防火墙nftables初探，ipv4和ipv6双栈

normanlu · 发表于 2022-12-24 15:06

前一段时间，投诉电信一直不给家里千兆宽带分配ipv6地址，反复几个来回后，终于拿到ipv6地址。

于是开始在软路由上设置ipv6，折腾软路由过程中，正好利用这个机会，研究了一下nftables这个iptables的替代者。

初步体验就是nftables优势明显，语句灵活，真香。附上我的nftables防火墙设置，互相学习，请高手指点。

flush ruleset
define DEV_LAN = eth1
define DEV_WAN = ppp0
define DEV_MODEM = eth0
define IP_MODEM = 192.168.0.11
define IPTV_VLAN85 = eth0.85
define IPTV_VLAN51 = eth0.51
define GUEST_LAN = { 192.168.4.0/24 }
define IOT_LAN = { 192.168.5.0/24 }
define HOME_LAN = { 192.168.10.0/24 }
define LAN_SET = {
$GUEST_LAN,
$IOT_LAN,
$HOME_LAN
}
table inet global {
flowtable f {
hook ingress priority 0; devices = { $DEV_LAN, $DEV_MODEM };
}
chain inbound_wan {
icmp type { echo-reply, echo-request } limit rate 50/second burst 100 packets counter accept \
comment "Allow-ping-from-WAN"
ip6 nexthdr icmpv6 icmpv6 type {
destination-unreachable, # type 1
packet-too-big, # type 2
time-exceeded, # type 3
parameter-problem, # type 4
echo-request, # type 128
echo-reply, # type 129
} limit rate 50/second burst 100 packets counter accept \
comment "Accept basic IPv6 functionality"
}
chain inbound_lan {
icmp type { echo-reply, echo-request } accept
ip6 nexthdr icmpv6 icmpv6 type {
destination-unreachable, # type 1
packet-too-big, # type 2
time-exceeded, # type 3
parameter-problem, # type 4
echo-request, # type 128
echo-reply, # type 129
} accept
# allow DNS, NTP and SSH from the private network
meta l4proto . th dport vmap { udp . 53 : accept, tcp . 53 : accept, udp . 123 : accept }
ip saddr $HOME_LAN tcp dport 22 accept
}
chain inbound {
type filter hook input priority 0; policy drop;
# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }
ip6 nexthdr icmpv6 icmpv6 type {
nd-router-solicit, # type 133
nd-router-advert, # type 134
nd-neighbor-solicit, # type 135
nd-neighbor-advert, # type 136
} ip6 hoplimit 255 accept \
comment "Allow IPv6 SLAAC"
ip6 nexthdr icmpv6 icmpv6 type {
mld-listener-query, # type 130
mld-listener-report, # type 131
mld-listener-reduction, # type 132
mld-listener-report, # type 131
mld-listener-reduction, # type 132
mld2-listener-report, # type 143
} ip6 saddr fe80::/10 accept \
comment "Allow IPv6 multicast listener discovery on link-local"
meta nfproto ipv6 udp sport 547 udp dport 546 accept \
comment "Accept DHCPv6 replies from IPv6 link-local addresses"
# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WAN : jump inbound_wan, $DEV_LAN : jump inbound_lan }
# the rest will be dropped
}
chain outbound {
type filter hook output priority 0; policy accept;
}
chain forward {
type filter hook forward priority 0; policy drop;
meta l4proto { tcp, udp } flow offload @f
counter
# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }
iifname $DEV_WAN ip6 nexthdr icmpv6 icmpv6 type {
destination-unreachable, # type 1
packet-too-big, # type 2
time-exceeded, # type 3
parameter-problem, # type 4
echo-request, # type 128
echo-reply, # type 129
} limit rate 50/second burst 100 packets counter accept \
comment "Accept basic IPv6 functionality"
meta l4proto esp counter accept comment "Allow-IPSec-ESP"
udp dport { 500, 4500 } counter accept comment "Allow-ISAKMP"
# internal nets are allowed
iifname $DEV_LAN counter accept
# connections from the internet to the internal net
iifname $DEV_WAN meta l4proto . th dport vmap { tcp . 8006 : accept, udp . 53847 : accept, tcp . 53847 : accept, udp . 13231 : accept, tcp . 8123 : accept } \
# the rest will be dropped
}
chain forward_mangle {
type filter hook forward priority mangle; policy accept;
oifname $DEV_WAN meta nfproto ipv4 tcp flags syn tcp option maxseg size set 1452 comment "IPV4 TCP MSS Clamping"
oifname $DEV_WAN meta nfproto ipv6 tcp flags syn tcp option maxseg size set 1432 comment "IPV6 TCP MSS Clamping"
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority -100; policy accept;
iifname $DEV_WAN ip protocol { tcp, udp } th dport 53847 dnat to 192.168.10.4 comment "port forwarding: qbittorrent"
iifname $DEV_WAN dnat to tcp dport map { 8006 : 192.168.10.250, 8123 : 192.168.10.252 } comment "port forwarding: PVE & HomeAssistant"
iifname $DEV_WAN udp dport 13231 dnat to 192.168.10.249 comment "port forwarding: WireGuard"
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
# masquerade private IP addresses
ip saddr $LAN_SET oifname $DEV_WAN masquerade
ip saddr $HOME_LAN oifname $DEV_MODEM snat to $IP_MODEM comment "access from home LAN to Modem"
}
}
table bridge filter {
chain forward {
type filter hook forward priority 0; policy accept;
iif $IPTV_VLAN85 oif $IPTV_VLAN51 counter drop comment "drop IPTV packages between VLAN85 & VLAN51"
iif $IPTV_VLAN51 oif $IPTV_VLAN85 counter drop comment "drop IPTV packages between VLAN85 & VLAN51"
}
}

