1.8.0+"
time="2023-08-19T00:16:07.174698679+08:00" level=warning msg="To use xtls-rprx-vision, ensure your server is upgrade to Xray-core v1.8.0+"
time="2023-08-19T00:16:07.174761275+08:00" level=warning msg="To use xtls-rprx-vision, ensure your server is upgrade to Xray-core v1.8.0+"
time="2023-08-19T00:16:07.173101433+08:00" level=info msg="Start initial compatible provider 🗣 Twitter"
time="2023-08-19T00:16:07.173139606+08:00" level=info msg="Start initial compatible provider 🎥 NETFLIX"
time="2023-08-19T00:16:07.173148451+08:00" level=info msg="Start initial compatible provider 🤖 OpenAI"
time="2023-08-19T00:16:07.173166594+08:00" level=info msg="Start initial provider EXFLUX"
time="2023-08-19T00:16:07.176780153+08:00" level=info msg="Start initial compatible provider 🪜 VLESS-Vision"
time="2023-08-19T00:16:07.176813075+08:00" level=info msg="Start initial compatible provider Ⓜ️ Microsoft"
time="2023-08-19T00:16:07.17683928+08:00" level=info msg="Start initial compatible provider 📺 BiliBili"
time="2023-08-19T00:16:07.173174684+08:00" level=info msg="Start initial compatible provider 🪜 TUIC-Padding"
time="2023-08-19T00:16:07.173119515+08:00" level=info msg="Start initial provider ImmTelecom"
time="2023-08-19T00:16:07.186887543+08:00" level=info msg="Start initial provider stun_host_udp"
time="2023-08-19T00:16:07.187251585+08:00" level=info msg="Start initial provider reject"
time="2023-08-19T00:16:07.190460859+08:00" level=info msg="Start initial provider stun_host_tcp"
time="2023-08-19T00:16:07.192774554+08:00" level=info msg="Start initial provider stun_ip_udp"
time="2023-08-19T00:16:07.193233291+08:00" level=info msg="Start initial provider stun_ip_tcp"
time="2023-08-19T00:16:07.564746091+08:00" level=info msg="[TCP] clash.meta --> gist.github.com:443 match GeoSite(microsoft) using Ⓜ️ Microsoft[🇺🇸 BWG-LA-VLESS-A-Vision]"
time="2023-08-19T00:16:07.577465626+08:00" level=info msg="[TCP] clash.meta --> gist.github.com:443 match GeoSite(microsoft) using Ⓜ️ Microsoft[🇺🇸 BWG-LA-VLESS-A-Vision]"
time="2023-08-19T00:16:07.688453108+08:00" level=info msg="[TCP] clash.meta --> gist.github.com:443 match GeoSite(microsoft) using Ⓜ️ Microsoft[🇺🇸 Silk-SJ-VLESS-B-Padding]"
time="2023-08-19T00:16:07.738930655+08:00" level=info msg="[TCP] clash.meta --> gist.github.com:443 match GeoSite(microsoft) using Ⓜ️ Microsoft[🇺🇸 BWG-LA-VLESS-A-Vision]"
time="2023-08-19T00:16:07.739771018+08:00" level=info msg="[TCP] clash.meta --> gist.github.com:443 match GeoSite(microsoft) using Ⓜ️ Microsoft[🇺🇸 BWG-LA-VLESS-A-Vision]"
time="2023-08-19T00:16:07.799096802+08:00" level=info msg="[TCP] clash.meta --> gist.github.com:443 match GeoSite(microsoft) using Ⓜ️ Microsoft[🇺🇸 BWG-LA-VLESS-A-Vision]"
time="2023-08-19T00:16:07.973350321+08:00" level=info msg="[TCP] clash.meta --> gist.github.com:443 match GeoSite(microsoft) using Ⓜ️ Microsoft[🇺🇸 BWG-LA-VLESS-A-Vision]"
time="2023-08-19T00:16:08.180938177+08:00" level=info msg="[TCP] clash.meta --> gist.githubusercontent.com:443 match GeoSite(microsoft) using Ⓜ️ Microsoft[🇺🇸 Silk-SJ-VLESS-B-Padding]"
time="2023-08-19T00:16:08.263424441+08:00" level=info msg="[TCP] clash.meta --> gist.githubusercontent.com:443 match GeoSite(microsoft) using Ⓜ️ Microsoft[🇺🇸 Silk-SJ-VLESS-B-Padding]"
time="2023-08-19T00:16:08.295575894+08:00" level=info msg="[TCP] clash.meta --> gist.github.com:443 match GeoSite(microsoft) using Ⓜ️ Microsoft[🇺🇸 BWG-LA-VLESS-A-Vision]"
time="2023-08-19T00:16:08.486599857+08:00" level=info msg="[TCP] clash.meta --> gist.githubusercontent.com:443 match GeoSite(microsoft) using Ⓜ️ Microsoft[🇺🇸 Silk-SJ-VLESS-B-Padding]"
time="2023-08-19T00:16:08.897801218+08:00" level=info msg="[TCP] clash.meta --> gist.github.com:443 match GeoSite(microsoft) using Ⓜ️ Microsoft[🇺🇸 BWG-LA-VLESS-A-Vision]"
2023-08-19 00:16:12 Tip: Waiting for TUN Interface Start...
