[Bug] immortalwrt 23.05 默认配置,开启白名单后路由器本身无法上网,外网也连不进来 #797
Comments
|
@bsdcpp 脚本什么版本,另外是否启用了本机代理,然后提供一下问题状态的8-1-4内容 |
|
版本:1.9.1rc7 table inet shellcrash {
chain input {
type filter hook input priority -100; policy accept;
ip daddr 127.0.0.1 accept
tcp dport 9999 ip saddr { 10.0.8.0/24, 192.168.1.0-192.168.3.255 } accept
tcp dport 9999 reject
tcp dport 7890 ip saddr { 10.0.8.0/24, 192.168.1.0-192.168.3.255 } accept
tcp dport 7890 reject
}
chain prerouting_dns {
type nat hook prerouting priority dstnat; policy accept;
udp dport != 53 return
tcp dport != 53 return
meta mark 0x00001ed6 return
meta skgid { 453, 7890 } return
ip saddr != { 10.0.8.0/24, 192.168.1.0-192.168.3.255 } return
ip6 saddr != { 2408:820c:8211:f179::/64, 2408:820c:8218:7c90::/60, 240e:388:8101:df00::/60, 240e:38f:8105:2038::/64, fd00::/8, fe80::/10 } reject with icmpv6 port-unreachable
udp dport 53 redirect to :1053
tcp dport 53 redirect to :1053
}
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
tcp dport 53 return
udp dport 53 return
tcp dport != { 22, 80, 143, 194, 443, 465, 587, 853, 993, 995, 5222, 8080, 8443 } ip daddr != 198.18.0.0/16 return
meta mark 0x00001ed6 return
meta skgid 7890 return
ip daddr { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 } return
ip saddr != { 10.0.8.0/24, 192.168.1.0-192.168.3.255 } return
ip6 daddr { ::/127, ::ffff:0.0.0.0/96, 64:ff9b::/96, 100::/64, 2001::/32, 2001:20::/28, 2001:db8::/32, 2002::/16, 2408:820c:8211:f179::/64, 2408:820c:8218:7c90::/60, 240e:388:8101:df00::/60, 240e:38f:8105:2038::/64, fc00::/7, fe80::/10, ff00::/8 } return
ip6 saddr != { 2408:820c:8211:f179::/64, 2408:820c:8218:7c90::/60, 240e:388:8101:df00::/60, 240e:38f:8105:2038::/64, fd00::/8, fe80::/10 } return
meta l4proto { tcp, udp } meta mark set 0x00001ed4 tproxy to :7893
}
}以下是白名单不正常的情况: table inet shellcrash {
chain input {
type filter hook input priority -100; policy accept;
ip daddr 127.0.0.1 accept
tcp dport 9999 ip saddr { 10.0.8.0/24, 192.168.1.0-192.168.3.255 } accept
tcp dport 9999 reject
tcp dport 7890 ip saddr { 10.0.8.0/24, 192.168.1.0-192.168.3.255 } accept
tcp dport 7890 reject
}
chain prerouting_dns {
type nat hook prerouting priority dstnat; policy accept;
udp dport != 53 return
tcp dport != 53 return
meta mark 0x00001ed6 return
meta skgid { 453, 7890 } return
ip saddr != { 10.0.8.0/24, 192.168.1.0-192.168.3.255 } return
ip6 saddr != { 2408:820c:8211:f179::/64, 2408:820c:8218:7c90::/60, 240e:388:8101:df00::/60, 240e:38f:8105:2038::/64, fd00::/8, fe80::/10 } reject with icmpv6 port-unreachable
