Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] OenClash启用后,内网的客户端无法拔PPTP VPN 服务器,报错619。关闭OenClash可正常拔 #4229

Open
5 of 7 tasks
dfgsdgsag73426 opened this issue Dec 14, 2024 · 3 comments
Open
5 of 7 tasks

[Bug] OenClash启用后,内网的客户端无法拔PPTP VPN 服务器,报错619。关闭OenClash可正常拔 #4229

dfgsdgsag73426 opened this issue Dec 14, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@dfgsdgsag73426
Copy link

Verify Steps

  • Tracker 我已经在 Issue Tracker 中找过我要提出的问题
  • Branch 我知道 OpenClash 的 Dev 分支切换开关位于插件设置-版本更新中,或者我会手动下载并安装 Dev 分支的 OpenClash
  • Latest 我已经使用最新 Dev 版本测试过,问题依旧存在
  • Relevant 我知道 OpenClash 与 内核(Core)、控制面板(Dashboard)、在线订阅转换(Subconverter)等项目之间无直接关系,仅相互调用
  • Definite 这确实是 OpenClash 出现的问题
  • Contributors 我有能力协助 OpenClash 开发并解决此问题
  • Meaningless 我提交的是无意义的催促更新或修复请求

OpenClash Version

V0.46.050-beta

Bug on Environment

Official OpenWrt

OpenWrt Version

OpenWrt R24.03.20-D (2024-06-07)

Bug on Platform

Linux-arm64

Describe the Bug

OenClash启用后,内网的客户端无法拔PPTP VPN 服务器,报错619。关闭OenClash可正常拔

微信截图_20241214150610
微信截图_20241214150635

To Reproduce

OenClash启用后,内网的客户端无法拔PPTP VPN 服务器,报错619。关闭OenClash可正常拔

OpenClash Log

生成时间: 2024-12-14 15:08:43
插件版本: v0.46.050-beta
隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息



#===================== 系统信息 =====================#

主机型号: FriendlyElec NanoPi R2S
固件版本: OpenWrt SNAPSHOT r5056-4b6f54007
LuCI版本: git-24.135.14813-d4e0cbd-1
内核版本: 6.1.92
处理器架构: aarch64_generic

#此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: server

DNS劫持: Dnsmasq 转发
#DNS劫持为Dnsmasq时,此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.*.*#7874

#===================== 依赖检查 =====================#

dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci >= 19.07): 已安装
kmod-inet-diag(PROCESS-NAME): 已安装
unzip: 已安装
iptables-mod-tproxy: 已安装
kmod-ipt-tproxy: 已安装
iptables-mod-extra: 已安装
kmod-ipt-extra: 已安装
kmod-ipt-nat: 已安装

#===================== 内核检查 =====================#

运行状态: 运行中
运行内核:Meta
进程pid: 16666
运行权限: 16666: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_sys_admin,cap_sys_resource=eip
运行用户: 
已选择的架构: linux-arm64

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限

Meta内核版本: alpha-g792f162
Meta内核文件: 存在
Meta内核运行权限: 正常

#===================== 插件设置 =====================#

当前配置文件: /etc/openclash/config/3f.yaml
启动配置文件: /etc/openclash/3f.yaml
运行模式: redir-host
默认代理模式: rule
UDP流量转发(tproxy): 启用
自定义DNS: 停用
IPV6代理: 停用
IPV6-DNS解析: 停用
禁用Dnsmasq缓存: 启用
自定义规则: 启用
仅允许内网: 启用
仅代理命中规则流量: 停用
仅允许常用端口流量: 停用
绕过中国大陆IP: 停用
路由本机代理: 启用

#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用

#启动异常时建议关闭此项后重试
第三方规则: 停用

#===================== 自定义规则 一 =====================#
script:
##  shortcuts:
##    Notice: The core timezone is UTC
##    CST 20:00-24:00 = time.now().hour > 12 and time.now().hour < 16
##    内核时区为UTC,故以下time.now()函数的取值需要根据本地时区进行转换
##    北京时间(CST) 20:00-24:00 = time.now().hour > 12 and time.now().hour < 16
##    quic: network == 'udp' and dst_port == 443 and (geoip(resolve_ip(host)) != 'CN' or geoip(dst_ip) != 'CN')
##    time-limit: in_cidr(src_ip,'192.168.*.*/32') and time.now().hour < 20 or time.now().hour > 21
##    time-limit: src_ip == '192.168.*.*' and time.now().hour < 20 or time.now().hour > 21

##  code: |
##    def main(ctx, metadata):
##        directkeywordlist = ["baidu"]
##        for directkeyword in directkeywordlist:
##          if directkeyword in metadata["host"]:
##            ctx.log('[Script] matched keyword %s use direct' % directkeyword)
##            return "DIRECT"

rules:
##- SCRIPT,quic,REJECT #shortcuts rule
##- SCRIPT,time-limit,REJECT #shortcuts rule

##- PROCESS-NAME,curl,DIRECT #匹配路由自身进程(curl直连)
##- DOMAIN-SUFFIX,google.com,Proxy #匹配域名后缀(交由Proxy代理服务器组)
##- DOMAIN-KEYWORD,google,Proxy #匹配域名关键字(交由Proxy代理服务器组)
##- DOMAIN,google.com,Proxy #匹配域名(交由Proxy代理服务器组)
##- DOMAIN-SUFFIX,ad.com,REJECT #匹配域名后缀(拒绝)
##- IP-CIDR,127.0.*.*/8,DIRECT #匹配数据目标IP(直连)
##-IP-CIDR,221.6.*.*/24,DIRECT #匹配数据目标IP(直连)
##- SRC-IP-CIDR,192.168.*.*/32,DIRECT #匹配数据发起IP(直连)
##- DST-PORT,80,DIRECT #匹配数据目标端口(直连)
##- SRC-PORT,7777,DIRECT #匹配数据源端口(直连)