复制代码

guevrar · 发表于 2022-12-25 10:22

学习一下

aitkots · 发表于 2022-12-25 13:40

我也分享一下我的，是根据openwrt的导出，然后我自己修改了一部分：

#!/usr/sbin/nft -f
# This configuration file is customized by fox
# Optimize system nftables for linux router
flush ruleset
table inet router {
#
# Flowtable
#
flowtable ft {
hook ingress priority filter;
devices = { enp6s18, enp6s19, enp6s20, enp6s21, enp6s22 };
}
#
# Defines
#
define local_dns_ipv4 = { 172.16.1.1, 172.16.1.2, 172.16.1.3 }
define local_dns_ipv6 = { fd10::1, fd10::2, fd10::3 }
#
# Filter rules
#
chain input {
type filter hook input priority filter; policy accept;
iifname "lo" accept comment "defconf: Accept traffic from loopback"
ct state established,related accept comment "defconf: Allow inbound established and related flows"
ct state invalid counter drop comment "defconf: Drop input flows with invalid conntrack state"
tcp flags & (fin | syn | rst | ack) == syn counter jump syn_flood comment "defconf: Rate limit TCP syn packets"
iifname "bridge1" jump input_lan comment "defconf: Handle lan IPv4/IPv6 input traffic"
iifname { "enp6s18", "pppoe-out1" } jump input_wan comment "defconf: Handle wan IPv4/IPv6 input traffic"
}
chain forward {
type filter hook forward priority filter; policy drop;
meta l4proto { tcp, udp } flow offload @ft comment "defconf: Track forwarded flows"
ct state established,related accept comment "defconf: Allow forwarded established and related flows"
ct state invalid counter drop comment "defconf: Drop forward flows with invalid conntrack state"
iifname "bridge1" jump forward_lan comment "defconf: Handle lan IPv4/IPv6 forward traffic"
iifname { "enp6s18", "pppoe-out1" } jump forward_wan comment "defconf: Handle wan IPv4/IPv6 forward traffic"
}
chain output {
type filter hook output priority filter; policy accept;
oifname "lo" accept comment "defconf: Accept traffic towards loopback"
ct state established,related accept comment "defconf: Allow outbound established and related flows"
ct state invalid counter drop comment "defconf: Drop output flows with invalid conntrack state"
oifname "bridge1" jump output_lan comment "defconf: Handle lan IPv4/IPv6 output traffic"
oifname { "enp6s18", "pppoe-out1" } jump output_wan comment "defconf: Handle wan IPv4/IPv6 output traffic"
}
chain prerouting {
type filter hook prerouting priority filter; policy accept;
iifname "bridge1" jump helper_lan comment "defconf: Handle lan IPv4/IPv6 helper assignment"
}
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "defconf: Reject TCP traffic"
counter reject comment "defconf: Reject any other traffic"
}
chain syn_flood {
limit rate 25/second burst 50 packets return comment "defconf: Accept SYN packets below rate-limit"
counter drop comment "defconf: Drop excess packets"
}
chain input_lan {
ct status dnat counter accept comment "lanconf: Accept port redirections"
jump accept_from_lan
}
chain output_lan {
jump accept_to_lan
}
chain forward_lan {
jump accept_to_wan comment "defconf: Accept lan to wan forwarding"
ct status dnat counter accept comment "lanconf: Accept port forwards"
jump accept_to_lan
}
chain helper_lan {
}
chain accept_from_lan {
iifname "bridge1" counter accept comment "defconf: Accept lan IPv4/IPv6 traffic"
}
chain accept_to_lan {
oifname "bridge1" counter accept comment "defconf: Accept lan IPv4/IPv6 traffic"
}
chain input_wan {
meta nfproto ipv4 udp dport 68 counter accept comment "defconf: Allow-DHCP-Renew"