2023-08-19 00:16:12 Tip: Start Add Port Bypassing Rules For Firewall Redirect and Firewall Rules...
2023-08-19 00:16:12 Tip: Start Add Custom Firewall Rules...
time="2023-08-19T00:16:28.693386832+08:00" level=debug msg="[DNS] yhkyoa83j5.cloudflare-gateway.com --> [162.159.36.20 162.159.36.5], from tls://9.9.9.12:853"
time="2023-08-19T00:16:29.060164084+08:00" level=debug msg="[Rule] use default rules"
time="2023-08-19T00:16:29.060305061+08:00" level=info msg="[TCP] 192.168.10.173:52847 --> www.google-analytics.com:443 match RuleSet(reject) using 🛑 Reject[REJECT]"
time="2023-08-19T00:16:29.07735848+08:00" level=debug msg="[Rule] use default rules"
time="2023-08-19T00:16:29.077466871+08:00" level=info msg="[TCP] 192.168.10.173:52848 --> www.google-analytics.com:443 match RuleSet(reject) using 🛑 Reject[REJECT]"
time="2023-08-19T00:16:29.208978146+08:00" level=debug msg="[Rule] use default rules"
time="2023-08-19T00:16:29.209113447+08:00" level=info msg="[TCP] 192.168.10.173:52849 --> www.google-analytics.com:443 match RuleSet(reject) using 🛑 Reject[REJECT]"
time="2023-08-19T00:16:29.313621446+08:00" level=debug msg="[Rule] use default rules"
time="2023-08-19T00:16:29.313769192+08:00" level=info msg="[TCP] 192.168.10.173:52850 --> www.google-analytics.com:443 match RuleSet(reject) using 🛑 Reject[REJECT]"
time="2023-08-19T00:16:29.939462681+08:00" level=debug msg="[Rule] use default rules"
time="2023-08-19T00:16:29.985436464+08:00" level=info msg="[TCP] 192.168.10.100:40232 --> 123.244.94.41:443 match GeoIP(cn) using 🎯 Direct[DIRECT]"
time="2023-08-19T00:16:32.071139549+08:00" level=debug msg="[Rule] use default rules"
time="2023-08-19T00:16:32.071273755+08:00" level=info msg="[TCP] 192.168.10.173:52852 --> www.google-analytics.com:443 match RuleSet(reject) using 🛑 Reject[REJECT]"
time="2023-08-19T00:16:32.071316278+08:00" level=debug msg="[Rule] use default rules"
time="2023-08-19T00:16:32.071371828+08:00" level=info msg="[TCP] 192.168.10.173:52853 --> www.google-analytics.com:443 match RuleSet(reject) using 🛑 Reject[REJECT]"
time="2023-08-19T00:16:32.076887468+08:00" level=debug msg="[Rule] use default rules"
time="2023-08-19T00:16:32.076979843+08:00" level=info msg="[TCP] 192.168.10.173:52854 --> www.google-analytics.com:443 match RuleSet(reject) using 🛑 Reject[REJECT]"
time="2023-08-19T00:16:32.07710986+08:00" level=debug msg="[Rule] use default rules"
time="2023-08-19T00:16:32.077167251+08:00" level=info msg="[TCP] 192.168.10.173:52855 --> www.google-analytics.com:443 match RuleSet(reject) using 🛑 Reject[REJECT]"
time="2023-08-19T00:16:35.081498308+08:00" level=debug msg="[Rule] use default rules"
time="2023-08-19T00:16:35.081621755+08:00" level=debug msg="[Rule] use default rules"
time="2023-08-19T00:16:35.081679672+08:00" level=info msg="[TCP] 192.168.10.173:52858 --> www.google-analytics.com:443 match RuleSet(reject) using 🛑 Reject[REJECT]"
time="2023-08-19T00:16:35.081734948+08:00" level=info msg="[TCP] 192.168.10.173:52857 --> www.google-analytics.com:443 match RuleSet(reject) using 🛑 Reject[REJECT]"
time="2023-08-19T00:16:35.088421037+08:00" level=debug msg="[Rule] use default rules"
time="2023-08-19T00:16:35.088483445+08:00" level=info msg="[TCP] 192.168.10.173:52860 --> www.google-analytics.com:443 match RuleSet(reject) using 🛑 Reject[REJECT]"
time="2023-08-19T00:16:35.089132925+08:00" level=debug msg="[Rule] use default rules"
time="2023-08-19T00:16:35.08918642+08:00" level=info msg="[TCP] 192.168.10.173:52859 --> www.google-analytics.com:443 match RuleSet(reject) using 🛑 Reject[REJECT]"
time="2023-08-19T00:16:38.088613843+08:00" level=debug msg="[Rule] use default rules"
time="2023-08-19T00:16:38.088743213+08:00" level=info msg="[TCP] 192.168.10.173:52863 --> www.google-analytics.com:443 match RuleSet(reject) using 🛑 Reject[REJECT]"