##排序在上的规则优先生效,如添加(去除规则前的#号):
##IP段:192.168.*.*-192.168.*.* 直连
##- SRC-IP-CIDR,192.168.*.*/31,DIRECT
##- SRC-IP-CIDR,192.168.*.*/30,DIRECT
##- SRC-IP-CIDR,192.168.*.*/29,DIRECT
##- SRC-IP-CIDR,192.168.*.*/28,DIRECT
##- SRC-IP-CIDR,192.168.*.*/27,DIRECT
##- SRC-IP-CIDR,192.168.*.*/26,DIRECT
##- SRC-IP-CIDR,192.168.*.*/26,DIRECT
##- SRC-IP-CIDR,192.168.*.*/29,DIRECT
##- SRC-IP-CIDR,192.168.*.*/32,DIRECT

##IP段:192.168.*.*-192.168.*.* 直连
##- SRC-IP-CIDR,192.168.*.*/31,DIRECT
##- SRC-IP-CIDR,192.168.*.*/30,DIRECT
##- SRC-IP-CIDR,192.168.*.*/28,DIRECT
##- SRC-IP-CIDR,192.168.*.*/27,DIRECT

##此时IP为192.168.*.*和192.168.*.*的客户端流量走代理(策略),其余客户端不走代理
##因为Fake-IP模式下,IP地址为192.168.*.*的路由器自身流量可走代理(策略),所以需要排除

##仅设置路由器自身直连:
##- SRC-IP-CIDR,192.168.*.*/32,DIRECT
##- SRC-IP-CIDR,198.18.*.*/32,DIRECT

##DDNS
##- DOMAIN-SUFFIX,checkip.dyndns.org,DIRECT
##- DOMAIN-SUFFIX,checkipv6.dyndns.org,DIRECT
##- DOMAIN-SUFFIX,checkip.synology.com,DIRECT
##- DOMAIN-SUFFIX,ifconfig.co,DIRECT
##- DOMAIN-SUFFIX,api.myip.com,DIRECT
##- DOMAIN-SUFFIX,ip-api.com,DIRECT
##- DOMAIN-SUFFIX,ipapi.co,DIRECT
##- DOMAIN-SUFFIX,ip6.seeip.org,DIRECT
##- DOMAIN-SUFFIX,members.3322.org,DIRECT

##在线IP段转CIDR地址:http://ip2cidr.com
#===================== 自定义规则 二 =====================#
script:
##  shortcuts:
##    common_port: dst_port not in [21, 22, 23, 53, 80, 123, 143, 194, 443, 465, 587, 853, 993, 995, 998, 2052, 2053, 2082, 2083, 2086, 2095, 2096, 5222, 5228, 5229, 5230, 8080, 8443, 8880, 8888, 8889]

##  code: |
##    def main(ctx, metadata):
##        directkeywordlist = ["baidu"]
##        for directkeyword in directkeywordlist:
##          if directkeyword in metadata["host"]:
##            ctx.log('[Script] matched keyword %s use direct' % directkeyword)
##            return "DIRECT"

rules:
##- SCRIPT,common_port,DIRECT #shortcuts rule

##- DOMAIN-SUFFIX,google.com,Proxy #匹配域名后缀(交由Proxy代理服务器组)
##- DOMAIN-KEYWORD,google,Proxy #匹配域名关键字(交由Proxy代理服务器组)
##- DOMAIN,google.com,Proxy #匹配域名(交由Proxy代理服务器组)
##- DOMAIN-SUFFIX,ad.com,REJECT #匹配域名后缀(拒绝)
##- IP-CIDR,127.0.*.*/8,DIRECT #匹配数据目标IP(直连)
##- SRC-IP-CIDR,192.168.*.*/32,DIRECT #匹配数据发起IP(直连)
##- DST-PORT,80,DIRECT #匹配数据目标端口(直连)
##- SRC-PORT,7777,DIRECT #匹配数据源端口(直连)



#===================== 自定义覆写设置 =====================#

#!/bin/sh
. /usr/share/openclash/ruby.sh
. /usr/share/openclash/log.sh
. /lib/functions.sh

# This script is called by /etc/init.d/openclash
# Add your custom overwrite scripts here, they will be take effict after the OpenClash own srcipts

LOG_OUT "Tip: Start Running Custom Overwrite Scripts..."
LOGTIME=$(echo $(date "+%Y-%m-%d %H:%M:%S"))
LOG_FILE="/tmp/openclash.log"
CONFIG_FILE="$1" #config path

#Simple Demo:
    #General Demo
    #1--config path
    #2--key name
    #3--value
    #ruby_edit "$CONFIG_FILE" "['redir-port']" "7892"
    #ruby_edit "$CONFIG_FILE" "['secret']" "123456"
    #ruby_edit "$CONFIG_FILE" "['dns']['enable']" "true"

    #Hash Demo
    #1--config path
    #2--key name
    #3--hash type value
    #ruby_edit "$CONFIG_FILE" "['experimental']" "{'sniff-tls-sni'=>true}"
    #ruby_edit "$CONFIG_FILE" "['sniffer']" "{'sniffing'=>['tls','http']}"

    #Array Demo:
    #1--config path
    #2--key name
    #3--position(start from 0, end with -1)
    #4--value
    #ruby_arr_insert "$CONFIG_FILE" "['dns']['nameserver']" "0" "114.114.*.*"

    #Array Add From Yaml File Demo:
    #1--config path
    #2--key name
    #3--position(start from 0, end with -1)
    #4--value file path
    #5--value key name in #4 file
    #ruby_arr_add_file "$CONFIG_FILE" "['dns']['fallback-filter']['ipcidr']" "0" "/etc/openclash/custom/openclash_custom_fallback_filter.yaml" "['fallback-filter']['ipcidr']"