udp dport 53 redirect to :1053
tcp dport 53 redirect to :1053
}
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
tcp dport 53 return
udp dport 53 return
tcp dport != { 22, 80, 143, 194, 443, 465, 587, 853, 993, 995, 5222, 8080, 8443 } ip daddr != 198.18.0.0/16 return
meta mark 0x00001ed6 return
meta skgid 7890 return
ip daddr { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 } return
ip6 daddr { ::/127, ::ffff:0.0.0.0/96, 64:ff9b::/96, 100::/64, 2001::/32, 2001:20::/28, 2001:db8::/32, 2002::/16, 2408:820c:8211:f179::/64, 2408:820c:8218:7c90::/60, 240e:388:8101:df00::/60, 240e:38f:8105:2038::/64, fc00::/7, fe80::/10, ff00::/8 } return
ip6 saddr != { 2408:820c:8211:f179::/64, 2408:820c:8218:7c90::/60, 240e:388:8101:df00::/60, 240e:38f:8105:2038::/64, fd00::/8, fe80::/10 } return
meta l4proto { tcp, udp } meta mark set 0x00001ed4 tproxy to :7893
}
}对比后,差异在 ip saddr != { 10.0.8.0/24, 192.168.1.0-192.168.3.255 } return |
|
@bsdcpp 看不出问题,防火墙配置是正常的,理论上也不会影响本机 |
我更新了下回复,麻烦再看下。 |
|
@bsdcpp 这里防火墙配置都是正常的,prerouting链也不会影响本机流量 |
|
@bsdcpp 如果是在docker中测试,需要启用容器/虚拟机代理功能 |
|
我是在真机环境下安装的,之前用iptables是没问题的,我再调试下看看,顺便学习下nft,感谢大佬解答,售后一级棒🎉 |
|
@juewuy 22:07:26.882400 pppoe-wan In IP 进入IP.32964 > 服务端IP.50000: UDP, length 96
22:07:26.937646 pppoe-wan Out IP 服务端IP.50000 > 进入IP.32964: UDP, length 96
22:07:26.994227 pppoe-wan In IP 进入IP.32964 > 服务端IP.50000: UDP, length 96
22:07:27.561369 pppoe-wan In IP 进入IP.32964 > 服务端IP.50000: UDP, length 96
22:07:27.671277 pppoe-wan In IP 进入IP.32964 > 服务端IP.50000: UDP, length 96
22:07:28.006316 pppoe-wan In IP 进入IP.32964 > 服务端IP.50000: UDP, length 96
22:07:28.618137 pppoe-wan Out IP 服务端IP.50000 > 进入IP.32964: UDP, length 96一旦开白名单,似乎有包进了lo,回环了吗,只有进没有出了? 22:07:28.652399 pppoe-wan In IP 进入IP.32964 > 服务端IP.50000: UDP, length 148
22:07:28.665062 lo In IP 服务端IP.33441 > 服务端IP.50000: UDP, length 148
22:07:28.777946 lo In IP 服务端IP.50000 > 服务端IP.33441: UDP, length 92
22:07:28.778022 lo In IP 服务端IP.50000 > 服务端IP.33441: UDP, length 92
22:07:28.842484 pppoe-wan In IP 进入IP.32964 > 服务端IP.50000: UDP, length 148
22:07:28.850514 lo In IP 服务端IP.48605 > 服务端IP.50000: UDP, length 92
22:07:28.850914 lo In IP 服务端IP.50000 > 服务端IP.48605: UDP, length 92
22:07:28.938108 lo In IP 服务端IP.50000 > 服务端IP.48605: UDP, length 92
22:07:29.098005 lo In IP 服务端IP.50000 > 服务端IP.48605: UDP, length 92
22:07:29.201430 pppoe-wan In IP 进入IP.32964 > 服务端IP.50000: UDP, length 92貌似之前看到过这样的问题,不知道是不是同一类问题:#783 请教下,这个流是不是进入核心了? root@ImmortalWrt:/etc# ip ru