meta nfproto ipv4 icmp type echo-request counter drop comment "defconf: Drop-ICMP-Ping-Input"
meta nfproto ipv6 icmpv6 type echo-request counter drop comment "defconf: Drop-ICMPv6-Ping-Input"
meta nfproto ipv4 meta l4proto igmp counter accept comment "defconf: Allow-IGMP"
meta nfproto ipv6 udp dport 546 counter accept comment "defconf: Allow-DHCPv6"
ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter accept comment "defconf: Allow-MLD"
meta nfproto ipv6 icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 100/second burst 200 packets counter accept comment "defconf: Allow-ICMPv6-Input"
meta nfproto ipv6 icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 100/second burst 200 packets counter accept comment "defconf: Allow-ICMPv6-Input"
jump drop_from_wan
}
chain output_wan {
jump accept_to_wan
}
chain forward_wan {
meta nfproto ipv4 icmp type echo-request counter drop comment "defconf: Drop-ICMP-Ping-Forward"
meta nfproto ipv6 icmpv6 type echo-request counter drop comment "defconf: Drop-ICMPv6-Ping-Forward"
meta nfproto ipv6 icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 100/second burst 200 packets counter accept comment "defconf: Allow-ICMPv6-Forward"
meta nfproto ipv6 icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 100/second burst 200 packets counter accept comment "defconf: Allow-ICMPv6-Forward"
meta l4proto esp counter jump accept_to_lan comment "defconf: Allow-IPSec-ESP"
udp dport 500 counter jump accept_to_lan comment "defconf: Allow-ISAKMP"
jump drop_to_wan
}
chain accept_to_wan {
oifname { "enp6s18", "pppoe-out1" } counter accept comment "defconf: Accept wan IPv4/IPv6 traffic"
}
chain drop_from_wan {
iifname { "enp6s18", "pppoe-out1" } counter drop comment "defconf: Drop wan IPv4/IPv6 traffic"
}
chain drop_to_wan {
oifname { "enp6s18", "pppoe-out1" } counter drop comment "defconf: Drop wan IPv4/IPv6 traffic"
}
#
# NAT rules
#
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
iifname "bridge1" meta l4proto { tcp, udp } th dport domain counter jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
oifname { "enp6s18", "pppoe-out1" } jump srcnat_wan comment "defconf: Handle wan IPv4/IPv6 srcnat traffic"
}
chain dstnat_lan {
ip saddr $local_dns_ipv4 meta l4proto { tcp, udp } th dport domain counter accept comment "lanconf: Accept lan dns IPv4 bootstrap query"
ip6 saddr $local_dns_ipv6 meta l4proto { tcp, udp } th dport domain counter accept comment "lanconf: Accept lan dns IPv6 bootstrap query"
meta l4proto { tcp, udp } th dport domain counter redirect to domain comment "lanconf: Lan dns redirect"
}
chain srcnat_wan {
meta nfproto ipv4 masquerade comment "defconf: Masquerade IPv4 wan traffic"
}
#
# Raw rules (notrack)
#
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
#
# Mangle rules
#
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
}
chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
}
chain mangle_input {
type filter hook input priority mangle; policy accept;
}
chain mangle_output {
type route hook output priority mangle; policy accept;
}
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
iifname { "enp6s18", "pppoe-out1" } tcp flags syn tcp option maxseg size set rt mtu comment "defconf: Zone wan IPv4/IPv6 ingress MTU fixing"
oifname { "enp6s18", "pppoe-out1" } tcp flags syn tcp option maxseg size set rt mtu comment "defconf: Zone wan IPv4/IPv6 egress MTU fixing"
}
}