#Ruby Script Demo:
    #ruby -ryaml -rYAML -I "/usr/share/openclash" -E UTF-8 -e "
    #   begin
    #      Value = YAML.load_file('$CONFIG_FILE');
    #   rescue Exception => e
    #      puts '${LOGTIME} Error: Load File Failed,【' + e.message + '】';
    #   end;

        #General
    #   begin
    #   Thread.new{
    #      Value['redir-port']=7892;
    #      Value['tproxy-port']=7895;
    #      Value['port']=7890;
    #      Value['socks-port']=7891;
    #      Value['mixed-port']=7893;
    #   }.join;

    #   rescue Exception => e
    #      puts '${LOGTIME} Error: Set General Failed,【' + e.message + '】';
    #   ensure
    #      File.open('$CONFIG_FILE','w') {|f| YAML.dump(Value, f)};
    #   end" 2>/dev/null >> $LOG_FILE

exit 0
#===================== 自定义防火墙设置 =====================#

#!/bin/sh
. /usr/share/openclash/log.sh
. /lib/functions.sh

# This script is called by /etc/init.d/openclash
# Add your custom firewall rules here, they will be added after the end of the OpenClash iptables rules

LOG_OUT "Tip: Start Add Custom Firewall Rules..."

exit 0
#===================== IPTABLES 防火墙设置 =====================#

#IPv4 NAT chain

# Generated by iptables-save v1.8.7 on Sat Dec 14 15:08:47 2024
*nat
:PREROUTING ACCEPT [230:29503]
:INPUT ACCEPT [159:10256]
:OUTPUT ACCEPT [279:29949]
:POSTROUTING ACCEPT [116:7466]
:DOCKER - [0:0]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:openclash - [0:0]
:openclash_output - [0:0]
:postrouting_docker_rule - [0:0]
:postrouting_ipsecserver_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_docker_rule - [0:0]
:prerouting_ipsecserver_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_docker_postrouting - [0:0]
:zone_docker_prerouting - [0:0]
:zone_ipsecserver_postrouting - [0:0]
:zone_ipsecserver_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -p tcp -m tcp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A PREROUTING -i ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_prerouting
-A PREROUTING -i docker0 -m comment --comment "!fw3" -j zone_docker_prerouting
-A PREROUTING -p tcp -j openclash
-A OUTPUT -d 127.0.*.*/32 -p udp -m owner ! --uid-owner 65534 -m comment --comment "OpenClash DNS Hijack" -m udp --dport 53 -j REDIRECT --to-ports 53
-A OUTPUT -d 127.0.*.*/32 -p tcp -m owner ! --uid-owner 65534 -m comment --comment "OpenClash DNS Hijack" -m tcp --dport 53 -j REDIRECT --to-ports 53
-A OUTPUT ! -d 127.0.*.*/8 -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -j openclash_output
-A POSTROUTING -s 172.17.*.*/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A POSTROUTING -o ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_postrouting
-A POSTROUTING -o docker0 -m comment --comment "!fw3" -j zone_docker_postrouting
-A POSTROUTING -s 192.168.*.*/24 -m comment --comment "IPSec VPN Server" -j MASQUERADE
-A POSTROUTING -s 192.168.*.*/24 -m comment --comment "IPSec VPN Server" -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A openclash -p tcp -m tcp --sport 1688 -j RETURN
-A openclash -p tcp -m tcp --sport 1723 -j RETURN
-A openclash -p tcp -m tcp --sport 1194 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
-A openclash_output -p tcp -m tcp --sport 1688 -j RETURN
-A openclash_output -p tcp -m tcp --sport 1723 -j RETURN
-A openclash_output -p tcp -m tcp --sport 1194 -j RETURN
-A openclash_output -s 192.168.*.*/32 -p tcp -m tcp --sport 80 -j RETURN
-A openclash_output -s 192.168.*.*/32 -p tcp -m tcp --sport 80 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
-A zone_docker_postrouting -m comment --comment "!fw3: Custom docker postrouting rule chain" -j postrouting_docker_rule
-A zone_docker_prerouting -m comment --comment "!fw3: Custom docker prerouting rule chain" -j prerouting_docker_rule
-A zone_ipsecserver_postrouting -m comment --comment "!fw3: Custom ipsecserver postrouting rule chain" -j postrouting_ipsecserver_rule
-A zone_ipsecserver_prerouting -m comment --comment "!fw3: Custom ipsecserver prerouting rule chain" -j prerouting_ipsecserver_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule

-A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
-A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE --mode fullcone
-A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE --mode fullcone
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule

COMMIT
# Completed on Sat Dec 14 15:08:47 2024

#IPv4 Mangle chain

# Generated by iptables-save v1.8.7 on Sat Dec 14 15:08:47 2024
*mangle
:PREROUTING ACCEPT [1320:1073072]
:INPUT ACCEPT [1282:1070280]
:FORWARD ACCEPT [39:2868]
:OUTPUT ACCEPT [1249:1054509]
:POSTROUTING ACCEPT [1288:1057377]
:RRDIPT_FORWARD - [0:0]
:RRDIPT_INPUT - [0:0]
:RRDIPT_OUTPUT - [0:0]
:openclash - [0:0]
:openclash_output - [0:0]
:openclash_upnp - [0:0]
-A PREROUTING -p udp -j openclash
-A INPUT -j RRDIPT_INPUT
-A FORWARD -j RRDIPT_FORWARD
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j RRDIPT_OUTPUT
-A OUTPUT -p udp -j openclash_output
-A RRDIPT_FORWARD -s 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -s 172.17.*.*/32 -j RETURN
-A RRDIPT_FORWARD -d 172.17.*.*/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -s 172.17.*.*/32 -j RETURN
-A RRDIPT_FORWARD -d 172.17.*.*/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.*.*/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.*.*/32 -j RETURN
-A RRDIPT_INPUT -i eth0 -j RETURN
-A RRDIPT_INPUT -i pppoe-wan -j RETURN
-A RRDIPT_OUTPUT -o eth0 -j RETURN
-A RRDIPT_OUTPUT -o pppoe-wan -j RETURN
-A openclash -p udp -m udp --sport 1194 -j RETURN
-A openclash -p udp -m udp --sport 500 -j RETURN
-A openclash -p udp -m udp --sport 68 -j RETURN
-A openclash -s 192.168.*.*/32 -p udp -m udp --sport 80 -j RETURN
-A openclash -s 192.168.*.*/32 -p udp -m udp --sport 80 -j RETURN
-A openclash -s 192.168.*.*/32 -p udp -m udp --sport 0 -j RETURN
-A openclash -s 192.168.*.*/32 -p udp -m udp --sport 0 -j RETURN
-A openclash -s 192.168.*.*/32 -p udp -m udp --sport 0 -j RETURN
-A openclash -i lo -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p udp -m udp --dport 53 -j RETURN
-A openclash -p udp -j openclash_upnp
-A openclash -p udp -j TPROXY --on-port 7895 --on-ip 0.0.*.* --tproxy-mark 0x162/0xffffffff
-A openclash_output -p udp -m udp --sport 1194 -j RETURN
-A openclash_output -p udp -m udp --sport 500 -j RETURN
-A openclash_output -p udp -m udp --sport 68 -j RETURN
-A openclash_output -s 192.168.*.*/32 -p udp -m udp --sport 80 -j RETURN
-A openclash_output -s 192.168.*.*/32 -p udp -m udp --sport 80 -j RETURN
-A openclash_output -s 192.168.*.*/32 -p udp -m udp --sport 0 -j RETURN
-A openclash_output -s 192.168.*.*/32 -p udp -m udp --sport 0 -j RETURN
-A openclash_output -s 192.168.*.*/32 -p udp -m udp --sport 0 -j RETURN
-A openclash_output -d 198.18.*.*/16 -p udp -m owner ! --uid-owner 65534 -j MARK --set-xmark 0x162/0xffffffff
COMMIT
# Completed on Sat Dec 14 15:08:47 2024

#IPv4 Filter chain

# Generated by iptables-save v1.8.7 on Sat Dec 14 15:08:47 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-MAN - [0:0]
:DOCKER-USER - [0:0]
:MINIUPNPD - [0:0]
:PSW-SERVER - [0:0]
:forwarding_docker_rule - [0:0]
:forwarding_ipsecserver_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_docker_rule - [0:0]
:input_ipsecserver_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:openclash_wan_input - [0:0]
:output_docker_rule - [0:0]
:output_ipsecserver_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_docker_dest_ACCEPT - [0:0]
:zone_docker_forward - [0:0]
:zone_docker_input - [0:0]
:zone_docker_output - [0:0]
:zone_docker_src_ACCEPT - [0:0]
:zone_ipsecserver_dest_ACCEPT - [0:0]
:zone_ipsecserver_forward - [0:0]
:zone_ipsecserver_input - [0:0]
:zone_ipsecserver_output - [0:0]
:zone_ipsecserver_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -p udp -m udp --dport 443 -m comment --comment "OpenClash QUIC REJECT" -m set ! --match-set china_ip_route dst -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -m set ! --match-set localnetwork src -j openclash_wan_input
-A INPUT -i pppoe-wan -m set ! --match-set localnetwork src -j openclash_wan_input
-A INPUT -j PSW-SERVER
-A INPUT -p udp -m multiport --dports 500,4500 -m comment --comment "IPSec VPN Server" -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m comment --comment "IPSec VPN Server" -j ACCEPT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
-A INPUT -i ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_input
-A INPUT -i docker0 -m comment --comment "!fw3" -j zone_docker_input
-A FORWARD -o sb-tun+ -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -i ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_forward
-A FORWARD -i docker0 -m comment --comment "!fw3" -j zone_docker_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
-A OUTPUT -o ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_output
-A OUTPUT -o docker0 -m comment --comment "!fw3" -j zone_docker_output
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-MAN -i br-lan -o docker0 -j RETURN
-A DOCKER-MAN -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
-A DOCKER-MAN -o docker0 -m conntrack --ctstate INVALID,NEW -j DROP
-A DOCKER-MAN -j RETURN
-A DOCKER-USER -j DOCKER-MAN
-A DOCKER-USER -j RETURN
-A forwarding_rule -s 192.168.*.*/24 -m comment --comment "IPSec VPN Server" -j ACCEPT
-A forwarding_rule -m policy --dir out --pol ipsec --proto esp -m comment --comment "IPSec VPN Server" -j ACCEPT
-A forwarding_rule -m policy --dir in --pol ipsec --proto esp -m comment --comment "IPSec VPN Server" -j ACCEPT
-A forwarding_rule -s 192.168.*.*/24 -m comment --comment "IPSec VPN Server" -j ACCEPT
-A forwarding_rule -i pppoe+ -j RETURN
-A forwarding_rule -o pppoe+ -j RETURN
-A forwarding_rule -i ppp+ -m conntrack --ctstate NEW -j ACCEPT
-A forwarding_rule -o ppp+ -m conntrack --ctstate NEW -j ACCEPT
-A openclash_wan_input -p udp -m multiport --dports 7892,7895,9090,7890,7891,7893,7874 -j REJECT --reject-with icmp-port-unreachable
-A openclash_wan_input -p tcp -m multiport --dports 7892,7895,9090,7890,7891,7893,7874 -j REJECT --reject-with icmp-port-unreachable
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_docker_dest_ACCEPT -o docker0 -m comment --comment "!fw3" -j ACCEPT
-A zone_docker_forward -m comment --comment "!fw3: Custom docker forwarding rule chain" -j forwarding_docker_rule
-A zone_docker_forward -m comment --comment "!fw3: Zone docker to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_docker_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_docker_forward -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
-A zone_docker_input -m comment --comment "!fw3: Custom docker input rule chain" -j input_docker_rule
-A zone_docker_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_docker_input -m comment --comment "!fw3" -j zone_docker_src_ACCEPT
-A zone_docker_output -m comment --comment "!fw3: Custom docker output rule chain" -j output_docker_rule
-A zone_docker_output -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
-A zone_docker_src_ACCEPT -i docker0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_ipsecserver_dest_ACCEPT -o ipsec0 -m comment --comment "!fw3" -j ACCEPT
-A zone_ipsecserver_forward -m comment --comment "!fw3: Custom ipsecserver forwarding rule chain" -j forwarding_ipsecserver_rule
-A zone_ipsecserver_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_ipsecserver_forward -m comment --comment "!fw3" -j zone_ipsecserver_dest_ACCEPT
-A zone_ipsecserver_input -m comment --comment "!fw3: Custom ipsecserver input rule chain" -j input_ipsecserver_rule
-A zone_ipsecserver_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_ipsecserver_input -m comment --comment "!fw3" -j zone_ipsecserver_src_ACCEPT
-A zone_ipsecserver_output -m comment --comment "!fw3: Custom ipsecserver output rule chain" -j output_ipsecserver_rule
-A zone_ipsecserver_output -m comment --comment "!fw3" -j zone_ipsecserver_dest_ACCEPT
-A zone_ipsecserver_src_ACCEPT -i ipsec0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp" -j ACCEPT
-A zone_wan_input -p gre -m comment --comment "!fw3: gre" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Dec 14 15:08:47 2024

