1. 首先查看iptables表

iptables -nvL --line-number

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec proto 50
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec proto 50
 5415 1701K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
 4765 1635K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
   27  1612 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC CC:DD:95:22:BB:AA TIME from 07:00:00 to 18:30:00 /* !fw3: @rule[18] */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC CE:E1:33:27:11:FB TIME from 07:00:00 to 18:00:00 /* !fw3: TV */
  425 38634 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  198 25879 zone_wan_forward  all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
  137 39881 ACCEPT     all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
  164 44160 ACCEPT     all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0

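发现问题是由其中的forwarding_rule链导致的：FORWARD链先跳转到forwarding_rule，之后才轮到按MAC和时间限制的zone_wan_dest_REJECT规则；而forwarding_rule里的ppp+是接口名通配符，同样匹配WAN接口pppoe-wan，因此发往外网的转发流量在到达时间限制规则之前就已经被ACCEPT。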

2. 其次查看firewall配置文件

vi /etc/config/firewall

# Global fw3 defaults. forward 'ACCEPT' is what shows up as "policy ACCEPT"
# on the FORWARD chain in the iptables listing: a forwarded packet that no
# rule matches is accepted.
# NOTE(review): forward 'REJECT' here would make unmatched forwarding fail
# closed; confirm nothing on this router relies on the permissive default.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan wlan'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option forward 'REJECT'
        option network 'wan wan6'
        option masq '1'
        option mtu_fix '1'
        option output 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'adbyby'
        option type 'script'
        option path '/usr/share/adbyby/firewall.include'
        option reload '1'

config rule 'adblock'
        option name 'adblock'
        option target 'DROP'
        option src 'wan'
        option proto 'tcp'
        option dest_port '8118'

config include 'ipsecd'
        option type 'script'
        option path '/etc/ipsec.include'
        option reload '1'

config rule 'ike'
        option name 'ike'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '500'

config rule 'ipsec'
        option name 'ipsec'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '4500'

config rule 'ah'
        option name 'ah'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'ah'

config rule 'esp'
        option name 'esp'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'esp'

config rule 'kms'
        option name 'kms'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '1688'

config include 'shadowsocksr'
        option type 'script'
        option path '/var/etc/shadowsocksr.include'
        option reload '1'

config include 'wrtbwmon'
        option type 'script'
        option path '/etc/wrtbwmon.include'
        option reload '1'

config rule 'openvpn'
        option name 'openvpn'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp udp'
        option dest_port '1194'

# Runs /etc/pptpd.include as a shell script when the firewall starts;
# reload '1' makes fw3 run it again on every firewall reload.
# That script is the source of the two "ppp+" ACCEPT rules seen in the
# forwarding_rule chain.
config include 'pptpd'
        option type 'script'
        option path '/etc/pptpd.include'
        option reload '1'

config rule 'pptp'
        option name 'pptp'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '1723'

config rule 'gre'
        option name 'gre'
        option target 'ACCEPT'
        option src 'wan'
        option proto '47'

# Time-based access control: reject forwarding from any zone to wan for this
# source MAC between 07:00:00 and 18:30:00, all protocols (proto '0').
# Rendered in the FORWARD chain as the MAC/TIME zone_wan_dest_REJECT rule
# tagged "@rule[18]". It sits after the jump to forwarding_rule, so anything
# accepted in that chain never reaches it.
config rule
        option src '*'
        option dest 'wan'
        option proto '0'
        option target 'REJECT'
        option src_mac 'CC:DD:95:22:BB:AA'
        option start_time '07:00:00'
        option stop_time '18:30:00'
        option ac_enabled '1'

# Time-based access control for the device named 'TV': reject forwarding from
# any zone to wan for this source MAC between 07:00:00 and 18:00:00, all
# protocols (proto '0'). Rendered in the FORWARD chain as the MAC/TIME
# zone_wan_dest_REJECT rule tagged "TV", which is also evaluated only after
# the forwarding_rule chain.
config rule
        option ac_enabled '1'
        option src '*'
        option dest 'wan'
        option proto '0'
        option target 'REJECT'
        option name 'TV'
        option src_mac 'CE:E1:33:27:11:FB'
        option start_time '07:00:00'
        option stop_time '18:00:00'

3. 查看pptpd.include文件

vi /etc/pptpd.include

# Firewall include for pptpd; /etc/config/firewall lists it with
# option reload '1'.
# Remove any earlier copy of each rule first so that repeated runs do not
# stack duplicates; stderr is discarded, so a missing rule is silent.
iptables -D forwarding_rule -i ppp+ -j ACCEPT 2>/dev/null
iptables -D forwarding_rule -o ppp+ -j ACCEPT 2>/dev/null
# NOTE(review): "ppp+" is an iptables interface wildcard that matches every
# interface whose name starts with "ppp". On this router that includes the
# WAN interface pppoe-wan, not only PPTP client links. FORWARD jumps to
# forwarding_rule before the MAC/TIME zone_wan_dest_REJECT rules and before
# zone_wan_forward, so these two rules accept all forwarded WAN traffic ahead
# of the time restrictions and ahead of the wan zone's forward 'REJECT'.
# If PPTP forwarding is still needed, the match should be narrowed so that it
# cannot cover pppoe-wan.
iptables -A forwarding_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -o ppp+ -j ACCEPT
# Enable proxy ARP on br-lan (presumably so PPTP clients given LAN addresses
# are reachable from LAN hosts; confirm against the pptpd setup).
echo 1 > /proc/sys/net/ipv4/conf/br-lan/proxy_arp

4. 用命令查看

iptables-save -c | grep -i "Custom forwarding rule chain"
[20105:5874049] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule

5. 解决方案

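注释或删除/etc/config/firewall文件中关于pptp的内容（即下面两段），修改后需重启防火墙（例如 /etc/init.d/firewall restart），让forwarding_rule链中已有的两条ppp+规则被清除。注意：这样做会同时关闭WAN侧的PPTP端口1723，并且不再加载pptpd.include；如果仍需要PPTP服务，应改为修改pptpd.include，使其匹配范围不包含pppoe-wan。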

config include 'pptpd'
        option type 'script'
        option path '/etc/pptpd.include'
        option reload '1'

config rule 'pptp'
        option name 'pptp'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '1723'

6. 测试

iptables -I FORWARD -m mac --mac-source CE:E1:33:27:11:FB -p all -m time --timestart 06:30:00 --timestop 17:00:00 --kerneltz -j zone_wan_dest_REJECT

测试上网时间设置正常。