复制代码

normanlu · 发表于 2022-12-25 14:10

aitkots 发表于 2022-12-25 13:40
我也分享一下我的，是根据openwrt的导出，然后我自己修改了一部分：

请教一下，这条规则起什么作用？

chain helper_lan

复制代码

Vampire_KILLer · 发表于 2022-12-25 15:26

本帖最后由 Vampire_KILLer 于 2022-12-25 15:40 编辑

防火墙现在我只会在PA和CP的集中管控上点点点了

不过Juniper和Hillstone还时不时需要敲几个命令行

华为的防火墙不管是seco还是ssh我都不想碰

aitkots · 发表于 2022-12-25 18:21

normanlu 发表于 2022-12-25 14:10
请教一下，这条规则起什么作用？

这个是openwrt留给自定义防火墙配置用的

normanlu · 发表于 2022-12-25 18:30

aitkots 发表于 2022-12-25 13:40
我也分享一下我的，是根据openwrt的导出，然后我自己修改了一部分：

多问一句，我研究了一下你的防火墙规则，貌似你的路由器并没有跑什么tcp服务，这条input链syn_flood应该并没什么作用吧。

normanlu · 发表于 2022-12-25 18:32

Vampire_KILLer 发表于 2022-12-25 15:26
防火墙现在我只会在PA和CP的集中管控上点点点了

不过Juniper和Hillstone还时不时需要敲几个命令行

家庭宽带，linux自带防火墙用用足够了，专业防火墙就不必了吧。

aitkots · 发表于 2022-12-25 19:14

normanlu 发表于 2022-12-25 18:30
多问一句，我研究了一下你的防火墙规则，貌似你的路由器并没有跑什么tcp服务，这条input链syn_flood应该 ...

作用是比较小咯，主要是对路由器的DDoS的一个防御

Krakenius · 发表于 2022-12-25 19:20

Vampire_KILLer 发表于 2022-12-25 15:26
防火墙现在我只会在PA和CP的集中管控上点点点了

不过Juniper和Hillstone还时不时需要敲几个命令行

为什么华为的不想碰？

Vampire_KILLer · 发表于 2022-12-26 05:09

normanlu 发表于 2022-12-25 18:32
家庭宽带，linux自带防火墙用用足够了，专业防火墙就不必了吧。

主要是我在我看来，折腾软路由啥的，真不如搞个二手的山石小防火墙，基本上pppoe多拨、多WAN口、运营商路由啥的都有

当然这是指路由这一块哈，其他诸如下载、插件功能的话这些是欠奉的

Vampire_KILLer · 发表于 2022-12-26 05:19

Krakenius 发表于 2022-12-25 19:20
为什么华为的不想碰？

使用体验差，日志功能差

网络厂商做的墙都有大病，思科如此、华为也如此

低层向高层做，要做好很难

高层转做低层，比较容易出彩——Juniper和Hillstone做核心交换机、F5做安全设备

normanlu · 发表于 2022-12-26 07:41

Vampire_KILLer 发表于 2022-12-26 05:09
主要是我在我看来，折腾软路由啥的，真不如搞个二手的山石小防火墙，基本上pppoe多拨、多WAN口、运营商路 ...