#IPv6 NAT chain

# Generated by ip6tables-save v1.8.7 on Sat Dec 14 15:08:47 2024
*nat
:PREROUTING ACCEPT [20:1921]
:INPUT ACCEPT [19:1837]
:OUTPUT ACCEPT [15:1409]
:POSTROUTING ACCEPT [16:1493]
COMMIT
# Completed on Sat Dec 14 15:08:47 2024

#IPv6 Mangle chain

# Generated by ip6tables-save v1.8.7 on Sat Dec 14 15:08:47 2024
*mangle
:PREROUTING ACCEPT [117:11183]
:INPUT ACCEPT [106:10259]
:FORWARD ACCEPT [7:524]
:OUTPUT ACCEPT [103:11290]
:POSTROUTING ACCEPT [110:11814]
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Dec 14 15:08:47 2024

#IPv6 Filter chain

# Generated by ip6tables-save v1.8.7 on Sat Dec 14 15:08:47 2024
*filter
:INPUT ACCEPT [42:11616]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [29:6536]
:MINIUPNPD - [0:0]
:PSW-SERVER - [0:0]
:forwarding_docker_rule - [0:0]
:forwarding_ipsecserver_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_docker_rule - [0:0]
:input_ipsecserver_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_docker_rule - [0:0]
:output_ipsecserver_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_docker_dest_ACCEPT - [0:0]
:zone_docker_forward - [0:0]
:zone_docker_input - [0:0]
:zone_docker_output - [0:0]
:zone_docker_src_ACCEPT - [0:0]
:zone_ipsecserver_dest_ACCEPT - [0:0]
:zone_ipsecserver_forward - [0:0]
:zone_ipsecserver_input - [0:0]
:zone_ipsecserver_output - [0:0]
:zone_ipsecserver_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -j PSW-SERVER
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
-A INPUT -i ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_input
-A INPUT -i docker0 -m comment --comment "!fw3" -j zone_docker_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -i ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_forward
-A FORWARD -i docker0 -m comment --comment "!fw3" -j zone_docker_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
-A OUTPUT -o ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_output
-A OUTPUT -o docker0 -m comment --comment "!fw3" -j zone_docker_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_docker_dest_ACCEPT -o docker0 -m comment --comment "!fw3" -j ACCEPT
-A zone_docker_forward -m comment --comment "!fw3: Custom docker forwarding rule chain" -j forwarding_docker_rule
-A zone_docker_forward -m comment --comment "!fw3: Zone docker to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_docker_forward -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
-A zone_docker_input -m comment --comment "!fw3: Custom docker input rule chain" -j input_docker_rule
-A zone_docker_input -m comment --comment "!fw3" -j zone_docker_src_ACCEPT
-A zone_docker_output -m comment --comment "!fw3: Custom docker output rule chain" -j output_docker_rule
-A zone_docker_output -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
-A zone_docker_src_ACCEPT -i docker0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_ipsecserver_dest_ACCEPT -o ipsec0 -m comment --comment "!fw3" -j ACCEPT
-A zone_ipsecserver_forward -m comment --comment "!fw3: Custom ipsecserver forwarding rule chain" -j forwarding_ipsecserver_rule
-A zone_ipsecserver_forward -m comment --comment "!fw3" -j zone_ipsecserver_dest_ACCEPT
-A zone_ipsecserver_input -m comment --comment "!fw3: Custom ipsecserver input rule chain" -j input_ipsecserver_rule
-A zone_ipsecserver_input -m comment --comment "!fw3" -j zone_ipsecserver_src_ACCEPT
-A zone_ipsecserver_output -m comment --comment "!fw3: Custom ipsecserver output rule chain" -j output_ipsecserver_rule
-A zone_ipsecserver_output -m comment --comment "!fw3" -j zone_ipsecserver_dest_ACCEPT
-A zone_ipsecserver_src_ACCEPT -i ipsec0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp" -j ACCEPT
-A zone_wan_input -p gre -m comment --comment "!fw3: gre" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Dec 14 15:08:47 2024