time="2023-08-19T00:16:38.088832655+08:00" level=debug msg="[Rule] use default rules"
time="2023-08-19T00:16:38.088893562+08:00" level=info msg="[TCP] 192.168.10.173:52862 --> www.google-analytics.com:443 match RuleSet(reject) using 🛑 Reject[REJECT]"
time="2023-08-19T00:16:38.093195772+08:00" level=debug msg="[Rule] use default rules"
time="2023-08-19T00:16:38.093257146+08:00" level=info msg="[TCP] 192.168.10.173:52864 --> www.google-analytics.com:443 match RuleSet(reject) using 🛑 Reject[REJECT]"
time="2023-08-19T00:16:38.099050151+08:00" level=debug msg="[Rule] use default rules"
time="2023-08-19T00:16:38.099111511+08:00" level=info msg="[TCP] 192.168.10.173:52865 --> www.google-analytics.com:443 match RuleSet(reject) using 🛑 Reject[REJECT]"
#===================== 最近运行日志获取完成(自动切换为silent模式) =====================#
#===================== 活动连接信息 =====================#
1. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 BWG-LA-VLESS-A-Vision】
2. SourceIP:【192.168.10.173】 - Host:【api.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
3. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 BWG-LA-VLESS-A-Vision】
4. SourceIP:【192.168.10.173】 - Host:【d1--ov-gotcha07.bilivideo.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【bilibili】 - Lastchain:【🇯🇵 JP-DMIT】
5. SourceIP:【192.168.10.208】 - Host:【findermp.video.qq.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【cn】 - Lastchain:【DIRECT】
6. SourceIP:【192.168.10.173】 - Host:【live-trace.bilibili.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【bilibili】 - Lastchain:【🇯🇵 JP-DMIT】
7. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 BWG-LA-VLESS-A-Vision】
8. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 BWG-LA-VLESS-A-Vision】
9. SourceIP:【192.168.10.173】 - Host:【Empty】 - DestinationIP:【149.154.167.92】 - Network:【tcp】 - RulePayload:【telegram】 - Lastchain:【🇺🇸 Silk-SJ-Trojan-B-Padding】
10. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
11. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 BWG-LA-VLESS-A-Vision】
12. SourceIP:【192.168.10.100】 - Host:【Empty】 - DestinationIP:【115.237.9.114】 - Network:【udp】 - RulePayload:【cn】 - Lastchain:【DIRECT】
13. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 BWG-LA-VLESS-A-Vision】
14. SourceIP:【192.168.10.173】 - Host:【i0.hdslb.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【bilibili】 - Lastchain:【🇯🇵 JP-DMIT】
15. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 BWG-LA-VLESS-A-Vision】
16. SourceIP:【192.168.10.208】 - Host:【mmbiz.qpic.cn】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【cn】 - Lastchain:【DIRECT】
17. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
18. SourceIP:【】 - Host:【sp.mux.sing-box.arpa】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
19. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
20. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
21. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
22. SourceIP:【192.168.10.100】 - Host:【data.video.iqiyi.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【cn】 - Lastchain:【DIRECT】
23. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
24. SourceIP:【192.168.10.173】 - Host:【safebrowsing.googleapis.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【google】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
25. SourceIP:【】 - Host:【sp.mux.sing-box.arpa】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
26. SourceIP:【192.168.10.100】 - Host:【Empty】 - DestinationIP:【123.244.94.41】 - Network:【tcp】 - RulePayload:【cn】 - Lastchain:【DIRECT】
27. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 BWG-LA-VLESS-A-Vision】
28. SourceIP:【*WAN IP*.51】 - Host:【Empty】 - DestinationIP:【115.219.6.39】 - Network:【udp】 - RulePayload:【cn】 - Lastchain:【DIRECT】
29. SourceIP:【】 - Host:【sp.mux.sing-box.arpa】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