公司用fortigate，专业的事情交给专业的。家里嘛，自己折腾一下linux就好了，不想家里整一堆的硬件设备。

normanlu · 发表于 2022-12-27 16:22

看到一篇很好的nftables hardening的文章，做了一些修改，除了ipv6的hardening规则还需完善外，基本算完工了。

https://blog.samuel.domains/blog/security/nftables-hardening-rules-and-good-practices

flush ruleset
define DEV_LAN = eth1
define DEV_WAN = ppp0
define DEV_MODEM = eth0
define IP_MODEM = 192.168.0.11
define IPTV_VLAN85 = eth0.85
define IPTV_VLAN51 = eth0.51
define GUEST_LAN = 192.168.4.0/24
define IOT_LAN = 192.168.5.0/24
define HOME_LAN = 192.168.10.0/24
define LAN_SET = {
$GUEST_LAN,
$IOT_LAN,
$HOME_LAN
}
table netdev filter {
chain ingress {
type filter hook ingress device $DEV_WAN priority -500;
# IP FRAGMENTS
ip frag-off & 0x1fff != 0 counter drop
# IP BOGONS
# From <https://www.team-cymru.com/bogon-reference.html>.
ip saddr {
0.0.0.0/8,
10.0.0.0/8,
100.64.0.0/10,
127.0.0.0/8,
169.254.0.0/16,
172.16.0.0/12,
192.0.0.0/24,
192.0.2.0/24,
192.168.0.0/16,
198.18.0.0/15,
198.51.100.0/24,
203.0.113.0/24,
224.0.0.0/3
} counter drop
# TCP XMAS
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
# TCP NULL
tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
# TCP MSS
tcp flags syn tcp option maxseg size 1-536 counter drop
}
}
table inet global {
flowtable f {
hook ingress priority 0; devices = { $DEV_LAN, $DEV_MODEM };
}
chain inbound_wan {
# Allow-ping-from-WAN
icmp type { echo-reply, echo-request } limit rate 10/second burst 20 packets counter accept
# Accept basic IPv6 functionality
ip6 nexthdr icmpv6 icmpv6 type {
destination-unreachable, # type 1
packet-too-big, # type 2
time-exceeded, # type 3
parameter-problem, # type 4
echo-request, # type 128
echo-reply, # type 129
} limit rate 10/second burst 20 packets counter accept
}
chain inbound_lan {
icmp type { echo-reply, echo-request } accept
ip6 nexthdr icmpv6 icmpv6 type {
destination-unreachable, # type 1
packet-too-big, # type 2
time-exceeded, # type 3
parameter-problem, # type 4
echo-request, # type 128
echo-reply, # type 129
} accept
# allow DNS, NTP and SSH from the private network
meta l4proto . th dport vmap { udp . 53 : accept, tcp . 53 : accept, udp . 123 : accept }
ip saddr $HOME_LAN tcp dport 22 accept
}
chain inbound {
type filter hook input priority 0; policy drop;
# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }
# Allow IPv6 SLAAC
ip6 nexthdr icmpv6 icmpv6 type {
nd-router-solicit, # type 133
nd-router-advert, # type 134
nd-neighbor-solicit, # type 135
nd-neighbor-advert, # type 136
} ip6 hoplimit 255 counter accept
# Allow IPv6 multicast listener discovery on link-local
ip6 nexthdr icmpv6 icmpv6 type {
mld-listener-query, # type 130
mld-listener-report, # type 131
mld-listener-reduction, # type 132
mld2-listener-report, # type 143
} ip6 saddr fe80::/10 counter accept
# Accept DHCPv6 replies from IPv6 link-local addresses
meta nfproto ipv6 udp sport 547 udp dport 546 counter accept
# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WAN : jump inbound_wan, $DEV_LAN : jump inbound_lan }
# the rest will be dropped
}
chain outbound {
type filter hook output priority 0; policy accept;
}
chain forward {
type filter hook forward priority 0; policy drop;
meta l4proto { tcp, udp } flow offload @f
counter
# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }
# Accept basic IPv6 functionality
iifname $DEV_WAN ip6 nexthdr icmpv6 icmpv6 type {
destination-unreachable, # type 1
packet-too-big, # type 2
time-exceeded, # type 3
parameter-problem, # type 4
echo-request, # type 128
echo-reply, # type 129
} limit rate 10/second burst 20 packets counter accept
# internal nets are allowed
iifname $DEV_LAN counter accept
# connections from the internet to the home lan
iifname $DEV_WAN ip daddr $HOME_LAN ct status dnat counter accept
# the rest will be dropped
}
chain forward_mangle {
type filter hook forward priority mangle; policy accept;
# IPV4 TCP MSS Clamping
oifname $DEV_WAN meta nfproto ipv4 tcp flags syn tcp option maxseg size set 1452
# IPV6 TCP MSS Clamping
oifname $DEV_WAN meta nfproto ipv6 tcp flags syn tcp option maxseg size set 1432
}
chain prerouting {
type filter hook prerouting priority -150; policy accept;
# CT INVALID
ct state invalid counter drop
# TCP SYN (CT NEW)
tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
}
}
table ip nat {
chain nat_prerouting {
type nat hook prerouting priority -100; policy accept;
# port forwarding: PVE, HomeAssistant, qbittorrent & WireGuard
iifname $DEV_WAN ip protocol { tcp, udp } th dport 53847 dnat to 192.168.10.4
iifname $DEV_WAN dnat to tcp dport map { 8006 : 192.168.10.250, 8123 : 192.168.10.252 }
iifname $DEV_WAN udp dport 13231 dnat to 192.168.10.251
}
chain nat_postrouting {
type nat hook postrouting priority 100; policy accept;
# masquerade private IP addresses
ip saddr $LAN_SET oifname $DEV_WAN masquerade
# allow access from home LAN to Modem
ip saddr $HOME_LAN oifname $DEV_MODEM snat to $IP_MODEM
}
}
table bridge iptv {
chain port_block {
type filter hook forward priority 0; policy accept;
# drop IPTV packages between VLAN85 & VLAN51
iif $IPTV_VLAN85 oif $IPTV_VLAN51 counter drop
iif $IPTV_VLAN51 oif $IPTV_VLAN85 counter drop
}
}