#===================== IPSET状态 =====================#

Name: mwan3_connected_v4
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xf717521d
Size in memory: 896
References: 1
Number of entries: 9

Name: mwan3_connected_v6
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 65536 bucketsize 12 initval 0x6caa8ad1
Size in memory: 1536
References: 1
Number of entries: 4

Name: mwan3_source_v6
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 65536 bucketsize 12 initval 0x07435aad
Size in memory: 1392
References: 0
Number of entries: 2

Name: mwan3_dynamic_v4
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xf9b61ce4
Size in memory: 464
References: 1
Number of entries: 0

Name: mwan3_dynamic_v6
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 65536 bucketsize 12 initval 0x4ac4cd23
Size in memory: 1248
References: 1
Number of entries: 0

Name: mwan3_custom_v4
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xffdae180
Size in memory: 464
References: 1
Number of entries: 0

Name: mwan3_custom_v6
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 65536 bucketsize 12 initval 0x775a7733
Size in memory: 1248
References: 1
Number of entries: 0

Name: cn
Type: hash:net
Revision: 7
Header: family inet hashsize 2048 maxelem 65536 bucketsize 12 initval 0xa3696f3f
Size in memory: 231464
References: 0
Number of entries: 8618

Name: ct
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xe044247c
Size in memory: 59888
References: 0
Number of entries: 1962

Name: cnc
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0x8951516c
Size in memory: 33008
References: 0
Number of entries: 915

Name: cmcc
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0x2ab604fb
Size in memory: 3008
References: 0
Number of entries: 55

Name: crtc
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xc0cd4b34
Size in memory: 1232
References: 0
Number of entries: 16

Name: cernet
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0x75eacb1c
Size in memory: 8192
References: 0
Number of entries: 171

Name: gwbn
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xe912806c
Size in memory: 12992
References: 0
Number of entries: 290

Name: othernet
Type: hash:net
Revision: 7
Header: family inet hashsize 2048 maxelem 65536 bucketsize 12 initval 0xebb72ba3
Size in memory: 149384
References: 0
Number of entries: 5209

Name: china_ip_route
Type: hash:net
Revision: 7
Header: family inet hashsize 2048 maxelem 1000000 bucketsize 12 initval 0xd14138c7
Size in memory: 232952
References: 1
Number of entries: 8661

Name: china_ip_route_pass
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 1000000 bucketsize 12 initval 0x6cd1d725
Size in memory: 464
References: 0
Number of entries: 0

Name: localnetwork
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xbbf577d8
Size in memory: 944
References: 5
Number of entries: 10

Name: passwall_gfwlist
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 1048576 timeout 172800 bucketsize 12 initval 0xc92e9172
Size in memory: 13008
References: 0
Number of entries: 160

Name: passwall_chnroute
Type: hash:net
Revision: 7
Header: family inet hashsize 4096 maxelem 1048576 timeout 172800 bucketsize 12 initval 0x5b5706d8
Size in memory: 427672
References: 0
Number of entries: 11300

Name: passwall_blacklist
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 1048576 timeout 172800 bucketsize 12 initval 0xb92f9083
Size in memory: 5648
References: 0
Number of entries: 64

Name: passwall_gfwlist6
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 1048576 timeout 172800 bucketsize 12 initval 0x7b3adcfc
Size in memory: 1248
References: 0
Number of entries: 0

Name: passwall_chnroute6
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 1048576 timeout 172800 bucketsize 12 initval 0x3cc80986
Size in memory: 185376
References: 0
Number of entries: 3314

Name: passwall_blacklist6
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 1048576 timeout 172800 bucketsize 12 initval 0xca7d27ca
Size in memory: 1728
References: 0
Number of entries: 5

Name: mwan3_connected
Type: list:set
Revision: 3
Header: size 8
Size in memory: 376
References: 0
Number of entries: 6

#===================== 路由表状态 =====================#

#IPv4

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.*.*         112.83.*.*      0.0.*.*         UG    0      0        0 pppoe-wan
112.83.*.*      0.0.*.*         255.255.*.* UH    0      0        0 pppoe-wan
172.17.*.*      0.0.*.*         255.255.*.*     U     0      0        0 docker0
192.168.*.*     0.0.*.*         255.255.*.*   U     0      0        0 br-lan

#ip route list
default via 112.83.*.* dev pppoe-wan proto static 
112.83.*.* dev pppoe-wan proto kernel scope link src 112.83.*.* 
172.17.*.*/16 dev docker0 proto kernel scope link src 172.17.*.* linkdown 
192.168.*.*/24 dev br-lan proto kernel scope link src 192.168.*.* 

#ip rule show
0:	from all lookup local
219:	from all fwmark 0x162 lookup 354
220:	from all lookup 220
32766:	from all lookup main
32767:	from all lookup default