30. SourceIP:【192.168.10.173】 - Host:【github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
31. SourceIP:【192.168.10.173】 - Host:【alive.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
32. SourceIP:【192.168.10.173】 - Host:【Empty】 - DestinationIP:【113.29.117.26】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【🇺🇸 BWG-LA-VLESS-B-Vision】
33. SourceIP:【192.168.10.100】 - Host:【Empty】 - DestinationIP:【36.110.238.54】 - Network:【tcp】 - RulePayload:【cn】 - Lastchain:【DIRECT】
34. SourceIP:【】 - Host:【sp.mux.sing-box.arpa】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
35. SourceIP:【】 - Host:【sp.mux.sing-box.arpa】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【🇺🇸 Silk-SJ-Trojan-B-Padding】
36. SourceIP:【192.168.10.173】 - Host:【41-courier.push.apple.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【push.apple.com】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
37. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
38. SourceIP:【】 - Host:【sp.mux.sing-box.arpa】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
39. SourceIP:【192.168.10.173】 - Host:【broadcastlv.chat.bilibili.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【bilibili】 - Lastchain:【🇯🇵 JP-DMIT】
40. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
41. SourceIP:【192.168.10.173】 - Host:【clientservices.googleapis.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【google】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
42. SourceIP:【192.168.10.173】 - Host:【data.bilibili.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【bilibili】 - Lastchain:【🇯🇵 JP-DMIT】
43. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
44. SourceIP:【192.168.10.100】 - Host:【data.video.iqiyi.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【cn】 - Lastchain:【DIRECT】
45. SourceIP:【192.168.10.173】 - Host:【api.live.bilibili.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【bilibili】 - Lastchain:【🇯🇵 JP-DMIT】
46. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 BWG-LA-VLESS-A-Vision】
47. SourceIP:【】 - Host:【gist.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft】 - Lastchain:【🇺🇸 Silk-SJ-VLESS-B-Padding】
xianren78
Verify Steps
OpenClash Version
v0.45.140-bate
Bug on Environment
Lean
Bug on Platform
Linux-amd64(x86-64)
To Reproduce
光猫桥接,使用软路由拨号,软路由启用IPV6,OpenClash中,使用Meta内核,启用IPv6 流量代理,IPv6 代理模式为 Tun模式,允许 IPv6 类型 DNS 解析 正常开启OpenClash,在pppoe的wan6口连接时长,每经过30分钟时,均会出现一次断流,具体在日志中显示为:
2023-08-19 00:16:12 提示:开始添加自定义防火墙规则... 2023-08-19 00:16:12 提示:正在根据防火墙端口转发和防火墙通信规则添加端口绕过规则... 2023-08-19 00:16:12 提示:正在等待 TUN 接口启动... 2023-08-19 00:16:03 提示:正在等待 TUN 接口启动... 2023-08-19 00:16:03 提示:IPv6 代理模式为 TUN... 2023-08-19 00:16:03 提示:DNS 劫持模式为 Dnsmasq 转发... 2023-08-19 00:15:54 配置文件【/etc/openclash/OpenClash.yaml】测试成功... 2023-08-19 00:15:46 启动前调用内核测试配置文件... 2023-08-19 00:15:44 重置 OpenClash 防火墙规则...
不论何时开启OpenClash,都会出现这样子的结果,猜测可能与IPV6续租期有关,因为复现非常规律,每半个小时绝对出现,无遗漏情况
Describe the Bug
运营商给的IPV6的租期只有固定的一个小时,所以每半个小时,好像是为了续租期,OpenClash就会断一次,虽然IPV6的IP地址未发生改变,但这个问题稳定复现 具体表现就是在日志中出现如下文字 2023-08-19 00:16:12 提示:开始添加自定义防火墙规则... 2023-08-19 00:16:12 提示:正在根据防火墙端口转发和防火墙通信规则添加端口绕过规则... 2023-08-19 00:16:12 提示:正在等待 TUN 接口启动... 2023-08-19 00:16:03 提示:正在等待 TUN 接口启动... 2023-08-19 00:16:03 提示:IPv6 代理模式为 TUN... 2023-08-19 00:16:03 提示:DNS 劫持模式为 Dnsmasq 转发... 2023-08-19 00:15:54 配置文件【/etc/openclash/OpenClash.yaml】测试成功... 2023-08-19 00:15:46 启动前调用内核测试配置文件... 2023-08-19 00:15:44 重置 OpenClash 防火墙规则... 忘记从哪个版本开始了,这个样子已经保持半年之多,之前因为没有使用IPV6的需求,所以只在每次OpenClash更新版本后开启尝试一下,每次都一样,精准的每半个小时就会断一次。最近有使用IPV6的需求,所以特来发issue,希望可以得到解决。
OpenClash Log
我会再次评论补充,一次性太长GitHub不允许发
OpenClash Config
Expected Behavior
只希望开启IPV6后,不会再像目前这样,没半个小时中断一次
Screenshots
IPV6租期,仅为1小时,切换多个不同人编译的固件,均未找到可以修改租期的地方
防火墙相关设置
系统日志与OpenClash日志,00:15:44和00:45:44为最近两次OpenClash出现问题的时间点,精准的相隔了30分钟
