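My home connection now has public IPv4 and IPv6. LAN devices already get public v6 addresses and pass the v6 test, but I can't reach the LAN devices directly from outside over v6. The OpenWrt router, which has DDNS, can be accessed normally. What do I need to configure on the LAN side to make the devices reachable from outside?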
1
kimking 2023-02-20 17:05:10 +08:00
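Allow inbound traffic in the firewall. Don't bother trying with TP-Link home routers; their v6 firewall is enabled by default and can't be adjusted.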
|
4
mcluyu 2023-02-20 17:52:40 +08:00
What devices are on the LAN? The devices have their own firewalls too, Windows for example.
|
5
lovelylain 2023-02-20 18:26:31 +08:00 via Android
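By default, forwarding from wan is rejected. You can change it to accept, or split wan into wan and wan6 and then allow forwarding only for wan6, or add ip6tables rules yourself.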
|
6
hertzry 2023-02-20 19:41:23 +08:00
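"The OpenWrt router, which has DDNS, can be accessed normally"?
First solve the problem of accessing the router directly from the public internet; only after that comes accessing the devices behind the router.
|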
7
neroxps 2023-02-21 05:27:26 +08:00 via iPhone
Post the output of ip6tables -S and everyone will be able to tell once they see it.
|
8
pota OP |
9
pota OP
@neroxps #7
```
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N MINIUPNPD
-N SOCAT
-N forwarding_docker_rule
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_vpn_rule
-N forwarding_wan_rule
-N input_docker_rule
-N input_lan_rule
-N input_rule
-N input_vpn_rule
-N input_wan_rule
-N output_docker_rule
-N output_lan_rule
-N output_rule
-N output_vpn_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_docker_dest_ACCEPT
-N zone_docker_forward
-N zone_docker_input
-N zone_docker_output
-N zone_docker_src_ACCEPT
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_vpn_dest_ACCEPT
-N zone_vpn_forward
-N zone_vpn_input
-N zone_vpn_output
-N zone_vpn_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_ACCEPT
-A INPUT -j SOCAT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i pppoe-Wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
-A INPUT -i docker0 -m comment --comment "!fw3" -j zone_docker_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i pppoe-Wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -i docker0 -m comment --comment "!fw3" -j zone_docker_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o pppoe-Wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
-A OUTPUT -o docker0 -m comment --comment "!fw3" -j zone_docker_output
-A SOCAT -p tcp -m tcp --dport 8000 -m comment --comment Openwrt -j ACCEPT
-A SOCAT -p tcp -m tcp --dport 8001 -m comment --comment QNAP -j ACCEPT
-A SOCAT -p tcp -m tcp --dport 8389 -m comment --comment "远程桌面" -j ACCEPT
-A SOCAT -p udp -m udp --dport 500 -m comment --comment IKE -j ACCEPT
-A SOCAT -p udp -m udp --dport 4500 -m comment --comment IPsec -j ACCEPT
-A SOCAT -p tcp -m tcp --dport 1701 -m comment --comment L2TP -j ACCEPT
-A SOCAT -p udp -m udp --dport 1701 -m comment --comment L2TP -j ACCEPT
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_docker_dest_ACCEPT -o docker0 -m comment --comment "!fw3" -j ACCEPT
-A zone_docker_forward -m comment --comment "!fw3: Custom docker forwarding rule chain" -j forwarding_docker_rule
-A zone_docker_forward -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
-A zone_docker_input -m comment --comment "!fw3: Custom docker input rule chain" -j input_docker_rule
-A zone_docker_input -m comment --comment "!fw3" -j zone_docker_src_ACCEPT
-A zone_docker_output -m comment --comment "!fw3: Custom docker output rule chain" -j output_docker_rule
-A zone_docker_output -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
-A zone_docker_src_ACCEPT -i docker0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-Wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-Wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p tcp -m comment --comment "!fw3: 开放 v6" -j ACCEPT
-A zone_wan_forward -p udp -m comment --comment "!fw3: 开放 v6" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 40000:65535 -m comment --comment "!fw3: wxedge" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 40000:65535 -m comment --comment "!fw3: wxedge" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 18888 -m comment --comment "!fw3: wxedge-port" -j reject
-A zone_wan_input -p udp -m udp --dport 18888 -m comment --comment "!fw3: wxedge-port" -j reject
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_src_ACCEPT -i pppoe-Wan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
```
|
10
zbinlin 2023-02-21 12:08:54 +08:00
With OpenWRT's default configuration, I only needed to add one forward that accepts from the `wan` zone to the `lan` zone.
|
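An added example, not part of the original thread: a small audit for `ip6tables -S` output such as the dump in reply #9, which flags default-ACCEPT policies and WAN-zone rules that accept new traffic with no port, address or ICMPv6-type restriction. It assumes the fw3 chain names seen in that dump (`zone_wan_forward`, `zone_wan_input`, `zone_wan_src_ACCEPT`); the sample lines are copied from the dump.

```shell
#!/bin/sh
# Added example: audit `ip6tables -S` text read from stdin.
# Assumption: the WAN zone is named "wan", so fw3 chains are zone_wan_*.
audit_ip6tables() {
    awk '
    # Default-accept policy: nothing is dropped unless a rule says so.
    $1 == "-P" && $3 == "ACCEPT" && ($2 == "INPUT" || $2 == "FORWARD") {
        print "POLICY " $2 ": default policy is ACCEPT"
        next
    }
    # Only appended rules in WAN-facing chains are of interest.
    $1 != "-A" || $2 !~ /^zone_wan_(forward|input|src_ACCEPT)$/ { next }
    # Jumps to other chains and reject/drop rules are not accepts.
    $0 !~ /-j ACCEPT *$/ { next }
    # Rules narrowed by port, address or ICMPv6 type are deliberate pinholes.
    / --dports? / || / -[sd] / || / --icmpv6-type / { next }
    # Return traffic for established flows is expected.
    / --ctstate / && $0 !~ /NEW/ { next }
    # What is left accepts new inbound traffic from WAN with no restriction.
    { print "OPEN " $2 ": " $0 }
    '
}

# Sample input: lines copied from the ip6tables -S output in reply #9.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A zone_wan_forward -p tcp -m comment --comment "!fw3: 开放 v6" -j ACCEPT
-A zone_wan_forward -p udp -m comment --comment "!fw3: 开放 v6" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_src_ACCEPT -i pppoe-Wan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT'

# On the router itself: ip6tables -S | audit_ip6tables
printf '%s\n' "$SAMPLE_RULES" | audit_ip6tables
```

Each `OPEN` line is a rule that lets any new connection from the WAN side through; on the forward chain that means every LAN host with a public v6 address is reachable on every port of that protocol, so the host firewalls become the only filter.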