#IPv6

#route -A inet6
Kernel IPv6 routing table
Destination                                 Next Hop                                Flags Metric Ref    Use Iface
::/0                                        ::                                      !n    -1     2        0 lo      
::/0                                        ::                                      !n    -1     2        0 lo      
::/0                                        fe80::*:*:*:5055               UG    512    5        0 pppoe-wan
::/0                                        fe80::*:*:*:5055               UG    512    6        0 pppoe-wan
2408:*:*:*::/64                    ::                                      !n    2147483647 2        0 lo      
2408:*:*:*::/64                    ::                                      U     1024   5        0 br-lan  
2408:*:*:*::/63                    fe80::fe7a:58ff:fea4:85a6               UG    1024   1        0 br-lan  
2408:*:*:*::/62                    ::                                      !n    2147483647 3        0 lo      
fe80::*:*:*:5055/128               ::                                      U     256    1        0 pppoe-wan
fe80::*:*:*:a467/128               ::                                      U     256    1        0 pppoe-wan
fe80::/64                                   ::                                      U     256    5        0 br-lan  
fe80::/64                                   ::                                      U     256    1        0 eth0    
fe80::/64                                   ::                                      U     256    1        0 docker0 
::/0                                        ::                                      !n    -1     2        0 lo      
::1/128                                     ::                                      Un    0      7        0 lo      
2408:*:*:*::/128                   ::                                      Un    0      3        0 pppoe-wan
2408:*:*:*:9573:6cb2:c9d8:a467/128 ::                                      Un    0      4        0 pppoe-wan
2408:*:*:*::/128                   ::                                      Un    0      3        0 br-lan  
2408:*:*:*::1/128                  ::                                      Un    0      7        0 br-lan  
fe80::/128                                  ::                                      Un    0      4        0 br-lan  
fe80::/128                                  ::                                      Un    0      3        0 eth0    
fe80::/128                                  ::                                      Un    0      3        0 docker0 
fe80::*:*:*:ea94/128                 ::                                      Un    0      2        0 docker0 
fe80::*:*:*:a9e4/128               ::                                      Un    0      2        0 eth0    
fe80::*:*:*:a9e5/128               ::                                      Un    0      8        0 br-lan  
fe80::*:*:*:a467/128               ::                                      Un    0      3        0 pppoe-wan
ff00::/8                                    ::                                      U     256    6        0 br-lan  
ff00::/8                                    ::                                      U     256    5        0 eth0    
ff00::/8                                    ::                                      U     256    5        0 pppoe-wan
ff00::/8                                    ::                                      U     256    4        0 docker0 
::/0                                        ::                                      !n    -1     2        0 lo      

#ip -6 route list
default from 2408:*:*:*::/64 via fe80::1ade:d7ff:feaa:5055 dev pppoe-wan proto static metric 512 pref medium
default from 2408:*:*:*::/62 via fe80::1ade:d7ff:feaa:5055 dev pppoe-wan proto static metric 512 pref medium
unreachable 2408:*:*:*::/64 dev lo proto static metric 2147483647 pref medium
2408:*:*:*::/64 dev br-lan proto static metric 1024 pref medium
2408:*:*:*::/63 via fe80::fe7a:58ff:fea4:85a6 dev br-lan proto static metric 1024 pref medium
unreachable 2408:*:*:*::/62 dev lo proto static metric 2147483647 pref medium
fe80::*:*:*:5055 dev pppoe-wan proto kernel metric 256 pref medium
fe80::*:*:*:a467 dev pppoe-wan proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev docker0 proto kernel metric 256 linkdown pref medium

#ip -6 rule show
0:	from all lookup local
220:	from all lookup 220
32766:	from all lookup main
4200000000:	from 2408:*:*:*::1/62 iif br-lan unreachable
4200000001:	from all iif lo failed_policy
4200000010:	from all iif br-lan failed_policy
4200000016:	from all iif pppoe-wan failed_policy
4200000016:	from all iif pppoe-wan failed_policy

#===================== 端口占用状态 =====================#

tcp        0      0 :::9090                 :::*                    LISTEN      16666/clash
tcp        0      0 :::7891                 :::*                    LISTEN      16666/clash
tcp        0      0 :::7890                 :::*                    LISTEN      16666/clash
tcp        0      0 :::7893                 :::*                    LISTEN      16666/clash
tcp        0      0 :::7892                 :::*                    LISTEN      16666/clash
tcp        0      0 :::7895                 :::*                    LISTEN      16666/clash
udp        0      0 :::7874                 :::*                                16666/clash
udp        0      0 :::7891                 :::*                                16666/clash
udp        0      0 :::7892                 :::*                                16666/clash
udp        0      0 :::7893                 :::*                                16666/clash
udp        0      0 :::7895                 :::*                                16666/clash
udp        0      0 :::40221                :::*                                16666/clash
udp        0      0 :::44840                :::*                                16666/clash
udp        0      0 :::52043                :::*                                16666/clash
udp        0      0 :::59359                :::*                                16666/clash
udp        0      0 :::50158                :::*                                16666/clash
udp        0      0 :::36908                :::*                                16666/clash
udp        0      0 :::46674                :::*                                16666/clash
udp        0      0 :::50264                :::*                                16666/clash
udp        0      0 :::46188                :::*                                16666/clash

#===================== 测试本机DNS查询(www.baidu.com) =====================#

Server:		127.0.*.*
Address:	127.0.*.*:53

www.baidu.com	canonical name = www.a.shifen.com
Name:	www.a.shifen.com
Address: 157.0.*.*
Name:	www.a.shifen.com
Address: 157.0.*.*



#===================== 测试内核DNS查询(www.instagram.com) =====================#

Status: 0
TC: false
RD: true
RA: true
AD: false
CD: false

Question: 
  Name: www.instagram.com.
  Qtype: 1
  Qclass: 1

Answer: 
  TTL: 3560
  data: z-p42-instagram.c10r.instagram.com.
  name: www.instagram.com.
  type: 5

  TTL: 20
  data: 157.240.*.*
  name: z-p42-instagram.c10r.instagram.com.
  type: 1

Status: 0
TC: false
RD: true
RA: true
AD: false
CD: false

Question: 
  Name: www.instagram.com.
  Qtype: 28
  Qclass: 1

Answer: 
  TTL: 3556
  data: z-p42-instagram.c10r.instagram.com.
  name: www.instagram.com.
  type: 5

  TTL: 16
  data: 2a03:*:*:*:face:b00c:0:4420
  name: z-p42-instagram.c10r.instagram.com.
  type: 28


Dnsmasq 当前默认 resolv 文件:/tmp/resolv.conf.d/resolv.conf.auto

#===================== /tmp/resolv.conf.d/resolv.conf.auto =====================#

# Interface wan
nameserver 221.6.*.*
nameserver 58.240.*.*
# Interface wan_6
nameserver 2408:8000:aaaa::
nameserver 2408:8888::8

#===================== 测试本机网络连接(www.baidu.com) =====================#

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Sat, 14 Dec 2024 07:08:49 GMT
Etag: "575e1f71-115"
Last-Modified: Mon, 13 Jun 2016 02:50:25 GMT
Pragma: no-cache
Server: bfe/1.0.*.*


#===================== 测试本机网络下载(raw.githubusercontent.com) =====================#

HTTP/2 200 
cache-control: max-age=300
content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
content-type: text/plain; charset=utf-8
etag: "f6037a93c68519d7041a3b4df325b61c424ec255b45dfeb063371319e39b0d96"
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block
x-github-request-id: DF91:14E590:5F39C4:6F20AB:675D2F02
accept-ranges: bytes
date: Sat, 14 Dec 2024 07:08:50 GMT
via: 1.1 varnish
x-served-by: cache-nrt-rjtf7700032-NRT
x-cache: MISS
x-cache-hits: 0
x-timer: S1734160130.947741,VS0,VE429
vary: Authorization,Accept-Encoding,Origin
access-control-allow-origin: *
cross-origin-resource-policy: cross-origin
x-fastly-request-id: 98369e0a6b0c5d4d705869d02815457822712928
expires: Sat, 14 Dec 2024 07:13:50 GMT
source-age: 0
content-length: 1071





#===================== 活动连接信息 =====================#

1. SourceIP:【192.168.*.*】 - Host:【Empty】 - DestinationIP:【142.251.*.*】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【日本直连接入点-B01】
2. SourceIP:【192.168.*.*】 - Host:【Empty】 - DestinationIP:【221.6.*.*】 - Network:【tcp】 - RulePayload:【cn】 - Lastchain:【DIRECT】
3. SourceIP:【192.168.*.*】 - Host:【safebrowsing.googleapis.com】 - DestinationIP:【114.250.*.*】 - Network:【tcp】 - RulePayload:【safebrowsing.googleapis.com】 - Lastchain:【DIRECT】
4. SourceIP:【192.168.*.*】 - Host:【pubstatic.b0.upaiyun.com】 - DestinationIP:【61.156.*.*】 - Network:【tcp】 - RulePayload:【upaiyun.com】 - Lastchain:【DIRECT】
5. SourceIP:【192.168.*.*】 - Host:【api.simpleallowcopy.com】 - DestinationIP:【137.184.*.*】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【日本直连接入点-B01】
6. SourceIP:【192.168.*.*】 - Host:【clients4.google.com】 - DestinationIP:【142.250.*.*】 - Network:【tcp】 - RulePayload:【google】 - Lastchain:【日本直连接入点-B01】
7. SourceIP:【192.168.*.*】 - Host:【d.skk.moe】 - DestinationIP:【104.20.*.*】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【日本直连接入点-B01】
8. SourceIP:【192.168.*.*】 - Host:【api.ip.sb】 - DestinationIP:【104.26.*.*】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【日本直连接入点-B01】
9. SourceIP:【192.168.*.*】 - Host:【collector.github.com】 - DestinationIP:【140.82.*.*】 - Network:【tcp】 - RulePayload:【github】 - Lastchain:【日本直连接入点-B01】
10. SourceIP:【192.168.*.*】 - Host:【accounts.google.com】 - DestinationIP:【142.251.*.*】 - Network:【tcp】 - RulePayload:【google】 - Lastchain:【日本直连接入点-B01】
11. SourceIP:【192.168.*.*】 - Host:【Empty】 - DestinationIP:【172.67.*.*】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【日本直连接入点-B01】
12. SourceIP:【192.168.*.*】 - Host:【api.ipify.org】 - DestinationIP:【172.67.*.*】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【日本直连接入点-B01】
13. SourceIP:【192.168.*.*】 - Host:【a.nel.cloudflare.com】 - DestinationIP:【35.190.*.*】 - Network:【tcp】 - RulePayload:【cloudflare.com】 - Lastchain:【日本直连接入点-B01】
14. SourceIP:【192.168.*.*】 - Host:【gateway.fe.apple-dns.cn】 - DestinationIP:【112.19.*.*】 - Network:【tcp】 - RulePayload:【cn】 - Lastchain:【DIRECT】
15. SourceIP:【192.168.*.*】 - Host:【qqwry.api.skk.moe】 - DestinationIP:【104.21.*.*】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【日本直连接入点-B01】
16. SourceIP:【192.168.*.*】 - Host:【Empty】 - DestinationIP:【193.182.*.*】 - Network:【udp】 - RulePayload:【】 - Lastchain:【日本直连接入点-B01】

OpenClash Config

No response

Expected Behavior

可以拔PPTP VPN 服务器,谢谢

Additional Context

No response
@dfgsdgsag73426 dfgsdgsag73426 added the bug Something isn't working label Dec 14, 2024
@vernesong
Copy link
Owner

端口绕过一下

@dfgsdgsag73426
Copy link
Author

幾乎

请问具体怎么设置?

@fejeIaqbhbv
Copy link

请问具体怎么设置?

把pptp用的端口号填到openclash里,我记得是用黑白名单的绕过端口

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@vernesong @dfgsdgsag73426 @fejeIaqbhbv