复制代码

二手烟 · 发表于 2023-5-18 18:32

不懂防火墙设置，最近在er-x路由器上刷了openwrt 22.03.5，ipv6有时打开某些网站很慢，在网上看到https://www.v2ex.com/t/800024
附：在基于 Linux 的路由器启用MSS Clamping的命令：

# 自动MSS，假设PPPOE虚接口是pppoe0
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o pppoe0 -j TCPMSS --clamp-mss-to-pmtu
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o pppoe0 -j TCPMSS --clamp-mss-to-pmtu

# 手动指定MSS，假设PPPOE虚接口是pppoe0
$ iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o pppoe0 -j TCPMSS --set-mss 1452
$ ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o pppoe0 -j TCPMSS --set-mss 1432

这个在firewall4 里应该如何写？还是系统防火墙了已经自带了？我看你的帖子里的第159到163好像就是类似命令。

normanlu · 发表于 2023-5-18 20:22

二手烟发表于 2023-5-18 18:32
不懂防火墙设置，最近在er-x路由器上刷了openwrt 22.03.5，ipv6有时打开某些网站很慢，在网上看到https://w ...

oifname $DEV_WAN meta nfproto ipv4 tcp flags syn tcp option maxseg size set 1452

复制代码

160行就是ipv4的mss clamping

账号		自动登录	找回密码
密码			加入我们

[网络] 防火墙nftables初探，ipv4和ipv6双栈