OpenWrt/Firewall/旧版

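# Router's LAN IP. Always expanded quoted below so an empty or unexpected
# value is passed to iptables as a single argument instead of being word-split.
LAN_IP=192.168.1.1

# NOTE: `iptables -I` prepends to the chain, so within any one chain the rule
# listed LAST in this file is evaluated FIRST.

# --- filter table -----------------------------------------------------------
# SSH on the WAN side, with no source restriction: every Internet host can
# reach port 22. If remote administration is only needed from known hosts,
# add `-m set --match-set trust src` (the ipset used two rules below).
iptables -I input_wan_rule -p tcp --dport 22 -j ACCEPT
# Mark 0x4 is set by the relay rules on this page on traffic that is DNATed
# onward; let such traffic be forwarded.
iptables -I forwarding_wan_rule -m mark --mark 0x4/0x4 -j ACCEPT
# Sources in the `trust` ipset may reach the router itself and be forwarded.
iptables -I input_wan_rule -m set --match-set trust src -j ACCEPT
iptables -I forwarding_wan_rule -m set --match-set trust src -j ACCEPT

# --- mangle table: packet marking -------------------------------------------
# Packets already carrying mark 0x4 or 0x1 are ACCEPTed here, which ends
# traversal of mangle PREROUTING for them.
iptables -t mangle -I PREROUTING -m mark --mark 0x4/0x4 -j ACCEPT
iptables -t mangle -I PREROUTING -m mark --mark 0x1/0x1 -j ACCEPT
# Mark 0x1: sources in `nplan`, destinations in `cn` or `servers`.
iptables -t mangle -I PREROUTING -m set --match-set nplan src -j MARK --set-mark 0x1/0x1
iptables -t mangle -I PREROUTING -m set --match-set cn dst -j MARK --set-mark 0x1/0x1
iptables -t mangle -I PREROUTING -m set --match-set servers dst -j MARK --set-mark 0x1/0x1
# Router-originated traffic to `cn` / `servers` destinations gets 0x1 as well.
iptables -t mangle -I OUTPUT -m set --match-set cn dst -j MARK --set-mark 0x1/0x1
iptables -t mangle -I OUTPUT -m set --match-set servers dst -j MARK --set-mark 0x1/0x1
# New connections arriving on the WAN interface, and everything the router
# receives on it, also get 0x1.
iptables -t mangle -I PREROUTING -i pppoe-wan -m conntrack --ctstate NEW -j MARK --set-mark 0x1/0x1
iptables -t mangle -I INPUT -i pppoe-wan -j MARK --set-mark 0x1/0x1

# --- nat table --------------------------------------------------------------
# Marked traffic skips the rest of the OpenWrt prerouting hooks.
iptables -t nat -I prerouting_wan_rule -m mark --mark 0x4/0x4 -j ACCEPT
iptables -t nat -I prerouting_lan_rule -m mark --mark 0x4/0x4 -j ACCEPT
iptables -t nat -I prerouting_lan_rule -m mark --mark 0x1/0x1 -j ACCEPT
# Relay (0x4) traffic leaving through the WAN is source-NATed to the WAN address.
iptables -t nat -I postrouting_wan_rule -m mark --mark 0x4/0x4 -j MASQUERADE
# Port forwarding: LAN clients connecting to the router's LAN IP on 11111 are
# sent to 192.168.1.20:80.
iptables -t nat -I prerouting_lan_rule -p tcp -d "$LAN_IP" --dport 11111 -j DNAT --to-destination 192.168.1.20:80
# Redirect WAN port 8081 to the router's own port 80, because the ISP (China
# Telecom) blocks inbound port 80.
iptables -t nat -I prerouting_wan_rule -p tcp --dport 8081 -j REDIRECT --to-ports 80
# Force the DNS queries of every LAN device to the router's own resolver,
# except devices in the `nplan` ipset.
iptables -t nat -I prerouting_lan_rule -p tcp --dport 53 -m set ! --match-set nplan src -j REDIRECT --to-ports 53
iptables -t nat -I prerouting_lan_rule -p udp --dport 53 -m set ! --match-set nplan src -j REDIRECT --to-ports 53
iptables -t nat -I OUTPUT -m mark --mark 0x1/0x1 -j ACCEPT
iptables -t nat -I OUTPUT -m mark --mark 0x4/0x4 -j ACCEPT

# Carry the packet mark in the conntrack entry so later packets of the same
# connection inherit it (restore runs first in PREROUTING, save last in
# POSTROUTING) instead of re-matching the ipsets above.
iptables -t mangle -I PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -I POSTROUTING -j CONNMARK --save-mark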

shadowsocks relay (ss 中转:Internet IP => 路由器 WAN => ss server):

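# Shadowsocks relay: Internet client -> router WAN:LOCAL_PORT -> SS_IP:SS_PORT.
# 2.3.4.5 is presumably a placeholder; substitute the real server address.
# All expansions are quoted so iptables receives each value as one argument.
SS_IP=2.3.4.5
SS_PORT=443
LOCAL_PORT=21

# Traffic arriving on the WAN interface for LOCAL_PORT is marked 0x4 and
# DNATed to the remote server. The base rule set on this page ACCEPTs 0x4 in
# forwarding_wan_rule and MASQUERADEs it in postrouting_wan_rule. These rules
# carry no source match, so any Internet host can use the relay; add
# `-m set --match-set trust src` if it should be limited to known clients.
iptables -t mangle -I PREROUTING -i pppoe-wan -p tcp --dport "$LOCAL_PORT" -j MARK --set-mark 0x4/0x4
iptables -t mangle -I PREROUTING -i pppoe-wan -p udp --dport "$LOCAL_PORT" -j MARK --set-mark 0x4/0x4
iptables -t nat -I prerouting_wan_rule -p tcp --dport "$LOCAL_PORT" -j DNAT --to-destination "$SS_IP:$SS_PORT"
iptables -t nat -I prerouting_wan_rule -p udp --dport "$LOCAL_PORT" -j DNAT --to-destination "$SS_IP:$SS_PORT"

# The same relay for LAN clients that connect to the router's LAN IP on
# LOCAL_PORT. LAN_IP comes from the base rule set above.
iptables -t mangle -I PREROUTING -i br-lan -p tcp -d "$LAN_IP" --dport "$LOCAL_PORT" -j MARK --set-mark 0x4/0x4
iptables -t mangle -I PREROUTING -i br-lan -p udp -d "$LAN_IP" --dport "$LOCAL_PORT" -j MARK --set-mark 0x4/0x4
iptables -t nat -I prerouting_lan_rule -p tcp -d "$LAN_IP" --dport "$LOCAL_PORT" -j DNAT --to-destination "$SS_IP:$SS_PORT"
iptables -t nat -I prerouting_lan_rule -p udp -d "$LAN_IP" --dport "$LOCAL_PORT" -j DNAT --to-destination "$SS_IP:$SS_PORT"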