0: from all lookup local
32765: from all fwmark 0x1ed4 lookup 100
32766: from all lookup main
32767: from all lookup default
root@ImmortalWrt:/etc# ip r list table 100
local default dev lo scope host
root@ImmortalWrt:/etc#没看懂,tproxy走的是个lo接口? |
|
我这边是把ipv6透明代理关了就能通过ipv6访问局域网设备了 |
谢谢反馈,我现在只能用黑名单模式,和nft/iptables关系不大 |
lo没问题啊,有问题的是为什么流量会进到内核,不进内核不会被打上标记 |
|
感谢修复,不过我测试了下,还是挺烧脑的:
iptables: |
|
@bsdcpp 进阶设置防火墙里可能需要添加一下自定义网段 |
谢谢,里面已经有10.0.8.1/24段了,而且新的immortalwrt有点难搞: chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
tcp dport 53 return
udp dport 53 return
tcp dport != { 22, 80, 143, 194, 443, 465, 587, 853, 993, 995, 5222, 8080, 8443 } ip daddr != 198.18.0.0/16 return
meta mark 0x00001ed6 return
meta skgid 7890 return
ip daddr 0.0.0.0 return
ether saddr != { 00:04:4b:84:20:ac,fc:7c:02:92:b4:fa } ip saddr != 10.0.8.0/24 return
meta nfproto ipv6 return
meta l4proto tcp redirect to :7892
tcp dport 53 return
udp dport 53 return
tcp dport != { 22, 80, 143, 194, 443, 465, 587, 853, 993, 995, 5222, 8080, 8443 } ip daddr != 198.18.0.0/16 return
meta mark 0x00001ed6 return
meta skgid 7890 return
ip daddr 0.0.0.0 return
ether saddr != { 00:04:4b:84:20:ac, fc:7c:02:92:b4:fa } ip saddr != 10.0.8.0/24 return
meta nfproto ipv6 return
meta l4proto { tcp, udp } meta mark set 0x00001ed4 tproxy to :7893
} |
|
@bsdcpp 重启设备吧,感觉有点乱 |
|
重启immortalwrt后还是一样的情况 |
|
@bsdcpp 好吧,明天有空我看一下 |
|
感谢,等你方便的时候,我主要用老的21的openwrt,一直很稳,这个新系统包括nftables确实比较令人崩溃。 Error: Could not process rule: File exists
add chain inet shellcrash prerouting { type filter hook prerouting priority -150 ; }
^^^^^^^^^^ |
|
应该是这行判断导致 Line 1314 in 1bcd7b6 改成 [ "$redir_mod" = "Tproxy模式" ] && ( modprobe nft_tproxy >/dev/null 2>&1 || lsmod 2>/dev/null | grep -q nft_tproxy ) && {没有重复 |
|
@bsdcpp OK |
|
对比了下nft和ipt的区别,mangle表里ipt的tproxy处理规则 Chain shellcrash_mark (4 references)
target prot opt source destination
RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
RETURN udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
RETURN all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x1ed6
RETURN all -- 0.0.0.0/0 192.168.1.0/24
RETURN all -- 0.0.0.0/0 192.168.3.0/24
RETURN all -- 0.0.0.0/0 192.168.2.0/24
RETURN all -- 0.0.0.0/0 192.168.77.0/24
RETURN all -- 0.0.0.0/0 10.0.8.0/24
RETURN all -- 0.0.0.0/0 0.0.0.0
TPROXY tcp -- 0.0.0.0/0 0.0.0.0/0 MAC cc:2d:b5:69:85:cd TPROXY redirect 0.0.0.0:7893 mark 0x1ed4/0xffffffff
TPROXY tcp -- 0.0.0.0/0 0.0.0.0/0 MAC 00:e1:4e:b4:48:9c TPROXY redirect 0.0.0.0:7893 mark 0x1ed4/0xffffffffnft: chain prerouting {
