- 光猫拨号,光猫关闭防火墙
- OpenWrt 路由器( 22.05 或者 23.05 )默认防火墙如下:
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
- 自己添加的规则如下:
config rule
option name 'allow_ssh_1'
list proto 'tcp'
option src 'wan'
option dest_port '22 222'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'allow_ssh_2'
option family 'ipv6'
list proto 'tcp'
option src 'wan'
option dest '*'
option dest_port '22 222'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'forward_ssh'
option src 'wan'
option src_dport '222'
option dest_ip '240*:<目标设备>'
option dest_port '22'
list proto 'tcp'
list proto 'icmp'
其中 240*:<目标设备> 是想暴露 22 端口的设备,是通过网线直连 OpenWrt 路由器的,自身没有防火墙限制。
这样设置后:
- OpenWrt 路由器访问
240*:<目标设备>,通 - 远程访问 OpenWrt 路由器自身的 ssh ( 22 端口),通
- 远程访问 OpenWrt 路由器转发的 ssh ( 222 端口),不通
- 远程访问设备的 ssh (
240*:<目标设备>的 22 端口),不通
按照我的理解,第 0 和 第 1 点成功的话,第 2 点一定能成功才对
Select Language