
[Bug] How can traffic that the rules send DIRECT be configured so that it is not masqueraded?

Open ctz556 opened this issue 3 years ago • 0 comments

Verify Steps

  • [X] Tracker: I have searched the Issue Tracker for the problem I am reporting
  • [X] Latest: I have tested with the latest Dev version and the problem persists
  • [X] Core: This is a problem in OpenClash itself, not one specific to the Clash or Meta core I am using
  • [X] Meaningful: This is not a meaningless request to hurry along an update or fix

OpenClash Version

v0.45.35-beta

Bug on Environment

Official OpenWrt

Bug on Platform

Linux-amd64(x86-64)

To Reproduce

Self-built native OpenWrt, deployed as a bypass (side) router; the firewall and everything else are at their default settings.

Describe the Bug

In the upstream router's firewall, the source address of all traffic, including DIRECT traffic, shows up as the bypass router's address.

Expected Behavior

Apart from the "bypass mainland China IPs" option, how can traffic that the rules send DIRECT be configured so that it is not masqueraded, so that the upstream router sees the real source address and can do firewall traffic filtering and the like?

OpenClash Log

OpenClash 调试日志

生成时间: 2022-07-27 15:53:41 插件版本: v0.45.35-beta 隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息


#===================== 系统信息 =====================#

主机型号: Microsoft Corporation Virtual Machine
固件版本: OpenWrt 22.03-SNAPSHOT r19575-506432a783
LuCI版本: git-20.074.84698-ead5e81
内核版本: 5.10.131
处理器架构: x86_64

#此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: 

#此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874

#===================== 依赖检查 =====================#

dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
iptables-mod-tproxy: 已安装
kmod-ipt-tproxy: 已安装
iptables-mod-extra: 已安装
kmod-ipt-extra: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
ruby-dbm: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci-19.07): 已安装
kmod-inet-diag(PROCESS-NAME): 已安装

#===================== 内核检查 =====================#

运行状态: 运行中
进程pid: 20201
运行权限: 20201: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_sys_resource=eip
运行用户: nobody
已选择的架构: linux-amd64

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2022.06.19-13-ga45638d
Tun内核文件: 存在
Tun内核运行权限: 正常

Dev内核版本: v1.11.0-7-g5497ada
Dev内核文件: 存在
Dev内核运行权限: 正常

Meta内核版本: alpha-g503b1ef
Meta内核文件: 存在
Meta内核运行权限: 正常

#===================== 插件设置 =====================#

当前配置文件: /etc/openclash/config/suwa.yaml
启动配置文件: /etc/openclash/suwa.yaml
运行模式: redir-host
默认代理模式: rule
UDP流量转发(tproxy): 启用
DNS劫持: 启用
自定义DNS: 启用
IPV6代理: 停用
IPV6-DNS解析: 停用
禁用Dnsmasq缓存: 停用
自定义规则: 停用
仅允许内网: 启用
仅代理命中规则流量: 停用
仅允许常用端口流量: 停用
绕过中国大陆IP: 启用
DNS远程解析: 启用
路由本机代理: 启用

#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用

#启动异常时建议关闭此项后重试
第三方规则: 停用

#===================== 配置文件 =====================#

******

#===================== 防火墙设置 =====================#

#IPv4 NAT chain

# Generated by iptables-save v1.8.7 on Wed Jul 27 15:53:43 2022
*nat
:PREROUTING ACCEPT [21:4553]
:INPUT ACCEPT [7:798]
:OUTPUT ACCEPT [5:300]
:POSTROUTING ACCEPT [5:300]
:openclash - [0:0]
:openclash_output - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -d 8.8.4.4/32 -p tcp -m comment --comment "OpenClash Google DNS Hijack" -m tcp --dport 53 -j REDIRECT --to-ports 7892
-A PREROUTING -d 8.8.8.8/32 -p tcp -m comment --comment "OpenClash Google DNS Hijack" -m tcp --dport 53 -j REDIRECT --to-ports 7892
-A PREROUTING -p tcp -m tcp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -p tcp -j openclash
-A OUTPUT -j openclash_output
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -m set --match-set lan_ac_black_ips src -j RETURN
-A openclash -m set --match-set china_ip_route dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -m owner ! --uid-owner 65534 -m set --match-set china_ip_route dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed Jul 27 15:53:43 2022

#IPv4 Mangle chain

# Generated by iptables-save v1.8.7 on Wed Jul 27 15:53:43 2022
*mangle
:PREROUTING ACCEPT [358:52090]
:INPUT ACCEPT [309:41617]
:FORWARD ACCEPT [29:4610]
:OUTPUT ACCEPT [439:340020]
:POSTROUTING ACCEPT [467:344562]
:openclash - [0:0]
-A PREROUTING -p udp -j openclash
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A openclash -p udp -m udp --sport 500 -j RETURN
-A openclash -p udp -m udp --sport 68 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -m set --match-set lan_ac_black_ips src -j RETURN
-A openclash -m set --match-set china_ip_route dst -j RETURN
-A openclash -p udp -m udp --dport 53 -j RETURN
-A openclash -p udp -j TPROXY --on-port 7895 --on-ip 0.0.0.0 --tproxy-mark 0x162/0xffffffff
COMMIT
# Completed on Wed Jul 27 15:53:43 2022

#IPv4 Filter chain

# Generated by iptables-save v1.8.7 on Wed Jul 27 15:53:43 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:openclash_wan_input - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
-A INPUT -p udp -m udp --dport 443 -m comment --comment "OpenClash QUIC REJECT" -m set ! --match-set china_ip_route dst -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -j openclash_wan_input
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A openclash_wan_input -p udp -m multiport --dports 7892,7895,9090,7890,7891,7893,7874 -j REJECT --reject-with icmp-port-unreachable
-A openclash_wan_input -p tcp -m multiport --dports 7892,7895,9090,7890,7891,7893,7874 -j REJECT --reject-with icmp-port-unreachable
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i eth1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Wed Jul 27 15:53:43 2022

#IPv6 NAT chain


#IPv6 Mangle chain


#IPv6 Filter chain


#===================== IPSET状态 =====================#

Name: china_ip_route
Name: lan_ac_black_ips
Name: lan_ac_black_ipv6s
Name: localnetwork

#===================== 路由表状态 =====================#

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
#ip route list
default via 192.168.1.1 dev eth0 proto static 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.4 
#ip rule show
0:	from all lookup local
32765:	from all fwmark 0x162 lookup 354
32766:	from all lookup main
32767:	from all lookup default

#===================== 端口占用状态 =====================#

tcp        0      0 :::7890                 :::*                    LISTEN      20201/clash
tcp        0      0 :::7891                 :::*                    LISTEN      20201/clash
tcp        0      0 :::7892                 :::*                    LISTEN      20201/clash
tcp        0      0 :::7893                 :::*                    LISTEN      20201/clash
tcp        0      0 :::7895                 :::*                    LISTEN      20201/clash
tcp        0      0 :::9090                 :::*                    LISTEN      20201/clash
udp        0      0 :::7874                 :::*                                20201/clash
udp        0      0 :::7891                 :::*                                20201/clash
udp        0      0 :::7892                 :::*                                20201/clash
udp        0      0 :::7893                 :::*                                20201/clash
udp        0      0 :::7895                 :::*                                20201/clash

#===================== 测试本机DNS查询 =====================#

Server:		127.0.0.1
Address:	127.0.0.1:53


www.baidu.com	canonical name = www.a.shifen.com
Name:	www.a.shifen.com
Address: 14.215.177.38
Name:	www.a.shifen.com
Address: 14.215.177.39


#===================== resolv.conf.d =====================#

# Interface lan
nameserver 223.5.5.5
nameserver 223.6.6.6

#===================== 测试本机网络连接 =====================#

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Wed, 27 Jul 2022 07:53:43 GMT
Etag: "575e1f71-115"
Last-Modified: Mon, 13 Jun 2016 02:50:25 GMT
Pragma: no-cache
Server: bfe/1.0.8.18


#===================== 测试本机网络下载 =====================#

HTTP/2 200 
cache-control: max-age=300
content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
content-type: text/plain; charset=utf-8
etag: "12516494caed5b963a8a09551b23b41387a0dd157657ef49fdb2f281c40240d6"
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block
x-github-request-id: 7E4C:6DBA:7653C:B9D21:62D85DC8
accept-ranges: bytes
date: Wed, 27 Jul 2022 07:53:43 GMT
via: 1.1 varnish
x-served-by: cache-hkg17925-HKG
x-cache: HIT
x-cache-hits: 7
x-timer: S1658908424.624496,VS0,VE0
vary: Authorization,Accept-Encoding,Origin
access-control-allow-origin: *
x-fastly-request-id: 5c7ff62b5a462f525d2a0c0f0892e6b6818ade12
expires: Wed, 27 Jul 2022 07:58:43 GMT
source-age: 290
content-length: 80


#===================== 最近运行日志 =====================#

2022-07-27 15:17:13 Step 4: Start Running The Clash Core...
2022-07-27 15:17:13 Tip: No Special Configuration Detected, Use Dev Core to Start...
2022-07-27 15:17:14 Step 5: Check The Core Status...
time="2022-07-27T07:17:14Z" level=info msg="Start initial compatible provider 🍃 应用净化"
time="2022-07-27T07:17:14Z" level=info msg="Start initial compatible provider 📲 电报信息"
time="2022-07-27T07:17:14Z" level=info msg="Start initial compatible provider 🍎 苹果服务"
time="2022-07-27T07:17:14Z" level=info msg="Start initial compatible provider 📢 谷歌FCM"
time="2022-07-27T07:17:14Z" level=info msg="Start initial compatible provider 🐟 漏网之鱼"
time="2022-07-27T07:17:14Z" level=info msg="Start initial compatible provider ♻️ 自动选择"
time="2022-07-27T07:17:14Z" level=info msg="Start initial compatible provider 🎯 全球直连"
time="2022-07-27T07:17:14Z" level=info msg="Start initial compatible provider Ⓜ️ 微软服务"
time="2022-07-27T07:17:14Z" level=info msg="Start initial compatible provider 🌍 国外媒体"
time="2022-07-27T07:17:14Z" level=info msg="Start initial compatible provider 🚀 节点选择"
time="2022-07-27T07:17:14Z" level=info msg="Start initial compatible provider 🛑 全球拦截"
2022-07-27 15:17:17 Step 6: Wait For The File Downloading...
2022-07-27 15:17:17 Step 7: Set Firewall Rules...
2022-07-27 15:17:17 Step 8: Restart Dnsmasq...
2022-07-27 15:17:17 Step 9: Add Cron Rules, Start Daemons...
2022-07-27 15:17:17 OpenClash Start Successful!
2022-07-27 15:53:32 OpenClash Stoping...
2022-07-27 15:53:32 Step 1: Backup The Current Groups State...
2022-07-27 15:53:32 Step 2: Delete OpenClash Firewall Rules...
2022-07-27 15:53:33 Step 3: Close The OpenClash Daemons...
2022-07-27 15:53:33 Step 4: Close The Clash Core Process...
2022-07-27 15:53:33 Step 5: Restart Dnsmasq...
2022-07-27 15:53:33 Step 6: Delete OpenClash Residue File...
2022-07-27 15:53:33 OpenClash Start Running...
2022-07-27 15:53:33 Step 1: Get The Configuration...
2022-07-27 15:53:33 Step 2: Check The Components...
2022-07-27 15:53:33 Tip: Because of the file【 /etc/config/openclash 】modificated, Pause quick start...
2022-07-27 15:53:33 Step 3: Modify The Config File...
2022-07-27 15:53:34 Step 4: Start Running The Clash Core...
2022-07-27 15:53:34 Tip: No Special Configuration Detected, Use Dev Core to Start...
2022-07-27 15:53:35 Step 5: Check The Core Status...
time="2022-07-27T07:53:35Z" level=info msg="Start initial compatible provider 🌍 国外媒体"
time="2022-07-27T07:53:35Z" level=info msg="Start initial compatible provider 🐟 漏网之鱼"
time="2022-07-27T07:53:35Z" level=info msg="Start initial compatible provider 🍎 苹果服务"
time="2022-07-27T07:53:35Z" level=info msg="Start initial compatible provider Ⓜ️ 微软服务"
time="2022-07-27T07:53:35Z" level=info msg="Start initial compatible provider 🍃 应用净化"
time="2022-07-27T07:53:35Z" level=info msg="Start initial compatible provider 📲 电报信息"
time="2022-07-27T07:53:35Z" level=info msg="Start initial compatible provider 📢 谷歌FCM"
time="2022-07-27T07:53:35Z" level=info msg="Start initial compatible provider 🎯 全球直连"
time="2022-07-27T07:53:35Z" level=info msg="Start initial compatible provider 🛑 全球拦截"
time="2022-07-27T07:53:35Z" level=info msg="Start initial compatible provider 🚀 节点选择"
time="2022-07-27T07:53:35Z" level=info msg="Start initial compatible provider ♻️ 自动选择"
2022-07-27 15:53:38 Step 6: Wait For The File Downloading...
2022-07-27 15:53:38 Step 7: Set Firewall Rules...
2022-07-27 15:53:38 Step 8: Restart Dnsmasq...
2022-07-27 15:53:38 Step 9: Add Cron Rules, Start Daemons...
2022-07-27 15:53:38 OpenClash Start Successful!

#===================== 活动连接信息 =====================#

1. SourceIP:【192.168.1.85】 - Host:【Empty】 - DestinationIP:【*.*.*.*】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【v2|香港04|原生|★★★】
2. ........

OpenClash Config

No response

Screenshots

No response

ctz556, Jul 27 '22 08:07
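The nat table in the debug log above explains the observed behaviour: every TCP flow from the LAN that is not RETURNed by the localnetwork, lan_ac_black_ips or china_ip_route ipsets is REDIRECTed to the clash listener on port 7892. REDIRECT terminates the client's connection on the bypass router, so clash opens its own outbound connection from the router's address (192.168.1.4) no matter whether its rule then chooses a proxy or DIRECT; only flows that leave the openclash chain via RETURN are forwarded with their original source. The following Python script is added here as an illustration and is not part of the issue, of OpenClash or of its debug tool. It replays that chain walk for a few sample flows using the rules from the log; the ipset contents are constructed (the log lists only the set names), and the mangle-table TPROXY path for UDP is deliberately not modelled.

```python
import ipaddress
import shlex

# Excerpt of the nat table from the issue's iptables-save output:
# only the rules that can touch TCP from the LAN are kept.
NAT_RULES = """
-A PREROUTING -d 8.8.8.8/32 -p tcp -m comment --comment "OpenClash Google DNS Hijack" -m tcp --dport 53 -j REDIRECT --to-ports 7892
-A PREROUTING -p tcp -m tcp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -j openclash
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -m set --match-set lan_ac_black_ips src -j RETURN
-A openclash -m set --match-set china_ip_route dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
"""

# Constructed ipset contents: the debug log only prints the set names.
IPSETS = {
    "localnetwork": ["192.168.0.0/16", "10.0.0.0/8", "127.0.0.0/8"],
    "china_ip_route": ["14.215.0.0/16", "223.5.5.0/24"],
    "lan_ac_black_ips": [],
}

ROUTER_IP = "192.168.1.4"  # bypass router address, from the log's "ip route" output


def parse_rule(line):
    """Extract the match fields this model needs from one iptables-save line."""
    tok = shlex.split(line)
    rule = {"chain": None, "proto": None, "dst": None, "dport": None,
            "sets": [], "target": None, "to_port": None}
    i = 0
    while i < len(tok):
        t = tok[i]
        if t == "-A":
            rule["chain"] = tok[i + 1]; i += 2
        elif t == "-p":
            rule["proto"] = tok[i + 1]; i += 2
        elif t == "-d":
            rule["dst"] = ipaddress.ip_network(tok[i + 1]); i += 2
        elif t == "--dport":
            rule["dport"] = int(tok[i + 1]); i += 2
        elif t == "--match-set":
            rule["sets"].append((tok[i + 1], tok[i + 2])); i += 3  # (set name, src|dst)
        elif t == "-j":
            rule["target"] = tok[i + 1]; i += 2
        elif t == "--to-ports":
            rule["to_port"] = int(tok[i + 1]); i += 2
        else:
            i += 1  # "-m", module names and comment text do not affect matching here
    return rule


def in_set(name, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in IPSETS.get(name, []))


def matches(rule, pkt):
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["dst"] and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    return all(in_set(name, pkt[direction]) for name, direction in rule["sets"])


def walk(chain, pkt, rules):
    """Walk a chain as the kernel does: first terminating target wins.
    Returns the REDIRECT port, or None when the packet leaves untouched."""
    for rule in (r for r in rules if r["chain"] == chain):
        if not matches(rule, pkt):
            continue
        if rule["target"] == "RETURN":
            return None  # back to the calling chain, which continues after its jump
        if rule["target"] == "REDIRECT":
            return rule["to_port"]
        verdict = walk(rule["target"], pkt, rules)  # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None


RULES = [parse_rule(l) for l in NAT_RULES.strip().splitlines()]


def upstream_source(src, dst, proto="tcp", dport=443):
    """Source address the upstream router will see for this flow.
    A redirected flow is terminated on the bypass router, so the outbound
    connection that clash makes afterwards carries ROUTER_IP, even for DIRECT."""
    pkt = {"src": src, "dst": dst, "proto": proto, "dport": dport}
    port = walk("PREROUTING", pkt, RULES)
    if port is None:
        return src, "forwarded unchanged"
    return ROUTER_IP, f"redirected to local port {port}"


if __name__ == "__main__":
    # 192.168.1.85 is the LAN client visible in the log's active-connection list
    for dst in ("1.1.1.1", "14.215.177.38", "192.168.1.1"):
        print(f"{dst:>15} -> {upstream_source('192.168.1.85', dst)}")
```

Running it shows the split the reporter is asking about: a flow to 1.1.1.1 is redirected and reaches the upstream router from 192.168.1.4, while flows to a china_ip_route or localnetwork destination keep 192.168.1.85. Under this rule layout the ipset RETURNs are the only place a flow can keep its source address, because clash's own DIRECT decision is taken after the REDIRECT has already happened.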