type filter hook prerouting priority mangle; policy accept;
tcp dport 53 return
udp dport 53 return
tcp dport != { 22, 80, 143, 194, 443, 465, 587, 853, 993, 995, 5222, 8080, 8443 } ip daddr != 198.18.0.0/16 return
meta mark 0x00001ed6 return
meta skgid 7890 return
ip daddr 0.0.0.0 return
ether saddr != { cc:2d:b5:69:85:cd, 00:e1:4e:b4:48:9c } return
meta nfproto ipv6 return
meta l4proto { tcp, udp } meta mark set 0x00001ed4 tproxy to :7893
}相比较,nft的好似不一样,具体逻辑我不太懂:
|
|
@bsdcpp 1应该是bug,2应该没什么区别 |
嗯,我就怕有什么没考虑到的通过了所有return“关卡”来到了不该打标签的地方。一些回环啥的确实烧脑,难为大佬维护,不容易 |
|
还有个神奇的地方是,iptables模式,只有在路由器上用127.0.0.1地址可以访问localhost:9999,用内网192.168.2.1访问不了。 Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 REJECT udp -- anywhere anywhere udp dpt:https reject-with icmp-port-unreachable
2 ACCEPT tcp -- anywhere localhost
3 LUCKY all -- anywhere anywhere
4 LUCKY all -- anywhere anywhere
5 ACCEPT tcp -- 0.0.0.0 anywhere tcp dpt:9999
6 REJECT tcp -- anywhere anywhere tcp dpt:9999 reject-with icmp-port-unreachable
7 ACCEPT tcp -- 0.0.0.0 anywhere tcp dpt:7890
8 REJECT tcp -- anywhere anywhere tcp dpt:7890 reject-with icmp-port-unreachable应该是被6 REJECT掉了 |
|
@bsdcpp localhost就是你本机,当然只能在本机访问 |
|
-A INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 9999 -j ACCEPT 是这样的,这个0.0.0.0/32正常吗?我去掉下面那个REJECT就内网设备可以访问了,是不是没匹配到这个0.0.0.0/32,导致走到了REJECT |
|
@bsdcpp 你这个设备有点问题,正常是会获取到局域网ip段的 |
|
@bsdcpp getlanip这个函数里有具体命令你可以运行试试 |
|
😂,是的,我看了正常的机器是: spiderClash:/# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 6 -- 0.0.0.0/0 127.0.0.1
ACCEPT 6 -- 0.0.0.0/8 0.0.0.0/0 tcp dpt:9999
ACCEPT 6 -- 10.0.0.0/8 0.0.0.0/0 tcp dpt:9999
ACCEPT 6 -- 127.0.0.0/8 0.0.0.0/0 tcp dpt:9999
ACCEPT 6 -- 100.64.0.0/10 0.0.0.0/0 tcp dpt:9999
ACCEPT 6 -- 169.254.0.0/16 0.0.0.0/0 tcp dpt:9999
ACCEPT 6 -- 172.16.0.0/12 0.0.0.0/0 tcp dpt:9999
ACCEPT 6 -- 192.168.0.0/16 0.0.0.0/0 tcp dpt:9999
ACCEPT 6 -- 224.0.0.0/4 0.0.0.0/0 tcp dpt:9999
ACCEPT 6 -- 240.0.0.0/4 0.0.0.0/0 tcp dpt:9999
REJECT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9999 reject-with icmp-port-unreachable |
|
哈哈,确实,今天说的问题纯属意外,我看了下是因为我去访问7-3-4自定义内网段后,按了0返回导致reserved_ipv4='0'出现了一系列妖怪问题,抱歉。 然后回到之前,
这应该是一个问题。 按照今天你修复的情况 Line 1216 in d73e95c 比方我白名单添加了mac/ip,走了elif分支,这样的话就不会添加上面那条了。 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Verify steps
Description
全新安装的情况下也能复现,切换黑名单/关闭sc马上恢复。局域网设备好像不受影响,路由器本身国内163,baidu都无法ping通,谢谢。
shellcrash新装默认配置,只改了tproxy:nftables + tproxy + fake
The text was updated successfully, but these errors were encountered: